Triage: YELLOW -- possible breakage, reviewer requested
Quick summary
Patch-level Helm chart bump (18.6.9 → 18.6.10) within the Bitnami PostgreSQL 18.6.x series. Both versions share identical app version (18.4.0), dependencies, and no published changelog. The chart digest changed, indicating a rebuild (likely BSI container image reference update), but the exact changes cannot be verified. Provenance research failed due to token limits and must be manually verified before merge.
Updates table
| Package | Old | New | Breaking | Changelog | Provenance |
| --- | --- | --- | --- | --- | --- |
| postgresql | 18.6.9 | 18.6.10 | skipped (user focus) | no changelog | failed |
Required actions
postgresql -- provenance research failed (token limit exceeded). Manually verify the chart source and digest before merge. Check the Bitnami charts repository and Artifact Hub for any unexpected changes between 18.6.9 and 18.6.10.
postgresql -- no changelog published for either version. Review the chart archive diff (compare Chart.yaml and values.yaml between the two versions) to confirm the change is limited to BSI container image digest rotation, as expected for a routine patch bump.
Update summary
postgresql 18.6.9 → 18.6.10
Patch-level bump within the 18.6.x series; app version remains 18.4.0.
Both versions share identical chart dependencies (common 2.40.0) and no security updates flagged.
Chart archive digest rotated (3561176e... → d8ed2935...), indicating a rebuild — most likely a BSI container image reference update.
No changelog published by Bitnami for the 18.x BSI series; exact changes unverifiable without manual diff.
Both versions are cosign-signed with clean security reports (0 CVEs).
Provenance
Provenance research failed due to token limits and could not complete. The chart is from the expected Bitnami publisher (Artifact Hub), and both versions are cosign-signed, but the full provenance assessment (source correspondence, publisher continuity, metadata drift) could not be verified. Manual verification is required before merge.
Sub-agent reports — postgresql
Breaking-change impact
RESEARCH_SKIPPED: the breaking researcher was not run for this update because the user's focus targeted only specific researchers. Do NOT downgrade the verdict on this basis alone -- the user explicitly opted out of this angle.
Upstream changelog
I now have all the data needed. The Artifact Hub API confirms both versions exist and provides the key metadata. Let me compile the structured output.
Key findings from the API:
18.6.9: app_version: "18.4.0", contains_security_updates: false, published ~2026-05-30 (ts: 1780109246), dependency: common 2.40.0
18.6.10: app_version: "18.4.0", contains_security_updates: false, published ~2026-05-30 (ts: 1780162112), dependency: common 2.40.0
Both have has_changelog: false
Both have identical data.dependencies: common 2.40.0
The chart digest changed: 3561176e... → d8ed2935...
Both are signed with cosign
The two versions were published within ~53,000 seconds (~14.7 hours) of each other on the same day. The app_version, dependency versions, and all metadata are identical. This is a routine dependency reference update (BSI image digest rotation) with no changelog published.
Versions in range: 18.6.10 only (single-step patch bump, no intermediate versions)
Source repo: The Bitnami charts repository (BSI chart; note: the public Bitnami charts GitHub repo hosts the legacy 16.x series; the 18.x BSI series is published directly to OCI without a public GitHub-tracked CHANGELOG)
Primary sources used: Artifact Hub API and Artifact Hub package page
Major version boundary crossed: No (18.6.9 → 18.6.10, patch bump within 18.6.x)
Confidence: low — has_changelog: false for both versions on Artifact Hub; no public CHANGELOG for the 18.x BSI series; change content inferred from identical metadata fields
Breaking Changes
None found.
Both versions share identical app_version (18.4.0), identical chart dependency (common 2.40.0), and contains_security_updates: false. The chart digest changed, indicating a rebuild, but no structural chart changes are documented. This is consistent with the established BSI pattern of routine dependency reference / BSI image digest rotation updates.
Other Notable Changes
Chart archive digest rotated: 3561176e... → d8ed2935... — indicates a chart rebuild, most likely a BSI container image reference update (new image digest for bitnami/postgresql:18.4.0 or sidecar images). No image tag or appVersion change. (Artifact Hub)
Both versions are cosign-signed and carry a clean security report (0 CVEs at all severity levels).
Deprecations Introduced
None found.
Gaps and Caveats
No changelog published: has_changelog: false confirmed by Artifact Hub API for both 18.6.9 and 18.6.10. The Bitnami 18.x BSI chart series does not publish a CHANGELOG to Artifact Hub or to the public Bitnami charts repository (which only tracks the legacy 16.x series).
Exact image digest change unverifiable: The specific BSI container image digest(s) that changed between the two chart versions cannot be confirmed without pulling the chart archives and diffing Chart.yaml annotations. The pattern across all prior 18.6.x bumps (per prior research) is consistent with image digest rotation only.
contains_security_updates: false is self-reported by the publisher; it indicates no CVE-driven security patch in this release per Bitnami's own classification.
No migration guide exists or is expected for a patch-level BSI chart bump of this type.
Provenance
RESEARCH_FAILED: provenance researcher could not complete.
Reason: Prompt error: CompletionError: ProviderError: {"error":{"message":"{\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"prompt is too long: 201901 tokens > 200000 maximum\"},\"request_id\":\"req_011CbZD7KasYavLXMCBjPXG1\"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=['claude-haiku-4-5-fallback']\nError doing the fallback: {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"prompt is too long: 201739 tokens > 200000 maximum\"},\"request_id\":\"req_011CbZD7MzV9Jczpb5fAiAKD\"}
The categorizer must treat this as an unverified signal and downgrade the verdict accordingly (do not assume safety).
This PR contains the following updates:
18.6.9 → 18.6.10
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.