hashicorp
diff --git a/.changelog/24683.txt b/.changelog/24683.txt
@@ -1,3 +1,3 @@
 ```release-note:security
-api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies.
+api: sanitize the SignedIdentities in allocations to prevent privilege escalation through unredacted workload identity token impersonation associated with ACL policies. ([CVE-2025-1296](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1296))
 ```
diff --git a/.changelog/24942.txt b/.changelog/24942.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+scheduler: Fixed a bug where node class hashes included unique attributes, making scheduling more costly
+```
+
+```release-note:breaking-change
+node: The node attribute `consul.addr.dns` has been changed to `unique.consul.addr.dns`. The node attribute `nomad.advertise.address` has been changed to `unique.advertise.address`.
+```
diff --git a/.changelog/25093.txt b/.changelog/25093.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+cni: Fixed a bug where CNI state was not migrated after upgrade, resulting in IP collisions
+```
diff --git a/.changelog/25102.txt b/.changelog/25102.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+fingerprint: Fixed a bug where Consul/Vault would never be fingerprinted if not available on agent start
+```
diff --git a/.changelog/25104.txt b/.changelog/25104.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: System, Batch and Sysbatch jobs get a "Revert to prev version" button on their main pages
+```
diff --git a/.changelog/25108.txt b/.changelog/25108.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+cpustats: Add config "cpu_disable_dmidecode" to disable cpu detection using dmidecode
+```
diff --git a/.changelog/25113.txt b/.changelog/25113.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+template: Fixed a bug where unset client.template retry blocks ignored defaults
+```
diff --git a/.changelog/25140.txt b/.changelog/25140.txt
@@ -0,0 +1,5 @@
+```release-note:bug
+template: Updated the consul-template dependency to v0.40.0 which included a bug fix in the
+quiescence timers. This bug could cause increased Nomad client CPU usage for tasks which use two or
+more template blocks.
+```
diff --git a/.changelog/25198.txt b/.changelog/25198.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+metrics: Fix the process lookup for raw_exec when running rootless
+```
diff --git a/.changelog/25201.txt b/.changelog/25201.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+rpc: Fixed a bug that would cause the reader side of RPC connections to hang indefinitely
+```
diff --git a/.changelog/25249.txt b/.changelog/25249.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+build: Updated Go to 1.24.1
+```
diff --git a/.changelog/25255.txt b/.changelog/25255.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+config: Allow disabling `wait` in client config
+```
diff --git a/.changelog/25294.txt b/.changelog/25294.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+hcl: Avoid panics by checking null values on durations
+```
diff --git a/.changelog/25307.txt b/.changelog/25307.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+csi: Fixed a bug where plugins that failed initial fingerprints would not be restarted
+```
diff --git a/.changelog/25310.txt b/.changelog/25310.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Add node_prefix read when setting up the task workload identity Consul policy
+```
diff --git a/.changelog/25328.txt b/.changelog/25328.txt
@@ -0,0 +1,3 @@
+```release-note:security
+auth: Redact OIDC client secret from API responses and event stream ([CVE-2025-1296](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1296))
+```
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -54,7 +54,7 @@ jobs:
       - name: Retrieve Vault-hosted Secrets
         if: endsWith(github.repository, '-enterprise')
         id: vault
-        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
+        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
         with:
           url: ${{ vars.CI_VAULT_URL }}
           method: ${{ vars.CI_VAULT_METHOD }}

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -69,7 +69,7 @@ jobs:
           product: ${{ env.PKG_NAME }}
           repositoryOwner: "hashicorp"
           sha: ${{ github.event.inputs.build-ref }}
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: metadata.json
           path: ${{ steps.generate-metadata-file.outputs.filepath }}
@@ -90,15 +90,15 @@ jobs:
         with:
           ref: ${{ github.event.inputs.build-ref }}
       - name: Setup go
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
 
       - name: Build dependencies
         run: make deps
 
       - name: Setup node and yarn
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache-dependency-path: "ui/yarn.lock"
@@ -121,7 +121,7 @@ jobs:
           go clean -cache
           make pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip
           mv pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
           path: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
@@ -142,15 +142,15 @@ jobs:
         with:
           ref: ${{ github.event.inputs.build-ref }}
       - name: Setup go
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
 
       - name: Build dependencies
         run: make deps
 
       - name: Setup node and yarn
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache-dependency-path: "ui/yarn.lock"
@@ -188,7 +188,7 @@ jobs:
           go clean -cache
           make pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip
           mv pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
           path: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
@@ -225,12 +225,12 @@ jobs:
           echo "RPM_PACKAGE=$(basename out/*.rpm)" >> "$GITHUB_ENV"
           echo "DEB_PACKAGE=$(basename out/*.deb)" >> "$GITHUB_ENV"
 
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: ${{ env.RPM_PACKAGE }}
           path: out/${{ env.RPM_PACKAGE }}
 
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: ${{ env.DEB_PACKAGE }}
           path: out/${{ env.DEB_PACKAGE }}
@@ -254,7 +254,7 @@ jobs:
       - name: Retrieve Vault-hosted Secrets
         if: endsWith(github.repository, '-enterprise')
         id: vault
-        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
+        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
         with:
           url: ${{ vars.CI_VAULT_URL }}
           method: ${{ vars.CI_VAULT_METHOD }}
@@ -267,15 +267,15 @@ jobs:
         run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
 
       - name: Setup go
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: ${{ needs.get-go-version.outputs.go-version }}
 
       - name: Build dependencies
         run: make deps
 
       - name: Setup node and yarn
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache-dependency-path: "ui/yarn.lock"
@@ -298,7 +298,7 @@ jobs:
           go clean -cache
           make pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip
           mv pkg/${{ matrix.goos }}_${{ matrix.goarch }}.zip ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
           path: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
@@ -358,7 +358,7 @@ jobs:
         goos: [linux]
         goarch: [amd64]
     steps:
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: ${{needs.get-go-version.outputs.go-version}}
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -30,7 +30,7 @@ jobs:
       - name: Retrieve Vault-hosted Secrets
         if: endsWith(github.repository, '-enterprise')
         id: vault
-        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
+        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
         with:
           url: ${{ vars.CI_VAULT_URL }}
           method: ${{ vars.CI_VAULT_METHOD }}
@@ -41,7 +41,7 @@ jobs:
       - name: Git config token
         if: endsWith(github.repository, '-enterprise')
         run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           cache: true
           go-version-file: .go-version

diff --git a/.github/workflows/ember-test-audit.yml b/.github/workflows/ember-test-audit.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
       - name: Retrieve Vault-hosted Secrets
         if: endsWith(github.repository, '-enterprise')
         id: vault
-        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
+        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
         with:
           url: ${{ vars.CI_VAULT_URL }}
           method: ${{ vars.CI_VAULT_METHOD }}
@@ -82,12 +82,12 @@ jobs:
           echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
 
       - name: Setup go
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: ${{ steps.get-go-version.outputs.go-version }}
 
       - name: Setup node and yarn
-        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: "18"
           cache-dependency-path: "ui/yarn.lock"

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           cache: ${{ contains(runner.name, 'Github Actions') }}
           go-version-file: .go-version

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -6,17 +6,29 @@ on:
   # push:
 
 jobs:
+  semgrep-validate:
+    name: Semgrep Validate
+    if: (github.actor != 'dependabot[bot]')
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep:1.107.0
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - run: semgrep --metrics=off --validate --config=.semgrep/
+
   semgrep:
     name: Semgrep Scan
+    needs: [semgrep-validate]
     runs-on: ubuntu-latest
     container:
-      image: returntocorp/semgrep:1.36.0
+      image: returntocorp/semgrep:1.107.0
     env:
-      SEMGREP_SEND_METRICS: 0
+      SEMGREP_SEND_METRICS: off
     # Skip any PR created by dependabot to avoid permission issues
     if: (github.actor != 'dependabot[bot]')
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: semgrep ci --config=.semgrep/
+
 permissions:
   contents: read