Update Helm release semaphore to v16.1.2 #2102

Merged: claytono merged 2 commits into main from renovate/semaphore-16.x, May 4, 2026

@renovate renovate Bot commented Apr 27, 2026

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| semaphore (source) | minor | 16.0.11 → 16.1.2 |

Release Notes

semaphoreui/charts (semaphore)

v16.1.2

Compare Source

Modern UI and powerful API for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 2am and before 8am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the renovate label Apr 27, 2026
@renovate renovate Bot requested a review from claytono as a code owner April 27, 2026 06:13
@github-actions

semaphore (chart) (helm) 16.0.11 -> 16.1.2, semaphoreui/semaphore (image) (docker) 2.16.47 -> 2.17.34

Risk: 🟡 Caution

The Deep Dive

Update Scope

Renovate bumps the semaphoreui/charts Helm chart from 16.0.11 to 16.1.2 in kubernetes/semaphore/Chart.yaml. The chart's appVersion jumps from 2.16.47 to 2.17.34, so the rendered helm/deployment.yaml now points at semaphoreui/semaphore:v2.17.34. The repo has no kustomize image override, so this is the version that will actually be deployed. Bundled mariadb (23.2.2) and postgresql (18.1.4) sub-chart pins are unchanged.

Performance & Stability

  • v2.17.4 perf(tasks): decrease db queries (PR 3619). Reduces DB load on the task list page; relevant for the Postgres-backed deployment in kubernetes/semaphore/semaphore-postgres-cluster.yaml.
  • v2.17.32 — runner-distribution and shutdown reliability (PR 3722, PR 3738), plus a nil-pointer fix in UpdateRunner (PR 3727). Only matters if external runners are registered — the in-process runner this homelab uses is unaffected.
  • v2.17.5 — fixes scheduled-task property persistence (issue 3304). No scheduled tasks are configured in repo, but if any exist in the live DB this is a real fix.

Features & UX

  • Custom CA bundle for outbound TLS (chart PR 20, new customCertificates.* keys in values.yaml). Adds an init container that prepends a configmap/secret-supplied CA cert onto ca-certificates.crt and exports SSL_CERT_FILE, REQUESTS_CA_BUNDLE, GIT_SSL_CAINFO. Default enabled: false. Not used in this deployment (grep customCertificates kubernetes/semaphore/ returns no hits) — fine to ignore unless on-prem git-over-private-CA becomes a need.
  • Active-active HA (v2.17.2 / PR 3608). Multiple Semaphore replicas can now run simultaneously. Repo runs replicaCount: 1 (values.yaml:2) so no behavior change, but the option is now available.
  • RFC 5424 syslog (v2.17.7 / PR 3624). Only relevant if SEMAPHORE_*SYSLOG* is configured — repo has no such env vars.
  • Force-stop-all-tasks button (v2.17.0, v2.17.8 / PR 3633). UI-only, no config needed.
  • Custom UI views & expanded textarea (v2.17.0). UI-only.
  • Read secrets from raw file (v2.17.15 / PR 3654). Useful pattern for K8s secret mounts; opt-in per secret.
  • CLI --register flag for runner + import project (v2.17.0). CLI/setup ergonomics; no impact on running web/server config.

Security

Key Fixes

  • v2.17.14 — null pointer in Backups.
  • v2.17.22 — integrations permission handling.
  • v2.17.24 — race condition for terraform task statuses (#3686). The repo deploys OpenTofu via Semaphore (per .claude/rules/ansible/semaphore.md), so terraform-task path is exercised here.
  • v2.17.26 — secrets null pointer.
  • v2.17.27 — Terragrunt run bug.
  • v2.17.30 fix(env): allow empty secret prefix.
  • v2.17.32 — git branch names containing slashes were truncated (#3717); useful if any project branches use feature/foo style names.

Newer Versions

Two releases exist after the proposed v2.17.34:

  • v2.17.36 — LDAP filter injection fix + subscription-message fix. LDAP is disabled in this deployment, so no impact.
  • v2.17.38 — Vault namespace support (Pro/Enterprise) and a critical fix to BoltDB migration. The deployment uses Postgres (values.yaml:4-13, semaphore-postgres-cluster.yaml), not BoltDB, so unaffected.

Neither newer release fixes a regression introduced in the 2.16.47 → 2.17.34 range, so there is no reason to wait for a newer chart bump. Renovate will pick up the next chart cut on its normal schedule.

Hazards & Risks

  • Large minor jump on the app side. v2.16.47 → v2.17.34 is ~570 commits and crosses the 2.17 minor line. No removed features were called out in any release note, but the surface area is wide (HA, syslog formatter, runner refactors, secret-loading paths).
  • Implicit DB schema migration. v2.17.28 added a runner_id column to the task table (PR 3712). Semaphore applies migrations automatically on startup; the CloudNativePG-managed semaphore user owns the database (per semaphore-postgres-cluster.yaml), so no manual GRANT is required. A failed migration will manifest as a CrashLoopBackOff on the new pod — tail the pod log immediately after rollout.
  • Custom command override is preserved. patch-deployment.yaml:15-16 overrides the container command to /config-map/scripts---init-tools.sh. The chart's image entrypoint may have changed in 2.17, but because we override command outright, this is unaffected. The init script ultimately execs semaphore server; if the new binary changed any default config-file expectations the script will surface it on startup.
  • No breaking chart-side changes. Diff of stable/semaphore/values.yaml between 16.0.11 and 16.1.2 is purely additive (customCertificates.* block + cosmetic comment fixes). No removed/renamed keys; existing values.yaml continues to validate against the new values.schema.json.

🟡 Verdict: Caution

Worth deploying — the chart-side change is purely additive and the app jump pulls in real fixes (Terragrunt/Terraform task race, branch-with-slash, secrets nullptr) plus opt-in HA and syslog. Caution rather than safe because of the ~570-commit minor jump and the implicit runner_id schema migration in v2.17.28; tail the Semaphore pod log after rollout to confirm the migration completes and the OIDC login still works.
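
An added example, not part of the bot's comment or of the semaphore chart: the "purely additive" claim under Hazards & Risks can be checked mechanically by diffing the old and new chart defaults and testing local overrides against the new key set. The `OLD`, `NEW` and `OVERRIDES` mappings and all function names are constructed for illustration; only `replicaCount` and `customCertificates.enabled` are taken from the page.

```python
# Added example: classify a Helm chart values change as additive or breaking.
# All sample values below are constructed; they are not the real chart defaults.

def flatten(values, prefix=""):
    """Return {dotted.path: leaf} for a nested values mapping (empty maps are leaves)."""
    flat = {}
    for key, val in values.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(val, dict) and val:
            flat.update(flatten(val, path))
        else:
            flat[path] = val
    return flat


def still_known(path, new):
    """True if an override path still maps onto something the new chart defines."""
    if path in new:
        return True
    for name, default in new.items():
        if name.startswith(path + "."):          # override replaces a whole subtree
            return True
        if path.startswith(name + ".") and default in ({}, None):
            return True                           # override fills an empty-map default
    return False


def review_values_bump(old_defaults, new_defaults, overrides):
    """Diff chart defaults across a bump and flag local overrides the new chart ignores."""
    old, new = flatten(old_defaults), flatten(new_defaults)
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {
        "added": sorted(set(new) - set(old)),
        "removed": removed,
        "changed": changed,
        "orphaned": sorted(k for k in flatten(overrides) if not still_known(k, new)),
        "additive": not removed and not changed,
    }


OLD = {"replicaCount": 1, "image": {"repository": "example/app", "tag": ""}, "resources": {}}
NEW = {**OLD, "customCertificates": {"enabled": False}}
OVERRIDES = {"replicaCount": 1, "resources": {"limits": {"memory": "512Mi"}}}

if __name__ == "__main__":
    for field, value in review_values_bump(OLD, NEW, OVERRIDES).items():
        print(f"{field}: {value}")
```

In practice the three mappings would be loaded from the two chart versions' values.yaml and the repo's own values file. A non-empty `orphaned` list matters because Helm accepts unknown override keys silently unless the chart's values.schema.json rejects them.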

@renovate renovate Bot force-pushed the renovate/semaphore-16.x branch 19 times, most recently from d39afbc to 0dd31b0 Compare May 4, 2026 06:16
@renovate renovate Bot force-pushed the renovate/semaphore-16.x branch from 7a57492 to cbc5a78 Compare May 4, 2026 14:08
@claytono claytono enabled auto-merge (rebase) May 4, 2026 14:22
@renovate renovate Bot force-pushed the renovate/semaphore-16.x branch 3 times, most recently from 3e65131 to 7d16ae6 Compare May 4, 2026 14:50
@renovate renovate Bot force-pushed the renovate/semaphore-16.x branch from 7d16ae6 to 2b6cb04 Compare May 4, 2026 14:57
@claytono claytono merged commit 2145474 into main May 4, 2026
19 checks passed
@claytono claytono deleted the renovate/semaphore-16.x branch May 4, 2026 15:16