diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index 4bf3391cfd..ce2dae02b2 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -961,6 +961,60 @@ jobs:
         if: failure()
         uses: ./.github/actions/kyverno-logs
 
+  helm-upgrade:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
+        kyverno-version: [ '3.2' ]
+    needs: [ prepare-images ]
+    steps:
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - name: Install helm
+      id: helm
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+    # create cluster
+    - name: Create kind cluster
+      uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+      with:
+        node_image: kindest/node:${{ matrix.k8s-version }}
+        cluster_name: kind
+        config: ./scripts/config/kind/default.yaml
+    # deploy kyverno
+    - name: Download kyverno images archive
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      with:
+        name: kyverno.tar
+    - name: Load kyverno images archive in kind cluster
+      shell: bash
+      run: |
+        set -e
+        kind load image-archive kyverno.tar --name kind
+    - name: Install kyverno
+      shell: bash
+      run: |
+        set -e
+        ${{ steps.helm.outputs.helm-path }} install kyverno --namespace kyverno --create-namespace --wait \
+          --repo https://kyverno.github.io/kyverno kyverno \
+          --version ${{ matrix.kyverno-version }}
+    - name: Wait for kyverno ready
+      uses: ./.github/actions/kyverno-wait-ready
+    - name: Upgrade kyverno
+      shell: bash
+      run: |
+        set -e
+        export HELM=${{ steps.helm.outputs.helm-path }}
+        make kind-install-kyverno
+    - name: Wait for kyverno ready
+      uses: ./.github/actions/kyverno-wait-ready
+    # debug
+    - name: Debug failure
+      if: failure()
+      uses: ./.github/actions/kyverno-logs
+
   conformance-required-success:
     name: conformance-required
     needs:
@@ -992,6 +1046,7 @@ jobs:
       - custom-sigstore
       - monitor-helm-secret-size
       - check-tests
+      - helm-upgrade
     runs-on: ubuntu-latest
     if: ${{ success() }}
     steps:
@@ -1028,6 +1083,7 @@ jobs:
       - custom-sigstore
       - monitor-helm-secret-size
       - check-tests
+      - helm-upgrade
     runs-on: ubuntu-latest
     if: ${{ failure() || cancelled() }}
     steps: