feat(container): update image docker.io/thecodingmachine/gotenberg (8.26.0 → 8.29.1)

[bot-akira]

This PR contains the following updates:

Package	Update	Change
docker.io/thecodingmachine/gotenberg	minor	8.26.0 → 8.29.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

gotenberg/gotenberg (docker.io/thecodingmachine/gotenberg)

v8.29.1: 8.29.1

Compare Source

Bug Fix (Chromium)

Assets were no longer being correctly loaded in HTML files. This is now fixed. Thanks @​ARawles-GFSC for the heads up!

v8.29.0: 8.29.0

Compare Source

Security Fixes ⚠️

• ExifTool Arbitrary File Write: The /forms/pdfengines/metadata/write endpoint allowed users to pass FileName and Directory pseudo-tags in the metadata JSON, enabling file rename/move to arbitrary paths. User-supplied metadata is now filtered through a blocklist before being passed to ExifTool.
• Chromium file:// Sub-Resource Restriction: When converting HTML/Markdown via file://, sub-resources are now restricted to the request's working directory, preventing cross-request file access in /tmp.

New Features

OpenTelemetry

• Full OpenTelemetry Support: Distributed tracing, metrics export, and structured logging: all configurable via standard OTEL environment variables (OTEL_TRACES_EXPORTER, OTEL_METRICS_EXPORTER, OTEL_LOGS_EXPORTER, OTEL_EXPORTER_OTLP_ENDPOINT, etc.). Every HTTP request gets a span. External tool calls (Chromium, LibreOffice, QPDF, pdfcpu, pdftk, ExifTool, webhook delivery, download-from) create child spans. Trace context is propagated to outbound HTTP calls via W3C headers.
• Structured Logging Migration: Migrated from custom logging module to slog-based structured logging with OTEL log bridge. Supports auto/JSON/text formats with optional GCP-compatible field names.
• Binary Path as Peer Service: server.address span attribute uses the actual binary path (e.g., /usr/bin/qpdf) instead of the software name.
• Telemetry Control for System Routes: New flags to disable telemetry for noisy system routes, all defaulting to disabled: --api-disable-root-route-telemetry, --api-disable-debug-route-telemetry, --api-disable-version-route-telemetry, --prometheus-disable-route-telemetry. The existing --api-disable-health-check-route-telemetry default changed from false to true.

Chromium

• Idle Shutdown: New --chromium-idle-shutdown-timeout flag (default: 0s, disabled) to automatically stop Chromium after a configurable idle period, reclaiming memory on low-traffic servers. The process re-launches lazily on the next request.
• Network Almost Idle Event: New skipNetworkAlmostIdleEvent form field (default: true). When set to false, Gotenberg waits for a "network almost idle" event (at most 2 open connections for 500ms) before conversion. This provides a middle ground between the existing skipNetworkIdleEvent (strict, 0 connections) and no wait at all — useful for pages with long-polling or analytics connections that never fully close.

LibreOffice

• PDF Viewer Preferences (#​1316): 15 new form fields for controlling PDF viewer behavior: initialView, initialPage, magnification, zoom, pageLayout, firstPageOnLeft, resizeWindowToInitialPage, centerWindow, openInFullScreenMode, displayPDFDocumentTitle, hideViewerMenubar, hideViewerToolbar, hideViewerWindowControls, useTransitionEffects, openBookmarkLevels.
• Idle Shutdown: New --libreoffice-idle-shutdown-timeout flag (default: 0s, disabled), same behavior as Chromium.

Webhook

• Event Callbacks (#​1473): New optional Gotenberg-Webhook-Events-Url header. When set, structured JSON events (webhook.success, webhook.error) are POSTed after each webhook operation, with correlationId and timestamp. Additive: existing Gotenberg-Webhook-Url and Gotenberg-Webhook-Error-Url continue to work unchanged.

Security & Networking

• Multiple URL Patterns: All allow/deny list flags (--chromium-allow-list, --chromium-deny-list, --webhook-allow-list, --webhook-deny-list, --webhook-error-allow-list, --webhook-error-deny-list, --api-download-from-allow-list, --api-download-from-deny-list) now accept multiple regex patterns via string slices. Existing single-value configurations continue to work.

Bug Fixes

• Chromium singlePage Margin Accounting (#​1046): The singlePage option now correctly accounts for top/bottom margins when calculating page height, fixing content overflow on tall pages.
• Long Filename Support (#​1500): Files with long names (166+ chars, especially with multi-byte UTF-8) no longer cause "File name too long" errors. Files are now stored on disk with UUID-based names while preserving original filenames for HTTP responses, archive entries, and JSON keys.

Deprecated Flags

Old	New
--log-format	--log-std-format
--log-enable-gcp-fields	--log-std-enable-gcp-fields
--api-trace-header	--api-correlation-id-header
--api-disable-health-check-logging	--api-disable-health-check-route-telemetry
--prometheus-disable-route-logging	--prometheus-disable-route-telemetry

All deprecated flags continue to work.

Chore

• Replaced go.uber.org/multierr with stdlib errors.Join.
• Added integration tests for Chromium screenshot routes (HTML, URL, Markdown).
• Added long filename integration tests across all PDF engine and conversion routes.
• Integration test retry mechanism: failed scenarios are automatically retried up to 3 times.
• Bumped actions/checkout to v6 in all GitHub Actions.

Thanks

Thanks to @​dkrizic (#​814) and @​jbdelhommeau (#​1489) for requesting OpenTelemetry/tracing support, @​eht16 (#​1316), @​nh2 (#​1023), @​Frozen666 (#​1046), @​vofflan (#​1500), @​danxmoran (#​1394), and @​janaka (#​1473) for their issue reports and feature requests!

---

This release represents a significant amount of work: OpenTelemetry integration, security fixes, new features, and hundreds of integration tests. If Gotenberg is useful to you or your team, please consider sponsoring the project. Your support helps keep development going.

v8.28.0: 8.28.0

Compare Source

New Features

PDF Engines

• Watermark: Added POST /forms/pdfengines/watermark route. Applies a watermark (behind page content) to one or more PDF files. Supports text, image, or pdf sources. Also available as optional form fields on Chromium, LibreOffice, merge, and split routes. Configurable via --pdfengines-watermark-engines (default: pdfcpu,pdftk).
• Stamp: Added POST /forms/pdfengines/stamp route. Applies a stamp (on top of page content) to one or more PDF files. Same source types and integration points as watermark. Configurable via --pdfengines-stamp-engines (default: pdfcpu,pdftk).
• Rotate: Added POST /forms/pdfengines/rotate route. Rotates pages by 90°, 180°, or 270° with optional page selection. Also available as optional form fields (rotateAngle, rotatePages) on all composite routes. Configurable via --pdfengines-rotate-engines (default: pdfcpu, pdftk).
• Bookmarks (Read): Added POST /forms/pdfengines/bookmarks/read route. Returns the hierarchical bookmark outline from one or more PDF files as JSON. Configurable via --pdfengines-read-bookmarks-engines (default: pdfcpu).
• Bookmarks (Write): Added POST /forms/pdfengines/bookmarks/write route. Accepts either a flat list (applied to all files) or a filename-keyed map. Configurable via --pdfengines-write-bookmarks-engines (default: pdfcpu, pdftk).
• Merge Bookmark Management: The merge route now supports a bookmarks form field for custom bookmarks with automatic page-offset shifting, and an autoIndexBookmarks option to extract and reindex existing bookmarks from input files.
• PDF/A & PDF/UA Compliance: Reordered the processing pipeline so that PDF/A and PDF/UA conversion runs after watermark, stamp, and flatten operations. Also reject incompatible combinations (e.g., PDF/A + encryption, PDF/A-1/2 + embeds) with a 400 Bad Request.

LibreOffice

• Native Watermarks: Added support for LibreOffice's built-in watermark rendering during PDF export via new form fields: nativeWatermarkText, nativeWatermarkColor, nativeWatermarkFontHeight, nativeWatermarkRotateAngle, nativeWatermarkFontName, and nativeTiledWatermarkText.

API

• Download From: Extended the downloadFrom JSON schema with a field property ("watermark", "stamp", "embedded", or "") to route downloaded files to the appropriate form field bucket. The existing embedded boolean is preserved for backward compatibility.

Chore

• Updated Chromium to 146.0.7680.153-1.
• Updated Go dependencies.

v8.27.0: 8.27.0

Compare Source

New Features

Chromium

• Concurrency Support: Re-introduced support for simultaneous conversions (up to 6 by default). Configurable via CHROMIUM_MAX_CONCURRENCY. Thanks @​TomBrouws!
• Restart Threshold: Updated the default value for CHROMIUM_RESTART_AFTER to 100.
• Emulated Media Features: Added the emulatedMediaFeatures form field. This allows users to pass a JSON array to simulate specific CSS media features, such as prefers-color-scheme: dark or prefers-reduced-motion. Thanks @​danxmoran!

Misc

• Timezone: The default timezone is now explicitly UTC and is visible in the debug route. This remains overridable via the TZ environment variable. Thanks @​davpsh!

Bug Fixes

• PDF Engines: Resolved an issue where unnecessary derived tags were added when writing metadata. Thanks @​znemoe!

Chore

• Updated Chromium to 145.0.7632.109.
• Updated LibreOffice to 26.2.0.
• Updated Go dependencies.
• Bumped Go version to 1.26.0.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[bot-akira]

--- HelmRelease: default/paperless Deployment: default/paperless

+++ HelmRelease: default/paperless Deployment: default/paperless

@@ -125,13 +125,13 @@

         volumeMounts:
         - mountPath: /library
           name: library
       - env:
         - name: DISABLE_GOOGLE_CHROME
           value: '1'
-        image: docker.io/thecodingmachine/gotenberg:8.26.0
+        image: docker.io/thecodingmachine/gotenberg:8.29.1
         name: gotenberg
         resources:
           limits:
             memory: 1Gi
           requests:
             cpu: 100m

[bot-akira]

--- kubernetes/apps/default/paperless/app Kustomization: default/paperless HelmRelease: default/paperless

+++ kubernetes/apps/default/paperless/app Kustomization: default/paperless HelmRelease: default/paperless

@@ -101,13 +101,13 @@

           gotenberg:
             env:
             - name: DISABLE_GOOGLE_CHROME
               value: '1'
             image:
               repository: docker.io/thecodingmachine/gotenberg
-              tag: 8.26.0
+              tag: 8.29.1
             resources:
               limits:
                 memory: 1Gi
               requests:
                 cpu: 100m
                 memory: 128Mi

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.