chore(deps): update container updates

[homelab-okd]

This PR contains the following updates:

Package	Update	Change
docker.io/gitea/gitea	patch	1.25.4-rootless → 1.25.5-rootless
docker.io/renovate/renovate (source)	minor	43.66.0-full → 43.75.0-full
ghcr.io/cloudnative-pg/cloudnative-pg	minor	1.28.1 → 1.29.0-rc1-ubi9-index

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

go-gitea/gitea (docker.io/gitea/gitea)

v1.25.5

Compare Source

• SECURITY
  • Toolchain Update to Go 1.25.6 (#​36480) (#​36487)
  • Adjust the toolchain version (#​36537) (#​36542)
  • Update toolchain to 1.25.8 for v1.25 (#​36888)
  • Prevent redirect bypasses via backslash-encoded paths (#​36660) (#​36716)
  • Fix get release draft permission check (#​36659) (#​36715)
  • Fix a bug user could change another user's primary email (#​36586) (#​36607)
  • Fix OAuth2 authorization code expiry and reuse handling (#​36797) (#​36851)
  • Add validation constraints for repository creation fields (#​36671) (#​36757)
  • Fix bug to check whether user can update pull request branch or rebase branch (#​36465) (#​36838)
  • Add migration http transport for push/sync mirror lfs (#​36665) (#​36691)
  • Fix track time list permission check (#​36662) (#​36744)
  • Fix track time issue id (#​36664) (#​36689)
  • Fix path resolving (#​36734) (#​36746)
  • Fix dump release asset bug (#​36799) (#​36839)
  • Fix org permission API visibility checks for hidden members and private orgs (#​36798) (#​36841)
  • Fix forwarded proto handling for public URL detection (#​36810) (#​36836)
  • Add a git grep search timeout (#​36809) (#​36835)
  • Fix oauth2 s256 (#​36462) (#​36477)
• ENHANCEMENTS
  • Make security-check informational only (#​36681) (#​36852)
  • Upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#​36840)
  • Add some validation on values provided to USER_DISABLED_FEATURES and EXTERNAL_USER_DISABLED_FEATURES (#​36688) (#​36692)
  • Upgrade gogit to 5.16.5 (#​36687)
  • Add wrap to runner label list (#​36565) (#​36574)
  • Add dnf5 command for Fedora in RPM package instructions (#​36527) (#​36572)
  • Allow scroll propagation outside code editor (#​36502) (#​36510)
• BUGFIXES
  • Fix non-admins unable to automerge PRs from forks (#​36833) (#​36843)
  • Fix bug when pushing mirror with wiki (#​36795) (#​36807)
  • Fix artifacts v4 backend upload problems (#​36805) (#​36834)
  • Fix CRAN package version validation to allow more than 4 version components (#​36813) (#​36821)
  • Fix force push time-line commit comments of pull request (#​36653) (#​36717)
  • Fix SVG height calculation in diff viewer (#​36748) (#​36750)
  • Fix push time bug (#​36693) (#​36713)
  • Fix bug the protected branch rule name is conflicted with renamed branch name (#​36650) (#​36661)
  • Fix bug when do LFS GC (#​36500) (#​36608)
  • Fix focus lost bugs in the Monaco editor (#​36609)
  • Reprocess htmx content after loading more files (#​36568) (#​36577)
  • Fix assignee sidebar links and empty placeholder (#​36559) (#​36563)
  • Fix issues filter dropdown showing empty label scope section (#​36535) (#​36544)
  • Fix various mermaid bugs (#​36547) (#​36552)
  • Fix data race when uploading container blobs concurrently (#​36524) (#​36526)
  • Correct spacing between username and bot label (#​36473) (#​36484)

renovatebot/renovate (docker.io/renovate/renovate)

v43.75.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.25.0 (main) (#​41927) (425ca26)

v43.74.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.24.0 (main) (#​41926) (4847242)

Miscellaneous Chores

• deps: update dependency pnpm to v10.31.0 (main) (#​41925) (a70c005)

v43.73.2

Compare Source

Bug Fixes

• lint errors (#​41808) (d6c85ec)

v43.73.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.23.1 (main) (#​41920) (dd1a102)

Miscellaneous Chores

• deps: update dependency eslint to v9.39.4 (main) (#​41917) (a51cf81)

v43.71.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.22.0 (main) (#​41909) (5906313)

v43.70.0

Compare Source

Features

• maven-wrapper: support checksum updates when updating versions (#​40481) (49fbc83), closes #​33444 #​40929 #​40923 #​40090 #​40911 #​40910 #​40906 #​40899 #​39979 #​40871 #​40883 #​40882 #​40880 #​40028 #​40878 #​40876 #​40877 #​40874 #​40873 #​40872 #​40669

Bug Fixes

• swift: don't use v prefix with Package.resolved (#​41782) (25c77c6), closes #​41780

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.4.1 (main) (#​41907) (ba21ce6)

v43.69.0

Compare Source

Features

• add Home Assistant Manifest manager (#​39906) (6fb659a)

v43.66.5

Compare Source

Bug Fixes

• maven-wrapper: drop explicit versioning (#​41872) (93e215f)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.2.3 (main) (#​41880) (5be6098)
• deps: update pnpm/action-setup action to v4.4.0 (main) (#​41888) (447ec1a)

v43.66.4

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.21.10 (main) (#​41871) (3145b2d)

Miscellaneous Chores

• deps: update dependency @​types/node to v24.12.0 (main) (#​41870) (6ef198c)

v43.66.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.21.9 (main) (#​41869) (4473d6c)

v43.66.2

Compare Source

Miscellaneous Chores

• deps: update dependency @​types/node to v24.11.2 (main) (#​41868) (0ba12a9)

Build System

• deps: update dependency @​renovatebot/pgp to v1.3.4 (main) (#​41867) (95de30a)

v43.66.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.21.8 (main) (#​41865) (7465ff1)

Miscellaneous Chores

• deps: update dependency @​types/node to v24.11.1 (main) (#​41864) (cabe4d3)

cloudnative-pg/cloudnative-pg (ghcr.io/cloudnative-pg/cloudnative-pg)

v1.29.0-rc1

Compare Source

Release date: Mar 13, 2026

Important changes

• Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.30.0, rather than 1.29.0. Users are still encouraged to migrate to the Barman Cloud Plugin. (#​10167)

Features

• PostgreSQL extensions in image catalogs: extended the ImageCatalog functionality to support PostgreSQL extensions. This allows users to define and manage extension-specific images within a catalog, simplifying the deployment of customized PostgreSQL builds. (#​9781)

• Dynamic network access control via pod selectors: introduced the declarative definition of podSelectorRefs to manage pg_hba.conf rules dynamically. By using label selectors to identify client pods, the operator automatically resolves their ephemeral IP addresses and updates the PostgreSQL host-based authentication rules accordingly. This ensures that only authorized workloads in the same namespace can connect to the database, eliminating the need for manual IP management or static CIDR ranges. (#​10148)

• Shared ServiceAccount support: added an optional serviceAccountName field to both Cluster and Pooler specifications. This allows multiple resources to share a pre-existing ServiceAccount, facilitating one-time IAM configurations (such as AWS IRSA, GCP Workload Identity, or Azure Workload Identity) across all clusters and poolers. Contributed by @​bozkayasalihx. (#​9287)

Enhancements

• Improved the Pooler CRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by @​alex1989hu. (#​9571)

• Improved the reliability of major upgrades by setting BackoffLimit=0 on the upgrade job, preventing unnecessary retries of a failed pg_upgrade. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. (#​10104)

• Improved the operator's observability by emitting native Kubernetes events during key phases of the reconciliation loop. This provides much better visibility into the operator's decision-making process and the lifecycle of managed resources directly through kubectl get events. (#​10040)

• Extended support for the cnpg.io/reconciliationDisabled annotation on Backup resources. This allows administrators to temporarily freeze the operator's reconciliation logic for specific backup objects. Contributed by @​GabriFedi97. (#​10020)

• Added a bin_path field to the postgresql.extensions stanza, as well as in ImageCatalog and ClusterImageCatalog resources. This allows extensions to specify directory paths for external binaries, which are automatically appended to the PATH environment variable of the Postgres process. (#​10250)

• Implemented a finalizer for plugins to ensure that resources managed by a plugin are gracefully cleaned up when the corresponding service is deleted. (#​9560)

• Enhanced the security and reliability of role management by verifying the primary status of an instance before each reconciliation cycle. (#​9971)

• The operator now honors the primaryUpdateMethod when adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. (#​9720)

• Refined the alpha.cnpg.io/unrecoverable annotation logic to allow it to function even on pods that have not yet reached the Ready state, facilitating the recovery of stuck instances. (#​9968)

• Introduced a "Terminal Error" phase for backups that encounter unrecoverable issues (such as invalid credentials or non-existent cloud buckets). This ensures the operator stops retrying doomed operations, preventing resource exhaustion and providing immediate, clear feedback in the status. (#​9353)

• Improved monitoring of long-running backups by introducing reconciliationStartedAt and reconciliationTerminatedAt fields to the Backup status. This change separates the operator's internal lifecycle from the actual backup tool's execution timing (startedAt/stoppedAt), allowing users to track when the operator begins processing a request. (#​9351)

• Added a Pending phase to the Backup status to explicitly indicate when a backup is queued and waiting for an available worker or instance availability. (#​9364)

Security and Supply Chain

• Security best practices integration: integrated the OpenSSF baseline scanner and added a SECURITY-INSIGHTS.yaml file to the repository to align with industry-standard security reporting. (#​10054, #​10062)

• SLSA provenance and SBOMs: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. (#​10048, #​10074)

• Password leak prevention: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. (#​9950)

Changes

• Updated the default PostgreSQL version to 18.3 (image 18.3-system-trixie). (#​10090)

Fixes

• Fixed an issue where replicas would get stuck in a Pending state if the VolumeSnapshot used for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back to pg_basebackup. (#​10192)

• Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by @​ermakov-oleg. (#​9977)

• Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. (#​9952)

• Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by @​sharifmshaker. (#​9978)

• Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by @​jmealo. (#​9981)

• Refined the bootstrap recovery logic by adding a missing check for ConnectionParameters and updating error messages to include all valid configuration types. (#​10268)

• Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. (#​9973)

• Improved feedback when hibernating a non-healthy cluster. While the operator correctly defers hibernation until a cluster recovers, this state is now explicitly reported via a WaitingForHealthy condition, making it visible through cnpg status. (#​10193)

• Removed unnecessary pod existence checks from the FencingMetadataExecutor to streamline the fencing process, particularly in environments where pods may be quickly deleted. (#​10035)

• Fixed the cluster and pooler service reconcilers to detect changes to all spec fields (such as loadBalancerSourceRanges) when using the patch update strategy, which previously only compared selectors, labels, and annotations. (#​10190)

• Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. (#​10285)

• cnpg plugin:

  • The cnpg plugin now correctly propagates ImagePullSecrets to the pgbench Job pod template. (#​10174)

Supported versions

• Kubernetes 1.35, 1.34, and 1.33
• PostgreSQL 18, 17, 16, 15, and 14
  • PostgreSQL 18.3 is the default image
  • PostgreSQL 14 support ends on November 12, 2026

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[homelab-okd]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.