From 6620fec5d19f6c86425501ee64f8cb8a8fb3fa3e Mon Sep 17 00:00:00 2001
From: Sumit Solanki
Date: Sat, 9 May 2026 12:17:40 +0530
Subject: [PATCH 1/8] fix(downloader): order DiskCache.Get checks for overlayfs empty dirs
Signed-off-by: Sumit Solanki
---
 pkg/downloader/cache.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/pkg/downloader/cache.go b/pkg/downloader/cache.go
index 1e23fbfcd..c628ba95d 100644
--- a/pkg/downloader/cache.go
+++ b/pkg/downloader/cache.go
@@ -59,15 +59,17 @@ func (c *DiskCache) Get(key [sha256.Size]byte, cacheType string) (string, error)
 if err != nil {
 return "", err
 }
- // Empty files treated as not exist because there is no content.
- if fi.Size() == 0 {
- return p, os.ErrNotExist
- }
 // directories should never happen unless something outside helm is operating
 // on this content.
 if fi.IsDir() {
 return p, errors.New("is a directory")
 }
+ // Empty files treated as not exist because there is no content.
+ // IsDir must be checked first: some filesystems (e.g. overlay) report
+ // directory size as 0.
+ if fi.Size() == 0 {
+ return p, os.ErrNotExist
+ }
 return p, nil
 }
From 53d5f13f46f7dd555be8bd90616abdc77d470000 Mon Sep 17 00:00:00 2001
From: Sumit Solanki
Date: Sat, 9 May 2026 12:28:41 +0530
Subject: [PATCH 2/8] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Sumit Solanki
---
 pkg/downloader/cache.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/downloader/cache.go b/pkg/downloader/cache.go
index c628ba95d..92d477e49 100644
--- a/pkg/downloader/cache.go
+++ b/pkg/downloader/cache.go
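Review bot: In `DiskCache.Get` (PATCH 1/8, `pkg/downloader/cache.go`) the reordered checks still return `p, nil` for any non-directory entry with a non-zero size, even though the comment above `fi.IsDir()` already anticipates something outside helm touching this content. Assuming `fi` is an `os.FileInfo`, a follow-up guard such as `if !fi.Mode().IsRegular() { return p, errors.New("not a regular file") }` after the directory check would reject other non-regular cache entries without depending on the size a filesystem reports. The diffstat lists only `cache.go`, so a regression test that places a directory at the cache path and asserts the error is not `os.ErrNotExist` would pin the new ordering. The start of `Get` is outside the hunk, so whether `fi` comes from a call that follows symlinks cannot be confirmed from here.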
@@ -64,8 +64,8 @@ func (c *DiskCache) Get(key [sha256.Size]byte, cacheType string) (string, error)
 if fi.IsDir() {
 return p, errors.New("is a directory")
 }
- // Empty files treated as not exist because there is no content.
- // IsDir must be checked first: some filesystems (e.g. overlay) report
+ // Empty files are treated as non-existent because there is no content.
+ // IsDir must be checked first: some filesystems (e.g. overlayfs) report
 // directory size as 0.
 if fi.Size() == 0 {
 return p, os.ErrNotExist
From 2032ec5cbaf168de0fadc59959319e4b580ff72e Mon Sep 17 00:00:00 2001
From: Kai Tanaka <275430420+quyentonndbs@users.noreply.github.com>
Date: Tue, 12 May 2026 14:12:03 +0000
Subject: [PATCH 3/8] docs: fix 'than'->'that' typo in deprecatedAPIError godoc
Signed-off-by: Kai Tanaka <275430420+quyentonndbs@users.noreply.github.com>
---
 internal/chart/v3/lint/rules/deprecations.go | 2 +-
 pkg/chart/v2/lint/rules/deprecations.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/chart/v3/lint/rules/deprecations.go b/internal/chart/v3/lint/rules/deprecations.go
index a607a5fb4..9c73268af 100644
--- a/internal/chart/v3/lint/rules/deprecations.go
+++ b/internal/chart/v3/lint/rules/deprecations.go
@@ -28,7 +28,7 @@ import (
 kscheme "k8s.io/client-go/kubernetes/scheme"
 )
-// deprecatedAPIError indicates than an API is deprecated in Kubernetes
+// deprecatedAPIError indicates that an API is deprecated in Kubernetes
 type deprecatedAPIError struct {
 Deprecated string
 Message string
diff --git a/pkg/chart/v2/lint/rules/deprecations.go b/pkg/chart/v2/lint/rules/deprecations.go
index 7d5245869..76626659b 100644
--- a/pkg/chart/v2/lint/rules/deprecations.go
+++ b/pkg/chart/v2/lint/rules/deprecations.go
@@ -28,7 +28,7 @@ import (
 kscheme "k8s.io/client-go/kubernetes/scheme"
 )
-// deprecatedAPIError indicates than an API is deprecated in Kubernetes
+// deprecatedAPIError indicates that an API is deprecated in Kubernetes
 type deprecatedAPIError struct {
 Deprecated string
 Message string
From 979e68fbbd5a932c67b756884880d7641f268632 Mon Sep 17 00:00:00 2001
From: Aleksei Sviridkin
Date: Wed, 20 May 2026 13:24:39 +0300
Subject: [PATCH 4/8] internal/plugin: remove zero-width spaces from plugin name comment
The comment describing allowed plugin name characters contained three U+200B (zero-width space) characters around the '_' and '-' literals. The rendered comment is identical without them; the ZWSP were likely copy-pasted from a rich-text source. Downstream impact: every project that vendors helm.sh/helm/v4 and runs Renovate gets a repo-wide warning on its Dependency Dashboard about hidden Unicode characters. Renovate scans the whole tree (including vendor/) for ZWSP/bidi-override codepoints and cannot be told to skip a path for this specific check. Removing the characters here clears the warning everywhere downstream.
Signed-off-by: Aleksei Sviridkin
---
 internal/plugin/plugin.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/plugin/plugin.go b/internal/plugin/plugin.go
index 132b1739e..789e583ae 100644
--- a/internal/plugin/plugin.go
+++ b/internal/plugin/plugin.go
@@ -77,5 +77,5 @@ type Output struct {
 // validPluginName is a regular expression that validates plugin names.
 //
-// Plugin names can only contain the ASCII characters a-z, A-Z, 0-9, ​_​ and ​-.
+// Plugin names can only contain the ASCII characters a-z, A-Z, 0-9, _ and -.
 var validPluginName = regexp.MustCompile("^[A-Za-z0-9_-]+$")
From ace245b8273e23c9f12993befa535a19ab1bc172 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 21:33:33 +0000
Subject: [PATCH 5/8] chore(deps): bump actions/stale from 10.2.0 to 10.3.0
Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/b5d41d4e1d5dceea10e7104786b73624c18a190f...eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899)
---
updated-dependencies:
- dependency-name: actions/stale dependency-version: 10.3.0 dependency-type: direct:production update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/stale.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 9b0c29952..bbe339e79 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -12,7 +12,7 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+ - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-message: 'This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.'
From 442e1460b9ec4450a7c12d6b6a59848e7b16d9d1 Mon Sep 17 00:00:00 2001
From: Benoit Tigeot
Date: Fri, 22 May 2026 09:47:08 +0200
Subject: [PATCH 6/8] docs: update version status for v4 stable release
Helm v4 shipped on 2025-11-17. Mark it as the current stable release and v3 as support-mode with its end-of-support dates.
Signed-off-by: Benoit Tigeot
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 37bc8abaa..d581ceac3 100644
--- a/README.md
+++ b/README.md
@@ -32,8 +32,8 @@ Think of it like apt/yum/homebrew for Kubernetes.
 ## Helm Development and Stable Versions
-Helm v4 is currently under development on the `main` branch. This is unstable and the APIs within the Go SDK and at the command line are changing.
-Helm v3 (current stable) is maintained on the `dev-v3` branch. APIs there follow semantic versioning.
+Helm v4 is the current stable release, developed on the `main` branch.
+Helm v3 is in support mode on the `dev-v3` branch: bug fixes until July 8th 2026, security fixes until November 11th 2026.
 ## Install
@@ -64,7 +64,7 @@ Get started with the [Quick Start guide](https://helm.sh/docs/intro/quickstart/)
 The [Helm roadmap uses GitHub milestones](https://github.com/helm/helm/milestones) to track the progress of the project.
-The development of Helm v4 is currently happening on the `main` branch while the development of Helm v3, the stable branch, is happening on the `dev-v3` branch. Changes should be made to the `main` branch prior to being added to the `dev-v3` branch so that all changes are carried along to Helm v4.
+Helm v4 development happens on the `main` branch. Helm v3 is in support mode on the `dev-v3` branch and receives only bug and security fixes.
 ## Community, discussion, contribution, and support
From 60665e9035ccab375780ef77934bde2ffa674448 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 21:33:30 +0000
Subject: [PATCH 7/8] chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.5 to 4.36.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/9e0d7b8d25671d64c341c19c0152d693099fb5ba...7211b7c8077ea37d8641b6271f6a365a22a5fbfa)
---
updated-dependencies:
- dependency-name: github/codeql-action dependency-version: 4.36.0 dependency-type: direct:production update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/codeql-analysis.yml | 6 +++---
 .github/workflows/scorecards.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 2af5c67cc..1c3ea0bf4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -48,7 +48,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # pinv4.35.5
+ uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # pinv4.36.0
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -59,7 +59,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # pinv4.35.5
+ uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # pinv4.36.0
 # ℹ️ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -73,4 +73,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # pinv4.35.5
+ uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # pinv4.36.0
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 77f220426..c4a0cb196 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -64,6 +64,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 sarif_file: results.sarif
From dbb3e353372f6e4abca9155c44d8b9a5f1e97626 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 21:33:35 +0000
Subject: [PATCH 8/8] chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 9.2.0 to 9.2.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/1e7e51e771db61008b38414a730f564565cf7c20...82606bf257cbaff209d206a39f5134f0cfbfd2ee)
---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action dependency-version: 9.2.1 dependency-type: direct:production update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/golangci-lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 8b64a3be2..734bc682a 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -22,6 +22,6 @@ jobs:
 go-version: '${{ env.GOLANG_VERSION }}'
 check-latest: true
 - name: golangci-lint
- uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 #pin@9.2.0
+ uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #pin@9.2.1
 with:
 version: ${{ env.GOLANGCI_LINT_VERSION }}