From 15e88eaca2043ceddc2b0c55a0c62b039a35c7d8 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 19 Jun 2026 02:49:42 +0000 Subject: [PATCH] upstream(hedgedoc): add release-notes sources registry --- cc-ci-plan/upstream/hedgedoc.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 cc-ci-plan/upstream/hedgedoc.md diff --git a/cc-ci-plan/upstream/hedgedoc.md b/cc-ci-plan/upstream/hedgedoc.md new file mode 100644 index 0000000..28816c5 --- /dev/null +++ b/cc-ci-plan/upstream/hedgedoc.md @@ -0,0 +1,11 @@ +# Upstream sources — hedgedoc + +| service | image | source repo | releases / changelog | +|---------|-------|-------------|----------------------| +| app | quay.io/hedgedoc/hedgedoc | https://github.com/hedgedoc/hedgedoc | https://github.com/hedgedoc/hedgedoc/releases | +| db | pgautoupgrade/pgautoupgrade | https://github.com/pgautoupgrade/pgautoupgrade | https://github.com/pgautoupgrade/pgautoupgrade/releases | + +## Standing notes +- hedgedoc 1.11.0 (2026): 4 security CVEs fixed (HTML injection, YAML DoS, CSRF via Gist export, rate-limit bypass). No breaking changes, no migrations, no schema changes. Optional new env var `CMD_RATE_LIMIT_USING_CLOUDFLARE` only needed if running behind Cloudflare — not required for standard deployments. +- pgautoupgrade: handles Postgres major-version upgrades automatically on container start. Bump ONE major at a time (16→17, then 17→18 on next cycle). The image tag is `-alpine`. +- cc-ci tests use the sqlite backend (default compose.yml), not the postgresql compose override — so pgautoupgrade bumps do not affect CI test coverage.
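Review bot: the hedgedoc 1.11.0 standing note states "4 security CVEs fixed" and "No breaking changes, no migrations, no schema changes" without any CVE or advisory identifiers and without a link to the specific release entry, so a later reader cannot verify the claims from this file. Add the identifiers, or the URL of the 1.11.0 release notes, next to the claim. In the same note, `CMD_RATE_LIMIT_USING_CLOUDFLARE` is described as optional; since it sits alongside the rate-limit bypass fix, record whether the deployments this registry covers run behind Cloudflare, so the "not required" conclusion is explicit rather than assumed. In the pgautoupgrade note, "The image tag is `-alpine`" reads as a suffix rather than a complete tag, and the table row lists the image with no tag; spell out the full tag pattern that is expected. The last note says CI uses the sqlite backend and pgautoupgrade bumps do not affect test coverage, which also means the Postgres upgrade path is untested by CI. Say how a major bump is validated before rollout, because the one-major-at-a-time rule is otherwise enforced only by this note.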