v1.0.0

Changelog

Security

• Dependency updates address GHSA-78h2-9frx-2jm8.
• Container image now runs the process as a non-root user (app) instead of root.
• Github Actions workflow now produces provenance attestations and SBOMs for the container image.

What's new

• Notifications use Shoutrrr (maintained fork). Configure one or more notify.urls with Shoutrrr service URLs — for example chat (Slack, Discord, Mattermost, Telegram, Microsoft Teams), push (Gotify, ntfy, Pushover), incidents (PagerDuty, OpsGenie), SMTP (smtp://…), generic webhooks, and others.
• --version-json prints version metadata as JSON (for scripts and automation).
• Published CLI reference in-repo (USAGE.md), kept in sync with the binary.
• Help and flags reorganized (context-sensitive --help, clearer groups). --allow-single-node is now unhidden; it was previously hidden.
• Logging now uses structured logs. Log output can still go to stderr and/or a file; see --help and USAGE.md for current flags.
• TLS for Vault is configurable beyond skip-verify: server name, CA certificate (file, inline PEM, or directory), and optional client certificate and key for mTLS. Flags live under --tls.* (see USAGE.md, TLS Options).
• Workers recreate the Vault API client on each check loop, so TLS settings and certificates are reapplied periodically (for example after rotation). Before, it required a restart.
• Docker image now supports linux/arm64 platform, in addition to linux/amd64.

Breaking changes

• Some logging options are removed (--log.quiet, --log.pretty). Use --log.level (including none to turn logging off) and JSON logging as documented.
  • JSON logging will have a different format.
  • Pretty logging (textual based, with ANSI colors) is now the default. JSON logging is still available with --log.json.
• TLS flags: the global --tls-skip-verify flag is deprecated and will be removed in a future release. Use --tls.skip-verify (environment variable remains TLS_SKIP_VERIFY). Other TLS options use the --tls.-prefixed flags and TLS_-prefixed env vars documented in USAGE.md.
  • YAML: top-level tls_skip_verify is deprecated in favor of tls.skip_verify (and the rest of the tls map), and will be removed in a future release. The old key is still read for compatibility; prefer migrating to tls in config.
• Container: the process no longer runs as root. Confirm writable paths for logs or other files you mount in.
• Email-style configuration is deprecated (CLI --email.*, environment EMAIL_*, YAML email). Switch to using notify.urls with Shoutrrr URLs. Existing email settings will eventually be removed: they are converted to an smtp:// Shoutrrr URL during validation (same behavior, different wiring).
• Notification timing flags renamed: --notify-max-elapsed and --notify-queue-delay are deprecated in favor of --notify.max-elapsed and --notify.queue-delay. In YAML, prefer the notify map keys max_elapsed and queue_delay instead of top-level notify_max_elapsed and notify_queue_delay. Same environment variable names (see USAGE.md).

🧹 Misc

• 193ab06: feat(config): refactor cli flags; misc deps tweaks (@lrstanley)
• 1e720f8: feat(config): add more tls configuration options (@lrstanley)
• 069a9e1: feat: refactor notifications, deprecate email (@lrstanley)
• fc0486e: feat: test provenance and arm builds (@lrstanley)
• 646b7e2: feat: add platforms to test workflow (@lrstanley)
• f6bd279: chore(release): re-enable scanning option for docker releases (@lrstanley)

Dependency updates

• 6503041: chore(deps): upgrade Go deps (@lrstanley)
• 72c7a08: chore(deps): fix clix/v2 version ref (@lrstanley)
• d8a86b3: chore(deps): upgrade go deps (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1.0.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1

🧪 Build info

• 📂 Full changelog: v0.7.2..v1.0.0
• ❤️ Built with: go version go1.26.2 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v1.0.0-rc.0

📣 Release Candidate 📣

WARNING: This is a release candidate, and thus not subject to support or security guarantees. You may find issues with this release (please submit an issue if you do!), and as such, this version should not be used in a stable and/or production environment. You've been warned!

Changelog

Security

• Dependency updates address GHSA-78h2-9frx-2jm8.
• Container image now runs the process as a non-root user (app) instead of root.
• Github Actions workflow now produces provenance attestations and SBOMs for the container image.

What's new

• Notifications use Shoutrrr (maintained fork). Configure one or more notify.urls with Shoutrrr service URLs — for example chat (Slack, Discord, Mattermost, Telegram, Microsoft Teams), push (Gotify, ntfy, Pushover), incidents (PagerDuty, OpsGenie), SMTP (smtp://…), generic webhooks, and others.
• --version-json prints version metadata as JSON (for scripts and automation).
• Published CLI reference in-repo (USAGE.md), kept in sync with the binary.
• Help and flags reorganized (context-sensitive --help, clearer groups). --allow-single-node is now unhidden; it was previously hidden.
• Logging now uses structured logs. Log output can still go to stderr and/or a file; see --help and USAGE.md for current flags.
• TLS for Vault is configurable beyond skip-verify: server name, CA certificate (file, inline PEM, or directory), and optional client certificate and key for mTLS. Flags live under --tls.* (see USAGE.md, TLS Options).
• Workers recreate the Vault API client on each check loop, so TLS settings and certificates are reapplied periodically (for example after rotation). Before, it required a restart.
• Docker image now supports linux/arm64 platform, in addition to linux/amd64.

Breaking changes

• Some logging options are removed (--log.quiet, --log.pretty). Use --log.level (including none to turn logging off) and JSON logging as documented.
  • JSON logging will have a different format.
  • Pretty logging (textual based, with ANSI colors) is now the default. JSON logging is still available with --log.json.
• TLS flags: the global --tls-skip-verify flag is deprecated and will be removed in a future release. Use --tls.skip-verify (environment variable remains TLS_SKIP_VERIFY). Other TLS options use the --tls.-prefixed flags and TLS_-prefixed env vars documented in USAGE.md.
  • YAML: top-level tls_skip_verify is deprecated in favor of tls.skip_verify (and the rest of the tls map), and will be removed in a future release. The old key is still read for compatibility; prefer migrating to tls in config.
• Container: the process no longer runs as root. Confirm writable paths for logs or other files you mount in.
• Email-style configuration is deprecated (CLI --email.*, environment EMAIL_*, YAML email). Switch to using notify.urls with Shoutrrr URLs. Existing email settings will eventually be removed: they are converted to an smtp:// Shoutrrr URL during validation (same behavior, different wiring).
• Notification timing flags renamed: --notify-max-elapsed and --notify-queue-delay are deprecated in favor of --notify.max-elapsed and --notify.queue-delay. In YAML, prefer the notify map keys max_elapsed and queue_delay instead of top-level notify_max_elapsed and notify_queue_delay. Same environment variable names (see USAGE.md).

🧹 Misc

• 193ab06: feat(config): refactor cli flags; misc deps tweaks (@lrstanley)
• 1e720f8: feat(config): add more tls configuration options (@lrstanley)
• 069a9e1: feat: refactor notifications, deprecate email (@lrstanley)
• fc0486e: feat: test provenance and arm builds (@lrstanley)
• 646b7e2: feat: add platforms to test workflow (@lrstanley)
• f6bd279: chore(release): re-enable scanning option for docker releases (@lrstanley)

Dependency updates

• 6503041: chore(deps): upgrade Go deps (@lrstanley)
• 72c7a08: chore(deps): fix clix/v2 version ref (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:1.0.0-rc.0

🧪 Build info

• 📂 Full changelog: v0.7.2..v1.0.0-rc.0
• ❤️ Built with: go version go1.26.1 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v0.7.2

Changelog

🧹 Misc

• bb32ceb: more actions tweaks (@lrstanley)
• e62eb62: fix: not accounting for addl. goroutine in notifier logic (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.7.2
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.7
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0

🧪 Build info

• 📂 Full changelog: v0.7.1..v0.7.2
• ❤️ Built with: go version go1.24.4 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v0.7.1

Changelog

🧹 Misc

• 64c89a0: misc actions tweaks (@lrstanley)

Dependency updates

• 580b194: chore(deps): upgrade deps (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.7.1
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.7
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0

🧪 Build info

• 📂 Full changelog: v0.7.0..v0.7.1
• ❤️ Built with: go version go1.24.4 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v0.7.0

Changelog

🧹 Misc

• c2f08ac: feat(docker): upgrade alpine linux (@lrstanley)

Dependency updates

• 1cea1a6: chore(deps): upgrade go deps (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.7.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.7
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0

🧪 Build info

• 📂 Full changelog: v0.6.0..v0.7.0
• ❤️ Built with: go version go1.23.4 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v0.6.0

Changelog

🧹 Misc

• 9f0621f: update license email (@lrstanley)
• 7eb8b18: feat: upgrade deps; remove legacy deps; misc cleanup (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.6.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.6
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0

🧪 Build info

• 📂 Full changelog: v0.5.1..v0.6.0
• ❤️ Built with: go version go1.22.6 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v0.5.1

Changelog

🧹 Misc

• 9c23c0c: build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 (@dependabot[bot])
• 74fe78f: build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 (@dependabot[bot])
• 0f6d3f3: Merge pull request #39 from lrstanley/dependabot/go_modules/golang.org/x/crypto-0.17.0 (@lrstanley)
• 8b91c0a: Merge pull request #36 from lrstanley/dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.1 (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.5.1
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.5
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0

🧪 Build info

• 📂 Full changelog: v0.5.0..v0.5.1
• ❤️ Built with: go version go1.21.5 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v0.5.0

Changelog

🧹 Misc

• 03d9087: fix: add default okd mode 440 (@heurtematte)
• 17a04a7: chore(deps): upgrade go deps (@lrstanley)
• 7e9dc0d: fix: update permissions error message (@lrstanley)
• 0a8d253: Merge pull request #34 from heurtematte/master (@lrstanley)
• b153d6e: Merge branch 'master' of github.com:lrstanley/vault-unseal (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.5.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.5
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0

🧪 Build info

• 📂 Full changelog: v0.4.1..v0.5.0
• ❤️ Built with: go version go1.21.3 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v0.4.1

Changelog

🧹 Misc

• d0e7c05: fix: version, commit, date not being updated in release binaries (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.4.1
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.4
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0

🧪 Build info

• 📂 Full changelog: v0.4.0..v0.4.1
• ❤️ Built with: go version go1.21.1 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct

v0.4.0

Changelog

🧹 Misc

• b4eb290: chore(deps): upgrade go deps (@lrstanley)
• 3ac9bd7: build(deps): bump alpine from 3.17 to 3.18 (@dependabot[bot])
• fdc06c5: Merge pull request #31 from lrstanley/dependabot/docker/alpine-3.18 (@lrstanley)
• d794c35: chore(deps): upgrade go deps (@lrstanley)
• 2cf2daf: Merge branch 'master' of github.com:lrstanley/vault-unseal (@lrstanley)
• 4a7b643: feat: refactoring from lint results (@lrstanley)
• 10b96b9: feat: add caching to dockerfile; remove no longer required nsswitch.conf overrides (@lrstanley)

🐳 Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.4.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.4
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0

🧪 Build info

• 📂 Full changelog: v0.3.0..v0.4.0
• ❤️ Built with: go version go1.21.1 linux/amd64
• ⚙️ Release job: release/go-release triggered by @lrstanley.

💬 What to do next?

• 🙋‍♂️ Running into an issue or want a specific feature? Take a look here!
• ⌚ Find previous releases.
• 🗝️ Find a vulnerability? Check out our Security and Disclosure policy.
• 🔗 Other useful links:
  • License
  • Contributing
  • Support
  • Code of Conduct