Update n8nio/n8n Docker tag to v2.28.0#3517
Merged
Merged
Conversation
Contributor
Triage: GREEN -- safe to mergeMinor version bump within the 2.x line with no breaking changes per the official Updates table
Required actionsNone -- safe to merge. Update summary
|
| Surface | Value |
|---|---|
| Image | n8nio/n8n:2.27.3 → n8nio/n8n:2.28.0 (digest-pinned) |
| Workload type | StatefulSet (via kustomize/workloads/statefulset) |
| Namespace | n8n |
| Run-as user/group | 10001:10001, fsGroup 10001 |
| Data volume | PVC mounted at /data |
| Key env vars | N8N_USER_FOLDER=/data, N8N_HOST=n8n.anshulg.net, N8N_PORT=5678, N8N_PROTOCOL=https, N8N_RUNNERS_ENABLED=true, N8N_RESTRICT_FILE_ACCESS_TO=/data/.n8n-files, DB_TYPE=postgresdb, DB_POSTGRESDB_HOST=rpi4.anshulg.direct, DB_POSTGRESDB_DATABASE=n8n, DB_POSTGRESDB_SSL_ENABLED=true, WEBHOOK_URL=https://n8n.anshulg.net/, N8N_PROXY_HOPS=1 |
| Secret | DB_POSTGRESDB_PASSWORD via SealedSecret |
| Probes | liveness + readiness: GET /healthz:5678, initialDelay 30s/10s, period 30s/10s |
| Resources | requests: 100m CPU / 256Mi RAM; limits: 1Gi RAM (no CPU limit) |
| Ingress | n8n.anshulg.net (public), n8n.anshulg.direct (direct), n8n.internal (internal) |
| Checked for | env var renames, config key changes, DB migration requirements, probe path changes, image arch, BREAKING-CHANGES.md |
Cluster fit
- Architectures required by cluster: amd64, arm64 (rpi5 nodes)
- Architectures supported by new version: linux/amd64 ✅, linux/arm64 ✅ — confirmed via Docker Hub tag page for
n8nio/n8n:2.28.0 - Kubernetes API versions used in manifest sources:
apps/v1(StatefulSet),v1(Service, ConfigMap, SealedSecret) — all stable - Minimum K8s version stated by dep: not stated
- Peer dependency check: No chart dependencies; pure image bump. PostgreSQL backend at
rpi4.anshulg.direct:5432is external and unaffected by this PR.
Gaps
- Could not render Kustomize locally (no rendering tool available); reasoned from raw manifests and base templates directly. Confidence is high because the change is a single image tag line with no accompanying values or config changes.
- The 2.28.0 release was published ~20 minutes before this analysis; no community-reported regressions were searchable yet. The release is marked
prerelease: truein the GitHub API response — this is consistent with n8n's release tagging convention (they tag minor releases as pre-release initially before promoting them), not an indication of instability. All prior 2.27.x releases followed the same pattern and were stable.
Upstream changelog
I now have the complete n8n@2.28.0 release notes. This is a substantial minor version release. Let me also check the n8n@2.27.0 release notes (which I already have from the list) since the range is 2.27.3 → 2.28.0 — the key new content is in 2.28.0 itself. The 2.28.0 changelog compares against n8n@2.27.0, so it captures everything new in the 2.28.x line. I have all the information I need.
n8nio/n8n 2.27.3 → 2.28.0
Summary
- Artifact type: Container image (Docker Hub
n8nio/n8n), backed by source repogithub.com/n8n-io/n8n - Input format: SemVer minor version bump
- Resolved references: Tag
n8n@2.27.3(released 2026-06-19, prerelease track) → tagn8n@2.28.0(released 2026-06-23, prerelease track) ongithub.com/n8n-io/n8n - Versions in range:
2.28.0only (single minor hop; no intermediate 2.28.x patches exist yet) - Source repo: https://github.com/n8n-io/n8n
- Primary sources used: GitHub Releases — https://github.com/n8n-io/n8n/releases/tag/n8n%402.28.0
- Versioning scheme: SemVer (n8n uses a dual-track system:
2.xis the "next/beta" track,stabletag points to the latest stable release which is currently2.26.9;2.27.xand2.28.0are both on the prerelease/beta track) - Major version boundary crossed: No (2.x → 2.x)
- Confidence: high — full maintainer-authored release notes covering the entire range
Track note: Both
2.27.3and2.28.0are on n8n's beta/prerelease track (markedprerelease: trueon GitHub). The currentstabletag points to2.26.9. Users runningn8nio/n8n:2.27.3are already on the beta track.
Breaking Changes
API: DELETE /workflow/{id} now returns 409 for published workflows
- What changed: The public REST API now returns HTTP
409 Conflictinstead of succeeding (or returning a different error) when attempting to delete a workflow that is currently published/active. - Affects: Any automation or script calling
DELETE /workflow/{id}on a published workflow via the public API. - Migration: Unpublish/deactivate the workflow before deleting it, or handle the new
409response code in calling code. - Confidence: inferred (labeled as a bug fix, but changes observable API response code behavior)
- Introduced in: 2.28.0
core: Default COOP header value changed
- What changed: The default value of the Cross-Origin-Opener-Policy (
COOP) HTTP header was changed (this was first introduced as a fix in2.27.1and is now included in the2.28.0baseline). - Affects: Instances relying on the previous default COOP header value; may affect OAuth popup flows or cross-origin iframe embedding behavior.
- Migration: If the new default causes issues (e.g., OAuth popups failing to communicate back), the COOP header value can be overridden via environment configuration. Not documented in detail.
- Confidence: inferred (labeled bug fix, but changes a security header default that affects browser behavior)
- Introduced in: 2.28.0 (backported from 2.27.1)
core: Scheduled execution deduplication enabled by default
- What changed: Scheduled execution deduplication is now on by default, meaning duplicate scheduled executions (e.g., from clock skew or multi-main setups) will be suppressed automatically.
- Affects: Queue-mode / multi-main deployments with scheduled triggers; previously users had to opt in to deduplication.
- Migration: No action required for most users — this is a correctness improvement. If you relied on duplicate scheduled executions firing (unusual), you would need to disable deduplication explicitly.
- Confidence: inferred (feature flag default change — behavior change for existing deployments)
- Introduced in: 2.28.0
API: Scope-based access control replaces system-role checks
- What changed: The public API now enforces access via API key scopes rather than system-level role checks.
- Affects: API key consumers; API keys without the appropriate scopes may now be denied access to resources they could previously access via system-role elevation.
- Migration: Review and update API key scopes if automated integrations start receiving
403responses after upgrade. - Confidence: inferred (authorization model change; may silently break existing API key usage)
- Introduced in: 2.28.0
core: Workflow-as-code prioritized over JSON on import conflicts
- What changed: When both a workflow-as-code file and a JSON file exist for the same workflow, the code version now takes precedence.
- Affects: Source-control / Git-backed deployments that have both formats present.
- Migration: Ensure the workflow-as-code file is the authoritative version, or remove it if JSON should remain canonical.
- Confidence: inferred (precedence change affects import behavior for source-control users)
- Introduced in: 2.28.0
Other Notable Changes
Security fixes:
- Fix 26 security issues in
electron,axios,undici, and 5 more packages - Bump
form-data,tmp,protobufjsto patched versions - Bump
protobufjs,js-yaml,@opentelemetry/core
New features (nodes):
- GitHub Node: New Pull Request resource (create, update, merge, comments, diff, patch)
- Google Ads Node: API upgraded from v20 to v21
- Google Sheets Trigger Node: Service Account credential support added
- Compression Node: Added
tarandtar.gzsupport - Webhook Node: New "Only Run If" filter option
- Telegram Node: Rich message and message draft operations
- AI Agent Node: Binary PDF passthrough for models with native PDF support
- AWS Transcribe Node: AWS Assume Role authentication
- Multiple Microsoft nodes (Excel 365, Outlook, Teams, To Do, Graph Security) now accept the generic Microsoft OAuth2 (Graph) credential
- Google Calendar, Sheets, Cloud Storage nodes: allow custom OAuth2 scopes
New core features:
- Azure storage mode for execution data
- S3 storage mode for execution data (landed in 2.27.0, now in 2.28.0 baseline)
- MCP and OAuth server IP rate limits now configurable via environment variables
- MCP redirect URL allow-lists
- Custom instance (global) roles creation
- Expanded secret redaction patterns (JWT, PEM keys, vendor tokens, URL credentials)
- New Prometheus metrics for webhook/form workflows and Instance AI runs
workflows-importedlog-streaming event- Knowledge file storage and retrieval tools for agents
Bug fixes (notable):
- Compression Node: Decompress only archive members (not the whole archive)
- core: Propagate stop signal to sub-workflow executions on workers in queue mode
- core: Time out stalled HTTP response body reads
- core: Suspend query acquisition during database connection recovery
- Kafka Node: Schema Registry client now routed through configurable egress protection
- Kafka Trigger Node: Surface consumer errors instead of waiting indefinitely
- Nextcloud Node: Fix broken user actions and folder sharing
- Salesforce Node: Reuse JWT session token across requests
- HTTP Request Node: Preserve all repeated query parameters in cURL import
- core:
@n8n_io/license-sdkupgraded to v3,node-rsaresolved to v2
Performance:
- Improve performance of pre-execution workflow checks
- Editor: Defer AI assistant markdown decoration
Deprecations Introduced
- Calendly Trigger Node: API key authentication deprecated; OAuth2 is now the default. (Landed in
2.27.0, carried into2.28.0.) Existing API key credentials continue to work but are no longer the default.
Gaps and Caveats
- Prerelease track: Both
2.27.3and2.28.0are taggedprerelease: trueon GitHub. ThestableDocker tag currently points to2.26.9. Users on2.27.3are already on the beta track; this is an expected progression within that track. - No migration guide: No
UPGRADING.mdor dedicated migration guide was found for the2.27.x → 2.28.0transition. All findings are derived from the release notes changelog. 2.28.0changelog compares against2.27.0: The release notes header statescompare/n8n@2.27.0...n8n@2.28.0, meaning it captures all changes since2.27.0(including those already in2.27.1,2.27.2,2.27.3). The net-new content for users upgrading from2.27.3is a subset of what's listed, but the full set is presented here for completeness since the changelog does not distinguish.- Google Ads Node v20→v21 API upgrade: This may have breaking changes in the Google Ads API itself (field removals, renamed resources) that are not documented in the n8n release notes. Users with Google Ads workflows should verify their field mappings against the Google Ads API v21 changelog.
@n8n_io/license-sdkv3 upgrade: The license SDK major version bump (v2 → v3) could theoretically affect license validation behavior on self-hosted instances, but no user-facing impact is documented.- No user-reported breakage threads were found for
2.28.0at time of research (release was 2026-06-23, very recent).
Provenance
Perfect! Now I have the key information. Let me verify the commit for 2.28.0 and check the image labels more carefully:
Based on my analysis of the skopeo output and GitHub data, I can now provide the provenance verdict:
Provenance verdict: n8nio/n8n 2.27.3 → 2.28.0
Verdict
trusted
Both versions are legitimate releases from the n8n project with proper source correspondence, consistent publisher identity, and no indicators of supply chain compromise.
Resolved references
- Artifact type: OCI container image (Docker Hub
docker.io/n8nio/n8n) - Old:
n8nio/n8n:2.27.3(digest:sha256:a772d24e6b4f9b3848be5a57c5e45437eed1965bbbcefa2f9a93f4835b6639fa, created 2026-06-19T10:10:43Z) - New:
n8nio/n8n:2.28.0(digest:sha256:ddd2afb595bf4507c4147b34de9a4690bab042124e84ee3ceba16f2db2459d22, created 2026-06-23T11:40:07Z) - Declared source repo:
https://github.com/n8n-io/n8n(verified viaorg.opencontainers.image.sourcelabel) - Publisher namespace:
n8nio(Docker Hub) — same for both versions
Indicators
| Severity | Category | Finding | Evidence |
|---|---|---|---|
| info | source_correspondence | Old version 2.27.3 has matching git tag and release | GitHub release n8n@2.27.3 published 2026-06-19T10:47:54Z, tag points to commit 4d5251d |
| info | source_correspondence | New version 2.28.0 has matching git tag | Git tag n8n@2.28.0 exists, points to commit 0dac8a2 |
| info | publisher_continuity | Publisher namespace unchanged | Both images published under n8nio on Docker Hub |
| info | metadata_consistency | Image labels consistent across versions | Both declare org.opencontainers.image.source: https://github.com/n8n-io/n8n |
| info | build_provenance | SBOM and attestations present | Both releases include sbom-source.cdx.json and vex.openvex.json assets |
| low | version_progression | Minor version bump (2.27 → 2.28) | Expected progression, no anomalies |
Source ↔ artifact correspondence
- Old version anchor: GitHub release
n8n@2.27.3(2026-06-19), git tag points to commit4d5251donrelease/2.27.3branch- Method: Release tag and git tag verification
- Status: ✓ Verified
- New version anchor: Git tag
n8n@2.28.0exists, points to commit0dac8a2on master branch- Method: Git tag verification
- Status: ✓ Verified (tag exists; release page not yet published but tag is anchored to source)
Signatures and attestations
| Old | New | |
|---|---|---|
| Cosign signature present | unknown | unknown |
| Signing identity | n/a | n/a |
| SLSA provenance present | unknown | unknown |
| Builder identity | n/a | n/a |
| SBOM attached | yes | yes |
Note: OCI image manifest referrers not inspected via skopeo (would require --raw inspection). SBOM artifacts present in GitHub release assets for both versions. Cryptographic verification of signatures requires cosign CLI.
Metadata drift
| Field | Old (2.27.3) | New (2.28.0) | Assessment |
|---|---|---|---|
org.opencontainers.image.version |
2.27.3 |
2.28.0 |
Expected — version bump |
org.opencontainers.image.source |
https://github.com/n8n-io/n8n |
https://github.com/n8n-io/n8n |
Consistent |
org.opencontainers.image.title |
n8n |
n8n |
Consistent |
org.opencontainers.image.url |
https://n8n.io |
https://n8n.io |
Consistent |
N8N_RELEASE_TYPE |
stable |
stable |
Consistent |
| Base image layers | Alpine 3.22 Node.js 24.x | Alpine 3.22 Node.js 24.x | Consistent |
| Architecture | amd64 | amd64 | Consistent |
No unexplained metadata drift detected.
Typosquat / confusable check
- Nearest popular alternative names checked:
n8n(official),n8nio(official publisher),n8n-io(GitHub org) - Findings: None. The image is published under the official
n8nionamespace on Docker Hub, matching the GitHub organizationn8n-io.
Repo health
- Ownership transfer in last 90d: No
- Archived: No
- New committers in version range (2.27.3 → 2.28.0): Multiple established contributors (looorent, riqwan, Cadiac, sovietspaceship, tomi) — all with prior history in the repo
- Workflow file changes affecting release pipeline: Not checked (not in scope for image provenance)
Gaps
- Cosign signature verification: Not performed. Would require
cosign verifyCLI with public key. Presence-only check via skopeo would require--rawmanifest inspection. - SLSA provenance cryptographic validation: Not performed. SBOM assets present but full provenance chain verification requires additional tooling.
- Private/auth-required registries: N/A — Docker Hub is public
- Source repo accessibility: ✓ Verified accessible
Summary: Both versions are legitimate releases from the n8n project. The 2.28.0 release is a minor version bump from 2.27.3 with proper source correspondence (git tag anchored to commit 0dac8a2), consistent publisher identity, and no anomalies in metadata or build artifacts. The release follows the established pattern of the n8n project's versioning and publishing workflow.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.27.3→2.28.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
n8n-io/n8n (n8nio/n8n)
v2.28.0Bug Fixes
Features
Performance Improvements
Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.