chore(deps): update tools

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Update
github.com/golangci/golangci-lint/v2	v2.7.2 → v2.8.0					minor
google/yamlfmt	v0.20.0 → v0.21.0					minor
hashicorp/vault	v1.21.1 → v1.21.2					patch

---

Release Notes

golangci/golangci-lint (github.com/golangci/golangci-lint/v2)

v2.8.0

Compare Source

Released on 2026-01-07

1. Linters new features or changes
   • godoc-lint: from 0.10.2 to 0.11.1 (new rule: require-stdlib-doclink)
   • golines: from 442fd00 to 0.14.0
   • gomoddirectives: from 0.7.1 to 0.8.0
   • gosec: from daccba6 to 2.22.11 (new rule: G116)
   • modernize: from 0.39.0 to 0.40.0 (new analyzers: stringscut, unsafefuncs)
   • prealloc: from 1.0.0 to 1.0.1 (message changes)
   • unqueryvet: from 1.3.0 to 1.4.0 (new options: check-aliased-wildcard, check-string-concat, check-format-strings, check-string-builder, check-subqueries, ignored-functions, sql-builders)
2. Linters bug fixes
   • go-critic: from 0.14.2 to 0.14.3
   • go-errorlint: from 1.8.0 to 1.9.0
   • govet: from 0.39.0 to 0.40.0
   • protogetter: from 0.3.17 to 0.3.18
   • revive: add missing enable-default-rules setting
3. Documentation
   • docs: split installation page

google/yamlfmt (google/yamlfmt)

v0.21.0

Compare Source

Sorry to folks who were likely waiting on the stuff in this release, it's pretty packed. I got sick in December and took my holiday leave early, and I decided to fully and completely disconnect. Lots of stuff packed into this one now that I'm back. Happy new year!

Features

Force single or double quotes #​288

You can now force all quoted strings in a yaml document to be ' or ". See the basic formatter docs for more info.

KYAML Formatter #​302

yamlfmt can now support the new KYAML format from the Kubernetes project. The support for this is via a new formatter type called kyaml. I built support for alternate formatters into the architecture of yamlfmt all the way back when I first started the tool, but this is the first time I'm actually publishing a new formatter. I recommend a full read of the formatter documentation to get a sense of how to use this alternate formatter.

Bug Fixes

Gitlab output format #​272

I don't use Gitlab and didn't implement the feature so I'm not sure if this has been broken the whole time or if there was a schema change somewhere that bricked it, but Gitlab output format from yamlfmt was missing some required fields. This should work now with the new fields added into the output schema.

/dev/stdin as an argument instead of - did not work #​291

You're only allowed to read from stdin once in POSIX, but I inadvertently had a codepath that would read the file for a different purpose before reading it for formatting. This caused yamlfmt not to work under that circumstance. This edge case is handled now.

Filepath collector panic #​300

In a scenario where filepath.Walk fails to read something from the filesystem, I wasn't handling the error case properly. This never came up because I never had an error case ever appear locally and the linter that would yell at me about missed error checks didn't pick up that particular pattern that filepath.Walk propogates errors with. There should no longer be panics in error scenarios; new behaviour is that paths that failed to read will be surfaced and all other successful reads will be formatted.

Contributions

Thanks to @​slipknois for fixing the Gitlab output format.

hashicorp/vault (hashicorp/vault)

v1.21.2

Compare Source

1.21.2

January 07, 2026

CHANGES:

• auth/oci: bump plugin to v0.20.1
• core: Bump Go version to 1.25.5
• packaging: Container images are now exported using a compressed OCI image layout.
• packaging: UBI container images are now built on the UBI 10 minimal image.
• secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
• storage: Upgrade aerospike client library to v8.

IMPROVEMENTS:

• core: check rotation manager queue every 5 seconds instead of 10 seconds to improve responsiveness
• go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.
• rotation: Ensure rotations for shared paths only execute on the Primary cluster's active node. Ensure rotations for local paths execute on the cluster-local active node.
• sdk/rotation: Prevent rotation attempts on read-only storage.
• secrets-sync (enterprise): Added support for a boolean force_delete flag (default: false). When set to true, this flag allows deletion of a destination even if its associations cannot be unsynced. This option should be used only as a last-resort deletion mechanism, as any secrets already synced to the external provider will remain orphaned and require manual cleanup.
• secrets/pki: Avoid loading issuer information multiple times per leaf certificate signing.

BUG FIXES:

• core/activitylog (enterprise): Resolve a stability issue where Vault Enterprise could encounter a panic during month-end billing activity rollover.
• http: skip JSON limit parsing on cluster listener.
• quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
• replication (enterprise): fix rare panic due to race when enabling a secondary with Consul storage.
• rotation: Fix a bug where a performance secondary would panic if a write was made to a local mount.
• secret-sync (enterprise): Improved unsync error handling by treating cases where the destination no longer exists as successful.
• secrets-sync (enterprise): Corrected a bug where the deletion of the latest KV-V2 secret version caused the associated external secret to be deleted entirely. The sync job now implements a version fallback mechanism to find and sync the highest available active version, ensuring continuity and preventing the unintended deletion of the external secret resource.
• secrets-sync (enterprise): Fix issue where secrets were not properly un-synced after destination config changes.
• secrets-sync (enterprise): Fix issue where sync store deletion could be attempted when sync is disabled.
• ui/pki: Fix handling of values that contain commas in list fields like crl_distribution_points.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[inteon]

/approve
/lgtm

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [inteon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment