diff --git a/.github/pull_request_template.md.disabled b/.github/pull_request_template.md.disabled
new file mode 100644
index 0000000000000..a1333460afd09
--- /dev/null
+++ b/.github/pull_request_template.md.disabled
@@ -0,0 +1,5 @@
+# CODE FREEZE NOTICE
+
+An -rc1 tag has been created and a release is being prepared, so please note that
+PRs introducing new features and APIs will be held back until the new version
+has been released.
diff --git a/.github/workflows/issue_labeler.yml b/.github/workflows/issue_labeler.yml
index 64774e67cc30f..094f72c4b97ce 100644
--- a/.github/workflows/issue_labeler.yml
+++ b/.github/workflows/issue_labeler.yml
@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 
-      - uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd
+      - uses: actions/setup-node@2fddd8803e2f5c9604345a0b591c3020ee971a93
         with:
           node-version: '16'
 
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index acbfa8e5bb3e4..0d48047f9a8bd 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -13,6 +13,8 @@ SPDX-License-Identifier: LGPL-2.1-or-later
 4. Update hwdb (`ninja -C build update-hwdb`, `ninja -C build update-hwdb-autosuspend`, commit separately).
 5. Update syscall numbers (`ninja -C build update-syscall-tables update-syscall-header`).
 6. [RC1] Update version and library numbers in `meson.build`
+6. [RC1] Rename `.github/pull_request_template.md.disabled` to `.github/pull_request_template.md` to display the warning about soft-freeze for new features
+6. [FINAL] Rename `.github/pull_request_template.md` to `.github/pull_request_template.md.disabled` to hide the warning about soft-freeze for new features
 7. Check dbus docs with `ninja -C build update-dbus-docs`
 8. Tag the release: `version=vXXX-rcY && git tag -s "${version}" -m "systemd ${version}"`
 9. Do `ninja -C build`
diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf
index 9a6af70b93989..04deeb2262e16 100644
--- a/src/portable/profile/trusted/service.conf
+++ b/src/portable/profile/trusted/service.conf
@@ -1,7 +1,8 @@
-# The "trusted" profile for services, i.e. no restrictions are applied
+# The "trusted" profile for services, i.e. no restrictions are applied apart from a private /tmp
 
 [Service]
 MountAPIVFS=yes
+PrivateTmp=yes
 BindPaths=/run
 BindReadOnlyPaths=/etc/machine-id
 BindReadOnlyPaths=/etc/resolv.conf