diff --git a/.github/workflows/functions.yaml b/.github/workflows/functions.yaml
index 7d809102e8..9531b0c81d 100644
--- a/.github/workflows/functions.yaml
+++ b/.github/workflows/functions.yaml
@@ -77,14 +77,6 @@ jobs:
       - name: Run Unit Tests
         run: make test
 
-      - uses: codecov/codecov-action@v5
-        with:
-          files: ./coverage.txt
-          flags: unit ${{ matrix.os }}
-          fail_ci_if_error: true
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-
   # --------------
   # TEMPLATE TESTS
   # --------------
@@ -161,6 +153,8 @@ jobs:
 
       - name: Install Binaries
         run: ./hack/binaries.sh
+      - name: Configure IPv6
+        run: ./hack/configure-nat64.sh
       - name: Allocate Cluster
         run: ./hack/cluster.sh
       - name: Start Local Registry
@@ -175,14 +169,6 @@ jobs:
       - name: Run Integration Tests
         run: make test-integration
 
-      - uses: codecov/codecov-action@v5
-        with:
-          files: ./coverage.txt
-          flags: integration
-          fail_ci_if_error: true
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-
       # Preserve Cluster Logs
       - name: Dump Cluster Logs
         if: always()
@@ -221,6 +207,8 @@ jobs:
 
       - name: Install Binaries
         run: ./hack/binaries.sh
+      - name: Configure IPv6
+        run: ./hack/configure-nat64.sh
       - name: Allocate Cluster
         run: ./hack/cluster.sh
       - name: Start Local Registry
@@ -231,14 +219,6 @@ jobs:
       - name: Run Basic E2E Tests (core, metadata, remote)
         run: make test-e2e
 
-      - uses: codecov/codecov-action@v5
-        with:
-          files: ./coverage.txt
-          flags: e2e
-          fail_ci_if_error: true
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-
       # Preserve Cluster Logs
       - name: Dump Cluster Logs
         if: always()
@@ -286,6 +266,8 @@ jobs:
 
       - name: Install Binaries
         run: ./hack/binaries.sh
+      - name: Configure IPv6
+        run: ./hack/configure-nat64.sh
       - name: Allocate Cluster
         run: ./hack/cluster.sh
       - name: Start Local Registry
@@ -294,14 +276,6 @@ jobs:
       - name: Run E2E Podman Tests
         run: make test-e2e-podman
 
-      - uses: codecov/codecov-action@v5
-        with:
-          files: ./coverage.txt
-          flags: e2e
-          fail_ci_if_error: true
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-
       # Preserve Cluster Logs
       - name: Dump Cluster Logs
         if: always()
@@ -373,6 +347,8 @@ jobs:
       # Allocate Cluster
       - name: Install Binaries
         run: ./hack/binaries.sh
+      - name: Configure IPv6
+        run: ./hack/configure-nat64.sh
       - name: Allocate Cluster
         run: ./hack/cluster.sh
       - name: Start Local Registry
@@ -383,15 +359,6 @@ jobs:
       - name: Run Test - ${{ matrix.runtime }}
         run: make test-e2e-matrix
 
-      # Coverage and Logs
-      - uses: codecov/codecov-action@v5
-        with:
-          files: ./coverage.txt
-          flags: e2e ${{ matrix.runtime }}
-          fail_ci_if_error: true
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-
       # Preserve Cluster Logs
       - name: Dump Cluster Logs
         if: always()
@@ -429,6 +396,8 @@ jobs:
 
       - name: Install Binaries
         run: ./hack/binaries.sh
+      - name: Configure IPv6
+        run: ./hack/configure-nat64.sh
       - name: Allocate Cluster
         run: ./hack/cluster.sh
       - name: Start Local Registry
@@ -439,14 +408,6 @@ jobs:
       - name: Run Config CI E2E Tests
         run: make test-e2e-config-ci
 
-      - uses: codecov/codecov-action@v5
-        with:
-          files: ./coverage.txt
-          flags: e2e-config-ci
-          fail_ci_if_error: true
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-
       # Preserve Cluster Logs
       - name: Dump Cluster Logs
         if: always()
diff --git a/.github/workflows/test-podman-next.yaml b/.github/workflows/test-podman-next.yaml
index 38a77aeb2d..7f19ed9a97 100644
--- a/.github/workflows/test-podman-next.yaml
+++ b/.github/workflows/test-podman-next.yaml
@@ -35,6 +35,8 @@ jobs:
       - uses: knative/actions/setup-go@main
       - name: Install Binaries
         run: ./hack/binaries.sh
+      - name: Configure IPv6
+        run: ./hack/configure-nat64.sh
       - name: Allocate Cluster
         run: ./hack/cluster.sh
       - name: Local Registry
diff --git a/hack/binaries.sh b/hack/binaries.sh
index 1b1b313c23..69d558390b 100755
--- a/hack/binaries.sh
+++ b/hack/binaries.sh
@@ -28,7 +28,7 @@ install_binaries() {
 
   local kubectl_version=1.33.1
   local kind_version=0.31.0
-  local dapr_version=1.16.0
+  local dapr_version=1.17.1
   local helm_version=3.18.0
   local stern_version=1.32.0
   local kn_version=1.18.0
diff --git a/hack/cluster.sh b/hack/cluster.sh
index 296ab0f4c5..9b769a44be 100755
--- a/hack/cluster.sh
+++ b/hack/cluster.sh
@@ -108,16 +108,29 @@ kubernetes() {
   cat <<EOF | $KIND create cluster --name=func --kubeconfig="${KUBECONFIG}" --wait=60s --config=-
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  apiServerAddress: "::1"
+  apiServerPort: 6443
+  ipFamily: ipv6
 nodes:
   - role: control-plane
     image: kindest/node:${kind_node_version}
     extraPortMappings:
+    - containerPort: 80
+      hostPort: 80
+      listenAddress: "::1"
     - containerPort: 80
       hostPort: 80
       listenAddress: "127.0.0.1"
+    - containerPort: 443
+      hostPort: 443
+      listenAddress: "::1"
     - containerPort: 443
       hostPort: 443
       listenAddress: "127.0.0.1"
+    - containerPort: 30022
+      hostPort: 30022
+      listenAddress: "::1"
     - containerPort: 30022
       hostPort: 30022
       listenAddress: "127.0.0.1"
@@ -131,6 +144,15 @@ containerdConfigPatches:
     endpoint = ["http://func-registry:5000"]
   [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
     endpoint = ["http://func-registry:5000"]
+kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      certSANs:
+        - "localhost"
+        - "localtest.me"
+        - "::"
+        - "::1"
 EOF
   sleep 10
   $KUBECTL wait pod --for=condition=Ready -l '!job-name' -n kube-system --timeout=5m
@@ -148,6 +170,12 @@ serving() {
 
   curl -L -s https://github.com/knative/serving/releases/download/knative-$knative_serving_version/serving-core.yaml | $KUBECTL apply -f -
 
+  # Patch autoscaler image: upstream Knative bug hardcodes EndpointSlice
+  # AddressType to IPv4, crashing the autoscaler on IPv6-only clusters.
+  # This patched image detects the IP family from POD_IP.
+  $KUBECTL set image deployment/autoscaler -n knative-serving \
+    autoscaler="quay.io/mvasek/knative/autoscaler@sha256:6a2f328833e9ed516dd281aba891923082ddaa69e5907f0f0cef6d2402732e4c"
+
   sleep 2
   $KUBECTL wait pod --for=condition=Ready -l '!job-name' -n knative-serving --timeout=5m
 
@@ -239,8 +267,9 @@ networking() {
 
   echo "Installing a configured Contour."
   curl -sSL "https://github.com/knative/net-contour/releases/download/knative-${contour_version}/contour.yaml" \
+    | $YQ '(select(.kind == "Deployment" and .metadata.name == "contour").spec.template.spec.containers[0].args[] | select(. == "--xds-address=0.0.0.0")) = "--xds-address=::"' \
     | $YQ '(select(.kind == "Deployment" and .metadata.name == "contour").spec.template.spec.containers[0].args)
-          += ["--envoy-service-http-address=::", "--envoy-service-https-address=::"]' \
+          += ["--envoy-service-http-address=::", "--envoy-service-https-address=::", "--stats-address=::"]' \
     | $KUBECTL apply -f -
 
   sleep 5
@@ -412,6 +441,7 @@ dapr_runtime() {
   if [ "${GITHUB_ACTIONS:-false}" = "true" ]; then
     dapr_flags="--image-registry=ghcr.io/dapr --log-as-json"
   fi
+  dapr_flags="--image-registry=quay.io/mvasek/dapr --log-as-json"
 
   # Install Dapr Runtime
   # shellcheck disable=SC2086
diff --git a/hack/configure-nat64.sh b/hack/configure-nat64.sh
new file mode 100755
index 0000000000..d34b8a69e2
--- /dev/null
+++ b/hack/configure-nat64.sh
@@ -0,0 +1,169 @@
+#!/usr/bin/env bash
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Configure DNS64 (Unbound) + NAT64 (TAYGA) on a GitHub Actions runner
+# to provide fake IPv6 internet connectivity. This must run before cluster.sh.
+#
+# Network flow after setup:
+#   DNS query  -> Unbound (dns64-synthall) -> AAAA 64:ff9b::<ipv4>
+#   IPv6 packet to 64:ff9b::/96 -> TAYGA -> IPv4 -> internet
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+source "$(cd "$(dirname "$0")" && pwd)/common.sh"
+
+readonly NAT64_PREFIX="64:ff9b::/96"
+readonly TAYGA_IPV4="192.168.255.1"
+readonly TAYGA_IPV6="fd00:64:64::1"
+readonly TAYGA_POOL="192.168.255.0/24"
+readonly TAYGA_DEV="nat64"
+
+main() {
+  echo "${blue}Configuring DNS64 + NAT64${reset}"
+
+  local upstream_dns
+  upstream_dns="$(get_upstream_dns)"
+  echo "Upstream DNS: ${upstream_dns}"
+
+  install_packages
+  configure_dns64 "${upstream_dns}"
+  configure_nat64
+  verify
+
+  echo "${green}✅ DNS64 + NAT64${reset}"
+}
+
+get_upstream_dns() {
+  local dns=""
+  if [[ -f /run/systemd/resolve/resolv.conf ]]; then
+    dns="$(awk '/^nameserver/ { print $2; exit }' /run/systemd/resolve/resolv.conf)"
+  fi
+  if [[ -z "${dns}" ]]; then
+    dns="8.8.8.8"
+  fi
+  echo "${dns}"
+}
+
+install_packages() {
+  echo "${blue}Installing unbound and tayga${reset}"
+  sudo apt-get update -qq
+  sudo apt-get install -y -qq unbound tayga
+}
+
+configure_dns64() {
+  local upstream_dns="$1"
+
+  echo "${blue}Configuring Unbound (DNS64)${reset}"
+
+  # Stop systemd-resolved so we can take over port 53
+  sudo systemctl stop systemd-resolved || true
+  sudo systemctl disable systemd-resolved || true
+
+  # Point the system resolver at our local Unbound
+  sudo tee /etc/resolv.conf > /dev/null <<EOF
+nameserver 127.0.0.1
+EOF
+
+  # Write Unbound config with DNS64 synthesis
+  sudo tee /etc/unbound/unbound.conf > /dev/null <<EOF
+server:
+  interface: 127.0.0.1
+  interface: ::1
+  access-control: 127.0.0.0/8 allow
+  access-control: ::1/128 allow
+
+  module-config: "dns64 iterator"
+  dns64-prefix: ${NAT64_PREFIX}
+  dns64-synthall: yes
+
+  # Serve localhost records so local services resolve correctly
+  local-zone: "localhost." static
+  local-data: "localhost. IN A 127.0.0.1"
+  local-data: "localhost. IN AAAA ::1"
+
+forward-zone:
+  name: "."
+  forward-addr: ${upstream_dns}
+EOF
+
+  sudo systemctl restart unbound
+  sudo systemctl enable unbound
+
+  echo "${green}Unbound configured${reset}"
+}
+
+configure_nat64() {
+  echo "${blue}Configuring TAYGA (NAT64)${reset}"
+
+  # Write TAYGA config
+  # ipv6-addr is required when using the well-known prefix 64:ff9b::/96
+  # with a non-global (RFC 1918) ipv4-addr.
+  sudo tee /etc/tayga.conf > /dev/null <<EOF
+tun-device ${TAYGA_DEV}
+prefix ${NAT64_PREFIX}
+ipv4-addr ${TAYGA_IPV4}
+ipv6-addr ${TAYGA_IPV6}
+dynamic-pool ${TAYGA_POOL}
+data-dir /var/db/tayga
+EOF
+
+  sudo mkdir -p /var/db/tayga
+
+  # Create the TUN device and configure it
+  sudo tayga --mktun
+  sudo ip link set ${TAYGA_DEV} up
+  sudo ip addr add ${TAYGA_IPV4} dev ${TAYGA_DEV}
+  sudo ip addr add ${TAYGA_IPV6} dev ${TAYGA_DEV}
+  sudo ip route add ${TAYGA_POOL} dev ${TAYGA_DEV}
+  sudo ip route add ${NAT64_PREFIX} dev ${TAYGA_DEV}
+
+  # Enable forwarding
+  sudo sysctl -w net.ipv4.ip_forward=1
+  sudo sysctl -w net.ipv6.conf.all.forwarding=1
+
+  # NAT the TAYGA pool so translated packets can reach the internet
+  sudo iptables -t nat -A POSTROUTING -s ${TAYGA_POOL} -j MASQUERADE
+
+  # Start TAYGA
+  sudo tayga
+
+  echo "${green}TAYGA configured${reset}"
+}
+
+verify() {
+  echo "${blue}Verifying DNS64 + NAT64${reset}"
+
+  # Verify DNS64 synthesis
+  local aaaa
+  aaaa="$(dig +short AAAA github.com @127.0.0.1)"
+  if [[ "${aaaa}" != *"64:ff9b::"* ]]; then
+    echo "${red}DNS64 verification failed: expected 64:ff9b:: prefix in AAAA record${reset}"
+    echo "Got: ${aaaa}"
+    exit 1
+  fi
+  echo "DNS64 OK: github.com -> ${aaaa}"
+
+  # Verify NAT64 connectivity
+  if ! curl -6 --max-time 10 -sSf -o /dev/null https://github.com; then
+    echo "${red}NAT64 verification failed: cannot reach github.com over IPv6${reset}"
+    exit 1
+  fi
+  echo "NAT64 OK: curl -6 github.com succeeded"
+}
+
+main "$@"