From 4298d9dccae7f1d92db5d8f168eb50af91a23873 Mon Sep 17 00:00:00 2001 From: Vadim Kharin Date: Thu, 14 May 2026 17:02:49 +0300 Subject: [PATCH 1/5] chore: fix various security vulnerabilities in gitops-runtime-installer --- installer-image/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index 362a39be..84b9f0d0 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile @@ -1,9 +1,9 @@ # syntax=docker/dockerfile:1 # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang/tags/1.25-debian13-dev -FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:b2c03c829a4df4f724712501d18321e46a2ac770377f0b6e2f383bc9d02b99d3 AS build +FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:6ab2431d046a2e21dbcbcb5111e94bec59650d302ec0ac34e696e7e44f708044 AS build ARG TARGETARCH -ARG CF_CLI_VERSION=v1.0.2 +ARG CF_CLI_VERSION=v1.0.3 RUN go install github.com/davidrjonas/semver-cli@latest \ && cp $GOPATH/bin/semver-cli /tmp/semver-cli RUN apt-get update && apt-get install -y --no-install-recommends sed && rm -rf /var/lib/apt/lists/* From 6ea0ced3932361bb1c076e00502c3e142bf4e7a1 Mon Sep 17 00:00:00 2001 From: Vadim Kharin Date: Fri, 15 May 2026 12:06:44 +0300 Subject: [PATCH 2/5] chore: fix various security vulnerabilities in cap-app-proxy, argo-workflows, codefresh-gitops-operator --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/values.yaml | 6 +++--- installer-image/Dockerfile | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 71c6cd25..30bce3db 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
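Review bot: The build stage still runs `go install github.com/davidrjonas/semver-cli@latest` (a context line of the `@@ -1,9 +1,9 @@` Dockerfile hunk), so that binary is resolved to whatever upstream publishes at build time. The same commit pins the base image by digest and the CLI by version, and a later hunk in this series copies `/tmp/semver-cli` into the production image. Pinning it the same way, e.g. `RUN go install github.com/davidrjonas/semver-cli@<PINNED_VERSION> \`, would make rebuilds reproducible and keep an unreviewed upstream release out of the image. The build stage continues past the end of the hunk.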
@@ -20,7 +20,7 @@ dependencies: version: 9.4.17 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm - version: 0.45.21-v3.6.7-cap-CR-38757 + version: 0.45.22-v3.6.7-cap-CR-39681 condition: argo-workflows.enabled - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 737c01b5..6bb281bd 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -459,14 +459,14 @@ app-proxy: tag: 1.1.27-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4092.0 + tag: 1.4093.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4092.0 + tag: 1.4093.0 pullPolicy: IfNotPresent command: - ./init.sh @@ -647,7 +647,7 @@ gitops-operator: image: registry: quay.io repository: codefresh/codefresh-gitops-operator - tag: bc5c4eb + tag: 79a7f3b env: !!merge <<: - *otel-config diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index 84b9f0d0..5e0e8e60 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile @@ -11,7 +11,7 @@ ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefre # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-debian-base/customizations/8106437942896324135 -FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:ab35aedc53ad95d3a95094d6f2c9d052c2cdb43b605ce1f9a4ea677911373b99 AS production +FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:3c5a8f5bf49a3777527797677b3c8c426b0a38a466f3a79f5e059b6adc21943d AS production ARG TARGETARCH COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/cf/cf-linux-${TARGETARCH} /usr/local/bin/cf COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/semver-cli /usr/local/bin/semver-cli 
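Review bot: `tag: 79a7f3b` in the `gitops-operator` hunk (`@@ -647,7 +647,7 @@` of values.yaml) is an unquoted short commit hash, while the `cf-argocd-extras` tags in the same file are quoted (`tag: "7d96f83"`). This value happens to parse as a string, but a later hash made only of digits, or of digits around a single `e`, can be read as a number by the YAML parser and end up as a different tag string. Writing `tag: "79a7f3b"` fixes the type regardless of what the next hash looks like. The `gitops-operator` mapping starts and ends outside the hunk.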
From c34fac6d02c0e3a28236c1fc944b9088f4b348ce Mon Sep 17 00:00:00 2001 From: Vadim Kharin Date: Fri, 15 May 2026 12:20:37 +0300 Subject: [PATCH 3/5] chore: fix various security vulnerabilities in cf-argocd-extras --- charts/gitops-runtime/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 6bb281bd..b8424072 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -136,7 +136,7 @@ global: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "06801ec" + tag: "7d96f83" nodeSelector: {} tolerations: [] affinity: {} @@ -679,7 +679,7 @@ argo-gateway: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "06801ec" + tag: "7d96f83" nodeSelector: {} tolerations: [] affinity: {} From ee7ae3db02d176e230acf8b50047a7e0e1447882 Mon Sep 17 00:00:00 2001 From: Vadim Kharin Date: Fri, 15 May 2026 12:55:52 +0300 Subject: [PATCH 4/5] update argocd to v3.3.10 --- charts/gitops-runtime/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index b8424072..82f84f03 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -258,6 +258,9 @@ sealed-secrets: argo-cd: enabled: true fullnameOverride: argo-cd + global: + image: + tag: v3.3.10 notifications: enabled: false redis: From 40a497e7f2f1cdc2f11d1074f3f89ee8f18a2972 Mon Sep 17 00:00:00 2001 From: Vadim Kharin Date: Fri, 15 May 2026 13:32:34 +0300 Subject: [PATCH 5/5] update Chart.yaml --- charts/gitops-runtime/Chart.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 30bce3db..75b9d2db 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
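Review bot: The new `argo-cd.global.image.tag: v3.3.10` override (`@@ -258,6 +258,9 @@` of values.yaml) changes only the image, so the templates, CRDs and RBAC still come from the pinned argo-cd chart version, whose `version:` line is not visible in this series. It is worth confirming that this chart version renders manifests compatible with v3.3.10. The tag is also a mutable reference, unlike the digest-pinned images in the Dockerfile. The override has no explanation where it is defined; a comment directly above `global:` such as `# Temporary: no argo-helm chart release for v3.3.10 yet; remove when the argo-cd dependency is bumped.` would keep the reason next to the value. The `argo-cd` mapping continues outside the hunk.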
@@ -14,6 +14,8 @@ maintainers: annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" dependencies: + # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version. + # Don't forget to remove the image override after updating to a new version of the chart. - name: argo-cd repository: https://argoproj.github.io/argo-helm condition: argo-cd.enabled
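Review bot: The reminder added above the `argo-cd` dependency does not say which override it means or where it lives, so whoever bumps the chart version has to search for it. Naming the key would help, e.g. `# argo-cd image is overridden via argo-cd.global.image.tag in values.yaml because argo-helm has no chart release for v3.3.10.` followed by `# Remove that override when this dependency's version is bumped.` The first added line also uses a typographic apostrophe in "doesn’t", which is better written as plain ASCII in a YAML comment. The `dependencies` list continues outside the hunk.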