diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 51de323f3b76c..b03f578445dec 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -31,7 +31,7 @@ jobs:
 docs: ${{ steps.filter.outputs.docs_any_changed }}
 steps:
 - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
- - uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78 # v44.5.2
+ - uses: tj-actions/changed-files@cc733854b1f224978ef800d29e4709d5ee2883e4 # v44.5.5
 id: filter
 with:
 # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
diff --git a/.github/workflows/image-reuse.yaml b/.github/workflows/image-reuse.yaml
index 4cb2ca2614e80..269640de21e26 100644
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -143,7 +143,7 @@ jobs:
 - name: Build and push container image
 id: image
- uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 #v6.0.0
+ uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 #v6.1.0
 with:
 context: .
 platforms: ${{ inputs.platforms }}
diff --git a/.github/workflows/init-release.yaml b/.github/workflows/init-release.yaml
index 70de72d391dba..bc318d4f4b7dc 100644
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -64,7 +64,7 @@ jobs:
 git stash pop
 - name: Create pull request
- uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
 with:
 commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
 title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b2a64d09aa9a6..e87f0b286cdbf 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -197,7 +197,7 @@ jobs:
 echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
 - name: Upload SBOM
- uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+ uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -295,7 +295,7 @@ jobs:
 if: ${{ env.UPDATE_VERSION == 'true' }}
 - name: Create PR to update VERSION on master branch
- uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
 with:
 commit-message: Bump version in master
 title: "chore: Bump version in master"
diff --git a/.golangci.yaml b/.golangci.yaml
index 589e1fa376af7..2351f11e0fecc 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -36,7 +36,6 @@ linters-settings:
 testifylint:
 enable-all: true
 disable:
- - float-compare
 - go-require
 run:
 timeout: 50m
diff --git a/Dockerfile b/Dockerfile
index b6ad75c6e0c37..5cf5c4c766bcc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.22.4@sha256:c2010b9c2342431a24a2e64e33d9eb2e484af49e72c820e200d332d214d5e61f AS builder
+FROM docker.io/library/golang:1.22.4@sha256:a66eda637829ce891e9cf61ff1ee0edf544e1f6c5b0e666c7310dce231a66f28 AS builder
 RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list
@@ -101,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.22.4@sha256:c2010b9c2342431a24a2e64e33d9eb2e484af49e72c820e200d332d214d5e61f AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.22.4@sha256:a66eda637829ce891e9cf61ff1ee0edf544e1f6c5b0e666c7310dce231a66f28 AS argocd-build
 WORKDIR /go/src/github.com/argoproj/argo-cd
diff --git a/USERS.md b/USERS.md
index 609129ee498dd..ead03be9281a0 100644
--- a/USERS.md
+++ b/USERS.md
@@ -155,6 +155,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Karrot](https://www.daangn.com/)
 1. [KarrotPay](https://www.daangnpay.com/)
 1. [Kasa](https://kasa.co.kr/)
+1. [Kave Home](https://kavehome.com)
 1. [Keeeb](https://www.keeeb.com/)
 1. [KelkooGroup](https://www.kelkoogroup.com)
 1. [Keptn](https://keptn.sh)
diff --git a/controller/appcontroller_test.go b/controller/appcontroller_test.go
index 389466908e71d..b0c536295203e 100644
--- a/controller/appcontroller_test.go
+++ b/controller/appcontroller_test.go
@@ -1645,7 +1645,7 @@ func TestProcessRequestedAppOperation_FailedHasRetries(t *testing.T) {
 message, _, _ := unstructured.NestedString(receivedPatch, "status", "operationState", "message")
 assert.Contains(t, message, "Retrying attempt #1")
 retryCount, _, _ := unstructured.NestedFloat64(receivedPatch, "status", "operationState", "retryCount")
- assert.Equal(t, float64(1), retryCount)
+ assert.InEpsilon(t, float64(1), retryCount, 0.0001)
 }
 func TestProcessRequestedAppOperation_RunningPreviouslyFailed(t *testing.T) {
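Review bot: The new `assert.InEpsilon(t, float64(1), retryCount, 0.0001)` puts a tolerance on what looks like a whole-number counter, so the assertion no longer says that exactly one retry was recorded. A one-line comment above it, for example `// retryCount is a whole number read as float64; InEpsilon is used only to satisfy testifylint's float-compare`, would stop a later reader from treating the 0.0001 as meaningful. The context line before it discards the found and error results of `unstructured.NestedFloat64`, so a missing field only shows up indirectly as a value mismatch; `retryCount, found, err := …` followed by `require.NoError(t, err)` and `require.True(t, found)` would make that failure explicit, assuming `require` is already imported in this file. The test function starts above the hunk.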
diff --git a/docs/operator-manual/ingress.md b/docs/operator-manual/ingress.md
index a46853546a28a..2a462e9601349 100644
--- a/docs/operator-manual/ingress.md
+++ b/docs/operator-manual/ingress.md
@@ -617,7 +617,7 @@ Edit the `--insecure` flag in the `argocd-server` command of the argocd-server d
 ### Creating a service
-Now you need an externally accessible service. This is practically the same as the internal service Argo CD has, but with Google Cloud annotations. Note that this service is annotated to use a [Network Endpoint Group](https://cloud.google.com/load-balancing/docs/negs) (NEG) to allow your load balancer to send traffic directly to your pods without using kube-proxy, so remove the `neg` annotation it that's not what you want.
+Now you need an externally accessible service. This is practically the same as the internal service Argo CD has, but with Google Cloud annotations. Note that this service is annotated to use a [Network Endpoint Group](https://cloud.google.com/load-balancing/docs/negs) (NEG) to allow your load balancer to send traffic directly to your pods without using kube-proxy, so remove the `neg` annotation if that's not what you want.
 The service:
diff --git a/docs/operator-manual/signed-release-assets.md b/docs/operator-manual/signed-release-assets.md
index b574876345b5b..3c42b27fd4e10 100644
--- a/docs/operator-manual/signed-release-assets.md
+++ b/docs/operator-manual/signed-release-assets.md
@@ -32,7 +32,8 @@ Argo CD container images are signed by [cosign](https://github.com/sigstore/cosi
 cosign verify \
 --certificate-identity-regexp https://github.com/argoproj/argo-cd/.github/workflows/image-reuse.yaml@refs/tags/v \
 --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-quay.io/argoproj/argocd:v2.7.0 | jq
+--certificate-github-workflow-repository "argoproj/argo-cd" \
+quay.io/argoproj/argocd:v2.11.3 | jq
 ```
 The command should output the following if the container image was correctly verified:
 ```bash
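Review bot: The `--certificate-identity-regexp` value two lines above the added flag in signed-release-assets.md still has no leading `^` and leaves its dots unescaped, so the documented pattern is looser than the workflow path it is meant to pin. As far as I know cosign treats this value as an ordinary unanchored regular expression. The added `--certificate-github-workflow-repository "argoproj/argo-cd"` tightens the check on the repository claim, but the identity pattern would be stricter written as `'^https://github\.com/argoproj/argo-cd/\.github/workflows/image-reuse\.yaml@refs/tags/v'`. A sentence in the surrounding text saying that the repository flag is a separate check on a certificate extension would tell readers not to drop either option. The code fence that holds the command opens above the hunk.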
diff --git a/docs/snyk/index.md b/docs/snyk/index.md index 0b14ff28d76d5..0d30a7733f3bb 100644 --- a/docs/snyk/index.md +++ b/docs/snyk/index.md @@ -17,12 +17,26 @@ recent minor releases. | [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.38.0](master/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 3 | | [haproxy:2.6.17-alpine](master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 1 | -| [redis:7.0.15-alpine](master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 2 | 1 | +| [redis:7.0.15-alpine](master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 3 | 11 | -| [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 2 | 1 | +| [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](master/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - | +### v2.12.0-rc1 + +| | Critical | High | Medium | Low | +|---:|:--------:|:----:|:------:|:---:| +| [go.mod](v2.12.0-rc1/argocd-test.html) | 0 | 0 | 7 | 0 | +| [ui/yarn.lock](v2.12.0-rc1/argocd-test.html) | 0 | 0 | 1 | 0 | +| [dex:v2.38.0](v2.12.0-rc1/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 3 | +| [haproxy:2.6.17-alpine](v2.12.0-rc1/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 1 | +| [redis:7.0.15-alpine](v2.12.0-rc1/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | +| [argocd:v2.12.0-rc1](v2.12.0-rc1/quay.io_argoproj_argocd_v2.12.0-rc1.html) | 0 | 0 | 3 | 11 | +| [redis:7.0.15-alpine](v2.12.0-rc1/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | +| [install.yaml](v2.12.0-rc1/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.12.0-rc1/argocd-iac-namespace-install.html) | - | - | - | - | + ### v2.11.3 | | Critical | High | Medium | Low | 
@@ -45,7 +59,7 @@ recent minor releases. | [dex:v2.37.0](v2.10.12/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 10 | 3 | | [haproxy:2.6.14-alpine](v2.10.12/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 3 | | [argocd:v2.10.12](v2.10.12/quay.io_argoproj_argocd_v2.10.12.html) | 0 | 0 | 4 | 19 | -| [redis:7.0.15-alpine](v2.10.12/redis_7.0.15-alpine.html) | 0 | 0 | 2 | 1 | +| [redis:7.0.15-alpine](v2.10.12/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.10.12/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.10.12/argocd-iac-namespace-install.html) | - | - | - | - | @@ -58,6 +72,6 @@ recent minor releases. | [dex:v2.37.0](v2.9.17/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 10 | 3 | | [haproxy:2.6.14-alpine](v2.9.17/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 3 | | [argocd:v2.9.17](v2.9.17/quay.io_argoproj_argocd_v2.9.17.html) | 0 | 0 | 4 | 19 | -| [redis:7.0.15-alpine](v2.9.17/redis_7.0.15-alpine.html) | 0 | 0 | 2 | 1 | +| [redis:7.0.15-alpine](v2.9.17/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.9.17/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.9.17/argocd-iac-namespace-install.html) | - | - | - | - | diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html index 7c5eefc353e7c..3e493a5a72da9 100644 --- a/docs/snyk/master/argocd-iac-install.html +++ b/docs/snyk/master/argocd-iac-install.html @@ -456,7 +456,7 @@
Note: Versions mentioned in the description apply only to the upstream busybox
package and not the busybox
package as distributed by Alpine
.
- See How to fix?
for Alpine:3.20
relevant fixed versions and status.
A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
-Upgrade Alpine:3.20
busybox
to version 1.36.1-r29 or higher.
Note: Versions mentioned in the description apply only to the upstream busybox
package and not the busybox
package as distributed by Alpine
.
- See How to fix?
for Alpine:3.20
relevant fixed versions and status.
A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
-Upgrade Alpine:3.20
busybox
to version 1.36.1-r29 or higher.
This vulnerability has not been analyzed by NVD yet.
-Upgrade Alpine:3.20
openssl
to version 3.3.0-r3 or higher.