feat: add path to cloud.ru provider by heavyandrew · Pull Request #5952 · external-secrets/external-secrets

heavyandrew · 2026-02-11T07:05:42Z

Problem Statement

This PR adds ability to get secret by path from cloud.ru provider

Related Issue

Checklist

I have read the contribution guidelines
All commits are signed with git commit --signoff
My changes have reasonable test coverage
All tests pass with make test
I ensured my PR is ready for review with make reviewable

Overview

Adds path-based secret retrieval to the Cloud.ru provider so secrets can be searched by path in addition to name and tags. Fixes #5953.

Changes

Documentation

docs/provider/cloudru.md: Added four path-based examples for dataFrom.find (path-only, path + name.regexp, path + tags, path + name.regexp + tags).

Implementation

providers/v1/cloudru/secretmanager/client.go
- GetAllSecrets now accepts and forwards Path from ExternalSecretFind into the search request.
- Validation updated to require at least one of tags, name, or path.
providers/v1/cloudru/secretmanager/adapter/csm_client.go
- Added Path string to ListSecretsRequest and propagate it into the SearchSecretRequest/ListSecrets call.

Tests

providers/v1/cloudru/secretmanager/client_test.go
- ExternalSecretFind now includes Path.
- Added path-only success test and updated the missing-filter error test to include path as a required filter.

Notes

No changes to exported API surface beyond added Path fields on request/test types; documentation, implementation, and tests wired Path through listing and retrieval.

coderabbitai · 2026-02-11T07:06:03Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: acfc97cf-148d-4ee1-83c6-d8846f65555b

📥 Commits

Reviewing files that changed from the base of the PR and between 2f4e5ab and 65a5d5f.

📒 Files selected for processing (1)

docs/provider/cloudru.md

✅ Files skipped from review due to trivial changes (1)

docs/provider/cloudru.md

Walkthrough

Adds path-based filtering to Cloud.ru secret discovery: docs include path-search examples; client and adapter accept and propagate a Path filter; GetAllSecrets validation now requires at least one of tags, name, or path; tests added/updated to exercise path-only and combined filters.

Changes

Cohort / File(s)	Summary
Cloud.ru Documentation `docs/provider/cloudru.md`	Adds examples showing path-based secret searches with `ExternalSecret` `dataFrom.find`, covering path-only, name regexp, tag filters, and combinations of name + tags.
Cloud.ru Client Implementation `providers/v1/cloudru/secretmanager/client.go`	Updates `GetAllSecrets` validation to require at least one of tags, name, or path; passes `ref.Path` into the search request and returns results using the provided path filter.
Cloud.ru Adapter Request `providers/v1/cloudru/secretmanager/adapter/csm_client.go`	Adds `Path string` to `ListSecretsRequest` and sets `searchReq.Path` when present to enable path filtering in list/search calls.
Cloud.ru Tests / API Struct `providers/v1/cloudru/secretmanager/client_test.go`	Adds `Path *string` to `ExternalSecretFind` usage in tests, introduces a path-only success test case, and updates the missing-filters validation test to include `path`.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The pull request implements path-based secret retrieval for Cloud.ru provider as requested in issue `#5953`.
Out of Scope Changes check	✅ Passed	All changes are directly related to adding path-based filtering for Cloud.ru secrets; no unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use your project's `golangci-lint` configuration to improve the quality of Go code reviews.

Add a configuration file to your project to customize how CodeRabbit runs golangci-lint.

coderabbitai

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

providers/v1/cloudru/secretmanager/client_test.go (1)
254-278: ⚠️ Potential issue | 🔴 Critical

Bug: the "success" test should fail — "storage/secret" does not start with "secret".

strings.HasPrefix("storage/secret", "secret") is false, so the path filter will skip that secret. The expected payload includes both entries but only "secret1" will pass the filter. This test will fail at the length assertion.

Either remove the Path field from this test case (if the intent is to test name+tags only), or adjust the mock paths and expected payload to be consistent with the prefix filter.
Option A: remove Path from this test (preserves original intent)
 			ref: esv1.ExternalSecretFind{
 				Name: &esv1.FindName{RegExp: "secret.*"},
 				Tags: map[string]string{
 					"env": "prod",
 				},
-				Path: func() *string {
-					s := "secret"
-					return &s
-				}(),
 			},
Option B: fix the mock data so both paths match the prefix
 				mock.MockListSecrets([]*smsV2.Secret{
 					{Id: keyID, Name: "secret1", Path: "secret1"},
-					{Id: anotherKeyID, Name: "secret", Path: "storage/secret"},
+					{Id: anotherKeyID, Name: "secret", Path: "secret/storage"},
 				}, nil)
And update the expected payload key accordingly.

🧹 Nitpick comments (1)

docs/provider/cloudru.md (1)

194-211: Documentation examples are clear and comprehensive.

The four new examples cover the key path-based search scenarios well.

One minor note: line 134 above states "You can use either name or tags to filter the secrets", which is now outdated since path is also supported. Consider updating that sentence to mention path as well.

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@providers/v1/cloudru/secretmanager/client.go`:
- Around line 111-112: The guard that validates ref.Tags, ref.Name, and ref.Path
allows ref.Path == "" to pass and leads to an unfiltered secret listing; update
the validation in client.go to treat empty strings as unset: require that
ref.Tags is non-empty OR ref.Name is non-nil and non-empty OR ref.Path is
non-nil and non-empty (check the pointed string value, not just nil). Change the
conditional that currently checks len(ref.Tags) == 0 && ref.Name == nil &&
ref.Path == nil to also consider empty name/path values and return the same
fmt.Errorf when all three are effectively empty; reference ref.Tags, ref.Name,
and ref.Path to locate the check and ensure compatibility with csm_client.go
which skips empty paths.

coderabbitai · 2026-02-12T08:01:27Z

providers/v1/cloudru/secretmanager/client.go

+	if len(ref.Tags) == 0 && ref.Name == nil && ref.Path == nil {
+		return nil, fmt.Errorf("at least one of the following fields must be set: tags, name, path")


⚠️ Potential issue | 🟡 Minor

Empty-string Path bypasses the validation guard.

If ref.Path points to "", the nil check passes but no meaningful filter is applied (since csm_client.go skips empty paths). With tags and name also absent, this silently results in an unfiltered search listing all secrets.

Proposed fix

- if len(ref.Tags) == 0 && ref.Name == nil && ref.Path == nil { - return nil, fmt.Errorf("at least one of the following fields must be set: tags, name, path") + if len(ref.Tags) == 0 && ref.Name == nil && (ref.Path == nil || *ref.Path == "") { + return nil, fmt.Errorf("at least one of the following fields must be set: tags, name, path") }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

if len(ref.Tags) == 0 && ref.Name == nil && ref.Path == nil {

return nil, fmt.Errorf("at least one of the following fields must be set: tags, name, path")

if len(ref.Tags) == 0 && ref.Name == nil && (ref.Path == nil || *ref.Path == "") {

return nil, fmt.Errorf("at least one of the following fields must be set: tags, name, path")

}

🤖 Prompt for AI Agents

In `@providers/v1/cloudru/secretmanager/client.go` around lines 111 - 112, The guard that validates ref.Tags, ref.Name, and ref.Path allows ref.Path == "" to pass and leads to an unfiltered secret listing; update the validation in client.go to treat empty strings as unset: require that ref.Tags is non-empty OR ref.Name is non-nil and non-empty OR ref.Path is non-nil and non-empty (check the pointed string value, not just nil). Change the conditional that currently checks len(ref.Tags) == 0 && ref.Name == nil && ref.Path == nil to also consider empty name/path values and return the same fmt.Errorf when all three are effectively empty; reference ref.Tags, ref.Name, and ref.Path to locate the check and ensure compatibility with csm_client.go which skips empty paths.

coderabbitai

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/provider/cloudru.md (1)
134-134: ⚠️ Potential issue | 🟡 Minor

Update the note to include path as a valid filter.

The note currently says you can use either name or tags, but path is now also supported and documented below. Please reflect that here for consistency.
✏️ Suggested edit
-  NOTE: You can use *either* `name` or `tags` to filter the secrets. Here are basic examples of both:
+  NOTE: You can use *either* `name`, `tags`, or `path` (or combine them) to filter secrets. Here are basic examples:

coderabbitai

🧹 Nitpick comments (1)

providers/v1/cloudru/secretmanager/client_test.go (1)
303-306: Consider using a helper for pointer creation.

The inline function for creating a string pointer is verbose. If this pattern is used elsewhere in the codebase, consider using a helper like ptr.To() from k8s.io/utils/ptr (already commonly used in Kubernetes projects) for cleaner test code.
♻️ Suggested simplification
 		{
 			name: "success_path_only",
 			ref: esv1.ExternalSecretFind{
-				Path: func() *string {
-					s := "oss/snmp-auths"
-					return &s
-				}(),
+				Path: ptr.To("oss/snmp-auths"),
 			},
This requires importing "k8s.io/utils/ptr".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@providers/v1/cloudru/secretmanager/client_test.go` around lines 303 - 306,
The test contains a verbose inline function used to create a *string for the
Path field (the anonymous func returning &s); replace that pattern with a
pointer helper to reduce noise—import "k8s.io/utils/ptr" and use
ptr.To("oss/snmp-auths") for the Path value (and similarly replace any other
inline pointer funcs in providers/v1/cloudru/secretmanager/client_test.go, e.g.,
other instances constructing *string via anonymous funcs).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@providers/v1/cloudru/secretmanager/client_test.go`:
- Around line 303-306: The test contains a verbose inline function used to
create a *string for the Path field (the anonymous func returning &s); replace
that pattern with a pointer helper to reduce noise—import "k8s.io/utils/ptr" and
use ptr.To("oss/snmp-auths") for the Path value (and similarly replace any other
inline pointer funcs in providers/v1/cloudru/secretmanager/client_test.go, e.g.,
other instances constructing *string via anonymous funcs).

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8dedc830-72a2-4e97-bb9f-a375e81777a0

📥 Commits

Reviewing files that changed from the base of the PR and between e9ab6f0 and 2f4e5ab.

📒 Files selected for processing (4)

docs/provider/cloudru.md
providers/v1/cloudru/secretmanager/adapter/csm_client.go
providers/v1/cloudru/secretmanager/client.go
providers/v1/cloudru/secretmanager/client_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

docs/provider/cloudru.md

Skarlso · 2026-03-19T06:29:53Z

@heavyandrew hello. This is ready, but you need to update your branch in order to merge it.

add ability to get secret by path from cloud.ru provider Signed-off-by: aoboyarskiy <aoboyarskiy@cloud.ru>

sonarqubecloud · 2026-03-20T08:23:30Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

heavyandrew · 2026-03-20T08:25:31Z

@heavyandrew hello. This is ready, but you need to update your branch in order to merge it.

done

…2.2.0 (#4923) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.1.0` → `v2.2.0` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information. --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary> ### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0) [Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0) Image: `ghcr.io/external-secrets/external-secrets:v2.2.0` Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`  #### What's Changed ##### General - chore: release charts v2.1.0 by [@Skarlso](https://github.com/Skarlso) in [#6030](external-secrets/external-secrets#6030) - chore: fix the stability doc by [@Skarlso](https://github.com/Skarlso) in [#6035](external-secrets/external-secrets#6035) - fix(security): Fix vulnerabilities by [@othomann](https://github.com/othomann) in [#6052](external-secrets/external-secrets#6052) - fix(aws): sync tags and resource policy even when secret value unchanged by [@evs-secops](https://github.com/evs-secops) in [#6025](external-secrets/external-secrets#6025) - fix: publish now uses docker build v4 which required some changes by [@Skarlso](https://github.com/Skarlso) in [#6062](external-secrets/external-secrets#6062) - feat(gcpsm): auto-detect projectID from GCP metadata server by [@patjlm](https://github.com/patjlm) in [#5922](external-secrets/external-secrets#5922) - chore(templating): Remove years in license and their checks by [@evrardj-roche](https://github.com/evrardj-roche) in [#5955](external-secrets/external-secrets#5955) - docs: Add Roche to official ADOPTERS by [@evrardj-roche](https://github.com/evrardj-roche) in [#6076](external-secrets/external-secrets#6076) - feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@jaruwat-panturat](https://github.com/jaruwat-panturat) in [#6068](external-secrets/external-secrets#6068) - fix(onepassword): support native item IDs by [@chadxz](https://github.com/chadxz) in [#6073](external-secrets/external-secrets#6073) - feat: extract LGTM processor to external JS file with tests by [@mateenali66](https://github.com/mateenali66) in [#6074](external-secrets/external-secrets#6074) - feat: fail fast if LGTM label does not exist in repository by [@mateenali66](https://github.com/mateenali66) in [#6078](external-secrets/external-secrets#6078) - feat(passbolt): add support for Passbolt V5 API by [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#5919](external-secrets/external-secrets#5919) - fix(infisical): dataFrom.find.path should filter by secret path not name by [@johnvox](https://github.com/johnvox) in [#6086](external-secrets/external-secrets#6086) - fix: disable the priority queue which misbehaves at scale by [@Skarlso](https://github.com/Skarlso) in [#6083](external-secrets/external-secrets#6083) - chore: update go version to 1.26.1 by [@Skarlso](https://github.com/Skarlso) in [#6072](external-secrets/external-secrets#6072) - docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@Br1an67](https://github.com/Br1an67) in [#6056](external-secrets/external-secrets#6056) - fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@Br1an67](https://github.com/Br1an67) in [#6036](external-secrets/external-secrets#6036) - feat(templating): Add certSANs function to extract SANs from certificates by [@mzdeb](https://github.com/mzdeb) in [#6058](external-secrets/external-secrets#6058) - docs: document template.metadata labels/annotations behavior by [@lucpas](https://github.com/lucpas) in [#6102](external-secrets/external-secrets#6102) - fix: CODEOWNERS are seriously out of date by [@Skarlso](https://github.com/Skarlso) in [#6106](external-secrets/external-secrets#6106) - feat(helm): add readinessProbe support for external-secrets deployment by [@AlexOQ](https://github.com/AlexOQ) in [#5831](external-secrets/external-secrets#5831) - fix: update grpc for CVE-2026-33186 by [@Skarlso](https://github.com/Skarlso) in [#6108](external-secrets/external-secrets#6108) - feat(azurekv): add expiration time to azure kv secret by [@muraliavarma](https://github.com/muraliavarma) in [#5935](external-secrets/external-secrets#5935) - feat: add path to cloud.ru provider by [@heavyandrew](https://github.com/heavyandrew) in [#5952](external-secrets/external-secrets#5952) - fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@riccardomc](https://github.com/riccardomc) in [#6113](external-secrets/external-secrets#6113) ##### Dependencies - chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#6038](external-secrets/external-secrets#6038) - chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6047](external-secrets/external-secrets#6047) - chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6050](external-secrets/external-secrets#6050) - chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6049](external-secrets/external-secrets#6049) - chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@dependabot](https://github.com/dependabot)\[bot] in [#6039](external-secrets/external-secrets#6039) - chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6043](external-secrets/external-secrets#6043) - chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6040](external-secrets/external-secrets#6040) - chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6044](external-secrets/external-secrets#6044) - chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6042](external-secrets/external-secrets#6042) - chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6041](external-secrets/external-secrets#6041) - chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6046](external-secrets/external-secrets#6046) - chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6048](external-secrets/external-secrets#6048) - chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6093](external-secrets/external-secrets#6093) - chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@dependabot](https://github.com/dependabot)\[bot] in [#6088](external-secrets/external-secrets#6088) - chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@dependabot](https://github.com/dependabot)\[bot] in [#6087](external-secrets/external-secrets#6087) - chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6096](external-secrets/external-secrets#6096) - chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6094](external-secrets/external-secrets#6094) - chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6095](external-secrets/external-secrets#6095) - chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6089](external-secrets/external-secrets#6089) - chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6092](external-secrets/external-secrets#6092) - chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6090](external-secrets/external-secrets#6090) - chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6091](external-secrets/external-secrets#6091) #### New Contributors - [@othomann](https://github.com/othomann) made their first contribution in [#6052](external-secrets/external-secrets#6052) - [@evs-secops](https://github.com/evs-secops) made their first contribution in [#6025](external-secrets/external-secrets#6025) - [@patjlm](https://github.com/patjlm) made their first contribution in [#5922](external-secrets/external-secrets#5922) - [@jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#6068](external-secrets/external-secrets#6068) - [@chadxz](https://github.com/chadxz) made their first contribution in [#6073](external-secrets/external-secrets#6073) - [@mateenali66](https://github.com/mateenali66) made their first contribution in [#6074](external-secrets/external-secrets#6074) - [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#5919](external-secrets/external-secrets#5919) - [@johnvox](https://github.com/johnvox) made their first contribution in [#6086](external-secrets/external-secrets#6086) - [@Br1an67](https://github.com/Br1an67) made their first contribution in [#6056](external-secrets/external-secrets#6056) - [@mzdeb](https://github.com/mzdeb) made their first contribution in [#6058](external-secrets/external-secrets#6058) - [@lucpas](https://github.com/lucpas) made their first contribution in [#6102](external-secrets/external-secrets#6102) - [@AlexOQ](https://github.com/AlexOQ) made their first contribution in [#5831](external-secrets/external-secrets#5831) - [@muraliavarma](https://github.com/muraliavarma) made their first contribution in [#5935](external-secrets/external-secrets#5935) - [@heavyandrew](https://github.com/heavyandrew) made their first contribution in [#5952](external-secrets/external-secrets#5952) **Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4923 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.1.0` → `2.2.0` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information. --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0) [Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0) Image: `ghcr.io/external-secrets/external-secrets:v2.2.0` Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`  ##### What's Changed ##### General - chore: release charts v2.1.0 by [@Skarlso](https://github.com/Skarlso) in [#6030](external-secrets/external-secrets#6030) - chore: fix the stability doc by [@Skarlso](https://github.com/Skarlso) in [#6035](external-secrets/external-secrets#6035) - fix(security): Fix vulnerabilities by [@othomann](https://github.com/othomann) in [#6052](external-secrets/external-secrets#6052) - fix(aws): sync tags and resource policy even when secret value unchanged by [@evs-secops](https://github.com/evs-secops) in [#6025](external-secrets/external-secrets#6025) - fix: publish now uses docker build v4 which required some changes by [@Skarlso](https://github.com/Skarlso) in [#6062](external-secrets/external-secrets#6062) - feat(gcpsm): auto-detect projectID from GCP metadata server by [@patjlm](https://github.com/patjlm) in [#5922](external-secrets/external-secrets#5922) - chore(templating): Remove years in license and their checks by [@evrardj-roche](https://github.com/evrardj-roche) in [#5955](external-secrets/external-secrets#5955) - docs: Add Roche to official ADOPTERS by [@evrardj-roche](https://github.com/evrardj-roche) in [#6076](external-secrets/external-secrets#6076) - feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@jaruwat-panturat](https://github.com/jaruwat-panturat) in [#6068](external-secrets/external-secrets#6068) - fix(onepassword): support native item IDs by [@chadxz](https://github.com/chadxz) in [#6073](external-secrets/external-secrets#6073) - feat: extract LGTM processor to external JS file with tests by [@mateenali66](https://github.com/mateenali66) in [#6074](external-secrets/external-secrets#6074) - feat: fail fast if LGTM label does not exist in repository by [@mateenali66](https://github.com/mateenali66) in [#6078](external-secrets/external-secrets#6078) - feat(passbolt): add support for Passbolt V5 API by [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#5919](external-secrets/external-secrets#5919) - fix(infisical): dataFrom.find.path should filter by secret path not name by [@johnvox](https://github.com/johnvox) in [#6086](external-secrets/external-secrets#6086) - fix: disable the priority queue which misbehaves at scale by [@Skarlso](https://github.com/Skarlso) in [#6083](external-secrets/external-secrets#6083) - chore: update go version to 1.26.1 by [@Skarlso](https://github.com/Skarlso) in [#6072](external-secrets/external-secrets#6072) - docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@Br1an67](https://github.com/Br1an67) in [#6056](external-secrets/external-secrets#6056) - fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@Br1an67](https://github.com/Br1an67) in [#6036](external-secrets/external-secrets#6036) - feat(templating): Add certSANs function to extract SANs from certificates by [@mzdeb](https://github.com/mzdeb) in [#6058](external-secrets/external-secrets#6058) - docs: document template.metadata labels/annotations behavior by [@lucpas](https://github.com/lucpas) in [#6102](external-secrets/external-secrets#6102) - fix: CODEOWNERS are seriously out of date by [@Skarlso](https://github.com/Skarlso) in [#6106](external-secrets/external-secrets#6106) - feat(helm): add readinessProbe support for external-secrets deployment by [@AlexOQ](https://github.com/AlexOQ) in [#5831](external-secrets/external-secrets#5831) - fix: update grpc for CVE-2026-33186 by [@Skarlso](https://github.com/Skarlso) in [#6108](external-secrets/external-secrets#6108) - feat(azurekv): add expiration time to azure kv secret by [@muraliavarma](https://github.com/muraliavarma) in [#5935](external-secrets/external-secrets#5935) - feat: add path to cloud.ru provider by [@heavyandrew](https://github.com/heavyandrew) in [#5952](external-secrets/external-secrets#5952) - fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@riccardomc](https://github.com/riccardomc) in [#6113](external-secrets/external-secrets#6113) ##### Dependencies - chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#6038](external-secrets/external-secrets#6038) - chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6047](external-secrets/external-secrets#6047) - chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6050](external-secrets/external-secrets#6050) - chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6049](external-secrets/external-secrets#6049) - chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@dependabot](https://github.com/dependabot)\[bot] in [#6039](external-secrets/external-secrets#6039) - chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6043](external-secrets/external-secrets#6043) - chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6040](external-secrets/external-secrets#6040) - chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6044](external-secrets/external-secrets#6044) - chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6042](external-secrets/external-secrets#6042) - chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6041](external-secrets/external-secrets#6041) - chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6046](external-secrets/external-secrets#6046) - chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6048](external-secrets/external-secrets#6048) - chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6093](external-secrets/external-secrets#6093) - chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@dependabot](https://github.com/dependabot)\[bot] in [#6088](external-secrets/external-secrets#6088) - chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@dependabot](https://github.com/dependabot)\[bot] in [#6087](external-secrets/external-secrets#6087) - chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6096](external-secrets/external-secrets#6096) - chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6094](external-secrets/external-secrets#6094) - chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6095](external-secrets/external-secrets#6095) - chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6089](external-secrets/external-secrets#6089) - chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6092](external-secrets/external-secrets#6092) - chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6090](external-secrets/external-secrets#6090) - chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6091](external-secrets/external-secrets#6091) ##### New Contributors - [@othomann](https://github.com/othomann) made their first contribution in [#6052](external-secrets/external-secrets#6052) - [@evs-secops](https://github.com/evs-secops) made their first contribution in [#6025](external-secrets/external-secrets#6025) - [@patjlm](https://github.com/patjlm) made their first contribution in [#5922](external-secrets/external-secrets#5922) - [@jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#6068](external-secrets/external-secrets#6068) - [@chadxz](https://github.com/chadxz) made their first contribution in [#6073](external-secrets/external-secrets#6073) - [@mateenali66](https://github.com/mateenali66) made their first contribution in [#6074](external-secrets/external-secrets#6074) - [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#5919](external-secrets/external-secrets#5919) - [@johnvox](https://github.com/johnvox) made their first contribution in [#6086](external-secrets/external-secrets#6086) - [@Br1an67](https://github.com/Br1an67) made their first contribution in [#6056](external-secrets/external-secrets#6056) - [@mzdeb](https://github.com/mzdeb) made their first contribution in [#6058](external-secrets/external-secrets#6058) - [@lucpas](https://github.com/lucpas) made their first contribution in [#6102](external-secrets/external-secrets#6102) - [@AlexOQ](https://github.com/AlexOQ) made their first contribution in [#5831](external-secrets/external-secrets#5831) - [@muraliavarma](https://github.com/muraliavarma) made their first contribution in [#5935](external-secrets/external-secrets#5935) - [@heavyandrew](https://github.com/heavyandrew) made their first contribution in [#5952](external-secrets/external-secrets#5952) **Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4927 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

github-project-automation bot added this to External Secrets Feb 11, 2026

github-actions bot added kind/feature Categorizes issue or PR as related to a new feature. kind/documentation Categorizes issue or PR as related to documentation. size/m labels Feb 11, 2026

coderabbitai bot reviewed Feb 11, 2026

View reviewed changes

github-actions bot added the size/xl label Feb 11, 2026

heavyandrew force-pushed the feat/cloudru-secret-by-path branch from 6952648 to ee9e86b Compare February 12, 2026 07:59

coderabbitai bot reviewed Feb 12, 2026

View reviewed changes

heavyandrew force-pushed the feat/cloudru-secret-by-path branch from ee9e86b to e9ab6f0 Compare February 16, 2026 08:45

coderabbitai bot reviewed Feb 16, 2026

View reviewed changes

heavyandrew force-pushed the feat/cloudru-secret-by-path branch from e9ab6f0 to 0423a03 Compare February 20, 2026 11:56

evrardj-roche added the area/cloudrusm label Mar 9, 2026

heavyandrew force-pushed the feat/cloudru-secret-by-path branch from 0423a03 to 2f4e5ab Compare March 13, 2026 07:54

coderabbitai bot reviewed Mar 13, 2026

View reviewed changes

Skarlso approved these changes Mar 13, 2026

View reviewed changes

feat: add path to cloud.ru provider

65a5d5f

add ability to get secret by path from cloud.ru provider Signed-off-by: aoboyarskiy <aoboyarskiy@cloud.ru>

heavyandrew force-pushed the feat/cloudru-secret-by-path branch from 2f4e5ab to 65a5d5f Compare March 20, 2026 08:22

Skarlso merged commit 395e4e3 into external-secrets:main Mar 20, 2026
33 checks passed

github-project-automation bot moved this to Done in External Secrets Mar 20, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: add path to cloud.ru provider#5952

feat: add path to cloud.ru provider#5952
Skarlso merged 1 commit intoexternal-secrets:mainfrom
cloudru-tech:feat/cloudru-secret-by-path

heavyandrew commented Feb 11, 2026 •

edited by coderabbitai bot

Loading

Uh oh!

coderabbitai bot commented Feb 11, 2026 •

edited

Loading

Reviews paused

Uh oh!

coderabbitai bot left a comment

Uh oh!

coderabbitai bot left a comment

Uh oh!

coderabbitai bot Feb 12, 2026

Uh oh!

coderabbitai bot left a comment

Uh oh!

coderabbitai bot left a comment

Uh oh!

Skarlso commented Mar 19, 2026

Uh oh!

sonarqubecloud bot commented Mar 20, 2026

Uh oh!

heavyandrew commented Mar 20, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

		if len(ref.Tags) == 0 && ref.Name == nil && ref.Path == nil {
		return nil, fmt.Errorf("at least one of the following fields must be set: tags, name, path")

Uh oh!

Conversation

heavyandrew commented Feb 11, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Problem Statement

Related Issue

Checklist

Overview

Changes

Notes

Uh oh!

coderabbitai bot commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Skarlso commented Mar 19, 2026

Uh oh!

sonarqubecloud bot commented Mar 20, 2026

Quality Gate passed

Uh oh!

heavyandrew commented Mar 20, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

heavyandrew commented Feb 11, 2026 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Feb 11, 2026 •

edited

Loading