Upgrade klone dependencies#813

Merged
inteon merged 2 commits into
masterfrom
upgrade_dependencies
Jun 3, 2026
Conversation

@inteon (Contributor) commented Jun 3, 2026

Upgrades klone dependencies (using make upgrade-klone).

Upgrades go to 1.26.4.

inteon added 2 commits June 3, 2026 16:00
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@wallrj-cyberark (Contributor) left a comment

Review Summary

Standard klone dependency upgrade. All changes are auto-generated by make upgrade-klone.

Changes

  • Go: 1.26.3 → 1.26.4
  • kind: v0.31.0 → v0.32.0 (drops Kube 1.31/1.32, adds 1.36, bumps 1.33–1.35)
  • actions/checkout: v6.0.2 → v6.0.3 (SHA pin verified)
  • Tool bumps: kyverno v1.18.0→v1.18.1, protoc v34.1→v35.0, trivy v0.70.0→v0.71.0, ytt v0.55.0→v0.55.1, rclone v1.74.1→v1.74.2, istioctl 1.29.2→1.30.0, goreleaser v2.15.4→v2.16.0, syft v1.44.0→v1.45.0, gh v2.92.0→v2.93.0, preflight 1.18.0→1.19.0, openapi-gen date bump
  • klone.yaml: all module hashes updated to cert-manager/makefile-modules@42a2144

govulncheck comparison

I ran make verify-govulncheck on both master (Go 1.26.3) and this branch (Go 1.26.4):

master — 4 symbol-level vulnerabilities:

  1. GO-2026-5039 (net/textproto) — arbitrary inputs in errors without escaping
  2. GO-2026-5038 (mime) — quadratic complexity in WordDecoder.DecodeHeader
  3. GO-2026-5037 (crypto/x509) — inefficient candidate hostname parsing
  4. GO-2026-5026 (golang.org/x/net/idna) — Punycode label validation failure

This PR — 1 symbol-level vulnerability:

  1. GO-2026-5026 (golang.org/x/net/idna) — still present (golang.org/x/net v0.53.0, fixed in v0.55.0)

The Go 1.26.4 upgrade fixes 3 of 4 symbol-level vulnerabilities in the actual code path. The remaining golang.org/x/net vulnerability requires a go.mod dependency bump (v0.53.0 → v0.55.0), which is out of scope for a klone upgrade but worth a follow-up.

CI: test and verify pass. E2E jobs skipped (as expected for this type of change).

Review conducted with assistance from Claude (Opus 4.6)
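Added example (not code from this PR or from the cert-manager project) that scripts the before/after comparison described in the review above: it parses two govulncheck -json streams and reports which symbol-level findings were fixed, introduced, or remain. It assumes govulncheck's JSON stream shape (concatenated objects keyed config/progress/osv/finding, where a finding's first trace entry carries a function key only at symbol level); the sample streams and the placeholder function names are constructed.

```python
import json

def iter_objects(stream):
    """Yield each JSON object from govulncheck's concatenated-object stream."""
    dec, pos = json.JSONDecoder(), 0
    while pos < len(stream):
        if stream[pos].isspace():
            pos += 1
            continue
        obj, pos = dec.raw_decode(stream, pos)
        yield obj

def symbol_level_findings(stream):
    """Map OSV id -> fixed_version for findings whose trace reaches a function."""
    found = {}
    for obj in iter_objects(stream):
        f = obj.get("finding")
        if not f or not f.get("trace"):
            continue
        if f["trace"][0].get("function"):  # symbol-level, not package/module-level
            found[f["osv"]] = f.get("fixed_version", "")
    return found

def compare(before, after):
    """Return which symbol-level findings were fixed, introduced or remain."""
    b, a = symbol_level_findings(before), symbol_level_findings(after)
    return {"fixed": sorted(set(b) - set(a)),
            "introduced": sorted(set(a) - set(b)),
            "remaining": {k: a[k] for k in sorted(set(a) & set(b))}}

def _finding(osv, fixed, module, version, pkg, func=None):
    """Build one constructed finding object; func=None makes it package-level."""
    entry = {"module": module, "version": version, "package": pkg}
    if func:
        entry["function"] = func
    return json.dumps({"finding": {"osv": osv, "fixed_version": fixed, "trace": [entry]}})

# Constructed sample streams using the OSV ids from the review; "placeholderFn"
# stands in for the real vulnerable symbols, and GO-0000-0000 is a made-up id.
BEFORE = "\n".join([
    json.dumps({"config": {"go_version": "go1.26.3"}}),
    _finding("GO-2026-5039", "go1.26.4", "stdlib", "go1.26.3", "net/textproto", "placeholderFn"),
    _finding("GO-2026-5038", "go1.26.4", "stdlib", "go1.26.3", "mime", "WordDecoder.DecodeHeader"),
    _finding("GO-2026-5037", "go1.26.4", "stdlib", "go1.26.3", "crypto/x509", "placeholderFn"),
    _finding("GO-2026-5026", "v0.55.0", "golang.org/x/net", "v0.53.0", "golang.org/x/net/idna", "placeholderFn"),
])
AFTER = "\n".join([
    json.dumps({"config": {"go_version": "go1.26.4"}}),
    _finding("GO-2026-5026", "v0.55.0", "golang.org/x/net", "v0.53.0", "golang.org/x/net/idna", "placeholderFn"),
    _finding("GO-0000-0000", "v9.9.9", "example.test/mod", "v1.0.0", "example.test/mod/pkg"),  # package-level only
])

if __name__ == "__main__":
    print(json.dumps(compare(BEFORE, AFTER), indent=2))
```

Run it against real output by reading the two streams from files produced with govulncheck -json ./... on each branch; package-level findings are deliberately excluded, matching the symbol-level counts the review compares.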

@wallrj-cyberark (Contributor) left a comment

LGTM. The Go 1.26.4 upgrade fixes 3 of 4 symbol-level govulncheck findings on the actual code path.

Generated with Claude (Opus 4.6)

@inteon inteon merged commit 98258e0 into master Jun 3, 2026
5 checks passed