chore: fix various security vulnerabilities in argo-cd, argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer (#1206)

* chore: fix various security vulnerabilities in argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer

* update argocd to v3.3.10

* update Chart.yaml

Author: vadim-kharin-codefresh

charts/gitops-runtime/Chart.yaml

@@ -19,13 +19,15 @@ annotations:
     - kind: fixed
       description: 'cap-app-proxy: support arbitrary user IDs for OpenShift'
 dependencies:
+  # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version.
+  # Don't forget to remove the image override after updating to a new version of the chart.
   - name: argo-cd
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
     version: 9.5.11
   - name: argo-workflows
     repository: https://codefresh-io.github.io/argo-helm
-    version: 0.45.21-v3.6.7-cap-CR-38757
+    version: 0.45.22-v3.6.7-cap-CR-39681
     condition: argo-workflows.enabled
   - name: sealed-secrets
     repository: https://bitnami-labs.github.io/sealed-secrets/

charts/gitops-runtime/values.yaml

@@ -136,7 +136,7 @@ global:
     image:
       registry: quay.io
       repository: codefresh/cf-argocd-extras
-      tag: "06801ec"
+      tag: "7d96f83"
     nodeSelector: {}
     tolerations: []
     affinity: {}
@@ -258,6 +258,9 @@ sealed-secrets:
 argo-cd:
   enabled: true
   fullnameOverride: argo-cd
+  global:
+    image:
+      tag: v3.3.10
   notifications:
     enabled: false
   redis:
@@ -459,14 +462,14 @@ app-proxy:
           tag: 1.1.27-main
   image:
     repository: quay.io/codefresh/cap-app-proxy
-    tag: 1.4092.0
+    tag: 1.4093.0
     pullPolicy: IfNotPresent
   # -- Extra volume mounts for main container
   extraVolumeMounts: []
   initContainer:
     image:
       repository: quay.io/codefresh/cap-app-proxy-init
-      tag: 1.4092.0
+      tag: 1.4093.0
       pullPolicy: IfNotPresent
     command:
       - ./init.sh
@@ -647,7 +650,7 @@ gitops-operator:
   image:
     registry: quay.io
     repository: codefresh/codefresh-gitops-operator
-    tag: bc5c4eb
+    tag: 79a7f3b
   env:
     !!merge <<:
       - *otel-config
@@ -679,7 +682,7 @@ argo-gateway:
   image:
     registry: quay.io
     repository: codefresh/cf-argocd-extras
-    tag: "06801ec"
+    tag: "7d96f83"
   nodeSelector: {}
   tolerations: []
   affinity: {}

installer-image/Dockerfile

@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:1
 
 # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang/tags/1.25-debian13-dev
-FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:b2c03c829a4df4f724712501d18321e46a2ac770377f0b6e2f383bc9d02b99d3 AS build
+FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:6ab2431d046a2e21dbcbcb5111e94bec59650d302ec0ac34e696e7e44f708044 AS build
 ARG TARGETARCH
-ARG CF_CLI_VERSION=v1.0.2
+ARG CF_CLI_VERSION=v1.0.3
 RUN go install github.com/davidrjonas/semver-cli@latest \
   && cp $GOPATH/bin/semver-cli /tmp/semver-cli
 RUN apt-get update && apt-get install -y --no-install-recommends sed && rm -rf /var/lib/apt/lists/*
 ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefresh-io/cli-v2/releases/download/${CF_CLI_VERSION}/cf-linux-${TARGETARCH}.tar.gz /tmp/cf/
 
 
 # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-debian-base/customizations/8106437942896324135
-FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:ab35aedc53ad95d3a95094d6f2c9d052c2cdb43b605ce1f9a4ea677911373b99 AS production
+FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:3c5a8f5bf49a3777527797677b3c8c426b0a38a466f3a79f5e059b6adc21943d AS production
 ARG TARGETARCH
 COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/cf/cf-linux-${TARGETARCH} /usr/local/bin/cf
 COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/semver-cli /usr/local/bin/semver-cli