chore(deps): update oryd/hydra docker tag to v25

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
oryd/hydra (source)	major	v1.11.10 → v25.4.0

---

Release Notes

ory/hydra (oryd/hydra)

v25.4.0

Compare Source

v25.4.0 brings first-class support for agentic authorization with the Device Authorization Grant (RFC 8628) and OAuth 2.1 discovery endpoint, making it easier for agents, IoT devices, and headless clients to obtain and manage access securely. Combined with new consent-chain revocation and migration fixes for CockroachDB v25+, Hydra v25.4 strengthens its role as the web and AI scale-ready OAuth 2.1 and OpenID Connect server for modern applications.

Ory has moved to a new versioning scheme. Read about our new version scheme. Interested in self-hosting Ory with support, SLAs, and advanced features? Check out our offerings.

Highlights

Agentic authentication use cases

This release makes Ory Hydra a stronger foundation for agentic authentication, where autonomous agents or constrained devices need to obtain and manage access without a full browser or direct human interaction. Two key updates enable this:

• Device authorization grant (RFC 8628): Essential for headless or limited-input clients (e.g., smart TVs, IoT devices, AI agents). It allows users to securely authorize agents through a secondary device, solving a common gap in agentic workflows.
• OAuth 2.1 discovery endpoint: Hydra now serves both OpenID Connect and OAuth 2.1 discovery documents, aligning with emerging standards. This simplifies integration for agents that expect OAuth 2.1 metadata and removes friction in federated or automated flows.

Together, these features address longstanding issues for agentic use cases by combining standards compliance with Hydra’s production-grade session and consent handling.

Device authorization grant (RFC 8628)

Adds full device flow support for devices without a browser or with limited input (smart TVs, consoles, agents).

Revoke token chains by consent challenge ID

New capability to revoke the entire token chain (refresh token and all derived access tokens) produced by a specific consent session.

OAuth 2.1 discovery endpoint

Hydra now serves /.well-known/oauth-authorization-server in addition to /.well-known/openid-configuration to aid OAuth 2.1 and certain integrations (per RFC 8414).

Improvements

• Lower latency when revoking linked Kratos sessions by making revocation asynchronous.
• Client updates with JWKS URI: PATCH/PUT no longer blocked when json_web_keys_uri is set (and json_web_keys present).
• JWT query performance: added an index for faster JWT-related lookups.
• CLI: clearer usage/help examples.

Fixes

• CockroachDB v25+ migrations: corrected/updated migration scripts; includes device-flow down/auto-commit fixes.
• Postgres UUIDs: use uuid_generate_v4() instead of MD5-based generation (enable the uuid-ossp extension if not already).
• Case-insensitive user_code scrubbing in device flow.
• Validation: tos_uri validation corrected.
• Docs: fixed JWT access token documentation link.

Security and dependencies

• go-jose v3.0.4 with a backport for CVE-2025-27144.
• Go toolchain upgrades (1.24.x) and crypto stack updates (e.g., ThalesGroup/crypto11, circl) addressing advisories.
• General dependency hygiene and CI hardening.

Upgrade notes

1. Run migrations before rolling out v2.4.0.
   • CockroachDB users on v25+: this release includes specific migration fixes; ensure your migration runner picks up the updated scripts.
   • Postgres users: ensure uuid-ossp is enabled (CREATE EXTENSION IF NOT EXISTS "uuid-ossp";) to support native UUIDs.
2. Device flow UI: add the two required screens/routes in your login/consent app to use RFC 8628.
3. Monitoring: if you scrape Prometheus on public endpoints, expect additional metrics.

Auto-generated release notes

Bug Fixes

• Add repo syncing for polis (46d17f8):

• Add virtual expiry column to flow for easy cross-db querying (1c402e3):

• Allow updating when JWKS URI is set (#​3935) (#​3946) (fb1655b):

  The client validator no longer rejects PATCH and PUT updates when JSONWebKeysURI is non-empty and JSONWebKeys is not nil.

• Always use EC private keys in tests (7481827):

• Better tracing in proxy HTTP (0d8a797):

• Case-insensitive user_code scrubbing (#​3979) (d389fd0)

• changelog-oel: Cap grace period for refresh token rotation at 30d (35d5d58):

• changelog-oel: Reduce rows read when checking past consents (ace80c2):

• changelog-oel: Replace returning * with defined column names (0b26e27):

• changelog-oel: Update expires_at on token use (0588744):

• changelog-oel: Use keyset pagination instead of offset (cbf14c0):

• CLI usage help examples (#​3943) (e24f9a7)

• Copybara script (7b33358):

• Correct multiple instances of 'stragegy' typo (#​3906) (50eefbc):

  This commit addresses several occurrences where 'strategy' was
  misspelled as 'stragegy' throughout the codebase.

  Additionally, a similar issue was found and corrected in the Ory
  documentation repository (ory/docs), with a corresponding pull request
  submitted.

• Deduplicate down migrations (02baf36):

• deps: Update go-x (582a3c5):

• Escape IPv6 regex string (0ba326a):

• Failing CI in OSS repos (c900985):

• Fix expires_at timestamp not in UTC leading to local test failures (337000a):

• Fixed typo in description of api (4551eb6):

• Force autocommit for device auth code migration (#​3991) (29761f4), closes #​1234 #​1234:

• Force SQL operator precedence in pagination v2 to ensure nid isolation (43c9be1):

• Hydra CI (dde63d8):

• Hydra tracing (38ee050):

• hydra: Instrument metrics also on public endpoints (8aee364):

• hydra: Use prometheus metrics instead of SQA metrics (7a6592e):

• Identity queries (a30f021):

• Ignore flaky keys in Hydra HSM tests (469b2ad):

• Ignore non SQL files when applying migrations (38a28d4):

• Implicit transactions for cockroach v23.5 and simplified migration logic (fbc982a):

• Include go.mod in vendored oryx (08a3ab4):

• Increase refresh token grace period (50608c2):

• infrastructure: Hydra oss CI (e846541):

• Jsonx.ApplyJSONPatch (c6fa2a6):

• JWT documentation link to point to the correct resource (#​3907) (b746e41):

  The previous link in the documentation led to a page unrelated to JWT.
  Updated the URL to https://www.ory.sh/docs/oauth2-oidc/jwt-access-token,
  which provides proper JWT guidance.

• Migration problems (fe459ea):

• Migrations on CockroachDB v25+ (#​3994) (38efece), closes #​3964 #​3993:

  I've added some output to the generated migrations files to make them
  easier to recreate, hence the big diff.

  These are important:

  persistence/sql/migrations/20211004110001000000_change_client_primary_key.cockroach.down.sql
  persistence/sql/migrations/20211004110001000000_change_client_primary_key.cockroach.up.sql
  persistence/sql/migrations/20211004110003000000_change_client_primary_key.cockroach.down.sql
  persistence/sql/migrations/20211004110003000000_change_client_primary_key.cockroach.up.sql
  
  persistence/sql/migrations/20211011000001000000_change_jwk_primary_key.cockroach.down.sql
  persistence/sql/migrations/20211011000001000000_change_jwk_primary_key.cockroach.up.sql
  persistence/sql/migrations/20211011000003000000_change_jwk_primary_key.cockroach.down.sql
  persistence/sql/migrations/20211011000003000000_change_jwk_primary_key.cockroach.up.sql
  
  persistence/sql/src/20220210000001_nid/20220210000001000000_nid.cockroach.up.sql
  

• Otlp sampling rate default (cbd5094):

• Print correct content of down migrations (4a4a088):

• Regression in UsedTimes calculation (b432e46):

• Reject invalid migration names (eb3b6ac):

• Remove strict decoding on consent and login endpoints (fb7dc75):

• Return 404 on schema file not exists (76079c0):

• Revert "fix: otlp sampling rate default (#​9055)" (02e86bc):

• Revoke by consent request ID (#​3947) (5d8635c), closes #​3932 #​3932 #​3941

• Routes in AX with identity_schema (5014348):

• Simplify and fix Copybara sync job (f998d09):

• Tos_uri validation (#​3945) (007e224):

  Contributes to ory-corp/cloud#7395

• Towards fixing fosite CI (061d3fb):

• Update debian version in httpd test image (f6720c4):

• Upgrade to go 1.24.4 to fix CVE-2025-4673 (c14e538):

• Use batch insert to speed up project changes (692e41c):

• Use git hash to render ory x schema references (0a6ea5b):

• Use hard-coded fallback key instead of panic (e1f6450):

• Use main branch for polis (6c24e68):

• Using uuid_generate_v4 function (#​3958) (c206066):

  Removing the md5 function for the uuid generation with native pgsql
  function https://www.postgresql.org/docs/current/uuid-ossp.html

  Closes #​3844

Code Generation

• Prepare for OSS release - v25.4.0 (de9baaa):

Code Refactoring

• Move database meta functions to root x folder for reusability (7e49133):

Features

• Add allowed domains configuration for captcha (df3f05c):

• Add error reason to OAuth2TokenExchangeError event (#​3971) (241dd45)

• Add handler for /.well-known/oauth-authorization-server. (#​3980) (5baca28):

  In order to support OAuth2.1 and some specific integrations that
  leverage the /.well-known/oauth-authorization-server endpoint, this PR
  adds a handler for the specific endpoint. The
  /.well-known/openid-configuration endpoint already supports all
  configuration items that conform to this endpoint as seen here:
  https://datatracker.ietf.org/doc/html/rfc8414

• Autoconfigure kratos-changefeed (d92dabe):

• Bump CRDB, establish foreign key, (52c0432):

• changelog-oel: Add hydra debug challenge command (a94662f):

• changelog-oel: Add expiry and TTL to authentication_session table (d9ea549):

• changelog-oel: Choose identity schema in self-service registration and login flows (a398b64):

• changelog-oel: Improved tracing and metrics for the high-performance SQL connection pool (17a4c4f):

• changelog-oel: Reduce hydra CPU and memory consumption (018709e):

• changelog: Graceful refresh count limit (470713d):

• changelog: Migrate http router to stdlib router (a147e3b):

• Custom page token column extraction (756708e):

• Domain telemetry improvements (abd5f04):

• Expose Ory-Error-Id HTTP header (8ff62f8):

• Full user-code configuration (b6ac894):

• hydra: Configurable JWK cache (994ea18):

• hydra: Split up persister (bea6b4d):

• Implement RFC 8628 (#​3912) (5215d24), closes #​3851 #​3252 #​3230 #​2416:

  This patch introduces the OAuth 2.0 Device Authorization Grant to Ory
  Hydra. The OAuth 2.0 device authorization grant is designed for
  Internet-connected devices that either lack a browser to perform a
  user-agent-based authorization or are input constrained to the extent
  that requiring the user to input text in order to authenticate during
  the authorization flow is impractical. It enables OAuth clients on such
  devices (like smart TVs, media consoles, digital picture frames, and
  printers) to obtain user authorization to access protected resources by
  using a user agent on a separate device.

  The OAuth 2.0 Device Authorization Grant may also become relevant for AI
  Agent authentication flows and is generally an amazing step and
  innovation for this project.

  A very special thanks goes to @​nsklikas from
  Canonical, @​supercairos from
  shadow.tech and @​BuzzBumbleBee.

  For more details, please check out the documentation
  (ory/docs#2026)

  To implement this feature, you will need to implement two additional
  screens in your login and consent application. A reference
  implementation can be found
  here.

• Improve domain telemetry for OSS (Hydra & Kratos) (02c5757):

• Improve oauth2 event data (#​3975) (6da0fd3)

• Improve openapi spec (#​3908) (4053c9e), closes #​1234 #​1234:

• Improved events and identity recent activity (a8449c8):

• List clients by ID (f8a53b0):

• Monorepo (3ff992e):

• Monorepo (a77b206):

• Move config testhelpers to ory/x (3a4ba08):

• Revoke Kratos session asynchronously (#​3936) (a0e7ee2):

  This change makes the session revocation in Kratos async to improve
  observed latency.

• Revoke token chain by consent challenge ID (#​3932) (4a40193):

  This change adds the ability to revoke token chains by "consent
  challenge ID".

"Consent sessions"

Each time the user goes through a `GET
/oauth2/auth?response_type=code&...` auth code flow, we persist a new
"consent session" to the database.

This is independent of whether the user has previously logged in and/or
granted consent, or whether the user was actively asked to grant consent
by the consent app. A successful journey through the auth code flow
results in a new "consent session".

This consent session is uniquely identified by its "consent challenge
ID". This ID is obtained from the [`GET
/admin/oauth2/auth/requests/consent?consent_challenge=...`](https://www.ory.sh/docs/reference/api#tag/oAuth2/operation/getOAuth2ConsentRequest)
API. Note that it is not the same as the `consent_challenge=...` query
parameter!

Any access and refresh tokens obtained from a token exchange following
that particular user journey are bound to that consent session.

We call the totality of all refresh+access tokens derived from a
particular consent session a "token chain".

Token revocation

Revoking an access token (AT) is simple: send the AT to `/oauth2/revoke`
and it is revoked. If this AT was derived from a refresh token (RT), the
parent RT is not revoked.

Revoking a refresh token (RT) also revokes associated access tokens.

Revocation by consent challenge ID

During an authorization code flow, save the consent challenge ID into
the access token session data:

```
GET /admin/oauth2/auth/requests/consent?consent_challenge=abcdef
```
Response:
```
{
  "acr": ...,
  "challenge": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix" # <- this is the ID we need
  ...
}
```

Accept the consent request:
```
PUT /admin/oauth2/auth/requests/consent/accept?consent_challenge=abcdef
{
  "remember": true,
  "remember_for": 3600,
  "session": {
    "access_token": {
      "ccid": "G_TIM3XABG14UwIgDoT1DRfipjhC1uix"
    }
  },
  ...
}
```

To revoke the token chain associated with this consent challenge ID, use

```
POST admin/oauth2/auth/sessions/consent?consent_challenge_id=G_TIM3XABG14UwIgDoT1DRfipjhC1uix
```

• Use stdlib HTTP router in Kratos (8f81931):

• Use vendored jackson (a0a9062):

• Use vendored ory/x (6581e01):

Performance Improvements

• Add index to optimize jwt query (72fa16d):

• Index hint for CRDB consents query (919b73f):

Tests

• Add golangci-lint config and GHA (1209de7):

• Ensure current encoded flows stay valid (f4301e6):

• hydra: Add snapshots for login & consent requests (687cfae):

• hydra: Clean oauth2 session setup (699e382):

• hydra: Clean up some helpers (7840b0e):

• hydra: Convert custom JWT claim tests to table (8391d1b):

• hydra: New and better e2e go tests (aefe5e2):

• hydra: Refactor consent handler tests (4d61925):

• Parallelize and improve (#​3989) (a47e395)

• Resturcture and improve integration tests (2769a75):

• Split up consent manager test (42b6a79):

Unclassified

• Merge branch 'fosite-monorepo' (2c3ba13):

• Merge 3834fab into 4dae0f4 (dc84053):

Changelog

• 1ec40dd chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 in the go_modules group (#​3952)
• 35d6393 chore(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 in the go_modules group across 1 directory (#​3961)
• 36f21d0 chore(deps): update actions/setup-node action to v6
• edb9ba8 chore(deps): update dependency node to v24
• 1449aff chore(deps): update hadolint/hadolint-action action to v3.3.0
• ea8f607 chore(deps): update hydra
• 6ac3c31 chore(deps): update hydra workflows
• ad05646 chore(deps): update oss workflows
• fbae239 chore(hydra): clean up command setup
• 29ba474 chore(hydra): improve test config setup
• add73e4 chore(hydra): minor internal improvements
• dd97ec8 chore(hydra): registry setup refactoring
• ae2dda1 chore(hydra): remove CreateConsentRequest
• 6ba796b chore(hydra): remove unnecessary registry functionality
• 7f02e54 chore(kratos): cleanup and improve some tests
• 0e7f000 chore: add migration tests in kratos non-oss for crdb
• dcd696d chore: add pagination secrets for Kratos
• ceacf86 chore: add pre-release workflows for oss
• b688b9b chore: additional pop options
• afc5ade chore: axios update
• e55a1fa chore: bump Go everywhere
• cc92fea chore: bump dependencies and move tools (#​3968)
• 241f513 chore: bump deps
• 1ca1020 chore: bump go deps
• cd2f9e5 chore: bump go to 1.24.6
• 8d0537a chore: bump pop to master
• f5b1e6b chore: bump sec deps
• 6445cd1 chore: cleanup oss workflows
• 35a6403 chore: dedicated state transition helper
• cdfb025 chore: explicitly skip errnorows errors in token rotation
• 4999d20 chore: fix all hydra linter issues
• 1c3dbb0 chore: fix build for kratos-oss
• af36516 chore: fix down migrations for device flow (#​3988)
• a5854b1 chore: fix vulnerable dependencies
• 50739a1 chore: force replacements where expected
• 7c47137 chore: gh actions and node lib updates
• 1a110c9 chore: go mod tidy to unblock CI
• 6884b97 chore: improve migration testdata and assertions
• 20d419b chore: merge ory/x repo
• f6427da chore: more gh actions and npm lib updates
• a6bec8f chore: move flowctx to flow
• ba6c18a chore: npm security updates
• 4b09dfd chore: reduce complexity of invalidating login
• cb0f1de chore: reduce use of external-facing AcceptOAuth2ConsentRequest
• c309185 chore: refactored fosite interfaces
• 0692df7 chore: remove CreateLoginRequest*
• d0ec7e3 chore: remove counting courier messages
• ba0cb06 chore: remove db tags from fields that are not supposed to be stored
• 3c33a64 chore: remove device challenge ID from API
• 9a226af chore: remove internal fields from device challenge
• 8e3a7b8 chore: remove non-existing key from OpenAPI spec
• bbac4a4 chore: remove redundant internal state
• 800f3fe chore: remove sdk generation action
• 63e28b0 chore: remove superfluous flow fields and states
• 1c6dc2a chore: remove two more db field tags
• c463c64 chore: remove unused random verifier fields
• 82ea6a2 chore: replace ThalesIgnite/crypto11 with ThalesGroup/crypto11 (#​3966)
• 9a683de chore: replace deprecated usages
• c6f6ae4 chore: run oss cypress tests on custom runners
• 2d28980 chore: shared serve config
• d170459 chore: simplify CreateDeviceUserAuthRequest
• 5745f7d chore: simplify GetDeviceUserAuthRequest
• 83e2251 chore: simplify HandleLoginRequest
• 1c8ba50 chore: simplify VerifyAndInvalidateDeviceUserAuthRequest
• 550274a chore: simplify consent challenge decoding
• bb675f4 chore: simplify consent matching logic
• a64f8fa chore: simplify consent verifier invalidation
• 6abc899 chore: simplify login challenge decoding
• 442c5d0 chore: simplify login verifier invalidation
• 5a76849 chore: simplify service and option loading
• 172b36b chore: split up consent manager
• 9a80353 chore: template migration command help
• a88bf39 chore: update Hydra dependencies
• 0be582a chore: update OSS readme
• 66c66ab chore: update actions-cache to v4 (#​3948)
• bbeee84 chore: update copybara rules
• 49e0815 chore: update copybara transformation
• 7a92fb2 chore: update fosite to latest master commit
• 573ce56 chore: update gha in oss
• 05968cd chore: update github actions
• 5170fe7 chore: update github actions
• ab35ad4 chore: update opencontainers/runc to v1.3.3
• 4de96ef chore: update repository templates to ory/meta@bc603a6
• 605649e chore: update repository templates to ory/meta@d919e6f
• 12b62b6 chore: update repository templates to ory/meta@fc1b4d6
• 29cbfe6 chore: updated circl to resolve GHSA-2x5j-vhc8-9cwm
• 6b496e2 chore: upgrade crdb to v25.2 everywhere & deflake CI!
• 4103f1b chore: use TLS termination validation middleware from ory/x (#​3984)
• 96aec6f chore: use dedicated ory fork of pop
• 63e6176 chore: use un-deprecated WithStack and cmp.Or
• 7f1b922 ci: renew certificates and increase validity days
• 470713d feat(changelog): graceful refresh count limit
• a147e3b feat(changelog): migrate http router to stdlib router
• a94662f feat(changelog-oel): add hydra debug challenge command
• d9ea549 feat(changelog-oel): add expiry and TTL to authentication_session table
• a398b64 feat(changelog-oel): choose identity schema in self-service registration and login flows
• 17a4c4f feat(changelog-oel): improved tracing and metrics for the high-performance SQL connection pool
• 018709e feat(changelog-oel): reduce hydra CPU and memory consumption
• 994ea18 feat(hydra): configurable JWK cache
• bea6b4d feat(hydra): split up persister
• df3f05c feat: add allowed domains configuration for captcha
• 241dd45 feat: add error reason to OAuth2TokenExchangeError event (#​3971)
• 5baca28 feat: add handler for /.well-known/oauth-authorization-server. (#​3980)
• d92dabe feat: autoconfigure kratos-changefeed
• 52c0432 feat: bump CRDB, establish foreign key,
• 756708e feat: custom page token column extraction
• abd5f04 feat: domain telemetry improvements
• 8ff62f8 feat: expose Ory-Error-Id HTTP header
• b6ac894 feat: full user-code configuration
• 5215d24 feat: implement RFC 8628 (#​3912)
• 02c5757 feat: improve domain telemetry for OSS (Hydra & Kratos)
• 6da0fd3 feat: improve oauth2 event data (#​3975)
• 4053c9e feat: improve openapi spec (#​3908)
• a8449c8 feat: improved events and identity recent activity
• f8a53b0 feat: list clients by ID
• 3ff992e feat: monorepo
• a77b206 feat: monorepo
• 3a4ba08 feat: move config testhelpers to ory/x
• a0e7ee2 feat: revoke Kratos session asynchronously (#​3936)
• 4a40193 feat: revoke token chain by consent challenge ID (#​3932)
• 8f81931 feat: use stdlib HTTP router in Kratos
• a0a9062 feat: use vendored jackson
• 6581e01 feat: use vendored ory/x
• 35d5d58 fix(changelog-oel): cap grace period for refresh token rotation at 30d
• ace80c2 fix(changelog-oel): reduce rows read when checking past consents
• 0b26e27 fix(changelog-oel): replace returning * with defined column names
• 0588744 fix(changelog-oel): update expires_at on token use
• cbf14c0 fix(changelog-oel): use keyset pagination instead of offset
• 582a3c5 fix(deps): update go-x
• 8aee364 fix(hydra): instrument metrics also on public endpoints
• 7a6592e fix(hydra): use prometheus metrics instead of SQA metrics
• e846541 fix(infrastructure): hydra oss CI
• e24f9a7 fix: CLI usage help examples (#​3943)
• 50eefbc fix: Correct multiple instances of 'stragegy' typo (#​3906)
• b746e41 fix: JWT documentation link to point to the correct resource (#​3907)
• 46d17f8 fix: add repo syncing for polis
• 1c402e3 fix: add virtual expiry column to flow for easy cross-db querying
• fb1655b fix: allow updating when JWKS URI is set (#​3935) (#​3946)
• 7481827 fix: always use EC private keys in tests
• 0d8a797 fix: better tracing in proxy HTTP
• d389fd0 fix: case-insensitive user_code scrubbing (#​3979)
• 7b33358 fix: copybara script
• 02baf36 fix: deduplicate down migrations
• 0ba326a fix: escape IPv6 regex string
• c900985 fix: failing CI in OSS repos
• 337000a fix: fix expires_at timestamp not in UTC leading to local test failures
• 4551eb6 fix: fixed typo in description of api
• 43c9be1 fix: force SQL operator precedence in pagination v2 to ensure nid isolation
• 29761f4 fix: force autocommit for device auth code migration (#​3991)
• dde63d8 fix: hydra CI
• 38ee050 fix: hydra tracing
• a30f021 fix: identity queries
• 469b2ad fix: ignore flaky keys in Hydra HSM tests
• 38a28d4 fix: ignore non SQL files when applying migrations
• fbc982a fix: implicit transactions for cockroach v23.5 and simplified migration logic
• 08a3ab4 fix: include go.mod in vendored oryx
• 50608c2 fix: increase refresh token grace period
• c6fa2a6 fix: jsonx.ApplyJSONPatch
• fe459ea fix: migration problems
• 38efece fix: migrations on CockroachDB v25+ (#​3994)
• cbd5094 fix: otlp sampling rate default
• 4a4a088 fix: print correct content of down migrations
• b432e46 fix: regression in UsedTimes calculation
• eb3b6ac fix: reject invalid migration names
• fb7dc75 fix: remove strict decoding on consent and login endpoints
• 76079c0 fix: return 404 on schema file not exists
• 02e86bc fix: revert "fix: otlp sampling rate default (#​9055)"
• 5d8635c fix: revoke by consent request ID (#​3947)
• 5014348 fix: routes in AX with identity_schema
• f998d09 fix: simplify and fix Copybara sync job
• 007e224 fix: tos_uri validation (#​3945)
• 061d3fb fix: towards fixing fosite CI
• f6720c4 fix: update debian version in httpd test image
• c14e538 fix: upgrade to go 1.24.4 to fix CVE-2025-4673
• 692e41c fix: use batch insert to speed up project changes
• 0a6ea5b fix: use git hash to render ory x schema references
• e1f6450 fix: use hard-coded fallback key instead of panic
• 6c24e68 fix: use main branch for polis
• c206066 fix: using uuid_generate_v4 function (#​3958)
• 72fa16d perf: add index to optimize jwt query
• 919b73f perf: index hint for CRDB consents query
• 7e49133 refactor: move database meta functions to root x folder for reusability
• 687cfae test(hydra): add snapshots for login & consent requests
• 699e382 test(hydra): clean oauth2 session setup
• 7840b0e test(hydra): clean up some helpers
• 8391d1b test(hydra): convert custom JWT claim tests to table
• aefe5e2 test(hydra): new and better e2e go tests
• 4d61925 test(hydra): refactor consent handler tests
• 1209de7 test: add golangci-lint config and GHA
• [f4301e6](https://redirect.github.com/ory/hydra/commit/f

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.