Draft: Update Helm release external-secrets to v0.20.2 (!8471) · Merge requests · GitLab.com / GitLab Infrastructure Team / Kubernetes Workloads / GitLab Helmfiles

This MR contains the following updates:

Package	Type	Update	Change
external-secrets	nonprod	minor	`0.18.2` -> `0.20.2`

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

external-secrets/external-secrets (external-secrets)

`v0.20.2`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.20.2 Image: ghcr.io/external-secrets/external-secrets:v0.20.2-ubi Image: ghcr.io/external-secrets/external-secrets:v0.20.2-ubi-boringssl

What's Changed

General

fix(typo): Google misspelled by @evrardjp in #5348
chore: update helm charts v0.20.1 by @Skarlso in #5352
chore(docs): update stability and support table for 0.20.x by @jakobmoellerdev in #5354
chore: update dependencies by @eso-service-account-app[bot] in #5349
chore(docs): update the release flow by @Skarlso in #5358
feat: add support for decryption scheme from properties in senhasegura Devops Secrets Management (DSM) provider by @felipeosantos in #3895
feat(ci): use separate github app for lgtm workflow. by @webstradev in #5365
fix(ci): listing required roles should NOT mention/tag the roles, just name them. by @webstradev in #5363
fix(ci): run lgtm label remover in pull_request_target context instead by @webstradev in #5366
chore: update codeql action to also run for actions by @Skarlso in #5360
feat(oracle): switch provider to maintained status by @anders-swanson in #5367
fix: liveness probe would include invalid value enable by @Skarlso in #5369
feat: introduce priorityPolicy in merge rewrite by @riccardomc in #5329
docs: update community meeting section by @webstradev in #5364
docs: issue-5350: Updates CRD and docs with write-only limitation for github provider by @bharath-b-rh in #5361
fix: IBM Cloud Secrets Manager Imported Cert does not always require intermediate cert by @varksvader in #5370
feat(gcp): get latest enabled secret by @itaispiegel in #5131
feat(ci): zizmor github actions vuln scanner by @arielrahamim in #5368
chore(docs): update pull request approval process by @Skarlso in #5374
fix(release): Validate GCP GetSecret json format by @Gabrielmadrid73 in #5336
fix(charts): exclude 'address' key from livenessProbe definition by @baprx in #5377
feat: add ngrok provider by @jonstacks in #5160
chore: update dependencies by @eso-service-account-app[bot] in #5386
docs(release): CyberArk Conjur name change updates by @akosasi in #5359
chore: bump go, e2e: flux/argo & restructure e2e-bin build by @moolen in #5333
fix: remove unused secret by @moolen in #5391
feat(charts): add startupProbe to cert controller by @KyriosGN0 in #5297
fix: issue-5388: Fixes GCP Workload Identity Federation auth issue by @bharath-b-rh in #5392
chore(lint): fix revive lint errors (pkg/providers) by @Lumexralph in #5362
feat: make cert auth mount path configurable by @shaxbee in #5400

Dependencies

chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #5379
chore(deps): bump pyyaml from 6.0.2 to 6.0.3 in /hack/api-docs by @dependabot[bot] in #5380
chore(deps): bump actions/dependency-review-action from 4.7.3 to 4.8.0 by @dependabot[bot] in #5381
chore(deps): bump github/codeql-action from 3.30.3 to 3.30.5 by @dependabot[bot] in #5384
chore(deps): bump markupsafe from 3.0.2 to 3.0.3 in /hack/api-docs by @dependabot[bot] in #5383
chore(deps): bump mkdocs-macros-plugin from 1.3.9 to 1.4.0 in /hack/api-docs by @dependabot[bot] in #5385
chore(deps): bump actions/cache from 4.2.4 to 4.3.0 by @dependabot[bot] in #5382

New Contributors

@evrardjp made their first contribution in #5348
@felipeosantos made their first contribution in #3895
@varksvader made their first contribution in #5370
@itaispiegel made their first contribution in #5131
@arielrahamim made their first contribution in #5368
@Gabrielmadrid73 made their first contribution in #5336
@baprx made their first contribution in #5377
@akosasi made their first contribution in #5359
@Lumexralph made their first contribution in #5362
@shaxbee made their first contribution in #5400

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.20.0...v0.20.2

`v0.20.1`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.20.1 Image: ghcr.io/external-secrets/external-secrets:v0.20.1-ubi Image: ghcr.io/external-secrets/external-secrets:v0.20.1-ubi-boringssl

What's Changed

General

chore: release 0.19.2 by @moolen in #5136
chore: update readme by @gusfcarvalho in #5137
fix(kubernetes): make auth field optional by @mhrabovcin in #5064
chore: Fix Markdown spelling issues found by codespell by @mjtrangoni in #5139
Fix yaml codeblock for oracle-vault provider docs by @muckelba in #5146
feat: add liveness probe to eso controller by @Skarlso in #4930
fix(helm): add boolean for processClusterGenerator by @DrummyFloyd in #5144
chore: add Cisco to ADOPTERS.md by @sriaradhyula in #5159
docs: Fix provider stability and support table by @jonstacks in #5161
feat(helm): Add control of response to missing prometheus CRDs by @jcpunk in #5087
chore: Added release notes configuration by @bonddim in #5148
chore: bump bitwarden helm chart version by @Skarlso in #5044
chore(docs): update ADOPTERS.md to include SAP by @jakobmoellerdev in #5165
feat: add externalsecret namespace for webhook provider by @matheusmazzoni in #5155
fix: add unknown status for secret store by @alvin-rw in #5070
Fix pushing to an AWS Secrets Manager Secret when there are no secret values by @nirajsapkota in #4878
add extralabels for dashboard to be scraped by multiple grafana instances by @L1ghtman2k in #5138
fix: the api docs are not referencing sshkey generator by @Skarlso in #5170
Update github.md by @gecube in #5171
Update anchore-engine-credentials.md by @gecube in #5172
docs: update infisical docs to clarify missing system:auth-delegator need by @Skarlso in #5174
Adding support different type auth sources by @preved911 in #4877
fix: stability update document did not update the stability table correctly by @Skarlso in #5176
Add esv1.AnnotationForceSync for CES and ES by @ntnn in #5156
fix: helm build failing by @Skarlso in #5178
fix: remove release- branch automation by @moolen in #5182
chore: update dependencies by @eso-service-account-app[bot] in #5181
docs: update bitwarden documentation for dataFrom field usage by @Skarlso in #5196
feat: add contributor ladder by @gusfcarvalho in #5150
feat: support vault provider check and set for push secrets by @webstradev in #5197
chore(docs): update helm charts by @gusfcarvalho in #5203
chore(ci): fix sonarqube security warnings in helm.yml by @webstradev in #5202
chore: add pull request maintenance auto labelling and sizes by @Skarlso in #5200
fix: update the label verification step by @Skarlso in #5209
feat: add infisical k8s auth with Client JWT as Reviewer JWT Token support by @tuxtof in #5168
feat: improve error message for json marshalling/unmarshalling by @webstradev in #5211
chore: enhance helm-values-schema-json schema plugin management logic by @jakobmoellerdev in #5212
fix(aws): stop incrementing the UUID for versions by @Skarlso in #5175
feat: enable secure serving for metrics [issue 4614] by @rkferreira in #5169
fix(infisical): fix TokenAuth auth method by escaping the token revocation by @arthlr in #5217
fix: tilt build was failing to rebuild by @Skarlso in #5225
feat: add selectable fields to the CRDs by @Skarlso in #5226
ref: removing Yandex Cloud specific common types declaration duplication by @preved911 in #4905
fix: missing codeowners file from .github folder by @Skarlso in #5228
feat: add setting remote namespace to metadata for kubernetes provider by @Skarlso in #5224
feat: add support for certs only in pkcs12 by @devnopt in #4875
docs: document redundant clusterName/clusterLocation parameters in GCP Secret Manager docs by @ionicsolutions in #5208
feat: Allow adding finalizers from template by @malovme in #5140
fix: controller-runtime update by @gusfcarvalho in #5239
chore: update dependencies by @eso-service-account-app[bot] in #5229
fix: Prevent secretstore reconcile loop when provider error response is dynamic by @dakotaharden in #5247
feat: add finalizers to SecretStores when referenced by PushSecrets with DeletionPolicy=Delete by @matheusmazzoni in #5163
fix: keepersecurity support for shortcuts by @pepordev in #5245
feat: add support for GCP Workload Identity Federation by @bharath-b-rh in #4654
feat: support fetching secrets and certificates by name in Yandex Lockbox & Certificate Manager by @alliseeisgold in #5022
chore(charts): Adds new make target for installing unittest plugin by @bharath-b-rh in #5250
docs(templating): added clarifying comments to Github generator example by @nielstenboom in #5248
feat(release): add new workflow to label first time contributor issues by @mouhsen-ibrahim in #5243
feat(security): Adds an option to make HTTP2 configurable by @siddhibhor-56 in #5231
feat: add retry for onepassword on authorization error by @Skarlso in #5253
fix: handle namespace deletion race conditions with finalizers by @framsouza in #5154
docs: update stability and support by @anders-swanson in #5257
fix(akeyless): Upgrade Akeyless Provider Go SDK to v4 by @kgal-akl in #5263
feat: support Pod Identity authentication for Vault Provider by @webstradev in #5201
feat: add domain field to secretserver provider by @rkferreira in #5258
chore(release): Migrate to actions/create-github-app-token action by @mouhsen-ibrahim in #5264
chore: just updating the crd conformance tests by @Skarlso in #5265
chore(revert): "chore(release): Migrate to actions/create-github-app-token action" by @Skarlso in #5269
chore: azure sdk update by @hauswio in #5162
feat: add support for fetching Secret by Path on Delinea Secret Server provider by @DelineaSahilWankhede in #5270
feat: migrate from tibdex to actions/create-github-app-token by @rkferreira in #5286
fix: license headers across all Go files - standardize format, add missing copyright, fix typos by @Copilot in #5288
fix: the boilerplate was missing the right license format by @Skarlso in #5289
chore(license): add automated license header checking using Apache SkyWalking Eyes GitHub Action by @Copilot in #5290
chore(docs): remove GitHub Discussions references and update support channels by @jakobmoellerdev in #5292
docs: updated the ladder with two new tracks: documentation and community by @Skarlso in #5298
docs(release): create upgrading section by @rkferreira in #5310
docs: readme update for health of the project by @Skarlso in #5309
fix: validate namespace in secretRef by @moolen in #5311
docs: add burnout prevention strategies and mitigation policy document by @Skarlso in #5307
feat: add missing go sbom by @moolen in #5313
feat: make vault e2e tests run locally by @moolen in #5246
chore: update dependencies by @eso-service-account-app[bot] in #5324
feat: add Cloudsmith generator for container registry authentication by @cloudsmith-iduffy in #5267
feat: Add lgtm review automation step to ci workflows. by @webstradev in #5251
feat(provider): add Volcengine provider support by @kevinyancn in #5306
test: add more information to potentially flaky test by @Skarlso in #5330
fix(docs): Fix typo in controller options doc by @tspearconquest in #5299
chore(testing): Add licence.check make target by @jonstacks in #5335
docs(gitlab-variables): document environment scope fallback by @s1nyx in #5300

Dependencies

chore(deps): bump mkdocs-macros-plugin from 1.3.7 to 1.3.9 in /hack/api-docs by @dependabot[bot] in #5190
chore(deps): bump requests from 2.32.4 to 2.32.5 in /hack/api-docs by @dependabot[bot] in #5191
chore(deps): bump golang from 1.24.6-bookworm to 1.25.0-bookworm in /e2e by @dependabot[bot] in #5189
chore(deps): bump goreleaser/goreleaser-action from 6.3.0 to 6.4.0 by @dependabot[bot] in #5188
chore(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1 by @dependabot[bot] in #5187
chore(deps): bump anchore/sbom-action from 0.20.4 to 0.20.5 by @dependabot[bot] in #5186
chore(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 by @dependabot[bot] in #5184
chore(deps): bump golang from 1.24.6 to 1.25.0 by @dependabot[bot] in #5194
chore(deps): bump github/codeql-action from 3.29.8 to 3.29.11 by @dependabot[bot] in #5195
chore(deps): bump ubi8/ubi from 4f0a4e4 to 7010e70 by @dependabot[bot] in #5193
chore(deps): bump mkdocs-material from 9.6.16 to 9.6.18 in /hack/api-docs by @dependabot[bot] in #5192
chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #5198
chore(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 by @dependabot[bot] in #5199
chore(deps): bump aquasecurity/trivy-action from 0.32.0 to 0.33.0 by @dependabot[bot] in #5234
chore(deps): bump actions/dependency-review-action from 4.7.2 to 4.7.3 by @dependabot[bot] in #5236
chore(deps): bump ubi8/ubi from 7010e70 to 534c2c0 by @dependabot[bot] in #5237
chore(deps): bump actions/attest-build-provenance from 2.4.0 to 3.0.0 by @dependabot[bot] in #5238
chore(deps): bump regex from 2025.7.34 to 2025.8.29 in /hack/api-docs by @dependabot[bot] in #5242
chore(deps): bump platformdirs from 4.3.8 to 4.4.0 in /hack/api-docs by @dependabot[bot] in #5241
chore(deps): bump distroless/static from 2e114d2 to f2ff10a by @dependabot[bot] in #5240
chore(deps): bump golang from 1.25.0 to 1.25.1 by @dependabot[bot] in #5275
chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @dependabot[bot] in #5274
chore(deps): bump actions/stale from 9.1.0 to 10.0.0 by @dependabot[bot] in #5273
chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @dependabot[bot] in #5276
chore(deps): bump mkdocs-material from 9.6.18 to 9.6.19 in /hack/api-docs by @dependabot[bot] in #5279
chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 by @dependabot[bot] in #5278
chore(deps): bump github/codeql-action from 3.29.11 to 3.30.1 by @dependabot[bot] in #5277
chore(deps): bump markdown from 3.8.2 to 3.9 in /hack/api-docs by @dependabot[bot] in #5281
chore(deps): bump golang from 1.25.0-bookworm to 1.25.1-bookworm in /e2e by @dependabot[bot] in #5280
chore(deps): bump regex from 2025.8.29 to 2025.9.1 in /hack/api-docs by @dependabot[bot] in #5282
chore(deps): bump golang from b6ed3fd to b6ed3fd by @dependabot[bot] in #5318
chore(deps): bump actions/setup-python from 5.6.0 to 6.0.0 by @dependabot[bot] in #5317
chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 by @dependabot[bot] in #5319
chore(deps): bump distroless/static from f2ff10a to 87bce11 by @dependabot[bot] in #5320
chore(deps): bump actions/labeler from 5.0.0 to 6.0.1 by @dependabot[bot] in #5323
chore(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 by @dependabot[bot] in #5321
chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @dependabot[bot] in #5322
chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @dependabot[bot] in #5339
chore(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by @dependabot[bot] in #5344
chore(deps): bump mkdocs-material from 9.6.19 to 9.6.20 in /hack/api-docs by @dependabot[bot] in #5345
chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #5343
chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by @dependabot[bot] in #5340
chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 by @dependabot[bot] in #5341
chore(deps): bump regex from 2025.9.1 to 2025.9.18 in /hack/api-docs by @dependabot[bot] in #5346
chore(deps): bump apache/skywalking-eyes from 0.6.0 to 0.7.0 by @dependabot[bot] in #5342

New Contributors

@mjtrangoni made their first contribution in #5139
@muckelba made their first contribution in #5146
@DrummyFloyd made their first contribution in #5144
@sriaradhyula made their first contribution in #5159
@jonstacks made their first contribution in #5161
@matheusmazzoni made their first contribution in #5155
@nirajsapkota made their first contribution in #4878
@L1ghtman2k made their first contribution in #5138
@gecube made their first contribution in #5171
@preved911 made their first contribution in #4877
@ntnn made their first contribution in #5156
@webstradev made their first contribution in #5197
@rkferreira made their first contribution in #5169
@arthlr made their first contribution in #5217
@devnopt made their first contribution in #4875
@dakotaharden made their first contribution in #5247
@bharath-b-rh made their first contribution in #4654
@alliseeisgold made their first contribution in #5022
@nielstenboom made their first contribution in #5248
@siddhibhor-56 made their first contribution in #5231
@framsouza made their first contribution in #5154
@kgal-akl made their first contribution in #5263
@hauswio made their first contribution in #5162
@Copilot made their first contribution in #5288
@cloudsmith-iduffy made their first contribution in #5267
@kevinyancn made their first contribution in #5306
@s1nyx made their first contribution in #5300

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.19.2...v0.20.1

`v0.19.2`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.19.2 Image: ghcr.io/external-secrets/external-secrets:v0.19.2-ubi Image: ghcr.io/external-secrets/external-secrets:v0.19.2-ubi-boringssl

What's Changed

chore: release helm chart for v0.19.1 by @Skarlso in #5111
fix: update governance by @gusfcarvalho in #5115
chore(deps): bump golang from 1.24.5 to 1.24.6 and helm-values-schema-json plugin to 2.2.1 by @jakobmoellerdev in #5126
fix: bump image digest to fix e2e tests by @moolen in #5127
chore(deps): bump charset-normalizer from 3.4.2 to 3.4.3 in /hack/api-docs by @dependabot[bot] in #5125
chore(deps): bump tornado from 6.5.1 to 6.5.2 in /hack/api-docs by @dependabot[bot] in #5124
chore(deps): bump actions/create-github-app-token from 2.0.6 to 2.1.0 by @dependabot[bot] in #5123
feat(infisical): Kubernetes, AWS, and token auth methods by @x032205 in #5080
chore: update MAINTAINERS.md with information by @Skarlso in #5128
chore(deps): bump actions/cache from 4.2.3 to 4.2.4 by @dependabot[bot] in #5122
chore(deps): bump github/codeql-action from 3.29.7 to 3.29.8 by @dependabot[bot] in #5120
chore(deps): bump docker/login-action from 3.4.0 to 3.5.0 by @dependabot[bot] in #5119
chore(deps): bump distroless/static from b7b9a69 to 2e114d2 by @dependabot[bot] in #5118
chore(deps): bump ubi8/ubi from a463a8e to 4f0a4e4 by @dependabot[bot] in #5116
fix: select secretstores in same ns as pushsecret by @gracedo in #5109
fix: scope secret list call to the namespace the push secret was created by @moolen in #5133
fix: bump support table by @moolen in #5135

New Contributors

@x032205 made their first contribution in #5080
@gracedo made their first contribution in #5109

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.19.1...v0.19.2

`v0.19.1`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.19.1 Image: ghcr.io/external-secrets/external-secrets:v0.19.1-ubi Image: ghcr.io/external-secrets/external-secrets:v0.19.1-ubi-boringssl

What's Changed

chore: release helm chart for v0.19.0 by @Skarlso in #5093
chore: remove ubi note by @Skarlso in #5094
chore(deps): bump pymdown-extensions from 10.16 to 10.16.1 in /hack/api-docs by @dependabot[bot] in #5100
chore(deps): bump ubi8/ubi from a910ffa to a463a8e by @dependabot[bot] in #5099
chore(deps): bump certifi from 2025.7.14 to 2025.8.3 in /hack/api-docs by @dependabot[bot] in #5097
chore(deps): bump regex from 2024.11.6 to 2025.7.34 in /hack/api-docs by @dependabot[bot] in #5096
Fail helm install if ClusterPushSecrets processing is enabled but PushSecrets processing is disabled. by @tspearconquest in #4896
fix: use server-side apply for CRD installation in Makefile by @alekc in #5103
deployment strategy support by @jjacobs-poa in #5091
feat: migration from endpoint to endpointslice by @xvirgov in #5008
feat(helm) Just use named port for webhook by @jcpunk in #5108
add support for overriding name of PDB by @megashby in #5090
fix: do not run ApplyTemplate for immutable secrets in mutationFunc by @jakobmoellerdev in #5110

New Contributors

@tspearconquest made their first contribution in #4896
@jjacobs-poa made their first contribution in #5091
@xvirgov made their first contribution in #5008
@jcpunk made their first contribution in #5108
@megashby made their first contribution in #5090
@jakobmoellerdev made their first contribution in #5110

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.19.0...v0.19.1

Please note that this a breaking change because our CRDs are now too big. Meaning a simple kubectl apply or Argo's default client side apply WILL NOT WORK! You have to add --server-side to kubectl apply and in argo add:

spec:
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
    - ServerSideApply=true

How to do it in kubectl:

kubectl apply --server-side ...

for it to correctly install the CRDs. Thank you.

Image: ghcr.io/external-secrets/external-secrets:v0.19.0 Image: ghcr.io/external-secrets/external-secrets:v0.19.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.19.0-ubi-boringssl

What's Changed

chore: release helm chart for v0.18.2 by @Skarlso in #4985
chore(deps): bump golang from ee7ff13 to 10f549d in /e2e by @dependabot[bot] in #4997
chore(deps): bump golang from 68932fa to 68932fa by @dependabot[bot] in #5000
chore(deps): bump mkdocs-material from 9.6.14 to 9.6.15 in /hack/api-docs by @dependabot[bot] in #4998
chore(deps): bump anchore/sbom-action from 0.20.1 to 0.20.2 by @dependabot[bot] in #5001
chore(deps): bump github/codeql-action from 3.29.1 to 3.29.2 by @dependabot[bot] in #5003
chore(deps): bump aquasecurity/trivy-action from 0.31.0 to 0.32.0 by @dependabot[bot] in #5002
fix: do not turn original value into string on value scope by @Skarlso in #5011
fix: add uuid in edit and view clusterroles by @sylvainOL in #5017
chore: update dependencies by @eso-service-account-app[bot] in #4999
fix: template data should not be the secret Data itself by @gusfcarvalho in #5023
Fix: Return appropriate error in ValidateStore by @prakash-218 in #5019
feat(helm): allow to set init containers by @rclsilver in #4745
chore(deps): bump certifi from 2025.6.15 to 2025.7.14 in /hack/api-docs by @dependabot[bot] in #5032
Fix: Remove root/buildinfo from ubi build files by @bainsy88 in #5037
chore(deps): bump ubi8/ubi from 19eae3d to c0b0729 by @dependabot[bot] in #5033
chore(deps): bump golang from 1.24.4-bookworm to 1.24.5-bookworm in /e2e by @dependabot[bot] in #5029
chore(deps): bump golang from 1.24.4 to 1.24.5 by @dependabot[bot] in #5034
chore: update dependencies by @eso-service-account-app[bot] in #5031
Add Red Hat OpenShift in Adopters by @KeenonLee in #5039
fix: remove authentication option with JWT token from STSSessionToken generator by @Skarlso in #5026
fix: add validation constraints to ExternalSecretRewrite by @Aakkash-Suresh in #5006
fix: stability support matrix by @gusfcarvalho in #5043
docs(decoding-strategy): clarify base64 auto-detection limitations by @orymate in #5004
feat(infisical): auth methods by @DanielHougaard in #5040
chore(deps): bump alpine from 3.22.0 to 3.22.1 in /e2e by @dependabot[bot] in #5046
chore(aws): parameterstore unit tests improvement by @ivankatliarchuk in #4986
fix(helm): grafana dashboard: fix heatmaps to actually be heatmaps, not time series by @desaintmartin in #5069
chore(deps): bump sigstore/cosign-installer from 3.9.1 to 3.9.2 by @dependabot[bot] in #5047
chore(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0 by @dependabot[bot] in #5048
chore(deps): bump golang from ddf5200 to daae04e by @dependabot[bot] in #5049
chore(deps): bump alpine from 8a1f59f to 4bcff63 by @dependabot[bot] in #5051
chore(deps): bump alpine from 8a1f59f to 4bcff63 in /hack/api-docs by @dependabot[bot] in #5052
chore(deps): bump mkdocs-material from 9.6.15 to 9.6.16 in /hack/api-docs by @dependabot[bot] in #5077
Add SelfSubjectAccessReview as a fallback for failing SelfSubjectRulesReview by @alvin-rw in #5025
chore(deps): bump golang from 69adc37 to ef8c5c7 in /e2e by @dependabot[bot] in #5076
chore(deps): bump ubi8/ubi from c0b0729 to 785d38c by @dependabot[bot] in #5075
chore(deps): bump github/codeql-action from 3.29.2 to 3.29.4 by @dependabot[bot] in #5072
chore(deps): bump anchore/sbom-action from 0.20.2 to 0.20.4 by @dependabot[bot] in #5073
SSHKey generator by @dex4er in #5083
fix: restore AWS credential chain resolution for ECRAuthorizationToken generator by @aditmeno in #5082
fix(helm): grafana dashboard: add widget for sum of not ready secrets by @desaintmartin in #5086
feat(aws): secretsmanager to update/patch/delete tags by @ivankatliarchuk in #4984
fix: update the e2e test with the new store status value by @Skarlso in #5089
fix: correct usage of if in dlc and update for server side apply by @Skarlso in #5092

New Contributors

@sylvainOL made their first contribution in #5017
@prakash-218 made their first contribution in #5019
@rclsilver made their first contribution in #4745
@bainsy88 made their first contribution in #5037
@KeenonLee made their first contribution in #5039
@orymate made their first contribution in #5004
@desaintmartin made their first contribution in #5069
@alvin-rw made their first contribution in #5025
@dex4er made their first contribution in #5083
@aditmeno made their first contribution in #5082

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.18.2...v0.19.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited Oct 10, 2025 by Soos

Draft: Update Helm release external-secrets to v0.20.2

Release Notes

`v0.20.2`

What's Changed

General

Dependencies

New Contributors

`v0.20.1`

What's Changed

General

Dependencies

New Contributors

`v0.19.2`

What's Changed

New Contributors

`v0.19.1`

What's Changed

New Contributors

`v0.19.0`

BREAKING CHANGE

What's Changed

New Contributors

Configuration

Draft: Update Helm release external-secrets to v0.20.2

Release Notes

v0.20.2

What's Changed

General

Dependencies

New Contributors

v0.20.1

What's Changed

General

Dependencies

New Contributors

v0.19.2

What's Changed

New Contributors

v0.19.1

What's Changed

New Contributors

v0.19.0

BREAKING CHANGE

What's Changed

New Contributors

Configuration

Merge request reports

`v0.20.2`

`v0.20.1`

`v0.19.2`

`v0.19.1`

`v0.19.0`