feat(container): update image mirror.gcr.io/gotenberg/gotenberg ( 8.28.0 → 8.29.0 )

[labassistantbot]

This PR contains the following updates:

Package	Update	Change
mirror.gcr.io/gotenberg/gotenberg	minor	8.28.0 → 8.29.0

---

Release Notes

gotenberg/gotenberg (mirror.gcr.io/gotenberg/gotenberg)

v8.29.0: 8.29.0

Compare Source

Security Fixes ⚠️

• ExifTool Arbitrary File Write: The /forms/pdfengines/metadata/write endpoint allowed users to pass FileName and Directory pseudo-tags in the metadata JSON, enabling file rename/move to arbitrary paths. User-supplied metadata is now filtered through a blocklist before being passed to ExifTool.
• Chromium file:// Sub-Resource Restriction: When converting HTML/Markdown via file://, sub-resources are now restricted to the request's working directory, preventing cross-request file access in /tmp.

New Features

OpenTelemetry

• Full OpenTelemetry Support: Distributed tracing, metrics export, and structured logging: all configurable via standard OTEL environment variables (OTEL_TRACES_EXPORTER, OTEL_METRICS_EXPORTER, OTEL_LOGS_EXPORTER, OTEL_EXPORTER_OTLP_ENDPOINT, etc.). Every HTTP request gets a span. External tool calls (Chromium, LibreOffice, QPDF, pdfcpu, pdftk, ExifTool, webhook delivery, download-from) create child spans. Trace context is propagated to outbound HTTP calls via W3C headers.
• Structured Logging Migration: Migrated from custom logging module to slog-based structured logging with OTEL log bridge. Supports auto/JSON/text formats with optional GCP-compatible field names.
• Binary Path as Peer Service: server.address span attribute uses the actual binary path (e.g., /usr/bin/qpdf) instead of the software name.
• Telemetry Control for System Routes: New flags to disable telemetry for noisy system routes, all defaulting to disabled: --api-disable-root-route-telemetry, --api-disable-debug-route-telemetry, --api-disable-version-route-telemetry, --prometheus-disable-route-telemetry. The existing --api-disable-health-check-route-telemetry default changed from false to true.

Chromium

• Idle Shutdown: New --chromium-idle-shutdown-timeout flag (default: 0s, disabled) to automatically stop Chromium after a configurable idle period, reclaiming memory on low-traffic servers. The process re-launches lazily on the next request.
• Network Almost Idle Event: New skipNetworkAlmostIdleEvent form field (default: true). When set to false, Gotenberg waits for a "network almost idle" event (at most 2 open connections for 500ms) before conversion. This provides a middle ground between the existing skipNetworkIdleEvent (strict, 0 connections) and no wait at all — useful for pages with long-polling or analytics connections that never fully close.

LibreOffice

• PDF Viewer Preferences (#​1316): 15 new form fields for controlling PDF viewer behavior: initialView, initialPage, magnification, zoom, pageLayout, firstPageOnLeft, resizeWindowToInitialPage, centerWindow, openInFullScreenMode, displayPDFDocumentTitle, hideViewerMenubar, hideViewerToolbar, hideViewerWindowControls, useTransitionEffects, openBookmarkLevels.
• Idle Shutdown: New --libreoffice-idle-shutdown-timeout flag (default: 0s, disabled), same behavior as Chromium.

Webhook

• Event Callbacks (#​1473): New optional Gotenberg-Webhook-Events-Url header. When set, structured JSON events (webhook.success, webhook.error) are POSTed after each webhook operation, with correlationId and timestamp. Additive: existing Gotenberg-Webhook-Url and Gotenberg-Webhook-Error-Url continue to work unchanged.

Security & Networking

• Multiple URL Patterns: All allow/deny list flags (--chromium-allow-list, --chromium-deny-list, --webhook-allow-list, --webhook-deny-list, --webhook-error-allow-list, --webhook-error-deny-list, --api-download-from-allow-list, --api-download-from-deny-list) now accept multiple regex patterns via string slices. Existing single-value configurations continue to work.

Bug Fixes

• Chromium singlePage Margin Accounting (#​1046): The singlePage option now correctly accounts for top/bottom margins when calculating page height, fixing content overflow on tall pages.
• Long Filename Support (#​1500): Files with long names (166+ chars, especially with multi-byte UTF-8) no longer cause "File name too long" errors. Files are now stored on disk with UUID-based names while preserving original filenames for HTTP responses, archive entries, and JSON keys.

Deprecated Flags

Old	New
--log-format	--log-std-format
--log-enable-gcp-fields	--log-std-enable-gcp-fields
--api-trace-header	--api-correlation-id-header
--api-disable-health-check-logging	--api-disable-health-check-route-telemetry
--prometheus-disable-route-logging	--prometheus-disable-route-telemetry

All deprecated flags continue to work.

Chore

• Replaced go.uber.org/multierr with stdlib errors.Join.
• Added integration tests for Chromium screenshot routes (HTML, URL, Markdown).
• Added long filename integration tests across all PDF engine and conversion routes.
• Integration test retry mechanism: failed scenarios are automatically retried up to 3 times.
• Bumped actions/checkout to v6 in all GitHub Actions.

Thanks

Thanks to @​dkrizic (#​814) and @​jbdelhommeau (#​1489) for requesting OpenTelemetry/tracing support, @​eht16 (#​1316), @​nh2 (#​1023), @​Frozen666 (#​1046), @​vofflan (#​1500), @​danxmoran (#​1394), and @​janaka (#​1473) for their issue reports and feature requests!

---

This release represents a significant amount of work: OpenTelemetry integration, security fixes, new features, and hundreds of integration tests. If Gotenberg is useful to you or your team, please consider sponsoring the project. Your support helps keep development going.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[labassistantbot]

--- HelmRelease: self-hosted/paperless Deployment: self-hosted/paperless

+++ HelmRelease: self-hosted/paperless Deployment: self-hosted/paperless

@@ -142,13 +142,13 @@

         - mountPath: /var/run/secrets/postgresql
           name: postgres-certs
       - command:
         - gotenberg
         - --chromium-disable-javascript=true
         - --chromium-allow-list=file:///tmp/.*
-        image: mirror.gcr.io/gotenberg/gotenberg:8.28.0
+        image: mirror.gcr.io/gotenberg/gotenberg:8.29.0
         name: gotenberg
         ports:
         - containerPort: 3000
         resources:
           limits:
             cpu: 500m

[labassistantbot]

--- kubernetes/apps/self-hosted/paperless/app Kustomization: self-hosted/paperless HelmRelease: self-hosted/paperless

+++ kubernetes/apps/self-hosted/paperless/app Kustomization: self-hosted/paperless HelmRelease: self-hosted/paperless

@@ -96,13 +96,13 @@

             command:
             - gotenberg
             - --chromium-disable-javascript=true
             - --chromium-allow-list=file:///tmp/.*
             image:
               repository: mirror.gcr.io/gotenberg/gotenberg
-              tag: 8.28.0
+              tag: 8.29.0
             ports:
             - containerPort: 3000
             resources:
               limits:
                 cpu: 500m
                 memory: 512Mi