Update dependency external-secrets/external-secrets to v0.20.3 (main)
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| external-secrets/external-secrets | Kustomization | minor |
v0.19.2 -> v0.20.3
|
Release Notes
external-secrets/external-secrets (external-secrets/external-secrets)
v0.20.3
Image: ghcr.io/external-secrets/external-secrets:v0.20.3
Image: ghcr.io/external-secrets/external-secrets:v0.20.3-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.20.3-ubi-boringssl
What's Changed
General
- chore: release helm chart for v0.20.2 by @Skarlso in #5403
- fix(ci): Remove PAUL by @evrardjp in #5406
- docs: add note on Vault 1.21 audience requirement for roles by @AddRain1 in #5411
- docs: extend bitwarden example and integration to accomodate the ssh key feature by @luilegeant in #5414
- chore: update dependencies by @eso-service-account-app[bot] in #5427
- docs(getting-started): Change apply to use File (-f) instead of Kustomize (-k) by @smellems in #5433
- docs(release): Resolve incorrect references in documentation samples by @blast-hardcheese in #5431
- docs: Update scaleway json doc by @RobinFrcd in #5429
- chore(previder): Update Previder Provider dependency and fix ReadOnly token by @gkwmiddelkamp in #5327
- chore(linter): fix revive linter issues in
pkgby @Lumexralph in #5412 - chore: move to new GCP account, temporarily disable delinea by @moolen in #5438
- chore(actions): always run helm test and update make check-diff by @Skarlso in #5440
- fix: make port in the schema file either a string of an integer by @Skarlso in #5439
- fix: use maps.Equal instead of bytes.Compare for JSON value by @Skarlso in #5448
- chore(docs): update refresh interval format by @Skarlso in #5447
- chore(docs): update ADOPTERS.md to include Criteo by @alikhil in #5446
Dependencies
- chore(deps): bump softprops/action-gh-release from 2.3.3 to 2.3.4 by @dependabot[bot] in #5417
- chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6 by @dependabot[bot] in #5420
- chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #5418
- chore(deps): bump golang from
6ad9415toc423747in /e2e by @dependabot[bot] in #5423 - chore(deps): bump mkdocs-material from 9.6.20 to 9.6.21 in /hack/api-docs by @dependabot[bot] in #5425
- chore(deps): bump certifi from 2025.8.3 to 2025.10.5 in /hack/api-docs by @dependabot[bot] in #5424
- chore(deps): bump docker/login-action from 3.5.0 to 3.6.0 by @dependabot[bot] in #5422
- chore(deps): bump actions/stale from 10.0.0 to 10.1.0 by @dependabot[bot] in #5416
- chore(deps): bump peter-evans/create-or-update-comment from 4.0.0 to 5.0.0 by @dependabot[bot] in #5421
- chore(deps): bump golang from
b6ed3fdtob6ed3fdby @dependabot[bot] in #5419
New Contributors
- @AddRain1 made their first contribution in #5411
- @luilegeant made their first contribution in #5414
- @smellems made their first contribution in #5433
- @blast-hardcheese made their first contribution in #5431
- @RobinFrcd made their first contribution in #5429
- @alikhil made their first contribution in #5446
Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.20.2...v0.20.3
v0.20.2
Image: ghcr.io/external-secrets/external-secrets:v0.20.2
Image: ghcr.io/external-secrets/external-secrets:v0.20.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.20.2-ubi-boringssl
What's Changed
General
- fix(typo): Google misspelled by @evrardjp in #5348
- chore: update helm charts v0.20.1 by @Skarlso in #5352
- chore(docs): update stability and support table for 0.20.x by @jakobmoellerdev in #5354
- chore: update dependencies by @eso-service-account-app[bot] in #5349
- chore(docs): update the release flow by @Skarlso in #5358
- feat: add support for decryption scheme from properties in senhasegura Devops Secrets Management (DSM) provider by @felipeosantos in #3895
- feat(ci): use separate github app for lgtm workflow. by @webstradev in #5365
- fix(ci): listing required roles should NOT mention/tag the roles, just name them. by @webstradev in #5363
- fix(ci): run lgtm label remover in pull_request_target context instead by @webstradev in #5366
- chore: update codeql action to also run for actions by @Skarlso in #5360
- feat(oracle): switch provider to maintained status by @anders-swanson in #5367
- fix: liveness probe would include invalid value
enableby @Skarlso in #5369 - feat: introduce priorityPolicy in merge rewrite by @riccardomc in #5329
- docs: update community meeting section by @webstradev in #5364
- docs: issue-5350: Updates CRD and docs with write-only limitation for github provider by @bharath-b-rh in #5361
- fix: IBM Cloud Secrets Manager Imported Cert does not always require intermediate cert by @varksvader in #5370
- feat(gcp): get latest enabled secret by @itaispiegel in #5131
- feat(ci): zizmor github actions vuln scanner by @arielrahamim in #5368
- chore(docs): update pull request approval process by @Skarlso in #5374
- fix(release): Validate GCP GetSecret json format by @Gabrielmadrid73 in #5336
- fix(charts): exclude 'address' key from livenessProbe definition by @baprx in #5377
- feat: add ngrok provider by @jonstacks in #5160
- chore: update dependencies by @eso-service-account-app[bot] in #5386
- docs(release): CyberArk Conjur name change updates by @akosasi in #5359
- chore: bump go, e2e: flux/argo & restructure e2e-bin build by @moolen in #5333
- fix: remove unused secret by @moolen in #5391
- feat(charts): add startupProbe to cert controller by @KyriosGN0 in #5297
- fix: issue-5388: Fixes GCP Workload Identity Federation auth issue by @bharath-b-rh in #5392
- chore(lint): fix revive lint errors
(pkg/providers)by @Lumexralph in #5362 - feat: make cert auth mount path configurable by @shaxbee in #5400
Dependencies
- chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #5379
- chore(deps): bump pyyaml from 6.0.2 to 6.0.3 in /hack/api-docs by @dependabot[bot] in #5380
- chore(deps): bump actions/dependency-review-action from 4.7.3 to 4.8.0 by @dependabot[bot] in #5381
- chore(deps): bump github/codeql-action from 3.30.3 to 3.30.5 by @dependabot[bot] in #5384
- chore(deps): bump markupsafe from 3.0.2 to 3.0.3 in /hack/api-docs by @dependabot[bot] in #5383
- chore(deps): bump mkdocs-macros-plugin from 1.3.9 to 1.4.0 in /hack/api-docs by @dependabot[bot] in #5385
- chore(deps): bump actions/cache from 4.2.4 to 4.3.0 by @dependabot[bot] in #5382
New Contributors
- @evrardjp made their first contribution in #5348
- @felipeosantos made their first contribution in #3895
- @varksvader made their first contribution in #5370
- @itaispiegel made their first contribution in #5131
- @arielrahamim made their first contribution in #5368
- @Gabrielmadrid73 made their first contribution in #5336
- @baprx made their first contribution in #5377
- @akosasi made their first contribution in #5359
- @Lumexralph made their first contribution in #5362
- @shaxbee made their first contribution in #5400
Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.20.0...v0.20.2
v0.20.1
Image: ghcr.io/external-secrets/external-secrets:v0.20.1
Image: ghcr.io/external-secrets/external-secrets:v0.20.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.20.1-ubi-boringssl
What's Changed
General
- chore: release 0.19.2 by @moolen in #5136
- chore: update readme by @gusfcarvalho in #5137
- fix(kubernetes): make auth field optional by @mhrabovcin in #5064
- chore: Fix Markdown spelling issues found by codespell by @mjtrangoni in #5139
- Fix yaml codeblock for oracle-vault provider docs by @muckelba in #5146
- feat: add liveness probe to eso controller by @Skarlso in #4930
- fix(helm): add boolean for processClusterGenerator by @DrummyFloyd in #5144
- chore: add Cisco to ADOPTERS.md by @sriaradhyula in #5159
- docs: Fix provider stability and support table by @jonstacks in #5161
- feat(helm): Add control of response to missing prometheus CRDs by @jcpunk in #5087
- chore: Added release notes configuration by @bonddim in #5148
- chore: bump bitwarden helm chart version by @Skarlso in #5044
- chore(docs): update
ADOPTERS.mdto include SAP by @jakobmoellerdev in #5165 - feat: add externalsecret namespace for webhook provider by @matheusmazzoni in #5155
- fix: add unknown status for secret store by @alvin-rw in #5070
- Fix pushing to an AWS Secrets Manager Secret when there are no secret values by @nirajsapkota in #4878
- add extralabels for dashboard to be scraped by multiple grafana instances by @L1ghtman2k in #5138
- fix: the api docs are not referencing sshkey generator by @Skarlso in #5170
- Update github.md by @gecube in #5171
- Update anchore-engine-credentials.md by @gecube in #5172
- docs: update infisical docs to clarify missing system:auth-delegator need by @Skarlso in #5174
- Adding support different type auth sources by @preved911 in #4877
- fix: stability update document did not update the stability table correctly by @Skarlso in #5176
- Add esv1.AnnotationForceSync for CES and ES by @ntnn in #5156
- fix: helm build failing by @Skarlso in #5178
- fix: remove release- branch automation by @moolen in #5182
- chore: update dependencies by @eso-service-account-app[bot] in #5181
- docs: update bitwarden documentation for dataFrom field usage by @Skarlso in #5196
- feat: add contributor ladder by @gusfcarvalho in #5150
- feat: support vault provider check and set for push secrets by @webstradev in #5197
- chore(docs): update helm charts by @gusfcarvalho in #5203
- chore(ci): fix sonarqube security warnings in helm.yml by @webstradev in #5202
- chore: add pull request maintenance auto labelling and sizes by @Skarlso in #5200
- fix: update the label verification step by @Skarlso in #5209
- feat: add infisical k8s auth with Client JWT as Reviewer JWT Token support by @tuxtof in #5168
- feat: improve error message for json marshalling/unmarshalling by @webstradev in #5211
- chore: enhance
helm-values-schema-jsonschema plugin management logic by @jakobmoellerdev in #5212 - fix(aws): stop incrementing the UUID for versions by @Skarlso in #5175
- feat: enable secure serving for metrics [issue 4614] by @rkferreira in #5169
- fix(infisical): fix TokenAuth auth method by escaping the token revocation by @arthlr in #5217
- fix: tilt build was failing to rebuild by @Skarlso in #5225
- feat: add selectable fields to the CRDs by @Skarlso in #5226
- ref: removing Yandex Cloud specific common types declaration duplication by @preved911 in #4905
- fix: missing codeowners file from .github folder by @Skarlso in #5228
- feat: add setting remote namespace to metadata for kubernetes provider by @Skarlso in #5224
- feat: add support for certs only in pkcs12 by @devnopt in #4875
- docs: document redundant clusterName/clusterLocation parameters in GCP Secret Manager docs by @ionicsolutions in #5208
- feat: Allow adding finalizers from template by @malovme in #5140
- fix: controller-runtime update by @gusfcarvalho in #5239
- chore: update dependencies by @eso-service-account-app[bot] in #5229
- fix: Prevent secretstore reconcile loop when provider error response is dynamic by @dakotaharden in #5247
- feat: add finalizers to SecretStores when referenced by PushSecrets with DeletionPolicy=Delete by @matheusmazzoni in #5163
- fix: keepersecurity support for shortcuts by @pepordev in #5245
- feat: add support for GCP Workload Identity Federation by @bharath-b-rh in #4654
- feat: support fetching secrets and certificates by name in Yandex Lockbox & Certificate Manager by @alliseeisgold in #5022
- chore(charts): Adds new make target for installing unittest plugin by @bharath-b-rh in #5250
- docs(templating): added clarifying comments to Github generator example by @nielstenboom in #5248
- feat(release): add new workflow to label first time contributor issues by @mouhsen-ibrahim in #5243
- feat(security): Adds an option to make HTTP2 configurable by @siddhibhor-56 in #5231
- feat: add retry for onepassword on authorization error by @Skarlso in #5253
- fix: handle namespace deletion race conditions with finalizers by @framsouza in #5154
- docs: update stability and support by @anders-swanson in #5257
- fix(akeyless): Upgrade Akeyless Provider Go SDK to v4 by @kgal-akl in #5263
- feat: support Pod Identity authentication for Vault Provider by @webstradev in #5201
- feat: add domain field to secretserver provider by @rkferreira in #5258
- chore(release): Migrate to actions/create-github-app-token action by @mouhsen-ibrahim in #5264
- chore: just updating the crd conformance tests by @Skarlso in #5265
- chore(revert): "chore(release): Migrate to actions/create-github-app-token action" by @Skarlso in #5269
- chore: azure sdk update by @hauswio in #5162
- feat: add support for fetching Secret by Path on Delinea Secret Server provider by @DelineaSahilWankhede in #5270
- feat: migrate from tibdex to actions/create-github-app-token by @rkferreira in #5286
- fix: license headers across all Go files - standardize format, add missing copyright, fix typos by @Copilot in #5288
- fix: the boilerplate was missing the right license format by @Skarlso in #5289
- chore(license): add automated license header checking using Apache SkyWalking Eyes GitHub Action by @Copilot in #5290
- chore(docs): remove GitHub Discussions references and update support channels by @jakobmoellerdev in #5292
- docs: updated the ladder with two new tracks: documentation and community by @Skarlso in #5298
- docs(release): create upgrading section by @rkferreira in #5310
- docs: readme update for health of the project by @Skarlso in #5309
- fix: validate namespace in secretRef by @moolen in #5311
- docs: add burnout prevention strategies and mitigation policy document by @Skarlso in #5307
- feat: add missing go sbom by @moolen in #5313
- feat: make vault e2e tests run locally by @moolen in #5246
- chore: update dependencies by @eso-service-account-app[bot] in #5324
- feat: add Cloudsmith generator for container registry authentication by @cloudsmith-iduffy in #5267
- feat: Add lgtm review automation step to ci workflows. by @webstradev in #5251
- feat(provider): add Volcengine provider support by @kevinyancn in #5306
- test: add more information to potentially flaky test by @Skarlso in #5330
- fix(docs): Fix typo in controller options doc by @tspearconquest in #5299
- chore(testing): Add licence.check make target by @jonstacks in #5335
- docs(gitlab-variables): document environment scope fallback by @s1nyx in #5300
Dependencies
- chore(deps): bump mkdocs-macros-plugin from 1.3.7 to 1.3.9 in /hack/api-docs by @dependabot[bot] in #5190
- chore(deps): bump requests from 2.32.4 to 2.32.5 in /hack/api-docs by @dependabot[bot] in #5191
- chore(deps): bump golang from 1.24.6-bookworm to 1.25.0-bookworm in /e2e by @dependabot[bot] in #5189
- chore(deps): bump goreleaser/goreleaser-action from 6.3.0 to 6.4.0 by @dependabot[bot] in #5188
- chore(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1 by @dependabot[bot] in #5187
- chore(deps): bump anchore/sbom-action from 0.20.4 to 0.20.5 by @dependabot[bot] in #5186
- chore(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 by @dependabot[bot] in #5184
- chore(deps): bump golang from 1.24.6 to 1.25.0 by @dependabot[bot] in #5194
- chore(deps): bump github/codeql-action from 3.29.8 to 3.29.11 by @dependabot[bot] in #5195
- chore(deps): bump ubi8/ubi from
4f0a4e4to7010e70by @dependabot[bot] in #5193 - chore(deps): bump mkdocs-material from 9.6.16 to 9.6.18 in /hack/api-docs by @dependabot[bot] in #5192
- chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #5198
- chore(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 by @dependabot[bot] in #5199
- chore(deps): bump aquasecurity/trivy-action from 0.32.0 to 0.33.0 by @dependabot[bot] in #5234
- chore(deps): bump actions/dependency-review-action from 4.7.2 to 4.7.3 by @dependabot[bot] in #5236
- chore(deps): bump ubi8/ubi from
7010e70to534c2c0by @dependabot[bot] in #5237 - chore(deps): bump actions/attest-build-provenance from 2.4.0 to 3.0.0 by @dependabot[bot] in #5238
- chore(deps): bump regex from 2025.7.34 to 2025.8.29 in /hack/api-docs by @dependabot[bot] in #5242
- chore(deps): bump platformdirs from 4.3.8 to 4.4.0 in /hack/api-docs by @dependabot[bot] in #5241
- chore(deps): bump distroless/static from
2e114d2tof2ff10aby @dependabot[bot] in #5240 - chore(deps): bump golang from 1.25.0 to 1.25.1 by @dependabot[bot] in #5275
- chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @dependabot[bot] in #5274
- chore(deps): bump actions/stale from 9.1.0 to 10.0.0 by @dependabot[bot] in #5273
- chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @dependabot[bot] in #5276
- chore(deps): bump mkdocs-material from 9.6.18 to 9.6.19 in /hack/api-docs by @dependabot[bot] in #5279
- chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 by @dependabot[bot] in #5278
- chore(deps): bump github/codeql-action from 3.29.11 to 3.30.1 by @dependabot[bot] in #5277
- chore(deps): bump markdown from 3.8.2 to 3.9 in /hack/api-docs by @dependabot[bot] in #5281
- chore(deps): bump golang from 1.25.0-bookworm to 1.25.1-bookworm in /e2e by @dependabot[bot] in #5280
- chore(deps): bump regex from 2025.8.29 to 2025.9.1 in /hack/api-docs by @dependabot[bot] in #5282
- chore(deps): bump golang from
b6ed3fdtob6ed3fdby @dependabot[bot] in #5318 - chore(deps): bump actions/setup-python from 5.6.0 to 6.0.0 by @dependabot[bot] in #5317
- chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 by @dependabot[bot] in #5319
- chore(deps): bump distroless/static from
f2ff10ato87bce11by @dependabot[bot] in #5320 - chore(deps): bump actions/labeler from 5.0.0 to 6.0.1 by @dependabot[bot] in #5323
- chore(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 by @dependabot[bot] in #5321
- chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @dependabot[bot] in #5322
- chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @dependabot[bot] in #5339
- chore(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by @dependabot[bot] in #5344
- chore(deps): bump mkdocs-material from 9.6.19 to 9.6.20 in /hack/api-docs by @dependabot[bot] in #5345
- chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #5343
- chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by @dependabot[bot] in #5340
- chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 by @dependabot[bot] in #5341
- chore(deps): bump regex from 2025.9.1 to 2025.9.18 in /hack/api-docs by @dependabot[bot] in #5346
- chore(deps): bump apache/skywalking-eyes from 0.6.0 to 0.7.0 by @dependabot[bot] in #5342
New Contributors
- @mjtrangoni made their first contribution in #5139
- @muckelba made their first contribution in #5146
- @DrummyFloyd made their first contribution in #5144
- @sriaradhyula made their first contribution in #5159
- @jonstacks made their first contribution in #5161
- @matheusmazzoni made their first contribution in #5155
- @nirajsapkota made their first contribution in #4878
- @L1ghtman2k made their first contribution in #5138
- @gecube made their first contribution in #5171
- @preved911 made their first contribution in #4877
- @ntnn made their first contribution in #5156
- @webstradev made their first contribution in #5197
- @rkferreira made their first contribution in #5169
- @arthlr made their first contribution in #5217
- @devnopt made their first contribution in #4875
- @dakotaharden made their first contribution in #5247
- @bharath-b-rh made their first contribution in #4654
- @alliseeisgold made their first contribution in #5022
- @nielstenboom made their first contribution in #5248
- @siddhibhor-56 made their first contribution in #5231
- @framsouza made their first contribution in #5154
- @kgal-akl made their first contribution in #5263
- @hauswio made their first contribution in #5162
- @Copilot made their first contribution in #5288
- @cloudsmith-iduffy made their first contribution in #5267
- @kevinyancn made their first contribution in #5306
- @s1nyx made their first contribution in #5300
Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.19.2...v0.20.1
v0.20.0
WARNING This release has been accidentally created as immutable, which causes us to not be able to push our usual manifest and provenance files in here. While the images are available and signed, we will publish a new version of the release (v0.20.1) to remediate this.
Image: ghcr.io/external-secrets/external-secrets:v0.20.0
Image: ghcr.io/external-secrets/external-secrets:v0.20.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.20.0-ubi-boringssl
What's Changed
General
- chore: release 0.19.2 by @moolen in #5136
- chore: update readme by @gusfcarvalho in #5137
- fix(kubernetes): make auth field optional by @mhrabovcin in #5064
- chore: Fix Markdown spelling issues found by codespell by @mjtrangoni in #5139
- Fix yaml codeblock for oracle-vault provider docs by @muckelba in #5146
- feat: add liveness probe to eso controller by @Skarlso in #4930
- fix(helm): add boolean for processClusterGenerator by @DrummyFloyd in #5144
- chore: add Cisco to ADOPTERS.md by @sriaradhyula in #5159
- docs: Fix provider stability and support table by @jonstacks in #5161
- feat(helm): Add control of response to missing prometheus CRDs by @jcpunk in #5087
- chore: Added release notes configuration by @bonddim in #5148
- chore: bump bitwarden helm chart version by @Skarlso in #5044
- chore(docs): update
ADOPTERS.mdto include SAP by @jakobmoellerdev in #5165 - feat: add externalsecret namespace for webhook provider by @matheusmazzoni in #5155
- fix: add unknown status for secret store by @alvin-rw in #5070
- Fix pushing to an AWS Secrets Manager Secret when there are no secret values by @nirajsapkota in #4878
- add extralabels for dashboard to be scraped by multiple grafana instances by @L1ghtman2k in #5138
- fix: the api docs are not referencing sshkey generator by @Skarlso in #5170
- Update github.md by @gecube in #5171
- Update anchore-engine-credentials.md by @gecube in #5172
- docs: update infisical docs to clarify missing system:auth-delegator need by @Skarlso in #5174
- Adding support different type auth sources by @preved911 in #4877
- fix: stability update document did not update the stability table correctly by @Skarlso in #5176
- Add esv1.AnnotationForceSync for CES and ES by @ntnn in #5156
- fix: helm build failing by @Skarlso in #5178
- fix: remove release- branch automation by @moolen in #5182
- chore: update dependencies by @eso-service-account-app[bot] in #5181
- docs: update bitwarden documentation for dataFrom field usage by @Skarlso in #5196
- feat: add contributor ladder by @gusfcarvalho in #5150
- feat: support vault provider check and set for push secrets by @webstradev in #5197
- chore(docs): update helm charts by @gusfcarvalho in #5203
- chore(ci): fix sonarqube security warnings in helm.yml by @webstradev in #5202
- chore: add pull request maintenance auto labelling and sizes by @Skarlso in #5200
- fix: update the label verification step by @Skarlso in #5209
- feat: add infisical k8s auth with Client JWT as Reviewer JWT Token support by @tuxtof in #5168
- feat: improve error message for json marshalling/unmarshalling by @webstradev in #5211
- chore: enhance
helm-values-schema-jsonschema plugin management logic by @jakobmoellerdev in #5212 - fix(aws): stop incrementing the UUID for versions by @Skarlso in #5175
- feat: enable secure serving for metrics [issue 4614] by @rkferreira in #5169
- fix(infisical): fix TokenAuth auth method by escaping the token revocation by @arthlr in #5217
- fix: tilt build was failing to rebuild by @Skarlso in #5225
- feat: add selectable fields to the CRDs by @Skarlso in #5226
- ref: removing Yandex Cloud specific common types declaration duplication by @preved911 in #4905
- fix: missing codeowners file from .github folder by @Skarlso in #5228
- feat: add setting remote namespace to metadata for kubernetes provider by @Skarlso in #5224
- feat: add support for certs only in pkcs12 by @devnopt in #4875
- docs: document redundant clusterName/clusterLocation parameters in GCP Secret Manager docs by @ionicsolutions in #5208
- feat: Allow adding finalizers from template by @malovme in #5140
- fix: controller-runtime update by @gusfcarvalho in #5239
- chore: update dependencies by @eso-service-account-app[bot] in #5229
- fix: Prevent secretstore reconcile loop when provider error response is dynamic by @dakotaharden in #5247
- feat: add finalizers to SecretStores when referenced by PushSecrets with DeletionPolicy=Delete by @matheusmazzoni in #5163
- fix: keepersecurity support for shortcuts by @pepordev in #5245
- feat: add support for GCP Workload Identity Federation by @bharath-b-rh in #4654
- feat: support fetching secrets and certificates by name in Yandex Lockbox & Certificate Manager by @alliseeisgold in #5022
- chore(charts): Adds new make target for installing unittest plugin by @bharath-b-rh in #5250
- docs(templating): added clarifying comments to Github generator example by @nielstenboom in #5248
- feat(release): add new workflow to label first time contributor issues by @mouhsen-ibrahim in #5243
- feat(security): Adds an option to make HTTP2 configurable by @siddhibhor-56 in #5231
- feat: add retry for onepassword on authorization error by @Skarlso in #5253
- fix: handle namespace deletion race conditions with finalizers by @framsouza in #5154
- docs: update stability and support by @anders-swanson in #5257
- fix(akeyless): Upgrade Akeyless Provider Go SDK to v4 by @kgal-akl in #5263
- feat: support Pod Identity authentication for Vault Provider by @webstradev in #5201
- feat: add domain field to secretserver provider by @rkferreira in #5258
- chore(release): Migrate to actions/create-github-app-token action by @mouhsen-ibrahim in #5264
- chore: just updating the crd conformance tests by @Skarlso in #5265
- chore(revert): "chore(release): Migrate to actions/create-github-app-token action" by @Skarlso in #5269
- chore: azure sdk update by @hauswio in #5162
- feat: add support for fetching Secret by Path on Delinea Secret Server provider by @DelineaSahilWankhede in #5270
- feat: migrate from tibdex to actions/create-github-app-token by @rkferreira in #5286
- fix: license headers across all Go files - standardize format, add missing copyright, fix typos by @Copilot in #5288
- fix: the boilerplate was missing the right license format by @Skarlso in #5289
- chore(license): add automated license header checking using Apache SkyWalking Eyes GitHub Action by @Copilot in #5290
- chore(docs): remove GitHub Discussions references and update support channels by @jakobmoellerdev in #5292
- docs: updated the ladder with two new tracks: documentation and community by @Skarlso in #5298
- docs(release): create upgrading section by @rkferreira in #5310
- docs: readme update for health of the project by @Skarlso in #5309
- fix: validate namespace in secretRef by @moolen in #5311
- docs: add burnout prevention strategies and mitigation policy document by @Skarlso in #5307
- feat: add missing go sbom by @moolen in #5313
- feat: make vault e2e tests run locally by @moolen in #5246
- chore: update dependencies by @eso-service-account-app[bot] in #5324
- feat: add Cloudsmith generator for container registry authentication by @cloudsmith-iduffy in #5267
- feat: Add lgtm review automation step to ci workflows. by @webstradev in #5251
- feat(provider): add Volcengine provider support by @kevinyancn in #5306
- test: add more information to potentially flaky test by @Skarlso in #5330
- fix(docs): Fix typo in controller options doc by @tspearconquest in #5299
- chore(testing): Add licence.check make target by @jonstacks in #5335
- docs(gitlab-variables): document environment scope fallback by @s1nyx in #5300
Dependencies
- chore(deps): bump mkdocs-macros-plugin from 1.3.7 to 1.3.9 in /hack/api-docs by @dependabot[bot] in #5190
- chore(deps): bump requests from 2.32.4 to 2.32.5 in /hack/api-docs by @dependabot[bot] in #5191
- chore(deps): bump golang from 1.24.6-bookworm to 1.25.0-bookworm in /e2e by @dependabot[bot] in #5189
- chore(deps): bump goreleaser/goreleaser-action from 6.3.0 to 6.4.0 by @dependabot[bot] in #5188
- chore(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1 by @dependabot[bot] in #5187
- chore(deps): bump anchore/sbom-action from 0.20.4 to 0.20.5 by @dependabot[bot] in #5186
- chore(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 by @dependabot[bot] in #5184
- chore(deps): bump golang from 1.24.6 to 1.25.0 by @dependabot[bot] in #5194
- chore(deps): bump github/codeql-action from 3.29.8 to 3.29.11 by @dependabot[bot] in #5195
- chore(deps): bump ubi8/ubi from
4f0a4e4to7010e70by @dependabot[bot] in #5193 - chore(deps): bump mkdocs-material from 9.6.16 to 9.6.18 in /hack/api-docs by @dependabot[bot] in #5192
- chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #5198
- chore(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 by @dependabot[bot] in #5199
- chore(deps): bump aquasecurity/trivy-action from 0.32.0 to 0.33.0 by @dependabot[bot] in #5234
- chore(deps): bump actions/dependency-review-action from 4.7.2 to 4.7.3 by @dependabot[bot] in #5236
- chore(deps): bump ubi8/ubi from
7010e70to534c2c0by @dependabot[bot] in #5237 - chore(deps): bump actions/attest-build-provenance from 2.4.0 to 3.0.0 by @dependabot[bot] in #5238
- chore(deps): bump regex from 2025.7.34 to 2025.8.29 in /hack/api-docs by @dependabot[bot] in #5242
- chore(deps): bump platformdirs from 4.3.8 to 4.4.0 in /hack/api-docs by @dependabot[bot] in #5241
- chore(deps): bump distroless/static from
2e114d2tof2ff10aby @dependabot[bot] in #5240 - chore(deps): bump golang from 1.25.0 to 1.25.1 by @dependabot[bot] in #5275
- chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @dependabot[bot] in #5274
- chore(deps): bump actions/stale from 9.1.0 to 10.0.0 by @dependabot[bot] in #5273
- chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @dependabot[bot] in #5276
- chore(deps): bump mkdocs-material from 9.6.18 to 9.6.19 in /hack/api-docs by @dependabot[bot] in #5279
- chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 by @dependabot[bot] in #5278
- chore(deps): bump github/codeql-action from 3.29.11 to 3.30.1 by @dependabot[bot] in #5277
- chore(deps): bump markdown from 3.8.2 to 3.9 in /hack/api-docs by @dependabot[bot] in #5281
- chore(deps): bump golang from 1.25.0-bookworm to 1.25.1-bookworm in /e2e by @dependabot[bot] in #5280
- chore(deps): bump regex from 2025.8.29 to 2025.9.1 in /hack/api-docs by @dependabot[bot] in #5282
- chore(deps): bump golang from
b6ed3fdtob6ed3fdby @dependabot[bot] in #5318 - chore(deps): bump actions/setup-python from 5.6.0 to 6.0.0 by @dependabot[bot] in #5317
- chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 by @dependabot[bot] in #5319
- chore(deps): bump distroless/static from
f2ff10ato87bce11by @dependabot[bot] in #5320 - chore(deps): bump actions/labeler from 5.0.0 to 6.0.1 by @dependabot[bot] in #5323
- chore(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 by @dependabot[bot] in #5321
- chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @dependabot[bot] in #5322
- chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @dependabot[bot] in #5339
- chore(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by @dependabot[bot] in #5344
- chore(deps): bump mkdocs-material from 9.6.19 to 9.6.20 in /hack/api-docs by @dependabot[bot] in #5345
- chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #5343
- chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by @dependabot[bot] in #5340
- chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 by @dependabot[bot] in #5341
- chore(deps): bump regex from 2025.9.1 to 2025.9.18 in /hack/api-docs by @dependabot[bot] in #5346
- chore(deps): bump apache/skywalking-eyes from 0.6.0 to 0.7.0 by @dependabot[bot] in #5342
New Contributors
- @mjtrangoni made their first contribution in #5139
- @muckelba made their first contribution in #5146
- @DrummyFloyd made their first contribution in #5144
- @sriaradhyula made their first contribution in #5159
- @jonstacks made their first contribution in #5161
- @matheusmazzoni made their first contribution in #5155
- @nirajsapkota made their first contribution in #4878
- @L1ghtman2k made their first contribution in #5138
- @gecube made their first contribution in #5171
- @preved911 made their first contribution in #4877
- @ntnn made their first contribution in #5156
- @webstradev made their first contribution in #5197
- @rkferreira made their first contribution in #5169
- @arthlr made their first contribution in #5217
- @devnopt made their first contribution in #4875
- @dakotaharden made their first contribution in #5247
- @bharath-b-rh made their first contribution in #4654
- @alliseeisgold made their first contribution in #5022
- @nielstenboom made their first contribution in #5248
- @siddhibhor-56 made their first contribution in #5231
- @framsouza made their first contribution in #5154
- @kgal-akl made their first contribution in #5263
- @hauswio made their first contribution in #5162
- @Copilot made their first contribution in #5288
- @cloudsmith-iduffy made their first contribution in #5267
- @kevinyancn made their first contribution in #5306
- @s1nyx made their first contribution in #5300
Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.19.2...v0.20.0
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.
Edited by Sylva Renovate bot