diff --git a/reports/containerd_release_v2.3.0-beta.2_20260417_194103.json b/reports/containerd_release_v2.3.0-beta.2_20260417_194103.json
new file mode 100644
index 0000000..3d409c6
--- /dev/null
+++ b/reports/containerd_release_v2.3.0-beta.2_20260417_194103.json
@@ -0,0 +1,101 @@
+{
+  "metadata": {
+    "generated_at": "2026-04-17T19:41:21.716492",
+    "tool": "containerd-release-tracker",
+    "version": "1.0.0"
+  },
+  "release": {
+    "tag_name": "v2.3.0-beta.2",
+    "name": "containerd 2.3.0-beta.2",
+    "body": "Welcome to the v2.3.0-beta.2 release of containerd!\n*This is a pre-release of containerd*\n\nThe third minor release of containerd 2.x focuses on continued stability alongside\nnew features and improvements. This is the third time-based release for containerd.\n\nStarting with containerd 2.3, the project has moved to release cadence aligned with\nthe Kubernetes release schedule, with new minor releases about every 4 months. The\ncontainerd 2.3 release is also the first annual LTS (Long Term Stable) release under\nthis new schedule, with support planned for at least two years. Direct upgrades\nbetween sequential LTS releases (e.g., 1.7 to 2.3) will be tested and supported.\n\nThis is a beta release and some functionality is still under development.\n\n### Highlights\n\n* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))\n* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))\n* Add option to inject trace ID to logs ([#13117](https://github.com/containerd/containerd/pull/13117))\n* Propagate OpenTelemetry traces in outgoing RPCs from plugin clients ([#13113](https://github.com/containerd/containerd/pull/13113))\n* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))\n* Detect vendor in cdi specs to generate device IDs for --gpus ([#12839](https://github.com/containerd/containerd/pull/12839))\n* Update sandbox API to include spec field ([#12840](https://github.com/containerd/containerd/pull/12840))\n\n#### Container Runtime Interface (CRI)\n\n* Allow containers to use user namespaces with host networking ([#12518](https://github.com/containerd/containerd/pull/12518))\n* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))\n* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))\n* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))\n\n#### Image Distribution\n\n* Support zstd-wrapped EROFS layers ([#13185](https://github.com/containerd/containerd/pull/13185))\n* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))\n\n#### Image Storage\n\n* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))\n\n#### Node Resource Interface (NRI)\n\n* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))\n* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))\n* Pass any POSIX rlimits to plugins ([#12765](https://github.com/containerd/containerd/pull/12765))\n* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))\n* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))\n* Pass linux sysctl to plugins ([#12766](https://github.com/containerd/containerd/pull/12766))\n\n#### Runtime\n\n* Add configured socket directory to shim bootstrap protocol ([#12785](https://github.com/containerd/containerd/pull/12785))\n* Fix binary logging driver not blocking container start on failure ([#12595](https://github.com/containerd/containerd/pull/12595))\n* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))\n* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))\n\n#### Snapshotters\n\n* Propagate parent chain ID and diff ID via labels during snapshot preparation ([#13071](https://github.com/containerd/containerd/pull/13071))\n\nPlease try out the release binaries and report any issues at\nhttps://github.com/containerd/containerd/issues.\n\n### Contributors\n\n* Maksym Pavlenko\n* Derek McGowan\n* Sebastiaan van Stijn\n* Krisztian Litkey\n* Wei Fu\n* Samuel Karp\n* Akihiro Suda\n* Phil Estes\n* Markus Lehtonen\n* Mike Brown\n* Davanum Srinivas\n* Gao Xiang\n* ChengyuZhu6\n* Akhil Mohan\n* Chris Henzie\n* Hudson Zhu\n* Kazuyoshi Kato\n* Sergey Kanzhelev\n* ningmingxiao\n* Aadhar Agarwal\n* Andrew Halaney\n* Apurv Barve\n* HirazawaUi\n* Michael Zappa\n* Paweł Gronowski\n* Brian Goff\n* Fabiano Fidêncio\n* Hasan Siddiqui\n* Jintao Zhang\n* Paulo Oliveira\n* Shiv Tyagi\n* Austin Vazquez\n* Avinesh Singh\n* Esteban Ginez\n* Henry Wang\n* Jin Dong\n* Jérôme Poulin\n* Luke Hinds\n* Sascha Grunert\n* majianhan\n* markdodgson\n* Adrien Delorme\n* Albin Kerouanton\n* Alex Chernyakhovsky\n* Andrey Noskov\n* Andrey Smirnov\n* Annie Cherkaev\n* Anuj Singh\n* Champ-Goblem\n* Chris Adeniyi-Jones\n* Cindia-blue\n* CrazyMax\n* Danny Canter\n* Evan Lezar\n* Fletcher Woodruff\n* Gaurav Ghildiyal\n* Harsh Rawat\n* Hayato Kiwata\n* Joseph Zhang\n* Justin Chadwell\n* Kal\n* Manuel de Brito Fontes\n* Neeraj Krishna Gopalakrishna\n* Pierluigi Lenoci\n* Ricardo Branco\n* Rob Murray\n* Rodrigo Campos\n* Shachar Tal\n* Shaobao Feng\n* Shiming Zhang\n* Tariq Ibrahim\n* Tim Windelschmidt\n* Tõnis Tiigi\n* Wade Simmons\n* Weixie Cui\n* Will Jordan\n* Yohei Yamamoto\n* You Binhao\n* Youfu Zhang\n* apurv15\n* bo.jiang\n* chris-henderson-alation\n* jinda.ljd\n* qiuxue\n\n### Changes\n<details><summary>758 commits</summary>\n<p>\n\n* Prepare v2.3.0-beta.2 release ([#13239](https://github.com/containerd/containerd/pull/13239))\n  * [`367937295`](https://github.com/containerd/containerd/commit/36793729584ece2c3c52c25b6f2495837fcb9c3c) Update API to use latest beta tag\n* Parameterize K8s version in node-e2e workflow ([#13234](https://github.com/containerd/containerd/pull/13234))\n  * [`270916ad1`](https://github.com/containerd/containerd/commit/270916ad1564e4e1329994b29a1dbece1d7fe6ce) Parameterize K8s version in node-e2e workflow\n* Add check for status code for GET requests ([#12262](https://github.com/containerd/containerd/pull/12262))\n  * [`bf5fe06f8`](https://github.com/containerd/containerd/commit/bf5fe06f8d8a5279fc3b8a2cf6d60ba41fda62a5) Use len for stripping http://\n  * [`2e856be03`](https://github.com/containerd/containerd/commit/2e856be0398a722e0c4c91fe0685f246306e9903) Check for error status code on response to a get request\n* Add support for conditional gc references in metadata ([#12398](https://github.com/containerd/containerd/pull/12398))\n  * [`046421ab7`](https://github.com/containerd/containerd/commit/046421ab781ffa2c4a63b0ef220d51fb7946c6b7) Breakout arguments to sendLabelRefs in gc\n  * [`bd02dc1d7`](https://github.com/containerd/containerd/commit/bd02dc1d7b5ff245cc0f0446057b8831934a42ba) Add support for conditional gc references in metadata\n* build(deps): bump actions/cache from 5.0.4 to 5.0.5 ([#13227](https://github.com/containerd/containerd/pull/13227))\n  * [`34884e99d`](https://github.com/containerd/containerd/commit/34884e99d5b625360d13d31bc86a78e4747312c1) build(deps): bump actions/cache from 5.0.4 to 5.0.5\n* Make shim socket directory use configured directory ([#12785](https://github.com/containerd/containerd/pull/12785))\n  * [`e07a1aa49`](https://github.com/containerd/containerd/commit/e07a1aa4910addb4e5ed6ce7ed40e2b4889fa77d) Add configuration for socket directory to the shim manager\n  * [`59c3464a0`](https://github.com/containerd/containerd/commit/59c3464a011e216949d82c5c9ebc8592f44ed26e) Remove the unnecessary mkdir on the default state directory\n  * [`d806373fe`](https://github.com/containerd/containerd/commit/d806373feb1bf9e753a4beaf5b092c5176baa2c3) Make shim socket directory use configured state\n* ctr: add EROFS image conversion support ([#12555](https://github.com/containerd/containerd/pull/12555))\n  * [`64a2e62b5`](https://github.com/containerd/containerd/commit/64a2e62b5259168ee0f8f99d88a61f5799d5e3e7) erofs: wire os.features into conversion and selection\n  * [`b320d3c85`](https://github.com/containerd/containerd/commit/b320d3c855270374dc45f230f76b72c17eb7426c) ctr: add EROFS image conversion support\n* snapshotter/erofs: avoid using overlay if fsmerge is enabled and no upperdir ([#13213](https://github.com/containerd/containerd/pull/13213))\n  * [`3b357da49`](https://github.com/containerd/containerd/commit/3b357da49691a1b030d986c0b0306293fab19136) snapshotter/erofs: avoid using overlay if fsmerge is enabled and no upperdir\n* build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 ([#13225](https://github.com/containerd/containerd/pull/13225))\n  * [`a9acbcaae`](https://github.com/containerd/containerd/commit/a9acbcaaedd2681363c0eadf0500df7edebd9eab) build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0\n* build(deps): bump github.com/erofs/go-erofs from 0.2.0 to 0.2.1 ([#13232](https://github.com/containerd/containerd/pull/13232))\n  * [`a9e958070`](https://github.com/containerd/containerd/commit/a9e9580709773499ba69a9834b13a214289d2b98) build(deps): bump github.com/erofs/go-erofs from 0.2.0 to 0.2.1\n* build(deps): bump actions/github-script from 8.0.0 to 9.0.0 ([#13226](https://github.com/containerd/containerd/pull/13226))\n  * [`54bb41881`](https://github.com/containerd/containerd/commit/54bb41881260a270330ee953a066afbd4024c0d1) build(deps): bump actions/github-script from 8.0.0 to 9.0.0\n* build(deps): bump the golang-x group with 2 updates ([#13228](https://github.com/containerd/containerd/pull/13228))\n  * [`ef692c986`](https://github.com/containerd/containerd/commit/ef692c98653cf5b2008a2be4a8c5b2e16ba5ceda) build(deps): bump the golang-x group with 2 updates\n* update github.com/moby/spdystream v0.5.1 ([#13215](https://github.com/containerd/containerd/pull/13215))\n  * [`d15a46927`](https://github.com/containerd/containerd/commit/d15a46927447eab0764a516cdef1efa3609a6357) update github.com/moby/spdystream v0.5.1\n* erofs-differ: support zstd-wrapped EROFS layers ([#13185](https://github.com/containerd/containerd/pull/13185))\n  * [`b9445fb9e`](https://github.com/containerd/containerd/commit/b9445fb9ef900e4724aba735eebe90592eebb5de) erofs-differ: support zstd-wrapped EROFS layers\n* core/remotes/docker: use SystemCertPool on Windows ([#13128](https://github.com/containerd/containerd/pull/13128))\n  * [`dc609cf4b`](https://github.com/containerd/containerd/commit/dc609cf4b4bfe91e21e5d984530a4e8ce5cfd993) core/remotes/docker: use SystemCertPool on Windows\n* update runhcs to v0.15.0-rc.1 ([#13211](https://github.com/containerd/containerd/pull/13211))\n  * [`915fd256a`](https://github.com/containerd/containerd/commit/915fd256a6c646ec230cc78110311dcc277f9399) update runhcs to v0.15.0-rc.1\n* For Exec format error on Windows, compile cri-integration.test binary with .exe suffix ([#13210](https://github.com/containerd/containerd/pull/13210))\n  * [`d8906ac6c`](https://github.com/containerd/containerd/commit/d8906ac6c6705a910da31f2cbfa7a5690a2bf06e) Update Makefile\n  * [`c41939a4c`](https://github.com/containerd/containerd/commit/c41939a4c0cdb47ddb6c8ccabacee08b115d8357) For Exec format error on Windows, compile cri-integration.test binary with .exe suffix\n* build(deps): bump docker/login-action from 4.0.0 to 4.1.0 ([#13168](https://github.com/containerd/containerd/pull/13168))\n  * [`244d59f79`](https://github.com/containerd/containerd/commit/244d59f79f98d63dd76e70d14ba53c7ea68277d4) build(deps): bump docker/login-action from 4.0.0 to 4.1.0\n* Prepare v2.3.0 beta.1 release ([#13209](https://github.com/containerd/containerd/pull/13209))\n  * [`d11731c74`](https://github.com/containerd/containerd/commit/d11731c74f366914e5941c7c32a3021fc0b1352b) Update vendored api to v1.11.0-beta.1\n  * [`c6f83d3bc`](https://github.com/containerd/containerd/commit/c6f83d3bc28ceee618c4126ac33d49e7c0106475) Update mailmap for Chris Henzie\n* Update bootstrap API log level definition ([#13208](https://github.com/containerd/containerd/pull/13208))\n  * [`2c102c6cb`](https://github.com/containerd/containerd/commit/2c102c6cbebbc1dabe31eb0740a1803fcce56c4e) Update bootstrap API log level definition\n* Bump cri-api to v0.36.0-rc.0 ([#13207](https://github.com/containerd/containerd/pull/13207))\n  * [`a6311a163`](https://github.com/containerd/containerd/commit/a6311a163d6bb738d75af83abedf5457ab561b49) Bump cri-api to v0.36.0-rc.0\n* Make utils.sh nounset-safe by never expanding unset CGROUP_DRIVER on Windows ([#13205](https://github.com/containerd/containerd/pull/13205))\n  * [`743210e40`](https://github.com/containerd/containerd/commit/743210e40c3044815b91a59b5ec4d51fed132097) Make utils.sh nounset-safe by never expanding unset CGROUP_DRIVER on Windows.\n* fix(windows): verify pipe readiness before returning shim address ([#13202](https://github.com/containerd/containerd/pull/13202))\n  * [`01e5fa616`](https://github.com/containerd/containerd/commit/01e5fa616f8ea26c387346675359de2568e4d061) fix: address review feedback on awaitPipeReady\n  * [`1e98ebaf0`](https://github.com/containerd/containerd/commit/1e98ebaf0e97e4beb3133e5f8f3df4acd67a291a) fix(windows): verify pipe readiness before returning shim address\n* Document shim bootstrap behavior ([#13192](https://github.com/containerd/containerd/pull/13192))\n  * [`fcb23002b`](https://github.com/containerd/containerd/commit/fcb23002b45f3524296da077c7159159579ed6a2) Document shim bootstrap protocol behavior\n* Temporarily disable uploading logs to GCP for windows periodic tests until GCP credentials are renewed ([#13173](https://github.com/containerd/containerd/pull/13173))\n  * [`6ba507ba7`](https://github.com/containerd/containerd/commit/6ba507ba768534c596695f70feb58cb5704919d5) Temporarily disable windows periodic tests until GCP credentials are renewed.\n* build(deps): bump github.com/Microsoft/hcsshim from 0.14.0-rc.1 to 0.15.0-rc.1 ([#13170](https://github.com/containerd/containerd/pull/13170))\n  * [`affe09319`](https://github.com/containerd/containerd/commit/affe09319da22ea74c267f23c2808bd7dec63c3e) build(deps): bump github.com/Microsoft/hcsshim\n* Support reading readonly overlays without mounting ([#12865](https://github.com/containerd/containerd/pull/12865))\n  * [`c61c4e8da`](https://github.com/containerd/containerd/commit/c61c4e8dab7cb4fd683ffe03d3b183edf695a112) pkg/oci: update fs error handling to use errors.Is\n  * [`30951c6f0`](https://github.com/containerd/containerd/commit/30951c6f03d496b9d538088e7a11dc69ab75352a) Add overlay symlink resolution using ReadLinkFS\n  * [`21d666cfb`](https://github.com/containerd/containerd/commit/21d666cfbcc3315a65ac03f085d449bf953bbb96) Update fsview to allow type registration\n  * [`a77c757f1`](https://github.com/containerd/containerd/commit/a77c757f15806218bdfbc1799655a18fced1f4ec) internal/fsview: update overlay to handle file replacing directory\n  * [`2fe15d7c8`](https://github.com/containerd/containerd/commit/2fe15d7c87012e0cd7d4546c81e885d174453685) internal/fsview: add support for suffixes in formatted mounts\n  * [`a5df2782d`](https://github.com/containerd/containerd/commit/a5df2782d4c17d14632328843ba471c9b385c49e) pkg/oci: remove darwin guards from user/group spec opts\n  * [`f384d2eb6`](https://github.com/containerd/containerd/commit/f384d2eb6c0275d368ba449fd434e2147a7466ec) pkg/oci: update OCI with user to try mount for Darwin\n  * [`c1eb9430a`](https://github.com/containerd/containerd/commit/c1eb9430af0cffcca8238475f3021c90e28ff067) pkg/oci: update OCI spec generation to use fsview if available\n  * [`04b7b495f`](https://github.com/containerd/containerd/commit/04b7b495f9db65fad9a0859bb1b5a9365f655906) internal/fsview: add fsview package for reading snapshot mounts\n* diff/walking: enable mount manager ([#13186](https://github.com/containerd/containerd/pull/13186))\n  * [`47cfd1138`](https://github.com/containerd/containerd/commit/47cfd1138b469e753b5035d2df8074aa523255b0) diff/walking: enable mount manager\n* Add transfer types for container filesystem copy ([#13165](https://github.com/containerd/containerd/pull/13165))\n  * [`121f3a21e`](https://github.com/containerd/containerd/commit/121f3a21e438cd8c18c6d76cbab1514ee2a8d8d2) Add transfer types for container filesystem copy\n* build(deps): bump the otel group with 6 updates ([#13169](https://github.com/containerd/containerd/pull/13169))\n  * [`69f3860f4`](https://github.com/containerd/containerd/commit/69f3860f49987d0316b1839137ea983e5574cf22) build(deps): bump the otel group with 6 updates\n* Introduce shim bootstrap protocol ([#12786](https://github.com/containerd/containerd/pull/12786))\n  * [`75afbe155`](https://github.com/containerd/containerd/commit/75afbe155a819c8e8786c2b961b4b87293dea66b) Update vendor\n  * [`16b7ce254`](https://github.com/containerd/containerd/commit/16b7ce254959e62927896aecc033e86b0a10dc31) Address code review suggestions\n  * [`45b7de283`](https://github.com/containerd/containerd/commit/45b7de2837b7c76ac6ce97efbf46c7753c5f2c9f) Limit amount of bytes read from stdin\n  * [`3c0e8a55b`](https://github.com/containerd/containerd/commit/3c0e8a55b6e240045b0c80b46b93cf472e5aa738) Update comments wording about when to deprecate and remove the old path\n  * [`9bf65dcf0`](https://github.com/containerd/containerd/commit/9bf65dcf0275341a75b9e56454e5ebe599bcc90f) Use enums instead of strings for capabilities and log level\n  * [`9dc864fd0`](https://github.com/containerd/containerd/commit/9dc864fd0feefd907aba16ba98cf453dd16df694) Switch to proto instead of json\n  * [`73edc8045`](https://github.com/containerd/containerd/commit/73edc804513e5c5711efe38f0e96e7c43909f94c) Format code after cherry pick\n  * [`243cab594`](https://github.com/containerd/containerd/commit/243cab594ee6d5edab591a43e399786ff07faab8) Deprecate old pkg/shim interfaces\n  * [`3fbdb132b`](https://github.com/containerd/containerd/commit/3fbdb132bf4fb2f59995b9fc632c0ad507ff98f6) Fix module path\n  * [`1852a4758`](https://github.com/containerd/containerd/commit/1852a4758ea70e12ada6bc98c45258a001c9f6bc) Remove testify dependency from api\n  * [`eea1fa651`](https://github.com/containerd/containerd/commit/eea1fa6516e0d4e27b0227cb24de7902aa09f22c) Do not fail when failed to parse log level\n  * [`281fb85a9`](https://github.com/containerd/containerd/commit/281fb85a9c1bc9d2dd942f9ea375a33914cf9cc7) Fix Makefile\n  * [`2005e01f0`](https://github.com/containerd/containerd/commit/2005e01f068b656b2b3aecc4ed7bd0bcf59b6fe1) Run tests from api\n  * [`0f55bdd49`](https://github.com/containerd/containerd/commit/0f55bdd49c41ba2a43d6595bdd827b6ba4ed4987) Fix extensions API and update tests\n  * [`58022a748`](https://github.com/containerd/containerd/commit/58022a748ad7e92f23ef444031742ae700823c88) Parse log level when starting shim instance\n  * [`d957b1bf5`](https://github.com/containerd/containerd/commit/d957b1bf53914443e28a3a7ab63824ea2e6c22ed) Use log level instead of debug flag\n  * [`31d0bbbad`](https://github.com/containerd/containerd/commit/31d0bbbad7723c8555b299f1dc12f7173390b2ec) Include containerd version when launching shim\n  * [`f71c2e421`](https://github.com/containerd/containerd/commit/f71c2e4211c9cbae06c582222d200c8756a84845) Reformat and clean proto files\n  * [`b7ef291ed`](https://github.com/containerd/containerd/commit/b7ef291edcc5d4beac49f8748e0606d32d83ca0c) Provide bootstrap params when launching shims\n  * [`acb8c8ea1`](https://github.com/containerd/containerd/commit/acb8c8ea1ef1f79f0b9c49ef25f8b5e87dd8d7c9) Update vendor\n  * [`9e9a095fe`](https://github.com/containerd/containerd/commit/9e9a095feb43c6b6a84fe1f4b2331977ebb92b91) Read spec annotations from file\n  * [`fa02acee2`](https://github.com/containerd/containerd/commit/fa02acee2094494436d4e6dcf5a800286d60726a) Generate shim CLI flags under Command\n  * [`fc8062f37`](https://github.com/containerd/containerd/commit/fc8062f3792e7bc056c874b4d93ecf911360da71) Rename CommandConfig field to better reflect their purpose\n  * [`3831fc806`](https://github.com/containerd/containerd/commit/3831fc80630879870327fde99f66b12959c973f0) Fix reading from stdin\n  * [`5ea993b48`](https://github.com/containerd/containerd/commit/5ea993b48d29e620dba6f90746a98ff0a4a29f65) Pass runc options as a separate extension\n  * [`e72145b19`](https://github.com/containerd/containerd/commit/e72145b192de6542dfb86554cda512e37f46eb5e) Update vendor\n  * [`7f39b2d93`](https://github.com/containerd/containerd/commit/7f39b2d9338b86e84b3c794eef10572b90f35a1b) Update shim to support new bootstrap api\n  * [`790b0ead7`](https://github.com/containerd/containerd/commit/790b0ead7bc4e234b5ce90b9a1225b60bad34d75) Implement shim bootstrap protocol\n* Bump Go to 1.26.2 ([#13177](https://github.com/containerd/containerd/pull/13177))\n  * [`8b396c768`](https://github.com/containerd/containerd/commit/8b396c768d470226f120605ee5ad38d1a764bf81) Bump Go to 1.26.2\n* Add registry host namespace query parameter to mirror push requests ([#12206](https://github.com/containerd/containerd/pull/12206))\n  * [`e95b75305`](https://github.com/containerd/containerd/commit/e95b753058b2c420374626c3eb9aca8e7a7cc125) Add namespace to push requests\n* releases: revive 2.0 ([#13158](https://github.com/containerd/containerd/pull/13158))\n  * [`a3ac81ff9`](https://github.com/containerd/containerd/commit/a3ac81ff96886f52eb1d90fb6e6fb58375dd4a4a) releases: revive 2.0\n* replace one more k8s.io/apimachinery/ reference ([#13157](https://github.com/containerd/containerd/pull/13157))\n  * [`1615e07bb`](https://github.com/containerd/containerd/commit/1615e07bb845fe9f951830f374bb208efaaf07a2) replace one more k8s.io/apimachinery/ reference\n* integration/images: add s390x builds for volume test images ([#13166](https://github.com/containerd/containerd/pull/13166))\n  * [`72919fbd6`](https://github.com/containerd/containerd/commit/72919fbd6693a18ca59231dd886152fd3f5ef8df) integration/images: add s390x builds for volume test images\n* Fix binary logging driver not blocking container start on failure ([#12595](https://github.com/containerd/containerd/pull/12595))\n  * [`cf772973c`](https://github.com/containerd/containerd/commit/cf772973cfbe52eba6d7650960351990777cdcc9) process/io: ignore SIGTERM exit in cancel() to fix flaky test\n  * [`22e6e1541`](https://github.com/containerd/containerd/commit/22e6e1541c2f272541888dbbfe79bf5fcd78f1b3) Add binary-v2 logging readiness scheme\n* content: use descriptor digest algorithm instead of assuming sha256 ([#13036](https://github.com/containerd/containerd/pull/13036))\n  * [`2a14c4254`](https://github.com/containerd/containerd/commit/2a14c4254580ee47659a8ef991ab873123f0de8a) pkg/oci: fix fake image digest computation in tests\n  * [`9423378f6`](https://github.com/containerd/containerd/commit/9423378f641ec3dd765d09ed7289634e4e483096) content: use descriptor digest algorithm instead of assuming sha256\n* Move runtime v2 docs to ./docs ([#13163](https://github.com/containerd/containerd/pull/13163))\n  * [`169e00038`](https://github.com/containerd/containerd/commit/169e0003896817c679016761c1c45ebec7851a58) Move runtime v2 docs to ./docs\n* Honor stderrthreshold when logtostderr is enabled ([#13132](https://github.com/containerd/containerd/pull/13132))\n  * [`2a69c0d2c`](https://github.com/containerd/containerd/commit/2a69c0d2c80b0baf58565b78d5e1178666482248) Honor stderrthreshold when logtostderr is enabled\n* script/setup: update runc binary to v1.4.2 ([#13155](https://github.com/containerd/containerd/pull/13155))\n  * [`143c566fc`](https://github.com/containerd/containerd/commit/143c566fcc67e38762c6a0616f8bc0666f6077a5) update runc binary to v1.4.2\n* pause image 3.10.1 -> 3.10.2 for add Windows Server 2025 (ltsc2025) s… ([#13156](https://github.com/containerd/containerd/pull/13156))\n  * [`05d3b3158`](https://github.com/containerd/containerd/commit/05d3b31586fbb61a0a908073d70740f4ee7c03ee) pause image 3.10.1 -> 3.10.2 for add Windows Server 2025 (ltsc2025) support\n* Use latest k8s 1.36 ([#13076](https://github.com/containerd/containerd/pull/13076))\n  * [`1fc92e63d`](https://github.com/containerd/containerd/commit/1fc92e63ddde9d15f65b314560bc517f44086eeb) switch from `internal/cri/streamingserver` to `k8s.io/cri-streaming`\n  * [`1b67e7854`](https://github.com/containerd/containerd/commit/1b67e78540fd8240409e9a031f4b40da6237de54) switch from k8s.io/apimachinery/pkg/util/httpstream to k8s.io/streaming/pkg/httpstream\n* Skip TestExportAndImportMultiLayer on s390x ([#13149](https://github.com/containerd/containerd/pull/13149))\n  * [`2b7085767`](https://github.com/containerd/containerd/commit/2b7085767c4966871eec29ea1d3dd065b6fd2461) Skip TestExportAndImportMultiLayer on s390x\n* fix: handle nil spec for hostNetwork containers ([#13131](https://github.com/containerd/containerd/pull/13131))\n  * [`b32cecd31`](https://github.com/containerd/containerd/commit/b32cecd3181d5cfc4f688d106270600a47f7f6fd) fix: handle nil spec for hostNetwork containers\n* Add `os.features` support for EROFS native container images ([#13091](https://github.com/containerd/containerd/pull/13091))\n  * [`940076477`](https://github.com/containerd/containerd/commit/940076477e581c28307ad326b3cd8244ba6cb8e4) client/image: check if the snapshotter supports forcely if `os.feature` is set\n  * [`f8367b8ad`](https://github.com/containerd/containerd/commit/f8367b8ad260095a55661aaa87af8f3e1adc6af6) client: remove toPlatforms()\n  * [`cb93966b9`](https://github.com/containerd/containerd/commit/cb93966b9f952c5f8f9aff0ba44b13ce6e26b8a8) transfer: Default to the EROFS snapshotter and differ for EROFS images\n  * [`146930e91`](https://github.com/containerd/containerd/commit/146930e91de7598fa93161cb96d16208f1eff866) api: add `os_features` to api/types/platform.proto\n  * [`56a6fdbe5`](https://github.com/containerd/containerd/commit/56a6fdbe5b70e708ab0e28713eba4687c6836a9b) Update github.com/containerd/platforms to v1.0.0-rc.4\n* build(deps): bump github/codeql-action from 4.33.0 to 4.35.1 ([#13141](https://github.com/containerd/containerd/pull/13141))\n  * [`1be404a95`](https://github.com/containerd/containerd/commit/1be404a9551ee3bc4f1f74f6bc8dee58aee6332b) build(deps): bump github/codeql-action from 4.33.0 to 4.35.1\n* build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0 ([#13142](https://github.com/containerd/containerd/pull/13142))\n  * [`44f01d4e7`](https://github.com/containerd/containerd/commit/44f01d4e717b9f9a2ec8f9309fa19a7e0d4ab593) build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0\n* build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 ([#12962](https://github.com/containerd/containerd/pull/12962))\n  * [`12cbacee6`](https://github.com/containerd/containerd/commit/12cbacee693c2ffdd8261652c559f61c58136655) build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0\n* build(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 ([#12964](https://github.com/containerd/containerd/pull/12964))\n  * [`77a623118`](https://github.com/containerd/containerd/commit/77a623118175b0bc7dccaa9b2a00db5c201f7071) build(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0\n* Add dmverity support to the erofs snapshotter using go-dmverity ([#12502](https://github.com/containerd/containerd/pull/12502))\n  * [`50f5461fb`](https://github.com/containerd/containerd/commit/50f5461fb715f217187181deefae3890edf87e84) Add dmverity support to the erofs snapshotter using veritysetup-go\n* Bump Go to 1.26.0 ([#13090](https://github.com/containerd/containerd/pull/13090))\n  * [`0130ae9aa`](https://github.com/containerd/containerd/commit/0130ae9aa8514b49a3e16f6c75ae51c80aca2a2f) Bump Go to 1.26.0\n* Update crun version to 1.27 and enable in mount options test ([#13144](https://github.com/containerd/containerd/pull/13144))\n  * [`9f62f84c5`](https://github.com/containerd/containerd/commit/9f62f84c5d97700d1fba3b2edf0e3c476f2f92df) Update crun version to 1.27 and enable in mount options test\n* core/remotes: MakeRefKey: update godoc and change Warn to Debug logs ([#13134](https://github.com/containerd/containerd/pull/13134))\n  * [`55f622c76`](https://github.com/containerd/containerd/commit/55f622c763832044f971f17efff6216da924281b) core/remotes: MakeRefKey: update godoc and change Warn to Debug logs\n* tracing: add option to inject trace ID into logrus fields ([#13117](https://github.com/containerd/containerd/pull/13117))\n  * [`10c30fb74`](https://github.com/containerd/containerd/commit/10c30fb74a520412c809d8c7f0ff1b676052d0bc) tracing: add option to inject trace ID into logrus fields\n* build(deps): bump azure/CLI from 2.2.0 to 3.0.0 ([#13140](https://github.com/containerd/containerd/pull/13140))\n  * [`0ffd99a0e`](https://github.com/containerd/containerd/commit/0ffd99a0e001a33cb60c750f5cc5a1af625097f2) build(deps): bump azure/CLI from 2.2.0 to 3.0.0\n* build(deps): bump azure/login from 2.3.0 to 3.0.0 ([#13105](https://github.com/containerd/containerd/pull/13105))\n  * [`5f813b59c`](https://github.com/containerd/containerd/commit/5f813b59cde98cfa583b3e0dbd5917dfb543eedb) build(deps): bump azure/login from 2.3.0 to 3.0.0\n* build(deps): bump actions/cache from 5.0.3 to 5.0.4 ([#13106](https://github.com/containerd/containerd/pull/13106))\n  * [`3248957cf`](https://github.com/containerd/containerd/commit/3248957cf8a3793743eea6634df42b7ad7c37680) build(deps): bump actions/cache from 5.0.3 to 5.0.4\n* cri: mirror cadvisor UsageNanoCores semantics ([#13138](https://github.com/containerd/containerd/pull/13138))\n  * [`66a1d3a60`](https://github.com/containerd/containerd/commit/66a1d3a6076093bfb271f3724dcb2535c16e1f75) cri: mirror cadvisor UsageNanoCores semantics\n* fix: hide `go-cmp` library from the non-test code path ([#12175](https://github.com/containerd/containerd/pull/12175))\n  * [`ea945443a`](https://github.com/containerd/containerd/commit/ea945443acf62c4b5b1357c6b3c768a4b8344fc7) fix: hide `go-cmp` library from the non-test code path\n* feat: Allow containers to use both host network and user namespace ([#12518](https://github.com/containerd/containerd/pull/12518))\n  * [`339b0cc17`](https://github.com/containerd/containerd/commit/339b0cc17119f4354be1156fe099ecf9f838719c) add integration test\n  * [`7d7c56357`](https://github.com/containerd/containerd/commit/7d7c56357a425eb05e888b6d6193df5c2d6fb9ca) add unit tests\n  * [`93cf5418b`](https://github.com/containerd/containerd/commit/93cf5418b9ac498163b9fb15efedaea951a0309d) Allow user namespace with hostNetwork in container\n* allow to pass multiple extra arguments to critest ([#13114](https://github.com/containerd/containerd/pull/13114))\n  * [`7ea6bb604`](https://github.com/containerd/containerd/commit/7ea6bb604b6fb323f6b896bb17cb35159ddcdc3e) allow to pass multiple extra arguments to critest\n* Tweak mount info for overlayfs in case of parallel unpack ([#13115](https://github.com/containerd/containerd/pull/13115))\n  * [`3382fb716`](https://github.com/containerd/containerd/commit/3382fb71624bdea558b18f5ff77c55e02af0e504) Tweak mount info for overlayfs in case of parallel unpack\n  * [`68e128cf0`](https://github.com/containerd/containerd/commit/68e128cf033d5e5e8a329417dda1a21645872710) Add integration test for issue 13030\n* fix: avoid content storage pollution by limiting the fallback on ref resolution ([#13017](https://github.com/containerd/containerd/pull/13017))\n  * [`9b7fa6131`](https://github.com/containerd/containerd/commit/9b7fa61316205b0d92fca50fc2d97e6860253852) fix:avoid content storage pollution by limiting the fallback on ref resolution\n* chore: Add explicit digest requirement to docker pusher ([#12861](https://github.com/containerd/containerd/pull/12861))\n  * [`4f35b756e`](https://github.com/containerd/containerd/commit/4f35b756e2ec6094154c749f0cfd14bc0126beee) chore: Add explicit digest requirement to docker pusher\n* Fix send stream data with EOF ([#12968](https://github.com/containerd/containerd/pull/12968))\n  * [`da5e548ef`](https://github.com/containerd/containerd/commit/da5e548ef36f97fd733ce206f066a9145c122892) Add fix for send stream encountering EOF with data\n  * [`cd15c253d`](https://github.com/containerd/containerd/commit/cd15c253dcbc0fdc079dfb116febd1b85f4176e5) Add test for streaming EOF with data\n* core/mount: Reject X-containerd.* options before kernel mount ([#12557](https://github.com/containerd/containerd/pull/12557))\n  * [`6f7bb4862`](https://github.com/containerd/containerd/commit/6f7bb48624be0d9e1e3007c010a276e78c626fa5) core/mount: Filter X-containerd.* options before kernel mount\n* Wire UpdatePodSandboxResources to Sandbox API ([#13118](https://github.com/containerd/containerd/pull/13118))\n  * [`33db836a8`](https://github.com/containerd/containerd/commit/33db836a8b06000e8afb5bba947c299ae721878a) Wire UpdatePodSandboxResources to Sandbox API\n  * [`e6c7f3723`](https://github.com/containerd/containerd/commit/e6c7f37235b30a3e697a3411045a9d00ab876c63) Add unit tests for CRI resource updates\n* Propagate OpenTelemetry traces in outgoing RPCs from plugin clients ([#13113](https://github.com/containerd/containerd/pull/13113))\n  * [`dc5806cd9`](https://github.com/containerd/containerd/commit/dc5806cd949178f776dec8dc83e51dd1feea65a3) Propagate OpenTelemetry traces in outgoing RPCs from plugin clients\n* Preserve cgroup mount options for privileged containers ([#12952](https://github.com/containerd/containerd/pull/12952))\n  * [`0eef29a1a`](https://github.com/containerd/containerd/commit/0eef29a1a92474f9dfb9c21e70790b25221cabdc) Add integration test for privileged container cgroup mounts\n  * [`d2f67d399`](https://github.com/containerd/containerd/commit/d2f67d399022ed170f0fa836c01b47c72f434c35) Forward RUNC_FLAVOR env var down to integration tests\n  * [`f84ddfa4f`](https://github.com/containerd/containerd/commit/f84ddfa4fbb9741633bf722ceea943ded2205b15) Preserve host cgroup mount options for privileged containers\n  * [`e15141a1f`](https://github.com/containerd/containerd/commit/e15141a1fd920da2eb02e9f5f634dcd43592dc8c) Move cgroup namespace placement higher in spec builder\n* build(deps): bump the k8s group with 3 updates ([#13107](https://github.com/containerd/containerd/pull/13107))\n  * [`46bd9a75c`](https://github.com/containerd/containerd/commit/46bd9a75cd93612396f496018379d70a95d2ccbc) build(deps): bump the k8s group with 3 updates\n* build(deps): bump the otel group across 1 directory with 5 updates ([#13109](https://github.com/containerd/containerd/pull/13109))\n  * [`ca88ae583`](https://github.com/containerd/containerd/commit/ca88ae583c71616b96ae8ff4523e161a65e3b961) build(deps): bump the otel group across 1 directory with 5 updates\n* build(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5 ([#13110](https://github.com/containerd/containerd/pull/13110))\n  * [`68ba0d02c`](https://github.com/containerd/containerd/commit/68ba0d02c948d43e777167d4c18049246bd7d661) build(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5\n* build(deps): bump github.com/containerd/platforms from 1.0.0-rc.2 to 1.0.0-rc.3 ([#13108](https://github.com/containerd/containerd/pull/13108))\n  * [`b39efcb82`](https://github.com/containerd/containerd/commit/b39efcb82e35df58716134c8a3553ec46d226f89) build(deps): bump github.com/containerd/platforms\n* transfer: fix the differ selection if differ is \"\" ([#13080](https://github.com/containerd/containerd/pull/13080))\n  * [`dc9cb1dfd`](https://github.com/containerd/containerd/commit/dc9cb1dfd5b45546be45f6f26a10fddeddc343da) transfer: fix the differ selection if differ is \"\"\n* Propagate parent chain ID and diff ID via labels during snapshot preparation ([#13071](https://github.com/containerd/containerd/pull/13071))\n  * [`ca7461cbe`](https://github.com/containerd/containerd/commit/ca7461cbe135cc7964727ef98ec7ed09fb485438) Propagate diff ID and parent chain ID via labels in Prepare RPC\n* runc-shim: fix exec PID error message and fmt verb ([#13088](https://github.com/containerd/containerd/pull/13088))\n  * [`ee7441ddf`](https://github.com/containerd/containerd/commit/ee7441ddfc1d1c42c18fa16656223ba13d12fd2a) runc-shim: fix exec PID error message and fmt verb\n* build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api ([#13099](https://github.com/containerd/containerd/pull/13099))\n  * [`d323efc2b`](https://github.com/containerd/containerd/commit/d323efc2bfaf8425c8a2f1ceeb34e8230eb16f8d) build(deps): bump google.golang.org/grpc from 1.59.0 to 1.79.3 in /api\n* Add section about AI and automation in contributor's guide ([#13092](https://github.com/containerd/containerd/pull/13092))\n  * [`ac4806383`](https://github.com/containerd/containerd/commit/ac48063835ccf894edec168f9292e4cb71a1558a) Add section about AI and automation in contributor's guide\n* build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 ([#13098](https://github.com/containerd/containerd/pull/13098))\n  * [`6d31c1875`](https://github.com/containerd/containerd/commit/6d31c1875c845f0a75c1d7d588653ee8d53f5133) build(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3\n* script/setup: update critools to v1.35.0 ([#13093](https://github.com/containerd/containerd/pull/13093))\n  * [`c873059d0`](https://github.com/containerd/containerd/commit/c873059d00c9b2bb632674f8217bcc7fc3a624fa) script/setup: update critools to v1.35.0\n* fix linter issues ([#13089](https://github.com/containerd/containerd/pull/13089))\n  * [`27f0b1293`](https://github.com/containerd/containerd/commit/27f0b12937b7c8fc04b8a638143b9880f6b2e88d) fix linter issues\n* readme: remove announcement for 2.0 ([#13073](https://github.com/containerd/containerd/pull/13073))\n  * [`56288d42b`](https://github.com/containerd/containerd/commit/56288d42b904dbee2378de891df0fd7d52badf11) readme: remove announcement for 2.0\n* releases: clarify extended support for 1.7 ([#13067](https://github.com/containerd/containerd/pull/13067))\n  * [`7eedcb4d9`](https://github.com/containerd/containerd/commit/7eedcb4d949c8b5339d65010108d9147f73a2f3f) releases: clarify extended support for 1.7\n* update runc binary to v1.4.1 ([#13057](https://github.com/containerd/containerd/pull/13057))\n  * [`a865de1b4`](https://github.com/containerd/containerd/commit/a865de1b43bc9d447edbfda32729ce9941fd6dcf) update runc binary to v1.4.1\n* Fix vagrant on CI ([#13055](https://github.com/containerd/containerd/pull/13055))\n  * [`85dedefa0`](https://github.com/containerd/containerd/commit/85dedefa091b2dea4a949bcb6146dcef2a81c8cf) Ignore NOCHANGE error\n* Prepare release notes for v2.3.0-beta.0 ([#13048](https://github.com/containerd/containerd/pull/13048))\n  * [`86d41cdd1`](https://github.com/containerd/containerd/commit/86d41cdd158b0905ae0bc718907607db1e543cf8) Prepare release notes for v2.3.0-beta.0\n  * [`93ee55d86`](https://github.com/containerd/containerd/commit/93ee55d86618cfaee8812859cbd6623ba0181da5) Update api version to use v1.11.0-beta.0\n  * [`34a6756fa`](https://github.com/containerd/containerd/commit/34a6756fa44be8a7985adfd0a0e7cf1a044427ff) Update mailmap before release\n* pkg/shim: Fix NewSocket directory permissions ([#12960](https://github.com/containerd/containerd/pull/12960))\n  * [`8f44dc45e`](https://github.com/containerd/containerd/commit/8f44dc45eacd4f66483bb556aff56062ec5cf57e) pkg/shim: Remove Darwin-specific socket permissions\n  * [`910631704`](https://github.com/containerd/containerd/commit/910631704eeb5ac337d46c9f8fbf0d117f17e68a) pkg/shim: Fix NewSocket directory permissions\n  * [`31c630726`](https://github.com/containerd/containerd/commit/31c6307262aa0562929000c6bffddde6cab7da81) pkg/shim: Add unit tests\n* build(deps): bump github.com/containernetworking/plugins from 1.9.0 to 1.9.1 ([#13042](https://github.com/containerd/containerd/pull/13042))\n  * [`8c1fe6744`](https://github.com/containerd/containerd/commit/8c1fe67445cde2a066325a1bf450cffd28148355) build(deps): bump github.com/containernetworking/plugins\n* build(deps): bump github.com/intel/goresctrl from 0.11.0 to 0.12.0 ([#13043](https://github.com/containerd/containerd/pull/13043))\n  * [`4bcb190bf`](https://github.com/containerd/containerd/commit/4bcb190bf60d1c9766ed5c006a8bf89be98e1285) build(deps): bump github.com/intel/goresctrl from 0.11.0 to 0.12.0\n* Prepare release notes for api/v1.11.0-beta.0 ([#13045](https://github.com/containerd/containerd/pull/13045))\n  * [`aac6b5348`](https://github.com/containerd/containerd/commit/aac6b53488f05253f88fb061fed6674630feb41f) Prepare release notes for api/v1.11.0-beta.0\n* Permission denied when attempting os.Chmod the config.Root during server startup ([#12521](https://github.com/containerd/containerd/pull/12521))\n  * [`713d21281`](https://github.com/containerd/containerd/commit/713d212811453dde463eed9c2af47417445acd35) containerd operating without root permissions receives a permissions denied error\n* golangci-lint: enable modernize linter, and fix modernize for other GOOS ([#13047](https://github.com/containerd/containerd/pull/13047))\n  * [`6b58f1344`](https://github.com/containerd/containerd/commit/6b58f13443c0042b13374b85236c596f21bc7a5e) replace some uses of `interface{}` in (go)docs\n  * [`bded42c57`](https://github.com/containerd/containerd/commit/bded42c57d43538bcf99906a16b0dae01ad04ee8) golangci-lint: enable modernize linter\n  * [`a5cfa74d5`](https://github.com/containerd/containerd/commit/a5cfa74d5e94c5dd0458dd79b8dbbf3494381a6a) integration: modernize: omitzero\n  * [`22fd63994`](https://github.com/containerd/containerd/commit/22fd63994e42340129ded0adf845845c50f70800) *: modernize: stringscutprefix\n  * [`860d97854`](https://github.com/containerd/containerd/commit/860d97854f594470c0510cbf2986ed148cab74fa) plugins: modernize: plusbuild\n  * [`9bdcacc45`](https://github.com/containerd/containerd/commit/9bdcacc45f543ef10737f1701621689142dd58a4) *: modernize: waitgroup\n  * [`24012ef8f`](https://github.com/containerd/containerd/commit/24012ef8f6077a9cac726dbfbec2902b8f6733f4) *: modernize: stringscut, stringsseq, slicescontains, fmtappendf\n  * [`4dd7c13ac`](https://github.com/containerd/containerd/commit/4dd7c13ac43c700242bdb67f185ee3e4d215d1a6) *: modernize: stringscut, stringsseq\n  * [`49a524969`](https://github.com/containerd/containerd/commit/49a5249692e99b97d83646e7847fa32355702344) internal/cri/nri: modernize: mapsloop\n  * [`1ed2b15c0`](https://github.com/containerd/containerd/commit/1ed2b15c084ff0e43922ce6b5a52b0364818742c) *: modernize: minmax\n  * [`8fcf3a3cf`](https://github.com/containerd/containerd/commit/8fcf3a3cf192f58fc1f4e2b7579a73a5d968e933) *: modernize: rangeint\n  * [`9ee303d70`](https://github.com/containerd/containerd/commit/9ee303d70e502b15750f7de834a0ed0e23a21f3d) *: modernize: any\n  * [`33dfe461c`](https://github.com/containerd/containerd/commit/33dfe461c265324fe8c336af501f01cb1415becd) internal: modernize: any\n  * [`a122afe13`](https://github.com/containerd/containerd/commit/a122afe13bcad816c84823b42f0c982da5e3cac3) cmd: modernize: any\n  * [`5ccb35662`](https://github.com/containerd/containerd/commit/5ccb356620fc2b1564f76bbca91b096ff3a49a87) plugins: modernize: any\n  * [`73c96c54e`](https://github.com/containerd/containerd/commit/73c96c54eda0783e4967518ac887d442e4fcc400) pkg: modernize: any\n* build(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 ([#13040](https://github.com/containerd/containerd/pull/13040))\n  * [`f1771b336`](https://github.com/containerd/containerd/commit/f1771b3363fdfbe088e1ec8ee66529d12ac77524) build(deps): bump actions/download-artifact from 8.0.0 to 8.0.1\n* build(deps): bump golang.org/x/mod from 0.33.0 to 0.34.0 in the golang-x group ([#13038](https://github.com/containerd/containerd/pull/13038))\n  * [`e1cb8b372`](https://github.com/containerd/containerd/commit/e1cb8b372dd53771f4899e3e7dbb15d91cefa2b6) build(deps): bump golang.org/x/mod in the golang-x group\n* internal/cri/setutils: remove unused, deprecated utils ([#13031](https://github.com/containerd/containerd/pull/13031))\n  * [`177241be5`](https://github.com/containerd/containerd/commit/177241be5fc092e4ab4de68f1562d6b181457b0f) internal/cri/setutils: remove unused, deprecated utils\n  * [`be7846652`](https://github.com/containerd/containerd/commit/be7846652c064202415504160c3c18ebda481f04) internal/cri/util: replace uses of deprecated String set\n* build(deps): bump github/codeql-action from 4.32.6 to 4.33.0 ([#13039](https://github.com/containerd/containerd/pull/13039))\n  * [`44474600b`](https://github.com/containerd/containerd/commit/44474600bac162d0de2c8d7569e574b8d6500fc2) build(deps): bump github/codeql-action from 4.32.6 to 4.33.0\n* build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 ([#13041](https://github.com/containerd/containerd/pull/13041))\n  * [`b5dba0fbc`](https://github.com/containerd/containerd/commit/b5dba0fbc88fdadf10ad236b68eecbb37fdfc654) build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1\n* *: modernize code ([#13022](https://github.com/containerd/containerd/pull/13022))\n  * [`c2da6482e`](https://github.com/containerd/containerd/commit/c2da6482ebde5964ef55eb350e704dd31fe4a7f5) core: go fix \"inline\"\n  * [`9f016e381`](https://github.com/containerd/containerd/commit/9f016e381a9ee7758d7d297908e3d373f72fb276) core: modernize: omitzero\n  * [`a499b17f2`](https://github.com/containerd/containerd/commit/a499b17f21f2e98267eaa673c78a3c970d6d8b12) *: modernize: stringscutprefix\n  * [`fc3165188`](https://github.com/containerd/containerd/commit/fc3165188e47a89d7644475a9209a8e9f93c18a6) core: modernize: stringsbuilder\n  * [`9a46e30a2`](https://github.com/containerd/containerd/commit/9a46e30a25c75b6a088d7bebc9a2d852e5a40b35) internal: modernize: slicessort\n  * [`16e340f32`](https://github.com/containerd/containerd/commit/16e340f3269acaadcbb8e8b44e01391dad590090) *: modernize: plusbuild\n  * [`2fd5da21e`](https://github.com/containerd/containerd/commit/2fd5da21ed2357283c8411e9db2e192d1816a362) *: modernize: waitgroup\n  * [`78f40c714`](https://github.com/containerd/containerd/commit/78f40c714e06612a58e23ad3d6c9c8db572eaf6f) integration: modernize: any\n  * [`26c2ae590`](https://github.com/containerd/containerd/commit/26c2ae5900dec4f9a45336cb566afaf54d57728d) internal: modernize: any\n  * [`828c2119e`](https://github.com/containerd/containerd/commit/828c2119e52122d7e2a026d7f3cdaf8141aaed98) pkg: modernize: any\n  * [`4b6cc97c4`](https://github.com/containerd/containerd/commit/4b6cc97c4d2bad7f3155bd131618397de56a0036) plugins: modernize: any\n  * [`92b0b289e`](https://github.com/containerd/containerd/commit/92b0b289e3a215eee5dfba929b21c493db732419) core: modernize: any\n  * [`29030ff92`](https://github.com/containerd/containerd/commit/29030ff927f8f18789da520a1595aa12b779a3ce) cmd: modernize: any\n  * [`ff8a70cc0`](https://github.com/containerd/containerd/commit/ff8a70cc0f94cdf77fe2c454e5fc424900ce28e3) client: modernize: any\n  * [`cd3d63d91`](https://github.com/containerd/containerd/commit/cd3d63d913390d15b83f086f635bd4b6d860fe9a) *: modernize: fmtappendf\n  * [`18c74abd5`](https://github.com/containerd/containerd/commit/18c74abd562c3cdd39f53d27de664e8ade65716f) *: modernize: slicescontains\n  * [`1754af311`](https://github.com/containerd/containerd/commit/1754af311e00382a7023d9513650c95a57abcf2a) *: modernize: stringsseq\n  * [`b050f47ef`](https://github.com/containerd/containerd/commit/b050f47efc7f1a6b4c017ed6ee512e64fcb71b79) *: modernize: testingcontext\n  * [`0ecd8f43e`](https://github.com/containerd/containerd/commit/0ecd8f43edd46e7efabd38ab9f7be1bf2bd9205d) core: modernize: stringscut\n  * [`09f7154db`](https://github.com/containerd/containerd/commit/09f7154dbd81b06d445249b93e646ecc6f8b915d) *: modernize: mapsloop\n  * [`bc5681028`](https://github.com/containerd/containerd/commit/bc56810287248ced07ea9aebddbf3028bcdef723) client: modernize: mapsloop\n  * [`656c48f0e`](https://github.com/containerd/containerd/commit/656c48f0e5f813784b287823565ded40b0b61920) internal: modernize: mapsloop\n  * [`7bea4fa95`](https://github.com/containerd/containerd/commit/7bea4fa95420343b44860e78f91d0cbf29c5e538) core: modernize: mapsloop\n  * [`5dd377a6a`](https://github.com/containerd/containerd/commit/5dd377a6aedeb8710f1f13e5edcbb733f953c54c) pkg: modernize: mapsloop\n  * [`0d0e77640`](https://github.com/containerd/containerd/commit/0d0e77640862c607a5c8a6b81311637e6403f655) internal: modernize: minmax\n  * [`73e83de4b`](https://github.com/containerd/containerd/commit/73e83de4b9a1bcf8dee47e6e7a229335ca3b536d) *: modernize: rangeint\n  * [`3723a6709`](https://github.com/containerd/containerd/commit/3723a67092680f389ef6a6a007d4bfbb3617cf2d) core: modernize: rangeint\n  * [`b35d9ea92`](https://github.com/containerd/containerd/commit/b35d9ea9298ae6dfa2b2f576a3ebd967764fce5c) plugins: modernize: rangeint\n  * [`96326ad1f`](https://github.com/containerd/containerd/commit/96326ad1f710b46f047facf42b9eec5979009d53) internal: modernize: rangeint\n  * [`335422129`](https://github.com/containerd/containerd/commit/3354221293c0e6dd842f70eda4e3a6b2ba1c8ba4) pkg: modernize: rangeint\n* fix: correct typos found by codespell ([#13018](https://github.com/containerd/containerd/pull/13018))\n  * [`aa600f65d`](https://github.com/containerd/containerd/commit/aa600f65dd8f1e3447e9730e6f0bc0c3cc69a325) fix: correct typos found by codespell\n* nri: add dependency on internal tracing plugin ([#12947](https://github.com/containerd/containerd/pull/12947))\n  * [`3e9f21c43`](https://github.com/containerd/containerd/commit/3e9f21c4390d9cc5553b8cccc875a981874261c3) nri: add dependency on internal tracing plugin\n* Update EROFS snapshotter documentation ([#13029](https://github.com/containerd/containerd/pull/13029))\n  * [`255ed2c18`](https://github.com/containerd/containerd/commit/255ed2c18383d1f8eb1c231bd683b66566b6c232) snapshots/erofs: Update EROFS snapshotter documentation\n* Avoid ineffective chown on create snapshot when in erofs snapshotter ([#13028](https://github.com/containerd/containerd/pull/13028))\n  * [`b2eeb8635`](https://github.com/containerd/containerd/commit/b2eeb8635ebe90dc3a851849604eb93475536a63) snapshotter/erofs: avoid ineffective chown on create snapshot when in block mode\n* core/remotes/docker: include \"method\" and \"url\" in logs, and sanitize URLs in logs/errors ([#12859](https://github.com/containerd/containerd/pull/12859))\n  * [`642be181d`](https://github.com/containerd/containerd/commit/642be181dce56fceaef63a4e432195a1019e124b) core/remotes/docker: include \"method\" and \"url\" in logs\n  * [`64cc8cdec`](https://github.com/containerd/containerd/commit/64cc8cdec1b022197eef44a196b0c19db8d684df) core/remotes/docker: add request.sanitizedURL for logging and errors\n* build(deps): bump crazy-max/ghaction-github-runtime from 3.1.0 to 4.0.0 ([#12965](https://github.com/containerd/containerd/pull/12965))\n  * [`5d6032f8a`](https://github.com/containerd/containerd/commit/5d6032f8a2f914728b3de59c69e49a487da4fd0c) build(deps): bump crazy-max/ghaction-github-runtime from 3.1.0 to 4.0.0\n* Update plugin config migration to run on load ([#12608](https://github.com/containerd/containerd/pull/12608))\n  * [`0d7fee062`](https://github.com/containerd/containerd/commit/0d7fee0623430b8bf8ad6d48cd217b7b92ff1979) Update plugin config migration to run on load\n* fix(oci): apply absolute symlink resolution to /etc/group ([#12925](https://github.com/containerd/containerd/pull/12925))\n  * [`fc406dbc5`](https://github.com/containerd/containerd/commit/fc406dbc5ce50d05e37557e58eb00106d416b014) fix(oci): apply absolute symlink resolution to /etc/group\n* build(deps): bump the k8s group across 1 directory with 4 updates ([#13003](https://github.com/containerd/containerd/pull/13003))\n  * [`c8039838e`](https://github.com/containerd/containerd/commit/c8039838ee7983978da522412a0db440660720c0) build(deps): bump the k8s group across 1 directory with 4 updates\n* build(deps): bump github/codeql-action from 4.32.5 to 4.32.6 ([#13001](https://github.com/containerd/containerd/pull/13001))\n  * [`78777c33a`](https://github.com/containerd/containerd/commit/78777c33a62732cc7b910cc2eb69148afea09892) build(deps): bump github/codeql-action from 4.32.5 to 4.32.6\n* build(deps): bump the golang-x group with 3 updates ([#13002](https://github.com/containerd/containerd/pull/13002))\n  * [`f6957abcb`](https://github.com/containerd/containerd/commit/f6957abcb8e96a5219fc48c42d87c1cbe9772254) build(deps): bump the golang-x group with 3 updates\n* build(deps): bump docker/login-action from 3.7.0 to 4.0.0 ([#13000](https://github.com/containerd/containerd/pull/13000))\n  * [`b77ab0238`](https://github.com/containerd/containerd/commit/b77ab0238165fa15552ab7eeb02c6b6ade684382) build(deps): bump docker/login-action from 3.7.0 to 4.0.0\n* build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2 ([#13004](https://github.com/containerd/containerd/pull/13004))\n  * [`8e13c9df6`](https://github.com/containerd/containerd/commit/8e13c9df655f88e65076bf0e3c80961cffbfdf7f) build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2\n* deprecations: delay to 2.4 per Upgrade Path rules ([#13009](https://github.com/containerd/containerd/pull/13009))\n  * [`b0eb3e51b`](https://github.com/containerd/containerd/commit/b0eb3e51b9195b5627c987506db54e8da2d68f5b) deprecations: delay to 2.4 per Upgrade Path rules\n* docs: update outdated content fetch help text ([#13016](https://github.com/containerd/containerd/pull/13016))\n  * [`01d094d66`](https://github.com/containerd/containerd/commit/01d094d663386d8e8fcb2a2943f2e4bd11e7a664) docs: update outdated content fetch help text\n* update to go1.25.8, test go1.26.1 ([#12985](https://github.com/containerd/containerd/pull/12985))\n  * [`38b3e4c4a`](https://github.com/containerd/containerd/commit/38b3e4c4aa6b39518c7eb2e86376099fe195ea82) update to go1.25.8, test go1.26.1\n* build(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 ([#12999](https://github.com/containerd/containerd/pull/12999))\n  * [`0a3d8ba54`](https://github.com/containerd/containerd/commit/0a3d8ba54d69832fe9934900287854b1750db62e) build(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0\n* streaming io: fix connection residual after stream closed ([#10458](https://github.com/containerd/containerd/pull/10458))\n  * [`b84751126`](https://github.com/containerd/containerd/commit/b84751126e66937a4c1d4d452d538f9b41a01866) streaming io: fix connection residual after stream closed\n* fix migrated cri image config when using registry ([#12617](https://github.com/containerd/containerd/pull/12617))\n  * [`1d77b68f0`](https://github.com/containerd/containerd/commit/1d77b68f0e6f5fa93d93b66c45322eb20edec476) set default config_path in plugin init\n* Update ttrpc to v1.2.8 ([#12977](https://github.com/containerd/containerd/pull/12977))\n  * [`d6808b71a`](https://github.com/containerd/containerd/commit/d6808b71a11527071ff33680a6e832f182d97ed9) Update ttrpc to v1.2.8\n* Introduce Windows Arm64 build in CI workflow ([#12974](https://github.com/containerd/containerd/pull/12974))\n  * [`62f479a53`](https://github.com/containerd/containerd/commit/62f479a53c2bcee076e7198bb2d7143385d47d50) Introduce Windows Arm64 build in CI workflow\n* build(deps): bump github/codeql-action from 4.32.4 to 4.32.5 ([#12966](https://github.com/containerd/containerd/pull/12966))\n  * [`44b885251`](https://github.com/containerd/containerd/commit/44b8852514c8e2ddd5612eaece1a726425878c4d) build(deps): bump github/codeql-action from 4.32.4 to 4.32.5\n* Fix TOCTOU race bug in tar extraction ([#12961](https://github.com/containerd/containerd/pull/12961))\n  * [`ba50a5645`](https://github.com/containerd/containerd/commit/ba50a5645c1d84b23501499c386010400b66a893) Fix TOCTOU race bug in tar extraction\n* release: update per 2026 proposal ([#12830](https://github.com/containerd/containerd/pull/12830))\n  * [`988c06f3c`](https://github.com/containerd/containerd/commit/988c06f3c06ecda9a97919ab146fb68bb40f2b7b) release: update per 2026 proposal\n* build(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 ([#12967](https://github.com/containerd/containerd/pull/12967))\n  * [`fa804247e`](https://github.com/containerd/containerd/commit/fa804247e61ec823d58aee10f69047e7571ac375) build(deps): bump actions/download-artifact from 7.0.0 to 8.0.0\n* build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 ([#12934](https://github.com/containerd/containerd/pull/12934))\n  * [`8384fb8db`](https://github.com/containerd/containerd/commit/8384fb8db2ab4d5e99a1543d92f32faa0f0adee7) build(deps): bump github/codeql-action from 4.32.3 to 4.32.4\n* ci: modprobe xt_comment on almalinux ([#12950](https://github.com/containerd/containerd/pull/12950))\n  * [`428749270`](https://github.com/containerd/containerd/commit/4287492700821c7ee8dab3ef8d099174d1654fda) ci: modprobe xt_comment on almalinux\n* ci: fix critools version used in windows tests ([#12845](https://github.com/containerd/containerd/pull/12845))\n  * [`6464c7a2c`](https://github.com/containerd/containerd/commit/6464c7a2c9a0eae2ff67a16cc6f87a69c0a89958) ci: use common cri-tools version for windows tests\n* core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values ([#12941](https://github.com/containerd/containerd/pull/12941))\n  * [`1466c5319`](https://github.com/containerd/containerd/commit/1466c531960cdbc7cb5e2837fa0b209deb432d83) core/mount: add test for getUnprivilegedMountFlags\n  * [`5d3b3447c`](https://github.com/containerd/containerd/commit/5d3b3447c7667d826eec59f9580c947ff24ecec6) core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values\n* Use new filtered cgroups stats API ([#12901](https://github.com/containerd/containerd/pull/12901))\n  * [`d7d7b10f9`](https://github.com/containerd/containerd/commit/d7d7b10f99d950990b1d6a56e468e186970a2e53) Use new filtered cgroup stats API\n* build(deps): bump actions/stale from 10.1.1 to 10.2.0 ([#12935](https://github.com/containerd/containerd/pull/12935))\n  * [`4f2b8e455`](https://github.com/containerd/containerd/commit/4f2b8e455a8c98138702b6a20f8ae147b0a4135f) build(deps): bump actions/stale from 10.1.1 to 10.2.0\n* Unpack images with per-layer labels for specific runtime ([#12835](https://github.com/containerd/containerd/pull/12835))\n  * [`871d58ca8`](https://github.com/containerd/containerd/commit/871d58ca8203caa5e53539e60927372bad7d8a8c) cri: unpack images with per-layer labels for runtime-specific snapshotters\n* api: regenerate and re-vendor protos ([#12913](https://github.com/containerd/containerd/pull/12913))\n  * [`4b4eb6715`](https://github.com/containerd/containerd/commit/4b4eb67150b724e0c0450cc92f295b8d6582ca9a) api: regenerate and re-vendor protos\n* fix: propagate `context deadline exceeded` error properly ([#12821](https://github.com/containerd/containerd/pull/12821))\n  * [`f078cebbd`](https://github.com/containerd/containerd/commit/f078cebbd11b16cd52559598e7bd778b1cc06e2a) fix: propagate `context deadline exceeded` error properly\n* cri: propagate runtime-specific snapshotters to image service ([#12836](https://github.com/containerd/containerd/pull/12836))\n  * [`e9622481f`](https://github.com/containerd/containerd/commit/e9622481f067ef09ba590a80b30628185fb28935) cri: propagate runtime-specific snapshotters to image service\n* Makefile: assorted cleanups ([#12916](https://github.com/containerd/containerd/pull/12916))\n  * [`d63c1dd1f`](https://github.com/containerd/containerd/commit/d63c1dd1f06a8c4464fbb6385e227d89a1181f0a) Makefile: use \"-C\" flag, and evaluate once\n  * [`43cf58a28`](https://github.com/containerd/containerd/commit/43cf58a289a9a63af5262fac5df670f7a1adeede) Makefile: fix indentation\n  * [`1f0f18f92`](https://github.com/containerd/containerd/commit/1f0f18f92c694379fd27ab3f5446221158ec652d) Makefile: remove redundant grep for vendor, integration\n  * [`7ffccac5c`](https://github.com/containerd/containerd/commit/7ffccac5cc3a06488a18d0aa192d699de525e025) Makefile: remove trailing slash from ROOTDIR\n* Make linter for release branches happy ([#12928](https://github.com/containerd/containerd/pull/12928))\n  * [`ce1c42baa`](https://github.com/containerd/containerd/commit/ce1c42baa788317fff97a80c7ebb05d1064ce638) make linter happy in release\n* Remove image service dependency from podsandbox controller ([#12849](https://github.com/containerd/containerd/pull/12849))\n  * [`151f82e57`](https://github.com/containerd/containerd/commit/151f82e57cd3ce4d0719ace3c806952690dbea4e) Fix ambiguous selector c.Config\n  * [`842528d86`](https://github.com/containerd/containerd/commit/842528d86f5c7ff9554686e2313332b66cce008a) Move pause container pulling to CRI\n  * [`dc897c5b2`](https://github.com/containerd/containerd/commit/dc897c5b285d8cb7bb2f9c68f255d3949129674e) Remove LocalResolve dependency from Controller\n  * [`01a85de2c`](https://github.com/containerd/containerd/commit/01a85de2c6a20795de67305b327d19ca4569602b) Fetch image from containerd store instead of CRI in-memory store\n  * [`13e791ef8`](https://github.com/containerd/containerd/commit/13e791ef8e9a87bdc8ed027279efa96453a0eda3) Remove GetImage dependency from Controller\n* Fix CNI issue where CNI DEL is never executed ([#12923](https://github.com/containerd/containerd/pull/12923))\n  * [`96dee5f64`](https://github.com/containerd/containerd/commit/96dee5f6440d147042aa61d7da2a7d10bcabbce5) add integration test for cni result nil\n  * [`1092b85a8`](https://github.com/containerd/containerd/commit/1092b85a8ce13fb0ec72b1e232b6a781ccef9214) address comment\n  * [`0b8471953`](https://github.com/containerd/containerd/commit/0b8471953764e4e490a11d77db0386ec622c6642) fix issue where cni del is never executed\n* Detect vendor in cdi specs to generate device IDs for --gpus ([#12839](https://github.com/containerd/containerd/pull/12839))\n  * [`090def056`](https://github.com/containerd/containerd/commit/090def05676db0c6518c3c2adaad7da49bb06161) Remove vendor lister and update tests\n  * [`7035fe813`](https://github.com/containerd/containerd/commit/7035fe813d042c01f99fcd458c61eca493d97f61) Add unit tests for gpuDeviceNames anddetectGPUVendor\n  * [`ab1a24989`](https://github.com/containerd/containerd/commit/ab1a24989f0abb70c8aebf82d7b27998b42b058f) Detect vendor in cdi specs to generate deviceIDs for --gpus\n* cmd: fix inconsistencies in command-line flags, and add missing `--version` flags ([#12868](https://github.com/containerd/containerd/pull/12868))\n  * [`e5ae0a882`](https://github.com/containerd/containerd/commit/e5ae0a8828e830b75bc51905bdfb5f11ef7d5f6d) cmd/shim: containerd-shim-runc-v2: add long-form '--version' flag\n  * [`0edde8fde`](https://github.com/containerd/containerd/commit/0edde8fde85e8a6a38fb1e2f870b0a45d2d1955c) cmd/containerd-stress: enable '--version' flag\n  * [`5fde7662f`](https://github.com/containerd/containerd/commit/5fde7662f1a5ec0ee776abe77dbec032f3957510) cmd/*: don't print default value for '--help' and '--version'\n* add check on version of drop in configs ([#12891](https://github.com/containerd/containerd/pull/12891))\n  * [`d40192b64`](https://github.com/containerd/containerd/commit/d40192b64af82c112fa7ee091ecd25c829066da1) assert exact error while loading drop in config\n  * [`21248d007`](https://github.com/containerd/containerd/commit/21248d00762ec572772c41e3bbb69a518e0a0eaf) add check on version of drop in configs\n* Don't bail out if no image verifiers available ([#12893](https://github.com/containerd/containerd/pull/12893))\n  * [`634401d24`](https://github.com/containerd/containerd/commit/634401d24c46cb8598cd3ea3fc0b500679ff83f5) Don't bail out if no image verifiers available\n* cmd/protoc-gen-go-fieldpath: add support for optional fields ([#12915](https://github.com/containerd/containerd/pull/12915))\n  * [`5ef537b38`](https://github.com/containerd/containerd/commit/5ef537b3876bca101789a0ceba7d0265510843bc) cmd/protoc-gen-go-fieldpath: add support for optional fields\n* contrib/apparmor: fix /proc/sys rule ([#12904](https://github.com/containerd/containerd/pull/12904))\n  * [`509882742`](https://github.com/containerd/containerd/commit/50988274259ca48c3b3716bd756a7cf7ad8c1cef) contrib/apparmor: fix /proc/sys rule\n* Remove Container field from sandbox metadata ([#12840](https://github.com/containerd/containerd/pull/12840))\n  * [`58c5ab444`](https://github.com/containerd/containerd/commit/58c5ab44423bfc69b395eb5a67723067463af7a9) Update proto\n  * [`528a2bada`](https://github.com/containerd/containerd/commit/528a2bada6686fa8f3506ae3bbf72a4821618b49) Add lifecycle workaround to NRI\n  * [`7474a0b2b`](https://github.com/containerd/containerd/commit/7474a0b2b53a4f61d2106d12fc1759e0cab7a6ad) Fix fetching sandbox metadata\n  * [`8ccf18724`](https://github.com/containerd/containerd/commit/8ccf18724f691f7f5503faf0b004334eb9f92cf3) Update sandbox API to include spec field\n  * [`41f92ec37`](https://github.com/containerd/containerd/commit/41f92ec37ca07567e891283a995884c0e68a5fa8) Remove sandbox Container field from metadata\n* ci: add build/test go1.26.0, drop go1.24 ([#12844](https://github.com/containerd/containerd/pull/12844))\n  * [`1f84d27c3`](https://github.com/containerd/containerd/commit/1f84d27c307f6f7fb151c65460567b6890ce4869) update golangci-lint to v2.9.0 with go1.26 support\n  * [`e4320e6cf`](https://github.com/containerd/containerd/commit/e4320e6cf5b12b23bf1fa28f453f815c1c8b315b) remove windows/arm from cross build\n  * [`9a0c5f1f0`](https://github.com/containerd/containerd/commit/9a0c5f1f025bed70ff839a1915aff455be203980) ci: build/test go1.26.0\n* contrib/apparmor: remove non-matching rules for /proc/mem, /proc/kmem ([#12905](https://github.com/containerd/containerd/pull/12905))\n  * [`f45a70121`](https://github.com/containerd/containerd/commit/f45a70121c344c88852566c3b6c0378491eb1fd0) contrib/apparmor: remove non-matching rules for /proc/mem, /proc/kmem\n* build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 ([#12910](https://github.com/containerd/containerd/pull/12910))\n  * [`0737b36c7`](https://github.com/containerd/containerd/commit/0737b36c7004f8c765118efb88a322fcdc61f3d5) build(deps): bump github/codeql-action from 4.32.2 to 4.32.3\n* build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1 ([#12912](https://github.com/containerd/containerd/pull/12912))\n  * [`968dccdfc`](https://github.com/containerd/containerd/commit/968dccdfc7e79deafdea16a395192fefb2306638) build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1\n* build(deps): bump github.com/containerd/cgroups/v3 from 3.1.2 to 3.1.3 ([#12911](https://github.com/containerd/containerd/pull/12911))\n  * [`ddeef9938`](https://github.com/containerd/containerd/commit/ddeef99380a0e7a6d8db62db59d0053a985fe12f) build(deps): bump github.com/containerd/cgroups/v3 from 3.1.2 to 3.1.3\n* install-dev-tools: update protoc-gen-go-ttrpc to v1.2.7 ([#12914](https://github.com/containerd/containerd/pull/12914))\n  * [`102bf8626`](https://github.com/containerd/containerd/commit/102bf8626ad6d9f9b0c2a5153178f6ee1693a6d5) install-dev-tools: update protoc-gen-go-ttrpc to v1.2.7\n* Fix dupwords ([#12909](https://github.com/containerd/containerd/pull/12909))\n  * [`3c64bf76d`](https://github.com/containerd/containerd/commit/3c64bf76d085a975f9ea8e9320d25df4fd90cb3d) docs: fix dupword\n  * [`912a34ad0`](https://github.com/containerd/containerd/commit/912a34ad06d23a870b19adc6ed3e30befb32f753) script/test: fix dupword\n  * [`ebb6908bf`](https://github.com/containerd/containerd/commit/ebb6908bf6bc62cace69b926a1a9f3e43a063e08) integration: fix dupword\n* integration: Fix TestImageLoad() failure on CI ([#12903](https://github.com/containerd/containerd/pull/12903))\n  * [`fafbfcb8c`](https://github.com/containerd/containerd/commit/fafbfcb8c7cbc9db7fd51b679432e188fe603dce) integration: Fix TestImageLoad() failure on CI\n* build(deps): bump github.com/klauspost/compress from 1.18.3 to 1.18.4 ([#12879](https://github.com/containerd/containerd/pull/12879))\n  * [`a46ab1811`](https://github.com/containerd/containerd/commit/a46ab1811d3f8afc58453b37dcda8be0b21816fb) build(deps): bump github.com/klauspost/compress from 1.18.3 to 1.18.4\n* build(deps): bump the golang-x group with 2 updates ([#12878](https://github.com/containerd/containerd/pull/12878))\n  * [`4514f47be`](https://github.com/containerd/containerd/commit/4514f47bea67d33ce8355c23a1d6ddc376a49061) build(deps): bump the golang-x group with 2 updates\n* cri: Fix image volumes with user namespaces ([#12816](https://github.com/containerd/containerd/pull/12816))\n  * [`db9546b6d`](https://github.com/containerd/containerd/commit/db9546b6df3671efe1a5727f43ba925531362354) cri: Fix image volumes with user namespaces\n* build(deps): bump github/codeql-action from 4.32.1 to 4.32.2 ([#12880](https://github.com/containerd/containerd/pull/12880))\n  * [`7505e768d`](https://github.com/containerd/containerd/commit/7505e768de6fe992da7edc03c6a903896b720aec) build(deps): bump github/codeql-action from 4.32.1 to 4.32.2\n* build(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 ([#12823](https://github.com/containerd/containerd/pull/12823))\n  * [`cf9b7d4fb`](https://github.com/containerd/containerd/commit/cf9b7d4fbfef4b04d5a540a3b9e797420fe0c217) build(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0\n* apparmor: explicitly set abi/3.0 ([#12864](https://github.com/containerd/containerd/pull/12864))\n  * [`a6f03a7d5`](https://github.com/containerd/containerd/commit/a6f03a7d56411648c2e97085ae8e120120c06b6b) apparmor: explicitly set abi/3.0\n* contrib/Dockerfile: remove proto3 (protobuf) stage ([#12866](https://github.com/containerd/containerd/pull/12866))\n  * [`8ad06b278`](https://github.com/containerd/containerd/commit/8ad06b27840f9e734dedbfadb284f61d0fb08131) contrib/Dockerfile: remove proto3 (protobuf) stage\n* update to go1.24.13, go1.25.7 ([#12869](https://github.com/containerd/containerd/pull/12869))\n  * [`1551986af`](https://github.com/containerd/containerd/commit/1551986af47067488deaa7428d04e6f89d3b6d36) update to go1.24.13, go1.25.7\n* build(deps): bump github.com/checkpoint-restore/checkpointctl from 1.4.0 to 1.5.0 ([#12825](https://github.com/containerd/containerd/pull/12825))\n  * [`3aac3eaef`](https://github.com/containerd/containerd/commit/3aac3eaefff6da3468bb426fc253ab801806ca0e) build(deps): bump github.com/checkpoint-restore/checkpointctl\n* Use buf to format proto files ([#12841](https://github.com/containerd/containerd/pull/12841))\n  * [`ca1c5b2d3`](https://github.com/containerd/containerd/commit/ca1c5b2d3db8c620c26ab9674b7ccb9a4b023a63) Reformat and revendor proto files\n  * [`2a87c9d7d`](https://github.com/containerd/containerd/commit/2a87c9d7d29a5d947fa671a0d7b52f449835fd11) Add .editorconfig for proto files\n  * [`3defa1229`](https://github.com/containerd/containerd/commit/3defa1229beed8b664b8c18b83d3806d6405ea26) Use buf to format proto files\n* cri: use mount manager when image has volumes ([#12847](https://github.com/containerd/containerd/pull/12847))\n  * [`eeb50b0e9`](https://github.com/containerd/containerd/commit/eeb50b0e9ad2932fed1ee05f42165d627a0230ed) cri: use mount manager when image has volumes\n* script/critest.sh: always skip OOMKilled on systemd cgroup ([#12819](https://github.com/containerd/containerd/pull/12819))\n  * [`c3ba452cf`](https://github.com/containerd/containerd/commit/c3ba452cf03ab23bbefed000248cb8a46b3933e1) script/critest.sh: always skip OOMKilled on systemd cgroup\n* build(deps): bump docker/login-action from 3.6.0 to 3.7.0 ([#12852](https://github.com/containerd/containerd/pull/12852))\n  * [`3f32d77ee`](https://github.com/containerd/containerd/commit/3f32d77ee090cdec6a7fa6fa495627cfebc333fb) build(deps): bump docker/login-action from 3.6.0 to 3.7.0\n* build(deps): bump github/codeql-action from 4.31.10 to 4.32.1 ([#12850](https://github.com/containerd/containerd/pull/12850))\n  * [`e00bd606d`](https://github.com/containerd/containerd/commit/e00bd606d8dfd76775dc38b73c66080840df40bc) build(deps): bump github/codeql-action from 4.31.10 to 4.32.1\n* build(deps): bump actions/cache from 5.0.2 to 5.0.3 ([#12851](https://github.com/containerd/containerd/pull/12851))\n  * [`0be2e1b50`](https://github.com/containerd/containerd/commit/0be2e1b50f4492d2db0c57bd597464bfbf3a9b5a) build(deps): bump actions/cache from 5.0.2 to 5.0.3\n* build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0 ([#12854](https://github.com/containerd/containerd/pull/12854))\n  * [`74b21a939`](https://github.com/containerd/containerd/commit/74b21a93931e7f2f6cb708e081e21b0e57fbc5e7) build(deps): bump github.com/coreos/go-systemd/v22 from 22.6.0 to 22.7.0\n* pkg/sys: Create user namespace as the container's initial user namesp… ([#12317](https://github.com/containerd/containerd/pull/12317))\n  * [`59cc4cc49`](https://github.com/containerd/containerd/commit/59cc4cc49dbcec791c981548ea849578cb445bf2) pkg/sys: Let more environments create user namespace as the initial user\n  * [`42ce92b22`](https://github.com/containerd/containerd/commit/42ce92b2220012180207c5706dbece34436aad5f) pkg/sys: Create user namespace as the container's initial user namespace user\n* ci: add retry logic for Fedora Vagrant box download ([#12856](https://github.com/containerd/containerd/pull/12856))\n  * [`e1ab55296`](https://github.com/containerd/containerd/commit/e1ab55296a754e50f4b23f7dbff3ea6121c57a70) ci: add retry logic for Fedora Vagrant box download\n* ci: set fetch-depth for containerd to 0 for version parsing ([#12855](https://github.com/containerd/containerd/pull/12855))\n  * [`3f133acd4`](https://github.com/containerd/containerd/commit/3f133acd427066b37e51dcd8252afac00ddfebdc) set fetch-depth for containerd to 0 for version parsing\n* ci: bump go 1.24.12, 1.25.6 ([#12843](https://github.com/containerd/containerd/pull/12843))\n  * [`bde3deac7`](https://github.com/containerd/containerd/commit/bde3deac7e4699c5041f2b35916388f4ea6171c4) ci: bump go 1.24.12, 1.25.6\n* Fix ctr image mount failing with no such device ([#12581](https://github.com/containerd/containerd/pull/12581))\n  * [`776e50aa2`](https://github.com/containerd/containerd/commit/776e50aa219c6c7684dc08980c084722a9ab942f) core/mount/manager: fix bind mount missing rbind option\n  * [`d2593b647`](https://github.com/containerd/containerd/commit/d2593b64778a22e8c516051ac99ba4429f0d3e9b) core/mount/manager: add tests for WithTemporary option\n* erofs: Log mkfs command at Debug level ([#12826](https://github.com/containerd/containerd/pull/12826))\n  * [`220108e1c`](https://github.com/containerd/containerd/commit/220108e1cfbd8f14f3d3f8aafe60802df87c1869) erofs: Log mkfs command at Debug level\n* CI: add almalinux/10 ([#12827](https://github.com/containerd/containerd/pull/12827))\n  * [`ff0c2d172`](https://github.com/containerd/containerd/commit/ff0c2d17293b03cbbfdeb566681d398de4770a7f) CI: add almalinux/10\n* .github: re-enable windows image pull/list tests ([#12818](https://github.com/containerd/containerd/pull/12818))\n  * [`ce9f3ad8e`](https://github.com/containerd/containerd/commit/ce9f3ad8e48b76fa44b83ab39b4901f1efd73ed5) .github: re-enable windows image pull/list tests\n* Populate ImageId field in container status ([#12787](https://github.com/containerd/containerd/pull/12787))\n  * [`2470af56e`](https://github.com/containerd/containerd/commit/2470af56e40bb2c8a3f854025bcdfbb42fb9cab5) Update TestToCRIContainer test\n  * [`b8c76199d`](https://github.com/containerd/containerd/commit/b8c76199d1e5064f9bc41e8701199500b17bb8da) cri: populate ImageId field in container status\n* Generate api/next.txtpb and name module ([#12815](https://github.com/containerd/containerd/pull/12815))\n  * [`472e0a8e7`](https://github.com/containerd/containerd/commit/472e0a8e7ada278b7aa376173eca20ad0a0348be) Generate next.txtpb to replace next.pb.txt\n  * [`f58dbbda0`](https://github.com/containerd/containerd/commit/f58dbbda0b34bea75f714e82463eb0706c06d30d) Add buf.build repository name for publishing API\n* Fix go mod replace and sync with latest api changes ([#12789](https://github.com/containerd/containerd/pull/12789))\n  * [`992597bfe`](https://github.com/containerd/containerd/commit/992597bfe9ffb750ec01d956f3ff515d51025043) Fix TTRPC prefix\n  * [`8c782cd19`](https://github.com/containerd/containerd/commit/8c782cd1971e4f3442f78cfad063b9c30edc129e) Revendor latest api changes\n  * [`c895e1ed4`](https://github.com/containerd/containerd/commit/c895e1ed40090fe4ec10c17b769fe5d6962419a3) Remove check-api-descriptors target\n  * [`ce045ca2f`](https://github.com/containerd/containerd/commit/ce045ca2f5f6ca307733c221b510c90fdf636259) Fix go mod replace\n* stability: multipart fetch pool ([#12205](https://github.com/containerd/containerd/pull/12205))\n  * [`e86523ecd`](https://github.com/containerd/containerd/commit/e86523ecdbabb675969bb683047defe526595fdf) multipart fetch stability fixes\n* erofs-differ: use same UUID append style in tar index mode as tar conversion mode ([#12782](https://github.com/containerd/containerd/pull/12782))\n  * [`52a92e83f`](https://github.com/containerd/containerd/commit/52a92e83f0cc9ff262e4fe2f64e7454ed3959682) erofs-differ: use same UUID append style in tar index mode as tar conversion mode\n* erofs: Move immutable file handling before storage.Remove ([#12807](https://github.com/containerd/containerd/pull/12807))\n  * [`cf7cb3c35`](https://github.com/containerd/containerd/commit/cf7cb3c35e72531ceae9929b8ad8ea008a01bb8f) erofs: Move immutable file handling before storage.Remove\n* fix: sanitize error before gRPC return to prevent credential leak in pod events ([#12801](https://github.com/containerd/containerd/pull/12801))\n  * [`7b11d6cae`](https://github.com/containerd/containerd/commit/7b11d6cae471a6e33d70ed662dfd781594838aaf) fix: sanitize error before gRPC return to prevent credential leak in pod events\n* build(deps): bump github.com/klauspost/compress from 1.18.2 to 1.18.3 ([#12797](https://github.com/containerd/containerd/pull/12797))\n  * [`92955bf4c`](https://github.com/containerd/containerd/commit/92955bf4c39bfd35ce51bc4ee563e253c9f3e8a8) build(deps): bump github.com/klauspost/compress from 1.18.2 to 1.18.3\n* build(deps): bump actions/cache from 5.0.1 to 5.0.2 ([#12798](https://github.com/containerd/containerd/pull/12798))\n  * [`7a0c8d906`](https://github.com/containerd/containerd/commit/7a0c8d906e4fc220d77cbb029a09f6c6e407b67b) build(deps): bump actions/cache from 5.0.1 to 5.0.2\n* build(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4 ([#12799](https://github.com/containerd/containerd/pull/12799))\n  * [`94de254cb`](https://github.com/containerd/containerd/commit/94de254cbc3e8e9a8c690049c8494f52710a8d02) build(deps): bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4\n* Use fsmount API to avoid PAGE_SIZE limit for erofs ([#12783](https://github.com/containerd/containerd/pull/12783))\n  * [`f873e4d3c`](https://github.com/containerd/containerd/commit/f873e4d3c2b36b05fd2244940ea80672e618bb88) plugins/mount/erofs: use fsmount API to avoid PAGE_SIZE limit\n* fix: typo in comment ([#12795](https://github.com/containerd/containerd/pull/12795))\n  * [`e066861ac`](https://github.com/containerd/containerd/commit/e066861ac7e23d1fe3715ac4146accef77a776d8) fix: typo in comment\n*  cri/podsandbox: reduce dependencies to internal CRI APIs ([#12773](https://github.com/containerd/containerd/pull/12773))\n  * [`7ef50accc`](https://github.com/containerd/containerd/commit/7ef50acccf917a7d006a6069dced7d9de2e26a07) Reduce ImageService interface dependencies\n* fix(oci): handle absolute symlinks in rootfs user lookup ([#12732](https://github.com/containerd/containerd/pull/12732))\n  * [`9bbb1309f`](https://github.com/containerd/containerd/commit/9bbb1309f051e54b51484fa0efbfe93e26223a2d) test(oci): use fstest and mock fs for better symlink coverage\n  * [`85b5418ef`](https://github.com/containerd/containerd/commit/85b5418ef5a6adeac95c910bf8c33ae0fb7bbecb) fix(oci): handle absolute symlinks in rootfs user lookup\n* command: show help and exit on unknown positional arguments ([#12748](https://github.com/containerd/containerd/pull/12748))\n  * [`677e991bb`](https://github.com/containerd/containerd/commit/677e991bb539858a954b95e7a8e2980c3ec96f57) command: show help and exit on unknown positional arguments\n* content: ensure root directory exists before checking fs-verity support ([#12416](https://github.com/containerd/containerd/pull/12416))\n  * [`5f0f0dcaa`](https://github.com/containerd/containerd/commit/5f0f0dcaac13a5370a28a42ada9fd6be246ee807) content: ensure root directory exists before checking fs-verity support\n* snapshotservice: add WithParent handling for Commit + tests ([#12755](https://github.com/containerd/containerd/pull/12755))\n  * [`01fa05731`](https://github.com/containerd/containerd/commit/01fa05731f1abaa2ef5d230ab0b7cbde9eed57c1) Add Parent option handling in Commit method and tests\n* Pass container user (uid, gids) to plugins ([#12769](https://github.com/containerd/containerd/pull/12769))\n  * [`b0bd04b04`](https://github.com/containerd/containerd/commit/b0bd04b0469b28ed0cb1f4d21682e34caf7e45f3) cri,nri: pass container user (uid, gids) to plugins.\n* cri: fix create container panic if originalAnnotations is nil ([#12763](https://github.com/containerd/containerd/pull/12763))\n  * [`9018c75d5`](https://github.com/containerd/containerd/commit/9018c75d5d720175d438fa1c8ee08803c451737c) cri: fix create container panic if originalAnnotations is nil when restore container\n* Detect breaking API changes in proto files ([#12776](https://github.com/containerd/containerd/pull/12776))\n  * [`1b4f588f3`](https://github.com/containerd/containerd/commit/1b4f588f3f8e263049cc91d764b3693ac672f12b) Detect breaking API changes in protos\n* build(deps): bump the golang-x group with 2 updates ([#12778](https://github.com/containerd/containerd/pull/12778))\n  * [`ddb6b166e`](https://github.com/containerd/containerd/commit/ddb6b166e320805b92b74aff9a5ae8f999abc7dc) build(deps): bump the golang-x group with 2 updates\n* build(deps): bump github/codeql-action from 4.31.9 to 4.31.10 ([#12779](https://github.com/containerd/containerd/pull/12779))\n  * [`ac70789ec`](https://github.com/containerd/containerd/commit/ac70789ec8c72cb74dcf98152ae2e85c6f826abc) build(deps): bump github/codeql-action from 4.31.9 to 4.31.10\n* Pass seccomp policy to plugins ([#12768](https://github.com/containerd/containerd/pull/12768))\n  * [`cfec4b30a`](https://github.com/containerd/containerd/commit/cfec4b30a72d8a37f39d1981ccfcf3e3e82bebc9) cri,nri: pass seccomp policy to plugins.\n* cri,nri: pass any POSIX rlimits to plugins. ([#12765](https://github.com/containerd/containerd/pull/12765))\n  * [`7b85525cf`](https://github.com/containerd/containerd/commit/7b85525cfee51d0b306cd1e1278e21365077213a) cri,nri: pass any POSIX rlimits to plugins.\n* cri: fix checkpoint failed with short id ([#12758](https://github.com/containerd/containerd/pull/12758))\n  * [`0dc958229`](https://github.com/containerd/containerd/commit/0dc9582295d8df173c714f762375a4b624185ae9) cri: fix checkpoint failed with short id\n* Pass extended container status to NRI. ([#12770](https://github.com/containerd/containerd/pull/12770))\n  * [`695c91324`](https://github.com/containerd/containerd/commit/695c91324a2bf5d908bfca9f0235c6ed2b198cd9) cri,nri: pass extended container status to NRI.\n* Remove protoc dependency from BUILDING.md ([#12771](https://github.com/containerd/containerd/pull/12771))\n  * [`19f39fee6`](https://github.com/containerd/containerd/commit/19f39fee6f40889e8072fdeec9fefc2887eff432) Remove protoc dependency from BUILDING.md\n* Pass injected CDI devices to plugins ([#12767](https://github.com/containerd/containerd/pull/12767))\n  * [`98a2e8876`](https://github.com/containerd/containerd/commit/98a2e8876737883e7603f2c5ad9125c17dfb57a7) cri,nri: pass injected CDI devices to plugins.\n* cri,nri: pass linux sysctl to plugins. ([#12766](https://github.com/containerd/containerd/pull/12766))\n  * [`250388dcd`](https://github.com/containerd/containerd/commit/250388dcd919346ee9da3d382cd1833ad8e7f733) cri,nri: pass linux sysctl to plugins.\n* Migrate from protobuild to buf ([#12762](https://github.com/containerd/containerd/pull/12762))\n  * [`f87550d06`](https://github.com/containerd/containerd/commit/f87550d0686a0db65ff40b2e527da2caf7385331) Install buf from install-dev-tools\n  * [`dac9721fa`](https://github.com/containerd/containerd/commit/dac9721faf891205ed46105cd38340bc3bceabcb) Drop outdated pb.txt files\n  * [`6a6283193`](https://github.com/containerd/containerd/commit/6a6283193b6f865c35529717068259bf54ccc307) Update pb files\n  * [`57782b717`](https://github.com/containerd/containerd/commit/57782b7175f743489010c348a8f59da720140722) Move buf configuration under api/\n  * [`248ee80fa`](https://github.com/containerd/containerd/commit/248ee80faba967270dd68e0f341bc85febd9e7e7) Remove GOPATH workaround from Makefile\n  * [`39991b661`](https://github.com/containerd/containerd/commit/39991b6617041c8c5b471f11f08461f36cc6719f) Use relative import intead of GOPATH style imports\n  * [`edb3e0869`](https://github.com/containerd/containerd/commit/edb3e0869706fa0d058f8530f7b563af9310eec3) Remove protobuf\n  * [`aca62ae10`](https://github.com/containerd/containerd/commit/aca62ae10d7a26a7fbf9c178e4c458ffd746db5d) Install buf on demand via go install\n  * [`eb586b5ef`](https://github.com/containerd/containerd/commit/eb586b5ef2e20c5f845f28d5e9cd5f5e8e10885d) Regenerate proto files\n  * [`e63f1d3ab`](https://github.com/containerd/containerd/commit/e63f1d3ab40ae351f85461265978a9c58ebffba1) Use buf to generate proto code\n* Add erofs idmap support ([#12433](https://github.com/containerd/containerd/pull/12433))\n  * [`9b50650d5`](https://github.com/containerd/containerd/commit/9b50650d5c492962f5da15ff261c7d168736e741) snapshots/erofs: Support idmap mounts\n  * [`552500360`](https://github.com/containerd/containerd/commit/552500360870ba8706a9f3c9939242f449106f81) core/mount/*linux: Do idmap bind mounts as private and recursive\n  * [`44751e28b`](https://github.com/containerd/containerd/commit/44751e28b378ec8d1bc45ea9d8f1444d75fe0186) core/mount: Don't apply uidmap/gidmap during ro instrospection\n* Tracing: add spans in task/metadata and sandbox paths ([#12737](https://github.com/containerd/containerd/pull/12737))\n  * [`fb295b9d4`](https://github.com/containerd/containerd/commit/fb295b9d4f8a23d9729472d43ae1180f1a9c3f32) Tracing: add spans in task/metadata and sandbox paths\n* UpdatePodSandboxResources CRI API handler ([#11406](https://github.com/containerd/containerd/pull/11406))\n  * [`de5b622bd`](https://github.com/containerd/containerd/commit/de5b622bd99823f3b6a9119270f0c8246b707d17) Persist pod sandbox resource updates\n  * [`ffd3691c9`](https://github.com/containerd/containerd/commit/ffd3691c92f42fffadf1f835f3ecc82512e4b9a3) Implement UpdatePodSandboxResources CRI API handler\n* Update OOMKilled event handling ([#12714](https://github.com/containerd/containerd/pull/12714))\n  * [`016f4a636`](https://github.com/containerd/containerd/commit/016f4a6360503adcc88bcc4239c217744bdc2338) *: move new oom package into internal\n  * [`bdff34ef6`](https://github.com/containerd/containerd/commit/bdff34ef61f1ae9df65af6f9e8dc506cd3b52f68) *: skip critest OOMKilled testcase for systemd cgroup\n  * [`cbb1b13a8`](https://github.com/containerd/containerd/commit/cbb1b13a8131041911b0cb85070d392e045c2334) cri-integration: add stress test for TestOOMEventMonitor\n  * [`aa3c50792`](https://github.com/containerd/containerd/commit/aa3c507925649f5357cf8d8bcdb18b959742c251) internal/cri/server: check if OOM event occurred before update status\n  * [`8ac7e3c06`](https://github.com/containerd/containerd/commit/8ac7e3c06d63b8c3dfc92cba7cdfc250f1b81bd6) cmd/containerd-shim-runc-v2: use experimental OOM package\n  * [`21707e6c3`](https://github.com/containerd/containerd/commit/21707e6c3bb6fd2729c9c9829c1f10a43185cf36) cmd/containerd-shim-runc-v2: add experimental OOM package\n* Fix ST1005 lint violations: lowercase error strings ([#12666](https://github.com/containerd/containerd/pull/12666))\n  * [`d6ee6f69b`](https://github.com/containerd/containerd/commit/d6ee6f69b25578ac91e1486396c4d326c5289586) Fix ST1005 lint violations: lowercase error strings\n* Simplify/Cleanup unit tests ([#12746](https://github.com/containerd/containerd/pull/12746))\n  * [`253fbe756`](https://github.com/containerd/containerd/commit/253fbe756a42fc83e03edc94c021b237a4225dc9) Cleanup unit tests\n* doc: add k8s 1.35 to support matrix ([#12749](https://github.com/containerd/containerd/pull/12749))\n  * [`b5ee44fe8`](https://github.com/containerd/containerd/commit/b5ee44fe8efc5a837523a9e3a9cf57c2670a2128) add k8s 1.35 to support matrix\n* Add EROFS layer media type ([#12567](https://github.com/containerd/containerd/pull/12567))\n  * [`36f8999b9`](https://github.com/containerd/containerd/commit/36f8999b946ed1e078d46496796ca54401423e3f) images: add EROFS layer media type\n* cri: update log level to warn for CNI load failure during CRI init  ([#12709](https://github.com/containerd/containerd/pull/12709))\n  * [`b66f92f59`](https://github.com/containerd/containerd/commit/b66f92f591edd3b55414edac84bc3bbdd8395eb5) cri: update log level to warn for CNI load failure during init\n* simplify selinux dependency in client ([#12702](https://github.com/containerd/containerd/pull/12702))\n  * [`6faacd8c7`](https://github.com/containerd/containerd/commit/6faacd8c76b409bb0907302c98964bb0717b0f9f) simplify selinux dependency in client\n* Set annotations parameter in CreateSandbox request ([#12566](https://github.com/containerd/containerd/pull/12566))\n  * [`53e696d62`](https://github.com/containerd/containerd/commit/53e696d625458a48a383364bc97a7be6b57f219d) set annotations parameter in CreateSandbox request\n* build(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0 ([#12722](https://github.com/containerd/containerd/pull/12722))\n  * [`ddc35aca2`](https://github.com/containerd/containerd/commit/ddc35aca2d13cfb3b60d0651a22fe9f8a2f11e0b) build(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0\n* build(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0 ([#12723](https://github.com/containerd/containerd/pull/12723))\n  * [`4d7ce1746`](https://github.com/containerd/containerd/commit/4d7ce17462f0c2f071197ecfa534f9b84391db36) build(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0\n* build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 ([#12724](https://github.com/containerd/containerd/pull/12724))\n  * [`b3fdd83a9`](https://github.com/containerd/containerd/commit/b3fdd83a99d52fb4ef6cee4fa659766ce88ad6f3) build(deps): bump github/codeql-action from 4.31.8 to 4.31.9\n* build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0 ([#12736](https://github.com/containerd/containerd/pull/12736))\n  * [`e7ba3c35c`](https://github.com/containerd/containerd/commit/e7ba3c35c5d49016fe25fd5e05733acd7e6def11) build(deps): bump google.golang.org/grpc from 1.77.0 to 1.78.0\n* Add support for EROFS fsmerge feature ([#12374](https://github.com/containerd/containerd/pull/12374))\n  * [`9a7500a97`](https://github.com/containerd/containerd/commit/9a7500a974388525a46a51ac7edc994e0334bc5a) Add support for EROFS fsmerge feature\n* pkg/oci: add WithUmask for SpecOpts ([#12719](https://github.com/containerd/containerd/pull/12719))\n  * [`01fd590a7`](https://github.com/containerd/containerd/commit/01fd590a770a2289e956a424cf27cfbac97de6c6) pkg/oci: add WithUmask for SpecOpts\n* cri: emit warning for concurrent CreateContainer ([#12695](https://github.com/containerd/containerd/pull/12695))\n  * [`c94b42332`](https://github.com/containerd/containerd/commit/c94b42332b5a1e830e5b198d57895c9ca4c52afb) cri: emit warning for concurrent CreateContainer\n* Drop skip for `[Feature:ResourceMetrics]` in node e2e tests ([#12720](https://github.com/containerd/containerd/pull/12720))\n  * [`b58f6579c`](https://github.com/containerd/containerd/commit/b58f6579c72aa1ac4d529f788be3557ef8486e49) Drop skip for `[Feature:ResourceMetrics]` in node e2e tests\n* cri: Use the runtimeHandler parameter in PullImage ([#12710](https://github.com/containerd/containerd/pull/12710))\n  * [`b8ae0412f`](https://github.com/containerd/containerd/commit/b8ae0412ff3503d34a8b1aec6fb0faef1631b48d) cri: Use the runtimeHandler parameter in PullImage\n* Ensure ListMetricDescriptors gets tested with latest k/k ([#12704](https://github.com/containerd/containerd/pull/12704))\n  * [`a31236b4d`](https://github.com/containerd/containerd/commit/a31236b4d052e6b9a3b4be0c9e4227ba18e2c74b) cri: populate Network.Interfaces in PodSandboxStats on Linux\n  * [`635b30143`](https://github.com/containerd/containerd/commit/635b301430a0fa8aa54fe394cde35c377171d144) Ensure ListMetricDescriptors gets tested with latest k/k\n* cri: deprecate `enable_cdi`, treat disabled CDI an error for injection requests. ([#12675](https://github.com/containerd/containerd/pull/12675))\n  * [`ec8933999`](https://github.com/containerd/containerd/commit/ec89339995a27ac9b4e1a4240fbe37ac9eda2cd5) cri: treat disabled CDI an error for injection requests.\n  * [`c49379c38`](https://github.com/containerd/containerd/commit/c49379c38a51bd26f22129cc9eb904bcecb5387c) cri: deprecate the enable_cdi config option.\n* cri: move noisy CDI logs to debug level ([#12715](https://github.com/containerd/containerd/pull/12715))\n  * [`f2ad3aedb`](https://github.com/containerd/containerd/commit/f2ad3aedbcbf194ef751906d5bafe92c4b139ebb) cri: move noisy CDI logs to debug level\n* Uncomment call to add options for pulling encrypted images ([#12705](https://github.com/containerd/containerd/pull/12705))\n  * [`c0052e1c6`](https://github.com/containerd/containerd/commit/c0052e1c699bedeb8991a83e1e9b1275101d2309) Reinstate image decryption\n* cri,nri: bump NRI dependencies to v0.11.0 ([#12699](https://github.com/containerd/containerd/pull/12699))\n  * [`6936558df`](https://github.com/containerd/containerd/commit/6936558df99881d3361f791721cf42662b89c114) cri,nri: pass any linux security profile to plugins.\n  * [`f202a6989`](https://github.com/containerd/containerd/commit/f202a6989c1dabf65cd04ada6ae0589035dd8e99) cri,nri: pass any linux RDT constraints to plugins.\n  * [`eb616d8ca`](https://github.com/containerd/containerd/commit/eb616d8cab24fcb3c6f2092089542103f840d06c) cri,nri: pass any linux net devices to plugins.\n  * [`239f69aa0`](https://github.com/containerd/containerd/commit/239f69aa02a7a72f4689b679cf06f0fb87b4665d) cri,nri: pass any linux scheduler attributes to plugins.\n  * [`8e143b2ea`](https://github.com/containerd/containerd/commit/8e143b2eaa4b3a35cf177a074dca2e0694869e1d) cri,nri: pass any linux I/O priority to plugins.\n  * [`d674423d3`](https://github.com/containerd/containerd/commit/d674423d315bcd021f16f59290a4e96e7b4225ce) go.{mod,sum}: bump NRI deps to v0.11.0, re-vendor.\n* Fix typo in README.md for shim author section ([#12694](https://github.com/containerd/containerd/pull/12694))\n  * [`5b184601d`](https://github.com/containerd/containerd/commit/5b184601d3e6acdf811c3b009ac5e6d9fca9ba00) Fix typo in README.md for shim author section\n* pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const ([#12605](https://github.com/containerd/containerd/pull/12605))\n  * [`0d27fceee`](https://github.com/containerd/containerd/commit/0d27fceeed55785cea12a1ed91bee4e78e47da36) pkg/tracing: HTTPStatusCodeAttributes: remove use of deprecated SemConv const\n* build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11 ([#12690](https://github.com/containerd/containerd/pull/12690))\n  * [`6879e7e52`](https://github.com/containerd/containerd/commit/6879e7e526b4aec57290853d86583da1c6f37aa2) build(deps): bump google.golang.org/protobuf from 1.36.10 to 1.36.11\n* build(deps): bump github/codeql-action from 4.31.7 to 4.31.8 ([#12689](https://github.com/containerd/containerd/pull/12689))\n  * [`9322000b9`](https://github.com/containerd/containerd/commit/9322000b92d46bc25bfecc5dd2d78a6c8e208d21) build(deps): bump github/codeql-action from 4.31.7 to 4.31.8\n* build(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 ([#12692](https://github.com/containerd/containerd/pull/12692))\n  * [`87e014471`](https://github.com/containerd/containerd/commit/87e014471aa55e71c68a719531c803e9abf01c21) build(deps): bump actions/download-artifact from 6.0.0 to 7.0.0\n* build(deps): bump the k8s group with 3 updates ([#12687](https://github.com/containerd/containerd/pull/12687))\n  * [`026d074b1`](https://github.com/containerd/containerd/commit/026d074b146fb34d8abb7d1303bf204f70d565d9) build(deps): bump the k8s group with 3 updates\n* build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 ([#12691](https://github.com/containerd/containerd/pull/12691))\n  * [`e191976e0`](https://github.com/containerd/containerd/commit/e191976e0c46df679b09df4d646d929d6d83e2d6) build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0\n* build(deps): bump actions/cache from 4.3.0 to 5.0.1 ([#12686](https://github.com/containerd/containerd/pull/12686))\n  * [`92c36c22d`](https://github.com/containerd/containerd/commit/92c36c22d9669de90a0109c3bd531665c6b4aae4) build(deps): bump actions/cache from 4.3.0 to 5.0.1\n* go.{mod,sum}: bump CDI deps to v1.1.0. ([#12663](https://github.com/containerd/containerd/pull/12663))\n  * [`19765c9b7`](https://github.com/containerd/containerd/commit/19765c9b7e4574a91f6d1acfec27f2aa8d356c65) go.{mod,sum} bump CDI deps to v1.1.0.\n* build(deps): bump github.com/intel/goresctrl from 0.10.0 to 0.11.0 ([#12657](https://github.com/containerd/containerd/pull/12657))\n  * [`2900a8134`](https://github.com/containerd/containerd/commit/2900a8134254b50081b90f2386c4068966d41d47) build(deps): bump github.com/intel/goresctrl from 0.10.0 to 0.11.0\n* build(deps): bump github.com/containernetworking/plugins from 1.8.0 to 1.9.0 ([#12656](https://github.com/containerd/containerd/pull/12656))\n  * [`90cf47eb8`](https://github.com/containerd/containerd/commit/90cf47eb8549f9f2324651f6c974094dd39b26f3) build(deps): bump github.com/containernetworking/plugins\n* cri: Add background stats collector to calculate UsageNanoCores ([#12629](https://github.com/containerd/containerd/pull/12629))\n  * [`28f75119b`](https://github.com/containerd/containerd/commit/28f75119baa8f5e32e3dbf59201c1b0911b04151) cri: simplify network stats to only add Timestamp field\n  * [`218ef1613`](https://github.com/containerd/containerd/commit/218ef1613efcf91c3dac966c53a546cef2ef8bd0) Removed the circular dependency\n  * [`7e5809bcf`](https://github.com/containerd/containerd/commit/7e5809bcfebd25ffea58e26734df83c5cad96ec0) stats_collection_period -> stats_collect_period\n  * [`9d5ee6501`](https://github.com/containerd/containerd/commit/9d5ee650146e3a20a687a9ed225d50f7812259a9) cri: Add background stats collector to calculate UsageNanoCores\n* build(deps): bump the otel group across 1 directory with 8 updates ([#12647](https://github.com/containerd/containerd/pull/12647))\n  * [`8ab6ef83b`](https://github.com/containerd/containerd/commit/8ab6ef83bea358456c25f10714a96dd36bad7841) build(deps): bump the otel group across 1 directory with 8 updates\n* build(deps): bump the golang-x group with 3 updates ([#12644](https://github.com/containerd/containerd/pull/12644))\n  * [`5c392ae92`](https://github.com/containerd/containerd/commit/5c392ae92e8527811e1e413f4201f4652852aaf1) build(deps): bump the golang-x group with 3 updates\n* Prevents triggering of an inactive issue/PR check for forked repository. ([#12592](https://github.com/containerd/containerd/pull/12592))\n  * [`80dc40543`](https://github.com/containerd/containerd/commit/80dc405432ff99182f1bde5b7346669ef35f8253) [CI] Prevents triggering of an inactive issue/PR check for forked repository.\n* build(deps): bump github/codeql-action from 4.31.6 to 4.31.7 ([#12642](https://github.com/containerd/containerd/pull/12642))\n  * [`ca0637f16`](https://github.com/containerd/containerd/commit/ca0637f16ce98be5420c1ffe708eb98b857318fe) build(deps): bump github/codeql-action from 4.31.6 to 4.31.7\n* build(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.2.0 ([#12643](https://github.com/containerd/containerd/pull/12643))\n  * [`7053b5cd1`](https://github.com/containerd/containerd/commit/7053b5cd10632418750a0bfee1679ddc31eb972a) build(deps): bump golangci/golangci-lint-action from 9.0.0 to 9.2.0\n* build(deps): bump actions/stale from 10.1.0 to 10.1.1 ([#12645](https://github.com/containerd/containerd/pull/12645))\n  * [`e72ce6215`](https://github.com/containerd/containerd/commit/e72ce62153c5864a77499ee7200b9007789f1b1e) build(deps): bump actions/stale from 10.1.0 to 10.1.1\n* build(deps): bump actions/checkout from 6.0.0 to 6.0.1 ([#12646](https://github.com/containerd/containerd/pull/12646))\n  * [`b0946006f`](https://github.com/containerd/containerd/commit/b0946006fabd177cb41267fbe8b01038f8bef81a) build(deps): bump actions/checkout from 6.0.0 to 6.0.1\n* go.mod: remove exclude rules ([#12649](https://github.com/containerd/containerd/pull/12649))\n  * [`216e43e89`](https://github.com/containerd/containerd/commit/216e43e8903f51931cb7c9d2e09cbb5634d6d167) go.mod: remove exclude rules\n* build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0 ([#12641](https://github.com/containerd/containerd/pull/12641))\n  * [`fb8c01ded`](https://github.com/containerd/containerd/commit/fb8c01ded46d2cdbb99720ed33a9f7eb6dc13dda) build(deps): bump github.com/containerd/zfs/v2 from 2.0.0-rc.0 to 2.0.0\n* vendor: go.opentelemetry.io/otel/exporters v1.38.0, go.opentelemetry.io/contrib v0.63.0 ([#12604](https://github.com/containerd/containerd/pull/12604))\n  * [`a0fa92530`](https://github.com/containerd/containerd/commit/a0fa92530fca98e2ca0b66158d938275d92295b0) vendor: go.opentelemetry.io/contrib v0.63.0\n  * [`2d5a8cc71`](https://github.com/containerd/containerd/commit/2d5a8cc71e2e159d6b995d4ccbd58ec833f0b88c) vendor: go.opentelemetry.io/otel/exporters v1.38.0\n* add some log if blob is skipped to download ([#12140](https://github.com/containerd/containerd/pull/12140))\n  * [`508f8cac6`](https://github.com/containerd/containerd/commit/508f8cac6d252a01b541cfd6b831e81b6e28440b) add some log if blob is skipped to download\n* ci: update CIFuzz actions to support Ubuntu 24.04 ([#12631](https://github.com/containerd/containerd/pull/12631))\n  * [`d958fb2a2`](https://github.com/containerd/containerd/commit/d958fb2a27e43829e2a0e4b11e3d9ee7d8e146a8) ci: update CIFuzz actions to support Ubuntu 24.04\n* fix: refactor ListPodSandboxMetrics ([#12594](https://github.com/containerd/containerd/pull/12594))\n  * [`398154199`](https://github.com/containerd/containerd/commit/398154199a7345ba05b8dbd3e3803402ec49452f) fix: refactor ListPodSandboxMetrics\n* build(deps): bump softprops/action-gh-release from 2.4.2 to 2.5.0 ([#12610](https://github.com/containerd/containerd/pull/12610))\n  * [`fbb53684f`](https://github.com/containerd/containerd/commit/fbb53684fee225f059bc5dc9525fd4824a6166f6) build(deps): bump softprops/action-gh-release from 2.4.2 to 2.5.0\n* ci: bump Go 1.24.11, 1.25.5 ([#12615](https://github.com/containerd/containerd/pull/12615))\n  * [`127b16357`](https://github.com/containerd/containerd/commit/127b163577534125a3ad96e2de5539c4cb9c6e04) ci: bump Go 1.24.11, 1.25.5\n  * [`65ad60ed9`](https://github.com/containerd/containerd/commit/65ad60ed9a9511adab59b6e8613c94dc414932b6) ci: bump Go 1.24.10, 1.25.4\n* build(deps): bump github.com/klauspost/compress from 1.18.1 to 1.18.2 ([#12609](https://github.com/containerd/containerd/pull/12609))\n  * [`38e90c471`](https://github.com/containerd/containerd/commit/38e90c4715b759595eee2e314ca32a359defd074) build(deps): bump github.com/klauspost/compress from 1.18.1 to 1.18.2\n* build(deps): bump github/codeql-action from 4.31.5 to 4.31.6 ([#12611](https://github.com/containerd/containerd/pull/12611))\n  * [`37f18854c`](https://github.com/containerd/containerd/commit/37f18854c51cc8defb608436aa3182667eb55bbd) build(deps): bump github/codeql-action from 4.31.5 to 4.31.6\n* Map ctr --gpus requests to NVIDIA CDI device requests ([#12537](https://github.com/containerd/containerd/pull/12537))\n  * [`f5cd8d56f`](https://github.com/containerd/containerd/commit/f5cd8d56f4be4359ee2ad48ab784f336f0124642) Map ctr --gpus requests to NVIDIA CDI device requests\n* core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor ([#12606](https://github.com/containerd/containerd/pull/12606))\n  * [`459a95287`](https://github.com/containerd/containerd/commit/459a95287ba66a0cde820435e9883bc3b0d0ab17) core/runtime/v2: remove uses of otelgrpc.UnaryClientInterceptor\n* build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 ([#12601](https://github.com/containerd/containerd/pull/12601))\n  * [`8fcb918d0`](https://github.com/containerd/containerd/commit/8fcb918d0292f1c946488926c45fc9d0fdf959cd) build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0\n* runc: Update runc binary to v1.4.0 ([#12603](https://github.com/containerd/containerd/pull/12603))\n  * [`fbb42c2a4`](https://github.com/containerd/containerd/commit/fbb42c2a4f1d0aa31b8c7fbf6accf1057e41c488) runc: Update runc binary to v1.4.0\n* Avoid using redundant loop devices to run mkfs for mount manager tests. ([#12545](https://github.com/containerd/containerd/pull/12545))\n  * [`190ed6b67`](https://github.com/containerd/containerd/commit/190ed6b6776252ba075c8494bcb5ce5a0322b693) Avoid using redundant loop devices to run mkfs for mount manager tests.\n* build(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.1 ([#12528](https://github.com/containerd/containerd/pull/12528))\n  * [`72b218ee7`](https://github.com/containerd/containerd/commit/72b218ee7a09a69cf7a6e325e12c65e5555cb9dc) build(deps): bump github.com/opencontainers/selinux\n* cri/nri: short-circuit nil adjustment. ([#12574](https://github.com/containerd/containerd/pull/12574))\n  * [`3a717c175`](https://github.com/containerd/containerd/commit/3a717c175657246dcf24a994f7974035d0c54a0a) cri/nri: short-circuit nil adjustment.\n* build(deps): bump actions/checkout from 5.0.1 to 6.0.0 ([#12571](https://github.com/containerd/containerd/pull/12571))\n  * [`dfb8bffb9`](https://github.com/containerd/containerd/commit/dfb8bffb9aa02c34c77169661ef24148fcf05ab9) build(deps): bump actions/checkout from 5.0.1 to 6.0.0\n* build(deps): bump github/codeql-action from 4.31.3 to 4.31.5 ([#12572](https://github.com/containerd/containerd/pull/12572))\n  * [`5a104b967`](https://github.com/containerd/containerd/commit/5a104b96707b41fd33a5606801e7c024671a0faf) build(deps): bump github/codeql-action from 4.31.3 to 4.31.5\n* ci(release): set GO_VERSION in Dockerfile ([#12583](https://github.com/containerd/containerd/pull/12583))\n  * [`0eac0eeb1`](https://github.com/containerd/containerd/commit/0eac0eeb191c40948d573f6c8e87b97e8fbbf538) ci(release): set GO_VERSION in Dockerfile\n* bump containerd/cgroups to v3.1.2 ([#12579](https://github.com/containerd/containerd/pull/12579))\n  * [`9d357f5b9`](https://github.com/containerd/containerd/commit/9d357f5b9867910f82ebf8643791cb2d28966617) bump containerd/cgroups to v3.1.2\n* .github: skip 5 critest cases for window-2022 ([#12578](https://github.com/containerd/containerd/pull/12578))\n  * [`13912cf3b`](https://github.com/containerd/containerd/commit/13912cf3b41b086be68b689bcbbf7b934ba4f703) .github: skip 5 critest cases in window CI pipeline\n* ci: use GitHub source for erofs-utils to fix network flakiness ([#12573](https://github.com/containerd/containerd/pull/12573))\n  * [`c1089f6ed`](https://github.com/containerd/containerd/commit/c1089f6ed683c3c6154866d6dfb81eb9ba59458f) ci: use GitHub source for erofs-utils\n* core/mount.test: should not call removeLoop when set autoclear ([#12561](https://github.com/containerd/containerd/pull/12561))\n  * [`a5c84021c`](https://github.com/containerd/containerd/commit/a5c84021c8c1d9f6fe992bee23118c7c9ca5e289) core/mount: should not call removeLoop when set autoclear\n* build(deps): bump the golang-x group across 1 directory with 3 updates ([#12524](https://github.com/containerd/containerd/pull/12524))\n  * [`dfc2e35b1`](https://github.com/containerd/containerd/commit/dfc2e35b1de2fe7701de23994c85ddd74ba37d12) build(deps): bump the golang-x group across 1 directory with 3 updates\n* build(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 ([#12500](https://github.com/containerd/containerd/pull/12500))\n  * [`e155f0a4b`](https://github.com/containerd/containerd/commit/e155f0a4bb4cc84cb4288d17597c4ecedcc57a6f) build(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2\n* build(deps): bump the k8s group with 3 updates ([#12527](https://github.com/containerd/containerd/pull/12527))\n  * [`f2771359f`](https://github.com/containerd/containerd/commit/f2771359f9b31d62ffcd8e16591aa1c4f3741756) build(deps): bump the k8s group with 3 updates\n* fix: redact all query parameters in CRI error logs ([#12491](https://github.com/containerd/containerd/pull/12491))\n  * [`3e2cee2bf`](https://github.com/containerd/containerd/commit/3e2cee2bf141e8786b6af69b799d1bdadadf60b0) fix: redact all query parameters in CRI error logs\n* build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1 ([#12465](https://github.com/containerd/containerd/pull/12465))\n  * [`13b1f4371`](https://github.com/containerd/containerd/commit/13b1f43712e8341255a792dd9d24740e86c8e9ea) build(deps): bump github.com/containerd/cgroups/v3 from 3.1.0 to 3.1.1\n* build(deps): bump actions/checkout from 5.0.0 to 5.0.1 ([#12525](https://github.com/containerd/containerd/pull/12525))\n  * [`83a5208a6`](https://github.com/containerd/containerd/commit/83a5208a60367fa0070302df134e745a984ec6e6) build(deps): bump actions/checkout from 5.0.0 to 5.0.1\n* build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 ([#12530](https://github.com/containerd/containerd/pull/12530))\n  * [`fb92a97d4`](https://github.com/containerd/containerd/commit/fb92a97d43ed8e31a47d980388e16f350ebd5c88) build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0\n* build(deps): bump github/codeql-action from 4.31.2 to 4.31.3 ([#12526](https://github.com/containerd/containerd/pull/12526))\n  * [`0cf656ab9`](https://github.com/containerd/containerd/commit/0cf656ab9474f39849390ffce7326a3ab3401628) build(deps): bump github/codeql-action from 4.31.2 to 4.31.3\n* Revert \"Implement io.ReaderAt on docker fetch reader\" ([#12529](https://github.com/containerd/containerd/pull/12529))\n  * [`3c9a0bd31`](https://github.com/containerd/containerd/commit/3c9a0bd31688708793046b4d7f12dcbaf9beda94) Revert \"Implement io.ReaderAt on docker fetch reader\"\n* ctr run: dump OCI config to a file ([#12531](https://github.com/containerd/containerd/pull/12531))\n  * [`3b899aa11`](https://github.com/containerd/containerd/commit/3b899aa1118384b6c05c19f6cdb3945520e4b79d) ctr run: dump OCI config to a file\n* ctr: allow rlimit-nofile override ([#12532](https://github.com/containerd/containerd/pull/12532))\n  * [`ee1f94e4d`](https://github.com/containerd/containerd/commit/ee1f94e4d1f15bb3c3902807c14ffcf66cef36a7) ctr: allow rlimit-nofile override\n* Fix image defaults on Darwin to usable configuration ([#12533](https://github.com/containerd/containerd/pull/12533))\n  * [`c2b22d6bd`](https://github.com/containerd/containerd/commit/c2b22d6bd6f487e432fc8bb06a6c22071fc06db3) Update the ctr pull defaults when using the transfer service\n  * [`487d77ff5`](https://github.com/containerd/containerd/commit/487d77ff50dd895fd23784332929f342a7aec6d5) Fix transfer unpack defaults on darwin\n  * [`497f896d6`](https://github.com/containerd/containerd/commit/497f896d653a2bd51e16cd78078e0828e3518b05) Update default differs on darwin\n  * [`49888e001`](https://github.com/containerd/containerd/commit/49888e001fc5ee8744e703c7fadc217dfe658b3d) Use default writable size in erofs snapshotter for non-Linux hosts\n  * [`01b4c8102`](https://github.com/containerd/containerd/commit/01b4c8102b8805fa2e739b5263cddee40f064b23) Update default erofs block size on macOS during erofs diff\n* build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.1 to 2.0.2 ([#12499](https://github.com/containerd/containerd/pull/12499))\n  * [`62e71af73`](https://github.com/containerd/containerd/commit/62e71af73c9b1bd8d3dda7a701405bf4a2753c1b) build(deps): bump github.com/containerd/imgcrypt/v2 from 2.0.1 to 2.0.2\n* build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 ([#12501](https://github.com/containerd/containerd/pull/12501))\n  * [`7f5d9c25b`](https://github.com/containerd/containerd/commit/7f5d9c25bf7523576a415d7483a51bca63cf8fa4) build(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.0.0\n* Update RELEASES.md to set 2.0 to EOL ([#12505](https://github.com/containerd/containerd/pull/12505))\n  * [`3e0af7de2`](https://github.com/containerd/containerd/commit/3e0af7de2fd1020c94a07e6d987ced3a7b65cd7d) Update RELEASES.md to set 2.0 to EOL\n* remotes: fix possible panic from WithMediaTypeKeyPrefix ([#12508](https://github.com/containerd/containerd/pull/12508))\n  * [`720db2874`](https://github.com/containerd/containerd/commit/720db287417295a3d15b58860a9dfbf3bd921988) remotes: fix possible panic from WithMediaTypeKeyPrefix\n* Fix nil pointer dereference in container spec memory metrics ([#12492](https://github.com/containerd/containerd/pull/12492))\n  * [`6b82f034d`](https://github.com/containerd/containerd/commit/6b82f034de52f05124d633b16fa23c548c4ce285) Fix nil pointer dereference in container spec memory metrics\n</p>\n</details>\n\n### Changes from containerd/go-dmverity\n<details><summary>24 commits</summary>\n<p>\n\n* tiny fix: fix link in README ([containerd/go-dmverity#8](https://github.com/containerd/go-dmverity/pull/8))\n  * [`a7f1a09`](https://github.com/containerd/go-dmverity/commit/a7f1a09f06cd71bc2b4878f620e0616a56f33ed6) tiny fix: fix link in README\n* build(deps): bump golang.org/x/sys from 0.38.0 to 0.39.0 in the golang-x group ([containerd/go-dmverity#7](https://github.com/containerd/go-dmverity/pull/7))\n  * [`fba2650`](https://github.com/containerd/go-dmverity/commit/fba265074f293d8b2efa795784ac738dbe5c2c55) build(deps): bump golang.org/x/sys in the golang-x group\n* build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 ([containerd/go-dmverity#3](https://github.com/containerd/go-dmverity/pull/3))\n  * [`8ac0910`](https://github.com/containerd/go-dmverity/commit/8ac091071fbd5b40409d0fd348ab08eae1561106) build(deps): bump actions/setup-go from 6.0.0 to 6.1.0\n* build(deps): bump actions/checkout from 5.0.1 to 6.0.0 ([containerd/go-dmverity#1](https://github.com/containerd/go-dmverity/pull/1))\n  * [`a2cd4df`](https://github.com/containerd/go-dmverity/commit/a2cd4dfdcb3dd8bce94d22bd3b08bb633a227db3) build(deps): bump actions/checkout from 5.0.1 to 6.0.0\n* build(deps): bump golang.org/x/sys from 0.27.0 to 0.38.0 in the golang-x group ([containerd/go-dmverity#2](https://github.com/containerd/go-dmverity/pull/2))\n  * [`d6426d9`](https://github.com/containerd/go-dmverity/commit/d6426d974f7c8744b5186d5f810f7f8337704f8d) build(deps): bump golang.org/x/sys in the golang-x group\n* fix CI workflow and lint issues ([containerd/go-dmverity#5](https://github.com/containerd/go-dmverity/pull/5))\n  * [`61a2dbc`](https://github.com/containerd/go-dmverity/commit/61a2dbce922a4335076f528ec72ed4aaa09d4444) fix: resolve lint issues in verity\n  * [`0876d0c`](https://github.com/containerd/go-dmverity/commit/0876d0cd0e9835775edac20396e29b3692924789) ci: correct project job checkout step\n* fix CI workflow and lint issues ([containerd/go-dmverity#5](https://github.com/containerd/go-dmverity/pull/5))\n  * [`aaacf1e`](https://github.com/containerd/go-dmverity/commit/aaacf1ea3624593897a13b7c809fa723a71d2e38) Align project with containerd sub-project requirements\n* build(deps): bump golangci/golangci-lint-action from 6.1.1 to 9.1.0 ([containerd/go-dmverity#4](https://github.com/containerd/go-dmverity/pull/4))\n  * [`7ba11d8`](https://github.com/containerd/go-dmverity/commit/7ba11d8fc9d1d74de811be60f2eb601bc42135e1) verity: extract verity operations to pkg\n* build(deps): bump actions/setup-go from 6.0.0 to 6.1.0 ([containerd/go-dmverity#3](https://github.com/containerd/go-dmverity/pull/3))\n  * [`19ed941`](https://github.com/containerd/go-dmverity/commit/19ed94141fa73cac69d08824aa39378558cb3771) dm: implement dm-verity signature verification\n* build(deps): bump golang.org/x/sys from 0.27.0 to 0.38.0 in the golang-x group ([containerd/go-dmverity#2](https://github.com/containerd/go-dmverity/pull/2))\n  * [`dab1114`](https://github.com/containerd/go-dmverity/commit/dab1114333773f82bfec64b2f18ba9be08e291fc) verity: add API to get hash tree storage size\n* build(deps): bump actions/checkout from 5.0.1 to 6.0.0 ([containerd/go-dmverity#1](https://github.com/containerd/go-dmverity/pull/1))\n  * [`687f68c`](https://github.com/containerd/go-dmverity/commit/687f68ce0799394a7b68c5418afbe09935375ba6) add ci\n  * [`110acc0`](https://github.com/containerd/go-dmverity/commit/110acc0d4e7d36798f50b818e6f600125aeec415) init veritysetup-go\n</p>\n</details>\n\n### Changes from containerd/nri\n<details><summary>79 commits</summary>\n<p>\n\n* adaptation: allow compiling out WASM support altogether. ([containerd/nri#253](https://github.com/containerd/nri/pull/253))\n  * [`ab88fe6`](https://github.com/containerd/nri/commit/ab88fe680c11b35234c38c7d4eac72335721c78d) adaptation: allow compiling out WASM support altogether.\n* Support direct editing of the intelRdt config ([containerd/nri#215](https://github.com/containerd/nri/pull/215))\n  * [`8c0c9f6`](https://github.com/containerd/nri/commit/8c0c9f67a905fb24682239a4d6d94b0dd52c13e7) Implement removal of RDT\n  * [`dfbae8a`](https://github.com/containerd/nri/commit/dfbae8a616b80037798e3cfb8315d70f3f2eff7e) plugins: add sample rdt plugin\n  * [`d05dd81`](https://github.com/containerd/nri/commit/d05dd818ed26c3dbeae0fce88289387b62e4665c) pkg/adaptation: support new RDT fields\n  * [`725289b`](https://github.com/containerd/nri/commit/725289b256878de8e965327ab6e70dc883ea771b) pkg/runtime-tools/generate: support new RDT fields\n  * [`a7832a2`](https://github.com/containerd/nri/commit/a7832a241411573e03982490197d7eb98a1c9d29) api: add rdt\n* update wazero/wazero version to v1.10.1 ([containerd/nri#252](https://github.com/containerd/nri/pull/252))\n  * [`9eb9a0f`](https://github.com/containerd/nri/commit/9eb9a0f0f6e223e6060805b55957f117f159f5cc) update tetratelabs/wazero version to v1.10.1\n* support specifying a custom NRI socket path ([containerd/nri#249](https://github.com/containerd/nri/pull/249))\n  * [`2df6565`](https://github.com/containerd/nri/commit/2df656516e73b31e013257f713a1df5baa7fdcb0) [plugins] support specifying a custom NRI socket path\n* pkg/api: add OptionalRepeatedString type ([containerd/nri#212](https://github.com/containerd/nri/pull/212))\n  * [`687c1a6`](https://github.com/containerd/nri/commit/687c1a6a8b5c75056acd176dc89c45251926d0bb) pkg/api: add OptionalRepeatedString type\n* api,adaptation,generate: allow setting kernel scheduling policy attributes. ([containerd/nri#160](https://github.com/containerd/nri/pull/160))\n  * [`6a371ac`](https://github.com/containerd/nri/commit/6a371ac5e7afcd185ee575828f4822d779f0ded9) device-injector: add scheduling policy adjustment.\n  * [`e06369e`](https://github.com/containerd/nri/commit/e06369e8d1cad80f12eaf6f2c0da19c7ac78396c) api,adaptation,generate: allow setting scheduler attributes.\n* device-injector: always log injection summary. ([containerd/nri#246](https://github.com/containerd/nri/pull/246))\n  * [`14cc2e2`](https://github.com/containerd/nri/commit/14cc2e2fb6b9504c5241e3156b24b1055ed4e3ed) device-injector: always log injection summary.\n* api,adaptation,generate: allow adjusting linux net devices ([containerd/nri#157](https://github.com/containerd/nri/pull/157))\n  * [`5145c92`](https://github.com/containerd/nri/commit/5145c92e7c215ce3969805005ebdb0f37749e68b) device-injector: add network device injection.\n  * [`8a03823`](https://github.com/containerd/nri/commit/8a03823fe8afbca00b30f669805c911414c58803) api,adaptation,generate: allow adjusting linux net devices.\n* Add support for sysctl adjustment ([containerd/nri#248](https://github.com/containerd/nri/pull/248))\n  * [`914fbf3`](https://github.com/containerd/nri/commit/914fbf3faf42da144376c133541c37211d2f9200) default-validator: restrict sysctl adjustment\n  * [`a418956`](https://github.com/containerd/nri/commit/a4189560f80f7c02579eec252ae43034bf21cb8a) api: apply sysctl adjustments\n  * [`8705f9b`](https://github.com/containerd/nri/commit/8705f9b1eb3107ad8bc422978b0412527e3fd236) api: add sysctl container adjustment\n* feat: Make logger a configurable struct member for stub ([containerd/nri#239](https://github.com/containerd/nri/pull/239))\n  * [`08a891a`](https://github.com/containerd/nri/commit/08a891a81d90b03b5e5ae14734f5ad74e74c264b) feat: Make logger a configurable struct member for stub\n* Drop dependency on opencontainers/runtime-tools ([containerd/nri#247](https://github.com/containerd/nri/pull/247))\n  * [`5e5c2be`](https://github.com/containerd/nri/commit/5e5c2be5f57436228f2762e0deb2c4f9873f3e9b) Drop dependency on opencontainers/runtime-tools\n* deps: bump runtime-spec to v1.3.0. ([containerd/nri#243](https://github.com/containerd/nri/pull/243))\n  * [`29c5811`](https://github.com/containerd/nri/commit/29c581117267cb5d2289ff08902a93ff263caf0e) (v0.1.0) examples: lock NRI, runtime spec deps.\n  * [`d812952`](https://github.com/containerd/nri/commit/d8129529588cca090c972aa5e5f7775162af59da) v010-adapter: lock NRI, runtime spec and tools deps.\n  * [`7dd7c7f`](https://github.com/containerd/nri/commit/7dd7c7f8b21c08242de41634b12ab2ee71b91000) api,runtime-tools: adjust for runtime-spec v1.3.0.\n  * [`5d5d4c4`](https://github.com/containerd/nri/commit/5d5d4c4c877fdef4fe0938e627b11b97234195b8) go.{mod,sum}: update runtime-tools, runtime-spec to v1.3.0.\n* adaptation: ensure sync'ed plugins are fully registered in tests. ([containerd/nri#234](https://github.com/containerd/nri/pull/234))\n  * [`c840397`](https://github.com/containerd/nri/commit/c84039771e9c2cee68952b4b7cc52cba1909784e) adaptation: ensure sync'ed plugins are fully registered in tests.\n* Fix wasm example ([containerd/nri#237](https://github.com/containerd/nri/pull/237))\n  * [`44b2861`](https://github.com/containerd/nri/commit/44b2861a26c8e392229cd8b27a20cf689925f176) Fix wasm example\n* Makefile: build proto files unconditionally ([containerd/nri#229](https://github.com/containerd/nri/pull/229))\n  * [`d99f960`](https://github.com/containerd/nri/commit/d99f96028e5226c004f94a3394be82190980c4bd) Fix dockerized proto build\n  * [`9623748`](https://github.com/containerd/nri/commit/9623748f543343bfe6b2312df47a7ed9000d47fe) Makefile: build proto files unconditionally\n  * [`25d9391`](https://github.com/containerd/nri/commit/25d9391690a7158d851364ef011e1f56fd607a70) build: ensure we use correct version of protoc and its deps.\n* adaptation: test with populated initial resources. ([containerd/nri#231](https://github.com/containerd/nri/pull/231))\n  * [`b6b98b5`](https://github.com/containerd/nri/commit/b6b98b56a60df29da312cc1e1e070697dec43583) adaptation: test with populated initial resources.\n* Install protoc locally in the source tree ([containerd/nri#232](https://github.com/containerd/nri/pull/232))\n  * [`2394daa`](https://github.com/containerd/nri/commit/2394daa45f1c7c0fcf28e9e39895c8b871a7445c) Install protoc locally in the source tree\n* plugins/logger: fix default event subscription mask. ([containerd/nri#158](https://github.com/containerd/nri/pull/158))\n  * [`33b1db1`](https://github.com/containerd/nri/commit/33b1db1add2e9a603f7c47e1efa95d386f4af560) logger: fix default event subscription mask.\n* extract memory and CPU resource helpers ([containerd/nri#210](https://github.com/containerd/nri/pull/210))\n  * [`7afb32a`](https://github.com/containerd/nri/commit/7afb32a3a444fd0a24e36988e0906ad35590c672) extract memory and CPU resource helpers\n* api: expose container user/group ID to plugins. ([containerd/nri#230](https://github.com/containerd/nri/pull/230))\n  * [`22aeb46`](https://github.com/containerd/nri/commit/22aeb467e553bffd7650930b3bc6c28b95a2dee5) docs: update README with container uid/gid info.\n  * [`71b0335`](https://github.com/containerd/nri/commit/71b0335fdc262451ab2ff71591f1126c8a036265) api,adaptation: add container uid/gid info.\n* contrib: add example for enabling per-container RDT monitoring ([containerd/nri#228](https://github.com/containerd/nri/pull/228))\n  * [`91fbf06`](https://github.com/containerd/nri/commit/91fbf06ed654e46629cb7aefb11856953720c9cf) contrib: add example for enabling per-container RDT monitoring\n* ci: enable image signing ([containerd/nri#224](https://github.com/containerd/nri/pull/224))\n  * [`fb54916`](https://github.com/containerd/nri/commit/fb5491601ca84bf52b70e75d0e99ddc4dfe6a922) ci: enable image signing\n* golangci: disable QF1008 from staticcheck linter ([containerd/nri#226](https://github.com/containerd/nri/pull/226))\n  * [`0b3b577`](https://github.com/containerd/nri/commit/0b3b5770d1f6845d3a3e52ccb5218f2b3ce1f34e) golangci: disable QF1008 from staticcheck linter\n* ci: bump golangci-lint to v2.4 ([containerd/nri#225](https://github.com/containerd/nri/pull/225))\n  * [`9787127`](https://github.com/containerd/nri/commit/9787127c0f3e69726b968e12b29dae31e35e250b) Bump golangci-lint to v2.4\n  * [`1a50ff5`](https://github.com/containerd/nri/commit/1a50ff585624f01763fd20aafaeaa92aa8b27c46) Add nolint directives\n  * [`00fa1a1`](https://github.com/containerd/nri/commit/00fa1a124e605590d3ceea1e687600785ae6518d) Add and fix comments for exported types\n  * [`ac21da7`](https://github.com/containerd/nri/commit/ac21da7be8f991a8699cef41acba8783dee5351e) pkg/api/seccomp: add comments for exported functions\n  * [`3aff986`](https://github.com/containerd/nri/commit/3aff986af5f8abefda8552edae991608782df46c) pkg/runtime-tools/generate: remove embedded field \"Generator\"\n  * [`c0c4bb6`](https://github.com/containerd/nri/commit/c0c4bb648ae46207f47d5b18bf447f7d5b32e26b) pkg/api/validate: add comments for exported methods\n  * [`c0ba9da`](h",
+    "published_at": "2026-04-17T18:15:35Z",
+    "prerelease": true,
+    "draft": false,
+    "html_url": "https://github.com/containerd/containerd/releases/tag/v2.3.0-beta.2",
+    "author": "github-actions[bot]"
+  },
+  "analysis": {
+    "summary": "containerd 2.3.0-beta.2 是首个年度LTS（长期支持）版本的预览，引入了新的shim启动协议、增强的EROFS支持、OpenTelemetry追踪集成以及多项CRI和NRI改进，旨在提升稳定性、可观测性和性能。",
+    "key_changes": [
+      "引入新的shim启动协议，为未来shim架构演进奠定基础 - [PR #12786](https://github.com/containerd/containerd/pull/12786)",
+      "新增容器文件系统复制传输类型，支持更灵活的容器文件操作 - [PR #13165](https://github.com/containerd/containerd/pull/13165)",
+      "支持在日志中注入OpenTelemetry追踪ID，增强可观测性 - [PR #13117](https://github.com/containerd/containerd/pull/13117)",
+      "在插件客户端的外发RPC中传播OpenTelemetry追踪，实现端到端追踪 - [PR #13113](https://github.com/containerd/containerd/pull/13113)",
+      "支持zstd压缩的EROFS层，优化镜像分发和存储 - [PR #13185](https://github.com/containerd/containerd/pull/13185)",
+      "新增EROFS层媒体类型，完善EROFS生态支持 - [PR #12567](https://github.com/containerd/containerd/pull/12567)",
+      "允许容器在使用主机网络的同时使用用户命名空间，提升安全性 - [PR #12518](https://github.com/containerd/containerd/pull/12518)",
+      "为NRI插件传递更多容器运行时信息（如用户、seccomp策略、rlimits等），增强插件能力 - [PR #12769](https://github.com/containerd/containerd/pull/12769), [PR #12768](https://github.com/containerd/containerd/pull/12768), [PR #12765](https://github.com/containerd/containerd/pull/12765)"
+    ],
+    "important_bugfixes": [
+      "修复二进制日志驱动在失败时未阻塞容器启动的问题，避免日志丢失 - [PR #12595](https://github.com/containerd/containerd/pull/12595) - **影响：** 生产环境中日志驱动故障可能导致容器异常启动且无日志，影响问题排查",
+      "修复CNI DEL操作在某些情况下从未执行的问题，可能导致网络资源泄漏 - [PR #12923](https://github.com/containerd/containerd/pull/12923) - **影响：** 长期运行后可能累积未清理的网络命名空间或接口，影响节点稳定性",
+      "修复tar提取过程中的TOCTOU竞争条件漏洞 - [PR #12961](https://github.com/containerd/containerd/pull/12961) - **影响：** 在并行解压镜像时可能引发竞态条件，导致文件系统错误",
+      "修复Windows上shim管道就绪检查，提升Windows容器启动可靠性 - [PR #13202](https://github.com/containerd/containerd/pull/13202) - **影响：** Windows节点上容器启动可能因管道未就绪而失败",
+      "修复特权容器cgroup挂载选项未保留的问题 - [PR #12952](https://github.com/containerd/containerd/pull/12952) - **影响：** 特权容器可能无法正确访问主机cgroup文件系统"
+    ],
+    "security_issues": [
+      "修复tar提取过程中的TOCTOU竞争条件漏洞 - [PR #12961](https://github.com/containerd/containerd/pull/12961) - **风险级别：** 中",
+      "在返回gRPC错误前清理错误信息，防止凭证在Pod事件中泄露 - [PR #12801](https://github.com/containerd/containerd/pull/12801) - **风险级别：** 低"
+    ],
+    "performance_improvements": [
+      "EROFS快照器使用fsmount API绕过PAGE_SIZE限制，提升大文件挂载性能 - [PR #12783](https://github.com/containerd/containerd/pull/12783) - **提升：** 改善大块设备文件的挂载效率",
+      "使用新的过滤式cgroups统计API，减少不必要的数据收集开销 - [PR #12901](https://github.com/containerd/containerd/pull/12901) - **提升：** 降低容器指标收集时的CPU和内存开销",
+      "支持只读overlay的无挂载读取，优化某些场景下的文件访问 - [PR #12865](https://github.com/containerd/containerd/pull/12865) - **提升：** 减少不必要的挂载操作"
+    ],
+    "breaking_changes": [
+      "引入新的shim bootstrap协议，旧有的shim启动接口被标记为废弃（Deprecated） - [PR #12786](https://github.com/containerd/containerd/pull/12786) - **影响：** 自定义shim或直接调用旧接口的工具需要评估兼容性，未来版本中旧接口将被移除",
+      "插件配置迁移现在在加载时运行，而非启动时 - [PR #12608](https://github.com/containerd/containerd/pull/12608) - **影响：** 配置加载逻辑有变，需确保所有节点的配置文件格式一致",
+      "从沙盒元数据中移除Container字段，更新沙盒API以包含spec字段 - [PR #12840](https://github.com/containerd/containerd/pull/12840) - **影响：** 直接依赖沙盒元数据中Container字段的内部组件或插件需要更新"
+    ],
+    "recommendations": [
+      "**生产环境暂勿升级**：此为beta预发布版本，包含实验性功能，不建议用于生产环境。",
+      "**开始测试评估**：建议在测试环境中部署此版本，重点验证EROFS集成、新的shim启动协议以及与Kubernetes 1.36（CRI API v0.36.0-rc.0）的兼容性。",
+      "**关注NRI插件兼容性**：如果使用NRI插件，请验证插件是否能正确处理新传递的容器信息（用户、seccomp、设备等）。",
+      "**检查自定义配置**：由于插件配置迁移逻辑变化，请检查并测试所有自定义或通过drop-in文件添加的配置。",
+      "**准备shim升级**：如果使用自定义shim或工具直接与shim交互，应开始规划向新的bootstrap协议迁移。"
+    ],
+    "risk_assessment": "整体风险评估：中等偏高。作为beta版本，其稳定性和兼容性尚未经过大规模生产验证。然而，作为首个年度LTS（2.3）的预览版，其引入的架构变更（如shim协议）和重要功能（如EROFS、OpenTelemetry）对未来的技术选型至关重要。建议在非关键测试环境中进行充分的功能、性能和兼容性测试，特别关注破坏性变更对现有工作流的影响。正式的LTS版本发布后，再进行生产环境的滚动升级。"
+  },
+  "statistics": {
+    "analyzed_prs": 3,
+    "analyzed_issues": 0,
+    "important_items": 0
+  },
+  "important_items": [],
+  "prs": {
+    "157": {
+      "title": "let user to specify the shim name or path",
+      "url": "https://github.com/containerd/containerd/pull/157",
+      "body": "Signed-off-by: mYmNeo mymneo@163.com\n",
+      "state": "closed",
+      "merged": true,
+      "created_at": "2016-03-24T03:09:42Z",
+      "merged_at": "2016-04-20T14:31:14Z",
+      "author": "mYmNeo",
+      "labels": []
+    },
+    "158": {
+      "title": "Add runtimeArgs to pass to shim",
+      "url": "https://github.com/containerd/containerd/pull/158",
+      "body": "This allows you to pass options like:\n\n``` bash\ncontainerd --debug --runtime-args \"--debug\" --runtime-args\n\"--systemd-cgroup\"\n```\n\nSigned-off-by: Michael Crosby crosbymichael@gmail.com\n",
+      "state": "closed",
+      "merged": true,
+      "created_at": "2016-03-24T20:32:03Z",
+      "merged_at": "2016-03-24T22:53:05Z",
+      "author": "crosbymichael",
+      "labels": []
+    },
+    "160": {
+      "title": "Integration test",
+      "url": "https://github.com/containerd/containerd/pull/160",
+      "body": "This is what I came up with for the integration testing.\n\n@crosbymichael, @icecrime, @tonistiigi, @anusha-ragunathan PTAL\n\nI dropped a few extra fixes in the mix since I needed them for the tests to work or for debugging.\n",
+      "state": "closed",
+      "merged": true,
+      "created_at": "2016-03-25T05:59:47Z",
+      "merged_at": "2016-03-25T23:25:30Z",
+      "author": "mlaventure",
+      "labels": []
+    }
+  },
+  "issues": {}
+}
\ No newline at end of file
diff --git a/reports/containerd_release_v2.3.0-beta.2_20260417_194103.md b/reports/containerd_release_v2.3.0-beta.2_20260417_194103.md
new file mode 100644
index 0000000..4ac0875
--- /dev/null
+++ b/reports/containerd_release_v2.3.0-beta.2_20260417_194103.md
@@ -0,0 +1,114 @@
+# Containerd 版本发布分析报告
+## containerd 2.3.0-beta.2 (v2.3.0-beta.2)
+
+### 📋 版本信息
+- **版本标签：** v2.3.0-beta.2
+- **版本名称：** containerd 2.3.0-beta.2
+- **发布时间：** 2026-04-17T18:15:35Z
+- **发布者：** github-actions[bot]
+- **预发布版本：** 是
+- **草稿状态：** 否
+- **GitHub 链接：** https://github.com/containerd/containerd/releases/tag/v2.3.0-beta.2
+
+### 🔍 分析统计
+- **分析时间：** 2026-04-17 19:41:03
+- **分析的 PR 数量：** 3
+- **分析的 Issue 数量：** 0
+- **重要项目数量：** 0
+
+## 📊 版本概述
+containerd 2.3.0-beta.2 是首个年度LTS（长期支持）版本的预览，引入了新的shim启动协议、增强的EROFS支持、OpenTelemetry追踪集成以及多项CRI和NRI改进，旨在提升稳定性、可观测性和性能。
+
+## 🔒 安全问题修复
+1. ⚠️ 修复tar提取过程中的TOCTOU竞争条件漏洞 - [PR #12961](https://github.com/containerd/containerd/pull/12961) - **风险级别：** 中
+2. ⚠️ 在返回gRPC错误前清理错误信息，防止凭证在Pod事件中泄露 - [PR #12801](https://github.com/containerd/containerd/pull/12801) - **风险级别：** 低
+
+**🚨 安全建议：** 如果您的环境中使用了受影响的功能，建议优先升级到此版本。
+
+## 🐛 重要问题修复
+1. 修复二进制日志驱动在失败时未阻塞容器启动的问题，避免日志丢失 - [PR #12595](https://github.com/containerd/containerd/pull/12595) - **影响：** 生产环境中日志驱动故障可能导致容器异常启动且无日志，影响问题排查
+2. 修复CNI DEL操作在某些情况下从未执行的问题，可能导致网络资源泄漏 - [PR #12923](https://github.com/containerd/containerd/pull/12923) - **影响：** 长期运行后可能累积未清理的网络命名空间或接口，影响节点稳定性
+3. 修复tar提取过程中的TOCTOU竞争条件漏洞 - [PR #12961](https://github.com/containerd/containerd/pull/12961) - **影响：** 在并行解压镜像时可能引发竞态条件，导致文件系统错误
+4. 修复Windows上shim管道就绪检查，提升Windows容器启动可靠性 - [PR #13202](https://github.com/containerd/containerd/pull/13202) - **影响：** Windows节点上容器启动可能因管道未就绪而失败
+5. 修复特权容器cgroup挂载选项未保留的问题 - [PR #12952](https://github.com/containerd/containerd/pull/12952) - **影响：** 特权容器可能无法正确访问主机cgroup文件系统
+
+## 💥 破坏性变更
+1. 🚨 引入新的shim bootstrap协议，旧有的shim启动接口被标记为废弃（Deprecated） - [PR #12786](https://github.com/containerd/containerd/pull/12786) - **影响：** 自定义shim或直接调用旧接口的工具需要评估兼容性，未来版本中旧接口将被移除
+2. 🚨 插件配置迁移现在在加载时运行，而非启动时 - [PR #12608](https://github.com/containerd/containerd/pull/12608) - **影响：** 配置加载逻辑有变，需确保所有节点的配置文件格式一致
+3. 🚨 从沙盒元数据中移除Container字段，更新沙盒API以包含spec字段 - [PR #12840](https://github.com/containerd/containerd/pull/12840) - **影响：** 直接依赖沙盒元数据中Container字段的内部组件或插件需要更新
+
+**⚠️ 升级警告：** 此版本包含破坏性变更，升级前请仔细评估对现有系统的影响。
+
+## ✨ 主要变更
+1. 引入新的shim启动协议，为未来shim架构演进奠定基础 - [PR #12786](https://github.com/containerd/containerd/pull/12786)
+2. 新增容器文件系统复制传输类型，支持更灵活的容器文件操作 - [PR #13165](https://github.com/containerd/containerd/pull/13165)
+3. 支持在日志中注入OpenTelemetry追踪ID，增强可观测性 - [PR #13117](https://github.com/containerd/containerd/pull/13117)
+4. 在插件客户端的外发RPC中传播OpenTelemetry追踪，实现端到端追踪 - [PR #13113](https://github.com/containerd/containerd/pull/13113)
+5. 支持zstd压缩的EROFS层，优化镜像分发和存储 - [PR #13185](https://github.com/containerd/containerd/pull/13185)
+6. 新增EROFS层媒体类型，完善EROFS生态支持 - [PR #12567](https://github.com/containerd/containerd/pull/12567)
+7. 允许容器在使用主机网络的同时使用用户命名空间，提升安全性 - [PR #12518](https://github.com/containerd/containerd/pull/12518)
+8. 为NRI插件传递更多容器运行时信息（如用户、seccomp策略、rlimits等），增强插件能力 - [PR #12769](https://github.com/containerd/containerd/pull/12769), [PR #12768](https://github.com/containerd/containerd/pull/12768), [PR #12765](https://github.com/containerd/containerd/pull/12765)
+
+## 🚀 性能优化
+1. EROFS快照器使用fsmount API绕过PAGE_SIZE限制，提升大文件挂载性能 - [PR #12783](https://github.com/containerd/containerd/pull/12783) - **提升：** 改善大块设备文件的挂载效率
+2. 使用新的过滤式cgroups统计API，减少不必要的数据收集开销 - [PR #12901](https://github.com/containerd/containerd/pull/12901) - **提升：** 降低容器指标收集时的CPU和内存开销
+3. 支持只读overlay的无挂载读取，优化某些场景下的文件访问 - [PR #12865](https://github.com/containerd/containerd/pull/12865) - **提升：** 减少不必要的挂载操作
+
+## 🎯 风险评估
+整体风险评估：中等偏高。作为beta版本，其稳定性和兼容性尚未经过大规模生产验证。然而，作为首个年度LTS（2.3）的预览版，其引入的架构变更（如shim协议）和重要功能（如EROFS、OpenTelemetry）对未来的技术选型至关重要。建议在非关键测试环境中进行充分的功能、性能和兼容性测试，特别关注破坏性变更对现有工作流的影响。正式的LTS版本发布后，再进行生产环境的滚动升级。
+
+## 📋 升级建议
+1. **生产环境暂勿升级**：此为beta预发布版本，包含实验性功能，不建议用于生产环境。
+2. **开始测试评估**：建议在测试环境中部署此版本，重点验证EROFS集成、新的shim启动协议以及与Kubernetes 1.36（CRI API v0.36.0-rc.0）的兼容性。
+3. **关注NRI插件兼容性**：如果使用NRI插件，请验证插件是否能正确处理新传递的容器信息（用户、seccomp、设备等）。
+4. **检查自定义配置**：由于插件配置迁移逻辑变化，请检查并测试所有自定义或通过drop-in文件添加的配置。
+5. **准备shim升级**：如果使用自定义shim或工具直接与shim交互，应开始规划向新的bootstrap协议迁移。
+
+## 📋 Release 包含的变更
+
+### PR #157: let user to specify the shim name or path
+- **链接：** https://github.com/containerd/containerd/pull/157
+- **状态：** closed
+- **已合并：** 是
+- **作者：** mYmNeo
+- **变更说明：**
+  **PR #157:** let user to specify the shim name or path
+
+**PR内容:** Signed-off-by: mYmNeo mymneo@163.com
+...
+
+### PR #158: Add runtimeArgs to pass to shim
+- **链接：** https://github.com/containerd/containerd/pull/158
+- **状态：** closed
+- **已合并：** 是
+- **作者：** crosbymichael
+- **变更说明：**
+  **PR #158:** Add runtimeArgs to pass to shim
+
+**PR内容:** This allows you to pass options like:
+
+``` bash
+containerd --debug --runtime-args "--debug" --runtime-args
+"--systemd-cgroup"
+```
+
+Signed-off-by: Michael Crosby crosbymichael@gmail.com
+...
+
+### PR #160: Integration test
+- **链接：** https://github.com/containerd/containerd/pull/160
+- **状态：** closed
+- **已合并：** 是
+- **作者：** mlaventure
+- **变更说明：**
+  **PR #160:** Integration test
+
+**PR内容:** This is what I came up with for the integration testing.
+
+@crosbymichael, @icecrime, @tonistiigi, @anusha-ragunathan PTAL
+
+I dropped a few extra fixes in the mix since I needed them for the tests to work or for debugging.
+...
+
+---
+*本报告由 Containerd Release Tracker 自动生成*
\ No newline at end of file