chore(deps): update quay.io/keycloak/keycloak docker tag to v26.6.1

[renovate-bot-cbcoutinho]

This PR contains the following updates:

Package	Update	Change
quay.io/keycloak/keycloak	minor	26.5.4 → 26.6.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[claude]

PR Review: Keycloak Docker Image Bump (26.5.4 → 26.5.5)

This is a straightforward patch version update from Renovate Bot. Here's a quick review:

Summary

A single-line change in docker-compose.yml updating the Keycloak image:

• From: 26.5.4@sha256:ae8efb...
• To: 26.5.5@sha256:a7b0cb...

Assessment

Positive aspects:

• The image digest (SHA256) is pinned alongside the tag, which is best practice for reproducible and secure builds — if the tag were ever mutated upstream, the digest ensures you still get the exact expected image.
• Patch releases typically contain bug fixes and minor security patches, making this a low-risk update.

Considerations:

• Since Keycloak is used in the OAuth integration tests (mcp-keycloak service), this should be validated by running the Keycloak test suite:

  docker-compose up --build -d mcp-keycloak
  uv run pytest -m keycloak -v
  # or the broader OAuth suite:
  uv run pytest -m oauth -v

• It's worth checking the Keycloak 26.5.5 release notes for any breaking changes or deprecations that could affect the token validation / OIDC provider configuration used in this project (e.g., realm import, audience validation).

Verdict

No code quality, security, or architectural concerns. Safe to merge after CI passes and Keycloak OAuth tests are green.

[claude]

This is a routine automated dependency update from Renovate Bot, bumping Keycloak from 26.5.4 to 26.5.6 (patch-level update).

Code quality looks good - digest pinning is correctly maintained alongside the tag update (best practice for tamper-resistant builds), and no configuration or startup flags changed.

From a security perspective, patch releases typically include security fixes, and SHA256 digest pinning prevents supply chain attacks.

One low-risk concern: the service uses --features=preview for Legacy V1 token exchange. Worth checking the 26.5.5/26.5.6 Keycloak changelogs to confirm no breaking changes to token exchange preview features.

No new tests needed for a version bump. CI passing the Keycloak OAuth integration tests is sufficient validation.

Low-risk, routine update.

[claude]

PR Review: Keycloak Docker Image Patch Update (26.5.4 to 26.5.6)

This is a routine Renovate Bot dependency update. Here is my assessment:

Summary: Single-line change bumping the Keycloak Docker image from 26.5.4 to 26.5.6 (patch version). The SHA256 digest is also updated correctly.

Code Quality - Pass

• Clean, minimal diff — exactly what a dependency update should look like.
• Both the tag and the SHA256 digest are updated together, maintaining pinned-digest security hygiene.

Security - Pass

• Patch versions in Keycloak typically contain security fixes and bug fixes. Staying current on patch releases is good security practice.
• The pinned SHA256 digest ensures reproducible builds and protection against tag mutation attacks — this pattern is correctly maintained.

Risk - Low

• Patch releases follow semantic versioning and should be backward-compatible.
• Keycloak is only used in the mcp-keycloak test container, so the blast radius of any regression is limited to the Keycloak OAuth integration tests.

Suggestion: Before merging, confirm the Keycloak OAuth integration tests pass with docker-compose up --build -d mcp-keycloak followed by uv run pytest -m oauth -v --browser firefox.

This is a low-risk, straightforward update — no concerns with the change itself.

[claude]

PR Review

This is a routine Renovate Bot dependency update for the Keycloak Docker image: v26.5.4 to v26.5.6.

Assessment: LGTM

What changed:

• Updated Keycloak image tag from 26.5.4 to 26.5.6 with a pinned SHA256 digest

Positive observations:

1. Pinned digest - The image is pinned to an exact SHA256 digest (@sha256:8d44614c...), ensuring reproducible builds and preventing supply chain attacks from mutable tags. This is a security best practice.
2. Patch version - This is a 26.5.4 to 26.5.6 patch bump, so breaking changes are unlikely per semantic versioning conventions.
3. Minimal scope - Only one line changed in docker-compose.yml; no application logic is affected.

Considerations:

• Keycloak patch releases typically contain bug fixes and security patches. Reviewing the Keycloak changelog for 26.5.5 and 26.5.6 is advisable to confirm no unexpected behavior changes affecting the test environment (realm config, token handling, etc.).
• The keycloak service is used by Keycloak OAuth integration tests (mcp-keycloak container, pytest.mark.oauth tests). If CI runs these tests and they pass, that provides confidence the update is safe.

No code quality, security, or functional concerns with this change.

[claude]

PR Review: Keycloak patch bump 26.5.4 → 26.5.7

This is a clean, minimal Renovate Bot dependency update. Here's a quick review:

Change Summary

• Updates quay.io/keycloak/keycloak from 26.5.4 to 26.5.7 (patch release)
• Digest is pinned to the new image SHA (sha256:45ae20191531eb608...), which is the correct security practice — ensures reproducible builds and prevents silent tag mutation

Code Quality / Correctness

• Single-line change in docker-compose.yml, exactly as expected for a Docker image bump
• No other files are affected; the scope is appropriately narrow

Security

• Patch releases for Keycloak typically contain bug fixes and security patches — this is a low-risk, high-value update to apply
• Pinning by digest (in addition to tag) is good practice and is maintained correctly here

Potential Concerns

• None identified. The Keycloak 26.5.x changelog should be reviewed if you want to confirm what changed between .4 and .7, but patch bumps within the same minor are generally safe
• This image is only used in the keycloak service for local dev/testing (OAuth integration tests), so blast radius is limited to the test environment

Recommendation: Safe to merge. Consider running the Keycloak OAuth integration tests (uv run pytest -m oauth -v with the keycloak container) if you want extra confidence before merging.

[claude]

PR Review: Keycloak Docker Image Update (v26.5.4 → v26.6.0)

This is a straightforward Renovate Bot dependency update. Here's my assessment:

Summary

A minor version bump of the Keycloak Docker image used in the test/development environment.

Positive Observations

• SHA256 digest pinning is maintained: Both the old and new image references include a SHA256 digest (e.g., @sha256:b0e5dbced...), which is excellent practice for reproducibility and supply chain security — it ensures you're pulling an exact, verified image.
• Automated via Renovate: Consistent with good dependency hygiene practices.
• Dev/test only: Keycloak is only used in the docker-compose.yml test environment, so there is no production code impact.

Considerations

• Keycloak minor versions can include breaking changes: Keycloak has historically made configuration and API changes in minor releases. It's worth verifying that the existing keycloak/realm-export.json configuration remains compatible with v26.6.0, especially around realm import format or OIDC configuration.
• CI validation: If the CI pipeline runs Keycloak-based OAuth tests (-m oauth or the mcp-keycloak container profile), a passing CI run would provide good confidence. It's worth ensuring those test suites pass before merging.

Verdict

Low risk update. No code changes are required beyond the image tag. Safe to merge once CI passes (particularly the Keycloak OAuth integration tests).

[claude]

PR Review: Keycloak Dependency Update (26.5.4 to 26.6.1)

This is a routine Renovate Bot dependency update, a single-line change bumping the Keycloak Docker image.

Scope: Development/test infrastructure only (docker-compose.yml) | Risk: Low (minor version bump) | Digest pinning: Correct, SHA256 updated alongside the tag

No code quality, security, or test coverage concerns. This only affects the local Keycloak container used in OAuth integration tests.

A few things worth noting:

1. Realm import compatibility: The --import-realm flag is used at startup. Keycloak occasionally changes realm export/import format between minor versions. If tests fail after this update, the realm JSON file may need re-exporting from the new version.

2. 26.5 to 26.6 changelog: Keycloak 26.6 is a minor release primarily containing bug fixes and security patches. No breaking changes to the admin REST API or token/OIDC behaviour are expected.

3. Digest pinning is good practice - the SHA256 digest is correctly updated, preventing tag mutation issues.

Recommendation: Safe to merge once CI passes. If the Keycloak integration tests (-m oauth or mcp-keycloak container) pass in CI, there are no further concerns.