fix: resolve CVE-2026-33750 in brace-expansion

Upgrade brace-expansion to satisfy >=1.1.13
Advisory: https://github.com/advisories/GHSA-f886-m6hf-6m8v

Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Florent Benoit <fbenoit@redhat.com>

.agents/skills/investigate-gh-run/SKILL.md

@@ -0,0 +1,233 @@
+---
+name: investigate-gh-run
+description: Deep investigation of CI/CD test failures - identifies root causes by analyzing logs, artifacts, git history, and source code
+---
+
+Investigate CI test failures for the given GitHub Actions run. The user will provide a run URL or run ID as: $ARGUMENTS
+
+## Protocol
+
+This is an adaptive-depth investigation. You gather all surface-level data in one parallel batch, classify the failure, then go only as deep as needed. An infra failure resolves in one round. A clear build error in two. A subtle UI regression gets the full trace analysis pipeline.
+
+Wall-clock time is the enemy. Launch independent work in parallel. Never wait for one API call to decide whether to start another.
+
+---
+
+### Step 1: Gather Everything (one parallel batch)
+
+Extract the run ID from the URL (`https://github.com/{owner}/{repo}/actions/runs/{run-id}`), then launch ALL of these in a single message:
+
+```
+# a) Run overview
+gh run view {run-id} --repo {owner}/{repo}
+
+# b) Failed job IDs
+gh api repos/{owner}/{repo}/actions/runs/{run-id}/jobs --paginate \
+  --jq '.jobs[] | select(.conclusion == "failure") | "\(.id) \(.name)"'
+
+# c) Failed logs -> temp file (10-100x smaller than full logs)
+gh run view {run-id} --repo {owner}/{repo} --log-failed \
+  > /tmp/ci-logs-{run-id}.txt 2>&1
+
+# d) Artifacts
+gh api repos/{owner}/{repo}/actions/runs/{run-id}/artifacts \
+  --jq '.artifacts[] | "\(.id) \(.name) \(.size_in_bytes)"'
+
+# e) Workflow run history (workflow name unknown, so chain via ID)
+WF_ID=$(gh api repos/{owner}/{repo}/actions/runs/{run-id} --jq '.workflow_id') && \
+gh api "repos/{owner}/{repo}/actions/workflows/$WF_ID/runs?per_page=10" \
+  --jq '.workflow_runs[] | "\(.id) \(.conclusion // "running") \(.created_at | split("T")[0])"'
+```
+
+Combine the branch-name fetch with the log save to reduce tool calls:
+
+```
+# f) Branch name
+gh api repos/{owner}/{repo}/actions/runs/{run-id} --jq '.head_branch'
+```
+
+**Identify failing tests from the overview first.** The `gh run view` output (call a) already contains `🧪` annotations and `X` markers with test names. Read these before touching any log files — they tell you WHAT failed without any grepping.
+
+Then grep the saved log file for error DETAILS (locator, expected, received):
+
+```
+echo "=== SUMMARY ===" && \
+grep -E "failed$|🧪|passed \(" /tmp/ci-logs-{run-id}.txt | grep -v "STDERR\|npm warn" | head -15 && \
+echo "=== FAILURES ===" && \
+grep -B 1 -A 5 "Error:.*expect\|Error:.*Manifest\|Error:.*timeout\|Error encountered\|intercepts pointer\|no such file\|copier subprocess\|layer not known\|unable to copy" /tmp/ci-logs-{run-id}.txt | grep -v "STDERR\|echo\|npm\|curl\|jq\|matcherResult\|endWallTime\|Symbol\|stepId\|boxedStack\|stack:" | head -50
+```
+
+**`--log-failed` blind spot:** Many CI setups (podman-desktop/e2e, extension repos) mark the test step as ✓ (passed) even when Playwright reports failures — the exit code is 0 or `continue-on-error: true`. Only the "Publish Test Report" step fails (X). In this case, `--log-failed` captures the Publish step output which may NOT contain Playwright error details. The grep will return empty.
+
+**When the grep returns empty but the overview shows test failures**, fall back immediately — don't retry different grep patterns:
+
+1. **Download the individual job log** (contains ALL step output including the passed test step):
+   ```
+   gh api repos/{owner}/{repo}/actions/jobs/{job-id}/logs > /tmp/ci-job-{job-id}.txt 2>&1
+   ```
+2. **For blob-format logs** (entire output on one line), use `grep -o` with `cut` to extract error snippets:
+   ```
+   grep -o 'Error:.*expect[^\\]*' /tmp/ci-job-{job-id}.txt | cut -c1-300 | head -5
+   grep -o 'Locator:.*' /tmp/ci-job-{job-id}.txt | cut -c1-200 | head -5
+   ```
+3. **For Testing Farm** (Playwright runs remotely): extract JUnit XML from artifacts:
+   ```
+   unzip -o ci-results.zip "*.xml" -d /tmp/ci-artifacts && \
+   grep -A 20 "failure message" /tmp/ci-artifacts/junit*.xml | head -40
+   ```
+
+---
+
+### Step 2: Classify and Route
+
+With all data in hand, classify the failure and choose the investigation depth:
+
+**A) Infra failure -> Report immediately**
+Signals: "Create instance" step failed, "Missing file: host", tiny artifact (<10KB), "Artemis resource ended in error", "MAPT container failed", no JUnit results.
+Action: Skip everything else. Write the report now. These are provisioning failures with nothing to analyze.
+
+**B) Clear build/process error -> Report after confirming with run history**
+Signals: error message is self-explanatory ("no such file or directory", "unable to copy from source docker://...", registry HTTP errors, "copier subprocess" failures). The error context page snapshot would just show a generic page.
+Action: Check run history for pattern (isolated vs chronic), then report. Skip artifact download and trace analysis — the CI log error tells the whole story.
+
+**C) UI/test failure -> Full investigation**
+Signals: locator timeouts, assertion mismatches, "intercepts pointer events", strict mode violations, `expect(locator).toBeVisible()` failures. The error message says _what_ failed but not _why_.
+Action: Continue to Steps 3-5. Download artifacts, read error-context.md, dispatch trace subagent.
+
+**Also decide:**
+
+- **Branch context:** If the run is on a feature branch (not `main`), failures may be expected during development. Check if later runs on the same branch pass — if so, it's a **resolved regression** and the fix is already in. Note this in the report and skip deep investigation.
+- **Dedup:** Multiple jobs failing with the same test? Investigate one, note the rest share the root cause.
+- **Multi-failure:** Multiple different failures in one job? Check if they cascade from the first (serial test block) or are independent.
+- **Run history pattern:** Isolated (transient), regression (code change), chronic (systemic), alternating (flaky/environment), or **resolved** (failed then fixed — later runs pass). For resolved regressions, report what failed and note the fix, but skip deep investigation.
+
+---
+
+### Step 3: Artifacts + Trace Dispatch (Category C only)
+
+Launch artifact download alongside any remaining greps. Pick the smallest artifact from a failed job that ran tests. **Skip artifacts >500MB** (videos, build outputs — will timeout). **If all artifacts show "(expired)"**, skip this entire step — older runs lose artifacts after the retention period (typically 90 days but can be as short as 1 day). You'll have to work with CI logs and run history only. Note this limitation in the report.
+
+```
+# Download + list key files in one shot
+cd /tmp && gh api repos/{owner}/{repo}/actions/artifacts/{id}/zip > ci-results.zip && \
+unzip -l ci-results.zip | grep -E "error-context|trace\.zip|junit" && \
+unzip -o ci-results.zip "**/*error-context*" "**/*trace.zip" "*.xml" -d /tmp/ci-artifacts 2>/dev/null
+```
+
+**Artifact layouts:**
+
+- **Standard (Azure/MAPT):** `results/podman-desktop/tests-.../error-context.md`, `traces/*_trace.zip`
+- **Testing Farm (Fedora):** `results/e2e-test-1/data/traces/*_trace.zip`, `junit-playwright-results.xml` at root. No error-context.md.
+- **Extension repos:** `extension-name/junit-results.xml`, `extension-name/...-chromium/error-context.md`
+
+**Read error-context.md** — for UI failures (locator timeouts, assertion mismatches), this page snapshot often reveals the answer immediately. For build/process failures, skip it — the CI log error is more useful.
+
+**Trace analysis** — if trace.zip exists, pre-extract and dispatch a background subagent:
+
+```
+mkdir -p /tmp/ci-traces/{name} && cd /tmp/ci-traces/{name} && unzip -o /path/to/trace.zip
+```
+
+Read the last 2-3 screenshots from `resources/*.jpeg | sort | tail -3`, then dispatch:
+
+```
+Agent(run_in_background=true, prompt="""
+Analyze this Playwright trace for a CI test failure.
+
+Trace: /path/to/trace.zip
+Extracted: /tmp/ci-traces/{name}/
+Failing test: [name from logs]
+Error: [message from logs]
+Error context: [paste error-context.md if available]
+Screenshots: [describe what each shows]
+
+Use the playwright-trace-analysis skill to perform the analysis.
+MCP tools if available, otherwise read extracted files.
+
+Return: failure summary, event timeline with step refs, evidence citations,
+root cause [Confirmed|Likely|Unknown], failure type, recommended action with file:line.
+""")
+```
+
+---
+
+### Step 4: Regression Hunt + Source Code (parallel, Category C only)
+
+Skip if the run history shows a chronic or isolated pattern. Launch in parallel:
+
+1. **Verify last passing run:** `gh run view {id} --repo {owner}/{repo}`
+2. **Check adjacent failures** for same test: `gh run view {id} --repo ... | grep -E "^X|🧪|❌"`
+3. **Fetch test source:** `gh api repos/{owner}/{repo}/contents/{path} --jq '.content' | base64 --decode | sed -n '{start},{end}p'`
+   (macOS base64 fallback: pipe through `python3 -c "import sys,base64;print(base64.b64decode(sys.stdin.read()).decode())"`)
+4. **Commits between pass/fail:** `git log --oneline --since="{date}" --until="{date}" -- {paths}`
+
+---
+
+### Step 5: Report
+
+Collect trace subagent results if dispatched. Correlate all evidence: CI logs, error context, trace findings, test source, regression history, platform comparison. If CI logs and trace disagree, trust traces for UI failures, logs for infra.
+
+```
+## CI Failure Investigation
+
+### Summary
+One-sentence root cause.
+
+### What Failed
+| Job | Test | Error | Duration |
+|-----|------|-------|----------|
+
+### Root Cause
+- **What:** ...
+- **Where:** file:line
+- **When introduced:** commit or "N/A — transient"
+- **Why:** mechanism
+- **Evidence:** screenshot, log, trace step citations
+
+### Classification
+[App bug | Test bug | Likely flaky | Environment/infra] — [Confirmed | Likely | Unknown]
+
+### Fix
+Specific code change with rationale, or "No code fix — [explanation]".
+```
+
+---
+
+## Investigation Playbook
+
+Hard-earned patterns from real investigations. Use these to shortcut analysis.
+
+### Error -> Diagnosis Shortcuts
+
+| Error pattern                                                                      | Likely cause                                                          | Skip to                     |
+| ---------------------------------------------------------------------------------- | --------------------------------------------------------------------- | --------------------------- |
+| `Missing file: host` / `MAPT container failed` / `Artemis resource ended in error` | Azure/Testing Farm VM provisioning failure                            | Report (Category A)         |
+| `Unable to download docker-compose binary: HttpErr`                                | GitHub API download failure; test only handles success + rate-limit   | Report (Category B)         |
+| `overlay/.../merged: no such file or directory` / `copier subprocess`              | Container storage corruption, often after "Free up disk space" step   | Report (Category B)         |
+| `unable to copy from source docker://...`                                          | Registry pull failure (network/rate limit)                            | Report (Category B)         |
+| `intercepts pointer events` + `fade-bg` div                                        | Modal overlay blocking clicks; test doesn't wait for dialog dismissal | Trace analysis (Category C) |
+| `strict mode violation: ... resolved to 2 elements`                                | Locator matches multiple DOM nodes; `.or()` compound locator issue    | Error context (Category C)  |
+| `Expected: "RUNNING"` / `Received: "STOPPED"`                                      | Resource never reached target state within timeout                    | Platform comparison         |
+| `Test timeout of N ms exceeded` + `Target page closed`                             | Long operation exceeded test timeout; browser was killed              | Build/process failure       |
+
+### Platform Patterns
+
+- **Win10 vs Win11:** Win10 CI runners are consistently slower. K8s deployments, image builds, and cluster operations often timeout on Win10 while passing on Win11 with identical code.
+- **x86 vs ARM (macOS-26, Win11-ARM):** ARM runners have different timing characteristics. Tests with tight timeouts (5s) for UI rendering or provider initialization may pass on x86 but fail on ARM. If failures cluster on ARM platforms while x86 passes, suspect timing — increase timeouts.
+- **WSL vs Hyper-V:** Different networking and filesystem behavior.
+- **Linux (Testing Farm) vs Windows:** Different artifact layouts, auth file paths, filesystem watchers. No error-context.md on Testing Farm — use JUnit XML.
+- **GPU vs Default (Testing Farm):** GPU pool has been chronically unavailable. If only GPU jobs fail with provisioning errors, it's infra.
+- **Dev vs Prod mode:** Prod binaries may have different startup timing (minified, no sourcemaps, different Electron flags). A test passing in dev but failing in prod (or vice versa) on the same runner suggests mode-specific initialization differences.
+
+### Workflow Patterns
+
+- **✓ Run tests / X Publish Report:** The test step passes but the publish step fails. This means `--log-failed` won't contain Playwright errors — they're in the passed test step's log. Fall back to downloading the full job log. The `gh run view` annotations still show `🧪` with test names. This is the default pattern for podman-desktop/e2e, extension-bootc, and Testing Farm workflows.
+- **X Run tests / X Publish Report:** Both fail. `--log-failed` contains Playwright errors from the test step. Grep works normally. This is the pattern for kortex, ai-lab main e2e, and workflows where the test step exits non-zero on failure.
+
+### Noise to Ignore
+
+- `Gtk: gtk_widget_add_accelerator: assertion failed` — Electron/Gtk compat on Linux
+- `npm warn Unknown env config` — pnpm/npm config mismatch
+- `cpu-features install: Error: Unable to detect compiler type` — optional native module
+- `Error trying to run the version on docker-compose. Binary might not be there` — expected when compose isn't installed
+- `Error: Failed to execute command: spawn kind ENOENT` — expected when kind isn't installed

.agents/skills/new-extension/SKILL.md

@@ -0,0 +1,564 @@
+---
+name: new-extension
+description: >-
+  Scaffold a new Podman Desktop extension as a standalone repository with all
+  required boilerplate, build config, Containerfile, and Svelte webview. Use
+  when the user asks to create a new extension, add extension boilerplate,
+  scaffold an extension, or bootstrap a Podman Desktop extension project.
+---
+
+# Create a New Podman Desktop Extension
+
+Scaffold a standalone extension in its own repository. The user provides an extension name and a brief description of what it should do. You produce all required files and verify the extension builds and can be loaded locally into Podman Desktop.
+
+## Inputs
+
+Ask the user (or infer from context):
+
+1. **Extension name** — kebab-case identifier (e.g. `apple-container`). Used as the directory/repo name and the `name` field in `package.json`.
+2. **Display name** — human-readable title (e.g. `Apple Container`).
+3. **Description** — one-sentence summary shown in the extension list.
+4. **Feature scope** — what the extension should do. Common patterns:
+   - **Minimal** — register a command, show a notification
+   - **Webview** — display a Svelte UI panel (this is the default for any extension that shows content)
+   - **Provider** — register a container engine or Kubernetes provider
+   - **Status bar / Tray** — add status bar entries or tray menu items
+   - **Configuration** — add extension-specific settings
+   - Combinations of the above
+5. **Publisher** — the org or username that owns the extension (default: the user's GitHub username).
+
+If the extension needs to display any UI beyond simple notifications, **always use the multi-package webview layout** (not inline HTML). This is the standard for all production Podman Desktop extensions.
+
+---
+
+## Where to look in the Podman Desktop codebase
+
+When implementing extension features, you may need to look up API details:
+
+| What you need                                                                             | Where to look                                                                       |
+| ----------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| Full extension API types (`createWebviewPanel`, `containerEngine`, `provider`, etc.)      | `packages/extension-api/src/extension-api.d.ts` in the podman-desktop repo          |
+| Extension manifest schema (what `contributes` fields exist)                               | `packages/main/src/plugin/extension/extension-manifest-schema.ts`                   |
+| How the extension loader discovers and activates extensions                               | `packages/main/src/plugin/extension/extension-loader.ts`                            |
+| Container operations (`createContainer`, `startContainer`, `pullImage`, `listContainers`) | Search for `export namespace containerEngine` in `extension-api.d.ts`               |
+| Provider operations (`createProvider`, `getContainerConnections`)                         | Search for `export namespace provider` in `extension-api.d.ts`                      |
+| Webview types (`WebviewPanel`, `Webview`, `WebviewOptions`)                               | Search for `interface WebviewPanel` in `extension-api.d.ts`                         |
+| Container create options (`Image`, `Cmd`, `HostConfig`, `PortBindings`, `ExposedPorts`)   | Search for `interface ContainerCreateOptions` in `extension-api.d.ts`               |
+| Existing built-in extensions as examples                                                  | `extensions/` directory (e.g. `extensions/registries/`, `extensions/kube-context/`) |
+| How extensions are published to OCI registries                                            | `website/docs/extensions/publish/index.md`                                          |
+
+---
+
+## Step 1 — Choose layout
+
+### Minimal (no UI)
+
+For extensions that only register commands, providers, status bar items, or configuration — no webview needed.
+
+```
+{name}/
+├── .gitignore
+├── Containerfile
+├── LICENSE
+├── README.md
+├── icon.png
+├── package.json
+├── tsconfig.json
+└── src/
+    └── extension.ts
+```
+
+### Multi-package with Svelte webview (default for any UI)
+
+**Always use this layout when the extension displays content.** Do not use inline HTML strings. The frontend is a Svelte app built by Vite into static assets that the backend loads into a webview panel.
+
+```
+{name}/
+├── .gitignore
+├── Containerfile
+├── LICENSE
+├── README.md
+├── package.json                       # root workspace — runs both packages
+├── packages/
+│   ├── backend/                       # the extension entry point (Node.js)
+│   │   ├── icon.png
+│   │   ├── package.json               # has "main": "./dist/extension.js"
+│   │   ├── tsconfig.json
+│   │   ├── vite.config.ts
+│   │   └── src/
+│   │       └── extension.ts
+│   ├── frontend/                      # Svelte app built into backend/media/
+│   │   ├── index.html
+│   │   ├── package.json
+│   │   ├── svelte.config.js
+│   │   ├── tsconfig.json
+│   │   ├── vite.config.ts
+│   │   └── src/
+│   │       ├── main.ts
+│   │       └── App.svelte
+│   └── shared/                        # (optional) shared types between frontend & backend
+│       └── src/
+│           └── ...
+```
+
+---
+
+## Step 2 — File contents (multi-package webview)
+
+### .gitignore
+
+```
+dist/
+media/
+node_modules/
+```
+
+`media/` is a build artifact (frontend output) — do not commit it.
+
+### Root package.json
+
+```json
+{
+  "name": "{name}",
+  "displayName": "{displayName}",
+  "description": "{description}",
+  "version": "0.0.1",
+  "private": true,
+  "engines": { "node": ">=22.0.0", "npm": ">=11.0.0" },
+  "scripts": {
+    "build": "concurrently \"npm run -w packages/frontend build\" \"npm run -w packages/backend build\"",
+    "watch": "concurrently \"npm run -w packages/frontend watch\" \"npm run -w packages/backend watch\""
+  },
+  "devDependencies": {
+    "concurrently": "^8.2.2",
+    "typescript": "^5.9.3",
+    "vite": "^7.0.0"
+  },
+  "workspaces": ["packages/*"]
+}
+```
+
+> **Vite version constraint:** `@sveltejs/vite-plugin-svelte@6.x` requires Vite 6 or 7. Do not use Vite 8+.
+
+### packages/backend/package.json
+
+This is the **extension manifest** that Podman Desktop reads:
+
+```json
+{
+  "name": "{name}",
+  "displayName": "{displayName}",
+  "description": "{description}",
+  "version": "0.0.1",
+  "icon": "icon.png",
+  "publisher": "{publisher}",
+  "license": "Apache-2.0",
+  "engines": { "podman-desktop": ">=1.26.0" },
+  "main": "./dist/extension.js",
+  "contributes": {},
+  "scripts": {
+    "build": "vite build",
+    "watch": "vite --mode development build -w"
+  },
+  "devDependencies": {
+    "@podman-desktop/api": "^1.26.1",
+    "@types/node": "^22"
+  }
+}
+```
+
+### packages/backend/tsconfig.json
+
+```json
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "moduleResolution": "Node",
+    "resolveJsonModule": true,
+    "lib": ["ES2020"],
+    "sourceMap": true,
+    "rootDir": "src",
+    "outDir": "dist",
+    "skipLibCheck": true,
+    "types": ["node"],
+    "strict": true,
+    "allowSyntheticDefaultImports": true
+  },
+  "include": ["src"]
+}
+```
+
+### packages/backend/vite.config.ts
+
+Use `.ts` for type-safe config. The backend builds as a CJS library entry point with `@podman-desktop/api` and all Node builtins externalized.
+
+```ts
+import { join } from 'path';
+import { builtinModules } from 'module';
+import { defineConfig } from 'vite';
+
+const PACKAGE_ROOT = __dirname;
+
+export default defineConfig({
+  mode: process.env.MODE,
+  root: PACKAGE_ROOT,
+  envDir: process.cwd(),
+  resolve: {
+    alias: {
+      '/@/': join(PACKAGE_ROOT, 'src') + '/',
+    },
+  },
+  build: {
+    sourcemap: 'inline',
+    target: 'esnext',
+    outDir: 'dist',
+    assetsDir: '.',
+    minify: process.env.MODE === 'production' ? 'esbuild' : false,
+    lib: {
+      entry: 'src/extension.ts',
+      formats: ['cjs'],
+    },
+    rollupOptions: {
+      external: ['@podman-desktop/api', ...builtinModules.flatMap(p => [p, `node:${p}`])],
+      output: { entryFileNames: '[name].js' },
+    },
+    emptyOutDir: true,
+    reportCompressedSize: false,
+  },
+});
+```
+
+### packages/frontend/package.json
+
+```json
+{
+  "name": "frontend",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "build": "vite build",
+    "watch": "vite --mode development build -w"
+  },
+  "devDependencies": {
+    "@sveltejs/vite-plugin-svelte": "^6.1.0",
+    "svelte": "^5.53.5"
+  }
+}
+```
+
+Optionally add `@podman-desktop/ui-svelte` for native Podman Desktop components (Button, EmptyScreen, etc.), and `tailwindcss` + `autoprefixer` + `postcss` if you want Tailwind styling.
+
+### packages/frontend/tsconfig.json
+
+The frontend runs in a browser-like webview environment, so it needs DOM libs and bundler resolution:
+
+```json
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ES2020", "DOM", "DOM.Iterable"],
+    "strict": true,
+    "skipLibCheck": true,
+    "resolveJsonModule": true,
+    "allowSyntheticDefaultImports": true,
+    "verbatimModuleSyntax": true
+  },
+  "include": ["src"]
+}
+```
+
+### packages/frontend/svelte.config.js
+
+Required for Svelte preprocessing (TypeScript in `.svelte` files):
+
+```js
+import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';
+
+export default {
+  preprocess: [vitePreprocess()],
+};
+```
+
+### packages/frontend/vite.config.ts
+
+The key: `outDir: '../backend/media'` — Vite builds the Svelte app into the backend's `media/` folder.
+
+```ts
+import { join } from 'path';
+import { svelte } from '@sveltejs/vite-plugin-svelte';
+import { defineConfig } from 'vite';
+import { fileURLToPath } from 'url';
+import path from 'path';
+
+const filename = fileURLToPath(import.meta.url);
+const PACKAGE_ROOT = path.dirname(filename);
+
+export default defineConfig({
+  mode: process.env.MODE,
+  root: PACKAGE_ROOT,
+  resolve: {
+    alias: { '/@/': join(PACKAGE_ROOT, 'src') + '/' },
+  },
+  plugins: [svelte()],
+  base: '',
+  build: {
+    sourcemap: true,
+    outDir: '../backend/media',
+    assetsDir: '.',
+    emptyOutDir: true,
+    reportCompressedSize: false,
+  },
+});
+```
+
+### packages/frontend/index.html
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>{displayName}</title>
+  </head>
+  <body>
+    <div id="app"></div>
+    <script type="module" src="./src/main.ts"></script>
+  </body>
+</html>
+```
+
+### packages/frontend/src/main.ts
+
+```ts
+import { mount } from 'svelte';
+import App from './App.svelte';
+
+const app = mount(App, { target: document.getElementById('app')! });
+export default app;
+```
+
+### packages/frontend/src/App.svelte
+
+Write the Svelte component for the extension's UI. Use `@podman-desktop/ui-svelte` components (Button, EmptyScreen, etc.) for a native look and feel.
+
+---
+
+## Step 3 — Backend loads the built frontend
+
+In `packages/backend/src/extension.ts`, the backend creates a webview panel and loads the Svelte-built `index.html` from `media/`:
+
+```ts
+import type { ExtensionContext } from '@podman-desktop/api';
+import * as extensionApi from '@podman-desktop/api';
+import fs from 'node:fs';
+
+export async function activate(extensionContext: ExtensionContext): Promise<void> {
+  const panel = extensionApi.window.createWebviewPanel('{name}-panel', '{displayName}', {
+    localResourceRoots: [extensionApi.Uri.joinPath(extensionContext.extensionUri, 'media')],
+  });
+  extensionContext.subscriptions.push(panel);
+
+  const indexHtmlUri = extensionApi.Uri.joinPath(extensionContext.extensionUri, 'media', 'index.html');
+  let indexHtml = await fs.promises.readFile(indexHtmlUri.fsPath, 'utf8');
+
+  // Rewrite asset paths so the webview can load them
+  const scriptLinks = indexHtml.match(/<script[^>]+src="([^"]+)"/g) ?? [];
+  for (const link of scriptLinks) {
+    const src = link.match(/src="([^"]+)"/)?.[1];
+    if (src) {
+      const webviewUri = panel.webview.asWebviewUri(
+        extensionApi.Uri.joinPath(extensionContext.extensionUri, 'media', src),
+      );
+      indexHtml = indexHtml.replace(src, webviewUri.toString());
+    }
+  }
+  const cssLinks = indexHtml.match(/<link[^>]+href="([^"]+)"/g) ?? [];
+  for (const link of cssLinks) {
+    const href = link.match(/href="([^"]+)"/)?.[1];
+    if (href) {
+      const webviewUri = panel.webview.asWebviewUri(
+        extensionApi.Uri.joinPath(extensionContext.extensionUri, 'media', href),
+      );
+      indexHtml = indexHtml.replace(href, webviewUri.toString());
+    }
+  }
+
+  panel.webview.html = indexHtml;
+}
+
+export async function deactivate(): Promise<void> {
+  console.log('stopping {name} extension');
+}
+```
+
+**Why this approach?** The webview runs in a sandboxed iframe with its own origin. Local file paths don't resolve — you must convert them with `panel.webview.asWebviewUri()` and set `localResourceRoots` to grant access to the `media/` folder.
+
+### Backend-to-frontend messaging
+
+The backend can send messages to the frontend with `postMessage`, and the frontend listens with `window.addEventListener('message', ...)`:
+
+**Backend** (in extension.ts):
+
+```ts
+panel.webview.postMessage({ type: 'status', value: 'running' });
+```
+
+**Frontend** (in App.svelte):
+
+```svelte
+<script lang="ts">
+  let status = $state('idle');
+
+  window.addEventListener('message', (event: MessageEvent) => {
+    if (event.data?.type === 'status') {
+      status = event.data.value;
+    }
+  });
+</script>
+```
+
+The frontend can also send messages back to the backend using `acquirePodmanDesktopApi().postMessage()`, and the backend receives them via `panel.webview.onDidReceiveMessage`. See the [full template](https://github.com/podman-desktop/podman-desktop-extension-full-template) for a complete RPC implementation using `MessageProxy`.
+
+---
+
+## Step 4 — Containerfile (multi-package)
+
+```dockerfile
+FROM scratch AS builder
+COPY packages/backend/dist/ /extension/dist
+COPY packages/backend/package.json /extension/
+COPY packages/backend/media/ /extension/media
+COPY packages/backend/icon.png /extension/
+COPY LICENSE /extension/
+COPY README.md /extension/
+
+FROM scratch
+
+LABEL org.opencontainers.image.title="{displayName}" \
+      org.opencontainers.image.description="{description}" \
+      org.opencontainers.image.vendor="{publisher}" \
+      io.podman-desktop.api.version=">= 1.26.0"
+
+COPY --from=builder /extension /extension
+```
+
+The OCI image copies from `packages/backend/` (the extension manifest lives there), plus the `media/` folder that contains the built frontend assets.
+
+---
+
+## Step 5 — Build and verify
+
+```bash
+npm install
+npm run build
+```
+
+After building, verify:
+
+- `packages/backend/dist/extension.js` exists (the backend)
+- `packages/backend/media/index.html` exists (the built frontend)
+
+---
+
+## Step 6 — Test locally in Podman Desktop
+
+1. Open Podman Desktop
+2. Go to **Settings > Preferences > Extensions** and enable **Development mode**
+3. Go to **Extensions > Local Extensions** tab
+4. Click **Add a local folder extension...** and select the folder containing the extension `package.json`:
+   - **Multi-package layout:** select `packages/backend/` (not the root)
+   - **Minimal layout:** select the repository root
+5. Verify the extension appears as `ACTIVE`
+6. Test the extension's functionality
+
+---
+
+## Step 7 — Package and publish (when ready)
+
+```bash
+npm run build
+podman build -t quay.io/{publisher}/{name} .
+podman push quay.io/{publisher}/{name}
+```
+
+To add it to the official catalog, open a PR on [podman-desktop-catalog](https://github.com/podman-desktop/podman-desktop-catalog) adding the extension to `static/api/extensions.json`.
+
+---
+
+## Minimal extension (no webview)
+
+For extensions without a UI panel, use the single-package layout from Step 1. Same `package.json` / `vite.config.ts` patterns as the backend package, minus the `media/` loading.
+
+---
+
+## Quick reference — common API patterns
+
+| Task                            | API                                                                   |
+| ------------------------------- | --------------------------------------------------------------------- |
+| Show info/warning/error message | `extensionApi.window.showInformationMessage(msg)`                     |
+| Register a command              | `extensionApi.commands.registerCommand(id, callback)`                 |
+| Create a provider               | `extensionApi.provider.createProvider(options)`                       |
+| Create a webview                | `extensionApi.window.createWebviewPanel(viewType, title, options)`    |
+| Send message to webview         | `panel.webview.postMessage(data)`                                     |
+| Receive message from webview    | `panel.webview.onDidReceiveMessage(callback)`                         |
+| Add status bar item             | `extensionApi.window.createStatusBarItem()`                           |
+| Add tray menu item              | `extensionApi.tray.registerMenuItem(item)`                            |
+| Read configuration              | `extensionApi.configuration.getConfiguration(section)`                |
+| Pull a container image          | `extensionApi.containerEngine.pullImage(connection, image, callback)` |
+| Create a container              | `extensionApi.containerEngine.createContainer(engineId, options)`     |
+| Start/stop a container          | `extensionApi.containerEngine.startContainer(engineId, id)`           |
+| List containers                 | `extensionApi.containerEngine.listContainers()`                       |
+| Get running engine connection   | `extensionApi.provider.getContainerConnections()`                     |
+| Get engine ID from connection   | `extensionApi.containerEngine.listInfos({ provider: connection })`    |
+| Navigate to webview             | `extensionApi.navigation.navigateToWebview(webviewId)`                |
+
+---
+
+## Common pitfalls
+
+### Getting the `engineId` for container operations
+
+Many `containerEngine` methods (`createContainer`, `startContainer`, `stopContainer`, `deleteContainer`, `inspectContainer`) require an `engineId` string. This is **not** `connection.name` from `getContainerConnections()` — that will produce a "no engine matching this container" error.
+
+The correct way to obtain the `engineId`:
+
+```ts
+const connections = extensionApi.provider.getContainerConnections();
+const running = connections.filter(c => c.connection.status() === 'started');
+if (running.length === 0) {
+  throw new Error('No running container engine found');
+}
+const connection = running[0].connection;
+
+// Use listInfos to get the real engineId
+const infos = await extensionApi.containerEngine.listInfos({ provider: connection });
+if (infos.length === 0) {
+  throw new Error('No engine info available');
+}
+const engineId = infos[0].engineId;
+
+await extensionApi.containerEngine.createContainer(engineId, {
+  /* ... */
+});
+```
+
+Alternatively, if you already have containers or images from `listContainers()` or `listImages()`, their `engineId` field can be reused directly.
+
+### `createContainer` auto-starts by default
+
+`ContainerCreateOptions.start` defaults to `true`. If you call `createContainer` followed by `startContainer`, the second call will fail with **HTTP 304** ("container already started"). Either:
+
+- Rely on the default and skip `startContainer`, or
+- Pass `start: false` in the create options if you need to configure the container before starting it
+
+For the full API surface, see [`extension-api.d.ts`](https://github.com/podman-desktop/podman-desktop/blob/main/packages/extension-api/src/extension-api.d.ts).
+
+## Official templates
+
+- **Minimal:** [podman-desktop-extension-minimal-template](https://github.com/podman-desktop/podman-desktop-extension-minimal-template)
+- **Webview (inline HTML):** [podman-desktop-extension-webview-template](https://github.com/podman-desktop/podman-desktop-extension-webview-template)
+- **Full (Svelte + Tailwind + multi-package):** [podman-desktop-extension-full-template](https://github.com/podman-desktop/podman-desktop-extension-full-template) — this is the recommended starting point for any extension with a UI.

.agents/skills/playwright-testing/SKILL.md

@@ -0,0 +1,373 @@
+---
+name: playwright-testing
+description: >-
+  Guide for writing, updating, and maintaining Playwright end-to-end tests for
+  Podman Desktop using the project's Electron runner, custom fixtures, and Page
+  Object Model hierarchy. Use when creating new E2E spec files, building or
+  modifying page objects, updating the test framework or utilities, debugging
+  test failures, adding smoke tests, or when the user asks about Playwright
+  tests, test automation, spec files, page models, or the E2E test structure.
+---
+
+# Playwright E2E Testing for Podman Desktop
+
+This skill covers the Podman Desktop-specific Playwright framework. It is an
+Electron desktop app — tests launch the app via `Runner`, not a browser URL.
+
+## Project Structure
+
+```
+playwright.config.ts                          # At repo root, not under tests/
+tests/playwright/
+├── package.json                              # @podman-desktop/tests-playwright
+├── tsconfig.json                             # Path alias: /@/ → src/
+├── vite.config.js                            # Library build config
+├── src/
+│   ├── specs/                                # Test spec files
+│   │   ├── *-smoke.spec.ts                   # Smoke test suites
+│   │   ├── *.spec.ts                         # Other specs
+│   │   └── z-*.spec.ts                       # Ordered-last suites (Podman machine)
+│   ├── special-specs/                        # Isolated/focused suites
+│   │   ├── installation/
+│   │   ├── managed-configuration/
+│   │   ├── podman-remote/
+│   │   └── ui-stress/
+│   ├── model/                                # Page Object Models
+│   │   ├── pages/                            # Page POMs (base-page, main-page, details-page, ...)
+│   │   │   ├── base-page.ts                  # Abstract base: holds readonly page
+│   │   │   ├── main-page.ts                  # Abstract: list pages (Images, Containers, Volumes, Pods)
+│   │   │   ├── details-page.ts               # Abstract: resource detail views
+│   │   │   ├── *-page.ts                     # Concrete page POMs
+│   │   │   ├── forms/                        # Form-specific POMs
+│   │   │   └── compose-onboarding/           # Compose onboarding flow POMs
+│   │   ├── workbench/                        # App shell POMs
+│   │   │   ├── navigation.ts                 # NavigationBar — sidebar nav, returns page POMs
+│   │   │   └── status-bar.ts                 # StatusBar
+│   │   ├── components/                       # Reusable widget POMs
+│   │   └── core/                             # Enums, types, states, settings helpers
+│   ├── runner/                               # Electron app launcher
+│   │   ├── podman-desktop-runner.ts          # Runner singleton
+│   │   └── runner-options.ts                 # RunnerOptions config class
+│   ├── utility/                              # Shared helpers
+│   │   ├── fixtures.ts                       # Custom Playwright test + fixtures
+│   │   ├── operations.ts                     # UI workflow helpers
+│   │   ├── wait.ts                           # waitUntil, waitWhile, waitForPodmanMachineStartup
+│   │   ├── kubernetes.ts                     # K8s helpers
+│   │   ├── cluster-operations.ts             # Kind cluster helpers
+│   │   ├── platform.ts                       # isLinux, isMac, isWindows, isCI
+│   │   └── auth-utils.ts                     # Browser-based auth flows (Chromium)
+│   ├── setupFiles/                           # Feature gate helpers
+│   └── globalSetup/                          # Setup/teardown (exported, not in config)
+├── resources/                                # Containerfiles, YAML, fixtures
+└── output/                                   # Traces, videos, reports (gitignored)
+```
+
+## Imports and Fixtures
+
+**Always** import `test` and `expect` from the project fixtures, not from `@playwright/test`:
+
+```typescript
+import { expect as playExpect, test } from '/@/utility/fixtures';
+```
+
+All source imports use the `/@/` path alias, which Vite resolves to `src/`.
+
+### Available Test Fixtures
+
+The custom `test` provides these fixtures:
+
+| Fixture         | Type            | Description                                                 |
+| --------------- | --------------- | ----------------------------------------------------------- |
+| `runner`        | `Runner`        | Electron app lifecycle (singleton via `Runner.getInstance`) |
+| `page`          | `Page`          | The Electron renderer window (`runner.getPage()`)           |
+| `navigationBar` | `NavigationBar` | Sidebar navigation POM                                      |
+| `welcomePage`   | `WelcomePage`   | Welcome/onboarding page POM                                 |
+| `statusBar`     | `StatusBar`     | Bottom status bar POM                                       |
+| `runnerOptions` | `RunnerOptions` | Configurable option (override with `test.use`)              |
+
+Destructure these directly in test hooks and test functions:
+
+```typescript
+test.beforeAll(async ({ runner, welcomePage, page }) => { ... });
+test('my test', async ({ navigationBar }) => { ... });
+```
+
+## Page Object Model Hierarchy
+
+### Three-Level Inheritance
+
+```
+BasePage (abstract)
+├── MainPage (abstract) — list pages with tables (Images, Containers, Volumes, Pods)
+│   ├── ImagesPage
+│   ├── ContainersPage
+│   ├── VolumesPage
+│   └── PodsPage
+├── DetailsPage (abstract) — resource detail views with tabs
+│   ├── ImageDetailsPage
+│   ├── ContainerDetailsPage
+│   └── ...
+└── Other concrete pages (WelcomePage, DashboardPage, ...)
+
+Workbench classes (not BasePage subclasses):
+├── NavigationBar
+└── StatusBar
+```
+
+### BasePage
+
+All page POMs extend `BasePage`:
+
+```typescript
+import type { Page } from '@playwright/test';
+
+export abstract class BasePage {
+  readonly page: Page;
+
+  constructor(page: Page) {
+    this.page = page;
+  }
+}
+```
+
+### MainPage
+
+For list pages with header, search, content regions, and table rows:
+
+```typescript
+export abstract class MainPage extends BasePage {
+  readonly title: string;
+  readonly mainPage: Locator;
+  readonly header: Locator;
+  readonly search: Locator;
+  readonly content: Locator;
+  readonly additionalActions: Locator;
+  readonly heading: Locator;
+
+  constructor(page: Page, title: string) {
+    super(page);
+    this.title = title;
+    this.mainPage = page.getByRole('region', { name: this.title });
+    this.header = this.mainPage.getByRole('region', { name: 'header' });
+    this.search = this.mainPage.getByRole('region', { name: 'search' });
+    this.content = this.mainPage.getByRole('region', { name: 'content' });
+    this.additionalActions = this.header.getByRole('group', { name: 'additionalActions' });
+    this.heading = this.header.getByRole('heading', { name: this.title });
+  }
+}
+```
+
+Concrete pages call `super(page, 'images')`, `super(page, 'containers')`, etc.
+
+### DetailsPage
+
+For resource detail views with tabs, breadcrumb, and control actions:
+
+```typescript
+export abstract class DetailsPage extends BasePage {
+  readonly header: Locator;
+  readonly tabs: Locator;
+  readonly tabContent: Locator;
+  readonly closeButton: Locator;
+  readonly backLink: Locator;
+  readonly heading: Locator;
+
+  constructor(page: Page, resourceName: string) {
+    super(page);
+    this.tabContent = page.getByRole('region', { name: 'Tab Content' });
+    this.header = page.getByRole('region', { name: 'Header' });
+    this.tabs = page.getByRole('region', { name: 'Tabs' });
+    this.heading = this.header.getByRole('heading', { name: resourceName });
+    // ... breadcrumb, close, back locators
+  }
+}
+```
+
+### POM Rules
+
+1. **Extend the correct base class**: `MainPage` for list pages, `DetailsPage` for detail views, `BasePage` for other pages
+2. **Declare all locators as `readonly` in the constructor** — eager `Locator` chains, not lazy getters
+3. **Wrap every method body in `test.step()`** for trace readability:
+
+```typescript
+async pullImage(image: string): Promise<ImagesPage> {
+  return test.step(`Pull image: ${image}`, async () => {
+    const pullImagePage = await this.openPullImage();
+    await playExpect(pullImagePage.heading).toBeVisible();
+    return await pullImagePage.pullImage(image);
+  });
+}
+```
+
+4. **Navigation methods return POM instances** — e.g. `openPullImage()` returns `PullImagePage`
+5. **Use `playExpect`** (aliased from `@playwright/test`) inside POM files for assertions
+6. **Import `test` from `@playwright/test`** in POM files (for `test.step`), but from `/@/utility/fixtures` in spec files
+
+### NavigationBar
+
+Returns page POMs from sidebar navigation. Each method wraps in `test.step()`:
+
+```typescript
+async openImages(): Promise<ImagesPage> {
+  return test.step('Open Images page', async () => {
+    await playExpect(this.imagesLink).toBeVisible({ timeout: 10_000 });
+    await this.imagesLink.click({ force: true });
+    return new ImagesPage(this.page);
+  });
+}
+```
+
+## Writing Spec Files
+
+### Template
+
+```typescript
+import { RunnerOptions } from '/@/runner/runner-options';
+import { expect as playExpect, test } from '/@/utility/fixtures';
+import { waitForPodmanMachineStartup } from '/@/utility/wait';
+
+// Optional: override runner options for isolated profile
+test.use({ runnerOptions: new RunnerOptions({ customFolder: 'my-feature' }) });
+
+test.beforeAll(async ({ runner, welcomePage, page }) => {
+  runner.setVideoAndTraceName('my-feature-e2e');
+  await welcomePage.handleWelcomePage(true);
+  await waitForPodmanMachineStartup(page);
+});
+
+test.afterAll(async ({ runner }) => {
+  await runner.close();
+});
+
+test.describe.serial('Feature name', { tag: '@smoke' }, () => {
+  test.describe.configure({ retries: 1 });
+
+  test('first test', async ({ navigationBar }) => {
+    const imagesPage = await navigationBar.openImages();
+    await playExpect(imagesPage.heading).toBeVisible();
+    // ... test body
+  });
+});
+```
+
+### Key Patterns
+
+- **Serial suites**: Use `test.describe.serial()` — most Podman Desktop E2E tests share Electron state
+- **Tags**: `{ tag: '@smoke' }`, `{ tag: '@k8s_e2e' }`, `{ tag: ['@smoke', '@windows_sanity'] }`
+- **Retries**: `test.describe.configure({ retries: 1 })` inside the describe block
+- **Timeouts**: `test.setTimeout(180_000)` per test or in `beforeAll`
+- **Conditional skip**: `test.skip(isLinux, 'Not supported on Linux')`
+- **Runner options**: `test.use({ runnerOptions: new RunnerOptions({ ... }) })` for custom profiles
+- **Cleanup in afterAll**: Always wrap in `try/finally` with `runner.close()` in `finally`
+
+### Naming Conventions
+
+- Spec files: `kebab-case-smoke.spec.ts` (use `-smoke` suffix for smoke tests)
+- Prefix with `z-` for suites that must run last (e.g. `z-podman-machine-tests.spec.ts`)
+- POM files: `feature-page.ts` in `model/pages/`, `feature-component.ts` in `model/components/`
+
+## Runner and RunnerOptions
+
+### Runner Lifecycle
+
+`Runner` is a singleton that launches the Electron app:
+
+1. `Runner.getInstance({ runnerOptions })` — creates/reuses the singleton, calls `electron.launch()`
+2. `runner.getPage()` — returns the `Page` from `firstWindow()`
+3. `runner.setVideoAndTraceName('name')` — sets artifact naming (call in `beforeAll`)
+4. `runner.close()` — stops tracing, closes app, saves artifacts
+
+### RunnerOptions
+
+Configure with `test.use()`:
+
+```typescript
+test.use({
+  runnerOptions: new RunnerOptions({
+    customFolder: 'my-test-profile', // isolated profile directory
+    extensionsDisabled: ['podman'], // disable specific extensions
+    autoUpdate: false, // disable auto-update checks
+    saveTracesOnPass: true, // keep traces even on pass
+    customSettings: { key: 'value' }, // inject settings.json values
+  }),
+});
+```
+
+### Environment Variables
+
+| Variable                | Purpose                                                                 |
+| ----------------------- | ----------------------------------------------------------------------- |
+| `PODMAN_DESKTOP_BINARY` | Path to packaged binary (mutually exclusive with `PODMAN_DESKTOP_ARGS`) |
+| `PODMAN_DESKTOP_ARGS`   | Path to repo for dev mode                                               |
+| `KEEP_TRACES_ON_PASS`   | Retain traces on passing tests                                          |
+| `KEEP_VIDEOS_ON_PASS`   | Retain videos on passing tests                                          |
+
+## Wait Utilities
+
+Use the project's wait helpers from `/@/utility/wait`, not custom polling:
+
+```typescript
+import { waitUntil, waitWhile, waitForPodmanMachineStartup } from '/@/utility/wait';
+
+await waitUntil(() => someCondition(), { timeout: 10_000, diff: 500, message: 'Condition not met' });
+await waitWhile(() => dialogIsOpen(), { timeout: 5_000 });
+await waitForPodmanMachineStartup(page);
+```
+
+Parameters: `timeout` (ms, default 5000), `diff` (polling interval ms, default 500), `sendError` (throw on timeout, default true), `message` (error text).
+
+## Locator Strategy
+
+1. **`getByRole`** — primary choice, use `exact: true` when needed
+2. **`getByLabel`** — form inputs and ARIA-labeled elements
+3. **`getByText`** — visible text
+4. **`getByTestId`** — when no semantic option exists
+5. **CSS locators** — last resort
+
+Scope locators to parent regions when possible:
+
+```typescript
+this.pullImageButton = this.additionalActions.getByRole('button', { name: 'Pull', exact: true });
+```
+
+## Running Tests
+
+Tests execute from the **repo root** (not from `tests/playwright/`):
+
+```bash
+# All E2E tests (excluding k8s)
+npx playwright test tests/playwright/src/specs/ --grep-invert @k8s_e2e
+
+# Smoke tests only
+npx playwright test tests/playwright/src/specs/ --grep @smoke
+
+# Single spec file
+npx playwright test tests/playwright/src/specs/image-smoke.spec.ts
+
+# View report
+pnpm exec playwright show-report tests/playwright/output/html-results
+```
+
+## Troubleshooting
+
+### Podman machine stuck in STARTING
+
+The `waitForPodmanMachineStartup` utility handles this by resetting via CLI. If tests time out waiting for RUNNING state, check that Podman is installed and the machine provider is available.
+
+### No Container Engine
+
+Some POM methods (e.g. `openPullImage`) use `waitWhile(() => this.noContainerEngine())` to gate on engine availability. If tests fail with "No Container Engine", the Podman machine likely didn't start.
+
+### Platform-specific skips
+
+Use helpers from `/@/utility/platform`:
+
+```typescript
+import { isLinux, isMac, isWindows, isCI } from '/@/utility/platform';
+test.skip(isLinux, 'Not supported on Linux');
+```
+
+## Additional Resources
+
+- For the project's wait utilities, operation helpers, and framework API, see [references/reference.md](references/reference.md)
+- For concrete examples from actual spec files, see [references/examples.md](references/examples.md)

.agents/skills/playwright-testing/references/examples.md

@@ -0,0 +1,397 @@
+# Examples
+
+Concrete examples drawn from actual Podman Desktop spec files and POMs.
+
+## Example 1: Minimal Smoke Test Spec
+
+From `welcome-page-smoke.spec.ts` — the simplest spec pattern:
+
+```typescript
+import { RunnerOptions } from '/@/runner/runner-options';
+import { expect as playExpect, test } from '/@/utility/fixtures';
+
+test.use({ runnerOptions: new RunnerOptions({ customFolder: 'welcome-podman-desktop' }) });
+
+test.beforeAll(async ({ runner }) => {
+  runner.setVideoAndTraceName('welcome-page-e2e');
+});
+
+test.afterAll(async ({ runner }) => {
+  await runner.close();
+});
+
+test.describe.serial(
+  'Basic e2e verification of podman desktop start',
+  {
+    tag: ['@smoke', '@windows_sanity', '@macos_sanity'],
+  },
+  () => {
+    test('Check the Welcome page is displayed', async ({ welcomePage }) => {
+      await playExpect(welcomePage.welcomeMessage).toBeVisible();
+    });
+
+    test('Telemetry checkbox is present and set to true', async ({ welcomePage }) => {
+      await playExpect(welcomePage.telemetryConsent).toBeVisible();
+      await playExpect(welcomePage.telemetryConsent).toBeChecked();
+    });
+
+    test('Redirection from Welcome page to Dashboard works', async ({ welcomePage }) => {
+      const dashboardPage = await welcomePage.closeWelcomePage();
+      await playExpect(dashboardPage.heading).toBeVisible();
+    });
+  },
+);
+```
+
+Key points:
+
+- Imports from `/@/utility/fixtures`
+- `test.use()` for isolated profile
+- `runner.setVideoAndTraceName()` in `beforeAll`
+- `runner.close()` in `afterAll`
+- `test.describe.serial` with tag array
+- Destructures `welcomePage` fixture directly
+
+## Example 2: Full Smoke Test with Podman Machine Setup
+
+From `image-smoke.spec.ts` — standard pattern for tests needing a running engine:
+
+```typescript
+import { expect as playExpect, test } from '/@/utility/fixtures';
+import { waitForPodmanMachineStartup } from '/@/utility/wait';
+
+const helloContainer = 'ghcr.io/podmandesktop-ci/hello';
+
+test.beforeAll(async ({ runner, welcomePage, page }) => {
+  runner.setVideoAndTraceName('pull-image-e2e');
+  await welcomePage.handleWelcomePage(true);
+  await waitForPodmanMachineStartup(page);
+});
+
+test.afterAll(async ({ runner }) => {
+  await runner.close();
+});
+
+test.describe.serial('Image workflow verification', { tag: '@smoke' }, () => {
+  test.describe.configure({ retries: 1 });
+
+  test('Pull image', async ({ navigationBar }) => {
+    const imagesPage = await navigationBar.openImages();
+    await playExpect(imagesPage.heading).toBeVisible();
+
+    const pullImagePage = await imagesPage.openPullImage();
+    const updatedImages = await pullImagePage.pullImage(helloContainer);
+    await playExpect(updatedImages.heading).toBeVisible({ timeout: 10_000 });
+
+    await playExpect
+      .poll(async () => updatedImages.waitForImageExists(helloContainer, 30_000), { timeout: 0 })
+      .toBeTruthy();
+  });
+
+  test('Delete image', async ({ navigationBar }) => {
+    let imagesPage = await navigationBar.openImages();
+    const imageDetailPage = await imagesPage.openImageDetails(helloContainer);
+    imagesPage = await imageDetailPage.deleteImage();
+
+    await playExpect
+      .poll(async () => await imagesPage.waitForImageDelete(helloContainer, 60_000), { timeout: 0 })
+      .toBeTruthy();
+  });
+});
+```
+
+Key points:
+
+- `welcomePage.handleWelcomePage(true)` dismisses the welcome screen
+- `waitForPodmanMachineStartup(page)` ensures engine is ready
+- `test.describe.configure({ retries: 1 })` for flaky-tolerant CI
+- POM methods chain: `navigationBar.openImages()` → `imagesPage.openPullImage()` → `pullImagePage.pullImage()`
+- `playExpect.poll()` with `{ timeout: 0 }` wraps methods that have their own internal timeout
+
+## Example 3: Concrete Page Object (MainPage Subclass)
+
+Abridged from `images-page.ts`:
+
+```typescript
+import type { Locator, Page } from '@playwright/test';
+import test, { expect as playExpect } from '@playwright/test';
+
+import { handleConfirmationDialog } from '/@/utility/operations';
+import { waitUntil, waitWhile } from '/@/utility/wait';
+
+import { BuildImagePage } from './build-image-page';
+import { ImageDetailsPage } from './image-details-page';
+import { MainPage } from './main-page';
+import { PullImagePage } from './pull-image-page';
+
+export class ImagesPage extends MainPage {
+  readonly pullImageButton: Locator;
+  readonly pruneImagesButton: Locator;
+  readonly buildImageButton: Locator;
+
+  constructor(page: Page) {
+    super(page, 'images');
+    this.pullImageButton = this.additionalActions.getByRole('button', { name: 'Pull', exact: true });
+    this.pruneImagesButton = this.additionalActions.getByRole('button', { name: 'Prune', exact: true });
+    this.buildImageButton = this.additionalActions.getByRole('button', { name: 'Build', exact: true });
+  }
+
+  async openPullImage(): Promise<PullImagePage> {
+    return test.step('Open pull image page', async () => {
+      await waitWhile(() => this.noContainerEngine(), {
+        timeout: 50_000,
+        message: 'No Container Engine is available, cannot pull an image',
+      });
+      await this.pullImageButton.click();
+      return new PullImagePage(this.page);
+    });
+  }
+
+  async pullImage(image: string): Promise<ImagesPage> {
+    return test.step(`Pull image: ${image}`, async () => {
+      const pullImagePage = await this.openPullImage();
+      await playExpect(pullImagePage.heading).toBeVisible();
+      return await pullImagePage.pullImage(image);
+    });
+  }
+
+  async openImageDetails(name: string): Promise<ImageDetailsPage> {
+    return test.step(`Open image details page for image: ${name}`, async () => {
+      const imageRow = await this.getImageRowByName(name);
+      if (imageRow === undefined) {
+        throw Error(`Image: '${name}' does not exist`);
+      }
+      const imageRowName = imageRow.getByRole('cell').nth(3);
+      await imageRowName.click();
+      return new ImageDetailsPage(this.page, name);
+    });
+  }
+
+  async waitForImageExists(name: string, timeout = 5_000): Promise<boolean> {
+    return test.step(`Wait for image: ${name} to exist`, async () => {
+      await waitUntil(async () => await this.imageExists(name), { timeout });
+      return true;
+    });
+  }
+}
+```
+
+Key points:
+
+- Extends `MainPage` with `super(page, 'images')`
+- Locators scoped to inherited `this.additionalActions`
+- Every method wrapped in `test.step()`
+- Uses `waitWhile`/`waitUntil` from project utilities
+- Navigation methods return new POM instances
+- `handleConfirmationDialog` for modal dialogs
+
+## Example 4: NavigationBar Usage
+
+The `NavigationBar` POM provides navigation to all main pages:
+
+```typescript
+// In a test — navigationBar comes from fixtures
+test('Navigate to containers', async ({ navigationBar }) => {
+  const containersPage = await navigationBar.openContainers();
+  await playExpect(containersPage.heading).toBeVisible();
+});
+
+// Navigate through multiple pages in sequence
+test('Check all main pages', async ({ navigationBar }) => {
+  const images = await navigationBar.openImages();
+  await playExpect(images.heading).toBeVisible();
+
+  const containers = await navigationBar.openContainers();
+  await playExpect(containers.heading).toBeVisible();
+
+  const volumes = await navigationBar.openVolumes();
+  await playExpect(volumes.heading).toBeVisible();
+
+  const pods = await navigationBar.openPods();
+  await playExpect(pods.heading).toBeVisible();
+});
+```
+
+Available navigation methods:
+
+- `openDashboard()` → `DashboardPage`
+- `openImages()` → `ImagesPage`
+- `openContainers()` → `ContainersPage`
+- `openPods()` → `PodsPage`
+- `openVolumes()` → `VolumesPage`
+- `openSettings()` → `SettingsBar`
+- `openKubernetes()` → `KubernetesBar`
+- `openExtensions()` → `ExtensionsPage`
+- `openNetworks()` → `NetworksPage`
+
+## Example 5: Test with Timeouts and Build Resources
+
+From `image-smoke.spec.ts` — building an image with file paths:
+
+```typescript
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { ArchitectureType } from '/@/model/core/platforms';
+import { expect as playExpect, test } from '/@/utility/fixtures';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+test('Build image', async ({ navigationBar }) => {
+  let imagesPage = await navigationBar.openImages();
+  await playExpect(imagesPage.heading).toBeVisible();
+
+  const buildImagePage = await imagesPage.openBuildImage();
+  await playExpect(buildImagePage.heading).toBeVisible();
+
+  const dockerfilePath = path.resolve(__dirname, '..', '..', 'resources', 'test-containerfile');
+  const contextDirectory = path.resolve(__dirname, '..', '..', 'resources');
+
+  imagesPage = await buildImagePage.buildImage('build-image-test', dockerfilePath, contextDirectory);
+  playExpect(await imagesPage.waitForImageExists('docker.io/library/build-image-test')).toBeTruthy();
+
+  const imageDetailsPage = await imagesPage.openImageDetails('docker.io/library/build-image-test');
+  await playExpect(imageDetailsPage.heading).toBeVisible();
+  imagesPage = await imageDetailsPage.deleteImage();
+  playExpect(await imagesPage.waitForImageDelete('docker.io/library/build-image-test')).toBeTruthy();
+});
+
+test('Build with target stage', async ({ navigationBar }) => {
+  test.setTimeout(180_000);
+  // ... similar but with stage parameter
+});
+```
+
+Key points:
+
+- `__dirname` derived from `import.meta.url` (ESM)
+- Resources in `tests/playwright/resources/`
+- Path resolution relative to the spec file
+- `test.setTimeout()` for long-running operations
+
+## Example 6: Conditional Skipping and Platform Checks
+
+```typescript
+import { isLinux, isMac, isCI } from '/@/utility/platform';
+
+// Skip at describe level
+test.describe.serial('Compose tests', { tag: '@smoke' }, () => {
+  test.skip(isCI && isLinux, 'Compose not available on Linux CI');
+
+  test('deploy compose file', async ({ navigationBar }) => {
+    // ...
+  });
+});
+
+// Skip individual tests
+test('macOS-only feature', async ({ page }) => {
+  test.skip(!isMac, 'Only runs on macOS');
+  // ...
+});
+
+// Skip based on env var
+test('registry push', async ({ page }) => {
+  test.skip(!process.env.REGISTRY_URL, 'No registry configured');
+  // ...
+});
+```
+
+## Example 7: Cleanup Pattern with try/finally
+
+From typical `afterAll` blocks:
+
+```typescript
+test.afterAll(async ({ runner, page }) => {
+  test.setTimeout(90_000);
+  try {
+    const imagesPage = await new NavigationBar(page).openImages();
+    await imagesPage.deleteAllUnusedImages();
+  } catch (error) {
+    console.log(`Cleanup error (non-fatal): ${error}`);
+  } finally {
+    await runner.close();
+  }
+});
+```
+
+`runner.close()` must always be called, even if cleanup fails.
+
+## Example 8: Polling with playExpect.poll
+
+The codebase wraps methods that have internal timeouts with `{ timeout: 0 }`:
+
+```typescript
+// The inner method (waitForImageExists) has its own timeout.
+// The outer poll with timeout: 0 prevents double-timeout issues.
+await playExpect
+  .poll(async () => updatedImages.waitForImageExists(helloContainer, 30_000), { timeout: 0 })
+  .toBeTruthy();
+
+// Polling for a count to change
+await playExpect
+  .poll(async () => await imagesPage.countImagesByName('<none>'), { timeout: 60_000 })
+  .toBeGreaterThan(baselineCount);
+```
+
+## Example 9: DetailsPage Subclass
+
+Pattern for a resource details page:
+
+```typescript
+import type { Locator, Page } from '@playwright/test';
+import test, { expect as playExpect } from '@playwright/test';
+
+import { DetailsPage } from './details-page';
+import { ImagesPage } from './images-page';
+
+export class ImageDetailsPage extends DetailsPage {
+  readonly summaryTab: Locator;
+  readonly historyTab: Locator;
+  readonly inspectTab: Locator;
+
+  constructor(page: Page, imageName: string) {
+    super(page, imageName);
+    this.summaryTab = this.tabs.getByRole('link', { name: 'Summary' });
+    this.historyTab = this.tabs.getByRole('link', { name: 'History' });
+    this.inspectTab = this.tabs.getByRole('link', { name: 'Inspect' });
+  }
+
+  async deleteImage(): Promise<ImagesPage> {
+    return test.step('Delete image from details', async () => {
+      const deleteButton = this.controlActions.getByRole('button', { name: 'Delete Image' });
+      await playExpect(deleteButton).toBeEnabled();
+      await deleteButton.click();
+      await handleConfirmationDialog(this.page);
+      return new ImagesPage(this.page);
+    });
+  }
+}
+```
+
+Key points:
+
+- Extends `DetailsPage` with resource name
+- Tab locators scoped to inherited `this.tabs`
+- Action buttons scoped to inherited `this.controlActions`
+- Returns parent list page POM after destructive actions
+
+## Example 10: Using test.use for Custom Runner Options
+
+```typescript
+import { RunnerOptions } from '/@/runner/runner-options';
+import { test } from '/@/utility/fixtures';
+
+// Disable specific extensions for this test file
+test.use({
+  runnerOptions: new RunnerOptions({
+    customFolder: 'extension-test',
+    extensionsDisabled: ['compose', 'kind'],
+    autoUpdate: false,
+    autoCheckUpdates: false,
+  }),
+});
+
+// Tests in this file get an isolated Podman Desktop profile
+// with compose and kind extensions disabled
+```

.agents/skills/playwright-testing/references/reference.md

@@ -0,0 +1,266 @@
+# Framework Reference
+
+Detailed reference for the Podman Desktop Playwright test framework internals.
+
+## Runner Internals
+
+### Singleton Pattern
+
+`Runner` enforces a single Electron instance across all tests in a worker:
+
+```typescript
+const runner = await Runner.getInstance({ runnerOptions });
+```
+
+Internally this calls `electron.launch()` with options derived from `RunnerOptions`
+and environment variables, then stores `firstWindow()` as the `page`.
+
+### Launch Options
+
+The runner resolves its launch configuration from:
+
+1. `PODMAN_DESKTOP_BINARY` env var — packaged app path
+2. `PODMAN_DESKTOP_ARGS` env var — path to repo root (dev mode, uses `node_modules/.bin/electron`)
+3. `RunnerOptions` — profile directory, settings, extensions, DevTools
+
+These are mutually exclusive: `PODMAN_DESKTOP_BINARY` takes precedence.
+
+### Tracing and Video
+
+- `runner.setVideoAndTraceName('feature-e2e')` — call in `beforeAll` to name artifacts
+- On `runner.close()`: tracing stops, video saves, process terminates
+- By default, traces and videos are deleted on pass unless `KEEP_TRACES_ON_PASS` / `KEEP_VIDEOS_ON_PASS` env vars are set, or `RunnerOptions` has `saveTracesOnPass: true` / `saveVideosOnPass: true`
+
+### Browser Window Access
+
+For Electron-specific checks:
+
+```typescript
+const browserWindow = await runner.getBrowserWindow();
+const state = await runner.getBrowserWindowState();
+// state: { isVisible, isDevToolsOpened, isCrashed, isFocused }
+```
+
+## RunnerOptions Full API
+
+```typescript
+new RunnerOptions({
+  profile: '', // Profile suffix
+  customFolder: 'podman-desktop', // Home directory subfolder
+  customOutputFolder: 'tests/playwright/output/',
+  openDevTools: 'none', // 'none' | 'right' | 'bottom' | 'undocked'
+  autoUpdate: true,
+  autoCheckUpdates: true,
+  extensionsDisabled: [], // Array of extension IDs to disable
+  aiLabModelUploadDisabled: false,
+  binaryPath: undefined, // Override binary path
+  saveTracesOnPass: false,
+  saveVideosOnPass: false,
+  customSettings: {}, // Injected into settings.json
+});
+```
+
+The `createSettingsJson()` method serializes these into the settings file that
+Runner writes to the profile directory before launch.
+
+## Fixtures Internals
+
+### How Fixtures Wire Together
+
+```
+runnerOptions (option, overridable via test.use)
+    └─→ runner (Runner.getInstance)
+          └─→ page (runner.getPage())
+                ├─→ navigationBar (new NavigationBar(page))
+                ├─→ welcomePage (new WelcomePage(page))
+                └─→ statusBar (new StatusBar(page))
+```
+
+### Overriding RunnerOptions
+
+Use `test.use()` at the file level for custom profiles:
+
+```typescript
+import { RunnerOptions } from '/@/runner/runner-options';
+import { test } from '/@/utility/fixtures';
+
+test.use({
+  runnerOptions: new RunnerOptions({
+    customFolder: 'my-isolated-test',
+    extensionsDisabled: ['podman'],
+  }),
+});
+```
+
+## Wait Utilities API
+
+### waitUntil
+
+Polls until a condition becomes `true`:
+
+```typescript
+await waitUntil(() => someAsyncCheck(), {
+  timeout: 5_000, // max wait (ms), default 5000
+  diff: 500, // polling interval (ms), default 500
+  sendError: true, // throw on timeout, default true
+  message: '', // custom error message
+});
+```
+
+### waitWhile
+
+Polls until a condition becomes `false`:
+
+```typescript
+await waitWhile(() => dialogIsStillOpen(), { timeout: 10_000, message: 'Dialog did not close' });
+```
+
+### waitForPodmanMachineStartup
+
+Ensures Podman machine is running before tests proceed:
+
+```typescript
+await waitForPodmanMachineStartup(page, timeout);
+```
+
+This:
+
+1. Creates a Podman machine via CLI if needed
+2. Opens the Dashboard page
+3. Waits for the status label to show "RUNNING"
+4. If stuck in "STARTING", resets and retries once
+
+## Operations Utility
+
+`/@/utility/operations` provides workflow helpers used across specs:
+
+- `handleConfirmationDialog(page, title?, confirm?, buttonName?, inputText?, timeout?, waitForClose?)` — handles modal confirmation dialogs
+- `untagImagesFromPodman(imageName)` — CLI-based image untagging
+- `deleteContainer(page, name)`, `deleteImage(page, name)` — cleanup helpers
+- `createPodmanMachineFromCLI()`, `resetPodmanMachinesFromCLI()` — machine management
+
+## Platform Utilities
+
+```typescript
+import { isLinux, isMac, isWindows, isCI } from '/@/utility/platform';
+```
+
+These are boolean constants, not functions. Use directly in `test.skip()`:
+
+```typescript
+test.skip(isLinux, 'Compose not supported on Linux CI');
+test.skip(isCI && isMac, 'Flaky on macOS CI');
+```
+
+## Playwright Configuration
+
+The config lives at the **repo root** (`playwright.config.ts`), not under `tests/playwright/`:
+
+```typescript
+export default defineConfig({
+  outputDir: 'tests/playwright/output/',
+  workers: 1,
+  timeout: 90_000,
+  reporter: [
+    ['list'],
+    ['junit', { outputFile: 'tests/playwright/output/junit-results.xml' }],
+    ['json', { outputFile: 'tests/playwright/output/json-results.json' }],
+    ['html', { open: 'never', outputFolder: 'tests/playwright/output/html-results/' }],
+  ],
+  projects: [
+    {
+      name: 'chromium',
+      use: { ...devices['Desktop Chrome'] },
+    },
+  ],
+});
+```
+
+The `chromium` project is declared for tooling compatibility (`auth-utils.ts`).
+The actual app under test is Electron, launched by `Runner` — not by Playwright's
+project configuration.
+
+Tracing and video are managed by `Runner`, not the config's `use` block.
+
+## MainPage Shared Methods
+
+`MainPage` provides methods inherited by all list pages:
+
+- `pageIsEmpty()` — checks for "No Container Engine" or "No {title}" headings
+- `noContainerEngine()` — checks engine availability
+- `getAllTableRows()` — returns all `row` locators from the content table
+- `getRowByName(name, exact?)` — finds a row by its ARIA label
+- `waitForRowToExists(name, timeout?)` — polls until a row appears
+- `waitForRowToBeDelete(name, timeout?)` — polls until a row disappears
+- `countRowsFromTable()` — counts data rows (excludes header)
+- `getRowsFromTableByStatus(status)` — filters rows by status cell content
+- `checkAllRows()` / `uncheckAllRows()` — toggle selection checkbox
+
+## DetailsPage Shared Methods
+
+`DetailsPage` provides:
+
+- `activateTab(tabName)` — clicks a tab in the detail view
+- `closeButton` / `backLink` — breadcrumb navigation locators
+- `heading` — scoped to the resource name
+- `controlActions` — action button group in the header
+
+## Locator Patterns in This Codebase
+
+### Region-Scoped Locators
+
+The Podman Desktop UI uses ARIA regions extensively. POMs scope locators to
+their containing region:
+
+```typescript
+this.mainPage = page.getByRole('region', { name: 'images' });
+this.header = this.mainPage.getByRole('region', { name: 'header' });
+this.additionalActions = this.header.getByRole('group', { name: 'additionalActions' });
+this.pullImageButton = this.additionalActions.getByRole('button', { name: 'Pull', exact: true });
+```
+
+### Row-Based Locators
+
+Table rows are found by intersecting `getByRole('row')` with `getByLabel(name)`:
+
+```typescript
+const locator = this.page
+  .getByRole('row')
+  .and(this.page.getByLabel(name, { exact: true }))
+  .first();
+```
+
+### Force Clicks
+
+Navigation links use `click({ force: true })` to bypass actionability checks
+when the Electron app's focus state can be unreliable:
+
+```typescript
+await this.imagesLink.click({ force: true });
+```
+
+## Test Tags
+
+Tags control which tests run in CI:
+
+| Tag               | Meaning                                       |
+| ----------------- | --------------------------------------------- |
+| `@smoke`          | Core smoke tests — always run                 |
+| `@k8s_e2e`        | Kubernetes tests — excluded from default runs |
+| `@windows_sanity` | Windows-specific sanity checks                |
+| `@macos_sanity`   | macOS-specific sanity checks                  |
+
+Filter with `--grep` / `--grep-invert`:
+
+```bash
+npx playwright test --grep @smoke
+npx playwright test --grep-invert @k8s_e2e
+```
+
+## CI/CD Patterns
+
+- Tests run from the monorepo root with `xvfb-maybe` on Linux
+- Single worker (`workers: 1`) — Electron app is a singleton
+- `PODMAN_DESKTOP_BINARY` env var points to the packaged app in CI
+- Output directory archived for traces, screenshots, and JUnit results
+- Retries configured per-describe: `test.describe.configure({ retries: 2 })`

.agents/skills/playwright-trace-analysis/SKILL.md

@@ -0,0 +1,474 @@
+---
+name: playwright-trace-analysis
+description: >-
+  Analyzes Playwright trace archives (`trace.zip`) to diagnose test failures,
+  flaky behavior, and unexpected UI states using trace steps, console output,
+  network activity, and screenshots. Use when the user provides a trace path or
+  trace artifact, asks why a Playwright or E2E test failed, wants root-cause
+  analysis from CI artifacts, mentions the trace viewer, or asks whether a
+  failure is flaky or an application bug.
+---
+
+# Playwright Trace Analysis
+
+## When to use
+
+Apply when the user provides:
+
+- A `trace.zip` path
+- A trace artifact to inspect
+- A failing Playwright/E2E test and asks for root-cause analysis from the trace
+- Two traces to compare, such as passing vs failing or retry-0 vs retry-1
+
+## Immediate behavior
+
+If the user already provided a usable trace path or attached trace artifact, start analysis immediately.
+
+Do **not** ask for extra context up front unless one of these is true:
+
+- The trace path is missing
+- The path is ambiguous or unresolved
+- The user supplied multiple traces and did not say which one to analyze
+
+Optional context like test title, CI log, expected behavior, or retry history can help, but it is not required for the first analysis pass.
+
+## Inputs
+
+- Absolute path to `trace.zip`
+- Or a workspace-relative path you can resolve safely
+- Optional: test title, spec file, CI snippet, expected behavior, retry history, second trace
+
+If the user points to a directory instead of a zip, locate the trace archive inside it before analyzing. If multiple candidate zips exist, ask one focused follow-up question.
+
+## MCP tools
+
+Use the `user-playwright-analyzer` MCP server.
+
+Before the first MCP call in a session, read the server tool descriptors from the Cursor MCP directory and use the schema exactly as written. Do not guess parameter names.
+
+All current tools require `traceZipPath`.
+
+| toolName                    | Use                                                     | Important parameters               |
+| --------------------------- | ------------------------------------------------------- | ---------------------------------- |
+| `analyze-trace`             | Combined first-pass overview. **Start here.**           | —                                  |
+| `get-trace`                 | Step-by-step actions and console context                | `filterPreset`, `raw`              |
+| `get-network-log`           | Request/response details                                | `raw`                              |
+| `get-screenshots`           | Relevant screenshots around errors and critical actions | —                                  |
+| `view-screenshot`           | Inspect one screenshot by filename                      | `filename`                         |
+| `get-raw-trace-paginated`   | Raw trace when filtered output is insufficient          | `browserIndex`, `page`, `pageSize` |
+| `get-raw-network-paginated` | Raw network when filtered output is insufficient        | `browserIndex`, `page`, `pageSize` |
+
+### MCP fallback — manually-created traces
+
+Some test frameworks create traces manually using Playwright's tracing API (`tracing.start()` / `tracing.stop()`) rather than relying on Playwright's built-in per-test trace mechanism. These traces are structurally valid but may use naming conventions or internal layouts that the MCP tool does not recognize.
+
+**When the MCP tool returns "No trace files found" or similar errors but the zip does contain `trace.trace` / `trace.network` files, fall back to manual analysis.** Do not assume the trace is empty or broken — verify by listing the zip contents first.
+
+See the [Manual trace parsing](#manual-trace-parsing) section below and [reference.md](reference.md) for the detailed file format and parsing scripts.
+
+### Escalation rules
+
+Prefer the smallest useful call sequence:
+
+1. `analyze-trace`
+2. If the MCP tool returns errors or empty results, verify the zip contents (`unzip -l`) and fall back to [manual trace parsing](#manual-trace-parsing)
+3. `get-trace` with `filterPreset: "minimal"` if the overview is not enough
+4. One or more corroborating calls based on the failure signal:
+   - `get-screenshots` for locator, visibility, or wrong-page problems
+   - `get-network-log` for failed or missing requests
+   - `get-trace` with `filterPreset: "moderate"` for console-heavy or sequence-heavy failures
+5. `get-trace` with `filterPreset: "conservative"` only if prior calls are still inconclusive
+6. Raw paginated tools only as a last resort
+
+Avoid jumping to `raw: true` early. Large raw payloads are harder to reason about and more likely to be truncated.
+
+### Parallel tool calls
+
+When the overview suggests you need multiple corroborating signals, call them in parallel rather than sequentially. For example, if a locator timed out and you suspect both a visual issue and a network issue, call `get-screenshots` and `get-network-log` in the same tool-call batch.
+
+Good parallel combinations:
+
+- `get-screenshots` + `get-network-log` — locator timeout with possible data-loading cause
+- `get-screenshots` + `get-trace` (moderate) — wrong visual state with unknown trigger
+- `get-network-log` + `get-trace` (moderate) — API failure with unclear console context
+
+Do not parallelize calls that depend on each other's output (e.g., don't call `view-screenshot` until you know the filename from `get-screenshots`).
+
+## Standard workflow
+
+### Step 1: Run the overview
+
+Call `analyze-trace` first and extract:
+
+- The failing test or action if available
+- The exact error text
+- The first meaningful failing step
+- Any obvious screenshot or network clues
+- Action durations — note any step that took significantly longer than its peers
+
+### Step 2: Read the test source
+
+Once you know the failing test file and approximate line, read the relevant spec file and any page objects it uses. This gives you:
+
+- **Intent**: what the test was trying to verify
+- **Locator context**: whether the locator is reasonable or brittle
+- **Assertion context**: whether the expected value still makes sense
+- **Flow context**: what earlier steps should have set up the state for the failing assertion
+
+If the test file path is not in the trace output, search the workspace for the test name or assertion text.
+
+### Step 3: Find the first meaningful failure
+
+Prioritize the earliest causal failure, not the later cascade.
+
+Build a mental timeline by mapping:
+
+1. The last successful action before the failure
+2. Any console errors or warnings between success and failure
+3. Any network requests initiated or completed in that window
+4. The screenshot state at the moment of failure
+
+Examples of likely causal signals:
+
+- Assertion mismatch
+- Locator timeout or actionability failure
+- Navigation timeout or unexpected URL
+- Console exception before the failing assertion
+- 4xx/5xx request or a required request never being sent
+- Action duration spike (a step taking 10x longer than similar steps)
+
+### Step 4: Corroborate with additional signals
+
+Before concluding, check at least one additional source unless the trace already contains a direct smoking gun.
+
+Recommended pairings:
+
+| Primary signal                | Best corroboration                         |
+| ----------------------------- | ------------------------------------------ |
+| Locator timeout               | Screenshots                                |
+| Assertion mismatch            | Network or console                         |
+| Wrong page / navigation issue | Screenshots and network                    |
+| Console exception             | Trace step immediately before it           |
+| API failure                   | Network details and screenshot state       |
+| Slow action duration          | Network log (pending request?) and console |
+
+### Step 5: Correlate with code changes (when useful)
+
+If the failure looks like a regression (test was previously passing), check recent changes:
+
+- Run `git log --oneline -10 -- <failing-source-file>` on the app code the trace points to
+- Run `git log --oneline -10 -- <spec-file>` on the test itself
+- Check if the locator targets something that was recently renamed or restructured
+
+This is especially valuable when the failure classification is "app bug" or "test bug" — it often reveals the introducing commit.
+
+### Step 6: Classify the failure
+
+Use one of these buckets:
+
+- **App bug**: the trace shows the application produced the wrong state or errored
+- **Test bug**: the trace shows the app behaved correctly but the test asserted the wrong thing or used a bad locator
+- **Likely flaky**: the trace shows a timing-sensitive race, loading state, animation, or ordering issue
+- **Environment / infra**: the failure is caused by CI runner state, missing dependencies, or external service unavailability
+- **Unknown**: the available trace data is insufficient
+
+Do not classify unless the trace supports it. State your confidence level explicitly.
+
+### Step 7: Report
+
+See the reporting contract below. Lead with the root cause, back every claim with trace evidence, and propose a specific fix.
+
+## Decision guide
+
+| What you see                                            | What to do next                                                                                                |
+| ------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| MCP returns "No trace files found" or similar error     | List zip contents with `unzip -l`; if `trace.trace` exists, use [manual trace parsing](#manual-trace-parsing)  |
+| Clear assertion mismatch and obvious cause in overview  | Report it; extra MCP calls may be unnecessary                                                                  |
+| Locator timeout or hidden element                       | Run `get-screenshots`                                                                                          |
+| Overview mentions console errors but not enough context | Run `get-trace` with `filterPreset: "minimal"` or `"moderate"`                                                 |
+| Network summary shows 4xx/5xx or missing response       | Run `get-network-log`                                                                                          |
+| Screenshot looks wrong but not enough detail            | Run `view-screenshot` for the named frame                                                                      |
+| Filtered output omits the needed detail                 | Escalate to `conservative`, then raw paginated tools                                                           |
+| Multiple browser sessions exist                         | Use `browserIndex` on paginated raw tools                                                                      |
+| Failure looks like a regression                         | Check git history for the affected file                                                                        |
+| Test source uses a brittle locator                      | Read the spec file and propose a resilient alternative                                                         |
+| CI artifact is a nested zip (not a direct trace zip)    | Extract the inner trace zip first, then analyze                                                                |
+| Multiple runs fail the same way                         | Do **not** default to flaky; run [exhaustive console analysis](#exhaustive-console-analysis) across all traces |
+
+## Common patterns
+
+### Locator and actionability failures
+
+- `waiting for locator(...)` then timeout: element never appeared, selector changed, or page never reached the expected state
+- `not visible` / `not enabled`: overlay, modal, disabled control, or incomplete render
+- `strict mode violation`: selector is too broad and matched multiple elements
+
+Check screenshots first, then console or network if the UI looks incomplete.
+
+### Assertion failures
+
+- Expected text/value/count differs from actual: stale data, wrong element, race with data loading, or changed product behavior
+- Expected visible but got hidden: render failure, delayed data, or transient UI state
+
+Check whether the expected state arrives later than the assertion window before calling it flaky.
+
+### Navigation failures
+
+- `goto` or `waitForURL` timeout: redirect loop, app crash, auth redirect, slow load, or wrong expectation
+- Unexpected page in screenshot: navigation intercepted or user flow diverged earlier
+
+Check network and screenshots together.
+
+### Network failures
+
+- 4xx before assertion: auth/session/request contract issue
+- 5xx: backend failure
+- Request never sent: frontend logic never fired, earlier JS error blocked it, or user action failed
+- CORS/preflight issue: cross-origin misconfiguration
+
+### Timing and duration anomalies
+
+- A single action taking 5-10x longer than peers: likely waiting on a network response, animation, or resource load
+- Gradual slowdown across steps: possible memory leak or resource exhaustion
+- Timeout at exactly the configured limit (e.g., 30000ms): the condition was never met, not just slow
+
+### Electron-specific patterns
+
+- **IPC failures**: console errors mentioning `ipcRenderer`, `ipcMain`, or channel names indicate broken communication between main and renderer processes
+- **Webview loading**: if the test interacts with a webview, check whether the webview's `document` loaded (look for webview-related console messages or navigation events)
+- **Multi-window issues**: Electron apps can have multiple `BrowserWindow` instances; verify the trace is from the correct window
+- **Preload script errors**: errors during preload indicate the renderer lacks expected APIs — check console output for preload-related messages
+
+### Flakiness indicators
+
+Treat as likely flaky only when the trace suggests timing or nondeterminism, for example:
+
+- Screenshot shows spinner/loading/skeleton instead of final UI
+- Expected state appears after the timeout window
+- Animation or transition seems to block the action
+- Request ordering matters and looks variable
+- Retry history or CI context indicates pass-on-retry behavior
+
+If you suspect flakiness, say why and recommend the stabilization point, such as waiting for a specific response, element state, or post-animation condition.
+
+### Deterministic failures across multiple runs
+
+When multiple traces from separate CI runs are provided and they all fail the same way, **raise the bar significantly before classifying as flaky**. A failure that reproduces N/N times across independent runs is almost certainly deterministic. Even if the test has `continue-on-error: true` or is known to be occasionally flaky, consistent reproduction points to an app bug or environment regression — not timing luck.
+
+In this scenario:
+
+1. **Do not default to "likely flaky"** — consistent reproduction is strong counter-evidence against flakiness.
+2. **Perform an exhaustive console log scan** (see [Exhaustive console analysis](#exhaustive-console-analysis) below) before drawing conclusions. The root cause often hides in a log-level message that a severity-filtered search misses.
+3. **Look for a common causal event** across all traces rather than analyzing each in isolation. If the same console error, network failure, or UI state appears in every trace, that is almost certainly the root cause.
+4. Classify as flaky only if the traces show genuinely different failure modes or if some runs pass and others fail.
+
+## Reporting contract
+
+Every analysis must include all of the sections below. The report should be structured so a developer can read it top-to-bottom in under 2 minutes and know exactly what happened, why, and what to do.
+
+### Required sections
+
+1. **Failure summary** — One or two sentences: what failed and the most likely cause.
+2. **Event timeline** — A compact chronological sequence of the key events leading to the failure. Include timestamps or step numbers when available. This gives the reader the narrative arc.
+3. **Evidence** — Each claim must cite a specific artifact from the trace. Use this format:
+   - `[trace step N]` — reference to a specific action or event in the trace
+   - `[screenshot: filename]` — reference to a screenshot, with a brief description of what it shows
+   - `[network: METHOD url → status]` — reference to a specific request
+   - `[console: level] message` — reference to a console log entry
+4. **Root cause** — A confidence-labeled explanation. Format: `[Confirmed|Likely|Unknown] explanation`. If `Likely` or `Unknown`, briefly state what additional evidence would upgrade the confidence.
+5. **What was ruled out** — Briefly list alternative hypotheses you investigated and why they don't fit. This builds trust in the conclusion and saves the developer from re-investigating dead ends.
+6. **Recommended action** — A specific, actionable fix. When the fix is in test code, include the file path, the problematic line or locator, and the suggested replacement. When the fix is in application code, point to the relevant source file and describe the expected behavior change.
+
+### Report template
+
+Use markdown headers matching the required sections above. Cite evidence with these prefixes: `[trace step N]`, `[screenshot: filename]`, `[network: METHOD url → status]`, `[console: level] message`. See [reference.md](reference.md) for the full citation format reference.
+
+For test code fixes, include the file path, problematic line/locator, and suggested replacement. For app code fixes, point to the relevant source file and describe the expected behavior change.
+
+### Severity annotation (optional but encouraged)
+
+When context is available, annotate the failure with severity:
+
+- **Blocking**: test suite cannot proceed, or the failure indicates a critical app regression
+- **Significant**: test fails reliably, indicating a real but non-critical issue
+- **Minor**: cosmetic or low-impact, or the test itself is overly strict
+- **Infra-only**: failure is caused by CI environment, not application or test code
+
+## Multi-trace comparison
+
+When two traces are provided:
+
+1. Run `analyze-trace` on both (in parallel)
+2. Find where their step sequences diverge
+3. Compare screenshots and network behavior at the divergence point
+4. Report the **delta**, not two separate full summaries
+
+Focus on: "the failing trace diverges here, and this is the first difference that plausibly explains the failure."
+
+### Retry-trace comparison
+
+When Playwright retries produce multiple traces for the same test:
+
+1. Compare the traces to determine whether the failure is consistent or intermittent
+2. If the retry passes, focus on what differs — typically network timing, element ordering, or data availability
+3. A consistent failure across retries is likely deterministic; a pass-on-retry is likely flaky
+4. Report the specific divergence point and the stabilization needed
+
+### Batch analysis
+
+When multiple traces from a CI run are provided:
+
+1. Run `analyze-trace` on each (in parallel, up to 3-4 at a time)
+2. Look for common failure patterns — same error message, same failing API endpoint, same console exception
+3. Group failures by root cause rather than reporting each individually
+4. If a single root cause explains multiple failures, say so explicitly and list the affected tests
+
+## If the trace is insufficient
+
+State that directly. Good examples:
+
+- "The trace shows the assertion timing out, but not why the data never loaded."
+- "I can confirm the UI was still loading, but I cannot tell from this trace alone whether the delay came from the app or the test environment."
+
+Then name the single best next action:
+
+- Escalate `get-trace` to `moderate` or `conservative`
+- Inspect `get-network-log` (possibly with `raw: true` if the filtered version omits relevant requests)
+- Compare with a passing trace
+- Review the failing locator or assertion in the test source
+- Check for a video artifact alongside the trace
+- Look at CI runner logs for environment issues (OOM, disk, network)
+
+Do not leave the analysis open-ended. Always propose a concrete next step even when the trace is insufficient.
+
+## Exhaustive console analysis
+
+Console messages in Playwright traces carry a `messageType` field (`log`, `debug`, `info`, `warning`, `error`). **Do not filter solely by `error` or `warning` severity.** Application code frequently logs critical errors at `log` or `info` level — for example, a `catch` block that calls `console.log(\`Error while ...: ${err}\`)`instead of`console.error(...)`. Filtering only by severity will miss these, potentially causing you to misdiagnose the failure entirely.
+
+### Required console scanning procedure
+
+When performing manual trace parsing, always run **two passes** over console messages:
+
+1. **Severity pass** — collect all `error` and `warning` messages.
+2. **Keyword pass** — collect messages at **any** severity level whose text matches failure-related patterns. Use a broad keyword set:
+
+```
+error, fail, TypeError, ReferenceError, SyntaxError, reject, crash,
+abort, ECONNREFUSED, ENOTFOUND, ETIMEDOUT, fetch failed, tls, cert,
+ssl, socket, refused, timeout, 4xx, 5xx, unauthorized, forbidden,
+not found, unreachable, cannot, unable
+```
+
+Report the union of both passes. When a message appears at an unexpected severity (e.g., an error message at `log` level), flag the mismatch explicitly — it often indicates a swallowed error in the application code that is central to the failure.
+
+### Why this matters
+
+A real-world example: `TypeError: fetch failed` from the Kubernetes client was logged via `console.log()` (not `console.error()`). Filtering only for `error`-level messages missed it entirely, leading to a misdiagnosis of "test flakiness / timing issue" when the actual root cause was the app's `fetch()` calls failing due to a build configuration change. The error was present in all traces and was the direct cause of "Cluster not reachable" — but it was invisible to a severity-only filter.
+
+## Manual trace parsing
+
+When the MCP tool cannot parse the trace (common with manually-created traces), analyze the files directly. The trace zip typically contains three components: `trace.trace`, `trace.network`, and `resources/` with screenshots.
+
+### Step 1: Verify zip contents and extract
+
+```bash
+unzip -l /path/to/trace.zip | head -20
+```
+
+Look for `trace.trace`, `trace.network`, and `resources/*.jpeg`. If the trace zip is nested inside a CI artifact archive, extract the inner zip first.
+
+### Step 2: Parse actions and locator resolutions from trace.trace
+
+The `trace.trace` file is newline-delimited JSON. Each line is an object with a `type` field. The key types for failure analysis are `before` (action start), `after` (action result), `log` (Playwright internal logs), and `console` (browser console output). See [reference.md](reference.md) for the full format specification and ready-to-use parsing scripts.
+
+Extract the action timeline and errors:
+
+```bash
+python3 -c "
+import json
+with open('trace.trace') as f:
+    for line in f:
+        obj = json.loads(line.strip())
+        t = obj.get('type', '')
+        if t == 'before':
+            cid = obj.get('callId', '')
+            api = obj.get('apiName', '')
+            sel = obj.get('params', {}).get('selector', '')[:100]
+            print(f'[{cid}] {api} selector={sel}')
+        elif t == 'after' and obj.get('error'):
+            print(f'[{obj[\"callId\"]}] ERROR: {obj[\"error\"]}')
+        elif t == 'log':
+            msg = obj.get('message', '')[:200]
+            if any(k in msg.lower() for k in ['error', 'fail', 'timeout', 'locator resolved']):
+                print(f'  LOG: {msg}')
+        elif t == 'console':
+            args = obj.get('args', [])
+            text_parts = [a.get('preview', '') or a.get('value', '') for a in args]
+            text = ' '.join(str(p) for p in text_parts if p)[:300]
+            msg_type = obj.get('messageType', '')
+            # Always show error/warning level
+            if msg_type in ('error', 'warning'):
+                print(f'  CONSOLE [{msg_type}]: {text}')
+            # Also show ANY level if text matches failure keywords
+            elif text and any(k in text.lower() for k in [
+                'error', 'fail', 'typeerror', 'referenceerror', 'reject',
+                'crash', 'abort', 'econnrefused', 'enotfound', 'etimedout',
+                'fetch failed', 'tls', 'cert', 'ssl', 'socket', 'refused',
+                'timeout', 'unauthorized', 'forbidden', 'unreachable',
+                'cannot', 'unable']):
+                print(f'  CONSOLE [{msg_type}]: {text}')
+"
+```
+
+**Important:** The console extraction above scans messages at **all** severity levels for failure-related keywords, not just `error`/`warning`. This is essential — application code may log critical errors via `console.log()` rather than `console.error()`. See [Exhaustive console analysis](#exhaustive-console-analysis) for the rationale.
+
+The `log` entries with "locator resolved to" are critical — they show exactly which DOM element Playwright matched for each retry of an assertion. Repeated resolution to a hidden or wrong element (as seen in `.first()` matching a `class="hidden"` span) is a strong signal for locator bugs.
+
+### Step 3: View screenshots at specific timestamps
+
+Screenshot filenames encode timestamps: `page@<hash>-<timestamp>.jpeg`. Use the timestamps to correlate with trace events, or use `view-screenshot` from the MCP tool (which still works even when trace parsing fails).
+
+### Step 4: Check network log
+
+```bash
+python3 -c "
+import json
+with open('trace.network') as f:
+    for line in f:
+        obj = json.loads(line.strip())
+        snap = obj.get('snapshot', {})
+        url = snap.get('request', {}).get('url', '')
+        status = snap.get('response', {}).get('status', '')
+        if not url.startswith('file://'):
+            print(f'{snap[\"request\"][\"method\"]} {url} -> {status}')
+"
+```
+
+For Electron apps, the network log typically only captures renderer-process requests (local `file://` resource loads). API calls made by the main process (e.g., Octokit calls to GitHub) are not captured in the trace.
+
+## CI artifact structure
+
+CI artifacts nest traces inside larger archives. Extract the inner trace zip before analyzing. See [reference.md](reference.md) for the full layout, `json-results.json` parsing scripts, and `error-context.md` usage.
+
+```bash
+unzip -l artifact.zip | grep trace.zip
+unzip artifact.zip "path/to/trace.zip" -d /tmp/analysis
+```
+
+## If MCP is unavailable
+
+Fall back to the Playwright CLI viewer. See [reference.md](reference.md) for details.
+
+```bash
+pnpm exec playwright show-trace /absolute/path/to/trace.zip
+```
+
+## After analysis
+
+- If the likely issue is in the Playwright spec, page object, or test config, follow the [playwright-testing skill](../playwright-testing/SKILL.md).
+- If the trace points to application code, navigate to the relevant source and propose a fix grounded in the trace evidence.
+- When proposing fixes, always include the specific file path and line reference — never leave the developer to hunt for the right location.
+
+## Additional resources
+
+- Extended tool details, signal correlation, and Electron-specific guidance: [reference.md](reference.md)

.agents/skills/playwright-trace-analysis/reference.md

@@ -0,0 +1,516 @@
+# Playwright Trace Analysis — Reference
+
+## Agent behavior
+
+If the user already supplied a usable `trace.zip` path or attached artifact, begin analysis immediately.
+
+Ask a follow-up question only when:
+
+- No trace path or artifact was provided
+- The path cannot be resolved
+- Multiple candidate trace archives exist and the target is unclear
+
+Do not block the first pass on optional context like test name, CI logs, or expected behavior.
+
+## Path handling
+
+- Prefer absolute paths when calling MCP tools
+- Resolve workspace-relative paths before the call
+- If the user provides a directory, locate the relevant `trace.zip` inside it
+- If more than one matching archive is present, ask one targeted clarification instead of guessing
+
+## Trace archive layout
+
+A `trace.zip` typically contains (layout varies by Playwright version):
+
+| File/directory  | Contents                                                             |
+| --------------- | -------------------------------------------------------------------- |
+| `trace.trace`   | Newline-delimited JSON — actions, events, console logs, snapshots    |
+| `trace.network` | Newline-delimited JSON — HAR-like network request/response data      |
+| `resources/`    | Screenshots (JPEG), snapshot HTML, and media referenced by the trace |
+
+When MCP tools can parse the trace, use them. When they cannot (common with manually-created traces — see below), parse the files directly using the format specification in this section.
+
+## Manually-created vs automatic traces
+
+Playwright supports two trace creation modes:
+
+1. **Automatic** (per-test): configured via `playwright.config.ts` with `trace: 'on'` or `trace: 'retain-on-failure'`. Playwright creates one trace per test with rich metadata (test name, step annotations, source locations). MCP tools are designed for this format.
+
+2. **Manual** (API-driven): the test framework calls `page.context().tracing.start()` and `tracing.stop({ path })` explicitly. This produces a valid trace zip but may lack per-test metadata, use continuous recording across multiple tests, or use non-standard file naming. The MCP tool may report "No trace files found" for these.
+
+**Always verify the zip contents with `unzip -l` before concluding a trace is empty.** If `trace.trace` and `trace.network` exist, the data is there — it just needs manual parsing.
+
+## trace.trace file format
+
+Newline-delimited JSON. Each line is a self-contained JSON object with a `type` field.
+
+### Entry types
+
+| Type               | Description                                                  | Key fields                                                           |
+| ------------------ | ------------------------------------------------------------ | -------------------------------------------------------------------- |
+| `context-options`  | First line. Browser/Playwright config, env vars, launch args | `browserName`, `playwrightVersion`, `options.env`                    |
+| `before`           | Action started (click, fill, expect, etc.)                   | `callId`, `apiName`, `params.selector`, `wallTime`                   |
+| `after`            | Action completed                                             | `callId`, `error` (present only on failure)                          |
+| `log`              | Playwright internal log (locator resolution, wait status)    | `message`                                                            |
+| `console`          | Browser console output                                       | `messageType` (`log`, `error`, `warning`, `debug`), `args[].preview` |
+| `frame-snapshot`   | DOM snapshot reference                                       | `sha1` (references a file in `resources/`)                           |
+| `screencast-frame` | Screenshot frame reference                                   | `sha1`, `timestamp`                                                  |
+| `input`            | User input event                                             | `type` (e.g., `mousedown`), coordinates                              |
+
+### Critical fields for failure analysis
+
+**`before` entries:**
+
+```json
+{
+  "type": "before",
+  "callId": "call@1716",
+  "apiName": "expect.toBeVisible",
+  "params": {
+    "selector": "internal:role=region[name=\"Onboarding Body\"i] >> internal:label=\"Onboarding Status Message\"i >> ...",
+    "isNot": false
+  },
+  "wallTime": 1774063988000
+}
+```
+
+**`after` entries (with error):**
+
+```json
+{
+  "type": "after",
+  "callId": "call@1716",
+  "error": { "name": "Expect", "message": "Expect failed" }
+}
+```
+
+**`log` entries — locator resolution:**
+
+```
+locator resolved to <span contenteditable="false" class="hidden s-qNHuh0m3pQVo">...</span>
+```
+
+These entries are the most diagnostic for locator bugs. When the same `callId` produces repeated `log` entries showing resolution to the same element, it means Playwright is retrying the assertion and consistently matching that element. If the element is hidden or wrong, this reveals the root cause.
+
+**`console` entries:**
+
+```json
+{
+  "type": "console",
+  "messageType": "error",
+  "args": [{ "preview": "main ↪️", "type": "string" }]
+}
+```
+
+Note: in Electron apps, console messages from the main process are forwarded to the renderer with a `main ↪️` prefix. These are often truncated in the `preview` field.
+
+### Parsing scripts
+
+**Full action timeline with errors and key logs:**
+
+```python
+import json
+with open('trace.trace') as f:
+    for line in f:
+        obj = json.loads(line.strip())
+        t = obj.get('type', '')
+        if t == 'before':
+            cid = obj.get('callId', '')
+            api = obj.get('apiName', '')
+            sel = obj.get('params', {}).get('selector', '')[:120]
+            print(f'[{cid}] BEFORE {api} selector={sel}')
+        elif t == 'after':
+            cid = obj.get('callId', '')
+            err = obj.get('error')
+            if err:
+                print(f'[{cid}] AFTER error={err}')
+        elif t == 'log':
+            msg = obj.get('message', '')[:200]
+            if any(k in msg.lower() for k in ['error', 'fail', 'timeout', 'locator resolved']):
+                print(f'  LOG: {msg}')
+        elif t == 'console':
+            args = obj.get('args', [])
+            text = args[0].get('preview', '')[:200] if args else ''
+            msgtype = obj.get('messageType', '')
+            if msgtype == 'error' or 'rate limit' in text.lower():
+                print(f'  CONSOLE [{msgtype}]: {text}')
+```
+
+**Summary of entry types (useful for orientation):**
+
+```python
+import json
+from collections import Counter
+types = Counter()
+with open('trace.trace') as f:
+    for line in f:
+        obj = json.loads(line.strip())
+        types[obj.get('type', 'unknown')] += 1
+for t, c in types.most_common():
+    print(f'{t}: {c}')
+```
+
+## trace.network file format
+
+Newline-delimited JSON. Each line is a `resource-snapshot` entry with HAR-like structure:
+
+```json
+{
+  "type": "resource-snapshot",
+  "snapshot": {
+    "pageref": "page@<hash>",
+    "startedDateTime": "2026-03-21T03:33:03.269Z",
+    "request": {
+      "method": "GET",
+      "url": "file:///path/to/resource.css",
+      "headers": [...]
+    },
+    "response": {
+      "status": 200,
+      "statusText": "OK",
+      "content": { "size": 168765, "mimeType": "text/css" }
+    }
+  }
+}
+```
+
+**Electron caveat:** For Electron apps, the network log typically only captures renderer-process requests — local `file://` loads for CSS, JS, fonts, and images. API calls made by the main process (e.g., Octokit calls to GitHub, Docker API calls) are **not** captured because they run in Node.js, not the browser context. Do not expect to find external HTTP traffic here.
+
+## Screenshot naming and timestamps
+
+Screenshots in `resources/` follow the pattern:
+
+```
+page@<context-hash>-<unix-timestamp-ms>.jpeg
+```
+
+The timestamp is a Unix epoch in milliseconds. Use it to:
+
+- Correlate screenshots with trace events (match against `wallTime` in `before` entries)
+- Calculate elapsed time between screenshots
+- Identify the visual state at any point during the test
+
+To find screenshots around a specific event, compute the target timestamp from the trace and select the nearest screenshot filenames.
+
+## CI artifact structure
+
+CI runs typically package results in an outer archive containing multiple files. The trace zip is nested inside:
+
+```
+ci-artifact.zip
+└── results/
+    └── podman-desktop/
+        ├── traces/<name>_trace.zip        ← the Playwright trace
+        ├── videos/<name>.webm             ← screen recording
+        ├── html-results/                  ← Playwright HTML report
+        ├── json-results.json              ← structured test results with errors
+        ├── junit-results.xml              ← JUnit XML for CI
+        ├── output.log                     ← CI build/test output
+        └── <test-hash>/error-context.md   ← page accessibility snapshot at failure
+```
+
+### json-results.json
+
+Contains structured test results with the exact error message and locator call log. Parse it to extract failure details:
+
+```python
+import json
+with open('json-results.json') as f:
+    data = json.load(f)
+
+def walk(suites):
+    for suite in suites:
+        for spec in suite.get('specs', []):
+            for test in spec.get('tests', []):
+                for result in test.get('results', []):
+                    if result.get('status') not in ('passed', 'skipped'):
+                        error = result.get('error', {})
+                        print(f"FAILED: {spec['title']}")
+                        print(f"  {error.get('message', '')[:500]}")
+        walk(suite.get('suites', []))
+
+walk(data.get('suites', []))
+```
+
+The error message often contains the exact locator used, the element it resolved to, and the retry count — which can directly reveal the root cause without needing to parse the trace at all.
+
+### error-context.md
+
+Contains the page's accessibility tree (ARIA snapshot) at the moment of failure. This shows what Playwright "saw" in the DOM, which may differ from what was visually rendered. Key uses:
+
+- Verify whether an expected element exists in the DOM
+- Check element text content and ARIA attributes
+- Identify whether a dialog or overlay is present in the DOM tree
+- Compare against screenshots to find discrepancies between DOM state and visual state
+
+## MCP tool parameter reference
+
+All tools require `traceZipPath` (string): the absolute path to the trace zip.
+
+### analyze-trace
+
+No additional parameters. Returns a combined overview of execution steps, network summary, and key screenshots. Always call this first.
+
+### get-trace
+
+| Parameter      | Type                                            | Default     | Description                                                                                                                                                     |
+| -------------- | ----------------------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `filterPreset` | `"minimal"` \| `"moderate"` \| `"conservative"` | `"minimal"` | Controls how much trace data is retained (see escalation below)                                                                                                 |
+| `raw`          | boolean                                         | `false`     | When `true`, returns the complete unfiltered trace including all DOM snapshots. Overrides `filterPreset`. Use only as a last resort — output can be very large. |
+
+**Filter preset escalation:**
+
+1. `minimal` — maximum filtering. Removes DOM snapshots and redundant entries. Retains error logs, action steps, and basic console output. Start here.
+2. `moderate` — retains more console logs, context around actions, and additional event metadata. Use when `minimal` doesn't show enough detail around the failure.
+3. `conservative` — retains almost everything except raw DOM snapshots. Use for complex failures where prior levels are inconclusive.
+4. `raw: true` — completely unfiltered. Only use when even `conservative` is insufficient. Prefer the paginated tool instead to avoid output truncation.
+
+### get-network-log
+
+| Parameter | Type    | Default | Description                                                                                                   |
+| --------- | ------- | ------- | ------------------------------------------------------------------------------------------------------------- |
+| `raw`     | boolean | `false` | When `true`, includes analytics, third-party services, and verbose metadata that are filtered out by default. |
+
+The filtered (default) view removes noise from analytics trackers and third-party scripts, focusing on app-relevant HTTP traffic.
+
+### get-screenshots
+
+No additional parameters. Returns screenshots around errors and critical actions, intelligently filtered to avoid timeout-duplicate frames.
+
+### view-screenshot
+
+| Parameter  | Type   | Required | Description                                                          |
+| ---------- | ------ | -------- | -------------------------------------------------------------------- |
+| `filename` | string | yes      | Screenshot filename from the trace, e.g., `page@hash-timestamp.jpeg` |
+
+Use when `get-screenshots` omitted a frame you need, or when `analyze-trace` references a filename you want to inspect closely.
+
+### get-raw-trace-paginated
+
+| Parameter      | Type   | Default | Description                                      |
+| -------------- | ------ | ------- | ------------------------------------------------ |
+| `browserIndex` | number | `0`     | Browser session index (for multi-browser traces) |
+| `page`         | number | `1`     | Page number (1-based)                            |
+| `pageSize`     | number | `50`    | Number of trace entries per page                 |
+
+Use when filtered trace tools lack the detail you need. Paginate through the full raw trace without hitting output size limits. Start at page 1 and increment until you find the relevant section, or jump to later pages if you know the failure occurred late in the test.
+
+### get-raw-network-paginated
+
+| Parameter      | Type   | Default | Description                         |
+| -------------- | ------ | ------- | ----------------------------------- |
+| `browserIndex` | number | `0`     | Browser session index               |
+| `page`         | number | `1`     | Page number (1-based)               |
+| `pageSize`     | number | `20`    | Number of network requests per page |
+
+Same pagination approach as the raw trace tool. Useful when the filtered network log omits requests you suspect are relevant (e.g., requests to third-party auth providers).
+
+## Signal correlation matrix
+
+When diagnosing a failure, cross-reference signals from multiple sources:
+
+| Primary signal                  | Secondary signal to check  | What the combination reveals                                            |
+| ------------------------------- | -------------------------- | ----------------------------------------------------------------------- |
+| Locator timeout (trace step)    | Screenshot at failure time | Whether the page rendered at all, or rendered wrong content             |
+| Locator timeout (trace step)    | Network log                | Whether a required data-fetching call failed or is still pending        |
+| Assertion mismatch (trace step) | Console output             | Whether a JS error prevented correct rendering                          |
+| Assertion mismatch (trace step) | Network response body      | Whether the API returned unexpected data                                |
+| Console error/exception         | Trace step before it       | Which user action or navigation triggered the error                     |
+| Network 4xx/5xx                 | Trace steps after it       | Whether the test continued despite the failure (missing error handling) |
+| Network timeout/no response     | Screenshot                 | Whether the UI shows a loading state or error message                   |
+| Blank page in screenshot        | Console output             | Whether there's an uncaught exception or module load failure            |
+| Wrong URL in trace step         | Network log                | Whether a redirect occurred or navigation was intercepted               |
+| Slow action duration            | Network log at same time   | Whether a pending request is blocking the UI                            |
+| Slow action duration            | Console output             | Whether a heavy computation or error-retry loop is running              |
+| IPC/preload error in console    | Trace steps around it      | Which renderer action triggered the IPC failure                         |
+
+## Minimal sufficient analysis
+
+Unless the overview is already conclusive, a good first-pass analysis usually contains:
+
+1. One `analyze-trace` result
+2. The test source code read and understood
+3. One or two corroborating signals from screenshots, console/steps, or network
+4. A confidence-labeled conclusion with a concrete next step
+
+Avoid dumping all available artifacts when one or two focused follow-up calls are enough.
+
+## Source code correlation
+
+After identifying the failing step, always read the test source to understand intent:
+
+1. **Spec file**: read the test function containing the failure. Check whether the assertion and locator are reasonable given the current app state.
+2. **Page objects**: if the failing action is in a POM method, read that method to understand what it does and what locators it uses.
+3. **App source**: if the trace points to an app-side issue (wrong rendering, missing data, console exception), navigate to the relevant component or module.
+
+This step prevents misdiagnosis. A locator timeout might look like an app bug from the trace alone, but reading the test source reveals the locator targets a removed element (test bug).
+
+## Timing and duration analysis
+
+Trace steps include duration information. Use it to identify:
+
+| Duration pattern                        | Likely cause                                         | Investigation                                                    |
+| --------------------------------------- | ---------------------------------------------------- | ---------------------------------------------------------------- |
+| Single step 5-10x slower than peers     | Waiting on network, animation, or resource           | Check network log for pending request at that time               |
+| Gradual slowdown across all steps       | Memory leak, DOM bloat, or resource exhaustion       | Check console for warnings; compare early vs late step durations |
+| Step hits exact timeout (e.g., 30000ms) | Condition was never met                              | Focus on _why_ it wasn't met, not the timeout itself             |
+| All steps slow                          | CI runner under load, or app startup not complete    | Check if the first action also took unusually long               |
+| Click takes >2s                         | Element not yet actionable, or animation in progress | Check screenshot for overlay, spinner, or disabled state         |
+
+## Interpreting screenshots
+
+When viewing screenshots from `get-screenshots` or `view-screenshot`, look for:
+
+| Visual signal                         | Implication                                                 |
+| ------------------------------------- | ----------------------------------------------------------- |
+| Blank/white page                      | App crashed, failed to load, or navigated to wrong URL      |
+| Loading spinner or skeleton UI        | Data not loaded yet — timing issue, test asserted too early |
+| Error dialog or toast notification    | App-level error — read the message text                     |
+| Modal or overlay blocking content     | Locator is targeting an element behind the overlay          |
+| Different page than expected          | Navigation didn't complete, or redirected elsewhere         |
+| Partial render (missing sections)     | Component error or failed data dependency                   |
+| Stale/old data displayed              | Cache issue or API returned outdated response               |
+| Element present but visually obscured | CSS overlap, z-index issue, or off-screen position          |
+
+### Sequential screenshot comparison
+
+When `get-screenshots` returns multiple frames, compare consecutive screenshots to understand state transitions:
+
+- **What changed** between action N and action N+1? A new element appearing, data loading, a navigation.
+- **What didn't change** when it should have? A click that didn't navigate, a form submission that didn't update the UI.
+- **What disappeared** unexpectedly? An element that was present then removed by a re-render.
+
+This before/after comparison is often the fastest way to pinpoint the exact moment things went wrong.
+
+## Flakiness investigation
+
+### Common flakiness patterns
+
+| Pattern                              | How it manifests in trace                                                    | Stabilization approach                                                 |
+| ------------------------------------ | ---------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| Race between data load and assertion | Assertion step fires while network request is still pending                  | Wait for the network response or use `expect` with auto-retry          |
+| Animation/transition timing          | Click targets an element that's mid-animation                                | Add `waitFor({ state: 'stable' })` or wait for animation class removal |
+| Non-deterministic list ordering      | `toHaveText` fails because items rendered in different order                 | Sort before comparing, or use `toContainText` for individual items     |
+| Websocket reconnection               | Console shows disconnect/reconnect around failure                            | Wait for connection re-establishment before asserting                  |
+| Shared state between tests           | Test passes in isolation but fails in suite                                  | Check for missing cleanup in `afterEach`/`afterAll`                    |
+| Viewport-dependent rendering         | Element off-screen on CI runner's viewport size                              | Check viewport config; use `scrollIntoViewIfNeeded`                    |
+| Stale Electron IPC state             | First test passes, later test sees stale data from previous test's IPC calls | Ensure proper state reset between tests                                |
+
+### Confirming flakiness vs deterministic failure
+
+A failure is more likely **deterministic** if:
+
+- It reproduces on every retry (check CI retry history).
+- The trace shows a clear app error (500 response, unhandled exception).
+- The expected value in the assertion is fundamentally wrong (code change broke the contract).
+
+A failure is more likely **flaky** if:
+
+- It passes on retry without code changes.
+- The trace shows the correct state arriving _after_ the assertion timeout.
+- Network response times vary significantly between runs.
+
+### Retry trace analysis
+
+When multiple trace files exist for the same test (retry-0, retry-1, etc.):
+
+1. Run `analyze-trace` on each retry's trace in parallel
+2. Identify whether the failure is identical across retries (same step, same error, same screenshot state)
+3. If the failure differs between retries, focus on what varies — this points to the nondeterministic factor
+4. If a later retry passes, the failing retry's trace shows the flaky window — identify the timing-sensitive point
+
+## Electron and Podman Desktop patterns
+
+### IPC communication failures
+
+- Console messages containing `ipcRenderer`, `ipcMain`, or channel name strings indicate IPC issues
+- A missing or undefined return value from an IPC call causes downstream rendering failures
+- Check whether the preload script exposed the expected API by looking for preload-related console errors
+
+### Webview interactions
+
+- Webviews in Electron have separate document contexts; a locator targeting the main page won't find webview content
+- If the trace shows a click on a webview element that doesn't respond, the webview may not have finished loading
+- Look for webview navigation events and `dom-ready` signals in console output
+
+### Extension loading
+
+- Extensions load asynchronously; tests that depend on extension-provided UI must wait for the extension to activate
+- Console messages about extension activation, provider registration, or extension errors are key signals
+- A missing provider or command often means the extension failed to load rather than an app bug
+
+### Multi-window
+
+- Electron apps can spawn multiple `BrowserWindow` instances
+- Verify the trace corresponds to the correct window (check URL, page title, or content in screenshots)
+- If the trace shows actions on the wrong window, the test's page reference may have shifted
+
+## Git history correlation
+
+When a failure looks like a regression, use git history to narrow the cause:
+
+```bash
+git log --oneline -10 -- path/to/affected/file
+git log --oneline --since="3 days ago" -- path/to/affected/directory/
+```
+
+Useful when:
+
+- The test was previously passing and started failing without test code changes
+- The locator targets something that may have been renamed or restructured
+- The assertion's expected value may be outdated after a product change
+
+Include the relevant commit in the report when it strengthens the root cause explanation.
+
+## CI artifact locations
+
+Traces from this project's CI are typically stored at:
+
+```
+tests/playwright/output/traces/<test-name>_trace.zip
+```
+
+The naming pattern is `{videoAndTraceName}_trace.zip`, set by the test runner. Traces for passing tests are removed by default unless `KEEP_TRACES_ON_PASS` is set.
+
+Other CI artifacts that may complement trace analysis:
+
+| Artifact    | Location                                    | Use                                                          |
+| ----------- | ------------------------------------------- | ------------------------------------------------------------ |
+| Video       | `tests/playwright/output/videos/`           | Shows real-time playback; useful for animation/timing issues |
+| HTML report | `tests/playwright/output/html-results/`     | Provides test-level pass/fail summary and embedded traces    |
+| JUnit XML   | `tests/playwright/output/junit-results.xml` | Machine-readable results for CI integration                  |
+| Screenshots | `tests/playwright/output/screenshots/`      | Failure screenshots captured by Playwright config            |
+
+## CLI viewer
+
+When MCP tools are unavailable:
+
+```bash
+pnpm exec playwright show-trace /absolute/path/to/trace.zip
+```
+
+The viewer provides:
+
+- **Timeline**: visual step-by-step with duration bars
+- **Actions**: each Playwright action with before/after screenshots
+- **Console**: browser console output
+- **Network**: request waterfall with timing
+- **Source**: test source code highlighting the current line
+
+Navigate to the failing step and work backwards from there.
+
+## Evidence citation format
+
+When writing the report, cite trace evidence consistently:
+
+| Prefix     | Format                           | Example                                                                                   |
+| ---------- | -------------------------------- | ----------------------------------------------------------------------------------------- |
+| Trace step | `[trace step N]`                 | `[trace step 14]: click on "Submit" button timed out after 30s`                           |
+| Screenshot | `[screenshot: filename]`         | `[screenshot: page@abc-1234.jpeg]: shows empty data table with loading spinner`           |
+| Network    | `[network: METHOD url → status]` | `[network: GET /api/containers → 500]: server returned internal error`                    |
+| Console    | `[console: level] message`       | `[console: error] "TypeError: Cannot read property 'map' of undefined"`                   |
+| Duration   | `[duration: step → time]`        | `[duration: step 14 → 28500ms]: approaching 30s timeout, element never became actionable` |
+| Source     | `[source: file:line]`            | `[source: containers.spec.ts:42]: assertion expects 3 rows but API returned empty array`  |
+
+This format makes it easy for the reader to trace each claim back to its evidence and re-inspect if needed.

.chocolatey/podman-desktop/podman-desktop.nuspec

@@ -3,7 +3,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>podman-desktop</id>
-    <version>1.23.1</version>
+    <version>1.26.2</version>
     <title>Podman Desktop</title>
     <authors>Florent Benoit</authors>
     <owners>https://github.com/containers</owners>
@@ -32,7 +32,7 @@
 ### You can also bring new features with Podman Desktop plug-ins or Docker Desktop extensions
     </description>
     <summary>Manage Podman and other container engines from a single UI and tray.</summary>
-    <releaseNotes>https://github.com/containers/podman-desktop/releases/expanded_assets/v1.23.1</releaseNotes>
+    <releaseNotes>https://github.com/podman-desktop/podman-desktop/releases/tag/v1.26.2</releaseNotes>
     <copyright>2022 Red Hat, Inc</copyright>
     <tags>podman desktop podman-machine containers ui</tags>
     <packageSourceUrl>https://github.com/containers/podman-desktop/tree/main/.chocolatey</packageSourceUrl>

.chocolatey/podman-desktop/tools/chocolateyInstall.ps1

@@ -5,9 +5,9 @@ $packageArgs = @{
   fileType       = 'exe'
   softwareName   = 'PodmanDesktop'
 
-  url64bit       = 'https://github.com/podman-desktop/podman-desktop/releases/download/v1.23.1/podman-desktop-1.23.1-setup.exe'
+  url64bit       = 'https://github.com/podman-desktop/podman-desktop/releases/download/v1.26.2/podman-desktop-1.26.2-setup.exe'
   checksumType   = 'sha256'
-  checksum64     = '072a526c0adde75846e23202df75bb35f0241f1c73353d1da3ee02b9802ae974'
+  checksum64     = '6542e94a998e66309951b2dc7bfb26e54c8a9c92666f3209a478d9933a8ad523'
 
   silentArgs     = '/S'
   validExitCodes = @(0)

.chocolatey/podman-desktop/update.ps1

@@ -1,7 +1,7 @@
 import-module au
 
 $version = $env:VERSION
-$releases = 'https://github.com/containers/podman-desktop/releases/expanded_assets/v' + $version
+$apiUrl = 'https://api.github.com/repos/containers/podman-desktop/releases/tags/' + 'v' + $version
 
 function global:au_SearchReplace {
    @{
@@ -17,15 +17,21 @@ function global:au_SearchReplace {
 }
 
 function global:au_GetLatest {
-    $download_page = Invoke-WebRequest -Uri $releases
+    $release = Invoke-RestMethod -Uri $apiUrl -Headers @{ 'User-Agent' = 'PowerShell' }
 
-    $url64   = $download_page.links | ? href -match '-setup.exe$' | % href | select -First 1
-    $version = (Split-Path ( Split-Path $url64 ) -Leaf).Substring(1)
+    $asset = $release.assets | Where-Object { $_.name -match '-setup\.exe$' } | Select-Object -First 1
+
+    if (-not $asset) {
+        throw "no -setup.exe asset found for $version"
+    }
+
+    $url64 = $asset.browser_download_url
+    $releaseNotes = $release.html_url
 
     @{
-        URL64   = 'https://github.com' + $url64
+        URL64   = $url64
         Version = $version
-        ReleaseNotes = $releases
+        ReleaseNotes = $releaseNotes
     }
 }
 

.claude/skills

@@ -0,0 +1 @@
+../.agents/skills

.electron-builder.config.cjs

@@ -73,7 +73,7 @@ async function addElectronFuses(context) {
  *
  * @remarks it should be called in the beforePack to populate the folder extensions-extra before electron builder pack them
  */
-async function packageRemoteExtensions() {
+async function packageRemoteExtensions(context) {
   const downloadScript = path.join('packages', 'main', 'dist', 'download-remote-extensions.cjs');
   if (!fs.existsSync(downloadScript)) {
     console.warn(`${downloadScript} not found, skipping remote extension download`);
@@ -82,17 +82,23 @@ async function packageRemoteExtensions() {
 
   const destination = path.resolve('./extensions-extra');
 
-  return new Promise((resolve, reject) => {
-    execFile('node', [downloadScript, `--output=${destination}`], (error, stdout, stderr) => {
-      console.log(stdout);
-      console.log(stderr);
-      if (error) {
-        reject(error);
-      } else {
-        resolve();
-      }
-    });
+  await new Promise((resolve, reject) => {
+    execFile(
+      'node',
+      [downloadScript, `--output=${destination}`],
+      { maxBuffer: 10 * 1024 * 1024 }, // use 10MB else default size is too small and we get stdout maxBuffer length exceeded
+      (error, stdout, stderr) => {
+        console.log(stdout);
+        console.log(stderr);
+        if (error) {
+          reject(error);
+        } else {
+          resolve();
+        }
+      },
+    );
   });
+  context.packager.config.extraResources.push('./extensions-extra/**');
 }
 
 /**
@@ -114,7 +120,7 @@ const config = {
     context.packager.config.extraResources = DEFAULT_ASSETS;
 
     // download & package remote extensions
-    await packageRemoteExtensions();
+    await packageRemoteExtensions(context);
 
     // include product.json
     context.packager.config.extraResources.push({
@@ -151,11 +157,11 @@ const config = {
       });
       // add podman installer
       if (context.arch === Arch.x64) {
-        context.packager.config.extraResources.push(`${PODMAN_EXTENSION_ASSETS}/podman-installer-windows-amd64.exe`);
+        context.packager.config.extraResources.push(`${PODMAN_EXTENSION_ASSETS}/podman-installer-windows-amd64.msi`);
         context.packager.config.extraResources.push(`${PODMAN_EXTENSION_ASSETS}/podman-image-x64.zst`);
       }
       if (context.arch === Arch.arm64) {
-        context.packager.config.extraResources.push(`${PODMAN_EXTENSION_ASSETS}/podman-installer-windows-arm64.exe`);
+        context.packager.config.extraResources.push(`${PODMAN_EXTENSION_ASSETS}/podman-installer-windows-arm64.msi`);
         context.packager.config.extraResources.push(`${PODMAN_EXTENSION_ASSETS}/podman-image-arm64.zst`);
       }
     }
@@ -163,12 +169,7 @@ const config = {
   afterPack: async context => {
     await addElectronFuses(context);
   },
-  files: [
-    'packages/**/dist/**',
-    'extensions-extra/**',
-    'extensions/**/builtin/*.cdix/**',
-    'packages/main/src/assets/**',
-  ],
+  files: ['packages/**/dist/**', 'extensions/**/builtin/*.cdix/**', 'packages/main/src/assets/**'],
   portable: {
     artifactName: `${product.artifactName}${artifactNameSuffix}-\${version}-\${arch}.\${ext}`,
   },
@@ -205,6 +206,12 @@ const config = {
       '--device=dri',
       // Read/write home directory access
       '--filesystem=home',
+      // Read-only access to /usr and /etc for managed-configuration support.
+      // Flatpak sandboxes these directories, so we can't use --filesystem=/usr/share/podman-desktop:ro directly.
+      // host-os:ro only exposes /usr and parts of /etc (not the full filesystem).
+      // See: https://github.com/flatpak/flatpak/issues/5575
+      // See: https://man7.org/linux/man-pages/man5/flatpak-metadata.5.html (host-os section)
+      '--filesystem=host-os:ro',
       // Read podman socket
       '--filesystem=xdg-run/podman:create',
       // Read/write containers directory access (ability to save the application preferences)
@@ -225,6 +232,8 @@ const config = {
       '--talk-name=org.kde.StatusNotifierWatcher',
       // Allow to interact with Flatpak system to execute commands outside the application's sandbox
       '--talk-name=org.freedesktop.Flatpak',
+      // required to fix cursor scaling on wayland https://github.com/electron/electron/issues/19810 when the user uses --socket=wayland in their flatpak run
+      '--env=XCURSOR_PATH=/run/host/user-share/icons:/run/host/share/icons',
       '--env=XDG_SESSION_TYPE=x11',
     ],
     useWaylandFlags: 'false',
@@ -239,19 +248,22 @@ const config = {
   linux: {
     category: 'Development',
     icon: './buildResources/icon-512x512.png',
+    executableName: product.artifactName,
+    artifactName: `${product.artifactName}${artifactNameSuffix}-\${version}-\${arch}.\${ext}`,
     target: ['flatpak', { target: 'tar.gz', arch: ['x64', 'arm64'] }],
   },
   mac: {
     artifactName: `${product.artifactName}${artifactNameSuffix}-\${version}-\${arch}.\${ext}`,
     hardenedRuntime: true,
     entitlements: './node_modules/electron-builder-notarize/entitlements.mac.inherit.plist',
+    x64ArchFiles: 'Contents/Resources/app.asar.unpacked/**/*.node',
     target: {
       target: 'default',
       arch: macosArches,
     },
   },
   dmg: {
-    background: 'buildResources/dmg-background@2x.png',
+    background: 'buildResources/dmg-background.png',
     window: {
       width: 540,
       height: 380,

.electron-vendors.cache.json

@@ -1,4 +1,4 @@
 {
   "chrome": "98",
-  "node": "22"
+  "node": "24"
 }

.flatpak-appdata.xml

@@ -110,6 +110,10 @@
   <content_rating type="oars-1.1" />
   <update_contact>fbenoit_at_redhat_com</update_contact>
   <releases>
+    <release version="1.27.0" date="2026-04-20"/>
+    <release version="1.26.0" date="2026-03-16"/>
+    <release version="1.25.0" date="2026-01-19"/>
+    <release version="1.24.0" date="2025-12-08"/>
     <release version="1.23.0" date="2025-11-12"/>
     <release version="1.22.0" date="2025-09-29"/>
     <release version="1.21.0" date="2025-08-19"/>

.github/ISSUE_TEMPLATE/UX_Template.yml

@@ -1,5 +1,6 @@
 name: UX Request
 description: UX Request Form
+type: UX (design spec)
 labels: [UX/UI Issue, Graphic design]
 projects: ["podman-desktop/4"]
 

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,7 +1,6 @@
 name: Bug 🐞
 description: Report a bug report
 type: bug
-labels: [kind/bug 🐞]
 projects: ["podman-desktop/4"]
 
 body:
@@ -51,8 +50,12 @@ body:
       label: Version
       description: What version of the software are you running?
       options:
-        - "1.23.0"
+        - "1.27.0"
         - "next (development version)"
+        - "1.26.0"
+        - "1.25.0"
+        - "1.24.0"
+        - "1.23.0"
         - "1.22.0"
         - "1.21.x"
         - "1.20.x"

.github/ISSUE_TEMPLATE/epic.yml

@@ -1,7 +1,6 @@
 name: Epic ⚡
 description: A high-level feature
 type: epic
-labels: [kind/epic ⚡]
 projects: ["podman-desktop/4","podman-desktop/7"]
 
 body:

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,7 +1,6 @@
 name: Feature 💡
 description: A request, idea, or new functionality
 type: feature
-labels: [kind/feature 💡]
 projects: ["podman-desktop/4"]
 
 body:

.github/dependabot.yml

@@ -67,4 +67,8 @@ updates:
           - "typedoc"
           - "typedoc-plugin-markdown"
           - "docusaurus-plugin-typedoc"
+      xterm:
+        applies-to: version-updates
+        patterns:
+          - "@xterm/*"
 

.github/labeler.yml

@@ -1,32 +0,0 @@
-#
-# Copyright (C) 2025 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-# Visual changes
-"area/ui":
-  - changed-files:
-    - any-glob-to-any-file:
-      - "packages/renderer/**/*"
-      - "packages/ui/**/*"
-      - "storybook/**/*"
-      - "**/*.svelte"
-      - "**/*.css"
-
-# Website changes
-"area/website":
-  - changed-files:
-    - any-glob-to-any-file:
-      - "website/**/*"

.github/workflows/argos.yaml

@@ -49,15 +49,15 @@ jobs:
     # disable on forks as secrets are not available
     if: github.event.repository.fork == false
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm

.github/workflows/codecov-next.yaml

@@ -34,15 +34,15 @@ jobs:
     if: github.event.repository.fork == false
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -52,6 +52,6 @@ jobs:
         run: pnpm test:unit:coverage
 
       - name: publish codecov report
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/daily-testing-build.yaml

@@ -42,7 +42,7 @@ jobs:
       releaseId: ${{ steps.create_release.outputs.id }}
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.PODMAN_DESKTOP_BOT_TOKEN }}
           fetch-depth: 0
@@ -92,7 +92,7 @@ jobs:
 
       - name: Create Release
         id: create_release
-        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         with:
           tag: ${{ steps.TAG_UTIL.outputs.githubTag }}
           name: ${{ steps.TAG_UTIL.outputs.githubTag }}
@@ -117,19 +117,19 @@ jobs:
         os: [ubuntu-24.04, windows-2025, macos-15]
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: podman-desktop/testing-prereleases
           ref: ${{ needs.tag.outputs.githubTag }}
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm

.github/workflows/downloads-count.yaml

@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-24.04
 
     steps:
-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         id: process-downloads
         with:
           script: |

.github/workflows/e2e-kubernetes-main.yaml

@@ -58,13 +58,13 @@ jobs:
     permissions:
       checks: write # required for mikepenz/action-junit-report
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ${{ github.event.inputs.organization }}/${{ github.event.inputs.repositoryName }}
           ref: ${{ github.event.inputs.branch }}
         if: github.event_name == 'workflow_dispatch'
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: github.event_name == 'push'
 
       - name: Set the default provider type variable
@@ -82,14 +82,14 @@ jobs:
       - name: Setup testenv using external action
         uses: podman-desktop/e2e/.github/actions/pde2e-testenv-prepare@13e2c57c759137bfc1f437f221967461e8a98e2a
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -111,7 +111,7 @@ jobs:
           pnpm test:e2e:k8s
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -121,7 +121,7 @@ jobs:
           require_tests:  true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: k8s-e2e-tests

.github/workflows/e2e-main-tf.yaml

@@ -28,14 +28,9 @@ on:
         type: string
         required: true
       npm_target:
-        description: npm tests target
-        type: choice
-        default: 'all'
-        options:
-          - e2e
-          - kubernetes
-          - smoke
-          - all
+        description: 'TMT plan target to run (e.g. smoke, e2e, kubernetes, all)'
+        type: string
+        default: 'e2e'
 
 jobs:
   pd-e2e-testing-farm-ci:
@@ -51,9 +46,11 @@ jobs:
         env:
           DEFAULT_NPM_TARGET: 'all'
           DEFAULT_PODMAN_VERSION: 'latest'
+          DEFAULT_NODE_VERSION: 'v24.11.1'
         run: |
           echo "NPM_TARGET=${{ github.event.inputs.npm_target || env.DEFAULT_NPM_TARGET }}" >> $GITHUB_ENV
           echo "PODMAN_VERSION=${{ github.event.inputs.podman_version || env.DEFAULT_PODMAN_VERSION }}" >> $GITHUB_ENV
+          echo "NODE_VERSION=${{ env.DEFAULT_NODE_VERSION }}" >> $GITHUB_ENV
 
       - name: Run Podman Desktop Playwright E2E tests on Testing Farm CI
         id: run-e2e-tf
@@ -63,7 +60,7 @@ jobs:
           create_github_summary: "false"
           compose: ${{ matrix.fedora-version }}
           tmt_plan_filter: 'name:/tests/tmt/plans/pd-e2e-plan/${{ env.NPM_TARGET }}'
-          variables: COMPOSE=${{ matrix.fedora-version }};ARCH=x86_64;PODMAN_VERSION=${{ env.PODMAN_VERSION }}
+          variables: COMPOSE=${{ matrix.fedora-version }};ARCH=x86_64;PODMAN_VERSION=${{ env.PODMAN_VERSION }};NODE_VERSION=${{ env.NODE_VERSION }}
 
       - name: Extract Testing Farm work ID and base URL
         if: always()
@@ -85,7 +82,7 @@ jobs:
 
       - name: Publish test report to PR
         if: always()
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386
         with:
           fail_on_failure: true
           include_passed: true
@@ -125,7 +122,7 @@ jobs:
 
       - name: Upload test artifacts
         if: always()
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: testing-farm-artifacts-${{ matrix.fedora-version }}
           path: |

.github/workflows/e2e-main.yaml

@@ -81,20 +81,24 @@ permissions:
 
 jobs:
   e2e-tests:
-    name: Run All E2E tests
+    name: Run E2E tests - ${{ matrix.installation }}
     runs-on: ubuntu-24.04
     # disable on forks as secrets are not available
     if: github.event.repository.fork == false
     permissions:
       checks: write # required for mikepenz/action-junit-report
+    strategy:
+      fail-fast: false
+      matrix:
+        installation: [source-build, flatpak-build]
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ${{ github.event.inputs.organization }}/${{ github.event.inputs.repositoryName }}
           ref: ${{ github.event.inputs.branch }}
         if: github.event_name == 'workflow_dispatch'
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: github.event_name == 'push'
 
       - name: Set the default env. variables
@@ -114,20 +118,29 @@ jobs:
       - name: Setup testenv using external action
         uses: podman-desktop/e2e/.github/actions/pde2e-testenv-prepare@13e2c57c759137bfc1f437f221967461e8a98e2a
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
         run: pnpm install
 
+      - name: Install flatpak build dependencies
+        if: matrix.installation == 'flatpak-build'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y flatpak flatpak-builder elfutils
+          flatpak remote-add --if-not-exists flathub --user https://flathub.org/repo/flathub.flatpakrepo
+          flatpak install --user -y flathub org.flatpak.Builder org.freedesktop.Platform//25.08 org.freedesktop.Sdk//25.08
+
       - name: Run E2E tests in Production Mode
+        if: matrix.installation == 'source-build'
         env:
           PODMANDESKTOP_CI_BOT_TOKEN: ${{ secrets.PODMANDESKTOP_CI_BOT_TOKEN }}
           TEST_PODMAN_MACHINE: 'true'
@@ -142,8 +155,27 @@ jobs:
           export PODMAN_DESKTOP_BINARY=$path
           pnpm ${{ env.NPM_TARGET }}
 
+      - name: Run E2E tests on Flatpak bundle
+        if: matrix.installation == 'flatpak-build'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PODMANDESKTOP_CI_BOT_TOKEN: ${{ secrets.PODMANDESKTOP_CI_BOT_TOKEN }}
+          TEST_PODMAN_MACHINE: 'true'
+          SKIP_KIND_INSTALL: 'true'
+          KIND_PROVIDER_GHA: ${{ env.KIND_PROVIDER }}
+          ELECTRON_ENABLE_INSPECT: true
+        run: |
+          echo "Building Podman Desktop flatpak bundle"
+          pnpm compile:current --linux flatpak
+          echo "Installing built flatpak bundle"
+          flatpak install --bundle --user -y dist/*.flatpak
+          path=$(realpath $(flatpak info --show-location io.podman_desktop.PodmanDesktop)/files/lib/io.podman_desktop.PodmanDesktop/podman-desktop)
+          echo "Podman Desktop flatpak binary: $path"
+          export PODMAN_DESKTOP_BINARY=$path
+          pnpm ${{ env.NPM_TARGET }}
+
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -153,10 +185,10 @@ jobs:
           require_tests:  true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
-          name: e2e-tests
+          name: e2e-tests-${{ matrix.installation }}
           path: |
             ./tests/**/output/
             !./tests/**/traces/raw
@@ -189,23 +221,23 @@ jobs:
           echo "UPDATE_TARGET_REPO=${{ github.event.inputs.update_target_repo || env.DEFAULT_UPDATE_TARGET_REPO }}" >> $env:GITHUB_ENV
           echo "UPDATE_PRERELEASE=${{ github.event.inputs.update_prerelease || env.DEFAULT_UPDATE_PRERELEASE }}" >> $env:GITHUB_ENV
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ${{ github.event.inputs.organization }}/${{ github.event.inputs.repositoryName }}
           ref: ${{ github.event.inputs.branch }}
         if: github.event_name == 'workflow_dispatch'
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: github.event_name == 'push'
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -250,7 +282,7 @@ jobs:
             Set-Content -ErrorAction Stop $updateFile
           echo "Show app-update.yml after replace..."
           cat "$env:PD_DIST_PATH/resources/app-update.yml"
-          
+
       - name: Run E2E Update test
         env:
           INSTALLATION_TYPE: ${{ matrix.installation }}
@@ -260,7 +292,7 @@ jobs:
           pnpm test:e2e:update:run
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -270,7 +302,7 @@ jobs:
           require_tests:  true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: ${{ matrix.os }}-update-e2e-test-${{ matrix.installation }}
@@ -282,8 +314,8 @@ jobs:
     name: ${{ matrix.os }} update e2e tests
     strategy:
       fail-fast: false
-      matrix: 
-        os: [macos-15, macos-13]
+      matrix:
+        os: [macos-26, macos-15-intel]
     runs-on: ${{ matrix.os }}
     # disable on forks as secrets are not available
     if: github.event.repository.fork == false
@@ -301,23 +333,23 @@ jobs:
           echo "UPDATE_TARGET_REPO=${{ github.event.inputs.update_target_repo || env.DEFAULT_UPDATE_TARGET_REPO }}" >> $GITHUB_ENV
           echo "UPDATE_PRERELEASE=${{ github.event.inputs.update_prerelease || env.DEFAULT_UPDATE_PRERELEASE }}" >> $GITHUB_ENV
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ${{ github.event.inputs.organization }}/${{ github.event.inputs.repositoryName }}
           ref: ${{ github.event.inputs.branch }}
         if: github.event_name == 'workflow_dispatch'
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: github.event_name == 'push'
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -371,7 +403,7 @@ jobs:
           pnpm test:e2e:update:run
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -381,7 +413,7 @@ jobs:
           require_tests:  true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: ${{ matrix.os }}-update-e2e-test

.github/workflows/managed-configuration.yaml

@@ -0,0 +1,99 @@
+name: Managed configuration tests
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches: [ main ]
+
+jobs:
+  managed-configuration:
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    name: Managed configuration tests - ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: ${{ matrix.timeout }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ 'ubuntu-latest', 'macos-latest', 'windows-2025' ]
+        timeout: [ 15 ]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup testenv using external action
+        uses: podman-desktop/e2e/.github/actions/pde2e-testenv-prepare@13e2c57c759137bfc1f437f221967461e8a98e2a
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+        with:
+          run_install: false
+
+      - name: Setup Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 24
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install
+
+      # --- OS-specific administrative setup ---
+      - name: Linux managed configuration files
+        if: ${{ startsWith(matrix.os, 'ubuntu') }}
+        run: |
+          echo "Managed configuration set-up for Linux"
+          sudo mkdir -p /usr/share/podman-desktop
+          sudo cp tests/playwright/resources/managed-configuration/default-settings.json /usr/share/podman-desktop/default-settings.json
+          sudo cp tests/playwright/resources/managed-configuration/locked.json /usr/share/podman-desktop/locked.json
+          echo "Default settings:" && sudo cat /usr/share/podman-desktop/default-settings.json
+          echo "Locked settings:" && sudo cat /usr/share/podman-desktop/locked.json
+      - name: MacOS managed configuration files
+        if: ${{ startsWith(matrix.os, 'macos') }}
+        run: |
+          echo "Managed configuration set-up for macOS"
+          sudo mkdir -p /Library/Application\ Support/io.podman_desktop.PodmanDesktop/
+          sudo cp tests/playwright/resources/managed-configuration/default-settings.json "/Library/Application Support/io.podman_desktop.PodmanDesktop/default-settings.json"
+          sudo cp tests/playwright/resources/managed-configuration/locked.json "/Library/Application Support/io.podman_desktop.PodmanDesktop/locked.json"
+          echo "Default settings:" && sudo cat /Library/Application\ Support/io.podman_desktop.PodmanDesktop/default-settings.json
+          echo "Locked settings:" && sudo cat /Library/Application\ Support/io.podman_desktop.PodmanDesktop/locked.json
+      - name: Windows managed configuration files
+        if: ${{ startsWith(matrix.os, 'windows') }}
+        shell: pwsh
+        run: |
+          Write-Host "Managed configuration set-up for Windows"
+          $managedDir = Join-Path $env:ProgramData 'Podman Desktop'
+          New-Item -Path $managedDir -ItemType Directory -Force | Out-Null
+          Copy-Item -Path 'tests\playwright\resources\managed-configuration\default-settings.json' -Destination (Join-Path $managedDir 'default-settings.json') -Force
+          Copy-Item -Path 'tests\playwright\resources\managed-configuration\locked.json' -Destination (Join-Path $managedDir 'locked.json') -Force
+          Write-Host "Default settings:"
+          Get-Content -Path (Join-Path $managedDir 'default-settings.json')
+          Write-Host "Locked settings:"
+          Get-Content -Path (Join-Path $managedDir 'locked.json')
+      # ========================================
+
+      - name: Run managed configuration spec
+        shell: bash
+        run: |
+          echo "Runner OS: $RUNNER_OS, matrix.os: ${{ matrix.os }}"
+          pnpm test:e2e:managed-configuration
+
+      - name: Publish Test Report
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
+        if: always()
+        with:
+          fail_on_failure: true
+          include_passed: true
+          detailed_summary: true
+          annotate_only: true
+          require_tests: true
+          report_paths: '**/*results.xml'
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: always()
+        with:
+          name: managed-configuration-${{ matrix.os }}
+          path: |
+            ./tests/**/output/
+            !./tests/**/traces/raw

.github/workflows/next-build.yaml

@@ -43,7 +43,7 @@ jobs:
       releaseId: ${{ steps.create_release.outputs.id}}
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
          token: ${{ secrets.PODMAN_DESKTOP_BOT_TOKEN }}
          fetch-depth: 0
@@ -65,10 +65,11 @@ jobs:
           git config --local user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
           sed -i  "s#version\":\ \"\(.*\)\",#version\":\ \"${{ steps.TAG_UTIL.outputs.desktopVersion }}\",#g" package.json
           find extensions/* -maxdepth 2 -name "package.json" | xargs -I {} sed -i "s#version\":\ \"\(.*\)\",#version\":\ \"${{ steps.TAG_UTIL.outputs.desktopVersion }}\",#g" {}
+          find packages/* -maxdepth 1 -name "package.json" | xargs -I {} sed -i "s#version\":\ \"\(.*\)\",#version\":\ \"${{ steps.TAG_UTIL.outputs.desktopVersion }}\",#g" {}
           # change the repository field to be the prerelease repository in package.json file
           sed -i "s#\"repository\":\ \"\(.*\)\",#\"repository\":\ \"https://github.com/podman-desktop/prereleases\",#g" package.json
           cat package.json
-          git add package.json extensions/*/package.json
+          git add package.json extensions/*/package.json extensions/*/packages/extension/package.json packages/*/package.json
           git commit -m "chore: tag ${{ steps.TAG_UTIL.outputs.githubTag }}"
           echo "Tagging with ${{ steps.TAG_UTIL.outputs.githubTag }}"
           git tag ${{ steps.TAG_UTIL.outputs.githubTag }}
@@ -78,14 +79,14 @@ jobs:
 
       - name: Create Release
         id: create_release
-        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         with:
           tag: ${{ steps.TAG_UTIL.outputs.githubTag }}
           name: ${{ steps.TAG_UTIL.outputs.githubTag }}
           draft: true
           prerelease: true
-          owner: containers
-          repo: podman-desktop-prereleases
+          owner: podman-desktop
+          repo: prereleases
           token: ${{ secrets.PODMAN_DESKTOP_BOT_TOKEN }}
 
   build:
@@ -98,22 +99,22 @@ jobs:
         os: [windows-2025, ubuntu-24.04, macos-15]
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: podman-desktop/prereleases
           ref: ${{ needs.tag.outputs.githubTag}}
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
-      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
 
@@ -173,5 +174,5 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.PODMAN_DESKTOP_BOT_TOKEN }}
         with:
           id: ${{ needs.tag.outputs.releaseId}}
-          repo: podman-desktop-prereleases
+          repo: prereleases
           owner: podman-desktop

.github/workflows/npmjs-publish.yaml

@@ -38,7 +38,7 @@ jobs:
       github-tag: ${{ steps.set-version.outputs.github-tag }}
       is-tag: ${{ steps.set-version.outputs.is-tag }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set version / dist-tag depending on ref
         id: set-version
@@ -83,14 +83,14 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24 # 24.x for npm publish with OIDC
           cache: 'pnpm'

.github/workflows/pr-check.yaml

@@ -20,7 +20,6 @@ name: pr-check
 on:
   merge_group:
   pull_request:
-    types: [labeled, synchronize, opened, ready_for_review, reopened]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
@@ -38,16 +37,16 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -60,22 +59,22 @@ jobs:
       - name: List Build
         run: ls ./dist/
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: windows-installer-x64
           path: ./dist/podman-desktop*-setup-x64.exe
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: windows-installer-arm64
           path: ./dist/podman-desktop*-setup-arm64.exe
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: windows-exe-x64
           path: ./dist/podman-desktop*-next-x64.exe
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: windows-exe-arm64
           path: ./dist/podman-desktop*-next-arm64.exe
@@ -88,16 +87,16 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -119,12 +118,12 @@ jobs:
       - name: List Build
         run: ls -la ./dist/
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: linux
           path: ./dist/podman-desktop-*.tar.gz
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: flatpak
           path: ./dist/podman-desktop-*.flatpak
@@ -137,16 +136,16 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -159,15 +158,15 @@ jobs:
       - name: List Build
         run: ls -la ./dist/
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: macos-x64-dmg
           path: ./dist/podman-desktop-*x64.dmg
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: macos-arm64-dmg
           path: ./dist/podman-desktop-*arm64.dmg
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: macos-universal-dmg
           path: ./dist/podman-desktop-*universal.dmg
@@ -177,15 +176,15 @@ jobs:
     name: build website
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -200,7 +199,7 @@ jobs:
           echo "${{ github.event.pull_request.head.sha }}" > PR_SHA
 
       - name: Upload artifact website-content
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: website-content
           path: |
@@ -214,15 +213,15 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 40
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -234,6 +233,9 @@ jobs:
       - name: Run formatter
         run: pnpm format:check
 
+      - name: Generate schemas
+        run: pnpm generate:schemas
+
       # Check we don't have changes in git
       - name: Check no changes in git
         run: |
@@ -248,15 +250,15 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 40
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -275,15 +277,15 @@ jobs:
       matrix:
         os: [windows-2025, ubuntu-24.04, macos-15]
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -302,7 +304,7 @@ jobs:
         # publish codecov report if linux
       - name: publish codecov report
         if: ${{ matrix.os=='ubuntu-24.04' }}
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
@@ -311,10 +313,11 @@ jobs:
     name: smoke e2e tests
     runs-on: ubuntu-24.04
     strategy:
+      fail-fast: false
       matrix:
         mode: [production, development]
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Podman v5 using external action
         # Use the action from the other repository
@@ -325,14 +328,14 @@ jobs:
       - name: Setup testenv using external action
         uses: podman-desktop/e2e/.github/actions/pde2e-testenv-prepare@13e2c57c759137bfc1f437f221967461e8a98e2a
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -351,7 +354,7 @@ jobs:
           pnpm test:e2e:smoke
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -361,7 +364,7 @@ jobs:
           require_tests:  true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: ${{ matrix.mode }}-smoke-e2e-tests
@@ -374,21 +377,21 @@ jobs:
     name: windows sanity check e2e tests
     runs-on: windows-2025
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install latest Podman version using external action
-        uses: redhat-actions/podman-install@15cb93f5a6b78a758fd8f4d1cecbf6651d4bcea3
+        uses: redhat-actions/podman-install@38597414074271e07efa9fb2292cff7eea8d374d
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -398,7 +401,7 @@ jobs:
         run: pnpm test:e2e:windows-sanity
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -408,7 +411,7 @@ jobs:
           require_tests:  true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: windows-sanity-e2e-tests
@@ -416,13 +419,58 @@ jobs:
             ./tests/**/output/
             !./tests/**/traces/raw
   
+  macos-sanity-check-e2e-tests:
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'area/ci') || !github.event.pull_request.draft }}
+    name: macos sanity check e2e tests
+    runs-on: macos-26
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+        name: Install pnpm
+        with:
+          run_install: false
+
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 24
+          cache: 'pnpm'
+
+      - name: Execute pnpm
+        run: pnpm install
+
+      - name: Run macOS Sanity Check E2E tests in Development Mode
+        run: pnpm test:e2e:macos-sanity
+
+      - name: Publish Test Report
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
+        if: always() # always run even if the previous step fails
+        with:
+          fail_on_failure: true
+          include_passed: true
+          detailed_summary: true
+          annotate_only: true
+          require_tests:  true
+          report_paths: '**/*results.xml'
+
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: always()
+        with:
+          name: macos-sanity-e2e-tests
+          path: |
+            ./tests/**/output/
+            !./tests/**/traces/raw
+
   k8s-sanity-e2e-tests:
     if: ${{ contains(github.event.pull_request.labels.*.name, 'area/ci') || !github.event.pull_request.draft }}
     name: k8s sanity e2e tests
     runs-on: ubuntu-24.04
     continue-on-error: true
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set the default provider type variable
         env:
@@ -438,14 +486,14 @@ jobs:
       - name: Setup testenv using external action
         uses: podman-desktop/e2e/.github/actions/pde2e-testenv-prepare@13e2c57c759137bfc1f437f221967461e8a98e2a
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -458,7 +506,7 @@ jobs:
         run: pnpm test:e2e:k8s-sanity
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -468,7 +516,7 @@ jobs:
           require_tests: true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: k8s-sanity-e2e-tests
@@ -484,7 +532,7 @@ jobs:
       pnpm_lock_changed: ${{ steps.pnpm_changed.outputs.PNPM_LOCK_CHANGED }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 2
 
@@ -512,16 +560,16 @@ jobs:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -559,7 +607,7 @@ jobs:
           pnpm test:e2e:update:run
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -569,7 +617,7 @@ jobs:
           require_tests:  true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: ${{ matrix.os }}-update-e2e-test
@@ -584,22 +632,22 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [macos-15, macos-13]
+        os: [macos-26, macos-15-intel]
     runs-on: ${{ matrix.os }}
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm
@@ -650,7 +698,7 @@ jobs:
           pnpm test:e2e:update:run
 
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1
+        uses: mikepenz/action-junit-report@bccf2e31636835cf0874589931c4116687171386 # v6.4.0
         if: always() # always run even if the previous step fails
         with:
           fail_on_failure: true
@@ -660,7 +708,7 @@ jobs:
           require_tests:  true
           report_paths: '**/*results.xml'
 
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: ${{ matrix.os}}-update-e2e-test

.github/workflows/pr-labeler.yaml

@@ -1,36 +0,0 @@
-#
-# Copyright (C) 2025 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-name: "PR Labeler"
-
-on:
-  pull_request_target:
-    types: [labeled, synchronize, opened, ready_for_review, reopened]
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  labeler:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Labeler
-        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b
-        with:
-          repo-token: "${{ secrets.PODMAN_DESKTOP_BOT_TOKEN }}"
-          configuration-path: .github/labeler.yml

.github/workflows/publish-flathub.yaml

@@ -37,7 +37,7 @@ jobs:
     name: Publish Podman Desktop to flathub
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: 'flathub/io.podman_desktop.PodmanDesktop'
           ref: 'master'

.github/workflows/publish-to-chocolatey.yaml

@@ -68,7 +68,7 @@ jobs:
       run:
         shell: powershell
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install the Chocolatey Automatic Package Updater Module
         run: choco install au -y
       - name: Build the Podman Desktop chocolatey Package by making sure we're using the latest release

.github/workflows/publish-to-podman_io.yaml

@@ -55,7 +55,7 @@ jobs:
             version="${version:1}"
           fi
           echo "desktopVersion=$version" >> ${GITHUB_OUTPUT}
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: containers/podman.io
           ref: refs/heads/main

.github/workflows/publish-website-pr-cloudflare.yaml

@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download website content artifact
-        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
         with:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           name: website-content

.github/workflows/release-generate-sbom.yaml

@@ -36,7 +36,7 @@ jobs:
       contents: write
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ env.RELEASE_TAG }}
 
@@ -48,7 +48,7 @@ jobs:
           artifact-name: podman-desktop-sbom.spdx.json
 
       - name: Upload sbom file to release
-        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./podman-desktop-sbom.spdx.json

.github/workflows/release.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022-2024 Red Hat, Inc.
+# Copyright (C) 2022-2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -47,9 +47,10 @@ jobs:
       releaseId: ${{ steps.create_release.outputs.id}}
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.inputs.branch }}
+          token: ${{ secrets.PODMAN_DESKTOP_BOT_TOKEN }}
       - name: Generate tag utilities
         id: TAG_UTIL
         run: |
@@ -63,8 +64,9 @@ jobs:
 
           # Add the new version in package.json file
           sed -i  "s#version\":\ \"\(.*\)\",#version\":\ \"${{ steps.TAG_UTIL.outputs.desktopVersion }}\",#g" package.json
+          find packages/* -maxdepth 1 -name "package.json" | xargs -I {} sed -i "s#version\":\ \"\(.*\)\",#version\":\ \"${{ steps.TAG_UTIL.outputs.desktopVersion }}\",#g" {}
           find extensions/* -maxdepth 5 -name "package.json" | xargs -I {} sed -i "s#version\":\ \"\(.*\)\",#version\":\ \"${{ steps.TAG_UTIL.outputs.desktopVersion }}\",#g" {}
-          git add package.json extensions/*/package.json extensions/*/packages/extension/package.json
+          git add package.json extensions/*/package.json extensions/*/packages/extension/package.json packages/*/package.json
 
           # Update the issue template with the new version and move old version below
           nextVersionLineNumber=$(grep -n "next (development version)" .github/ISSUE_TEMPLATE/bug_report.yml | cut -d ":" -f 1 | head -n 1)
@@ -91,7 +93,7 @@ jobs:
           git push origin ${{ steps.TAG_UTIL.outputs.githubTag }}
       - name: Create Release
         id: create_release
-        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -112,7 +114,9 @@ jobs:
           git checkout -b "${bumpedBranchName}"
           sed -i  "s#version\":\ \"\(.*\)\",#version\":\ \"${bumpedVersion}-next\",#g" package.json
           find extensions/* -maxdepth 5 -name "package.json" | xargs -I {} sed -i "s#version\":\ \"\(.*\)\",#version\":\ \"${bumpedVersion}-next\",#g" {}
-          git add package.json extensions/*/package.json extensions/*/packages/extension/package.json
+          find packages/* -maxdepth 1 -name "package.json" | xargs -I {} sed -i "s#version\":\ \"\(.*\)\",#version\":\ \"${bumpedVersion}-next\",#g" {}
+          git add package.json extensions/*/package.json extensions/*/packages/extension/package.json packages/*/package.json
+
           git commit -s --amend -m "chore: bump version to ${bumpedVersion}"
           git push origin "${bumpedBranchName}"
           echo -e "📢 Bump version to ${bumpedVersion}\n\n${{ steps.TAG_UTIL.outputs.desktopVersion }} has been released.\n\n Time to switch to the new ${bumpedVersion} version 🥳" > /tmp/pr-title
@@ -145,21 +149,21 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.tag.outputs.githubTag}}
 
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
-      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
 
@@ -233,22 +237,22 @@ jobs:
         arch: [amd64, arm64]
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.tag.outputs.githubTag}}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: create the pnpm store from the dependencies
         run: |
-          podman run --platform linux/${{ matrix.arch }} -v $(pwd):/project --rm -it --entrypoint=sh node:22 -c "cd /project && npm install -g corepack@latest && corepack enable pnpm && COREPACK_ENABLE_DOWNLOAD_PROMPT=0 pnpm install --frozen-lockfile  --store-dir pnpm-store"
+          podman run --platform linux/${{ matrix.arch }} -v $(pwd):/project --rm -it --entrypoint=sh node:24 -c "cd /project && npm install -g corepack@latest && corepack enable pnpm && COREPACK_ENABLE_DOWNLOAD_PROMPT=0 pnpm install --frozen-lockfile  --store-dir pnpm-store"
           # now the store is in the pnpm-store directory
           # create a tarball of the store
           echo "Creating the archive store-cache-pnpm-${{ matrix.arch }}.tgz"
           tar -czf store-cache-pnpm-${{ matrix.arch }}.tgz pnpm-store
 
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: store-cache-pnpm-${{ matrix.arch }}.tgz

.github/workflows/scorecard.yml

@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -61,7 +61,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: SARIF file
           path: results.sarif
@@ -70,6 +70,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412  # v3.29.5
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v3.29.5
         with:
           sarif_file: results.sarif

.github/workflows/stale.yaml

@@ -33,7 +33,7 @@ jobs:
 
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
+    - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Please refer to https://github.com/actions/stale/

.github/workflows/update-podman-version.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Get current Podman version
         id: get_current_version
         run: |
@@ -45,9 +45,9 @@ jobs:
           echo "LATEST_VERSION=${LATEST_VERSION}" >> $GITHUB_ENV
           echo "$ASSETS" > assets.txt
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
 
       - name: Compare version numbers using semver
         id: compare_version_numbers

.github/workflows/website-next.yaml

@@ -45,17 +45,17 @@ jobs:
     if: github.event.repository.fork == false
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ needs.tag.outputs.githubTag}}
-      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
         name: Install pnpm
         with:
           run_install: false
 
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 22
+          node-version: 24
           cache: 'pnpm'
 
       - name: Execute pnpm

.gitignore

@@ -15,3 +15,5 @@ dist
 yarn.lock
 extensions/podman/assets/
 extensions-extra/
+__mocks__/@podman-desktop/api.ts
+contexts/meta/

.nvmrc

@@ -1 +1 @@
-22
+24

AGENTS.md

@@ -0,0 +1,286 @@
+# AGENTS.md
+
+This file provides guidance for AI agents working with Podman Desktop code in this repository.
+
+## Overview
+
+Podman Desktop is a graphical desktop application for managing containers and Kubernetes. It's built with:
+
+- **Frontend:** Svelte 5+ and TypeScript
+- **Runtime:** Electron (multi-process architecture)
+- **Styling:** Tailwind CSS 4+
+- **Build tooling:** Vite 7+ and pnpm 10+ workspaces
+
+> **Note:** Version numbers indicate minimum supported versions. The project supports these versions and higher.
+
+The application supports multiple container engines (Podman, Docker, Lima, CRC) and can be extended through a plugin-based extension system.
+
+## Quick Start
+
+```bash
+# Prerequisites: Node.js 24+, pnpm 10.x
+pnpm install              # Install all dependencies
+pnpm watch                # Start development with hot reload
+pnpm compile:current      # Build production binary for local platform
+```
+
+**macOS Note:** After compiling, ad-hoc sign the binary:
+
+```bash
+codesign --force --deep --sign - "dist/mac-arm64/Podman Desktop.app"
+```
+
+## Essential Commands
+
+### Development & Build
+
+```bash
+pnpm watch                # Development mode with hot reload
+pnpm build                # Build all packages
+pnpm build:main           # Build main process only
+pnpm build:renderer       # Build renderer process only
+pnpm build:extensions     # Build all built-in extensions
+pnpm build:ui             # Build UI component library
+pnpm compile:current      # Create production binary for current platform
+```
+
+> **Note:** Additional build targets are available. See `package.json` for the complete list.
+
+### Testing
+
+Unit tests use **Vitest**. E2E tests use **Playwright**.
+
+```bash
+# Unit Tests (Vitest)
+pnpm test:unit            # Run all unit tests
+pnpm test:unit:coverage   # Run with coverage report
+pnpm test:watch           # Watch mode for development
+pnpm test:main            # Test main process only
+pnpm test:renderer        # Test renderer process only
+pnpm test:ui              # Test UI components
+pnpm test:preload         # Test preload scripts
+pnpm test:extensions      # Test all extensions
+
+# Run a single test file (Vitest)
+pnpm exec vitest run path/to/test-file.spec.ts
+
+# E2E Tests (Playwright)
+pnpm test:e2e             # Full E2E suite (excludes @k8s_e2e)
+pnpm test:e2e:smoke       # Smoke tests only
+pnpm test:e2e:extension   # Extension installation tests
+
+# View E2E Results
+pnpm exec playwright show-report tests/playwright/output/html-results
+```
+
+### Code Quality
+
+```bash
+# Run before committing
+pnpm lint-staged          # Lint and format staged files
+
+# Individual checks
+pnpm typecheck            # TypeScript type checking (all packages)
+pnpm lint:check           # ESLint check
+pnpm lint:fix             # ESLint auto-fix
+pnpm format:check         # Biome + Prettier check
+pnpm format:fix           # Biome + Prettier auto-fix
+```
+
+## Architecture
+
+Podman Desktop follows Electron's multi-process architecture with a pnpm monorepo structure.
+
+### Process Architecture
+
+**Main Process** (`packages/main`)
+
+- Node.js backend environment
+- Container engine integrations (Podman, Docker, Lima)
+- Kubernetes provider management
+- Extension system host
+- System tray and menu management
+
+**Renderer Process** (`packages/renderer`)
+
+- Svelte 5+ UI application
+- Runs in Chromium environment
+- Communicates with main via IPC
+
+**Preload Scripts** (`packages/preload*`)
+
+- Security bridge between main and renderer
+- Exposes safe APIs to renderer
+- Separate preloads for main app, webviews, and Docker extensions
+
+### Key Packages
+
+```
+packages/
+├── main/              - Electron main process (backend)
+├── renderer/          - Svelte UI (frontend)
+├── ui/                - Shared UI components (@podman-desktop/ui-svelte)
+├── api/               - Types shared between the renderer, main and preloads packages
+├── extension-api/     - Extension API implementation (published as `@podman-desktop/api`)
+├── preload/           - Main preload bridge
+├── preload-docker-extension/  - Docker extension preload
+└── preload-webview/   - Webview preload
+
+extensions/            - Built-in extensions
+├── compose/           - Docker Compose support
+├── docker/            - Docker engine integration
+├── podman/            - Podman engine integration
+├── kind/              - Kind (Kubernetes in Docker)
+├── kubectl-cli/       - kubectl CLI manager
+└── ...
+
+tests/playwright/      - E2E tests
+storybook/            - UI component showcase
+website/              - Documentation site (Docusaurus)
+```
+
+### Technology Stack
+
+| Layer            | Technologies                                                |
+| ---------------- | ----------------------------------------------------------- |
+| **Runtime**      | Electron 40+, Node.js 24+                                   |
+| **Language**     | TypeScript 5.9+ (strict mode)                               |
+| **UI Framework** | Svelte 5+                                                   |
+| **Styling**      | Tailwind CSS 4+                                             |
+| **Build**        | Vite 7+, pnpm 10+                                           |
+| **Testing**      | Vitest 4+ (unit), Playwright (E2E), @testing-library/svelte |
+| **Linting**      | ESLint 9+, Biome                                            |
+| **Formatting**   | Biome, Prettier (markdown only)                             |
+
+### Extension System
+
+Extensions can:
+
+- Add custom container engine providers
+- Register Kubernetes providers
+- Contribute UI views and commands
+- Hook into application lifecycle events
+- Extend Docker Desktop compatibility
+
+Built-in extensions are in `extensions/` and follow the same API as external extensions.
+
+## Important Guidelines
+
+### Before Making Changes
+
+1. **Read first:** See [CODE-GUIDELINES.md](CODE-GUIDELINES.md) for coding standards
+2. **Run tests:** Ensure existing tests pass
+3. **Type safety:** Maintain strict TypeScript compliance
+4. **Format code:** Run `pnpm lint-staged` before committing
+
+### Testing Requirements
+
+- **Unit tests** are mandatory for new features (Vitest)
+- **E2E tests** required for UI workflows (Playwright)
+- Maintain or improve code coverage
+- Test on multiple platforms when possible (macOS, Linux, Windows)
+
+### Code Style
+
+- TypeScript strict mode enforced
+- Use Svelte 5 runes syntax (`$state`, `$derived`, `$effect`)
+- Follow ESLint and Biome rules
+- Tailwind CSS for styling (no custom CSS unless necessary)
+
+### ESLint Rules
+
+Before writing or modifying code, always check `eslint.config.mjs` to understand which linting rules are active. Rules vary by file type and package — consult the config directly rather than assuming defaults.
+
+### Svelte Reactive Patterns
+
+When setting a variable reactively, prefer in this order:
+
+1. **`$derived` (with optional `await`)** — use when the value can be computed from existing state or an async source. Svelte 5.36+ supports `await` inside `$derived`.
+2. **`onMount`** — use when you need to fetch or set a value once after the component mounts and `$derived` is not applicable.
+3. **`$effect`** — use only as a last resort for side effects that cannot be expressed as a derivation.
+
+```ts
+// ✅ Preferred: $derived (sync or async)
+let items = $derived(await fetchItems());
+
+// ✅ Acceptable: onMount when $derived does not fit
+let items = $state<Item[]>([]);
+onMount(async () => {
+  items = await fetchItems();
+});
+
+// 🚫 Avoid: $effect for setting variables
+let items = $state<Item[]>([]);
+$effect(() => {
+  fetchItems().then(result => {
+    items = result;
+  });
+});
+```
+
+> **Note:** `$derived` variables are read-only — you cannot reassign them (e.g. `items = [something]` will be a compile error). If you need to mutate the variable elsewhere in the component (e.g. in response to a user action), use `$state` + `onMount` instead:
+>
+> ```ts
+> // 🚫 Won't work — cannot assign to a $derived variable
+> let items = $derived(await fetchItems());
+> items = []; // ❌ compile error
+>
+> // ✅ Use $state + onMount when you also need to write to the variable
+> let items = $state<Item[]>([]);
+> onMount(async () => {
+>   items = await fetchItems();
+> });
+> // later in the component:
+> items = []; // ✅ fine
+> ```
+
+### Testing Patterns
+
+- When mocking modules, use `vi.mock(import('./path/to/module'))` (with a dynamic `import()` expression) instead of `vi.mock('./path/to/module')` (string literal). This provides better type inference and IDE support.
+- Use `vi.mocked(fn)` to get a typed mock reference, then configure it with `.mockReturnValue()` / `.mockResolvedValue()` and assert with `expect()`.
+
+```ts
+// ✅ Preferred
+vi.mock(import('node:fs'));
+vi.mock(import('./Compo2.svelte'));
+
+// 🚫 Avoid
+vi.mock('node:fs');
+vi.mock('./Compo2.svelte');
+```
+
+**Setting up and asserting mocks:**
+
+```ts
+import { readFileSync } from 'node:fs';
+import { beforeEach, expect, test, vi } from 'vitest';
+
+vi.mock(import('node:fs'));
+
+beforeEach(() => {
+  vi.resetAllMocks();
+});
+
+test('returns parsed content', () => {
+  vi.mocked(readFileSync).mockReturnValue('hello');
+  const result = parseFile('/some/path');
+  expect(result).toBe('hello');
+  expect(readFileSync).toHaveBeenCalledWith('/some/path', 'utf-8');
+});
+```
+
+For comprehensive coding and testing guidelines, see [CODE-GUIDELINES.md](CODE-GUIDELINES.md).
+
+### Commits & Pull requests
+
+- We use semantic commits (E.g. `feat(renderer): updating something`)
+- Every commit must be signed
+- AI assisted commit should be mentioned
+- Respect the GitHub template for the pull request body
+
+## Resources
+
+- **Comprehensive guidelines:** [CODE-GUIDELINES.md](CODE-GUIDELINES.md)
+- **Contributing guide:** [CONTRIBUTING.md](CONTRIBUTING.md)
+- **API documentation:** `website/docs/extensions/`
+- **Component library:** Run `pnpm --filter storybook dev`

CLAUDE.md

@@ -0,0 +1 @@
+AGENTS.md

CODE-GUIDELINES.md

@@ -65,6 +65,172 @@ async function onButtonClicked(object: Object): Promise<void> {
 {/each}
 ```
 
+### Usage of Icon component
+
+The Icon component is a unified icon wrapper that supports multiple icon formats:
+
+- FontAwesome `IconDefinition` object uses `<Fa>` from `svelte-fa`
+- Font class icons strings starting with fas fa-, far fa-, fab fa- or ending with -icon Renders as `<span>` with CSS classes
+- Data URI images strings starting with data:image/ Renders as `<img>`
+- Svelte Components
+
+✅ **Use this pattern:**
+
+```ts
+<script lang="ts">
+import { CustomSVGIcon } from '/@/icons';
+import { faGear } from '@fortawesome/free-solid-svg-icons';
+import { Icon } from '@podman-desktop/ui-svelte/icons';
+</script>
+
+<Icon icon={CustomSVGIcon} size="2x" />
+<Icon icon={faGear} size="xs" />
+```
+
+🚫 **Instead of:**
+
+```ts
+<script lang="ts">
+import { CustomSVGIcon } from '/@/icons';
+import { faGear } from '@fortawesome/free-solid-svg-icons';
+import Fa from 'svelte-fa';
+</script>
+
+<CustomSVGIcon size='2x' />
+<Fa size="xs" icon={faGear} />
+<i class="fas fa-angle-down"></i>
+```
+
+Use typescript imports rather than string definitions
+
+✅ **Use this pattern:**
+
+```ts
+<script lang="ts">
+import { faGear } from '@fortawesome/free-solid-svg-icons';
+import { Icon } from '@podman-desktop/ui-svelte/icons';
+</script>
+
+<Icon icon={faGear} />
+```
+
+🚫 **Instead of:**
+
+```ts
+<script lang="ts">
+</script>
+
+<i class="fas fa-gear"></i>
+```
+
+Another example:
+
+✅ **Use this pattern:**
+
+```ts
+<script lang="ts">
+import { Icon } from '@podman-desktop/ui-svelte/icons';
+
+interface Props {
+  icon: unknown;
+}
+
+let { icon }: Props = $props();
+</script>
+
+<Icon icon={icon} />
+```
+
+🚫 **Instead of:**
+
+```ts
+<script lang="ts">
+import Fa from 'svelte-fa';
+
+interface Props {
+  icon: unknown;
+}
+
+let { icon }: Props = $props();
+</script>
+
+{#if isFontAwesomeIcon(icon)}
+  <Fa icon={icon} size="4x" />
+{:else}
+  {@const IconComponent = icon}
+  <IconComponent size='42' />
+{/if}
+```
+
+### Using async/await in expressions
+
+As of Svelte 5.36+, you can use the `await` keyword directly inside component expressions in three places: at the top level of the component's `<script>`, inside `$derived(...)` declarations, and inside your markup. This enables cleaner code without needing explicit promise handling.
+
+✅ **Use this pattern:**
+
+```ts
+<script lang="ts">
+async function fetchData(): Promise<Data> {
+  // async logic here
+  return data;
+}
+
+let data = $derived(await fetchData());
+</script>
+
+<p>Data: {data}</p>
+```
+
+🚫 **Instead of:**
+
+```ts
+<script lang="ts">
+async function fetchData(): Promise<Data> {
+  // async logic here
+  return data;
+}
+
+// Without await, this produces a Promise
+let dataPromise = $derived(fetchData());
+</script>
+
+{#await dataPromise}
+  <p>Loading...</p>
+{:then data}
+  <p>Data: {data}</p>
+{:catch error}
+  <p>Error: {error.message}</p>
+{/await}
+```
+
+This is much simpler than managing promises manually and avoids the need for `{#await}` blocks when you just need the final value.
+
+For more details on async patterns in Svelte, see the [Svelte documentation on await expressions](https://svelte.dev/docs/svelte/await-expressions).
+
+### Svelte Attachments (Svelte 5.29+)
+
+You can use attachments to add DOM behavior that runs on mount and cleans up on detach.
+
+Example:
+
+```ts
+<script lang="ts">
+  import type { Attachment } from 'svelte/attachments';
+
+  const clickOnce: Attachment = (el) => {
+    const onClick = () => {
+      // handle click
+    };
+    el.addEventListener('click', onClick);
+    return () => el.removeEventListener('click', onClick);
+  };
+</script>
+
+<button {@attach clickOnce}>...</button>
+```
+
+References: [@attach](https://svelte.dev/docs/svelte/@attach), [svelte/attachments](https://svelte.dev/docs/svelte/svelte-attachments)
+
 ## Unit tests code
 
 ### Use `vi.mocked`, not a generic `myFunctionMock`
@@ -397,3 +563,91 @@ afterEach(() => {
   vi.useRealTimers();
 });
 ```
+
+### Snapshots
+
+Vitest snapshots are a powerful tool to ensure UI components and complex data structures do not change unexpectedly. They are particularly effective for catching regressions in rendered HTML or large objects without writing manual assertions for every property. When a snapshot detects a diff, you can update it using the `-u` param:
+
+#### Updating Snapshots
+
+When a test fails due to an intentional change, you can update the stored snapshots by appending the `-u` (or `--update`) flag to your test command.
+
+#### 1. Standard Snapshots (External Files)
+
+Use standard snapshots for large outputs like rendered HTML. These are stored in a separate **snapshots** directory.
+
+##### Example: Testing Rendered HTML
+
+```ts
+test('multiple container connection should display a dropdown', async () => {
+  providerInfos.set([MULTI_CONNECTIONS]);
+
+  const { getByRole } = render(CreateContainerFromExistingImage);
+  const dropdown = getByRole('button', { name: 'Container Engine' });
+  expect(dropdown).toBeEnabled();
+
+  expect(dropdown).toMatchSnapshot();
+});
+```
+
+**How to update:**
+
+```bash
+cd packages/renderer/
+pnpm test src/lib/container/CreateContainerFromExistingImage.s -u
+```
+
+**Result:** A snapshot file is created or updated at:
+
+`src/lib/container/__snapshots__/CreateContainerFromExistingImage.spec.ts.snap`
+
+#### 2. Inline Snapshots
+
+Inline snapshots are preferred for small data structures. They are written directly back into your test file, making the expected output easier to review during code sessions.
+
+#### Example: Testing an Object
+
+```ts
+test('should parse targets with some special characters', async () => {
+  const info = await containerFileParser.parseContent(`
+    FROM busybox as base
+    ARG TARGETPLATFORM
+    RUN echo $TARGETPLATFORM > /plt
+    FROM --platform=\${TARGETPLATFORM} base AS base-target
+    FROM --platform=$BUILDPLATFORM base AS base-build
+  `);
+  expect(info).toMatchInlineSnapshot(`
+    {
+      "targets": [],
+    }
+  `);
+});
+```
+
+**How to update:**
+
+```bash
+cd packages/main/
+pnpm test:unit src/plugin/containerfile-parser.spec.ts --u
+```
+
+**Result:** Vitest replaces the code in your .spec.ts file with the updated values:
+
+```ts
+expect(info).toMatchInlineSnapshot(`
+  {
+    "targets": [
+      "base",
+      "base-build",
+    ],
+  }
+`);
+```
+
+**Best Practices**
+
+- **Review Before Committing:** Always inspect the diff of a snapshot update. It is easy to accidentally "fix" a test by updating a snapshot that actually contains a bug.
+- **Keep Snapshots Focused:** Avoid snapshotting entire massive objects if you only care about one or two fields; use specific assertions instead to keep tests readable.
+- **Use Inline for Small Data:** If the snapshot is less than 10 lines, prefer `toMatchInlineSnapshot()` for better visibility.
+
+For more details, see the [Vitest snapshot guide](https://vitest.dev/guide/snapshot.html).

CODEOWNERS

@@ -1,10 +0,0 @@
-# Default Owners
-* @podman-desktop/reviewers @benoitf
-
-# website
-website/** @podman-desktop/reviewers @slemeur @cdrage @benoitf @Firewall
-website/docs/** @podman-desktop/reviewers @shipsing @slemeur @cdrage @benoitf @Firewall
-
-# playwright tests
-tests/playwright/** @podman-desktop/reviewers @podman-desktop/qe-reviewers @benoitf
-

CONTRIBUTING.md

@@ -71,7 +71,7 @@ You can develop on either: `Windows`, `macOS` or `Linux`.
 
 Requirements:
 
-- [Node.js 22+](https://nodejs.org/en/)
+- [Node.js 24+](https://nodejs.org/en/)
 - [pnpm v10.x](https://pnpm.io/installation) (`corepack enable pnpm`)
 
 Optional Linux requirements:
@@ -252,6 +252,16 @@ This will create a binary according to your local system and output it to the `d
 
 > **_macOS NOTE:_** On macOS the `dist/` folder will contain folders for `arm64` and `universal` `.app` files. Ignore these and use the `.app` file in the `dist/mac/` folder for testing.
 
+> **_macOS CODE SIGNING:_** When testing the compiled binary on macOS, you must ad-hoc sign the application before launching it. Without signing, macOS will terminate the app with a `Code Signature Invalid` error. Run the following command after compiling:
+>
+> ```sh
+> # Compile
+> pnpm compile:current
+>
+> # Sign the binary
+> codesign --force --deep --sign - "dist/mac-arm64/Podman Desktop.app"
+> ```
+
 ## Submitting Pull Requests
 
 ### Process
@@ -450,10 +460,16 @@ Each sprint a new "Triage manager" will be assigned.
 
 Your responsibilities include:
 
-- Reviewing the [status/need-triage](https://github.com/podman-desktop/podman-desktop/issues?q=is%3Aopen+is%3Aissue+label%3Astatus%2Fneed-triage) label on new issues. As a maintainer, you will need to categorize these issues under the correct [area labels](https://github.com/podman-desktop/podman-desktop/labels?q=area%2F). Once categorized, remove the `status/need-triage` label and apply the appropriate area label.
-- Evaluating the severity of new issues. If an issue is classified as "critical" or "high priority" and requires immediate attention, tag a maintainer in the issue and notify them via the public community channel.
-- Identifying issues that are simple to resolve and marking them as "good first issue," thereby encouraging newcomers to contribute to the project.
-- Evaluating any stale / lingering pull requests and pinging the respective contributors. If the pull request has been opened for an extensive amount of time, ping someone to contact the contributor / push any changes required to get it merged in. If there is no communication / the pull request is stale, close them.
+- Review the [status/need-triage](https://github.com/podman-desktop/podman-desktop/issues?q=is%3Aopen+is%3Aissue+label%3Astatus%2Fneed-triage) label on new issues. As a maintainer, you will need to categorize these issues under the correct [domain labels](https://github.com/podman-desktop/podman-desktop/labels?q=domain%2F).
+- Validate the issue type. Since issues can be opened without templates or may not align with the chosen template, ensure the issue is correctly classified and update labels accordingly. For example, an issue opened as a bug may actually be a feature request and should be relabeled to reflect the correct type.
+- Add `dev/investigate` label if there is a need for the engineering team to take an initial look and provide some info on where the changes could be and categorize the issue in appropriate area. Add the issue to the current sprint.
+- Add `qe/review` label if we want QE to reproduce this issue.
+- Add `status/info-needed` label if logs are missing or additional info is needed from the user filing the issue
+- Add `external-user` label if the issue is opened by someone outside the Podman Desktop organization maintainers.
+- Identify issues that are simple to resolve and marking them as "good first issue," thereby encouraging newcomers to contribute to the project.
+- Once categorized, remove the `status/need-triage` label.
+- Evaluate the severity of new issues. If an issue is classified as "critical" or "high priority" and requires immediate attention, tag a maintainer in the issue and notify them via the public community channel.
+- Evaluate any stale / lingering pull requests and pinging the respective contributors. If the pull request has been opened for an extensive amount of time, ping someone to contact the contributor / push any changes required to get it merged in. If there is no communication / the pull request is stale, close them.
 
 ## Website Contributions
 

GOVERNANCE.md

@@ -0,0 +1,232 @@
+# Podman Desktop Governance
+
+This is the governance policy for the Podman Desktop project. It applies to all repositories
+in the [Podman Desktop GitHub organization](https://github.com/podman-desktop).
+
+## Table of Contents
+
+- [Code of Conduct](#code-of-conduct)
+- [Project Roles](#project-roles)
+  - [Contributor](#contributor)
+  - [Organization Member](#organization-member)
+  - [Extension Maintainer](#extension-maintainer)
+- [Conflict Resolution](#conflict-resolution)
+- [Changing Roles](#changing-roles)
+  - [Inactivity](#inactivity)
+  - [Involuntary Removal or Demotion](#involuntary-removal-or-demotion)
+  - [Stepping Down/Emeritus Process](#stepping-downemeritus-process)
+- [Changes to this Document](#changes-to-this-document)
+
+## Code of Conduct
+
+All members of the Podman Desktop community are expected to follow the
+[Code of Conduct](https://github.com/podman-desktop/podman-desktop/blob/main/CODE-OF-CONDUCT.md)
+
+## Project Roles
+
+### Contributor
+
+A Contributor contributes directly to the project and adds value to it. Contributions need not be code.
+People at the Contributor level may be new contributors, or they may only contribute occasionally.
+
+#### Responsibilities
+
+- Follow the [Code of Conduct](https://github.com/podman-desktop/podman-desktop/blob/main/CODE-OF-CONDUCT.md)
+- Follow the project [contributing guide](https://github.com/podman-desktop/podman-desktop/blob/main/CONTRIBUTING.md)
+
+#### How to get involved
+
+- Participate in community discussions
+- Help other users
+- Submit bug reports and feature requests
+- Comment on issues
+- Try out new releases
+- Attend community events
+
+#### How to contribute
+
+- Report and sometimes resolve issues
+- Occasionally submit PRs
+- Contribute to the documentation
+- Participate in meetings
+- Answer questions from other community members
+- Submit feedback on issues and PRs
+- Test releases and patches and submit reviews
+- Run or help run events
+- Promote the project externally
+
+### Organization Member
+
+An org member is a frequent contributor that has become a member of the Podman Desktop GitHub organization.
+In addition to the responsibilities of contributors, an org member is also expected to be reasonably active
+in the community through continuous contributions of any type.
+
+An Organization Member must meet the responsibilities and has the requirements of a Contributor.
+
+#### Responsibilities
+
+- Continues to contribute regularly, as demonstrated by having at least 10 GitHub contributions per year
+
+#### Requirements
+
+There are two paths to become an Organization Member:
+
+1. Individual org member path:
+
+- Must have at least 10 contributions to the project in the form of:
+  - Accepted PRs
+  - Helpful PR reviews
+  - Resolving GitHub issues
+  - Or some equivalent contributions to the project
+- Must have been contributing for at least 3 months
+
+2. Team member of an existing project area maintainer team:
+
+- In the case where a team at an organization owns a project area, all the members of that team are
+  automatically able to become Organization Members. This must be approved by at least one of the existing Core Maintainers
+
+#### Privileges
+
+- Membership in the podman-desktop GitHub Organization
+
+### Extension Maintainer
+
+An Extension Maintainer is responsible for maintaining an individual Podman Desktop extension.
+This includes responding to issues filed against the extension, contributing to it, reviewing contributions,
+and keeping the extension up to date.
+
+Extension repositories are named extension-\<name\>, e.g. https://github.com/podman-desktop/extension-minikube.
+
+Extension Maintainer is a lightweight form of ownership and is reflected through CODEOWNERS in each extension repository.
+Each extension can have one or more maintainers.
+
+An Extension Maintainer has all the rights and responsibilities of an Organization Member.
+
+#### Responsibilities
+
+- Review the majority of PRs towards the extension
+- Respond to GitHub issues related to the extension
+- Keep the extension up-to-date with Podman Desktop extension APIs and other dependencies
+- Periodically release the extension and publish to the catalog
+
+#### Requirements
+
+- Is supportive of new and occasional contributors and helps get useful PRs in shape to merge
+- Owns at least one extension in the https://github.com/podman-desktop organization.
+
+#### Privileges
+
+- Write access to the https://github.com/podman-desktop/extension-\<name\> repository
+- GitHub [code owner](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)
+  of the extension, with rights to approve and merge PRs towards the extension
+
+#### Becoming an Extension Maintainer
+
+There are two ways to become an extension maintainer:
+
+1. By contributing a new extension repository to this organization.
+   The extension contribution must be approved by the community Core Maintainers and follow all CNCF rules for ownership change, IP transfer, etc.
+   When the contribution is merged by the Core Maintainers you will remain as the code owner of the extension and granted Extension Maintainer status.
+
+2. Organization Members can become an Extension Maintainer through continued high-quality contributions to a
+   particular extension. New Extension Maintainers can be added to an extension by a
+   [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) vote of the existing maintainers.
+   
+   A potential maintainer may be nominated by an existing maintainer or Organization Member. A vote is conducted
+   in private between the current maintainers over the course of a one week voting period. At the end of the week,
+   votes are counted, the maintainer is given write access to the repository and a pull request is made adding the
+   new maintainer to the code owners.
+
+### Core Maintainer
+
+Core Maintainers are responsible for the Podman Desktop project as a whole, including all repositories. Final decisions
+on the project reside with the Core Maintainers. They help review and merge project-level pull requests as well as
+coordinate work affecting multiple project areas. Core Maintainers should also mentor and seek out new maintainers,
+lead community meetings, and communicate with the CNCF on behalf of the project.
+
+#### Responsibilities
+
+- Take part in the incoming issue triage and PR review process. PRs are shared equally among all maintainers
+- Drive refactoring and manage tech health across the entire project
+- Participate in CNCF maintainer activities
+- Respond to security incidents in accordance to our [security policy](https://github.com/podman-desktop/podman-desktop/blob/main/SECURITY.md)
+- Determine strategy and policy for the project
+- Participate in and/or lead community meetings
+
+#### Requirements
+
+- Experience as an Organization Member for at least 6 months
+- Demonstrates a broad knowledge of the project
+- Is able to exercise judgment for the good of the project, independent of their employer, friends, or team
+- Mentors other contributors
+
+#### Privileges
+
+- Write access to all repositories under the podman-desktop GitHub Organization
+- Approve PRs
+- Merge PRs
+- Represent the project in public as a Maintainer
+- Communicate with the CNCF on behalf of the project
+- Have a vote in Maintainer decision-making meetings
+- Drive the direction and roadmap of the project
+
+#### Becoming a Core Maintainer
+
+New Core Maintainers can be added to the project by a
+[super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) vote of the existing maintainers.
+A potential maintainer may be nominated by an existing core maintainer or Organization Member. A vote is conducted
+in private between the current maintainers over the course of a one week voting period. At the end of the week,
+votes are counted, the maintainer is given write access to repositories and a pull request is made adding the
+new maintainer to the code owners.
+
+## Conflict Resolution
+
+Final decisions on the project reside with the Core Maintainers. If the Core Maintainers cannot agree
+on an issue, the issue will be resolved by voting. The voting process is based on a
+[super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) vote where each Core Maintainer is given one vote.
+
+## Changing Roles
+
+### Inactivity
+
+Inactivity is measured by periods of no contributions without explanation, for longer than:
+
+- Core Maintainer: 6 months
+- Extension Maintainer: 12 months
+- Organization Member: 12 months
+
+Consequences of being inactive include:
+
+- Involuntary removal or demotion
+- Being asked to move to Emeritus status
+
+### Involuntary Removal or Demotion
+
+Involuntary removal/demotion of a contributor happens when responsibilities or requirements aren't being met.
+This may include repeated patterns of inactivity, extended periods of inactivity, a period of failing to meet
+the requirements of your role, and/or a violation of the Code of Conduct. This process is important because
+it protects the community and its deliverables while also opening up opportunities for new contributors to
+step in.
+
+Involuntary removal or demotion is handled through a vote by a
+[super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the current Core Maintainers.
+
+### Stepping Down/Emeritus Process
+
+If and when contributors' commitment levels change, contributors can consider voluntarily stepping down
+(moving down the contributor ladder) or moving to emeritus status (completely stepping away from the project).
+
+Contact the Core Maintainers about changing to Emeritus status or reducing your contributor level.
+
+Emeritus contributors will remain listed in a dedicated section of the contributors file.
+
+Emeritus Maintainers are former Maintainers or Core Maintainers whose status has lapsed, either voluntarily
+or through inactivity. We recognize these former maintainers for their past contributions, their valuable
+experience and insights, and they maintain Emeritus status as a way of recognizing this. Emeritus Maintainer
+also offers a fast-tracked path to becoming a Maintainer again, should the contributor wish to return to the
+project. Emeritus Maintainers have no responsibilities or requirements beyond those of an ordinary Contributor.
+
+## Changes to this Document
+
+Changes to this governance document require a pull request with approval from a
+[super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the current maintainers.

README.md

@@ -1,4 +1,4 @@
-# Podman Desktop - A graphical tool for developing on containers and Kubernetes
+# Podman Desktop – A graphical tool for developing on containers and Kubernetes
 
 ![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/podman-desktop/podman-desktop)
@@ -16,7 +16,7 @@
 [![LFX Active Contributors](https://insights.linuxfoundation.org/api/badge/active-contributors?project=podman-desktop)](https://insights.linuxfoundation.org/project/podman-desktop)
 
 <p align="center">
-  <img alt="Podman Desktop" src="/website/static/img/features/manage-containers.webp">
+  <img alt="Podman Desktop" src="/website/static/img/features/homepage.webp" width="100%">
 </p>
 
 ## Documentation
@@ -29,6 +29,7 @@
 - [**Contributing**](#contributing)
 - [**Communication**](#communication)
 - [**Code of Conduct**](#code-of-conduct)
+- [**Share your Feedback**](#share-your-feedback)
 - [**License**](#license)
 
 ## Overview
@@ -131,10 +132,16 @@ Kubernetes questions & development:
 [![Mastodon](https://img.shields.io/badge/mastodon-6364ff?style=for-the-badge&logo=mastodon&logoColor=white)](https://fosstodon.org/@podmandesktop)
 [![Bluesky](https://img.shields.io/badge/bluesky-1283FE.svg?style=for-the-badge&logo=Bluesky&logoColor=white)](https://bsky.app/profile/podman-desktop.io)
 
+## Share Your Feedback
 
-### Adopters
+Are you using **Podman Desktop** at your company?
+We’d love to hear how you’re using (or planning to use) Podman Desktop. Spend **30 minutes** chatting with us about your use case, and we’ll send you some Podman Desktop swag as a thank-you!
 
-Check out the [list of companies](./ADOPTERS.md) already using Podman Desktop.
+👉 Please complete this [form](https://forms.gle/mTagLs36275B4L198), and we’ll be in touch to arrange a time.
+
+Check out the growing [list of companies](./ADOPTERS.md) already using Podman Desktop, and add your organization to be part of the community of adopters.
+
+Your feedback is invaluable and will play a direct role in guiding the evolution of Podman Desktop. We greatly appreciate your time and perspective.
 
 ## Code of Conduct
 
@@ -142,7 +149,7 @@ This project uses the [Containers Community Code of Conduct](https://github.com/
 
 ## Testing
 
-[![Covered by Argos Visual Testing](https://argos-ci.com/badge-large.svg)](https://app.argos-ci.com/containers/podman-desktop/reference)
+[![Covered by Argos Visual Testing](https://argos-ci.com/badge-large.svg)](https://app.argos-ci.com/containers/podman-desktop-website)
 
 ## License
 

RELEASE.md

@@ -57,11 +57,18 @@ The release may be tested using the assets generated within the pre-release.
 
 **Cherry picking:**
 
-If there are fixes that need to be made to the release as brought up by QE the following steps need to be completed:
+If there are fixes that need to be made to the release as brought up by QE the following steps need to be completed (using hypothetical release 0.12.0 as an example):
 
-1. Create a branch **FROM THE RELEASE**. Example, 0.12.x of release 0.12.0. **IMPORTANT NOTE:** Literally `0.12.x` not `0.12.1`.
-2. Create PR(s) with the fixes that merge into the main branch and use mergify.io to open a backport PR(s) to the 0.12.x branch by adding the following comment in the main PR(s): `@Mergifyio backport 0.12.x`
-3. Make sure all PR's are merged
+1. Create the cherry-fix branch `0.12.x` from tag `0.12.0`:
+
+```sh
+$ git fetch --tags
+$ git checkout -b 0.12.x v0.12.0
+$ git push origin 0.12.x
+```
+
+2. Create PRs with the fixes that merge into `main` and use Mergify to open backport PRs to `0.12.x` by adding the following comment in the main PRs: `@Mergifyio backport 0.12.x`
+3. Make sure all PRs are merged, before re-spinning a release.
 
 **Re-spin a release:**
 

SECURITY.md

@@ -1,3 +1,37 @@
-## Security and Disclosure Information Policy for the Podman Desktop Project
+# Security and Disclosure Information Policy for the Podman Desktop Project
 
-The Podman Desktop Project follows the [Security and Disclosure Information Policy](https://github.com/containers/common/blob/main/SECURITY.md) for the Containers Projects.
+This is the security policy for the Podman Desktop project. It applies to all repositories
+in the [Podman Desktop GitHub organization](https://github.com/podman-desktop).
+
+- [Reporting a Vulnerability](#Reporting-a-Vulnerability)
+- [Security Announcements](#Security-Announcements)
+- [Security Vulnerability Response](#Security-Vulnerability-Response)
+
+## Reporting a Vulnerability
+
+If you think you've identified a security issue in a Podman Desktop project,
+please **DO NOT** report the issue publicly via the GitHub issue tracker,
+mailing list, or chat. Instead, you have two options:
+
+- Open a private GitHub Security Vulnerability Advisory
+  ([GitHub documentation](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/report-a-vulnerability/privately-reporting-a-security-vulnerability)).
+- Send an email with as many details as possible to
+  [cncf-podman-desktop-security@lists.cncf.io](mailto:cncf-podman-desktop-security@lists.cncf.io?subject=Security%20Vulnerablity%20Report).
+  This is a private mailing list for the core maintainers.
+
+## Security Announcements
+
+The [cncf-podman-desktop-maintainers@lists.cncf.io](mailto:cncf-podman-desktop-maintainers@lists.cncf.io) email
+list is used for messages about Podman Desktop security announcements as well as general announcements and discussions.
+You can join the list [here](https://lists.cncf.io/g/cncf-podman-desktop-maintainers/join)
+or by sending an email to [cncf-podman-desktop-maintainers+subscribe@lists.cncf.io](mailto:cncf-podman-desktop-maintainers+subscribe@lists.cncf.io?subject=subscribe).
+
+## Security Vulnerability Response
+
+Each report is acknowledged and analyzed by the core maintainers within 3 working days.
+
+Any vulnerability information shared with core maintainers stays within a Podman Desktop project
+and will not be disseminated to other projects unless it is necessary to get the issue fixed.
+
+As the security issue moves from triage, to an identified fix, to release planning, the core
+maintainers will keep the reporter updated.

__mocks__/@podman-desktop/api.js

@@ -1,170 +0,0 @@
-/**********************************************************************
- * Copyright (C) 2022-2025 Red Hat, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- ***********************************************************************/
-
-import { vi, beforeEach } from 'vitest';
-import product from './product.json' with { type: 'json' };
-
-/**
- * Mock the extension API for vitest.
- * This file is referenced from vitest.config.js file.
- */
-
-const cli = {
-  createCliTool: vi.fn(),
-};
-
-const commands = {
-  registerCommand: vi.fn(),
-};
-
-const configuration = {
-  onDidChangeConfiguration: vi.fn(),
-  getConfiguration: vi.fn(),
-};
-
-const containerEngine = {
-  info: vi.fn(),
-  listContainers: vi.fn(),
-  saveImage: vi.fn(),
-  onEvent: vi.fn(),
-};
-
-const context = {
-  setValue: vi.fn(),
-};
-
-const env = {
-  createTelemetryLogger: vi.fn(),
-  openExternal: vi.fn(),
-
-  appName: product.name,
-
-  isLinux: false,
-  isWindows: false,
-  isMac: false,
-};
-
-const kubernetes = {
-  createResources: vi.fn(),
-  getKubeconfig: vi.fn(),
-  onDidUpdateKubeconfig: vi.fn(),
-};
-
-const net = {
-  getFreePort: vi.fn(),
-};
-
-const process = {
-  exec: vi.fn(),
-};
-
-const eventEmitterListeners = [];
-
-const extensions = {
-  getExtension: vi.fn(),
-};
-
-const proxy = {
-  isEnabled: vi.fn(),
-  onDidUpdateProxy: vi.fn(),
-  onDidStateChange: vi.fn(),
-  getProxySettings: vi.fn(),
-};
-
-const provider = {
-  createProvider: vi.fn(),
-  onDidRegisterContainerConnection: vi.fn(),
-  onDidUnregisterContainerConnection: vi.fn(),
-  onDidUpdateProvider: vi.fn(),
-  onDidUpdateContainerConnection: vi.fn(),
-  onDidUpdateVersion: vi.fn(),
-  registerUpdate: vi.fn(),
-  getContainerConnections: vi.fn(),
-};
-
-const registry = {
-  registerRegistryProvider: vi.fn(),
-  registerRegistry: vi.fn(),
-  unregisterRegistry: vi.fn(),
-  onDidRegisterRegistry: vi.fn(),
-  onDidUnregisterRegistry: vi.fn(),
-  onDidUpdateRegistry: vi.fn(),
-  suggestRegistry: vi.fn(),
-};
-
-const window = {
-  showInformationMessage: vi.fn(),
-  showErrorMessage: vi.fn(),
-  withProgress: vi.fn(),
-  showNotification: vi.fn(),
-  showWarningMessage: vi.fn(),
-
-  showQuickPick: vi.fn(),
-  showInputBox: vi.fn(),
-  createStatusBarItem: vi.fn(),
-};
-
-const Disposable = { from: vi.fn(), dispose: vi.fn() };
-
-class EventEmitter {
-  event(callback) {
-    eventEmitterListeners.push(callback);
-  }
-
-  fire(data) {
-    eventEmitterListeners.forEach(listener => listener(data));
-  }
-
-  dispose() {}
-}
-
-const ProgressLocation = {
-  APP_ICON: 1,
-  TASK_WIDGET: 2,
-};
-
-const Uri = {
-  parse: vi.fn(),
-};
-
-const plugin = {
-  cli,
-  commands,
-  configuration,
-  containerEngine,
-  context,
-  env,
-  extensions,
-  kubernetes,
-  net,
-  process,
-  provider,
-  proxy,
-  registry,
-  window,
-  Disposable,
-  EventEmitter,
-  ProgressLocation,
-  Uri,
-};
-
-beforeEach(() => {
-  eventEmitterListeners.length = 0;
-});
-
-module.exports = plugin;

__mocks__/api.mustache

@@ -0,0 +1,69 @@
+/**********************************************************************
+ * Copyright (C) 2026 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ***********************************************************************/
+
+/* This file is auto-generated by a vitest globalSetup hook */
+import { beforeEach, vi } from 'vitest';
+
+import product from '../../product.json' with { type: 'json' };
+
+const namespaceMocks = {} as Record<string, Record<string, unknown>>;
+{{#namespaces}}
+namespaceMocks.{{name}} = {};
+{{#functions}}
+namespaceMocks.{{name}}.{{.}} = vi.fn();
+{{/functions}}
+{{/namespaces}}
+
+const classesMocks = {} as Record<string, unknown>;
+{{#classes}}
+  const {{name}}Instance: Record<string, unknown> = {};
+  {{#methods}}
+  {{name}}Instance.{{.}} = vi.fn();
+  {{/methods}}
+  classesMocks.{{name}} = {{name}}Instance;
+{{/classes}}
+
+const eventEmitterListeners: Array<(data: unknown) => unknown> = [];
+beforeEach(() => { eventEmitterListeners.length = 0; });
+class EventEmitter {
+  event(callback: (e: unknown) => unknown): void { eventEmitterListeners.push(callback); }
+  fire(data: unknown): void { for (const listener of eventEmitterListeners) { listener(data); } }
+  dispose(): void {}
+}
+EventEmitter.prototype.dispose = vi.fn();
+
+// Normalize env mock
+if (!namespaceMocks.env) namespaceMocks.env = {};
+namespaceMocks.env.isWindows = false;
+namespaceMocks.env.isMac = false;
+namespaceMocks.env.isLinux = false;
+namespaceMocks.env.appName = product.name;
+
+const extensionAPI = {
+  ...namespaceMocks,
+  ...classesMocks,
+  EventEmitter,
+  ProgressLocation: { APP_ICON: 1, TASK_WIDGET: 2 },
+  StatusBarAlignLeft: 'LEFT',
+  StatusBarAlignRight: 'RIGHT',
+  StatusBarItemDefaultPriority: 0,
+  InputBoxValidationSeverity: { Info: 1, Warning: 2, Error: 3 },
+  QuickPickItemKind: { Separator: -1, Default: 0 },
+};
+
+module.exports = extensionAPI;

__mocks__/vitest-generate-api-global-setup.ts

@@ -0,0 +1,125 @@
+/**********************************************************************
+ * Copyright (C) 2026 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ***********************************************************************/
+
+import path from 'node:path';
+import fs from 'node:fs/promises';
+import typescript from 'typescript';
+import Mustache from 'mustache';
+import { fileURLToPath } from 'node:url';
+
+type Namespaces = { [key: string]: string[] };
+type Classes = { [key: string]: string[] };
+
+async function extractNamespacesAndClassesFromAPI(
+  filePath: string,
+): Promise<{ namespaces: Namespaces; classes: Classes }> {
+  const fileContent = await fs.readFile(filePath, 'utf-8');
+  const sourceFile = typescript.createSourceFile(filePath, fileContent, typescript.ScriptTarget.Latest, true);
+
+  const namespaces: Namespaces = {};
+  const classes: Classes = {};
+
+  const visit = (node: typescript.Node): void => {
+    if (typescript.isModuleDeclaration(node) && node.name.text) {
+      if (node.name.text === '@podman-desktop/api') {
+        typescript.forEachChild(node, visit);
+        return;
+      }
+
+      const namespaceName = node.name.text;
+      const functions: string[] = [];
+
+      if (node.body && typescript.isModuleBlock(node.body)) {
+        for (const statement of node.body.statements) {
+          if (typescript.isFunctionDeclaration(statement) && statement.name) {
+            functions.push(statement.name.text);
+          } else if (typescript.isVariableStatement(statement)) {
+            for (const declaration of statement.declarationList.declarations) {
+              if (typescript.isIdentifier(declaration.name)) {
+                functions.push(declaration.name.text);
+              }
+            }
+          }
+        }
+      }
+
+      if (functions.length > 0) {
+        // Deduplicate to handle function overloads
+        namespaces[namespaceName] = Array.from(new Set(functions));
+      }
+    }
+
+    if (typescript.isClassDeclaration(node) && node.name) {
+      const modifiers = typescript.getModifiers(node);
+      const isExported = modifiers?.some(m => m.kind === typescript.SyntaxKind.ExportKeyword);
+      if (isExported) {
+        const className = node.name.text;
+        const methods: string[] = [];
+        for (const member of node.members) {
+          if (typescript.isMethodDeclaration(member) && member.name && typescript.isIdentifier(member.name)) {
+            methods.push(member.name.text);
+          }
+        }
+        // Deduplicate to handle method overloads
+        classes[className] = Array.from(new Set(methods));
+      }
+    }
+
+    typescript.forEachChild(node, visit);
+  };
+
+  visit(sourceFile);
+  return { namespaces, classes };
+}
+
+function toTemplateData(data: { namespaces: Namespaces; classes: Classes }) {
+  const namespaces = Object.entries(data.namespaces).map(([name, functions]) => ({ name, functions }));
+  const classes = Object.entries(data.classes).map(([name, methods]) => ({ name, methods }));
+  return { namespaces, classes };
+}
+
+export default async function setup(): Promise<void> {
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = path.dirname(__filename);
+  const repoRoot = path.resolve(__dirname, '..');
+  const extensionApiTypePath = path.join(repoRoot, 'packages', 'extension-api', 'src', 'extension-api.d.ts');
+  const podmanDesktopApiMocksDir = path.join(repoRoot, '__mocks__', '@podman-desktop');
+  const apiGeneratedFile = path.join(podmanDesktopApiMocksDir, 'api.ts');
+  const templatePath = path.join(repoRoot, '__mocks__', 'api.mustache');
+
+  // skip if api.ts is already newer (from template or extension-api.d.ts file)
+  const extensionApiPathStats = await fs.stat(extensionApiTypePath);
+  const templatePathStats = await fs.stat(templatePath);
+  try {
+    const outputStats = await fs.stat(apiGeneratedFile);
+    const newestInputMtime = Math.max(extensionApiPathStats.mtimeMs, templatePathStats.mtimeMs);
+    if (outputStats.mtimeMs >= newestInputMtime) {
+      console.debug(' 🚀 __mocks__/@podman-desktop/api.ts up-to-date; skipping regeneration');
+      return;
+    }
+  } catch {
+    console.debug(' ⚙️ __mocks__/@podman-desktop/api.ts does not exist yet; generating it now…');
+  }
+  const data = await extractNamespacesAndClassesFromAPI(extensionApiTypePath);
+  const template = await fs.readFile(templatePath, 'utf-8');
+  const content = Mustache.render(template, toTemplateData(data));
+
+  await fs.mkdir(podmanDesktopApiMocksDir, { recursive: true });
+  await fs.writeFile(apiGeneratedFile, content, 'utf-8');
+  console.debug(' ✅ __mocks__/@podman-desktop/api.ts has been generated.');
+}

buildResources/installer.nsh

@@ -1,6 +1,6 @@
 !macro customUnInit
   ; Remove startup registry entry
-  DeleteRegValue HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "Podman Desktop"
-  DeleteRegValue HKCU "Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" "Podman Desktop"
+  DeleteRegValue HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "${PRODUCT_NAME}"
+  DeleteRegValue HKCU "Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" "${PRODUCT_NAME}"
 
 !macroend

eslint.config.mjs

@@ -35,6 +35,7 @@ import redundantUndefined from 'eslint-plugin-redundant-undefined';
 import simpleImportSort from 'eslint-plugin-simple-import-sort';
 import fileProgress from 'eslint-plugin-file-progress';
 import vitest from '@vitest/eslint-plugin';
+import nodePlugin from 'eslint-plugin-n';
 import svelteConfig from './svelte.config.js';
 
 const __filename = fileURLToPath(import.meta.url);
@@ -93,10 +94,11 @@ export default [
   ),
   {
     plugins: {
-      // compliant v9 plug-ins
+      // compliant v10 plug-ins
       unicorn,
-      'file-progress': fileProgress,
-      // non-compliant v9 plug-ins
+      n: nodePlugin,
+      // non-compliant v10 plug-ins
+      'file-progress': fixupPluginRules(fileProgress),
       etc: fixupPluginRules(etc),
       import: fixupPluginRules(importPlugin),
       'no-null': fixupPluginRules(noNull),
@@ -148,6 +150,7 @@ export default [
     rules: {
       'vitest/no-import-node-test': 'error',
       'vitest/no-identical-title': 'error',
+      'vitest/prefer-import-in-mock': 'error',
       eqeqeq: 'error',
       'prefer-promise-reject-errors': 'error',
       semi: ['error', 'always'],
@@ -194,6 +197,14 @@ export default [
       // unicorn custom rules
       'unicorn/prefer-node-protocol': 'error',
 
+      // node custom rules
+      'n/no-sync': [
+        'warn',
+        {
+          ignores: ['existsSync'],
+        },
+      ],
+
       // sonarjs custom rules
       'sonarjs/cognitive-complexity': 'off',
       'sonarjs/no-duplicate-string': 'off',
@@ -248,6 +259,10 @@ export default [
       // simple-import-sort custom rules
       'simple-import-sort/imports': 'error',
       'simple-import-sort/exports': 'error',
+
+      // new rule that has been added as a recommended one in eslint v10
+      // but comment it by default until we can fix all the issues in the codebase
+      'preserve-caught-error': 'off',
     },
   },
 
@@ -295,6 +310,22 @@ export default [
       ],
     },
   },
+  {
+    files: ['packages/main/**'],
+    rules: {
+      'no-restricted-imports': [
+        'error',
+        {
+          patterns: [
+            {
+              group: ['../**'],
+              message: 'Parent relative imports are not allowed. Use path aliases (e.g. /@/) instead.',
+            },
+          ],
+        },
+      ],
+    },
+  },
 
   {
     files: ['packages/renderer/**'],
@@ -320,6 +351,18 @@ export default [
 
       // reactive statements are not expressions
       'sonarjs/no-unused-expressions': 'off',
+
+      'no-restricted-imports': [
+        'error',
+        {
+          patterns: [
+            {
+              group: ['../*'],
+              message: 'Parent relative imports are not allowed. Use path aliases (e.g. /@/) instead.',
+            },
+          ],
+        },
+      ],
     },
   },
 
@@ -360,4 +403,21 @@ export default [
       'sonarjs/no-unused-collection': 'off',
     },
   },
+
+  {
+    files: ['packages/api/**'],
+    rules: {
+      'no-restricted-imports': [
+        'error',
+        {
+          patterns: [
+            {
+              group: ['../**'],
+              message: 'Parent relative imports are not allowed. Use path aliases (e.g. /@/) instead.',
+            },
+          ],
+        },
+      ],
+    },
+  },
 ];

extensions/compose/package.json

@@ -2,7 +2,7 @@
   "name": "compose",
   "displayName": "Compose",
   "description": "Install Compose binary to work with Podman",
-  "version": "1.24.0-next",
+  "version": "1.28.0-next",
   "icon": "icon.png",
   "publisher": "podman-desktop",
   "license": "Apache-2.0",
@@ -55,11 +55,24 @@
             ]
           ]
         },
+        {
+          "id": "versionCheckFailedView",
+          "title": "Unable to retrieve Compose version",
+          "when": "onboardingContext:composeVersionCheckFailed",
+          "state": "failed",
+          "content": [
+            [
+              {
+                "value": "Unable to retrieve the latest Compose version. This may be caused by a GitHub API rate limit or a network issue.\n\nPlease try again later or check your network connection."
+              }
+            ]
+          ]
+        },
         {
           "id": "welcomeDownloadView",
           "label": "Compose Download",
           "title": "Compose download",
-          "when": "!compose.isComposeInstalledSystemWide && !compose.isPodmanComposeInstalledSystemWide && onboardingContext:composeIsNotDownloaded",
+          "when": "!compose.isComposeInstalledSystemWide && !compose.isPodmanComposeInstalledSystemWide && onboardingContext:composeIsNotDownloaded && !onboardingContext:composeVersionCheckFailed",
           "content": [
             [
               {
@@ -84,7 +97,7 @@
           "id": "downloadCommand",
           "title": "Downloading Compose ${onboardingContext:composeDownloadVersion}",
           "description": "Downloading the binary.\n\nOnce downloaded, the next step will install Compose system-wide.",
-          "when": "!compose.isComposeInstalledSystemWide && !compose.isPodmanComposeInstalledSystemWide && !compose.isPodmanComposeInstalledSystemWide && onboardingContext:composeIsNotDownloaded",
+          "when": "!compose.isComposeInstalledSystemWide && !compose.isPodmanComposeInstalledSystemWide && onboardingContext:composeIsNotDownloaded && !onboardingContext:composeVersionCheckFailed",
           "command": "compose.onboarding.downloadCommand",
           "completionEvents": [
             "onCommand:compose.onboarding.downloadCommand"
@@ -194,9 +207,9 @@
   "devDependencies": {
     "@podman-desktop/api": "workspace:*",
     "@types/mustache": "^4.2.6",
-    "adm-zip": "^0.5.16",
+    "adm-zip": "^0.5.17",
     "mkdirp": "^3.0.1",
-    "vite": "^7.2.7",
-    "vitest": "^4.0.10"
+    "vite": "^7.3.2",
+    "vitest": "^4.1.4"
   }
 }

extensions/compose/src/cli-run.spec.ts

@@ -25,17 +25,9 @@ import { afterEach, beforeEach, expect, test, vi } from 'vitest';
 import { getSystemBinaryPath, installBinaryToSystem, localBinDir } from './cli-run';
 
 // mock exists sync
-vi.mock('node:fs', async () => {
-  return {
-    existsSync: vi.fn(),
-    copyFileSync: vi.fn(),
-    promises: {
-      copyFile: vi.fn(),
-    },
-  };
-});
+vi.mock(import('node:fs'));
 
-let previousPath: string | undefined;
+const previousPath = process.env.PATH;
 
 beforeEach(() => {
   vi.resetAllMocks();

extensions/compose/src/compose-github-releases.spec.ts

@@ -24,6 +24,8 @@ import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
 
 import { ComposeGitHubReleases } from './compose-github-releases';
 
+vi.mock(import('node:fs'));
+
 let composeGitHubReleases: ComposeGitHubReleases;
 
 const listReleaseAssetsMock = vi.fn();
@@ -154,8 +156,6 @@ describe.each([
 });
 
 test('should download the file if parent folder does exist', async () => {
-  vi.mock('node:fs');
-
   getReleaseAssetMock.mockImplementation(() => {
     return { data: 'foo' };
   });
@@ -178,8 +178,6 @@ test('should download the file if parent folder does exist', async () => {
 });
 
 test('should download the file if parent folder does not exist', async () => {
-  vi.mock('node:fs');
-
   getReleaseAssetMock.mockImplementation(() => {
     return { data: 'foo' };
   });

extensions/compose/src/detect.spec.ts

@@ -37,11 +37,9 @@ const osMock: OS = {
 
 let detect: Detect;
 
-vi.mock('shell-path', () => {
-  return {
-    shellPath: vi.fn(),
-  };
-});
+vi.mock(import('shell-path'));
+vi.mock(import('node:fs'));
+vi.mock(import('node:http'));
 
 const originalConsoleDebug = console.debug;
 
@@ -117,7 +115,6 @@ describe('Check storage path', async () => {
   });
 
   test('found', async () => {
-    vi.mock('node:fs');
     const existSyncSpy = vi.mocked(fs.existsSync);
     existSyncSpy.mockImplementation(() => true);
 
@@ -225,14 +222,6 @@ describe('Check docker socket', async () => {
     const socketPathMock = vi.spyOn(detect, 'getSocketPath');
     socketPathMock.mockResolvedValue('/foo/docker.sock');
 
-    // mock http request
-
-    vi.mock('node:http', () => {
-      return {
-        get: vi.fn(),
-      };
-    });
-
     const spyGet: MockInstance<HttpGet> = vi.spyOn(http, 'get');
     const clientRequestEmitter = new EventEmitter();
     const myRequest = clientRequestEmitter as http.ClientRequest;
@@ -258,14 +247,6 @@ describe('Check docker socket', async () => {
     const socketPathMock = vi.spyOn(detect, 'getSocketPath');
     socketPathMock.mockResolvedValue('/foo/docker.sock');
 
-    // mock http request
-
-    vi.mock('node:http', () => {
-      return {
-        get: vi.fn(),
-      };
-    });
-
     const spyGet: MockInstance<HttpGet> = vi.spyOn(http, 'get');
     const clientRequestEmitter = new EventEmitter();
     const myRequest = clientRequestEmitter as http.ClientRequest;
@@ -288,14 +269,6 @@ describe('Check docker socket', async () => {
     const socketPathMock = vi.spyOn(detect, 'getSocketPath');
     socketPathMock.mockResolvedValue('/foo/docker.sock');
 
-    // mock http request
-
-    vi.mock('node:http', () => {
-      return {
-        get: vi.fn(),
-      };
-    });
-
     const spyGet: MockInstance<HttpGet> = vi.spyOn(http, 'get');
     const clientRequestEmitter = new EventEmitter();
     const myRequest = clientRequestEmitter as http.ClientRequest;

extensions/compose/src/detect.ts

@@ -18,8 +18,8 @@
 
 import * as fs from 'node:fs';
 import * as http from 'node:http';
-import { resolve } from 'node:path';
 import * as path from 'node:path';
+import { resolve } from 'node:path';
 
 import * as extensionApi from '@podman-desktop/api';
 import { shellPath } from 'shell-path';

extensions/compose/src/download.spec.ts

@@ -27,6 +27,8 @@ import { ComposeDownload } from './download';
 import { OS } from './os';
 import * as utils from './utils';
 
+vi.mock(import('node:fs'));
+
 // Create the OS class as well as fake extensionContext
 const os = new OS();
 const extensionContext: extensionApi.ExtensionContext = {
@@ -112,7 +114,6 @@ test('test download of compose passes and that mkdir and executable mocks are ca
   const downloadReleaseAssetMock = vi.spyOn(composeGitHubReleasesMock, 'downloadReleaseAsset');
 
   // Mock that the storage path does not exist
-  vi.mock('node:fs');
   vi.spyOn(fs, 'existsSync').mockImplementation(() => {
     return false;
   });

extensions/compose/src/extension.spec.ts

@@ -17,7 +17,7 @@
  ***********************************************************************/
 import * as fs from 'node:fs';
 
-import type { CliTool, Logger } from '@podman-desktop/api';
+import type { CliTool, Logger, Provider, ProviderUpdate } from '@podman-desktop/api';
 import * as extensionApi from '@podman-desktop/api';
 import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
 
@@ -27,12 +27,7 @@ import { Detect } from './detect';
 import { ComposeDownload } from './download';
 import { activate, deactivate } from './extension';
 
-vi.mock('node:fs', () => ({
-  promises: {
-    unlink: vi.fn(),
-  },
-  existsSync: vi.fn(),
-}));
+vi.mock(import('node:fs'));
 
 const cliToolMock = {
   registerUpdate: vi.fn(),
@@ -54,6 +49,10 @@ beforeEach(() => {
     get: vi.fn(),
     has: vi.fn(),
   });
+  vi.mocked(extensionApi.provider.createProvider).mockReturnValue({
+    registerUpdate: vi.fn().mockReturnValue({ dispose: vi.fn() }),
+    updateVersion: vi.fn(),
+  } as unknown as Provider);
 });
 
 afterEach(() => {
@@ -358,6 +357,9 @@ describe('registerCLITool', () => {
       installationSource: 'extension',
       version: '1.0.0',
     });
+
+    const providerMock = vi.mocked(extensionApi.provider.createProvider).mock.results[0].value as Provider;
+    expect(providerMock.updateVersion).toHaveBeenCalledWith('1.0.0');
   });
 
   test('by uninstalling it should delete all executables', async () => {
@@ -391,6 +393,9 @@ describe('registerCLITool', () => {
     await installer?.doUninstall({} as unknown as Logger);
     expect(fs.promises.unlink).toHaveBeenNthCalledWith(1, 'storage-path');
     expect(extensionApi.process.exec).toHaveBeenCalledWith('rm', ['system-wide-path'], { isAdmin: true });
+
+    const providerMock = vi.mocked(extensionApi.provider.createProvider).mock.results[0].value as Provider;
+    expect(providerMock.updateVersion).toHaveBeenCalledWith('');
   });
 
   test('if unlink fails because of a permission issue, it should delete all binaries as admin', async () => {
@@ -472,6 +477,40 @@ describe('registerCLITool', () => {
     });
   });
 
+  test('checkDownloadedCommand sets composeVersionCheckFailed when version fetch fails', async () => {
+    vi.mocked(Detect.prototype.getStoragePath).mockResolvedValue('');
+    vi.mocked(Detect.prototype.checkSystemWideDockerCompose).mockResolvedValue(false);
+    vi.mocked(ComposeDownload.prototype.getLatestVersionAsset).mockRejectedValue(new Error('API rate limit exceeded'));
+
+    await activate(extensionContextMock);
+
+    const checkDownloadedHandler = vi.mocked(extensionApi.commands.registerCommand).mock.calls[1][1];
+    await checkDownloadedHandler();
+
+    expect(extensionApi.context.setValue).toHaveBeenCalledWith('composeVersionCheckFailed', true, 'onboarding');
+    expect(extensionApi.context.setValue).not.toHaveBeenCalledWith(
+      'composeDownloadVersion',
+      expect.anything(),
+      'onboarding',
+    );
+  });
+
+  test('checkDownloadedCommand sets composeDownloadVersion on success', async () => {
+    vi.mocked(Detect.prototype.getStoragePath).mockResolvedValue('');
+    vi.mocked(Detect.prototype.checkSystemWideDockerCompose).mockResolvedValue(false);
+    vi.mocked(ComposeDownload.prototype.getLatestVersionAsset).mockResolvedValue({
+      tag: 'v2.30.0',
+    } as unknown as ComposeGithubReleaseArtifactMetadata);
+
+    await activate(extensionContextMock);
+
+    const checkDownloadedHandler = vi.mocked(extensionApi.commands.registerCommand).mock.calls[1][1];
+    await checkDownloadedHandler();
+
+    expect(extensionApi.context.setValue).toHaveBeenCalledWith('composeDownloadVersion', 'v2.30.0', 'onboarding');
+    expect(extensionApi.context.setValue).toHaveBeenCalledWith('composeVersionCheckFailed', false, 'onboarding');
+  });
+
   test('onboarding download command shows error message if version list cannot be obtained', async () => {
     await activate(extensionContextMock);
     const downloadCommandHandler = vi.mocked(extensionApi.commands.registerCommand).mock.calls[2][1];
@@ -481,3 +520,115 @@ describe('registerCLITool', () => {
     expect(extensionApi.window.showErrorMessage).toHaveBeenCalledOnce();
   });
 });
+
+describe('provider registerUpdate (Resources page)', () => {
+  let registerUpdateSpy: ReturnType<typeof vi.fn>;
+  let updateVersionSpy: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    registerUpdateSpy = vi.fn().mockReturnValue({ dispose: vi.fn() });
+    updateVersionSpy = vi.fn();
+    vi.mocked(extensionApi.provider.createProvider).mockReturnValue({
+      registerUpdate: registerUpdateSpy,
+      updateVersion: updateVersionSpy,
+    } as unknown as Provider);
+  });
+
+  function mockExtensionInstalledCompose(): void {
+    vi.mocked(Detect.prototype.checkSystemWideDockerCompose).mockResolvedValue(true);
+    vi.mocked(Detect.prototype.getDockerComposeBinaryInfo).mockResolvedValue({
+      version: 'v2.0.0',
+      path: 'system-wide-path',
+      updatable: true,
+    });
+    vi.spyOn(cliRun, 'getSystemBinaryPath').mockReturnValue('system-wide-path');
+  }
+
+  function mockCliToolWithVersion(
+    resolveRegisterUpdate: (listener: extensionApi.CliToolSelectUpdate) => void,
+    options: { version?: string },
+  ): CliTool {
+    return {
+      registerUpdate: (listener: extensionApi.CliToolSelectUpdate | extensionApi.CliToolUpdate) => {
+        if ('selectVersion' in listener) {
+          resolveRegisterUpdate(listener);
+        }
+        return { dispose: vi.fn() };
+      },
+      registerInstaller: vi.fn().mockReturnValue({ dispose: vi.fn() }),
+      updateVersion: vi.fn(),
+      dispose: vi.fn(),
+      onDidUpdateVersion: vi.fn().mockReturnValue({ dispose: vi.fn() }),
+      get version(): string | undefined {
+        return options.version;
+      },
+    } as unknown as CliTool;
+  }
+
+  test('registers provider update when a newer compose version is available', async () => {
+    mockExtensionInstalledCompose();
+    vi.mocked(ComposeDownload.prototype.getLatestVersionAsset).mockResolvedValue({
+      tag: 'v2.5.0',
+    } as unknown as ComposeGithubReleaseArtifactMetadata);
+
+    const deferredCliUpdate: Promise<extensionApi.CliToolSelectUpdate> = new Promise(resolve => {
+      vi.mocked(extensionApi.cli.createCliTool).mockImplementation(opts =>
+        mockCliToolWithVersion(resolve, opts as { version?: string }),
+      );
+    });
+
+    await activate(extensionContextMock);
+    await deferredCliUpdate;
+
+    expect(registerUpdateSpy).toHaveBeenCalledOnce();
+    expect(registerUpdateSpy.mock.calls[0][0]).toEqual(expect.objectContaining({ version: '2.5.0' }));
+  });
+
+  test('does not register provider update when compose is already the latest version', async () => {
+    vi.mocked(Detect.prototype.checkSystemWideDockerCompose).mockResolvedValue(true);
+    vi.mocked(Detect.prototype.getDockerComposeBinaryInfo).mockResolvedValue({
+      version: 'v2.5.0',
+      path: 'system-wide-path',
+      updatable: true,
+    });
+    vi.spyOn(cliRun, 'getSystemBinaryPath').mockReturnValue('system-wide-path');
+    vi.mocked(ComposeDownload.prototype.getLatestVersionAsset).mockResolvedValue({
+      tag: 'v2.5.0',
+    } as unknown as ComposeGithubReleaseArtifactMetadata);
+
+    const deferredCliUpdate: Promise<extensionApi.CliToolSelectUpdate> = new Promise(resolve => {
+      vi.mocked(extensionApi.cli.createCliTool).mockImplementation(opts =>
+        mockCliToolWithVersion(resolve, opts as { version?: string }),
+      );
+    });
+
+    await activate(extensionContextMock);
+    await deferredCliUpdate;
+
+    expect(registerUpdateSpy).not.toHaveBeenCalled();
+  });
+
+  test('provider update callback downloads and installs compose', async () => {
+    mockExtensionInstalledCompose();
+    vi.mocked(ComposeDownload.prototype.getLatestVersionAsset).mockResolvedValue({
+      tag: 'v2.5.0',
+    } as unknown as ComposeGithubReleaseArtifactMetadata);
+    vi.mocked(Detect.prototype.getStoragePath).mockResolvedValue('storage-path');
+
+    const deferredCliUpdate: Promise<extensionApi.CliToolSelectUpdate> = new Promise(resolve => {
+      vi.mocked(extensionApi.cli.createCliTool).mockImplementation(opts =>
+        mockCliToolWithVersion(resolve, opts as { version?: string }),
+      );
+    });
+
+    await activate(extensionContextMock);
+    await deferredCliUpdate;
+
+    const providerUpdate = registerUpdateSpy.mock.calls[0][0] as ProviderUpdate;
+    await providerUpdate.update({} as unknown as Logger);
+
+    expect(ComposeDownload.prototype.download).toHaveBeenCalled();
+    expect(cliRun.installBinaryToSystem).toHaveBeenCalledWith('storage-path', 'docker-compose');
+    expect(updateVersionSpy).toHaveBeenCalledWith('2.5.0');
+  });
+});

extensions/compose/src/extension.ts

@@ -20,6 +20,7 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 
 import { Octokit } from '@octokit/rest';
+import type { Logger, ProviderUpdate } from '@podman-desktop/api';
 import * as extensionApi from '@podman-desktop/api';
 
 import { getSystemBinaryPath, installBinaryToSystem } from './cli-run';
@@ -72,6 +73,21 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
   const composeGitHubReleases = new ComposeGitHubReleases(octokit);
   const composeDownload = new ComposeDownload(extensionContext, composeGitHubReleases, os);
 
+  // Need to "ADD" a provider so we can actually press the button!
+  // We set this to "unknown" so it does not appear on the dashboard (we only want it in preferences).
+  const providerOptions: extensionApi.ProviderOptions = {
+    name: composeDisplayName,
+    id: composeDisplayName,
+    status: 'unknown',
+    images: {
+      icon: imageLocation,
+    },
+  };
+
+  providerOptions.emptyConnectionMarkdownDescription = composeDescription;
+  const provider = extensionApi.provider.createProvider(providerOptions);
+  extensionContext.subscriptions.push(provider);
+
   // add a command to display the onboarding page
   const openOnboardingCommand = extensionApi.commands.registerCommand('compose.openComposeOnboarding', async () => {
     await extensionApi.navigation.navigateToOnboarding();
@@ -99,12 +115,16 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
       // we will run getLatestVersionAsset so we can show the user the latest
       // latest version of compose that is available.
       if (!isDownloaded) {
-        // Get the latest version and store the metadata in a local variable
-        const composeLatestVersion = await composeDownload.getLatestVersionAsset();
-        // Set the value in the context to the version we're downloading so it appears in the onboarding sequence
-        if (composeLatestVersion) {
-          composeVersionMetadata = composeLatestVersion;
-          extensionApi.context.setValue('composeDownloadVersion', composeVersionMetadata.tag, 'onboarding');
+        try {
+          const composeLatestVersion = await composeDownload.getLatestVersionAsset();
+          if (composeLatestVersion) {
+            composeVersionMetadata = composeLatestVersion;
+            extensionApi.context.setValue('composeDownloadVersion', composeVersionMetadata.tag, 'onboarding');
+            extensionApi.context.setValue('composeVersionCheckFailed', false, 'onboarding');
+          }
+        } catch (error: unknown) {
+          console.error('Failed to retrieve latest Compose version:', error);
+          extensionApi.context.setValue('composeVersionCheckFailed', true, 'onboarding');
         }
       }
 
@@ -135,7 +155,7 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
 
         // register the cli tool if necessary
         if (!composeCliTool) {
-          await registerCLITool(composeDownload, detect, extensionContext);
+          await registerCLITool(composeDownload, detect, extensionContext, provider);
         }
       } catch (error) {
         await extensionApi.window.showErrorMessage(`Unable to download docker-compose binary: ${error}`);
@@ -217,24 +237,9 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
     onboardingInstallSystemWideCommand,
   );
 
-  // Need to "ADD" a provider so we can actually press the button!
-  // We set this to "unknown" so it does not appear on the dashboard (we only want it in preferences).
-  const providerOptions: extensionApi.ProviderOptions = {
-    name: composeDisplayName,
-    id: composeDisplayName,
-    status: 'unknown',
-    images: {
-      icon: imageLocation,
-    },
-  };
-
-  providerOptions.emptyConnectionMarkdownDescription = composeDescription;
-  const provider = extensionApi.provider.createProvider(providerOptions);
-  extensionContext.subscriptions.push(provider);
-
   // Push the CLI tool as well (but it will do it postActivation so it does not block the activate() function)
   // Post activation
-  registerCLITool(composeDownload, detect, extensionContext).catch((error: unknown) => {
+  registerCLITool(composeDownload, detect, extensionContext, provider).catch((error: unknown) => {
     console.error('Error activating extension', error);
   });
 }
@@ -244,6 +249,7 @@ async function registerCLITool(
   composeDownload: ComposeDownload,
   detect: Detect,
   context: extensionApi.ExtensionContext,
+  provider: extensionApi.Provider,
 ): Promise<void> {
   // build executable name for current platform
   const executable = os.isWindows() ? composeCliName + '.exe' : composeCliName;
@@ -311,6 +317,9 @@ async function registerCLITool(
 
   const latestVersion = latestVersionAsset ? removeVersionPrefix(latestVersionAsset.tag) : undefined;
 
+  let composeProviderUpdateDisposable: extensionApi.Disposable | undefined;
+  let composeProviderUpdate: ProviderUpdate | undefined;
+
   const update = {
     version: latestVersion !== composeCliTool.version ? latestVersion : undefined,
     selectVersion: async (): Promise<string> => {
@@ -345,12 +354,14 @@ async function registerCLITool(
       // get the binary in the extension folder
       const storagePath = await detect.getStoragePath();
       binaryPath = await installBinaryToSystem(storagePath, composeCliName);
+      const installedVersion = releaseVersionToUpdateTo;
       composeCliTool?.updateVersion({
-        version: releaseVersionToUpdateTo,
+        version: installedVersion,
         path: binaryPath,
         installationSource: 'extension',
       });
-      binaryVersion = releaseVersionToUpdateTo;
+      binaryVersion = installedVersion;
+      provider.updateVersion(installedVersion);
       releaseVersionToUpdateTo = undefined;
       releaseToUpdateTo = undefined;
     },
@@ -364,8 +375,14 @@ async function registerCLITool(
     composeCliTool.onDidUpdateVersion((version: string) => {
       if (version === latestVersion) {
         delete update.version;
+        composeProviderUpdateDisposable?.dispose();
       } else {
         update.version = latestVersion;
+        if (composeProviderUpdate) {
+          composeProviderUpdate.version = latestVersion ?? composeProviderUpdate.version;
+          composeProviderUpdateDisposable?.dispose();
+          composeProviderUpdateDisposable = provider.registerUpdate(composeProviderUpdate);
+        }
       }
     }),
   );
@@ -403,6 +420,7 @@ async function registerCLITool(
         installationSource: 'extension',
       });
       binaryVersion = releaseVersionToInstall;
+      provider.updateVersion(releaseVersionToInstall);
       releaseVersionToInstall = undefined;
       releaseToInstall = undefined;
       extensionApi.context.setValue('compose.isComposeInstalledSystemWide', true);
@@ -423,7 +441,9 @@ async function registerCLITool(
       // update the version to undefined
       binaryVersion = undefined;
       binaryPath = undefined;
+      provider.updateVersion('');
       extensionApi.context.setValue('compose.isComposeInstalledSystemWide', false);
+      composeProviderUpdateDisposable?.dispose();
     },
   });
 
@@ -433,6 +453,18 @@ async function registerCLITool(
   }
 
   composeCliToolUpdaterDisposable = composeCliTool.registerUpdate(update);
+
+  if (update.version) {
+    composeProviderUpdate = {
+      version: update.version,
+      update: async (_logger: Logger): Promise<void> => {
+        releaseToUpdateTo = undefined;
+        releaseVersionToUpdateTo = undefined;
+        await update.doUpdate();
+      },
+    };
+    composeProviderUpdateDisposable = provider.registerUpdate(composeProviderUpdate);
+  }
 }
 
 async function deleteFile(filePath: string): Promise<void> {

extensions/compose/src/handler.spec.ts

@@ -22,7 +22,7 @@ import { beforeEach, describe, expect, test, vi } from 'vitest';
 import * as detect from './detect';
 import * as handler from './handler';
 
-vi.mock('./detect');
+vi.mock(import('./detect'));
 
 const extensionContextMock: extensionApi.ExtensionContext = {
   storagePath: '/storage-path',
@@ -49,33 +49,33 @@ test('updateConfigAndContextComposeBinary: make sure configuration gets updated
   await handler.updateConfigAndContextComposeBinary(extensionContextMock);
 
   expect(configUpdateSpy).toHaveBeenCalledWith('binary.installComposeSystemWide', true);
-
-  describe('podman-compose', async () => {
-    test('updateConfigAndContextComposeBinary: should set isPodmanComposeInstalledSystemWide context to true when podman-compose is installed', async () => {
-      vi.mocked(detect.Detect.prototype.checkSystemWideDockerCompose).mockResolvedValue(true);
-      vi.mocked(detect.Detect.prototype.checkSystemWidePodmanCompose).mockResolvedValue(true);
-
-      // Run updateConfigAndContextComposeBinary
-      await handler.updateConfigAndContextComposeBinary(extensionContextMock);
-
-      expect(vi.mocked(extensionApi.context.setValue)).toHaveBeenCalledWith(
-        'compose.isPodmanComposeInstalledSystemWide',
-        true,
-      );
-    });
-
-    test('updateConfigAndContextComposeBinary: should set isPodmanComposeInstalledSystemWide context to false when podman-compose is not installed', async () => {
-      vi.mocked(detect.Detect.prototype.checkSystemWideDockerCompose).mockResolvedValue(false);
-      vi.mocked(detect.Detect.prototype.checkSystemWidePodmanCompose).mockResolvedValue(false);
-
-      // Run updateConfigAndContextComposeBinary
-      await handler.updateConfigAndContextComposeBinary(extensionContextMock);
-
-      expect(vi.mocked(extensionApi.context.setValue)).toHaveBeenCalledWith(
-        'compose.isPodmanComposeInstalledSystemWide',
-        false,
-      );
-    });
-  });
   expect(contextUpdateSpy).toHaveBeenCalledWith('compose.isComposeInstalledSystemWide', true);
 });
+
+describe('podman-compose', async () => {
+  test('updateConfigAndContextComposeBinary: should set isPodmanComposeInstalledSystemWide context to true when podman-compose is installed', async () => {
+    vi.mocked(detect.Detect.prototype.checkSystemWideDockerCompose).mockResolvedValue(true);
+    vi.mocked(detect.Detect.prototype.checkSystemWidePodmanCompose).mockResolvedValue(true);
+
+    // Run updateConfigAndContextComposeBinary
+    await handler.updateConfigAndContextComposeBinary(extensionContextMock);
+
+    expect(vi.mocked(extensionApi.context.setValue)).toHaveBeenCalledWith(
+      'compose.isPodmanComposeInstalledSystemWide',
+      true,
+    );
+  });
+
+  test('updateConfigAndContextComposeBinary: should set isPodmanComposeInstalledSystemWide context to false when podman-compose is not installed', async () => {
+    vi.mocked(detect.Detect.prototype.checkSystemWideDockerCompose).mockResolvedValue(false);
+    vi.mocked(detect.Detect.prototype.checkSystemWidePodmanCompose).mockResolvedValue(false);
+
+    // Run updateConfigAndContextComposeBinary
+    await handler.updateConfigAndContextComposeBinary(extensionContextMock);
+
+    expect(vi.mocked(extensionApi.context.setValue)).toHaveBeenCalledWith(
+      'compose.isPodmanComposeInstalledSystemWide',
+      false,
+    );
+  });
+});

extensions/compose/src/handler.ts

@@ -32,13 +32,6 @@ export async function updateConfigAndContextComposeBinary(
   await checkAndUpdateComposeBinaryInstalledContexts(detect);
 }
 
-export async function isDockerComposeInstalledSystemWide(
-  extensionContext: extensionApi.ExtensionContext,
-): Promise<boolean> {
-  const detect = new Detect(os, extensionContext.storagePath);
-  return await detect.checkSystemWideDockerCompose();
-}
-
 // Handle configuration changes (for example, when the user toggles the "Install compose system-wide" setting)
 export function handleConfigurationChanges(extensionContext: extensionApi.ExtensionContext): void {
   const detect = new Detect(os, extensionContext.storagePath);

extensions/compose/vite.config.js

@@ -57,6 +57,7 @@ const config = {
     globals: true,
     environment: 'node',
     include: ['src/**/*.{test,spec}.?(c|m)[jt]s?(x)'],
+    globalSetup: [join(PACKAGE_ROOT, '..', '..', '__mocks__', 'vitest-generate-api-global-setup.ts')],
     alias: {
       '@podman-desktop/api': join(PACKAGE_ROOT, '..', '..', '__mocks__/@podman-desktop/api.js'),
     },

extensions/docker/packages/extension/package.json

@@ -2,7 +2,7 @@
   "name": "docker",
   "displayName": "Docker",
   "description": "Integration for Docker engine",
-  "version": "1.24.0-next",
+  "version": "1.28.0-next",
   "icon": "icon.png",
   "publisher": "podman-desktop",
   "license": "Apache-2.0",
@@ -22,10 +22,10 @@
   "devDependencies": {
     "@podman-desktop/api": "workspace:*",
     "@podman-desktop/docker-extension-api": "workspace:*",
-    "adm-zip": "^0.5.16",
+    "adm-zip": "^0.5.17",
     "mkdirp": "^3.0.1",
-    "vite": "^7.2.7",
-    "vitest": "^4.0.10"
+    "vite": "^7.3.2",
+    "vitest": "^4.1.4"
   },
   "contributes": {
     "commands": [

extensions/docker/packages/extension/src/docker-cli.ts

@@ -17,22 +17,7 @@
  ***********************************************************************/
 import * as extensionApi from '@podman-desktop/api';
 
-const macosExtraPath = '/usr/local/bin:/opt/homebrew/bin:/opt/local/bin';
-
-export function getInstallationPath(): string | undefined {
-  const env = process.env;
-  if (extensionApi.env.isMac) {
-    if (!env.PATH) {
-      return macosExtraPath;
-    } else {
-      return env.PATH.concat(':').concat(macosExtraPath);
-    }
-  } else {
-    return env.PATH;
-  }
-}
-
-export function getDockerCli(): string {
+function getDockerCli(): string {
   if (extensionApi.env.isWindows) {
     return 'docker.exe';
   }

extensions/docker/packages/extension/src/docker-context-handler.spec.ts

@@ -41,7 +41,7 @@ class TestDockerContextHandler extends DockerContextHandler {
 }
 
 // mock exists sync
-vi.mock('node:fs');
+vi.mock(import('node:fs'));
 
 const originalConsoleError = console.error;
 let dockerContextHandler: TestDockerContextHandler;

extensions/docker/packages/extension/vite.config.js

@@ -57,6 +57,7 @@ const config = {
     globals: true,
     environment: 'node',
     include: ['src/**/*.{test,spec}.?(c|m)[jt]s?(x)'],
+    globalSetup: [join(PACKAGE_ROOT, '..', '..', '..', '..', '__mocks__', 'vitest-generate-api-global-setup.ts')],
     alias: {
       '@podman-desktop/api': join(PACKAGE_ROOT, '..', '..', '..', '..', '__mocks__/@podman-desktop/api.js'),
     },

extensions/kind/package.json

@@ -2,7 +2,7 @@
   "name": "kind",
   "displayName": "Kind",
   "description": "Integration for Kind: run local Kubernetes clusters using container “nodes”",
-  "version": "1.24.0-next",
+  "version": "1.28.0-next",
   "icon": "icon.png",
   "publisher": "podman-desktop",
   "license": "Apache-2.0",
@@ -113,14 +113,14 @@
     "@kubernetes/client-node": "^1.4.0",
     "@podman-desktop/api": "workspace:*",
     "mustache": "^4.2.0",
-    "yaml": "^2.8.2"
+    "yaml": "^2.8.3"
   },
   "devDependencies": {
-    "adm-zip": "^0.5.16",
+    "adm-zip": "^0.5.17",
     "mkdirp": "^3.0.1",
     "tmp-promise": "^3.0.3",
     "tsx": "^4.21.0",
-    "vite": "^7.2.7",
-    "vitest": "^4.0.10"
+    "vite": "^7.3.2",
+    "vitest": "^4.1.4"
   }
 }

extensions/kind/src/create-cluster.spec.ts

@@ -31,16 +31,7 @@ import { getKindPath, getMemTotalInfo } from './util';
 vi.mock(import('./kind-cluster-watcher'));
 vi.mock(import('@kubernetes/client-node'));
 vi.mock(import('./util'));
-
-vi.mock('node:fs', () => ({
-  promises: {
-    writeFile: vi.fn(),
-    readFile: vi.fn(),
-    mkdtemp: vi.fn(),
-    rm: vi.fn(),
-  },
-  readFileSync: vi.fn(),
-}));
+vi.mock(import('node:fs'));
 
 beforeEach(() => {
   vi.resetAllMocks();
@@ -407,7 +398,7 @@ test('check that consilience check returns warning message', async () => {
   expect(checks.records.length).toBe(1);
   expect(checks.records[0]).to.contains({
     type: 'info',
-    record: 'It is recommend to install Kind on a virtual machine with at least 6GB of memory.',
+    record: 'It is recommended to install Kind on a virtual machine with at least 6GB of memory.',
   } as AuditRecord);
 });
 

extensions/kind/src/create-cluster.ts

@@ -211,7 +211,7 @@ export async function connectionAuditor(provider: string, items: AuditRequestIte
     if (memTotal < 6000000000) {
       records.push({
         type: 'info',
-        record: 'It is recommend to install Kind on a virtual machine with at least 6GB of memory.',
+        record: 'It is recommended to install Kind on a virtual machine with at least 6GB of memory.',
       });
     }
   }

extensions/kind/src/extension.spec.ts

@@ -28,7 +28,7 @@ import type { KindGithubReleaseArtifactMetadata } from './kind-installer';
 import { KindInstaller } from './kind-installer';
 import * as util from './util';
 
-vi.mock('node:fs');
+vi.mock(import('node:fs'));
 vi.mock(import('./util'));
 vi.mock(import('./image-handler'));
 vi.mock(import('./create-cluster'));
@@ -50,6 +50,7 @@ const PROVIDER_MOCK: podmanDesktopApi.Provider = {
   onDidUpdateVersion: vi.fn(),
   updateVersion: vi.fn(),
   registerUpdate: vi.fn(),
+  updateWarnings: vi.fn(),
 } as unknown as podmanDesktopApi.Provider;
 
 beforeEach(() => {
@@ -72,6 +73,7 @@ beforeEach(() => {
   vi.mocked(podmanDesktopApi.containerEngine.listContainers).mockResolvedValue([]);
   vi.mocked(util.removeVersionPrefix).mockReturnValue('1.0.0');
   vi.mocked(util.getSystemBinaryPath).mockReturnValue('test-storage-path/kind');
+  vi.mocked(podmanDesktopApi.provider.getContainerConnections).mockReturnValue([]);
 });
 
 afterEach(() => {
@@ -106,8 +108,10 @@ test('check we received notifications ', async () => {
     callbackCalled = true;
   });
 
-  const fakeProvider = {} as unknown as podmanDesktopApi.Provider;
-  extension.refreshKindClustersOnProviderConnectionUpdate(fakeProvider);
+  const fakeProvider = { updateWarnings: vi.fn() } as unknown as podmanDesktopApi.Provider;
+  const fakeTelemetryLogger = { logUsage: vi.fn() } as unknown as extensionApi.TelemetryLogger;
+
+  extension.refreshKindClustersOnProviderConnectionUpdate(fakeProvider, fakeTelemetryLogger);
   expect(callbackCalled).toBeTruthy();
   expect(listContainersMock).toBeCalledTimes(1);
 });
@@ -209,6 +213,7 @@ test('Ensuring a progress task is created when calling kind.image.move command',
     setKubernetesProviderConnectionFactory: vi.fn(),
     onDidUpdateVersion: vi.fn(),
     updateVersion: vi.fn(),
+    updateWarnings: vi.fn(),
   }));
 
   const listContainersMock = vi.fn();
@@ -311,6 +316,14 @@ describe('cli#update', () => {
 
     expect(disposeMock).toHaveBeenCalled();
   });
+
+  test('uninstall should clear the provider version', async () => {
+    vi.mocked(KindInstaller.prototype.getLatestVersionAsset).mockResolvedValue(mockV1Release);
+
+    await (await getCliToolInstaller()).doUninstall({} as unknown as extensionApi.Logger);
+
+    expect(PROVIDER_MOCK.updateVersion).toHaveBeenCalledWith('');
+  });
 });
 
 /**
@@ -390,6 +403,7 @@ describe('cli#install', () => {
       path: 'path',
       version: '1.0.2',
     });
+    expect(PROVIDER_MOCK.updateVersion).toHaveBeenCalledWith('1.0.2');
   });
 
   test('if installing system wide fails, it should not throw', async () => {
@@ -480,11 +494,51 @@ describe('kubernetes create factory', () => {
     );
   });
 
-  test('activate should register a kubernetes create factory', async () => {
-    expect(PROVIDER_MOCK.setKubernetesProviderConnectionFactory).toHaveBeenCalledOnce();
+  test('activate should register a kubernetes create factory when running connections exist', async () => {
+    vi.mocked(podmanDesktopApi.provider.getContainerConnections).mockReturnValue([
+      {
+        connection: {
+          name: 'podman-machine-default',
+          status: () => 'started',
+          type: 'podman',
+        },
+      } as unknown as extensionApi.ProviderContainerConnection,
+    ]);
+
+    await extension.activate(
+      vi.mocked<extensionApi.ExtensionContext>({
+        subscriptions: {
+          push: vi.fn(),
+        },
+      } as unknown as extensionApi.ExtensionContext),
+    );
+
+    expect(PROVIDER_MOCK.setKubernetesProviderConnectionFactory).toHaveBeenCalled();
+  });
+
+  test('activate should NOT register factory when no running connections', async () => {
+    expect(PROVIDER_MOCK.setKubernetesProviderConnectionFactory).not.toHaveBeenCalled();
   });
 
   test('expect info message to be displayed when no binary installed and cluster created called', async () => {
+    vi.mocked(podmanDesktopApi.provider.getContainerConnections).mockReturnValue([
+      {
+        connection: {
+          name: 'podman-machine-default',
+          status: () => 'started',
+          type: 'podman',
+        },
+      } as unknown as extensionApi.ProviderContainerConnection,
+    ]);
+
+    await extension.activate(
+      vi.mocked<extensionApi.ExtensionContext>({
+        subscriptions: {
+          push: vi.fn(),
+        },
+      } as unknown as extensionApi.ExtensionContext),
+    );
+
     // get the create method
     const { create } = vi.mocked(PROVIDER_MOCK.setKubernetesProviderConnectionFactory).mock.calls[0][0];
     expect(create).toBeDefined();
@@ -501,6 +555,24 @@ describe('kubernetes create factory', () => {
   });
 
   test('user confirm installation should install latest', async () => {
+    vi.mocked(podmanDesktopApi.provider.getContainerConnections).mockReturnValue([
+      {
+        connection: {
+          name: 'podman-machine-default',
+          status: () => 'started',
+          type: 'podman',
+        },
+      } as unknown as extensionApi.ProviderContainerConnection,
+    ]);
+
+    await extension.activate(
+      vi.mocked<extensionApi.ExtensionContext>({
+        subscriptions: {
+          push: vi.fn(),
+        },
+      } as unknown as extensionApi.ExtensionContext),
+    );
+
     // get the create method
     const { create } = vi.mocked(PROVIDER_MOCK.setKubernetesProviderConnectionFactory).mock.calls[0][0];
     expect(create).toBeDefined();
@@ -538,6 +610,15 @@ describe('provider#update', () => {
     expect(PROVIDER_MOCK.registerUpdate).toHaveBeenCalled();
   });
 
+  test('Register update in provider is not called if CLI is not installed', async () => {
+    vi.mocked(util.getKindBinaryInfo).mockRejectedValue(new Error('not found'));
+    vi.mocked(KindInstaller.prototype.getLatestVersionAsset).mockResolvedValue({
+      tag: 'v1.5.6',
+    } as unknown as KindGithubReleaseArtifactMetadata);
+    await activate();
+    expect(PROVIDER_MOCK.registerUpdate).not.toHaveBeenCalled();
+  });
+
   test('Register update in provider is not called if there is no update available', async () => {
     vi.mocked(KindInstaller.prototype.getLatestVersionAsset).mockResolvedValue({
       tag: 'v0.0.1',
@@ -557,3 +638,78 @@ describe('provider#update', () => {
     expect(disposeMock).toHaveBeenCalledTimes(1);
   });
 });
+
+describe('provider warnings', () => {
+  beforeEach(() => {
+    vi.mocked(util.getKindBinaryInfo).mockResolvedValue({
+      path: 'kind',
+      version: '0.0.1',
+    });
+    (podmanDesktopApi.env.isLinux as unknown as boolean) = false;
+  });
+
+  test('should clear warnings when running container connections exist', async () => {
+    vi.mocked(podmanDesktopApi.provider.getContainerConnections).mockReturnValue([
+      {
+        connection: {
+          name: 'podman-machine-default',
+          status: () => 'started',
+          type: 'podman',
+        },
+      } as unknown as extensionApi.ProviderContainerConnection,
+    ]);
+
+    await activate();
+
+    expect(PROVIDER_MOCK.updateWarnings).toHaveBeenCalledWith([]);
+  });
+
+  test('should show warning when no running container connections exist (non-Linux)', async () => {
+    (podmanDesktopApi.env.isLinux as unknown as boolean) = false;
+    vi.mocked(podmanDesktopApi.provider.getContainerConnections).mockReturnValue([]);
+
+    await activate();
+
+    expect(PROVIDER_MOCK.updateWarnings).toHaveBeenCalledWith([
+      {
+        name: 'Container Engine Required',
+        details: 'Start your container provider (e.g. Podman) to create Kind clusters',
+      },
+    ]);
+  });
+
+  test('should show warning when no running container connections exist (Linux)', async () => {
+    (podmanDesktopApi.env.isLinux as unknown as boolean) = true;
+    vi.mocked(podmanDesktopApi.provider.getContainerConnections).mockReturnValue([]);
+
+    await activate();
+
+    expect(PROVIDER_MOCK.updateWarnings).toHaveBeenCalledWith([
+      {
+        name: 'Container Engine Required',
+        details: 'Install and start a container engine (e.g. Podman) to create Kind clusters',
+      },
+    ]);
+  });
+
+  test('should show warning when container connections exist but none are running', async () => {
+    vi.mocked(podmanDesktopApi.provider.getContainerConnections).mockReturnValue([
+      {
+        connection: {
+          name: 'podman-machine-default',
+          status: () => 'stopped',
+          type: 'podman',
+        },
+      } as unknown as extensionApi.ProviderContainerConnection,
+    ]);
+
+    await activate();
+
+    expect(PROVIDER_MOCK.updateWarnings).toHaveBeenCalledWith([
+      {
+        name: 'Container Engine Required',
+        details: 'Start your container provider (e.g. Podman) to create Kind clusters',
+      },
+    ]);
+  });
+});

extensions/kind/src/extension.ts

@@ -21,8 +21,8 @@ import * as path from 'node:path';
 
 import { Octokit } from '@octokit/rest';
 import type { AuditRequestItems, CancellationToken, CliTool, Logger } from '@podman-desktop/api';
-import { window } from '@podman-desktop/api';
 import * as extensionApi from '@podman-desktop/api';
+import { window } from '@podman-desktop/api';
 
 import { connectionAuditor, createCluster } from './create-cluster';
 import type { ImageInfo } from './image-handler';
@@ -93,12 +93,15 @@ async function installLatestKind(): Promise<string> {
   return cliPath;
 }
 
-async function registerProvider(
-  extensionContext: extensionApi.ExtensionContext,
+/**
+ * Registers the Kubernetes provider connection factory for creating Kind clusters.
+ * Should only be called when container connections are available.
+ */
+function registerKubernetesFactory(
   provider: extensionApi.Provider,
   telemetryLogger: extensionApi.TelemetryLogger,
-): Promise<void> {
-  const disposable = provider.setKubernetesProviderConnectionFactory(
+): extensionApi.Disposable {
+  return provider.setKubernetesProviderConnectionFactory(
     {
       create: async (params: { [key: string]: unknown }, logger?: Logger, token?: CancellationToken) => {
         // if kind is not installed, let's ask the user to install it
@@ -122,9 +125,43 @@ async function registerProvider(
       },
     },
   );
-  extensionContext.subscriptions.push(disposable);
+}
 
-  // search
+/**
+ * Updates the Kind Kubernetes factory registration based on container connection availability.
+ * Registers factory when running connections exist, unregisters when none are available.
+ */
+function updateKubernetesFactoryRegistration(
+  provider: extensionApi.Provider,
+  telemetryLogger: extensionApi.TelemetryLogger,
+): void {
+  const containerConnections = extensionApi.provider.getContainerConnections();
+  const runningConnections = containerConnections.filter(conn => conn.connection.status() === 'started');
+
+  if (runningConnections.length > 0) {
+    kubernetesFactoryDisposable ??= registerKubernetesFactory(provider, telemetryLogger);
+    provider.updateWarnings([]);
+  } else {
+    if (kubernetesFactoryDisposable) {
+      kubernetesFactoryDisposable.dispose();
+      kubernetesFactoryDisposable = undefined;
+    }
+    provider.updateWarnings([
+      {
+        name: 'Container Engine Required',
+        details: extensionApi.env.isLinux
+          ? 'Install and start a container engine (e.g. Podman) to create Kind clusters'
+          : 'Start your container provider (e.g. Podman) to create Kind clusters',
+      },
+    ]);
+  }
+}
+
+async function registerProvider(
+  provider: extensionApi.Provider,
+  telemetryLogger: extensionApi.TelemetryLogger,
+): Promise<void> {
+  updateKubernetesFactoryRegistration(provider, telemetryLogger);
   await searchKindClusters(provider);
   console.log('kind extension is active');
 }
@@ -282,15 +319,20 @@ async function searchKindClusters(provider: extensionApi.Provider): Promise<void
   await updateClusters(provider, kindContainers);
 }
 
-export function refreshKindClustersOnProviderConnectionUpdate(provider: extensionApi.Provider): void {
+export function refreshKindClustersOnProviderConnectionUpdate(
+  provider: extensionApi.Provider,
+  telemetryLogger: extensionApi.TelemetryLogger,
+): void {
   // when a provider is changing, update the status
   extensionApi.provider.onDidUpdateContainerConnection(async () => {
     // needs to search for kind clusters
     await searchKindClusters(provider);
+    updateKubernetesFactoryRegistration(provider, telemetryLogger);
   });
 }
 
 let currentUpdateDisposable: extensionApi.Disposable | undefined = undefined;
+let kubernetesFactoryDisposable: extensionApi.Disposable | undefined = undefined;
 
 export async function createProvider(
   extensionContext: extensionApi.ExtensionContext,
@@ -316,7 +358,7 @@ export async function createProvider(
   provider = extensionApi.provider.createProvider(providerOptions);
 
   extensionContext.subscriptions.push(provider);
-  await registerProvider(extensionContext, provider, telemetryLogger);
+  await registerProvider(provider, telemetryLogger);
   extensionContext.subscriptions.push(
     extensionApi.commands.registerCommand(KIND_MOVE_IMAGE_COMMAND, async image => {
       telemetryLogger.logUsage('moveImage');
@@ -328,7 +370,7 @@ export async function createProvider(
     }),
   );
 
-  if (latestAsset && latestAsset.tag.slice(1) !== kindCli?.version && providerUpdate) {
+  if (kindPath && latestAsset && latestAsset.tag.slice(1) !== kindCli?.version && providerUpdate) {
     currentUpdateDisposable = provider.registerUpdate(providerUpdate);
   }
 
@@ -341,16 +383,18 @@ export async function createProvider(
   });
 
   // when a container provider connection is changing, search for kind clusters
-  refreshKindClustersOnProviderConnectionUpdate(provider);
+  refreshKindClustersOnProviderConnectionUpdate(provider, telemetryLogger);
 
   // search when a new container is updated or removed
   extensionApi.provider.onDidRegisterContainerConnection(async () => {
     await searchKindClusters(provider);
+    updateKubernetesFactoryRegistration(provider, telemetryLogger);
   });
   extensionApi.provider.onDidUnregisterContainerConnection(async () => {
     await searchKindClusters(provider);
+    updateKubernetesFactoryRegistration(provider, telemetryLogger);
   });
-  extensionApi.provider.onDidUpdateProvider(async () => registerProvider(extensionContext, provider, telemetryLogger));
+  extensionApi.provider.onDidUpdateProvider(async () => registerProvider(provider, telemetryLogger));
   // search for kind clusters on boot
   await searchKindClusters(provider);
 }
@@ -561,6 +605,7 @@ async function registerCliTool(
         installationSource: 'extension',
       });
       kindPath = cliPath;
+      provider.updateVersion(releaseVersionToInstall);
       if (releaseVersionToInstall === latestVersion) {
         delete update.version;
       } else {
@@ -585,6 +630,7 @@ async function registerCliTool(
       // update the version and path to undefined
       kindPath = undefined;
 
+      provider.updateVersion('');
       currentUpdateDisposable?.dispose();
     },
   });
@@ -645,6 +691,12 @@ async function deleteExecutableAsAdmin(filePath: string): Promise<void> {
 
 export function deactivate(): void {
   console.log('stopping kind extension');
+
+  if (kubernetesFactoryDisposable) {
+    kubernetesFactoryDisposable.dispose();
+    kubernetesFactoryDisposable = undefined;
+  }
+
   kindPath = undefined;
   kindCli = undefined;
 }

extensions/kind/src/image-handler.spec.ts

@@ -16,25 +16,28 @@
  * SPDX-License-Identifier: Apache-2.0
  ***********************************************************************/
 
-import * as fs from 'node:fs';
+import { writeFileSync } from 'node:fs';
+import * as os from 'node:os';
 
 import * as extensionApi from '@podman-desktop/api';
 import type { Mock } from 'vitest';
 import { beforeEach, expect, test, vi } from 'vitest';
 
 import { ImageHandler } from './image-handler';
-import { getKindPath } from './util';
+import { getKindPath, getTempDir } from './util';
 
 let imageHandler: ImageHandler;
 
-vi.mock('./util', async () => {
+vi.mock(import('./util'), async () => {
   return {
     getKindPath: vi.fn(),
+    getTempDir: vi.fn(),
   };
 });
 
 beforeEach(() => {
   vi.clearAllMocks();
+  vi.mocked(getTempDir).mockResolvedValue(os.tmpdir());
   imageHandler = new ImageHandler();
 });
 
@@ -58,7 +61,10 @@ test('expect error to be raised if no clusters are given', async () => {
 
 test('expect image name to be given', async () => {
   (extensionApi.containerEngine.saveImage as Mock).mockImplementation(
-    (engineId: string, id: string, filename: string) => fs.promises.open(filename, 'w'),
+    (_engineId: string, _id: string, filename: string) => {
+      writeFileSync(filename, '');
+      return Promise.resolve();
+    },
   );
 
   await imageHandler.moveImage(
@@ -71,7 +77,7 @@ test('expect image name to be given', async () => {
 
 test('expect getting showInformationMessage when image is pushed', async () => {
   (extensionApi.containerEngine.saveImage as Mock).mockImplementation(
-    (engineId: string, id: string, filename: string) => fs.promises.open(filename, 'w'),
+    (_engineId: string, _id: string, filename: string) => writeFileSync(filename, ''),
   );
 
   await imageHandler.moveImage(
@@ -84,7 +90,7 @@ test('expect getting showInformationMessage when image is pushed', async () => {
 
 test('expect image name and tag to be given', async () => {
   (extensionApi.containerEngine.saveImage as Mock).mockImplementation(
-    (engineId: string, id: string, filename: string) => fs.promises.open(filename, 'w'),
+    (_engineId: string, _id: string, filename: string) => writeFileSync(filename, ''),
   );
 
   await imageHandler.moveImage(
@@ -97,7 +103,7 @@ test('expect image name and tag to be given', async () => {
 
 test('expect cli is called with right PATH', async () => {
   (extensionApi.containerEngine.saveImage as Mock).mockImplementation(
-    (engineId: string, id: string, filename: string) => fs.promises.open(filename, 'w'),
+    (_engineId: string, _id: string, filename: string) => writeFileSync(filename, ''),
   );
 
   (getKindPath as Mock).mockReturnValue('my-custom-path');

extensions/kind/src/image-handler.ts

@@ -16,12 +16,12 @@
  * SPDX-License-Identifier: Apache-2.0
  ***********************************************************************/
 import * as fs from 'node:fs';
+import { join } from 'node:path';
 
 import * as extensionApi from '@podman-desktop/api';
-import { tmpName } from 'tmp-promise';
 
 import type { KindCluster } from './extension';
-import { getKindPath } from './util';
+import { getKindPath, getTempDir } from './util';
 
 export type ImageInfo = { engineId: string; name?: string; tag?: string };
 
@@ -56,6 +56,7 @@ export class ImageHandler {
     // Only proceed if a cluster was selected
     if (selectedCluster) {
       let name = image.name;
+      let tmpDirectory: string | undefined;
       let filename: string | undefined;
       const env: { [key: string]: string } = {};
 
@@ -73,8 +74,12 @@ export class ImageHandler {
 
       env.PATH = getKindPath() ?? '';
       try {
-        // Create a temporary file to store the image
-        filename = await tmpName();
+        // Create a temporary directory to store the image archive.
+        // In Flatpak, /tmp is sandbox-private; getTempDir() returns a shared directory
+        // so the host-side `kind` process can access the file via flatpak-spawn.
+        const baseDir = await getTempDir();
+        tmpDirectory = await fs.promises.mkdtemp(join(baseDir, 'kind-image-'));
+        filename = join(tmpDirectory, 'image.tar');
 
         // Save the image to the temporary file
         await extensionApi.containerEngine.saveImage(image.engineId, name, filename);
@@ -98,9 +103,9 @@ export class ImageHandler {
         // Throw the errors to the console aswell
         throw new Error(`Unable to push image to Kind cluster: ${err}`);
       } finally {
-        // Remove the temporary file if one was created
-        if (filename !== undefined) {
-          await fs.promises.rm(filename);
+        // Remove the temporary directory and its contents
+        if (tmpDirectory !== undefined) {
+          await fs.promises.rm(tmpDirectory, { recursive: true });
         }
       }
     }

extensions/kind/src/kind-cluster-watcher.spec.ts

@@ -16,13 +16,13 @@
  * SPDX-License-Identifier: Apache-2.0
  ***********************************************************************/
 
-import { KubeConfig } from '@kubernetes/client-node';
 import * as k8s from '@kubernetes/client-node';
+import { KubeConfig } from '@kubernetes/client-node';
 import { beforeEach, describe, expect, test, vi } from 'vitest';
 
 import { KindClusterWatcher } from './kind-cluster-watcher';
 
-vi.mock('@kubernetes/client-node');
+vi.mock(import('@kubernetes/client-node'));
 
 describe('KindClusterWatcher', () => {
   let mockKubeConfig: KubeConfig;

extensions/kind/src/kind-installer.spec.ts

@@ -31,7 +31,7 @@ import * as util from './util';
 
 let installer: KindInstaller;
 
-vi.mock('node:os', async () => {
+vi.mock(import('node:os'), async () => {
   return {
     platform: vi.fn(),
     arch: vi.fn(),
@@ -239,7 +239,7 @@ describe('install', () => {
     });
     vi.mocked(os.platform).mockReturnValue('win32');
     vi.mocked(os.arch).mockReturnValue('x64');
-    vi.mock('node:fs');
+    vi.mock(import('node:fs'));
     vi.mocked(fs.existsSync).mockReturnValue(true);
     const chmodMock = vi.spyOn(fs.promises, 'chmod');
     const downloadReleaseAssetMock = vi
@@ -264,7 +264,7 @@ describe('install', () => {
     });
     vi.mocked(os.platform).mockReturnValue('darwin');
     vi.mocked(os.arch).mockReturnValue('x64');
-    vi.mock('node:fs');
+    vi.mock(import('node:fs'));
     vi.mocked(fs.existsSync).mockReturnValue(true);
     const chmodMock = vi.spyOn(fs.promises, 'chmod').mockResolvedValue();
     const downloadReleaseAssetMock = vi
@@ -278,7 +278,7 @@ describe('install', () => {
 
 describe('downloadReleaseAsset', () => {
   test('should download the file if parent folder does exist', async () => {
-    vi.mock('node:fs');
+    vi.mock(import('node:fs'));
 
     getReleaseAssetMock.mockImplementation(() => {
       return { data: 'foo' };
@@ -302,7 +302,7 @@ describe('downloadReleaseAsset', () => {
   });
 
   test('should download the file if parent folder does not exist', async () => {
-    vi.mock('node:fs');
+    vi.mock(import('node:fs'));
 
     getReleaseAssetMock.mockImplementation(() => {
       return { data: 'foo' };

extensions/kind/src/util.spec.ts

@@ -0,0 +1,68 @@
+/**********************************************************************
+ * Copyright (C) 2026 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ***********************************************************************/
+
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import { join } from 'node:path';
+
+import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
+
+import { getTempDir } from './util';
+
+vi.mock(import('node:fs'));
+
+describe('getTempDir', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    vi.resetAllMocks();
+    process.env = { ...originalEnv };
+    delete process.env['FLATPAK_ID'];
+    delete process.env['XDG_CACHE_HOME'];
+    vi.mocked(fs.promises.mkdir).mockResolvedValue(undefined);
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  test('returns os.tmpdir() when not running in Flatpak', async () => {
+    const result = await getTempDir();
+    expect(result).toBe(os.tmpdir());
+    expect(fs.promises.mkdir).not.toHaveBeenCalled();
+  });
+
+  test('returns XDG_CACHE_HOME/kind-tmp when running in Flatpak with XDG_CACHE_HOME set', async () => {
+    process.env['FLATPAK_ID'] = 'io.podman_desktop.PodmanDesktop';
+    process.env['XDG_CACHE_HOME'] = '/custom/cache';
+
+    const result = await getTempDir();
+    const expected = join('/custom/cache', 'kind-tmp');
+    expect(result).toBe(expected);
+    expect(fs.promises.mkdir).toHaveBeenCalledWith(expected, { recursive: true });
+  });
+
+  test('falls back to ~/.cache/kind-tmp when running in Flatpak without XDG_CACHE_HOME', async () => {
+    process.env['FLATPAK_ID'] = 'io.podman_desktop.PodmanDesktop';
+
+    const result = await getTempDir();
+    const expected = join(os.homedir(), '.cache', 'kind-tmp');
+    expect(result).toBe(expected);
+    expect(fs.promises.mkdir).toHaveBeenCalledWith(expected, { recursive: true });
+  });
+});

extensions/kind/src/util.ts

@@ -16,6 +16,7 @@
  * SPDX-License-Identifier: Apache-2.0
  ***********************************************************************/
 
+import * as fs from 'node:fs';
 import * as http from 'node:http';
 import * as os from 'node:os';
 import { isAbsolute, join } from 'node:path';
@@ -197,3 +198,18 @@ export async function getMemTotalInfo(socketPath: string): Promise<number> {
 export function removeVersionPrefix(version: string): string {
   return version.replace('v', '').trim();
 }
+
+/**
+ * Returns a temp directory accessible from both the Flatpak sandbox and the host.
+ * In Flatpak, /tmp is a private tmpfs, so we use ~/.cache/kind-tmp/ which is
+ * shared via --filesystem=home.
+ */
+export async function getTempDir(): Promise<string> {
+  if (process.env['FLATPAK_ID']) {
+    const cacheHome = process.env['XDG_CACHE_HOME'] ?? join(os.homedir(), '.cache');
+    const tmpDir = join(cacheHome, 'kind-tmp');
+    await fs.promises.mkdir(tmpDir, { recursive: true });
+    return tmpDir;
+  }
+  return os.tmpdir();
+}

extensions/kind/vite.config.js

@@ -57,6 +57,7 @@ const config = {
     globals: true,
     environment: 'node',
     include: ['src/**/*.{test,spec}.?(c|m)[jt]s?(x)'],
+    globalSetup: [join(PACKAGE_ROOT, '..', '..', '__mocks__', 'vitest-generate-api-global-setup.ts')],
     alias: {
       '@podman-desktop/api': join(PACKAGE_ROOT, '..', '..', '__mocks__/@podman-desktop/api.js'),
     },

extensions/kube-context/package.json

@@ -2,7 +2,7 @@
   "name": "kube-context",
   "displayName": "Kube Context",
   "description": "Easily switch between Kubernetes contexts",
-  "version": "1.24.0-next",
+  "version": "1.28.0-next",
   "icon": "icon.png",
   "publisher": "podman-desktop",
   "license": "Apache-2.0",
@@ -42,10 +42,10 @@
     "js-yaml": "^4.1.1"
   },
   "devDependencies": {
-    "adm-zip": "^0.5.16",
+    "adm-zip": "^0.5.17",
     "@types/js-yaml": "^4.0.9",
     "mkdirp": "^3.0.1",
-    "vite": "^7.2.7",
-    "vitest": "^4.0.10"
+    "vite": "^7.3.2",
+    "vitest": "^4.1.4"
   }
 }

extensions/kube-context/src/extension.spec.ts

@@ -29,17 +29,6 @@ const item = {
   text: '',
 };
 
-vi.mock('@podman-desktop/api', async () => {
-  return {
-    window: {
-      createStatusBarItem: vi.fn(),
-    },
-    tray: {
-      registerMenuItem: vi.fn(),
-    },
-  };
-});
-
 beforeAll(() => {
   (podmanDesktopApi.window.createStatusBarItem as Mock).mockReturnValue(item);
 });

extensions/kube-context/vite.config.js

@@ -57,6 +57,7 @@ const config = {
     globals: true,
     environment: 'node',
     include: ['src/**/*.{test,spec}.?(c|m)[jt]s?(x)'],
+    globalSetup: [join(PACKAGE_ROOT, '..', '..', '__mocks__', 'vitest-generate-api-global-setup.ts')],
     alias: {
       '@podman-desktop/api': join(PACKAGE_ROOT, '..', '..', '__mocks__/@podman-desktop/api.js'),
     },

extensions/kubectl-cli/package.json

@@ -2,7 +2,7 @@
   "name": "kubectl-cli",
   "displayName": "kubectl CLI",
   "description": "Install and update kubectl CLI Tools without leaving Podman Desktop",
-  "version": "1.24.0-next",
+  "version": "1.28.0-next",
   "icon": "icon.png",
   "publisher": "podman-desktop",
   "license": "Apache-2.0",
@@ -148,16 +148,16 @@
   "dependencies": {
     "@octokit/rest": "^22.0.1",
     "@podman-desktop/api": "workspace:*",
-    "semver": "^7.7.3",
+    "semver": "^7.7.4",
     "shell-path": "^3.1.0"
   },
   "devDependencies": {
     "@types/semver": "^7.7.1",
-    "adm-zip": "^0.5.16",
+    "adm-zip": "^0.5.17",
     "byline": "^5.0.0",
     "copyfiles": "^2.4.1",
     "mkdirp": "^3.0.1",
-    "vite": "^7.2.7",
-    "vitest": "^4.0.10"
+    "vite": "^7.3.2",
+    "vitest": "^4.1.4"
   }
 }

extensions/kubectl-cli/src/cli-run.spec.ts

@@ -25,7 +25,7 @@ import { beforeEach, expect, test, vi } from 'vitest';
 import { installBinaryToSystem } from './cli-run';
 
 // mock exists sync
-vi.mock('node:fs', async () => {
+vi.mock(import('node:fs'), async () => {
   return {
     existsSync: vi.fn(),
   };

extensions/kubectl-cli/src/detect.spec.ts

@@ -34,7 +34,7 @@ const osMock: OS = {
 
 let detect: Detect;
 
-vi.mock('shell-path', () => {
+vi.mock(import('shell-path'), () => {
   return {
     shellPath: vi.fn(),
   };
@@ -101,7 +101,7 @@ describe('Check storage path', async () => {
   });
 
   test('found', async () => {
-    vi.mock('node:fs');
+    vi.mock(import('node:fs'));
     const existSyncSpy = vi.spyOn(fs, 'existsSync');
     existSyncSpy.mockImplementation(() => true);
 

extensions/kubectl-cli/src/download.spec.ts

@@ -124,7 +124,7 @@ test('test download of kubectl passes and that mkdir and executable mocks are ca
   const downloadReleaseAssetMock = vi.spyOn(kubectlGitHubReleasesMock, 'downloadReleaseAsset');
 
   // Mock that the storage path does not exist
-  vi.mock('node:fs');
+  vi.mock(import('node:fs'));
   vi.spyOn(fs, 'existsSync').mockImplementation(() => {
     return false;
   });

extensions/kubectl-cli/src/extension.spec.ts

@@ -20,7 +20,7 @@ import * as fs from 'node:fs';
 import { tmpdir } from 'node:os';
 import * as path from 'node:path';
 
-import type { CliToolSelectUpdate, Configuration, Logger } from '@podman-desktop/api';
+import type { CliToolSelectUpdate, Configuration, Logger, Provider, ProviderUpdate } from '@podman-desktop/api';
 import * as extensionApi from '@podman-desktop/api';
 import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
 
@@ -37,21 +37,17 @@ const extensionContext = {
 
 vi.mock(import('./cli-run'));
 vi.mock(import('./kubectl-github-releases'));
-
-vi.mock('node:fs', () => ({
-  promises: {
-    chmod: vi.fn(),
-    mkdir: vi.fn(),
-    unlink: vi.fn(),
-  },
-  existsSync: vi.fn(),
-}));
+vi.mock(import('node:fs'));
 
 beforeEach(() => {
   vi.mocked(extensionApi.configuration.getConfiguration).mockReturnValue({
     update: vi.fn(),
   } as unknown as Configuration);
   vi.mocked(extensionApi.process.exec).mockClear();
+  vi.mocked(extensionApi.provider.createProvider).mockReturnValue({
+    registerUpdate: vi.fn().mockReturnValue({ dispose: vi.fn() }),
+    updateVersion: vi.fn(),
+  } as unknown as Provider);
 
   vi.mocked(KubectlGitHubReleases.prototype.grabLatestsReleasesMetadata).mockResolvedValue([
     {
@@ -523,6 +519,9 @@ describe('postActivate', () => {
     expect(vi.mocked(cliRun.installBinaryToSystem).mock.calls[0][0]).toContain(
       path.resolve(extensionContext.storagePath, 'bin', 'kubectl'),
     );
+
+    const providerMock = vi.mocked(extensionApi.provider.createProvider).mock.results[0].value as Provider;
+    expect(providerMock.updateVersion).toHaveBeenCalledWith('1.2.0');
   });
 
   test('doInstall should download and install selected binary', async () => {
@@ -652,6 +651,9 @@ describe('postActivate', () => {
 
     expect(fs.promises.unlink).toHaveBeenCalledWith(path.join(extensionContext.storagePath, 'bin', 'kubectl'));
     expect(extensionApi.process.exec).toHaveBeenCalledWith('rm', ['system-path'], { isAdmin: true });
+
+    const providerMock = vi.mocked(extensionApi.provider.createProvider).mock.results[0].value as Provider;
+    expect(providerMock.updateVersion).toHaveBeenCalledWith('');
   });
 
   test('if unlink fails because of a permission issue, it should delete all binaries as admin', async () => {
@@ -717,4 +719,136 @@ describe('postActivate', () => {
       { isAdmin: true },
     );
   });
+
+  describe('provider registerUpdate (Resources page)', () => {
+    let registerUpdateSpy: ReturnType<typeof vi.fn>;
+
+    beforeEach(() => {
+      registerUpdateSpy = vi.fn().mockReturnValue({ dispose: vi.fn() });
+      vi.mocked(extensionApi.provider.createProvider).mockReturnValue({
+        registerUpdate: registerUpdateSpy,
+        updateVersion: vi.fn(),
+      } as unknown as Provider);
+    });
+
+    function mockExtensionInstalledKubectl(): void {
+      vi.spyOn(cliRun, 'getSystemBinaryPath').mockReturnValue('system-path');
+      vi.mocked(extensionApi.process.exec).mockImplementation(
+        (_command: string, _args?: string[], _options?: extensionApi.RunOptions) =>
+          new Promise<extensionApi.RunResult>(resolve => {
+            if (_args?.[0] === 'version') {
+              resolve({
+                stderr: '',
+                stdout: JSON.stringify(jsonStdout),
+                command: 'kubectl version --client=true -o=json',
+              });
+              return;
+            }
+            resolve({
+              stderr: '',
+              stdout: 'system-path',
+              command: 'which kubectl',
+            });
+          }),
+      );
+    }
+
+    /** Real CliTool exposes `version`; the extension compares it to the latest release tag. */
+    function mockCliToolWithVersion(
+      resolveRegisterUpdate: (listener: CliToolSelectUpdate) => void,
+      options: { version?: string },
+    ): extensionApi.CliTool {
+      return {
+        registerUpdate: (listener: CliToolSelectUpdate) => {
+          resolveRegisterUpdate(listener);
+          return {
+            dispose: vi.fn(),
+          };
+        },
+        registerInstaller: vi.fn(),
+        updateVersion: vi.fn(),
+        get version(): string | undefined {
+          return options.version;
+        },
+      } as unknown as extensionApi.CliTool;
+    }
+
+    test('registers provider update when a newer kubectl version is available', async () => {
+      mockExtensionInstalledKubectl();
+      const deferredCliUpdate: Promise<CliToolSelectUpdate> = new Promise<CliToolSelectUpdate>(resolve => {
+        vi.mocked(extensionApi.cli.createCliTool).mockImplementation(opts =>
+          mockCliToolWithVersion(resolve, opts as { version?: string }),
+        );
+      });
+
+      await KubectlExtension.activate(extensionContext);
+      await deferredCliUpdate;
+
+      expect(registerUpdateSpy).toHaveBeenCalledOnce();
+      expect(registerUpdateSpy.mock.calls[0][0]).toEqual(expect.objectContaining({ version: '1.30.3' }));
+    });
+
+    test('does not register provider update when kubectl is already the latest version', async () => {
+      vi.mocked(KubectlGitHubReleases.prototype.grabLatestsReleasesMetadata).mockResolvedValue([
+        {
+          label: 'Kubernetes v1.28.3',
+          tag: 'v1.28.3',
+          id: 165829199,
+        },
+      ]);
+      vi.spyOn(cliRun, 'getSystemBinaryPath').mockReturnValue('system-path');
+      vi.mocked(extensionApi.process.exec).mockImplementation(
+        (_command: string, _args?: string[], _options?: extensionApi.RunOptions) =>
+          new Promise<extensionApi.RunResult>(resolve => {
+            if (_args?.[0] === 'version') {
+              resolve({
+                stderr: '',
+                stdout: JSON.stringify(jsonStdout),
+                command: 'kubectl version --client=true -o=json',
+              });
+              return;
+            }
+            resolve({
+              stderr: '',
+              stdout: 'system-path',
+              command: 'which kubectl',
+            });
+          }),
+      );
+      const deferredCliUpdate: Promise<CliToolSelectUpdate> = new Promise<CliToolSelectUpdate>(resolve => {
+        vi.mocked(extensionApi.cli.createCliTool).mockImplementation(opts =>
+          mockCliToolWithVersion(resolve, opts as { version?: string }),
+        );
+      });
+
+      await KubectlExtension.activate(extensionContext);
+      await deferredCliUpdate;
+
+      expect(registerUpdateSpy).not.toHaveBeenCalled();
+    });
+
+    test('provider update callback downloads and installs kubectl', async () => {
+      mockExtensionInstalledKubectl();
+      const deferredCliUpdate: Promise<CliToolSelectUpdate> = new Promise<CliToolSelectUpdate>(resolve => {
+        vi.mocked(extensionApi.cli.createCliTool).mockImplementation(opts =>
+          mockCliToolWithVersion(resolve, opts as { version?: string }),
+        );
+      });
+
+      await KubectlExtension.activate(extensionContext);
+      await deferredCliUpdate;
+
+      const providerUpdate = registerUpdateSpy.mock.calls[0][0] as ProviderUpdate;
+      await providerUpdate.update({} as unknown as Logger);
+
+      expect(KubectlGitHubReleases.prototype.downloadReleaseAsset).toHaveBeenCalledWith(
+        'dummy download url',
+        expect.anything(),
+      );
+      expect(cliRun.installBinaryToSystem).toHaveBeenCalledWith(expect.anything(), 'kubectl');
+      expect(vi.mocked(cliRun.installBinaryToSystem).mock.calls[0][0]).toContain(
+        path.resolve(extensionContext.storagePath, 'bin', 'kubectl'),
+      );
+    });
+  });
 });

extensions/kubectl-cli/src/extension.ts

@@ -20,7 +20,7 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 
 import { Octokit } from '@octokit/rest';
-import type { CliTool } from '@podman-desktop/api';
+import type { CliTool, Logger, ProviderUpdate } from '@podman-desktop/api';
 import * as extensionApi from '@podman-desktop/api';
 
 import { getSystemBinaryPath, installBinaryToSystem } from './cli-run';
@@ -239,7 +239,7 @@ export async function activate(extensionContext: extensionApi.ExtensionContext):
 
   // Push the CLI tool as well (but it will do it postActivation so it does not block the activate() function)
   // Post activation
-  postActivate(extensionContext, kubectlDownload).catch((error: unknown) => {
+  postActivate(extensionContext, kubectlDownload, provider).catch((error: unknown) => {
     console.error('Error activating extension', error);
   });
 }
@@ -309,6 +309,7 @@ export async function findKubeCtl(extensionContext: extensionApi.ExtensionContex
 async function postActivate(
   extensionContext: extensionApi.ExtensionContext,
   kubectlDownload: KubectlDownload,
+  provider: extensionApi.Provider,
 ): Promise<void> {
   await findKubeCtl(extensionContext);
 
@@ -352,6 +353,9 @@ async function postActivate(
     console.error('Error when downloading kubectl CLI latest release information.', String(error));
   }
 
+  let kubectlProviderUpdateDisposable: extensionApi.Disposable | undefined;
+  let kubectlProviderUpdate: ProviderUpdate | undefined;
+
   const update = {
     version: latestAsset?.tag.slice(1) !== kubectlCliTool.version ? latestAsset?.tag.slice(1) : undefined,
     selectVersion: async (): Promise<string> => {
@@ -377,10 +381,17 @@ async function postActivate(
         installationSource: 'extension',
       });
       vpState.version = releaseVersionToUpdateTo;
+      provider.updateVersion(releaseVersionToUpdateTo);
       if (releaseToUpdateTo === latestAsset) {
         delete update.version;
+        kubectlProviderUpdateDisposable?.dispose();
       } else {
         update.version = latestAsset?.tag.slice(1);
+        if (kubectlProviderUpdate) {
+          kubectlProviderUpdate.version = latestAsset?.tag.slice(1) ?? kubectlProviderUpdate.version;
+          kubectlProviderUpdateDisposable?.dispose();
+          kubectlProviderUpdateDisposable = provider.registerUpdate(kubectlProviderUpdate);
+        }
       }
       releaseVersionToUpdateTo = undefined;
       releaseToUpdateTo = undefined;
@@ -414,6 +425,7 @@ async function postActivate(
         installationSource: 'extension',
       });
       vpState.version = releaseVersionToInstall;
+      provider.updateVersion(releaseVersionToInstall);
       if (releaseToInstall === latestAsset) {
         delete update.version;
       } else {
@@ -437,6 +449,8 @@ async function postActivate(
 
       // update the version to undefined
       vpState.version = undefined;
+      provider.updateVersion('');
+      kubectlProviderUpdateDisposable?.dispose();
     },
   });
 
@@ -450,6 +464,18 @@ async function postActivate(
   kubectlCliToolUpdaterDisposable = kubectlCliTool.registerUpdate(update);
 
   extensionContext.subscriptions.push(kubectlCliToolUpdaterDisposable);
+
+  if (update.version) {
+    kubectlProviderUpdate = {
+      version: update.version,
+      update: async (_logger: Logger): Promise<void> => {
+        releaseToUpdateTo = undefined;
+        releaseVersionToUpdateTo = undefined;
+        await update.doUpdate();
+      },
+    };
+    kubectlProviderUpdateDisposable = provider.registerUpdate(kubectlProviderUpdate);
+  }
 }
 
 function extractVersion(stdout: string): string {

extensions/kubectl-cli/src/kubectl-github-releases.spec.ts

@@ -116,7 +116,7 @@ describe('Grab asset id for a given release id', async () => {
 });
 
 test('should download the file if parent folder does exist', async () => {
-  vi.mock('node:fs');
+  vi.mock(import('node:fs'));
 
   getReleaseAssetMock.mockImplementation(() => {
     return { data: 'foo' };
@@ -140,7 +140,7 @@ test('should download the file if parent folder does exist', async () => {
 });
 
 test('should download the file if parent folder does not exist', async () => {
-  vi.mock('node:fs');
+  vi.mock(import('node:fs'));
 
   getReleaseAssetMock.mockReturnValue({ data: 'foo' });
 

extensions/kubectl-cli/vite.config.js

@@ -58,6 +58,7 @@ const config = {
     globals: true,
     environment: 'node',
     include: ['src/**/*.{test,spec}.?(c|m)[jt]s?(x)'],
+    globalSetup: [join(PACKAGE_ROOT, '..', '..', '__mocks__', 'vitest-generate-api-global-setup.ts')],
     alias: {
       '@podman-desktop/api': join(PACKAGE_ROOT, '..', '..', '__mocks__/@podman-desktop/api.js'),
     },

extensions/lima/package.json

@@ -2,7 +2,7 @@
   "name": "lima",
   "displayName": "Lima",
   "description": "Integration for Lima: Linux Machines (typically macOS)",
-  "version": "1.24.0-next",
+  "version": "1.28.0-next",
   "icon": "icon.png",
   "publisher": "podman-desktop",
   "license": "Apache-2.0",
@@ -72,10 +72,10 @@
     "@podman-desktop/api": "workspace:*"
   },
   "devDependencies": {
-    "adm-zip": "^0.5.16",
+    "adm-zip": "^0.5.17",
     "mkdirp": "^3.0.1",
-    "vite": "^7.2.7",
-    "vitest": "^4.0.10",
+    "vite": "^7.3.2",
+    "vitest": "^4.1.4",
     "tmp-promise": "^3.0.3"
   }
 }

extensions/lima/src/limactl.ts

@@ -47,6 +47,6 @@ export function getLimactl(): string {
 
 // Get the limactl binary path from configuration lima.binary.path
 // return string or undefined
-export function getCustomBinaryPath(): string | undefined {
+function getCustomBinaryPath(): string | undefined {
   return extensionApi.configuration.getConfiguration('lima').get('binary.path');
 }

extensions/lima/vite.config.js

@@ -57,6 +57,7 @@ const config = {
     globals: true,
     environment: 'node',
     include: ['src/**/*.{test,spec}.?(c|m)[jt]s?(x)'],
+    globalSetup: [join(PACKAGE_ROOT, '..', '..', '__mocks__', 'vitest-generate-api-global-setup.ts')],
     alias: {
       '@podman-desktop/api': join(PACKAGE_ROOT, '..', '..', '__mocks__/@podman-desktop/api.js'),
     },