From 0f9411cd746f075d788166a293e869156dff56fd Mon Sep 17 00:00:00 2001 From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com> Date: Wed, 17 Dec 2025 11:10:22 +0000 Subject: [PATCH 1/3] calico-3.31/3.31.2-r4: fix GHSA-r6j8-c6r2-37rr --- calico-3.31.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/calico-3.31.yaml b/calico-3.31.yaml index 1f9f70a729f..62a257159a4 100644 --- a/calico-3.31.yaml +++ b/calico-3.31.yaml @@ -1,7 +1,7 @@ package: name: calico-3.31 version: "3.31.2" - epoch: 4 # GHSA-jv3w-x3r3-g6rm + epoch: 5 # GHSA-r6j8-c6r2-37rr description: "Cloud native networking and network security" copyright: - license: Apache-2.0 @@ -79,6 +79,7 @@ pipeline: deps: |- golang.org/x/crypto@v0.45.0 github.com/containernetworking/plugins@v1.9.0 + k8s.io/kubernetes@v1.33.6 # Because we are using tigera-operator during image test we are reliant on tigera-operator setting # up all the required rbac rules that are needed for calico-apiserver to run. Currently it does not and From cbdb77597755749e1c82a335e3ec9cd1bd5ef63c Mon Sep 17 00:00:00 2001 From: Ankush Pathak Date: Mon, 22 Dec 2025 14:47:14 +0000 Subject: [PATCH 2/3] fix(calico-3.31): Bump to 3.31.3 Signed-off-by: Ankush Pathak --- calico-3.31.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/calico-3.31.yaml b/calico-3.31.yaml index 62a257159a4..63c4555ca55 100644 --- a/calico-3.31.yaml +++ b/calico-3.31.yaml @@ -1,7 +1,7 @@ package: name: calico-3.31 - version: "3.31.2" - epoch: 5 # GHSA-r6j8-c6r2-37rr + version: "3.31.3" + epoch: 0 description: "Cloud native networking and network security" copyright: - license: Apache-2.0 @@ -65,7 +65,7 @@ pipeline: with: repository: https://github.com/projectcalico/calico tag: v${{package.version}} - expected-commit: dd5575465ed825f86a3bc10f17bb5f7dc106d0f0 + expected-commit: 2e3c880bcabff580ddd7a08340878ede207f37be recurse-submodules: true - uses: go/bump 
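Review bot: The `k8s.io/kubernetes@v1.33.6` entry added to the `go/bump` deps in the second hunk of patch 1/3 (`@@ -79,6 +79,7 @@`) carries no record of why it is pinned. The only link to GHSA-r6j8-c6r2-37rr is the trailing comment on `epoch:` in the first hunk, and patch 2/3 of this series already replaces that line with a bare `epoch: 0`. Because `deps: |-` is a block scalar, a `#` line inside it would become part of the value passed to go/bump, so the note belongs above the step, e.g. `# k8s.io/kubernetes pinned for GHSA-r6j8-c6r2-37rr; drop once upstream go.mod requires >= v1.33.6`. That gives the next version bump the same evidence patch 3/3 relied on when it dropped the crypto pin. The `- uses: go/bump` step header sits outside this hunk, and it is worth confirming (not visible here) that forcing k8s.io/kubernetes ahead of upstream's go.mod still resolves the k8s.io staging modules consistently.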
From aa9c341032ac6ee66b89c1b623c72b3888472103 Mon Sep 17 00:00:00 2001 From: Ankush Pathak Date: Mon, 22 Dec 2025 15:03:40 +0000 Subject: [PATCH 3/3] fix(calico-3.31): Drop crypto bump as it's not required anymore Signed-off-by: Ankush Pathak --- calico-3.31.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/calico-3.31.yaml b/calico-3.31.yaml index 63c4555ca55..48076684fdc 100644 --- a/calico-3.31.yaml +++ b/calico-3.31.yaml @@ -77,7 +77,6 @@ pipeline: - uses: go/bump with: deps: |- - golang.org/x/crypto@v0.45.0 github.com/containernetworking/plugins@v1.9.0 k8s.io/kubernetes@v1.33.6