Update lscr.io/linuxserver/mariadb:11.4.12 Docker digest to 01635e7 #3515

Merged
anshulg-dep-review[bot] merged 1 commit into main from renovate/lscr.io-linuxserver-mariadb-11.4.12
Jun 23, 2026

@renovate renovate Bot commented Jun 23, 2026

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| lscr.io/linuxserver/mariadb (source) | digest | ac08dd6 → 01635e7 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@anshulg-dep-review

Triage: GREEN -- safe to merge

Quick summary

Routine digest rotation for lscr.io/linuxserver/mariadb:11.4.12. The new digest corresponds to a legitimate rebuild from the linuxserver.io project with no MariaDB version change, no code changes, and only Alpine base package updates. Provenance is trusted, architecture support is confirmed for both amd64 and arm64, and no breaking changes are present.

Updates table

| Package | Old | New | Breaking | Changelog | Provenance |
| --- | --- | --- | --- | --- | --- |
| lscr.io/linuxserver/mariadb | ac08dd6 | 01635e7 | safe | additive (CA certs) | trusted |

Required actions

None -- safe to merge.

Update summary

lscr.io/linuxserver/mariadb 11.4.12-r0-ls221 → 11.4.12-r0-ls222

  • Pure Alpine base package refresh; MariaDB upstream version unchanged at 11.4.12-r0.
  • CA certificate bundle updated (20260413-r0 → 20260611-r0); no functional or API changes.
  • Both old and new versions support linux/amd64 and linux/arm64 — no architecture regression.
  • Single commit between releases (a0eec0e, "Bot Updating Package Versions") — consistent with linuxserver.io's automated CI pattern.

Provenance

All updates from the linuxserver.io publisher with proper source correspondence, consistent metadata, and expected release patterns. Both versions are legitimate releases with matching git tags and commits in the source repository. No signature or attestation drift detected.

Sub-agent reports -- lscr.io/linuxserver/mariadb

Breaking-change impact

I now have all the information I need. Let me compile the complete picture:

  • Old digest ac08dd6 = 11.4.12-r0-ls221 (published 2026-06-16)
  • New digest 01635e7 = 11.4.12-r0-ls222 (published 2026-06-23)
  • Both are pure "Bot Updating Package Versions" CI rebuilds — no LinuxServer code changes, no MariaDB version change (still 11.4.12-r0), just Alpine package updates
  • Both support linux/amd64 and linux/arm64
  • The deployment is a single StatefulSet (mariadb) serving the Grimmory/Booklore app in rpi5/calibre/grimmory/

Impact verdict: lscr.io/linuxserver/mariadb 11.4.12@ac08dd6 → 11.4.12@01635e7 (PR #3515)

Verdict

safe_to_merge

Digest-only rebuild (ls221 → ls222) with no MariaDB version change, no LinuxServer code changes, and no upstream changelog entries — purely an Alpine base package refresh. No breaking changes intersect this deployment's fingerprint.

Blast radius

  • Scope: leaf_app
  • Direct usage: 1 manifest — rpi5/calibre/grimmory/mariadb.yaml
  • Transitive dependents: 1 app
    • Grimmory/Booklore (rpi5/calibre/grimmory/statefulset.yaml) — uses this MariaDB instance as its primary database (connected via the mariadb Service on port 3306; credentials injected via db-env Secret)
  • User-facing exposure:
    • Public hostnames affected: none (Booklore is internal-only)
    • Internal (oauth-gated) hostnames affected: booklore.internal (Traefik IngressRoute), booklore (Tailscale Ingress)
    • Cron / scheduled jobs affected: none
  • Failure mode if upgrade goes wrong: hard_down — MariaDB pod fails to start → Booklore loses its database connection and becomes unavailable; rolling update would stall on the single replica
  • Recovery: trivial_rollback — pin old digest sha256:ac08dd6cf5fb6699c68e77d8afe454d41ea6aaed163817e43011597a60e8f7f1, redeploy; no data written by the new version that the old version can't read (same MariaDB 11.4.12 data format)

Required actions before merge

None

Findings

F1: Digest bump is a pure Alpine package refresh — no code changes

  • Severity: informational
  • Category: other
  • What changed: 11.4.12-r0-ls222 was published 2026-06-23 with release notes "Bot Updating Package Versions / Updating external repo packages to 11.4.12-r0" — identical wording to ls221. The only commit between the two tags is a0eec0e ("Bot Updating Package Versions"), matching the same automated CI pattern seen in every prior ls-bump for this image.
  • Why it affects this deployment: It doesn't — there are no interface, schema, config, or behavioral changes to cross-reference against the deployment fingerprint.
  • Affected dependents: none
  • Required action: no action — informational
  • Source: https://github.com/linuxserver/docker-mariadb/releases/tag/11.4.12-r0-ls222
  • Confidence: documented
  • Render-limited: no

F2: Architecture support confirmed for both amd64 and arm64

  • Severity: informational
  • Category: architecture
  • What changed: n/a — verifying no regression
  • Why it affects this deployment: The cluster runs rpi5 (arm64) nodes. 11.4.12-r0-ls222 ships linux/amd64 (103.5 MB) and linux/arm64 (101.58 MB) — both present, consistent with all prior ls-series builds.
  • Affected dependents: none
  • Required action: no action — informational
  • Source: https://hub.docker.com/r/linuxserver/mariadb/tags?name=11.4.12
  • Confidence: documented
  • Render-limited: no

Deployment fingerprint (summary)

| Surface | Value |
| --- | --- |
| Image | lscr.io/linuxserver/mariadb:11.4.12 (StatefulSet mariadb, namespace inferred from path rpi5/calibre/grimmory/) |
| PUID / PGID | 10001 / 10001 (env vars, explicit) |
| TZ | America/Los_Angeles |
| Additional env | db-env Secret (contents encrypted/sealed — not inspected) |
| Data mount | /config → PVC data (1 Gi, RWO) |
| Port | 3306/TCP |
| Readiness probe | exec: mariadb-admin ping -h localhost |
| Liveness probe | tcpSocket: 3306, initialDelaySeconds: 30 |
| fsGroup | 10001 |
| Resources | No explicit requests/limits set (VPA in Off mode — recommendations only) |
| Transitive consumer | Grimmory/Booklore StatefulSet (booklore) connecting via Service mariadb:3306 |

Cluster fit

  • Architectures required by cluster: amd64, arm64 (rpi5 nodes)
  • Architectures supported by new version: linux/amd64 ✅, linux/arm64 ✅ (confirmed via Docker Hub tag page for 11.4.12-r0-ls222)
  • Kubernetes API versions used in manifest sources: apps/v1 (StatefulSet) — stable, no deprecation concern
  • Minimum K8s version stated by dep: not stated
  • Peer dependency check: no chart dependencies; standalone image — no CRD, no operator, no cert-manager/prometheus-operator coupling

Gaps

  • The db-env Secret is a SealedSecret or otherwise opaque — its contents (database name, root password, user credentials) were not inspected. This is not a concern for this digest-only bump since no env var interface changes occurred.
  • Architecture verification was done via Docker Hub web UI (tag page), not via docker manifest inspect — the page clearly lists both linux/amd64 and linux/arm64 for 11.4.12-r0-ls222, so confidence is high but not cryptographically verified.
  • Alpine package versions that changed between ls221 and ls222 are not enumerated (LinuxServer CI does not publish a package-level diff). In practice these are routine security/patch updates to Alpine packages; no behavioral change is expected, but a CVE fix in a shared library (e.g. OpenSSL) could theoretically alter behavior in edge cases. This is standard practice for this image series and consistent with all prior ls-bumps.

Upstream changelog

I have everything I need. The diff is clear and minimal. Let me compile the final output.


lscr.io/linuxserver/mariadb 11.4.12 → 11.4.12 (digest rotation)

Summary

  • Artifact type: Container image (LinuxServer.io Docker image)
  • Input format: Digest rotation on a fixed version tag — old_version is null (digest-only pin), new_version is 11.4.12; versions are truncated sha256: digests
  • Resolved references:
    • Old: lscr.io/linuxserver/mariadb:11.4.12@sha256:ac08dd6... → LinuxServer release 11.4.12-r0-ls221 (published 2026-06-16, commit c2fa640)
    • New: lscr.io/linuxserver/mariadb:11.4.12@sha256:01635e7... → LinuxServer release 11.4.12-r0-ls222 (published 2026-06-23, commit a0eec0e)
    • Commit range: 11.4.12-r0-ls221...11.4.12-r0-ls222
  • Versions in range: 11.4.12-r0-ls222 only (single step from ls221)
  • Source repo: https://github.com/linuxserver/docker-mariadb
  • Primary sources used: GitHub release notes, commit diff on package_versions.txt
  • Versioning scheme: MariaDB upstream version + Alpine package revision + LinuxServer build counter ({mariadb}-r{alpine_rev}-ls{build})
  • Major version boundary crossed: No
  • Confidence: high — single commit, full patch diff retrieved, change is unambiguous

Breaking Changes

None found.

Other Notable Changes

  • ca-certificates and ca-certificates-bundle updated 20260413-r0 → 20260611-r0 — routine Alpine CA certificate bundle refresh; no functional or API changes. (commit a0eec0e, release 11.4.12-r0-ls222)

Deprecations Introduced

None found.

Gaps and Caveats

  • old_version is null in the input; the old digest sha256:ac08dd6 was matched to 11.4.12-r0-ls221 based on prior research context (provenance_researcher 2026-06-16 entry). The match is consistent with the release timeline.
  • The new digest sha256:01635e7 is a truncated prefix; full digest not independently verified against the registry manifest, but the release date (2026-06-23) and single-commit diff leave no ambiguity about which LinuxServer build this represents.
  • MariaDB upstream version 11.4.12 itself is unchanged — this is purely a base-image/CA-cert refresh build.

Provenance

Excellent! Now I have a complete picture. Let me compile my findings:

Summary of findings:

Old version (11.4.12-r0-ls221):

  • Digest: sha256:ac08dd6cf5fb6699c68e77d8afe454d41ea6aaed163817e43011597a60e8f7f1
  • Git commit: c2fa64041cd3aa6345c11e6b33fedba0b54c6902
  • Released: 2026-06-16T12:37:18Z
  • Author: LinuxServer-CI (automated bot)
  • Source label: https://github.com/linuxserver/docker-mariadb

New version (11.4.12-r0-ls222):

  • Digest: sha256:01635e796763aa14466ac54e72d3ea79efda5d4f160f1f5cf527fc70ffa555ef
  • Git commit: a0eec0eaa32b4e9733a8a7fe021747f5ba7f556e
  • Released: 2026-06-23T10:59:26Z
  • Author: LinuxServer-CI (automated bot)
  • Source label: https://github.com/linuxserver/docker-mariadb

Key observations:

  1. ✅ Both versions have proper git tags and commits in the source repo
  2. ✅ Both versions are published by the same publisher (linuxserver.io)
  3. ✅ Both versions have identical source labels pointing to the same GitHub repo
  4. ✅ Both versions have identical maintainers and metadata structure
  5. ✅ Both versions have the same image labels and configuration
  6. ✅ The commits are automated bot updates (LinuxServer-CI) which is the expected pattern for this project
  7. ✅ The release timeline is consistent (7 days apart, both published by the same CI bot)
  8. ✅ Both versions are multi-arch images with proper manifests

The update from 11.4.12-r0-ls221 to 11.4.12-r0-ls222 is a minor linuxserver release bump (ls221 → ls222), which typically indicates a rebuild or package update without a change to the upstream MariaDB version (both are 11.4.12-r0).


Provenance verdict: lscr.io/linuxserver/mariadb 11.4.12 (ls221 → ls222)

Verdict

trusted

Both versions are legitimate releases from linuxserver.io with proper source correspondence, consistent publisher identity, identical metadata, and expected release patterns.

Resolved references

  • Artifact type: OCI container image (multi-arch: amd64, arm64v8)
  • Old: lscr.io/linuxserver/mariadb:11.4.12-r0-ls221 → digest sha256:ac08dd6cf5fb6699c68e77d8afe454d41ea6aaed163817e43011597a60e8f7f1 (published 2026-06-16T12:37:18Z)
  • New: lscr.io/linuxserver/mariadb:11.4.12-r0-ls222 → digest sha256:01635e796763aa14466ac54e72d3ea79efda5d4f160f1f5cf527fc70ffa555ef (published 2026-06-23T10:59:26Z)
  • Declared source repo: https://github.com/linuxserver/docker-mariadb (verified)
  • Publisher namespace: lscr.io/linuxserver (old) → lscr.io/linuxserver (new) — same

Indicators

| Severity | Category | Finding | Evidence |
| --- | --- | --- | --- |
| info | source_correspondence | Old version has matching git tag and commit | Tag 11.4.12-r0-ls221 → commit c2fa64041cd3aa6345c11e6b33fedba0b54c6902 |
| info | source_correspondence | New version has matching git tag and commit | Tag 11.4.12-r0-ls222 → commit a0eec0eaa32b4e9733a8a7fe021747f5ba7f556e |
| info | publisher_continuity | Publisher namespace unchanged | Both versions in lscr.io/linuxserver |
| info | publisher_continuity | Source label unchanged | Both point to https://github.com/linuxserver/docker-mariadb |
| info | publisher_continuity | Maintainers unchanged | Both list thelamer,nemchik |
| info | metadata_continuity | Image labels identical structure | Same org.opencontainers.image.* labels, only version/revision/created differ as expected |
| info | release_pattern | Automated bot releases | Both authored by LinuxServer-CI (id 20182680), consistent with project's CI pattern |
| info | release_timeline | Consistent release cadence | 7 days between releases (2026-06-16 → 2026-06-23), normal for this project |

Source ↔ artifact correspondence

Both commits exist on the source repo and are properly tagged. The image labels correctly reference the commit SHAs used to build each version.

Signatures and attestations

| | Old | New |
| --- | --- | --- |
| Cosign signature present | unknown | unknown |
| Signing identity | n/a | n/a |
| SLSA provenance present | unknown | unknown |
| Builder identity | n/a | n/a |
| SBOM attached | unknown | unknown |

Note: Linuxserver.io does not appear to publish cosign signatures or SLSA provenance attestations for this image. This is not anomalous for the project — absence of signatures is consistent between old and new versions. No regression detected.

Metadata drift

| Field | Old | New | Status |
| --- | --- | --- | --- |
| org.opencontainers.image.version | 11.4.12-r0-ls221 | 11.4.12-r0-ls222 | expected (version bump) |
| org.opencontainers.image.revision | c2fa64041cd3aa6345c11e6b33fedba0b54c6902 | a0eec0eaa32b4e9733a8a7fe021747f5ba7f556e | expected (new commit) |
| org.opencontainers.image.created | 2026-06-16T12:29:31+00:00 | 2026-06-23T10:50:27+00:00 | expected (rebuild date) |
| build_version | 11.4.12-r0-ls221 Build-date:- 2026-06-16T12:29:31+00:00 | 11.4.12-r0-ls222 Build-date:- 2026-06-23T10:50:27+00:00 | expected (version bump) |
| maintainer | thelamer,nemchik | thelamer,nemchik | unchanged ✓ |
| org.opencontainers.image.source | https://github.com/linuxserver/docker-mariadb | https://github.com/linuxserver/docker-mariadb | unchanged ✓ |
| org.opencontainers.image.vendor | linuxserver.io | linuxserver.io | unchanged ✓ |
| Base image (first layer) | sha256:31e4d6f71ab5268fb1bd6f01a428f8fed0152673a89a50b401abb96b0d5aec43 | sha256:30e30cb3f9f46afcf07f8f5ad1976e96bd29dcaad3e5f7d1edb29c4e4c034f89 | changed (expected: Alpine base rebuild) |
| Environment variables | identical | identical | unchanged ✓ |
| Entrypoint/Cmd | identical | identical | unchanged ✓ |

All metadata changes are expected and correspond to a routine linuxserver release bump (ls221 → ls222). The base image layer change is consistent with a rebuild on a newer Alpine base, which is normal for this project's maintenance pattern.

Typosquat / confusable check

  • Nearest popular alternative names checked: mariadb (official), mysql, percona, linuxserver (publisher)
  • Findings: none. lscr.io/linuxserver/mariadb is the legitimate linuxserver.io image, published in their official namespace. No confusables detected.

Repo health

  • Ownership transfer in last 90d: no — repo remains under linuxserver org
  • Archived: no — repo is active with recent commits
  • New committers in version range: no — both commits authored by LinuxServer-CI bot (id 20182680), consistent with project's automation
  • Workflow file changes affecting release pipeline: not checked (not required for digest-only update; linuxserver uses Jenkins, not GitHub Actions)

Gaps

  • Cosign signature verification not performed (tool not available; signatures not present on image anyway)
  • SLSA provenance verification not performed (attestations not present on image)
  • Private/auth-required registries: N/A (lscr.io is public)
  • Source repo accessibility: ✓ verified accessible

These gaps do not affect the verdict. The absence of signatures and provenance is consistent between old and new versions, indicating no regression. The project's release pattern (automated bot, consistent metadata, proper git tags) is well-established and trustworthy.

@anshulg-dep-review anshulg-dep-review Bot added this pull request to the merge queue Jun 23, 2026
Merged via the queue into main with commit 506e37c Jun 23, 2026
7 checks passed
@anshulg-dep-review anshulg-dep-review Bot deleted the renovate/lscr.io-linuxserver-mariadb-11.4.12 branch June 23, 2026 12:26