Skip to content

fix: update grpc for CVE-2026-33186#6108

Merged
Skarlso merged 1 commit intoexternal-secrets:mainfrom
Skarlso:fix-vuln-CVE-2026-33186
Mar 19, 2026
Merged

fix: update grpc for CVE-2026-33186#6108
Skarlso merged 1 commit intoexternal-secrets:mainfrom
Skarlso:fix-vuln-CVE-2026-33186

Conversation

@Skarlso
Copy link
Copy Markdown
Contributor

@Skarlso Skarlso commented Mar 19, 2026
edited by coderabbitai bot
Loading

Problem Statement

What is the problem you're trying to solve?

Related Issue

Fixes #...

Proposed Changes

How do you like to solve the issue and why?

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

  • charts
  • release
  • testing
  • security
  • templating

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

Changes

Updated gRPC and related indirect dependencies across multiple go.mod files to address CVE-2026-33186.

Key updates:

  • google.golang.org/grpc: v1.76.0 → v1.79.3 (updated where present)
  • google.golang.org/genproto/googleapis/api and /rpc: moved to newer pseudo-versions
  • golang.org/x/* modules: version bumps for crypto, net, sync, sys, term, text, mod, tools as applicable
  • OpenTelemetry: go.opentelemetry.io/otel (and /metric, /trace, /auto/sdk) bumped to v1.39.0 / v1.2.1 where applicable

Affected files:

  • go.mod
  • e2e/go.mod
  • generators/v1/gcr/go.mod
  • generators/v1/vault/go.mod
  • providers/v1/akeyless/go.mod
  • providers/v1/gcp/go.mod
  • providers/v1/infisical/go.mod
  • providers/v1/nebius/go.mod
  • providers/v1/vault/go.mod
  • providers/v1/cloudru/go.mod
  • providers/v1/gitlab/go.mod
  • providers/v1/yandex/go.mod

Notes:

  • All changes are dependency version bumps (mostly indirect). No source code, exported API, module paths, or replace directives were modified.

@coderabbitai
Copy link
Copy Markdown

coderabbitai bot commented Mar 19, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2ff9ed18-748c-46d9-96db-1a5a7983bcd3

📥 Commits

Reviewing files that changed from the base of the PR and between e1ad283 and b10fffb.

⛔ Files ignored due to path filters (12)
  • e2e/go.sum is excluded by !**/*.sum
  • generators/v1/gcr/go.sum is excluded by !**/*.sum
  • generators/v1/vault/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • providers/v1/akeyless/go.sum is excluded by !**/*.sum
  • providers/v1/cloudru/go.sum is excluded by !**/*.sum
  • providers/v1/gcp/go.sum is excluded by !**/*.sum
  • providers/v1/gitlab/go.sum is excluded by !**/*.sum
  • providers/v1/infisical/go.sum is excluded by !**/*.sum
  • providers/v1/nebius/go.sum is excluded by !**/*.sum
  • providers/v1/vault/go.sum is excluded by !**/*.sum
  • providers/v1/yandex/go.sum is excluded by !**/*.sum
📒 Files selected for processing (12)
  • e2e/go.mod
  • generators/v1/gcr/go.mod
  • generators/v1/vault/go.mod
  • go.mod
  • providers/v1/akeyless/go.mod
  • providers/v1/cloudru/go.mod
  • providers/v1/gcp/go.mod
  • providers/v1/gitlab/go.mod
  • providers/v1/infisical/go.mod
  • providers/v1/nebius/go.mod
  • providers/v1/vault/go.mod
  • providers/v1/yandex/go.mod
✅ Files skipped from review due to trivial changes (10)
  • providers/v1/cloudru/go.mod
  • providers/v1/yandex/go.mod
  • providers/v1/vault/go.mod
  • providers/v1/gcp/go.mod
  • providers/v1/gitlab/go.mod
  • generators/v1/gcr/go.mod
  • generators/v1/vault/go.mod
  • providers/v1/akeyless/go.mod
  • providers/v1/nebius/go.mod
  • go.mod
🚧 Files skipped from review as they are similar to previous changes (2)
  • providers/v1/infisical/go.mod
  • e2e/go.mod

Walkthrough

Bumped versions in multiple go.mod files: OpenTelemetry modules (mostly to v1.39.0), google.golang.org/grpc (to v1.79.3), and many golang.org/x/* indirect modules. Some genproto entries moved to newer pseudo-versions. No source or public API changes.

Changes

Cohort / File(s) Summary
Root module
go.mod		 Updated indirect pins: OpenTelemetry → v1.39.0, google.golang.org/grpc → v1.79.3, golang.org/x/* packages and google.golang.org/genproto pseudo-versions.
E2E
e2e/go.mod		 Bumped OpenTelemetry to v1.39.0, golang.org/x/crypto → v0.49.0, golang.org/x/net → v0.52.0, advanced gRPC and various golang.org/x/* indirect versions.
Generators
generators/v1/gcr/go.mod, generators/v1/vault/go.mod		 Updated OpenTelemetry to v1.39.0 (vault also: auto/sdk v1.1.0→v1.2.1), bumped golang.org/x/* indirect versions, and advanced gRPC/genproto pseudo-versions.
Providers (bulk)
providers/v1/akeyless/go.mod, providers/v1/gcp/go.mod, providers/v1/infisical/go.mod, providers/v1/vault/go.mod, providers/v1/cloudru/go.mod, providers/v1/gitlab/go.mod, providers/v1/yandex/go.mod		 Unified bumps: OpenTelemetry (where present) to v1.39.0 or auto/sdk to v1.2.1, google.golang.org/grpc → v1.79.3, golang.org/x/* indirect upgrades, and updated genproto pseudo-versions.
Providers (nebius)
providers/v1/nebius/go.mod		 Advanced golang.org/x/* and gRPC versions; removed explicit indirect OpenTelemetry entries and updated genproto/rpc pseudo-version.
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions bot added kind/bug Categorizes issue or PR as related to a bug. kind/dependency dependabot and upgrades labels Mar 19, 2026
IdanAdar
IdanAdar previously approved these changes Mar 19, 2026
View reviewed changes
coderabbitai[bot]
coderabbitai bot reviewed Mar 19, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 104: Update the pinned gRPC version by replacing the dependency line
"google.golang.org/grpc v1.72.2" with "google.golang.org/grpc v1.79.3" in each
of the three affected module manifests; ensure the go.mod files that still
reference the older version are updated consistently and run `go mod tidy`
afterwards to refresh the go.sum and verify builds.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d07823e3-3b7d-492b-bfb9-a4e6228488f2

📥 Commits

Reviewing files that changed from the base of the PR and between 07191d1 and e1ad283.

⛔ Files ignored due to path filters (9)
  • e2e/go.sum is excluded by !**/*.sum
  • generators/v1/gcr/go.sum is excluded by !**/*.sum
  • generators/v1/vault/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • providers/v1/akeyless/go.sum is excluded by !**/*.sum
  • providers/v1/gcp/go.sum is excluded by !**/*.sum
  • providers/v1/infisical/go.sum is excluded by !**/*.sum
  • providers/v1/nebius/go.sum is excluded by !**/*.sum
  • providers/v1/vault/go.sum is excluded by !**/*.sum
📒 Files selected for processing (9)
  • e2e/go.mod
  • generators/v1/gcr/go.mod
  • generators/v1/vault/go.mod
  • go.mod
  • providers/v1/akeyless/go.mod
  • providers/v1/gcp/go.mod
  • providers/v1/infisical/go.mod
  • providers/v1/nebius/go.mod
  • providers/v1/vault/go.mod

go.mod
google.golang.org/api v0.254.0 // indirect
google.golang.org/genproto v0.0.0-20251029180050-ab9386a59fda // indirect
google.golang.org/grpc v1.76.0 // indirect
google.golang.org/grpc v1.79.3 // indirect
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 19, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod files and grpc pins =="
fd '^go\.mod$' -t f | while read -r mod; do
  echo "-- $mod"
  rg -n '^\s*google\.golang\.org/grpc\s+v' "$mod" || true
done

echo
echo "== Any grpc pins below v1.79.3 (best-effort semver check) =="
python - <<'PY'
import re, pathlib
target=(1,79,3)
def parse(v):
    m=re.match(r'v(\d+)\.(\d+)\.(\d+)', v)
    return tuple(map(int,m.groups())) if m else None
for p in pathlib.Path(".").rglob("go.mod"):
    for i,l in enumerate(p.read_text().splitlines(),1):
        m=re.search(r'google\.golang\.org/grpc\s+(v[0-9]+\.[0-9]+\.[0-9]+)', l)
        if not m:
            continue
        v=m.group(1); pv=parse(v)
        if pv and pv<target:
            print(f"{p}:{i}: {v} < v1.79.3")
PY

echo
echo "== Residual old grpc entries in go.sum (if present) =="
if [ -f go.sum ]; then
  rg -n 'google\.golang\.org/grpc v1\.(7[0-8]|[0-6][0-9])\.' go.sum || true
else
  echo "go.sum not present at repo root"
fi

Repository: external-secrets/external-secrets

Length of output: 4609

Three module manifests still pinning gRPC v1.72.2 instead of v1.79.3 — update required to complete CVE fix.

The following go.mod files are outdated and should be upgraded to match the target version:

  • providers/v1/cloudru/go.mod line 13
  • providers/v1/gitlab/go.mod line 94
  • providers/v1/yandex/go.mod line 14

All other module manifests are correctly pinned to v1.79.3 or higher.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 104, Update the pinned gRPC version by replacing the
dependency line "google.golang.org/grpc v1.72.2" with "google.golang.org/grpc
v1.79.3" in each of the three affected module manifests; ensure the go.mod files
that still reference the older version are updated consistently and run `go mod
tidy` afterwards to refresh the go.sum and verify builds.

Copy link
Copy Markdown
Contributor Author

@Skarlso Skarlso Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dang it... nice I was looking for 0 and not 2...

Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Skarlso Easy to miss when you're doing a targeted search! 😄 The three files that need updating are:

  • providers/v1/cloudru/go.mod (line 13)
  • providers/v1/gitlab/go.mod (line 94)
  • providers/v1/yandex/go.mod (line 14)

Each needs google.golang.org/grpc v1.72.2 bumped to v1.79.3 to fully close the CVE across all module manifests. Let me know if you'd like me to plan those changes!

🧠 Learnings used 
Learnt from: Skarlso
Repo: external-secrets/external-secrets PR: 5834
File: providers/v1/secretserver/go.mod:16-16
Timestamp: 2026-01-18T20:52:31.160Z
Learning: When Skarlso uses a fork replacement directive (e.g., replacing upstream packages with github.com/Skarlso/... forks) in go.mod files, these are typically intentional debug builds for investigation purposes and should not be flagged for version mismatches or missing releases.

Learnt from: gusfcarvalho
Repo: external-secrets/external-secrets PR: 5933
File: docs/introduction/stability-support.md:21-22
Timestamp: 2026-02-06T13:42:21.344Z
Learning: For the `external-secrets/external-secrets` repository: Before adding any review comments about releases (whether questioning if a release exists, commenting on release dates, or suggesting changes to version documentation), ALWAYS directly verify the release exists using `gh release view <tag> --repo external-secrets/external-secrets` command first. Do NOT rely on web search results or internal cache, as they may be stale. Only after confirming the release status with the GitHub CLI should you make comments about releases or version documentation.

@Skarlso
fix: update grpc for CVE-2026-33186
b10fffb 
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
@Skarlso Skarlso force-pushed the fix-vuln-CVE-2026-33186 branch from e1ad283 to b10fffb Compare March 19, 2026 07:49
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 19, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Skarlso Skarlso merged commit 83f1861 into external-secrets:main Mar 19, 2026
43 of 44 checks passed
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Mar 20, 2026
@alexlebens
chore(deps): update dependency external-secrets/external-secrets to v…
f4922e0 
…2.2.0 (#4923)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.1.0` → `v2.2.0` |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information.

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary>

### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0)

[Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.2.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore: release charts v2.1.0 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6030](external-secrets/external-secrets#6030)
- chore: fix the stability doc by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6035](external-secrets/external-secrets#6035)
- fix(security): Fix vulnerabilities by [@&#8203;othomann](https://github.com/othomann) in [#&#8203;6052](external-secrets/external-secrets#6052)
- fix(aws): sync tags and resource policy even when secret value unchanged by [@&#8203;evs-secops](https://github.com/evs-secops) in [#&#8203;6025](external-secrets/external-secrets#6025)
- fix: publish now uses docker build v4 which required some changes by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6062](external-secrets/external-secrets#6062)
- feat(gcpsm): auto-detect projectID from GCP metadata server by [@&#8203;patjlm](https://github.com/patjlm) in [#&#8203;5922](external-secrets/external-secrets#5922)
- chore(templating): Remove years in license and their checks by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5955](external-secrets/external-secrets#5955)
- docs: Add Roche to official ADOPTERS by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;6076](external-secrets/external-secrets#6076)
- feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@&#8203;jaruwat-panturat](https://github.com/jaruwat-panturat) in [#&#8203;6068](external-secrets/external-secrets#6068)
- fix(onepassword): support native item IDs by [@&#8203;chadxz](https://github.com/chadxz) in [#&#8203;6073](external-secrets/external-secrets#6073)
- feat: extract LGTM processor to external JS file with tests by [@&#8203;mateenali66](https://github.com/mateenali66) in [#&#8203;6074](external-secrets/external-secrets#6074)
- feat: fail fast if LGTM label does not exist in repository by [@&#8203;mateenali66](https://github.com/mateenali66) in [#&#8203;6078](external-secrets/external-secrets#6078)
- feat(passbolt): add support for Passbolt V5 API by [@&#8203;cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#&#8203;5919](external-secrets/external-secrets#5919)
- fix(infisical): dataFrom.find.path should filter by secret path not name by [@&#8203;johnvox](https://github.com/johnvox) in [#&#8203;6086](external-secrets/external-secrets#6086)
- fix: disable the priority queue which misbehaves at scale by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6083](external-secrets/external-secrets#6083)
- chore: update go version to 1.26.1 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6072](external-secrets/external-secrets#6072)
- docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@&#8203;Br1an67](https://github.com/Br1an67) in [#&#8203;6056](external-secrets/external-secrets#6056)
- fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@&#8203;Br1an67](https://github.com/Br1an67) in [#&#8203;6036](external-secrets/external-secrets#6036)
- feat(templating): Add certSANs function to extract SANs from certificates by [@&#8203;mzdeb](https://github.com/mzdeb) in [#&#8203;6058](external-secrets/external-secrets#6058)
- docs: document template.metadata labels/annotations behavior by [@&#8203;lucpas](https://github.com/lucpas) in [#&#8203;6102](external-secrets/external-secrets#6102)
- fix: CODEOWNERS are seriously out of date by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6106](external-secrets/external-secrets#6106)
- feat(helm): add readinessProbe support for external-secrets deployment by [@&#8203;AlexOQ](https://github.com/AlexOQ) in [#&#8203;5831](external-secrets/external-secrets#5831)
- fix: update grpc for CVE-2026-33186 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6108](external-secrets/external-secrets#6108)
- feat(azurekv): add expiration time to azure kv secret by [@&#8203;muraliavarma](https://github.com/muraliavarma) in [#&#8203;5935](external-secrets/external-secrets#5935)
- feat: add path to cloud.ru provider by [@&#8203;heavyandrew](https://github.com/heavyandrew) in [#&#8203;5952](external-secrets/external-secrets#5952)
- fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@&#8203;riccardomc](https://github.com/riccardomc) in [#&#8203;6113](external-secrets/external-secrets#6113)

##### Dependencies

- chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6038](external-secrets/external-secrets#6038)
- chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6047](external-secrets/external-secrets#6047)
- chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6050](external-secrets/external-secrets#6050)
- chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6049](external-secrets/external-secrets#6049)
- chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6039](external-secrets/external-secrets#6039)
- chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6043](external-secrets/external-secrets#6043)
- chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6040](external-secrets/external-secrets#6040)
- chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6044](external-secrets/external-secrets#6044)
- chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6042](external-secrets/external-secrets#6042)
- chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6041](external-secrets/external-secrets#6041)
- chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6046](external-secrets/external-secrets#6046)
- chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6048](external-secrets/external-secrets#6048)
- chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6093](external-secrets/external-secrets#6093)
- chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6088](external-secrets/external-secrets#6088)
- chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6087](external-secrets/external-secrets#6087)
- chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6096](external-secrets/external-secrets#6096)
- chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6094](external-secrets/external-secrets#6094)
- chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6095](external-secrets/external-secrets#6095)
- chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6089](external-secrets/external-secrets#6089)
- chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6092](external-secrets/external-secrets#6092)
- chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6090](external-secrets/external-secrets#6090)
- chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6091](external-secrets/external-secrets#6091)

#### New Contributors

- [@&#8203;othomann](https://github.com/othomann) made their first contribution in [#&#8203;6052](external-secrets/external-secrets#6052)
- [@&#8203;evs-secops](https://github.com/evs-secops) made their first contribution in [#&#8203;6025](external-secrets/external-secrets#6025)
- [@&#8203;patjlm](https://github.com/patjlm) made their first contribution in [#&#8203;5922](external-secrets/external-secrets#5922)
- [@&#8203;jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#&#8203;6068](external-secrets/external-secrets#6068)
- [@&#8203;chadxz](https://github.com/chadxz) made their first contribution in [#&#8203;6073](external-secrets/external-secrets#6073)
- [@&#8203;mateenali66](https://github.com/mateenali66) made their first contribution in [#&#8203;6074](external-secrets/external-secrets#6074)
- [@&#8203;cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#&#8203;5919](external-secrets/external-secrets#5919)
- [@&#8203;johnvox](https://github.com/johnvox) made their first contribution in [#&#8203;6086](external-secrets/external-secrets#6086)
- [@&#8203;Br1an67](https://github.com/Br1an67) made their first contribution in [#&#8203;6056](external-secrets/external-secrets#6056)
- [@&#8203;mzdeb](https://github.com/mzdeb) made their first contribution in [#&#8203;6058](external-secrets/external-secrets#6058)
- [@&#8203;lucpas](https://github.com/lucpas) made their first contribution in [#&#8203;6102](external-secrets/external-secrets#6102)
- [@&#8203;AlexOQ](https://github.com/AlexOQ) made their first contribution in [#&#8203;5831](external-secrets/external-secrets#5831)
- [@&#8203;muraliavarma](https://github.com/muraliavarma) made their first contribution in [#&#8203;5935](external-secrets/external-secrets#5935)
- [@&#8203;heavyandrew](https://github.com/heavyandrew) made their first contribution in [#&#8203;5952](external-secrets/external-secrets#5952)

**Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4923
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Mar 20, 2026
@alexlebens
chore(deps): update helm release external-secrets to v2.2.0 (#4927)
71eddc4 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.1.0` → `2.2.0` |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information.

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0)

[Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.2.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

##### What's Changed

##### General

- chore: release charts v2.1.0 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6030](external-secrets/external-secrets#6030)
- chore: fix the stability doc by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6035](external-secrets/external-secrets#6035)
- fix(security): Fix vulnerabilities by [@&#8203;othomann](https://github.com/othomann) in [#&#8203;6052](external-secrets/external-secrets#6052)
- fix(aws): sync tags and resource policy even when secret value unchanged by [@&#8203;evs-secops](https://github.com/evs-secops) in [#&#8203;6025](external-secrets/external-secrets#6025)
- fix: publish now uses docker build v4 which required some changes by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6062](external-secrets/external-secrets#6062)
- feat(gcpsm): auto-detect projectID from GCP metadata server by [@&#8203;patjlm](https://github.com/patjlm) in [#&#8203;5922](external-secrets/external-secrets#5922)
- chore(templating): Remove years in license and their checks by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5955](external-secrets/external-secrets#5955)
- docs: Add Roche to official ADOPTERS by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;6076](external-secrets/external-secrets#6076)
- feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@&#8203;jaruwat-panturat](https://github.com/jaruwat-panturat) in [#&#8203;6068](external-secrets/external-secrets#6068)
- fix(onepassword): support native item IDs by [@&#8203;chadxz](https://github.com/chadxz) in [#&#8203;6073](external-secrets/external-secrets#6073)
- feat: extract LGTM processor to external JS file with tests by [@&#8203;mateenali66](https://github.com/mateenali66) in [#&#8203;6074](external-secrets/external-secrets#6074)
- feat: fail fast if LGTM label does not exist in repository by [@&#8203;mateenali66](https://github.com/mateenali66) in [#&#8203;6078](external-secrets/external-secrets#6078)
- feat(passbolt): add support for Passbolt V5 API by [@&#8203;cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#&#8203;5919](external-secrets/external-secrets#5919)
- fix(infisical): dataFrom.find.path should filter by secret path not name by [@&#8203;johnvox](https://github.com/johnvox) in [#&#8203;6086](external-secrets/external-secrets#6086)
- fix: disable the priority queue which misbehaves at scale by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6083](external-secrets/external-secrets#6083)
- chore: update go version to 1.26.1 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6072](external-secrets/external-secrets#6072)
- docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@&#8203;Br1an67](https://github.com/Br1an67) in [#&#8203;6056](external-secrets/external-secrets#6056)
- fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@&#8203;Br1an67](https://github.com/Br1an67) in [#&#8203;6036](external-secrets/external-secrets#6036)
- feat(templating): Add certSANs function to extract SANs from certificates by [@&#8203;mzdeb](https://github.com/mzdeb) in [#&#8203;6058](external-secrets/external-secrets#6058)
- docs: document template.metadata labels/annotations behavior by [@&#8203;lucpas](https://github.com/lucpas) in [#&#8203;6102](external-secrets/external-secrets#6102)
- fix: CODEOWNERS are seriously out of date by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6106](external-secrets/external-secrets#6106)
- feat(helm): add readinessProbe support for external-secrets deployment by [@&#8203;AlexOQ](https://github.com/AlexOQ) in [#&#8203;5831](external-secrets/external-secrets#5831)
- fix: update grpc for CVE-2026-33186 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6108](external-secrets/external-secrets#6108)
- feat(azurekv): add expiration time to azure kv secret by [@&#8203;muraliavarma](https://github.com/muraliavarma) in [#&#8203;5935](external-secrets/external-secrets#5935)
- feat: add path to cloud.ru provider by [@&#8203;heavyandrew](https://github.com/heavyandrew) in [#&#8203;5952](external-secrets/external-secrets#5952)
- fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@&#8203;riccardomc](https://github.com/riccardomc) in [#&#8203;6113](external-secrets/external-secrets#6113)

##### Dependencies

- chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6038](external-secrets/external-secrets#6038)
- chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6047](external-secrets/external-secrets#6047)
- chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6050](external-secrets/external-secrets#6050)
- chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6049](external-secrets/external-secrets#6049)
- chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6039](external-secrets/external-secrets#6039)
- chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6043](external-secrets/external-secrets#6043)
- chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6040](external-secrets/external-secrets#6040)
- chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6044](external-secrets/external-secrets#6044)
- chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6042](external-secrets/external-secrets#6042)
- chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6041](external-secrets/external-secrets#6041)
- chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6046](external-secrets/external-secrets#6046)
- chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6048](external-secrets/external-secrets#6048)
- chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6093](external-secrets/external-secrets#6093)
- chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6088](external-secrets/external-secrets#6088)
- chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6087](external-secrets/external-secrets#6087)
- chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6096](external-secrets/external-secrets#6096)
- chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6094](external-secrets/external-secrets#6094)
- chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6095](external-secrets/external-secrets#6095)
- chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6089](external-secrets/external-secrets#6089)
- chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6092](external-secrets/external-secrets#6092)
- chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6090](external-secrets/external-secrets#6090)
- chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6091](external-secrets/external-secrets#6091)

##### New Contributors

- [@&#8203;othomann](https://github.com/othomann) made their first contribution in [#&#8203;6052](external-secrets/external-secrets#6052)
- [@&#8203;evs-secops](https://github.com/evs-secops) made their first contribution in [#&#8203;6025](external-secrets/external-secrets#6025)
- [@&#8203;patjlm](https://github.com/patjlm) made their first contribution in [#&#8203;5922](external-secrets/external-secrets#5922)
- [@&#8203;jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#&#8203;6068](external-secrets/external-secrets#6068)
- [@&#8203;chadxz](https://github.com/chadxz) made their first contribution in [#&#8203;6073](external-secrets/external-secrets#6073)
- [@&#8203;mateenali66](https://github.com/mateenali66) made their first contribution in [#&#8203;6074](external-secrets/external-secrets#6074)
- [@&#8203;cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#&#8203;5919](external-secrets/external-secrets#5919)
- [@&#8203;johnvox](https://github.com/johnvox) made their first contribution in [#&#8203;6086](external-secrets/external-secrets#6086)
- [@&#8203;Br1an67](https://github.com/Br1an67) made their first contribution in [#&#8203;6056](external-secrets/external-secrets#6056)
- [@&#8203;mzdeb](https://github.com/mzdeb) made their first contribution in [#&#8203;6058](external-secrets/external-secrets#6058)
- [@&#8203;lucpas](https://github.com/lucpas) made their first contribution in [#&#8203;6102](external-secrets/external-secrets#6102)
- [@&#8203;AlexOQ](https://github.com/AlexOQ) made their first contribution in [#&#8203;5831](external-secrets/external-secrets#5831)
- [@&#8203;muraliavarma](https://github.com/muraliavarma) made their first contribution in [#&#8203;5935](external-secrets/external-secrets#5935)
- [@&#8203;heavyandrew](https://github.com/heavyandrew) made their first contribution in [#&#8203;5952](external-secrets/external-secrets#5952)

**Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiY2hhcnQiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4927
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
@coderabbitai coderabbitai bot mentioned this pull request Mar 21, 2026
Merged
5 tasks
@github-actions github-actions bot mentioned this pull request Mar 30, 2026
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@IdanAdar IdanAdar IdanAdar approved these changes

Assignees

No one assigned

Labels

kind/bug Categorizes issue or PR as related to a bug. kind/dependency dependabot and upgrades size/l

Projects

External Secrets
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Skarlso @IdanAdar