docs: add upgrade notes in v1.6 release announcement (#7521)

Signed-off-by: Rudrakh Panigrahi <[email protected]>

Author: rudrakhp

site/content/en/news/releases/notes/v1.6.0.md

@@ -12,7 +12,7 @@ November 10, 2025
 - When a MirrorPolicy is used, the shadow host suffix is no longer automatically appended to the mirrored cluster name.
 - When running `egctl experimental collect`, SDS (Secret Discovery Service) data is no longer included by default. To include SDS data, enable it by adding the `--sds true` flag.
 - When setting `consecutiveGatewayFailure`, `enforcingConsecutiveGatewayFailure` is automatically set to 100.
-- When the OIDC provider issues a refresh token, Envoy Gateway will now automatically use it to refresh access and ID tokens when they expire. To maintain the previous behavior (not using refresh tokens), set `refreshToken` to false in the OIDC authentication configuration. See https://gateway.envoyproxy.io/docs/api/extension_types/#securitypolicyspec for details.
+- When the OIDC provider issues a refresh token, Envoy Gateway will now automatically use it to refresh access and ID tokens when they expire. To maintain the previous behavior (not using refresh tokens), set `refreshToken` to false in the OIDC authentication configuration. See [SecurityPolicy spec](https://gateway.envoyproxy.io/docs/api/extension_types/#securitypolicyspec) for details.
 
 ## Security updates
 - 

site/content/en/news/releases/v1.6.md

@@ -29,7 +29,7 @@ Envoy Gateway v1.6.0 introduces powerful enhancements, resolves critical issues,
 - **MirrorPolicy Cluster Naming**: When a `MirrorPolicy` is used, the shadow host suffix is no longer automatically appended to the mirrored cluster name.
 - **egctl collect SDS Data**: When running `egctl experimental collect`, SDS (Secret Discovery Service) data is no longer included by default. To include SDS data, enable it by adding the `--sds true` flag.
 - **Consecutive Gateway Failure**: When setting `consecutiveGatewayFailure`, `enforcingConsecutiveGatewayFailure` is automatically set to 100.
-- **OIDC Refresh Token Behavior**: When the OIDC provider issues a refresh token, Envoy Gateway will now automatically use it to refresh access and ID tokens when they expire. To maintain the previous behavior (not using refresh tokens), set `refreshToken` to false in the OIDC authentication configuration. See https://gateway.envoyproxy.io/docs/api/extension_types/#securitypolicyspec for details.
+- **OIDC Refresh Token Behavior**: When the OIDC provider issues a refresh token, Envoy Gateway will now automatically use it to refresh access and ID tokens when they expire. To maintain the previous behavior (not using refresh tokens), set `refreshToken` to false in the OIDC authentication configuration. See [SecurityPolicy spec](https://gateway.envoyproxy.io/docs/api/extension_types/#securitypolicyspec) for details.
 
 ---
 
@@ -112,7 +112,11 @@ Envoy Gateway v1.6.0 introduces powerful enhancements, resolves critical issues,
 
 ---
 
-We encourage all users to upgrade to v1.6.0 to take advantage of the new features, security improvements, and performance gains. For full details, see the [Release Notes][] and updated [Documentation][docs].
+## 📝 Upgrade Notes
+
+- We encourage all users to upgrade to v1.6.0 to take advantage of the new features, security improvements, and performance gains. For full details, see the [Release Notes][] and updated [Documentation][docs].
+- It is recommended for users to migrate their resources to use the `v1` Gateway API CRDs soon since `v1alpha3` CRDs are deprecated.  
+- See upgrading from previous version via [helm install](../../v1.6/install/install-helm.md#upgrading-from-the-previous-version) or [yaml install](../../v1.6/install/install-yaml.md#upgrading-from-the-previous-version) for more. Note that CRDs should be upgraded first before gateway controller.
 
 [Release Notes]: ./notes/v1.6.0.md
 [docs]: https://gateway.envoyproxy.io