diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1dfcda70..21aa6d6f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2023-11-07T19:17:25Z by kres latest.
+# Generated on 2023-11-13T17:09:48Z by kres latest.
 
 name: default
 concurrency:
@@ -54,17 +54,6 @@ jobs:
 platforms: linux/arm64
 driver: remote
 endpoint: tcp://localhost:1234
- - name: Save PR number
- if: github.event_name == 'pull_request' && always()
- run: |
- echo ${{ github.event.number }} > pr-number.txt
- - name: Upload PR number
- if: github.event_name == 'pull_request' && always()
- uses: actions/upload-artifact@v3
- with:
- name: pr-number
- path: pr-number.txt
- retention-days: "1"
 - name: Build
 run: |
 make
diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml
deleted file mode 100644
index 66aefcd7..00000000
--- a/.github/workflows/cron.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-name: weekly
-concurrency:
- group: ${{ github.head_ref || github.run_id }}
- cancel-in-progress: true
-on:
- schedule:
- - cron: '30 1 * * 1'
-jobs:
- reproducibility:
- runs-on:
- - self-hosted
- - pkgs
- services:
- buildkitd:
- image: moby/buildkit:buildx-stable-1
- ports:
- - 1234:1234
- options: --privileged
- volumes:
- - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit
- - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml
- steps:
- - name: checkout
- uses: actions/checkout@v3
- - name: Unshallow
- run: |
- git fetch --prune --unshallow
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- with:
- driver: remote
- endpoint: tcp://localhost:1234
- append: |
- - endpoint: tcp://buildkit-arm64.ci.svc.cluster.local:1234
- platforms: linux/arm64
- - name: reproducibility
- run: |
- make reproducibility-test
diff --git a/.github/workflows/slack-notify.yaml b/.github/workflows/slack-notify.yaml
index 212b7516..6d589d5e 100644
--- a/.github/workflows/slack-notify.yaml
+++ b/.github/workflows/slack-notify.yaml
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2023-11-07T19:17:25Z by kres latest.
+# Generated on 2023-11-13T17:09:48Z by kres latest.
 
 name: slack-notify
 "on":
@@ -17,33 +17,13 @@ jobs:
 - generic
 if: github.event.workflow_run.conclusion != 'skipped'
 steps:
- - name: Download PR artifact
- if: github.event.workflow_run.event == 'pull_request'
- uses: actions/github-script@v6
- with:
- script: |-
- let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
- owner: context.repo.owner,
- repo: context.repo.repo,
- run_id: context.payload.workflow_run.id,
- });
- let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
- return artifact.name == "pr-number"
- })[0];
- let download = await github.rest.actions.downloadArtifact({
- owner: context.repo.owner,
- repo: context.repo.repo,
- artifact_id: matchArtifact.id,
- archive_format: 'zip',
- });
- let fs = require('fs');
- fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr-number.zip`, Buffer.from(download.data));
 - name: Get PR number
 id: get-pr-number
 if: github.event.workflow_run.event == 'pull_request'
+ env:
+ GH_TOKEN: ${{ github.token }}
 run: |
- unzip pr-number.zip
- echo pull_request_number=$(cat pr-number.txt) >> $GITHUB_OUTPUT
+ echo pull_request_number=$(gh pr view -R ${{ github.repository }} ${{ github.event.workflow_run.head_repository.owner.login }}:${{ github.event.workflow_run.head_branch }} --json number --jq .number) >> $GITHUB_OUTPUT
 - name: Slack Notify
 uses: slackapi/slack-github-action@v1
 with:
diff --git a/.github/workflows/weekly.yaml b/.github/workflows/weekly.yaml
index 3754e5b1..1f9fe3cd 100644
--- a/.github/workflows/weekly.yaml
+++ b/.github/workflows/weekly.yaml
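Review bot: The new `run:` line of the `Get PR number` step splices `github.event.workflow_run.head_branch` and `github.event.workflow_run.head_repository.owner.login` into the shell script with `${{ }}`, so the branch name of a fork pull request is expanded as shell syntax before `gh` ever sees it; in a `workflow_run` job that carries the base repository's `github.token` this is the expression-injection pattern GitHub's workflow-hardening guidance warns about. Move the two values into the step's `env:` block next to `GH_TOKEN` and reference them as quoted shell variables, quoting `$GITHUB_OUTPUT` while there; `${{ github.repository }}` is not attacker-influenced but the built-in `GITHUB_REPOSITORY` variable carries the same value. The header says the file is generated by kres, so the change presumably belongs in the generator template rather than in this file. The enclosing job starts before this hunk.
```yaml
      - name: Get PR number
        # … unchanged: id, if …
        env:
          GH_TOKEN: ${{ github.token }}
          HEAD_OWNER: ${{ github.event.workflow_run.head_repository.owner.login }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          echo "pull_request_number=$(gh pr view -R "$GITHUB_REPOSITORY" "${HEAD_OWNER}:${HEAD_BRANCH}" --json number --jq .number)" >> "$GITHUB_OUTPUT"
```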
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2023-11-07T19:17:25Z by kres latest.
+# Generated on 2023-11-13T17:09:48Z by kres latest.
 
 name: weekly
 concurrency:
diff --git a/.kres.yaml b/.kres.yaml
index 73385596..ffc2093a 100644
--- a/.kres.yaml
+++ b/.kres.yaml
@@ -10,6 +10,7 @@ spec:
 - chelsio-drivers
 - chelsio-firmware
 - drbd
+ - ecr-credential-provider
 - fuse3
 - gasket-driver
 - gvisor
diff --git a/Makefile b/Makefile
index c1b377bd..33b6de19 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2023-11-08T13:30:42Z by kres latest.
+# Generated on 2023-11-13T17:10:23Z by kres latest.
 
 # common variables
 
@@ -57,6 +57,7 @@ TARGETS += btrfs
 TARGETS += chelsio-drivers
 TARGETS += chelsio-firmware
 TARGETS += drbd
+TARGETS += ecr-credential-provider
 TARGETS += fuse3
 TARGETS += gasket-driver
 TARGETS += gvisor
diff --git a/README.md b/README.md
index 330af66f..c7ef0487 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 | ----------------------------------- | ------------------------------------------------------------------------------------------- | ----------------------------------------------- | ---------------------------------- |
 | [gvisor](container-runtime/gvisor/) | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | [gVisor](https://gvisor.dev/) container runtime | `upstream version`-`talos version` |
 | [stargz-snapshotter](container-runtime/stargz-snapshotter/) | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | [Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime | `upstream version`-`talos version` |
+| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
 
 ### Firmware
 
diff --git a/container-runtime/ecr-credential-provider/README.md b/container-runtime/ecr-credential-provider/README.md
new file mode 100644
index 00000000..451a583d
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/README.md
@@ -0,0 +1,36 @@
+# Kubelet ECR Credential Provider extension
+
+This extension provides the [ecr-credential-provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) binary,
+which can be executed by Kubelet to provide a short-lived token for pulling container images
+from Amazon Web Services' Elastic Container Registry (ECR).
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+You also need to configure `ecr-credential-provider` as a Kubelet image
+credential provider. For this you'll need patch the machine config with the following:
+
+```yaml
+machine:
+ kubelet:
+ credentialProviderConfig:
+ apiVersion: kubelet.config.k8s.io/v1
+ kind: CredentialProviderConfig
+ providers:
+ - name: ecr-credential-provider
+ matchImages:
+ - "*.dkr.ecr.*.amazonaws.com"
+ - "*.dkr.ecr.*.amazonaws.com.cn"
+ - "*.dkr.ecr-fips.*.amazonaws.com"
+ - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
+ - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
+ defaultCacheDuration: "12h"
+ apiVersion: credentialprovider.kubelet.k8s.io/v1
+```
+
+## More Information
+
+-
+-
+-
diff --git a/container-runtime/ecr-credential-provider/manifest.yaml b/container-runtime/ecr-credential-provider/manifest.yaml
new file mode 100644
index 00000000..73657781
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/manifest.yaml
@@ -0,0 +1,11 @@
+version: v1alpha1
+metadata:
+ name: ecr-credential-provider
+ version: "$VERSION"
+ author: Florian Ströger
+ description: |
+ This system extension provides a binary which implements Kubelet's CredentialProvider API
+ to authenticate against AWS' Elastic Container Registry and pull images.
+ compatibility:
+ talos:
+ version: ">= v1.6.0"
diff --git a/container-runtime/ecr-credential-provider/pkg.yaml b/container-runtime/ecr-credential-provider/pkg.yaml
new file mode 100644
index 00000000..a362394b
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/pkg.yaml
@@ -0,0 +1,40 @@
+name: ecr-credential-provider
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+ - stage: base
+steps:
+ - sources:
+ - url: https://github.com/kubernetes/cloud-provider-aws/archive/refs/tags/{{ .VERSION }}.tar.gz
+ destination: cloud-provider-aws.tar.gz
+ sha256: 9d3e20d79facf336a466a1647dff8033007385fb628005c8bf84eb67330ba004
+ sha512: b9adc389be9301dc4be36c6bf546f354b9f2895cbad13d28d074dbab77f9aecec8d5fd02590d21c2a4acc91b559371adfe9702898c7880d92aea6657b315a539
+ env:
+ GOPATH: /go
+ prepare:
+ - |
+ sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+ - |
+ mkdir -p ${GOPATH}/src/k8s.io/cloud-provider-aws
+
+ tar -xzf cloud-provider-aws.tar.gz --strip-components=1 -C ${GOPATH}/src/k8s.io/cloud-provider-aws
+ build:
+ - |
+ export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+ go build \
+ -C ${GOPATH}/src/k8s.io/cloud-provider-aws \
+ -o ./dist/ecr-credential-provider \
+ -ldflags "-s -w \
+ -X k8s.io/component-base/version.gitVersion={{ .VERSION }} \
+ -X main.gitVersion={{ .VERSION }}" \
+ ./cmd/ecr-credential-provider
+ install:
+ - install -D -m 0755
+ ${GOPATH}/src/k8s.io/cloud-provider-aws/dist/ecr-credential-provider
+ /rootfs/usr/local/lib/kubelet/credentialproviders/ecr-credential-provider
+finalize:
+ - from: /rootfs
+ to: /rootfs
+ - from: /pkg/manifest.yaml
+ to: /
diff --git a/container-runtime/ecr-credential-provider/vars.yaml b/container-runtime/ecr-credential-provider/vars.yaml
new file mode 100644
index 00000000..d99b1fce
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/vars.yaml
@@ -0,0 +1 @@
+VERSION: "{{ .CLOUD_PROVIDER_AWS_VERSION }}"
diff --git a/container-runtime/vars.yaml b/container-runtime/vars.yaml
index 0e90ef78..238a45f1 100644
--- a/container-runtime/vars.yaml
+++ b/container-runtime/vars.yaml
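Review bot: The `install:` entry of the new `pkg.yaml` is a plain scalar spread over three lines (`- install -D -m 0755`, then the source path, then the destination path on their own lines), so it is one command only because YAML folds the line breaks into spaces, and next to the `prepare` and `build` steps, which all use `- |` block scalars, it reads like three separate statements. Writing it the same way — `- |` followed by `install -D -m 0755 \`, the source path with a trailing `\`, and the destination path — keeps one scalar style per file and makes the single invocation explicit. The rest of the file looks right: the source tarball is pinned by both sha256 and sha512, and `VERSION` comes in quoted through `vars.yaml`.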
@@ -2,3 +2,5 @@
 GVISOR_VERSION: 20231214.0
 # renovate: datasource=github-releases depName=containerd/stargz-snapshotter
 STARGZ_SNAPSHOTTER_VERSION: v0.14.3
+# renovate: datasource=github-releases depName=kubernetes/cloud-provider-aws
+CLOUD_PROVIDER_AWS_VERSION: v1.28.1