From 9ede062eac78f1c7d4f26b229ce64210af09f7c2 Mon Sep 17 00:00:00 2001
From: Vadim Kharin
Date: Fri, 15 May 2026 12:17:49 +0300
Subject: [PATCH 1/3] chore: fix various security vulnerabilities in argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer
---
charts/gitops-runtime/Chart.yaml | 2 +-
charts/gitops-runtime/values.yaml | 10 +++++-----
installer-image/Dockerfile | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
index c215599b..4d3b18f4 100644
--- a/charts/gitops-runtime/Chart.yaml
+++ b/charts/gitops-runtime/Chart.yaml
@@ -25,7 +25,7 @@ dependencies: version: 9.5.11 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm - version: 0.45.21-v3.6.7-cap-CR-38757 + version: 0.45.22-v3.6.7-cap-CR-39681 condition: argo-workflows.enabled - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
index 8094e10a..2ca30a16 100644
--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -136,7 +136,7 @@ global: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "06801ec" + tag: "7d96f83" nodeSelector: {} tolerations: [] affinity: {}
@@ -459,14 +459,14 @@ app-proxy: tag: 1.1.27-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4092.0 + tag: 1.4093.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4092.0 + tag: 1.4093.0 pullPolicy: IfNotPresent command: - ./init.sh
@@ -647,7 +647,7 @@ gitops-operator: image: registry: quay.io repository: codefresh/codefresh-gitops-operator - tag: bc5c4eb + tag: 79a7f3b env: !!merge <<: - *otel-config
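Review bot: In the `gitops-operator` hunk of values.yaml the new short-SHA tag is written as a plain scalar, `tag: 79a7f3b`, while the cf-argocd-extras tags changed in this same commit are quoted (`tag: "7d96f83"`). This particular value parses as a string, but a later short SHA made only of digits, or shaped like `1234e56`, can be read as a number by the YAML parser and rendered as a different image tag. Quote it like the others: `tag: "79a7f3b"`.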
@@ -679,7 +679,7 @@ argo-gateway: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "06801ec" + tag: "7d96f83" nodeSelector: {} tolerations: [] affinity: {}
diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile
index 362a39be..5e0e8e60 100644
--- a/installer-image/Dockerfile
+++ b/installer-image/Dockerfile
@@ -1,9 +1,9 @@ # syntax=docker/dockerfile:1 # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang/tags/1.25-debian13-dev -FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:b2c03c829a4df4f724712501d18321e46a2ac770377f0b6e2f383bc9d02b99d3 AS build +FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:6ab2431d046a2e21dbcbcb5111e94bec59650d302ec0ac34e696e7e44f708044 AS build ARG TARGETARCH -ARG CF_CLI_VERSION=v1.0.2 +ARG CF_CLI_VERSION=v1.0.3 RUN go install github.com/davidrjonas/semver-cli@latest \ && cp $GOPATH/bin/semver-cli /tmp/semver-cli RUN apt-get update && apt-get install -y --no-install-recommends sed && rm -rf /var/lib/apt/lists/*
@@ -11,7 +11,7 @@ ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefre # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-debian-base/customizations/8106437942896324135 -FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:ab35aedc53ad95d3a95094d6f2c9d052c2cdb43b605ce1f9a4ea677911373b99 AS production +FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:3c5a8f5bf49a3777527797677b3c8c426b0a38a466f3a79f5e059b6adc21943d AS production ARG TARGETARCH COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/cf/cf-linux-${TARGETARCH} /usr/local/bin/cf COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/semver-cli /usr/local/bin/semver-cli
From 40910ce3175b13e7304d80f273639bb5388a1959 Mon Sep 17 00:00:00 2001
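Review bot: `go install github.com/davidrjonas/semver-cli@latest` in the build stage of installer-image/Dockerfile is left unpinned, and the production stage copies the resulting binary to /usr/local/bin/semver-cli, so the shipped image contains whatever that module resolves to on build day even though both base images are digest-pinned in these hunks. Pin it to a reviewed release, for example `go install github.com/davidrjonas/semver-cli@<reviewed-tag>` (placeholder; no version is visible on this page). The `ADD` line that fetches the CLI for the bumped `CF_CLI_VERSION` is visible only truncated in the second hunk's header, and no `--checksum=` option appears among its leading flags, so verifying the archive digest there looks worth adding too.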
From: Vadim Kharin
Date: Fri, 15 May 2026 12:57:00 +0300
Subject: [PATCH 2/3] update argocd to v3.3.10
---
charts/gitops-runtime/values.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
index 2ca30a16..b41229c3 100644
--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -258,6 +258,9 @@ sealed-secrets: argo-cd: enabled: true fullnameOverride: argo-cd + global: + image: + tag: v3.3.10 notifications: enabled: false redis:
From d46d6410bf5ade17efbfc88dde304ae7bd01aa29 Mon Sep 17 00:00:00 2001
From: Vadim Kharin
Date: Fri, 15 May 2026 13:31:49 +0300
Subject: [PATCH 3/3] update Chart.yaml
---
charts/gitops-runtime/Chart.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
index 4d3b18f4..89f4d736 100644
--- a/charts/gitops-runtime/Chart.yaml
+++ b/charts/gitops-runtime/Chart.yaml
@@ -19,6 +19,8 @@ annotations: - kind: fixed description: 'cap-app-proxy: support arbitrary user IDs for OpenShift' dependencies: + # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version. + # Don't forget to remove the image override after updating to a new version of the chart. - name: argo-cd repository: https://argoproj.github.io/argo-helm condition: argo-cd.enabled
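Review bot: The `global.image.tag: v3.3.10` override added under `argo-cd:` in values.yaml (PATCH 2/3) carries no comment at the place where it later has to be removed; the only reminder, added in PATCH 3/3, sits in Chart.yaml above the first entry of `dependencies:`. If the argo-cd chart dependency is bumped and this override is forgotten, it would presumably keep the Argo CD images at v3.3.10 instead of the newer default the chart ships, which defeats later security updates without any visible error. Put the reminder on the override itself, for example `# Temporary: pins Argo CD to v3.3.10 until an argo-cd chart release ships it; remove on the next chart bump.` directly above `global:`.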