diff --git a/.github/pull_request_template.md.disabled b/.github/pull_request_template.md.disabled
new file mode 100644
index 0000000000000..a1333460afd09
--- /dev/null
+++ b/.github/pull_request_template.md.disabled
@@ -0,0 +1,5 @@
+# CODE FREEZE NOTICE
+
+An -rc1 tag has been created and a release is being prepared, so please note that
+PRs introducing new features and APIs will be held back until the new version
+has been released.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1bef3925e9975..0b18b53c6e0f8 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -43,7 +43,7 @@ jobs:
 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 - name: Initialize CodeQL
- uses: github/codeql-action/init@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+ uses: github/codeql-action/init@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
 with:
 languages: ${{ matrix.language }}
 config-file: ./.github/codeql-config.yml
@@ -51,7 +51,7 @@ jobs:
 - run: sudo -E .github/workflows/unit_tests.sh SETUP
 - name: Autobuild
- uses: github/codeql-action/autobuild@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+ uses: github/codeql-action/autobuild@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+ uses: github/codeql-action/analyze@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index acbfa8e5bb3e4..0d48047f9a8bd 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -13,6 +13,8 @@ SPDX-License-Identifier: LGPL-2.1-or-later
 4. Update hwdb (`ninja -C build update-hwdb`, `ninja -C build update-hwdb-autosuspend`, commit separately).
 5. Update syscall numbers (`ninja -C build update-syscall-tables update-syscall-header`).
 6. [RC1] Update version and library numbers in `meson.build`
+6. [RC1] Rename `.github/pull_request_template.md.disabled` to `.github/pull_request_template.md` to display the warning about soft-freeze for new features
+6. [FINAL] Rename `.github/pull_request_template.md` to `.github/pull_request_template.md.disabled` to hide the warning about soft-freeze for new features
 7. Check dbus docs with `ninja -C build update-dbus-docs`
 8. Tag the release: `version=vXXX-rcY && git tag -s "${version}" -m "systemd ${version}"`
 9. Do `ninja -C build`
diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf
index 9a6af70b93989..04deeb2262e16 100644
--- a/src/portable/profile/trusted/service.conf
+++ b/src/portable/profile/trusted/service.conf
@@ -1,7 +1,8 @@
-# The "trusted" profile for services, i.e. no restrictions are applied
+# The "trusted" profile for services, i.e. no restrictions are applied apart from a private /tmp
 [Service]
 MountAPIVFS=yes
+PrivateTmp=yes
 BindPaths=/run
 BindReadOnlyPaths=/etc/machine-id
 BindReadOnlyPaths=/etc/resolv.conf
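Review bot: The rewritten header comment in `src/portable/profile/trusted/service.conf` says the profile applies nothing "apart from a private /tmp", but `PrivateTmp=yes` also gives the service its own /var/tmp, so the comment understates what the new line does. I would write `# The "trusted" profile for services, i.e. no restrictions are applied apart from a private /tmp and /var/tmp`. The profile otherwise keeps host access (`BindPaths=/run` stays), so a portable service that exchanged files or sockets with host processes through /tmp will presumably stop seeing them once this applies. That behaviour change is worth a sentence in the release notes or the profile documentation, together with the way to opt out for a single unit (presumably a drop-in setting `PrivateTmp=no`, to be confirmed against how profile drop-ins are ordered).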