chore(deps): Bump github.com/fluxcd/source-controller/api from 1.8.4 to 1.8.5

[dependabot]

Bumps github.com/fluxcd/source-controller/api from 1.8.4 to 1.8.5.

Release notes

Sourced from github.com/fluxcd/source-controller/api's releases.

v1.8.5

Changelog

v1.8.5 changelog

Container images

• docker.io/fluxcd/source-controller:v1.8.5
• ghcr.io/fluxcd/source-controller:v1.8.5

Supported architectures: linux/amd64, linux/arm64 and linux/arm/v7.

The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. To verify the images and their provenance (SLSA level 3), please see the security documentation.

Changelog

Sourced from github.com/fluxcd/source-controller/api's changelog.

1.8.5

Release date: 2026-05-20

This patch release hardens path handling in the source reconcilers and updates go-git to v5.19.1, which fixes CVE-2026-45571 (crafted repositories may modify the main and submodule .git directories) and CVE-2026-45570 (improper single-quote escaping in the SSH transport). It also fixes Helm chart resolution for OCI tags that encode semver build metadata, updates Helm to v4.2.0 to align with helm-controller, and adds support for GCP sovereign cloud artifact registries via the fluxcd/pkg update.

Fixes:

• Improve path handling in source reconcilers #2055
• Support Helm semver encoding in OCI repositories #2051

Improvements:

• Update Helm to v4.2.0 #2049
• Upgrade k8s to 1.36.1, c-r to 0.24.1, cli-utils to 1.2.1 #2052
• Update fluxcd/pkg dependencies #2056

Commits

• e9faef4 Merge pull request #2058 from fluxcd/release-v1.8.5
• 35aac36 Release v1.8.5
• 06a570c Add changelog entry for v1.8.5
• 372d3f3 Merge pull request #2056 from fluxcd/update-pkg-deps/release/v1.8.x
• e8c664f Update fluxcd/pkg dependencies
• 10643c9 Merge pull request #2055 from fluxcd/backport-2054-to-release/v1.8.x
• 153b7ab Resolve sparse checkout paths with SecureJoin
• 3dcb00c Resolve bucket object paths with SecureJoin
• 493e0bb Merge pull request #2052 from fluxcd/upgrade-deps
• 0fab7d8 Upgrade k8s to 1.36.1, c-r to 0.24.1, cli-utils to 1.2.1
• Additional commits viewable in compare view

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

✅MegaLinter analysis: Success

✅ Linters with no issues

actionlint, bash-exec, git_diff, hadolint, jscpd, jsonlint, lychee, markdown-table-formatter, markdownlint, prettier, prettier, shellcheck, shfmt, stylelint, syft, trivy-sbom, trufflehog, v8r, v8r, yamllint

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository

[github-code-quality]

Code Coverage Overview

Languages: Go

Go / code-coverage/go

The overall coverage remains at 55%, unchanged from the main branch.

---

_{Updated May 29, 2026 15:55 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}

[github-actions]

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.

Benchmark suite	Current: 4ec1370	Previous: 8674c45	Ratio
BenchmarkCluster_MarshalJSON/FullProductionCluster (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)	160035 ns/op 24658 B/op 547 allocs/op	91871 ns/op 24647 B/op 547 allocs/op	1.74
BenchmarkCluster_MarshalJSON/FullProductionCluster (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op	160035 ns/op	91871 ns/op	1.74
BenchmarkYAMLEncode/Minimal (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)	163917 ns/op 25304 B/op 470 allocs/op	87514 ns/op 25304 B/op 470 allocs/op	1.87
BenchmarkYAMLEncode/Minimal (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op	163917 ns/op	87514 ns/op	1.87
BenchmarkYAMLEncode/FullProductionCluster (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)	200294 ns/op 36432 B/op 515 allocs/op	96196 ns/op 36432 B/op 515 allocs/op	2.08
BenchmarkYAMLEncode/FullProductionCluster (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op	200294 ns/op	96196 ns/op	2.08

This comment was automatically generated by workflow using github-action-benchmark.

[devantler]

@dependabot recreate

[dependabot]

Dependabot can't resolve your Go dependency files. Because of this, Dependabot cannot update this pull request.

[devantler]

@dependabot recreate

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.