Triage: YELLOW -- possible breakage, reviewer requested
Reloader chart v2.2.12 is a patch bump with no breaking changes to the chart itself, but the bundled app version (v1.4.17) includes Go dependency security updates. Provenance research failed due to a backend error, so manual verification of the source is recommended before merge.
Chart version is a patch bump; no breaking changes to templates, values, or RBAC.
appVersion bumped from v1.4.16 to v1.4.17 — default container image tag will change unless you pin image.tag explicitly in your values.
Go dependency security updates in the bundled controller binary: golang.org/x/net, golang.org/x/sys, golang.org/x/text, golang.org/x/term all bumped to patch versions addressing known vulnerabilities.
Go toolchain updated from 1.26.2 to 1.26.3 in the build.
CI/docs changes only (Helm action version bump, docs infrastructure removal, workflow hardening) — no runtime impact.
No functional changes to the Reloader controller itself; no migration action required.
Provenance
Provenance research failed for reloader due to a backend error (token limit exceeded). The source is the official Reloader GitHub repository (https://github.com/stakater/Reloader), but automated signature/metadata verification could not complete. Recommend manual inspection of the release tag and commit history before merge.
Sub-agent reports — reloader
Breaking-change impact
RESEARCH_SKIPPED: the breaking researcher was not run for this update because the user's focus targeted only specific researchers. Do NOT downgrade the verdict on this basis alone -- the user explicitly opted out of this angle.
Upstream changelog
I have all the information needed. Here is the structured output:
reloader 2.2.11 → 2.2.12
Summary
Artifact type: Helm chart
Input format: SemVer (chart version)
Resolved references: Git tag chart-v2.2.11 → chart-v2.2.12 on github.com/stakater/Reloader; full commit range: chart-v2.2.11...chart-v2.2.12
Versions in range: 2.2.12 only (no intermediate chart releases between 2.2.11 and 2.2.12)
Versioning scheme: SemVer for chart version; separate SemVer for appVersion (the Reloader controller binary)
Major version boundary crossed: No (2.2.x → 2.2.x)
Confidence: high — full diff available for all changes; release notes match commit history exactly
Breaking Changes
None found.
No chart template changes, no values.yaml key additions/removals/renames, no API version changes, no RBAC changes. The chart diff is limited to version metadata and CI workflow updates.
Other Notable Changes
appVersion bumped from v1.4.16 to v1.4.17 — the default container image tag in values.yaml (image.tag) changes from v1.4.16 to v1.4.17. Deployments using image.tag: "" or relying on the chart default will pull the new controller image. Users pinning image.tag explicitly are unaffected. Source: PR #1155 diff
Security: vulnerable Go dependencies bumped — golang.org/x/net upgraded v0.52.0 → v0.55.0; golang.org/x/sys v0.42.0 → v0.45.0; golang.org/x/text v0.35.0 → v0.37.0; golang.org/x/term v0.41.0 → v0.43.0. These are indirect dependencies in the controller binary (baked into the v1.4.17 image). No chart-level impact. Source: PR #1151
Go toolchain version bumped — Dockerfile builder image changed from golang:1.26.2 to golang:1.26 (floating patch); go.mod directive updated go 1.26.2 → go 1.26.3. Affects only the controller binary build, not the chart. Source: PR #1151 diff
CI: Helm version in workflows upgraded — azure/setup-helm version bumped from v3.11.3 to v3.20.2 across all GitHub Actions workflows (pull_request-helm.yaml, push-helm-chart.yaml, push.yaml, release.yaml). No runtime impact. Source: PR #1155 diff
CI: GitHub Actions workflows hardened against cache poisoning — workflow security improvements merged via PR #1149. No runtime impact.
Docs: in-repo docs build infrastructure removed — Dockerfile-docs, docs-nginx.conf, theme files, and pull_request_docs.yaml workflow deleted (PR #1140). Documentation is now hosted externally. No runtime impact.
README revised — Reloader Enterprise section and badges updated (PR #1136, PR #1138). No runtime impact.
Base image updated — registry.access.redhat.com/ubi9/ubi bumped to v9.8-1779374378 in the controller container build (PR #1152). Baked into the v1.4.17 image; no chart-level impact.
Deprecations Introduced
None found.
Gaps and Caveats
No CHANGELOG.md or UPGRADING.md exists in the repository at standard paths; all change information is sourced from GitHub release notes and PR diffs, which are complete and consistent for this range.
The appVersion field in Chart.yaml changed from v1.4.16 to v1.4.17. The app release v1.4.17 contains no functional/behavioral changes to the Reloader controller itself — only dependency security bumps, CI hardening, and documentation changes. No migration action is required for the controller upgrade.
The release notes for v1.4.17 reference the full changelog as chart-v2.2.11...v1.4.17 (cross-tag comparison), which is an artifact of the dual-tagging scheme (separate chart-v* and v* tags). Both tags point to the same set of commits in this release cycle.
Provenance
RESEARCH_FAILED: provenance researcher could not complete.
Reason: Prompt error: CompletionError: ProviderError: {"error":{"message":"{\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"max_tokens: 65536 > 64000, which is the maximum allowed number of output tokens for claude-haiku-4-5-20251001\"},\"request_id\":\"req_011CbPRSnbiLbe7GVbZ2vU3E\"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=['claude-haiku-4-5-fallback']\nError doing the fallback: {\"type\":\"error\",\"error\":{\"type\":\"authentication_error\",\"message\":\"x-api-key header is required\"},\"request_id\":\"req_011CbPRSwwnxXKLxT1pv6ZCT\"}"
The categorizer must treat this as an unverified signal and downgrade the verdict accordingly (do not assume safety).
This PR contains the following updates:
2.2.11 → 2.2.12
Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.