v2.16.0

ACM 2.16.0 released March 10, 2026

🚀 Features

• feat: allow skipObject to override mapping errors by @dhaiducek in ocm-io/405 for ACM-23563 via #1553
• NamespaceSelector handling of terminating namespaces by @JustinKuli in ocm-io/429 for ACM-24296 via #1625
• feat: support template function denylist for ConfigurationPolicy by @jan-law in ocm-io/434 for ACM-27751 via #1643

🛡️ Vulnerability Fixes

• chore(deps): update module golang.org/x/crypto to v0.45.0 [security] by @red-hat-konflux[bot] in #1572

🐛 Bug Fixes

• fix: compliant with mustnothave and objectselector by @dhaiducek in ocm-io/408 for ACM-25562 via #1557
• Handle non-string labels and annotations by @JustinKuli in ocm-io/411 for ACM-26186 via #1559
• Better handling of OperatorPolicy advanced fields by @JustinKuli in ocm-io/414 for ACM-22555 via #1617
• Fix operatorpolicy confusing status when invalid by @yiraeChristineKim in ocm-io/413 for ACM-16781 via #1620
• Fix handling of missing status fields by @JustinKuli in ocm-io/430 for ACM-28224 via #1630

⚙️ Other Notable Changes

• chore: upgrade to Go 1.25 by @dhaiducek in #1595 for ACM-27466
• refactor operatorpolicy tests to run faster by @jan-law in ocm-io/419 for ACM-26519 and ACM-23597 via #1630
• fix: add ACM_VERSION to base image scope by @dhaiducek in #1637

New Contributors

• @jan-law made their first contribution in #1643

Full Changelog: v2.15.0...v2.16.0-fc

v2.15.1

ACM 2.15.1 released January 25, 2026

🛡️ Vulnerability Fixes

• chore(deps): update module golang.org/x/crypto to v0.45.0 [security] by @red-hat-konflux[bot] in #1573

🐛 Bug Fixes

• Fix handling of missing status fields by @JustinKuli in ocm-io/430 for ACM-28224 via #1631

⚙️ Other Notable Changes

• chore: add cpe label to Konflux build by @dhaiducek in #1580
• chore: upgrade to Go 1.25 by @dhaiducek in #1596 for ACM-27466
• chore: add latest tag by @dhaiducek in #1608
• test: delete case13 secret before recreating by @jan-law in ocm-io/420 for ACM-27174 via #1604
• fix: use correct kubeconfig by @dhaiducek in ocm-io/431 via #1632

Full Changelog: v2.15.0...v2.15.1

v2.15.0

ACM 2.15.0 released December 3, 2025

🚀 Features

• Record compliance history in the status by @JustinKuli in ocm-io/376 for ACM-20803 via #1444
• Rate limit ConfigurationPolicy evaluations by @JustinKuli in ocm-io/380 for ACM-22682 via #1541
• Bump go-template-utils to v7.1.0 by @JustinKuli in ocm-io/403 for ACM-18626 via #1545
• feat: allow skipObject to override mapping errors by @dhaiducek in ocm-io/405 for ACM-23563 via #1558

🐛 Bug Fixes

• fix: Allow templated namespace without namespaceSelector by @dhaiducek in ocm-io/373 for ACM-21804 via #1399
• Handle some additional errors in ConfigurationPolicies by @JustinKuli in ocm-io/374 for ACM-21504 and ACM-21944 via #1408
• fix: Properly handle objectSelector with namespaceSelector by @dhaiducek in ocm-io/379 for ACM-22676 via #1434
• Remove unused serverVersion field by @JustinKuli in ocm-io/381 for ACM-22679 via #1438
• Add RelatedObject property when compliant dry run overrides policy mismatch by @jan-law in ocm-io/377 for ACM-14577 via #1466
• Handle CSV approvals with unconventional package names by @jan-law in ocm-io/385 for ACM-20500 via #1494
• Ensure new namespaces can trigger a reconcile by @JustinKuli in ocm-io/395 for ACM-24595 via #1533
• Correct compliance on no-op dryrun updates by @JustinKuli in ocm-io/404 for ACM-25694 via #1546
• fix: compliant with mustnothave and objectselector by @dhaiducek in ocm-io/408 for ACM-25562 via #1558
• Handle non-string labels and annotations by @JustinKuli in ocm-io/411 for ACM-26186 via #1560

⚙️ Other Notable Changes

• Move to common konflux pipeline by @JustinKuli in #1477 for ACM-23301
• Set up MintMaker image updates and digest pinning by @dhaiducek in #1484
• Re-enable gomod MintMaker updates by @dhaiducek in #1490
• Add repository url label to container images by @gparvin in #1503 for ACM-23275
• Update to Go v1.24 by @dhaiducek in ocm-io/389 for ACM-24264 via #1509
• Optionally read cluster resources with dryrun CLI by @jan-law in ocm-io/388 for ACM-22932 via #1512
• Add CLAUDE.md by @dhaiducek in ocm-io/390 via #1512
• chore: disable Mintmaker containerfile updates by @dhaiducek in #1521
• Add repo-level architecture diagram by @jan-law in ocm-io/382 via #1542

Full Changelog: v2.14.0...v2.15.0

v2.13.5

ACM 2.13.5 released January 15, 2026

🛡️ Vulnerability Fixes

• chore(deps): update module golang.org/x/crypto to v0.43.0 [security] by @red-hat-konflux[bot] in #1563
• chore(deps): update module golang.org/x/crypto to v0.45.0 [security] by @red-hat-konflux[bot] in #1571

⚙️ Other Notable Changes

• Update client-go to v0.32.9 by @JustinKuli in #1511 for ACM-24976
• Update to Go v1.24 by @dhaiducek in #1506 for ACM-24264
• chore: add cpe label to Konflux build by @dhaiducek in #1581
• chore: populate url image label by @dhaiducek in #1592
• chore: upgrade to Go 1.25 by @dhaiducek in #1598

Full Changelog: v2.13.4...v2.13.5

v2.12.7

What's Changed

• chore(deps): update konflux references to 67f0290 (main) by @red-hat-konflux[bot] in #1061
• 🤖 Sync from open-cluster-management-io/config-policy-controller: #306 by @magic-mirror-bot[bot] in #1064
• [release-2.12] 🤖 Sync from open-cluster-management-io/config-policy-controller: #307 by @openshift-cherrypick-robot in #1075
• chore(deps): update konflux references (main) by @red-hat-konflux[bot] in #1079
• [release-2.12] 🤖 Sync from open-cluster-management-io/config-policy-controller: #308 by @openshift-cherrypick-robot in #1067
• [release-2.12] 🤖 Sync from open-cluster-management-io/config-policy-controller: #310 by @openshift-cherrypick-robot in #1069
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1083
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1094
• [release-2.12] Adopt existing sub when packagemanifest not found by @JustinKuli in #1089
• [release-2.12] 🤖 Sync from open-cluster-management-io/config-policy-controller: #318 by @openshift-cherrypick-robot in #1106
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1101
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1111
• [release-2.12] 🤖 Sync from open-cluster-management-io/config-policy-controller: #316 by @openshift-cherrypick-robot in #1115
• [release-2.12] 🤖 Sync from open-cluster-management-io/config-policy-controller: #322 by @openshift-cherrypick-robot in #1117
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1125
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1130
• [release-2.12] Update net and crypto pkgs by @dhaiducek in #1137
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1145
• chore(deps): update konflux references to 9e33cbc (release-2.12) by @red-hat-konflux[bot] in #1146
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1153
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1158
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1161
• chore(deps): update konflux references (release-2.12) by @red-hat-konflux[bot] in #1166
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1173
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1183
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1190
• chore(deps): update konflux references to b78123a by @red-hat-konflux[bot] in #1212
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1230
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1255
• [release-2.12] Address oauth2 vuln by @dhaiducek in #1265
• [release-2.12] Address crypto vuln by @dhaiducek in #1275
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1278
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1300
• [release-2.12] Add shell and unicode sast pipeline tasks by @dhaiducek in #1305
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1312
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1318
• Konflux build pipeline service account migration by @red-hat-konflux[bot] in #1326
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1333
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1341
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1344
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1352
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1355
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1361
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1377
• [release-2.12] fix: Record the diff for enforce by @dhaiducek in #1372
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1385
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1388
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1393
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1411
• [release-2.12] Update OWNERS by @dhaiducek in #1404
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1418
• Red Hat Konflux update config-policy-controller-acm-212 by @red-hat-konflux[bot] in #1424
• [2.12] 22681 serverversion panic by @JustinKuli in #1437
• chore(deps): update quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2 docker digest to b5c2ba8 by @red-hat-konflux[bot] in #1455
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1452
• [release-2.12] 🤖 Sync from open-cluster-management-io/config-policy-controller: #328 by @openshift-cherrypick-robot in #1465
• [2.12] Move to common konflux pipeline by @JustinKuli in #1480
• chore(deps): pin dependencies by @red-hat-konflux[bot] in #1485
• chore(deps): update module golang.org/x/net to v0.38.0 [security] by @red-hat-konflux[bot] in #1491
• [release-2.12] uninstallation coverage by @JustinKuli in #1514
• [release-2.12] Update to Go v1.24 by @dhaiducek in #1507
• chore(deps): update containerfile images [release-2.12] by @red-hat-konflux[bot] in #1498

Full Changelog: v2.12.0...v2.12.7

v2.11.9

What's Changed

• Update Konflux references (release-2.11) by @red-hat-konflux[bot] in #954
• [release-2.11] 🤖 Sync from open-cluster-management-io/config-policy-controller: #272 by @openshift-cherrypick-robot in #952
• [release-2.11] 🤖 Sync from open-cluster-management-io/config-policy-controller: #273 by @openshift-cherrypick-robot in #949
• Update Konflux references (release-2.11) by @red-hat-konflux[bot] in #962
• Update Konflux references (release-2.11) by @red-hat-konflux[bot] in #967
• Update Konflux references (release-2.11) by @red-hat-konflux[bot] in #976
• [2.11] Fix a bug when no namespace selector is specified by @mprahl in #979
• [2.11] Use the controller-runtime cache to get the decryption key by @mprahl in #980
• [2.11] Add the censored diff message on OpenShift 3.11 by @mprahl in #981
• [2.11] Ensure pod restart when target kubeconfig changes by @zyjjay in #984
• Update Konflux references (release-2.11) by @red-hat-konflux[bot] in #986
• fix(KONFLUX-3663): format PipelineRun files and upload SAST results by @ccronca in #991
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #992
• [release-2.11] Use --server-side for null test by @dhaiducek in #998
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #996
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1003
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1007
• [release-2.11] Update to Go v1.22 by @dhaiducek in #1017
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1026
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1031
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1047
• [release-2.11] Add rpms-signature-scan to Konflux by @dhaiducek in #1054
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1051
• chore(deps): update konflux references to 67f0290 (release-2.11) by @red-hat-konflux[bot] in #1062
• [release-2.11] 🤖 Sync from open-cluster-management-io/config-policy-controller: #306 by @openshift-cherrypick-robot in #1065
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1072
• [release-2.11] 🤖 Sync from open-cluster-management-io/config-policy-controller: #307 by @openshift-cherrypick-robot in #1076
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1081
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1086
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1092
• [release-2.11] 🤖 Sync from open-cluster-management-io/config-policy-controller: #308 by @openshift-cherrypick-robot in #1088
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1103
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1114
• [release-2.11] 🤖 Sync from open-cluster-management-io/config-policy-controller: #322 by @openshift-cherrypick-robot in #1118
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1123
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1131
• [release-2.11] Update net and crypto pkgs by @dhaiducek in #1138
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1142
• chore(deps): update konflux references to 9e33cbc (release-2.11) by @red-hat-konflux[bot] in #1149
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1151
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1156
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1163
• chore(deps): update konflux references (release-2.11) by @red-hat-konflux[bot] in #1165
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1174
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1182
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1188
• chore(deps): update konflux references to b78123a by @red-hat-konflux[bot] in #1213
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1233
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1256
• [release-2.11] Address oauth2 vuln by @dhaiducek in #1269
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1280
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1298
• [release-2.11] Add shell and unicode sast pipeline tasks by @dhaiducek in #1304
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1311
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1316
• Konflux build pipeline service account migration by @red-hat-konflux[bot] in #1325
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1331
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1340
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1347
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1353
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1357
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1363
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1375
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1381
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1389
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1392
• chore(deps): update konflux references by @red-hat-konflux[bot] in #1414
• [release-2.11] Update OWNERS by @dhaiducek in #1405
• chore(deps): update konflux references by @red-hat-konflux[bot] in https://github.com/stolostron/config-policy-...

v2.14.1

ACM 2.14.1 was release October 30, 2025

♻️ CI changes:

• Move to common konflux pipeline by @JustinKuli in #1478
• chore(KONFLUX-6210): fix and set name and cpe label for config-policy-controller-acm-214 by @ralphbean in #1496

🛠️ Bug Fixes:

• fix: Allow templated namespace without namespaceSelector by @dhaiducek in ocm-io/373 for ACM-21804 via #1400
• fix: Properly handle objectSelector with namespaceSelector by @dhaiducek in ocm-io/379 for ACM-22676 via #1435
• Handle some additiona errors in ConfigurationPolicies by @JustinKuli in ocm-io/374 for ACM-21504 and ACM-21944 via #1446
• Remove unused serverVersion field by @JustinKuli in ocm-io/381 for ACM-22679 via #1447
• Adjust cleanup to avoid panics and getting stuck by @JustinKuli for ACM-22713 in #1463

⚠️ Vulnerability Fixes:

There are likely container vulnerabilities resolved by updates to the base image, but they are not listed here.

New Contributors

• @ralphbean made their first contribution in #1496

Full Changelog: v2.14.0...v2.14.1

(Compiled partially automatically, then adjusted by @JustinKuli - apologies for any omissions or errors)

v2.13.4

ACM 2.13.4 was released September 17, 2025.

✨ Changes:

• Record the diff for enforce by @dhaiducek in #1370
• Allow templated namespace without nsSelector by @dhaiducek in #1401
• Add helpful errors for unwatchable resources by @JustinKuli in #1431
• Do a server-side dry-run for missing keys by @JustinKuli in #1461

♻️ CI changes:

• Update OWNERS by @dhaiducek in #1403
• Move to common konflux pipeline by @JustinKuli in #1479

🛠️ Bug Fixes:

• Remove unused code to prevent serverversion panic by @JustinKuli in #1436
• Fix linebreaks in some standalone hub templates by @JustinKuli in #1462
• Adjust cleanup to avoid panics and getting stuck by @JustinKuli in #1464

Full Changelog: v2.13.3...v2.13.4

(Compiled by @JustinKuli - apologies for any omissions or errors)

v2.14.0

ACM 2.14.0 was released August 1, 2025.

Caution

Known Issue: When you use both the objectSelector and the namespaceSelector fields in a ConfigurationPolicy resource, the objects that the objectSelector return get applied to all the namespaces that the namespaceSelector return. The ConfigurationPolicy incorrectly processes the results. To workaround this issue, apply the object-templates-raw field to iterate over the objects. The issue is resolved in 2.14.1 and 2.15.0.

✨ Changes:

• Use lowercase APIMapping by @dhaiducek in ocm-io/346 via #1250
• Make spec required by @dhaiducek in ocm-io/349 via #1261
• Upgrade addon-framework to v0.12.0 by @yiraeChristineKim in ocm-io/353 for ACM-19001 via #1297
• Enable skipObject arguments by @dhaiducek in ocm-io/354 for ACM-19753 via #1302
• Refactor skipObject to report arg types by @dhaiducek in ocm-io/355 via #1307
• Adjust --no-colors behaviors by @dhaiducek in ocm-io/359 via #1322
• Refactor tests to walk embed.FS directly by @dhaiducek in ocm-io/360 via #1323
• Add Object context variable by @dhaiducek in ocm-io/361 for ACM-15970 via #1335
• Remove dryrun dev preview marker by @dhaiducek in ocm-io/364 for ACM-20097 via #1337
• Allow multiple versions in one entry by @JustinKuli in ocm-io/367 for ACM-20804 via #1360
• Add helpful errors for unwatchable resources by @JustinKuli in ocm-io/370 for ACM-19965 via #1371

♻️ CI changes:

• Upgrade golangci-lint to v1.64.8 by @yiraeChristineKim in ocm-io/347 for ACM-8341 via #1264
• Disable gomod updates by @dhaiducek in #1295
• Add multiarch build to konflux pipeline by @JustinKuli in #1354
• Update CEL to release-2.14 by @dhaiducek in #1398
• Update OWNERS by @dhaiducek in #1402

🛠️ Bug Fixes:

• Support policy resources in dryrun by @yiraeChristineKim in ocm-io/344 for ACM-18135 via #1245
• Fix Issue with Mapping File Not Working by @yiraeChristineKim in ocm-io/345 for ACM-18134 via #1248
• Watch correct openshift templates by @JustinKuli in ocm-io/350 for ACM-18827 via #1272
• Colored diffs are displayed as output. by @yiraeChristineKim in ocm-io/357 for ACM-18908 via #1309
• Add a flag to show the complete diff during dry run by @yiraeChristineKim in ocm-io/358 for ACM-18907 via #1315
• fix: address .Object bugs by @dhaiducek in ocm-io/368 for ACM-20863 via #1367
• fix: Record the diff for enforce by @dhaiducek in ocm-io/369 for ACM-19111 via #1368
• Use JSON instead of YAML for hub templates by @JustinKuli in ocm-io/371 for ACM-21394 via #1378
• Do a server-side dry-run check to know if resource updates are necessary by @JustinKuli in ocm-io/366 for ACM-19156 via #1380

⚠️ Vulnerability Fixes:

• Address oauth2 vuln by @dhaiducek for CVE-2025-22868 in ocm-io/351 via #1267
• Fix the crypto cve by @gparvin for CVE-2025-22869 in ocm-io/352 via #1276

Full Changelog: v2.13.0...v2.14.0

(Compiled partially automatically, then adjusted by @JustinKuli - apologies for any omissions or errors)

v2.13.3

ACM 2.13.3 was released June 4, 2025.

Changes:

• Add shell and unicode sast pipeline tasks by @dhaiducek in #1306
• Enable skipObject arguments by @dhaiducek for ACM-19753 in #1308

Full Changelog: v2.13.2...v2.13.3

(Compiled manually by @JustinKuli - apologies for any omissions or errors)