diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
index 108e3e2b..23034fc3 100644
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -2,6 +2,7 @@ name: backport
 on:
   pull_request_target:
     types: [closed, labeled]
+permissions: read-all
 jobs:
   backport:
     permissions:
diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index db617f8f..03316ef1 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -19,7 +19,7 @@ jobs:
       matrix:
         # Keep this list up-to-date with https://endoflife.date/kubernetes
         # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
-        KUBERNETES_VERSION: [1.31.5, 1.32.1, 1.33.0, 1.34.0]
+        KUBERNETES_VERSION: [1.32.1, 1.33.0, 1.34.1]
       fail-fast: false
     steps:
       - name: Checkout
@@ -42,7 +42,7 @@ jobs:
       - name: Setup Kubernetes
         uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
-          version: v0.27.0
+          version: v0.30.0
           cluster_name: ${{ steps.prep.outputs.CLUSTER }}
           node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
       - name: Run e2e tests
@@ -76,7 +76,7 @@ jobs:
       matrix:
         # Keep this list up-to-date with https://endoflife.date/kubernetes
         # Available versions can be found with "replicated cluster versions"
-        K3S_VERSION: [ 1.31.8, 1.32.4, 1.33.0 ]
+        K3S_VERSION: [ 1.32.8, 1.33.4 ]
       fail-fast: false
     steps:
       - name: Checkout
@@ -169,7 +169,7 @@ jobs:
     strategy:
       matrix:
         # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
-        OPENSHIFT_VERSION: [ 4.18.0-okd ]
+        OPENSHIFT_VERSION: [ 4.19.0-okd ]
       fail-fast: false
     steps:
       - name: Checkout
diff --git a/.github/workflows/e2e-azure.yaml b/.github/workflows/e2e-azure.yaml
index f2b8356b..d3304dbc 100644
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -22,7 +22,7 @@ permissions:
 
 jobs:
   e2e-aks:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: ./tests/integration
diff --git a/.github/workflows/e2e-bootstrap.yaml b/.github/workflows/e2e-bootstrap.yaml
index fa975e8e..a88b006d 100644
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@@ -28,11 +28,11 @@ jobs:
       - name: Setup Kubernetes
         uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
-          version: v0.24.0
+          version: v0.30.0
           cluster_name: kind
           # The versions below should target the newest Kubernetes version
           # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.33.0-amd64
+          node_image: ghcr.io/fluxcd/kindest/node:v1.32.1-amd64
           kubectl_version: v1.32.0
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@7f090e931301b18cbdc37d9a28b08f84ba1270fb # main
diff --git a/.github/workflows/e2e-gcp.yaml b/.github/workflows/e2e-gcp.yaml
index f8d2dab5..06b87eb4 100644
--- a/.github/workflows/e2e-gcp.yaml
+++ b/.github/workflows/e2e-gcp.yaml
@@ -22,7 +22,7 @@ permissions:
 
 jobs:
   e2e-gcp:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: ./tests/integration
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index fa714f29..bf1065d7 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -34,13 +34,13 @@ jobs:
       - name: Setup Kubernetes
         uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
-          version: v0.24.0
+          version: v0.30.0
           cluster_name: kind
           wait: 5s
           config: .github/kind/config.yaml # disable KIND-net
           # The versions below should target the oldest supported Kubernetes version
           # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.31.5-amd64
+          node_image: ghcr.io/fluxcd/kindest/node:v1.32.1-amd64
           kubectl_version: v1.32.0
       - name: Setup Calico for network policy
         run: |
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index eb29f03b..63bbfdc7 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -7,6 +7,7 @@ on:
     branches: [ 'main', 'release/**' ]
   schedule:
     - cron: '18 10 * * 3'
+permissions: read-all
 jobs:
   analyze:
     permissions:
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index cc69156a..5907236a 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -6,6 +6,7 @@ on:
       - main
     paths:
       - .github/labels.yaml
+permissions: read-all
 jobs:
   sync-labels:
     permissions:
diff --git a/cmd/flux/check.go b/cmd/flux/check.go
index f4a1cf62..c8eefb37 100644
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -60,7 +60,7 @@ type checkFlags struct {
 }
 
 var kubernetesConstraints = []string{
-	">=1.31.0-0",
+	">=1.32.0-0",
 }
 
 var checkArgs checkFlags
diff --git a/cmd/flux/testdata/check/check_pre.golden b/cmd/flux/testdata/check/check_pre.golden
index dabeb392..2ca2db8b 100644
--- a/cmd/flux/testdata/check/check_pre.golden
+++ b/cmd/flux/testdata/check/check_pre.golden
@@ -1,3 +1,3 @@
 ► checking prerequisites
-✔ Kubernetes {{ .serverVersion }} >=1.31.0-0
+✔ Kubernetes {{ .serverVersion }} >=1.32.0-0
 ✔ prerequisites checks passed