chore(deps): update ghcr.io/lrstanley/vault-unseal docker tag to v1 - autoclosed #5834

renovate-bot · 2026-04-12T01:56:55Z

renovate-bot commented

2026-04-12 01:56:55 +00:00

This PR contains the following updates:

Package	Update	Change
ghcr.io/lrstanley/vault-unseal	major	`0.7.2` → `1.0.0`

Release Notes

lrstanley/vault-unseal (ghcr.io/lrstanley/vault-unseal)

`v1.0.0`

Compare Source

Changelog

Security

Dependency updates address GHSA-78h2-9frx-2jm8.
Container image now runs the process as a non-root user (app) instead of root.
Github Actions workflow now produces provenance attestations and SBOMs for the container image.

What's new

Notifications use Shoutrrr (maintained fork). Configure one or more notify.urls with Shoutrrr service URLs — for example chat (Slack, Discord, Mattermost, Telegram, Microsoft Teams), push (Gotify, ntfy, Pushover), incidents (PagerDuty, OpsGenie), SMTP (smtp://…), generic webhooks, and others.
--version-json prints version metadata as JSON (for scripts and automation).
Published CLI reference in-repo (USAGE.md), kept in sync with the binary.
Help and flags reorganized (context-sensitive --help, clearer groups). --allow-single-node is now unhidden; it was previously hidden.
Logging now uses structured logs. Log output can still go to stderr and/or a file; see --help and USAGE.md for current flags.
TLS for Vault is configurable beyond skip-verify: server name, CA certificate (file, inline PEM, or directory), and optional client certificate and key for mTLS. Flags live under --tls.* (see USAGE.md, TLS Options).
Workers recreate the Vault API client on each check loop, so TLS settings and certificates are reapplied periodically (for example after rotation). Before, it required a restart.
Docker image now supports linux/arm64 platform, in addition to linux/amd64.

Breaking changes

Some logging options are removed (--log.quiet, --log.pretty). Use --log.level (including none to turn logging off) and JSON logging as documented.
- JSON logging will have a different format.
- Pretty logging (textual based, with ANSI colors) is now the default. JSON logging is still available with --log.json.
TLS flags: the global --tls-skip-verify flag is deprecated and will be removed in a future release. Use --tls.skip-verify (environment variable remains TLS_SKIP_VERIFY). Other TLS options use the --tls.-prefixed flags and TLS_-prefixed env vars documented in USAGE.md.
- YAML: top-level tls_skip_verify is deprecated in favor of tls.skip_verify (and the rest of the tls map), and will be removed in a future release. The old key is still read for compatibility; prefer migrating to tls in config.
Container: the process no longer runs as root. Confirm writable paths for logs or other files you mount in.
Email-style configuration is deprecated (CLI --email.*, environment EMAIL_*, YAML email). Switch to using notify.urls with Shoutrrr URLs. Existing email settings will eventually be removed: they are converted to an smtp:// Shoutrrr URL during validation (same behavior, different wiring).
Notification timing flags renamed: --notify-max-elapsed and --notify-queue-delay are deprecated in favor of --notify.max-elapsed and --notify.queue-delay. In YAML, prefer the notify map keys max_elapsed and queue_delay instead of top-level notify_max_elapsed and notify_queue_delay. Same environment variable names (see USAGE.md).

🧹 Misc

193ab06: feat(config): refactor cli flags; misc deps tweaks (@lrstanley)
1e720f8: feat(config): add more tls configuration options (@lrstanley)
069a9e1: feat: refactor notifications, deprecate email (@lrstanley)
fc0486e: feat: test provenance and arm builds (@lrstanley)
646b7e2: feat: add platforms to test workflow (@lrstanley)
f6bd279: chore(release): re-enable scanning option for docker releases (@lrstanley)

Dependency updates

6503041: chore(deps): upgrade Go deps (@lrstanley)
72c7a08: chore(deps): fix clix/v2 version ref (@lrstanley)
d8a86b3: chore(deps): upgrade go deps (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1.0.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1

🧪 Build info

📂 Full changelog: v0.7.2..v1.0.0
❤️ Built with: go version go1.26.2 linux/amd64
⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
⌚ Find previous releases.
🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
🔗 Other useful links:

Configuration

📅 Schedule: (in timezone America/Chicago)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/lrstanley/vault-unseal](https://github.com/lrstanley/vault-unseal) | major | `0.7.2` → `1.0.0` | --- ### Release Notes <details> <summary>lrstanley/vault-unseal (ghcr.io/lrstanley/vault-unseal)</summary> ### [`v1.0.0`](https://github.com/lrstanley/vault-unseal/releases/tag/v1.0.0) [Compare Source](https://github.com/lrstanley/vault-unseal/compare/v0.7.2...v1.0.0) ##### Changelog ##### Security - Dependency updates address [GHSA-78h2-9frx-2jm8](https://github.com/advisories/GHSA-78h2-9frx-2jm8). - Container image now runs the process as a non-root user (`app`) instead of root. - Github Actions workflow now produces provenance attestations and SBOMs for the container image. ##### What's new - **Notifications use [Shoutrrr](https://github.com/nicholas-fedor/shoutrrr)** (maintained fork). Configure one or more **`notify.urls`** with [Shoutrrr service URLs](https://shoutrrr.nickfedor.com/latest/services/overview/) — for example chat (Slack, Discord, Mattermost, Telegram, Microsoft Teams), push (Gotify, ntfy, Pushover), incidents (PagerDuty, OpsGenie), **SMTP** (`smtp://…`), generic webhooks, and others. - **`--version-json`** prints version metadata as JSON (for scripts and automation). - **Published CLI reference** in-repo (`USAGE.md`), kept in sync with the binary. - **Help and flags reorganized** (context-sensitive `--help`, clearer groups). **`--allow-single-node`** is now unhidden; it was previously hidden. - **Logging** now uses structured logs. Log output can still go to stderr and/or a file; see `--help` and `USAGE.md` for current flags. - **TLS for Vault** is configurable beyond skip-verify: server name, CA certificate (file, inline PEM, or directory), and optional client certificate and key for mTLS. Flags live under **`--tls.*`** (see `USAGE.md`, TLS Options). - **Workers** recreate the Vault API client on each check loop, so TLS settings and certificates are reapplied periodically (for example after rotation). Before, it required a restart. - **Docker image** now supports `linux/arm64` platform, in addition to `linux/amd64`. ##### Breaking changes - **Some logging options are removed** (`--log.quiet`, `--log.pretty`). Use **`--log.level`** (including `none` to turn logging off) and JSON logging as documented. - JSON logging will have a different format. - Pretty logging (textual based, with ANSI colors) is now the default. JSON logging is still available with `--log.json`. - **TLS flags:** the global **`--tls-skip-verify`** flag is deprecated and **will be removed in a future release**. Use **`--tls.skip-verify`** (environment variable remains **`TLS_SKIP_VERIFY`**). Other TLS options use the **`--tls.`**-prefixed flags and **`TLS_`**-prefixed env vars documented in `USAGE.md`. - **YAML:** top-level **`tls_skip_verify`** is deprecated in favor of **`tls.skip_verify`** (and the rest of the **`tls`** map), and **will be removed in a future release**. The old key is still read for compatibility; prefer migrating to `tls` in config. - **Container:** the process no longer runs as root. Confirm writable paths for logs or other files you mount in. - **Email-style configuration is deprecated** (CLI **`--email.*`**, environment **`EMAIL_*`**, YAML **`email`**). Switch to using **`notify.urls`** with Shoutrrr URLs. **Existing `email` settings will eventually be removed**: they are **converted to an `smtp://` Shoutrrr URL** during validation (same behavior, different wiring). - **Notification timing flags renamed:** **`--notify-max-elapsed`** and **`--notify-queue-delay`** are deprecated in favor of **`--notify.max-elapsed`** and **`--notify.queue-delay`**. In YAML, prefer the **`notify`** map keys **`max_elapsed`** and **`queue_delay`** instead of top-level **`notify_max_elapsed`** and **`notify_queue_delay`**. Same environment variable names (see `USAGE.md`). ##### :broom: Misc - [`193ab06`](https://github.com/lrstanley/vault-unseal/commit/193ab06151bb968087f1527b0291c4a3aad30afa): feat(config): refactor cli flags; misc deps tweaks ([@lrstanley](https://github.com/lrstanley)) - [`1e720f8`](https://github.com/lrstanley/vault-unseal/commit/1e720f8074ffe69f54d0b9bf27ea06fae206424b): feat(config): add more tls configuration options ([@lrstanley](https://github.com/lrstanley)) - [`069a9e1`](https://github.com/lrstanley/vault-unseal/commit/069a9e11e0b0a7c0f29a31b4aa5fe14113555f0e): feat: refactor notifications, deprecate email ([@lrstanley](https://github.com/lrstanley)) - [`fc0486e`](https://github.com/lrstanley/vault-unseal/commit/fc0486ed2835b58682555600e848c3e2ba186aa9): feat: test provenance and arm builds ([@lrstanley](https://github.com/lrstanley)) - [`646b7e2`](https://github.com/lrstanley/vault-unseal/commit/646b7e2ac3b36d42c9712c81365433ae44786943): feat: add platforms to test workflow ([@lrstanley](https://github.com/lrstanley)) - [`f6bd279`](https://github.com/lrstanley/vault-unseal/commit/f6bd279ecd52b9572baa6637e39ef33fd299e0dd): chore(release): re-enable scanning option for docker releases ([@lrstanley](https://github.com/lrstanley)) ##### Dependency updates - [`6503041`](https://github.com/lrstanley/vault-unseal/commit/6503041f262bab51c866416ed7e311064366866e): chore(deps): upgrade Go deps ([@lrstanley](https://github.com/lrstanley)) - [`72c7a08`](https://github.com/lrstanley/vault-unseal/commit/72c7a08fadc0ae7b49632beeb0d8e0785ce349a0): chore(deps): fix clix/v2 version ref ([@lrstanley](https://github.com/lrstanley)) - [`d8a86b3`](https://github.com/lrstanley/vault-unseal/commit/d8a86b36f498918d5006d6ccd156eeef9c709cfd): chore(deps): upgrade go deps ([@lrstanley](https://github.com/lrstanley)) ##### :whale: Container Images (ghcr) ```console $ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest $ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1.0.0 $ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1.0 $ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1 ``` ##### :test\_tube: Build info - :open\_file\_folder: **Full changelog**: [`v0.7.2..v1.0.0`](https://github.com/lrstanley/vault-unseal/compare/v0.7.2...v1.0.0) - :heart: **Built with**: `go version go1.26.2 linux/amd64` - :gear: **Release job**: [release/go-release](https://github.com/lrstanley/vault-unseal/actions/runs/24295821628) triggered by [@lrstanley](https://github.com/lrstanley). ##### :speech\_balloon: What to do next? - :raising\_hand\_man: Running into an issue or want a specific feature? [Take a look here](https://github.com/lrstanley/vault-unseal/issues/new/choose)! - :watch: Find [previous releases](https://github.com/lrstanley/vault-unseal/releases). - :old\_key: Find a vulnerability? Check out our [Security and Disclosure](https://github.com/lrstanley/vault-unseal/security/policy) policy. - :link: Other useful links: - [License](https://github.com/lrstanley/vault-unseal/blob/master/LICENSE) - [Contributing](https://github.com/lrstanley/vault-unseal/blob/master/.github/CONTRIBUTING.md) - [Support](https://github.com/lrstanley/vault-unseal/blob/master/.github/SUPPORT.md) - [Code of Conduct](https://github.com/lrstanley/vault-unseal/blob/master/.github/CODE_OF_CONDUCT.md) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate-bot added the docker label 2026-04-12 01:56:55 +00:00

renovate-bot added 1 commit 2026-04-12 19:04:36 +00:00

chore(deps): update ghcr.io/lrstanley/vault-unseal docker tag to v1

lint-test-helm / lint-helm (pull_request) Successful in 30s

Details

lint-test-helm / validate-kubeconform (pull_request) Successful in 35s

Details

lint-test-helm / argo-diff (pull_request) Successful in 46s

Details

render-manifests / render-manifests (pull_request) Has been skipped

Details

e1c078c814

renovate-bot force-pushed renovate/major-unified-vault-unseal from 51218af971 to e1c078c814

2026-04-12 19:04:36 +00:00

Compare

renovate-bot changed title from ~~chore(deps): update ghcr.io/lrstanley/vault-unseal docker tag to v1~~ to chore(deps): update ghcr.io/lrstanley/vault-unseal docker tag to v1 - autoclosed

2026-04-13 00:49:13 +00:00

renovate-bot closed this pull request

2026-04-13 00:49:14 +00:00

lint-test-helm / lint-helm (pull_request) Successful in 30s

Details

lint-test-helm / validate-kubeconform (pull_request) Successful in 35s

Details

lint-test-helm / argo-diff (pull_request) Successful in 46s

Details

render-manifests / render-manifests (pull_request) Has been skipped

Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: alexlebens/infrastructure#5834