
@cjcocokrisp
Contributor

@cjcocokrisp cjcocokrisp commented Jul 9, 2025

Upgrades the github.com/argoproj/argo-cd/v2 dependency from v2.13.8 to v2.14.15. When dependabot tried to upgrade them before in PRs #1087 and #1120 there was the following error.

#19 [builder 7/7] RUN mkdir -p dist && 	make controller
#19 0.154 CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags '-extldflags "-static" -X github.com/argoproj-labs/argocd-image-updater/pkg/version.version=99.9.9 -X github.com/argoproj-labs/argocd-image-updater/pkg/version.gitCommit=c88c27dd5fd6513214ee29855c55024dea6c373f -X github.com/argoproj-labs/argocd-image-updater/pkg/version.buildDate=2025-05-01T14:45:45Z' -o dist/argocd-image-updater cmd/*.go
#19 2.100 cmd/ask_pass.go:15:2: no required module provides package github.com/argoproj/argo-cd/v2/reposerver/askpass; to add it:
#19 2.100 	go get github.com/argoproj/argo-cd/v2/reposerver/askpass
#19 2.104 make: *** [Makefile:86: controller] Error 1

This is because the askpass module was moved from reposerver/askpass to util/askpass.
I looked into the diffs of these files and here are the results:
askpass.pb.go

diff --git a/reposerver/askpass/askpass.pb.go b/util/askpass/askpass.pb.go
index d1d2a4612..c41b7336e 100644
--- a/reposerver/askpass/askpass.pb.go
+++ b/util/askpass/askpass.pb.go
@@ -1,5 +1,5 @@
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
-// source: reposerver/askpass/askpass.proto
+// source: util/askpass/askpass.proto
 
 package askpass
 
@@ -37,7 +37,7 @@ func (m *CredentialsRequest) Reset()         { *m = CredentialsRequest{} }
 func (m *CredentialsRequest) String() string { return proto.CompactTextString(m) }
 func (*CredentialsRequest) ProtoMessage()    {}
 func (*CredentialsRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_099f282cab154dba, []int{0}
+	return fileDescriptor_1c7c1d31cf056104, []int{0}
 }
 func (m *CredentialsRequest) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -85,7 +85,7 @@ func (m *CredentialsResponse) Reset()         { *m = CredentialsResponse{} }
 func (m *CredentialsResponse) String() string { return proto.CompactTextString(m) }
 func (*CredentialsResponse) ProtoMessage()    {}
 func (*CredentialsResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_099f282cab154dba, []int{1}
+	return fileDescriptor_1c7c1d31cf056104, []int{1}
 }
 func (m *CredentialsResponse) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -133,25 +133,25 @@ func init() {
 	proto.RegisterType((*CredentialsResponse)(nil), "askpass.CredentialsResponse")
 }
 
-func init() { proto.RegisterFile("reposerver/askpass/askpass.proto", fileDescriptor_099f282cab154dba) }
+func init() { proto.RegisterFile("util/askpass/askpass.proto", fileDescriptor_1c7c1d31cf056104) }
 
-var fileDescriptor_099f282cab154dba = []byte{
-	// 231 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x52, 0x28, 0x4a, 0x2d, 0xc8,
-	0x2f, 0x4e, 0x2d, 0x2a, 0x4b, 0x2d, 0xd2, 0x4f, 0x2c, 0xce, 0x2e, 0x48, 0x2c, 0x2e, 0x86, 0xd1,
-	0x7a, 0x05, 0x45, 0xf9, 0x25, 0xf9, 0x42, 0xec, 0x50, 0xae, 0x92, 0x16, 0x97, 0x90, 0x73, 0x51,
-	0x6a, 0x4a, 0x6a, 0x5e, 0x49, 0x66, 0x62, 0x4e, 0x71, 0x50, 0x6a, 0x61, 0x69, 0x6a, 0x71, 0x89,
-	0x90, 0x08, 0x17, 0x6b, 0x5e, 0x7e, 0x5e, 0x72, 0xaa, 0x04, 0xa3, 0x02, 0xa3, 0x06, 0x67, 0x10,
-	0x84, 0xa3, 0xe4, 0xcb, 0x25, 0x8c, 0xa2, 0xb6, 0xb8, 0x20, 0x3f, 0xaf, 0x38, 0x55, 0x48, 0x8a,
-	0x8b, 0xa3, 0xb4, 0x38, 0xb5, 0x28, 0x2f, 0x31, 0x17, 0xa6, 0x1e, 0xce, 0x07, 0xc9, 0x81, 0xac,
-	0x29, 0xcf, 0x2f, 0x4a, 0x91, 0x60, 0x82, 0xc8, 0xc1, 0xf8, 0x46, 0xf1, 0x5c, 0x7c, 0x8e, 0xc5,
-	0xd9, 0x01, 0x89, 0xc5, 0xc5, 0xc1, 0xa9, 0x45, 0x65, 0x99, 0xc9, 0xa9, 0x42, 0xbe, 0x5c, 0x7c,
-	0xee, 0xa9, 0x25, 0x48, 0x76, 0x08, 0x49, 0xeb, 0xc1, 0xdc, 0x8d, 0xe9, 0x4a, 0x29, 0x19, 0xec,
-	0x92, 0x10, 0x67, 0x29, 0x31, 0x38, 0xd9, 0x9f, 0x78, 0x24, 0xc7, 0x78, 0xe1, 0x91, 0x1c, 0xe3,
-	0x83, 0x47, 0x72, 0x8c, 0x51, 0x86, 0xe9, 0x99, 0x25, 0x19, 0xa5, 0x49, 0x7a, 0xc9, 0xf9, 0xb9,
-	0xfa, 0x89, 0x45, 0xe9, 0xf9, 0x05, 0x45, 0xf9, 0x59, 0x60, 0x86, 0x6e, 0x72, 0x8a, 0x7e, 0x99,
-	0x91, 0x3e, 0x66, 0x98, 0x25, 0xb1, 0x81, 0x03, 0xcb, 0x18, 0x10, 0x00, 0x00, 0xff, 0xff, 0x5a,
-	0x1e, 0xa9, 0xaf, 0x50, 0x01, 0x00, 0x00,
+var fileDescriptor_1c7c1d31cf056104 = []byte{
+	// 225 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x92, 0x2a, 0x2d, 0xc9, 0xcc,
+	0xd1, 0x4f, 0x2c, 0xce, 0x2e, 0x48, 0x2c, 0x2e, 0x86, 0xd1, 0x7a, 0x05, 0x45, 0xf9, 0x25, 0xf9,
+	0x42, 0xec, 0x50, 0xae, 0x92, 0x16, 0x97, 0x90, 0x73, 0x51, 0x6a, 0x4a, 0x6a, 0x5e, 0x49, 0x66,
+	0x62, 0x4e, 0x71, 0x50, 0x6a, 0x61, 0x69, 0x6a, 0x71, 0x89, 0x90, 0x08, 0x17, 0x6b, 0x5e, 0x7e,
+	0x5e, 0x72, 0xaa, 0x04, 0xa3, 0x02, 0xa3, 0x06, 0x67, 0x10, 0x84, 0xa3, 0xe4, 0xcb, 0x25, 0x8c,
+	0xa2, 0xb6, 0xb8, 0x20, 0x3f, 0xaf, 0x38, 0x55, 0x48, 0x8a, 0x8b, 0xa3, 0xb4, 0x38, 0xb5, 0x28,
+	0x2f, 0x31, 0x17, 0xa6, 0x1e, 0xce, 0x07, 0xc9, 0x81, 0xac, 0x29, 0xcf, 0x2f, 0x4a, 0x91, 0x60,
+	0x82, 0xc8, 0xc1, 0xf8, 0x46, 0xf1, 0x5c, 0x7c, 0x8e, 0xc5, 0xd9, 0x01, 0x89, 0xc5, 0xc5, 0xc1,
+	0xa9, 0x45, 0x65, 0x99, 0xc9, 0xa9, 0x42, 0xbe, 0x5c, 0x7c, 0xee, 0xa9, 0x25, 0x48, 0x76, 0x08,
+	0x49, 0xeb, 0xc1, 0xdc, 0x8d, 0xe9, 0x4a, 0x29, 0x19, 0xec, 0x92, 0x10, 0x67, 0x29, 0x31, 0x38,
+	0x59, 0x9e, 0x78, 0x24, 0xc7, 0x78, 0xe1, 0x91, 0x1c, 0xe3, 0x83, 0x47, 0x72, 0x8c, 0x51, 0xda,
+	0xe9, 0x99, 0x25, 0x19, 0xa5, 0x49, 0x7a, 0xc9, 0xf9, 0xb9, 0xfa, 0x89, 0x45, 0xe9, 0xf9, 0x05,
+	0x45, 0xf9, 0x59, 0x60, 0x86, 0x6e, 0x72, 0x8a, 0x7e, 0x99, 0x91, 0x3e, 0x72, 0x68, 0x25, 0xb1,
+	0x81, 0x83, 0xc9, 0x18, 0x10, 0x00, 0x00, 0xff, 0xff, 0xa8, 0xcc, 0x96, 0x87, 0x44, 0x01, 0x00,
+	0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -231,7 +231,7 @@ var _AskPassService_serviceDesc = grpc.ServiceDesc{
 		},
 	},
 	Streams:  []grpc.StreamDesc{},
-	Metadata: "reposerver/askpass/askpass.proto",
+	Metadata: "util/askpass/askpass.proto",
 }
 
 func (m *CredentialsRequest) Marshal() (dAtA []byte, err error) {

askpass.proto

diff --git a/reposerver/askpass/askpass.proto b/util/askpass/askpass.proto
index 4547edc3a..f4c378818 100644
--- a/reposerver/askpass/askpass.proto
+++ b/util/askpass/askpass.proto
@@ -1,5 +1,5 @@
 syntax = "proto3";
-option go_package = "github.com/argoproj/argo-cd/v2/reposerver/askpass";
+option go_package = "github.com/argoproj/argo-cd/v2/util/askpass";
 
 package askpass;

common.go

diff --git a/reposerver/askpass/common.go b/util/askpass/common.go
index c9757f587..2a34cca52 100644
--- a/reposerver/askpass/common.go
+++ b/util/askpass/common.go
@@ -11,6 +11,8 @@ const (
 	ASKPASS_NONCE_ENV = "ARGOCD_GIT_ASKPASS_NONCE"
 	// AKSPASS_SOCKET_PATH_ENV is the environment variable that is used to pass the socket path to the askpass script
 	AKSPASS_SOCKET_PATH_ENV = "ARGOCD_ASK_PASS_SOCK"
+	// CommitServerSocketPath is the path to the socket used by the commit server to communicate with the askpass server
+	CommitServerSocketPath = "/tmp/commit-server-ask-pass.sock"
 )
 
 func init() {
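Review bot: The added `CommitServerSocketPath` constant fixes the askpass socket at a predictable name directly under `/tmp`, and its comment does not say who creates the socket or what permissions it gets. Because the askpass server hands out git credentials over this socket, the comment should record that expectation, for example `// The askpass server creates this socket; the path is fixed and under /tmp, so that directory must not be shared with untrusted processes.` Whether the listener restricts the socket mode cannot be seen here, since the const block begins above the hunk and `init` continues below it.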

server.go

diff --git a/reposerver/askpass/server.go b/util/askpass/server.go
index 2eb9f8986..b6a1bbfc4 100644
--- a/reposerver/askpass/server.go
+++ b/util/askpass/server.go
@@ -22,6 +22,20 @@ type Server interface {
 	Run(path string) error
 }
 
+// server is a gRPC server that provides a way for an external process (usually git) to access credentials without those
+// credentials being set directly in the git process's environment. Before invoking git, the caller invokes Add to add a
+// new credential, which returns a unique id. The caller then sets the GIT_ASKPASS environment variable to the path of
+// the argocd-git-ask-pass binary and sets the ASKPASS_NONCE environment variable to the id. When git needs credentials,
+// it will invoke the argocd-git-ask-pass binary, which will use the ASKPASS_NONCE to look up the credentials and return
+// them to git. After the git process completes, the caller should invoke Remove to remove the credential.
+//
+// This is meant to solve a class of problems that was demonstrated by an old bug in Kustomize. We needed to enable
+// Kustomize to invoke git to fetch a private repository. But Kustomize had a bug that allowed a user to dump the
+// environment variables of the process into manifests, which would expose the credentials. Kustomize eventually fixed
+// the bug. But to prevent this from happening again, we now only set the ASKPASS_NONCE environment variable instead of
+// directly passing the git credentials via environment variables. Even if the nonce leaks, 1) the user probably doesn't
+// have access to the server to look up the corresponding git credentials, and 2) the nonce should be deleted from
+// the server before the user even sees the manifests.
 type server struct {
 	lock       sync.Mutex
 	creds      map[string]Creds
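Review bot: The new doc comment on `server` calls the environment variable `ASKPASS_NONCE`, while common.go declares it as `ASKPASS_NONCE_ENV` with the value `ARGOCD_GIT_ASKPASS_NONCE`, so a reader searching for the name used in the comment will not find it. The comment also words the cleanup as optional ("should invoke Remove") although its own security argument relies on the nonce being deleted promptly. I would state it as `// The caller must invoke Remove once git exits (typically via defer, so error paths are covered); until then the nonce can be used to look up the credential.` The struct body continues past the end of the hunk.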

server_test.go

N/A

Judging from the diffs, it does not look like any important changes were made. The files that I assume are auto-generated have new data to reflect the move. A few comments were added, and a constant was added in common.go.

Because version v2.14.15 of ArgoCD requires Golang version 1.24.4, the Dockerfile's base image for the builder step has been changed to golang:1.24.

Another issue was with the dependency 'github.com/cyphar/filepath-securejoin.' For some reason the 2.14.X versions of ArgoCD upgrade the dependency which in the case of ArgoCD v2.14.15 is v0.4.1. This causes a breaking change in the util/io/files/secure_mkdir_linux.go which causes it not to compile. To fix this I pinned the version of the dependency to v0.3.6 which is what it was before. For more information see this issue from ArgoCD.

@codecov-commenter

codecov-commenter commented Jul 10, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.27%. Comparing base (f93f013) to head (bfabcba).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1187   +/-   ##
=======================================
  Coverage   63.27%   63.27%           
=======================================
  Files          15       15           
  Lines        2358     2358           
=======================================
  Hits         1492     1492           
  Misses        771      771           
  Partials       95       95           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@chengfang
Collaborator

Can you rebase to the latest master to take in recent changes to go.mod, and re-generate go.sum?

@cjcocokrisp cjcocokrisp force-pushed the chore/upgrade-argocd-2.14.15 branch from 8d83ca6 to 9821612 Compare July 15, 2025 13:43
@cjcocokrisp
Contributor Author

Rebased the branch and re-generated the go.sum. Let me know if there is anything else that needs to be updated.

@chengfang chengfang merged commit 2cd8c7d into argoproj-labs:master Jul 17, 2025
11 checks passed
@cjcocokrisp cjcocokrisp deleted the chore/upgrade-argocd-2.14.15 branch July 22, 2025 14:06
cjcocokrisp added a commit to cjcocokrisp/argocd-image-updater that referenced this pull request Jul 23, 2025