Update oryd/oathkeeper Docker tag to v25

[renovate]

This PR contains the following updates:

Package	Update	Change
oryd/oathkeeper (source)	major	v0.40.9 -> v25.4.0

---

Release Notes

ory/oathkeeper (oryd/oathkeeper)

v25.4.0

Compare Source

This release brings internal improvements to configuration handling, observability, and repo management. It also aligns Oathkeeper more closely with the rest of the Ory ecosystem by migrating to vendored libraries, modernizing infrastructure, and improving CI/CD pipelines.

Ory has moved to a new versioning scheme. Read about our new version scheme. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.

Features

• Monorepo migration: Oathkeeper has been consolidated into the Ory monorepo for better cross-project consistency and maintainability.
• Vendored Ory/x: Oathkeeper now uses vendored versions of ory/x to reduce dependency issues and simplify builds.
• Goreleaser integration: Release builds are now managed via goreleaser, improving reproducibility across platforms.
• Config helpers moved to ory/x: Shared configuration test helpers were migrated for reuse across the ecosystem.
• OTLP tracing improvements: Enhanced telemetry support with better defaults and sampling control.

Auto-generated release notes

Bug Fixes

• Add repo syncing for polis (d9d0564):

• Better tracing in proxy HTTP (154aa3a):

• Copybara script (e378207):

• Deduplicate down migrations (2a9de87):

• deps: Update go-x (596d47f):

• Escape IPv6 regex string (1c941f8):

• Failing CI in OSS repos (ef037fc):

• Force SQL operator precedence in pagination v2 to ensure nid isolation (352dc27):

• hydra: Instrument metrics also on public endpoints (9fb2738):

• hydra: Use prometheus metrics instead of SQA metrics (2e8a272):

• Ignore non SQL files when applying migrations (190f33f):

• Implicit transactions for cockroach v23.5 and simplified migration logic (f80141c):

• Include go.mod in vendored oryx (682fcc1):

• Jsonx.ApplyJSONPatch (7afa2f9):

• Lint (637e831):

• Otlp sampling rate default (eb7f97f):

• Print correct content of down migrations (d84193b):

• Reject invalid migration names (dfc957a):

• Return 404 on schema file not exists (62b1711):

• Revert "fix: otlp sampling rate default (#​9055)" (2941afc):

• Simplify and fix Copybara sync job (1492be0):

• Use batch insert to speed up project changes (269a260):

• Use git hash to render ory x schema references (7f7962c):

• Use hard-coded fallback key instead of panic (70be40a):

• Use main branch for polis (bf316f3):

Code Generation

• Prepare for OSS release - v25.4.0 (2020997):

Code Refactoring

• Move database meta functions to root x folder for reusability (5dd0c61):

Features

• Add allowed domains configuration for captcha (1635888):

• Autoconfigure kratos-changefeed (cb91816):

• Bump CRDB, establish foreign key, (d525767):

• changelog-oel: Choose identity schema in self-service registration and login flows (afe66df):

• changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (e2e2c1b):

• changelog: Migrate http router to stdlib router (8350c72):

• Custom page token column extraction (d1cab42):

• Domain telemetry improvements (897ec02):

• Expose Ory-Error-Id HTTP header (4caf155):

• Extend Copybara pipelines to sync PRs from OSS repositories (da827d3):

• Goreleaser (009ad5c):

• hydra: Split up persister (51c7a2a):

• Improve domain telemetry for OSS (Hydra & Kratos) (54ce1f5):

• Improved events and identity recent activity (b11af64):

• Monorepo (809577e):

• Move config testhelpers to ory/x (933e770):

• Use stdlib HTTP router in Kratos (e2cc330):

• Use vendored ory/x (3c2c499):

Tests

• Add golangci-lint config and GHA (35de51f):

• hydra: Add snapshots for login & consent requests (c668a49):

• Resturcture and improve integration tests (df4e14b):

Changelog

• 996bcaf chore(deps): update actions/setup-node action to v6
• 95d5ec4 chore(deps): update actions/setup-node action to v6
• ff602dd chore(deps): update dependency node to v24
• f32259a chore(deps): update oathkeeper gha
• d20aefc chore(hydra): registry setup refactoring
• e59c492 chore(kratos): cleanup and improve some tests
• 71ed442 chore: add migration tests in kratos non-oss for crdb
• 9e30681 chore: add pagination secrets for Kratos
• d2d49b1 chore: add pre-release workflows for oss
• bef3eb9 chore: additional pop options
• 43aee43 chore: axios update
• 99d23a9 chore: bump Go everywhere
• 88dfaf2 chore: bump deps
• 52e01e7 chore: bump go deps
• 405e21b chore: bump go to 1.24.6
• 69d68e4 chore: bump sec deps
• f77f609 chore: cleanup oss workflows
• 0f29a1b chore: fix build for kratos-oss
• 971b1bc chore: fix vulnerable dependencies
• 083c2e4 chore: gh actions and node lib updates
• ea42f28 chore: go mod tidy to unblock CI
• b7cdaae chore: improve migration testdata and assertions
• 6ea1e01 chore: merge ory/x repo
• 6c5e2b2 chore: more gh actions and npm lib updates
• 1352a8c chore: remove counting courier messages
• 4a35143 chore: remove sdk generation action
• bcf2f81 chore: replace deprecated usages
• fd1fb80 chore: set GitOrigin-RevId (#​1227)
• edb9061 chore: shared serve config
• 29db785 chore: simplify service and option loading
• 6fa6664 chore: template migration command help
• fcc486b chore: update OSS readme
• 0d1c41b chore: update copybara rules
• 23bce23 chore: update copybara transformation
• 3828f94 chore: update github actions
• 2451cbf chore: update github actions
• cae1157 chore: update linter settings
• 8b82b03 chore: update opencontainers/runc to v1.3.3
• b1b4363 chore: update oss release workflows
• ded5047 chore: update repository templates to ory/meta@bc603a6
• 15c4955 chore: update repository templates to ory/meta@d919e6f
• 962d15b chore: update repository templates to ory/meta@fc1b4d6
• 593b8a5 chore: updated node to lts
• bc7ed9a chore: upgrade crdb to v25.2 everywhere & deflake CI!
• 31eb2a9 chore: use dedicated ory fork of pop
• 56ccdb1 ci: update oss workflows and add to renovate
• 8350c72 feat(changelog): migrate http router to stdlib router
• afe66df feat(changelog-oel): choose identity schema in self-service registration and login flows
• e2e2c1b feat(changelog-oel): improved tracing and metrics for the high-performance SQL connection pool
• 51c7a2a feat(hydra): split up persister
• 1635888 feat: add allowed domains configuration for captcha
• cb91816 feat: autoconfigure kratos-changefeed
• d525767 feat: bump CRDB, establish foreign key,
• d1cab42 feat: custom page token column extraction
• 897ec02 feat: domain telemetry improvements
• 4caf155 feat: expose Ory-Error-Id HTTP header
• da827d3 feat: extend Copybara pipelines to sync PRs from OSS repositories
• 009ad5c feat: goreleaser
• 54ce1f5 feat: improve domain telemetry for OSS (Hydra & Kratos)
• b11af64 feat: improved events and identity recent activity
• 809577e feat: monorepo
• 933e770 feat: move config testhelpers to ory/x
• e2cc330 feat: use stdlib HTTP router in Kratos
• 3c2c499 feat: use vendored ory/x
• 596d47f fix(deps): update go-x
• 9fb2738 fix(hydra): instrument metrics also on public endpoints
• 2e8a272 fix(hydra): use prometheus metrics instead of SQA metrics
• d9d0564 fix: add repo syncing for polis
• 154aa3a fix: better tracing in proxy HTTP
• e378207 fix: copybara script
• 2a9de87 fix: deduplicate down migrations
• 1c941f8 fix: escape IPv6 regex string
• ef037fc fix: failing CI in OSS repos
• 352dc27 fix: force SQL operator precedence in pagination v2 to ensure nid isolation
• 190f33f fix: ignore non SQL files when applying migrations
• f80141c fix: implicit transactions for cockroach v23.5 and simplified migration logic
• 682fcc1 fix: include go.mod in vendored oryx
• 7afa2f9 fix: jsonx.ApplyJSONPatch
• 637e831 fix: lint
• eb7f97f fix: otlp sampling rate default
• d84193b fix: print correct content of down migrations
• dfc957a fix: reject invalid migration names
• 62b1711 fix: return 404 on schema file not exists
• 2941afc fix: revert "fix: otlp sampling rate default (#​9055)"
• 1492be0 fix: simplify and fix Copybara sync job
• 269a260 fix: use batch insert to speed up project changes
• 7f7962c fix: use git hash to render ory x schema references
• 70be40a fix: use hard-coded fallback key instead of panic
• bf316f3 fix: use main branch for polis
• 5dd0c61 refactor: move database meta functions to root x folder for reusability
• c668a49 test(hydra): add snapshots for login & consent requests
• 35de51f test: add golangci-lint config and GHA
• df4e14b test: resturcture and improve integration tests

Artifacts can be verified with cosign using this public key.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.