chore: sync our fork to 3.1.5 sync branch

.dockerignore

@@ -17,6 +17,8 @@ manifests/
 hack/
 docs/
 examples/
+.dockerignore
+.git/
 .github/
 !test/container
 !test/e2e/testdata

.github/ISSUE_TEMPLATE/config.yml

@@ -5,7 +5,7 @@ contact_links:
     url: https://argo-cd.readthedocs.io/
     about: Much help can be found in the docs
   - name: Ask a question
-    url: https://github.com/argoproj/argo-cd/discussions/new
+    url: https://github.com/codefresh-io/argo-cd/discussions/new
     about: Ask a question or start a discussion about Argo CD
   - name: Chat on Slack
     url: https://argoproj.github.io/community/join-slack

.github/workflows/ci-build.yaml

@@ -2,14 +2,16 @@ name: Integration tests
 on:
   push:
     branches:
-      - 'master'
-      - 'release-*'
-      - '!release-1.4'
-      - '!release-1.5'
+      - 'sync-*'
+      # - 'master'
+      # - 'release-*'
+      # - '!release-1.4'
+      # - '!release-1.5'
   pull_request:
     branches:
-      - 'master'
-      - 'release-*'
+      - 'sync-*'
+      # - 'master'
+      # - 'release-*'
 
 env:
   # Golang version to use across CI steps
@@ -392,7 +394,7 @@ jobs:
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       - name: Upload test results to Codecov
-        if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'argoproj/argo-cd'
+        if: startsWith(github.ref, 'refs/heads/sync-') && github.event_name == 'push' && github.repository == 'codefresh-io/argo-cd'
         uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
         with:
           file: test-results/junit.xml
@@ -403,7 +405,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
-        if: env.sonar_secret != ''
+        if: false && env.sonar_secret != ''
   test-e2e:
     name: Run end-to-end tests
     if: ${{ needs.changes.outputs.backend == 'true' }}
@@ -496,7 +498,7 @@ jobs:
         run: |
           docker pull ghcr.io/dexidp/dex:v2.43.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.2.7-alpine
+          docker pull redis:8.2.1-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist

.github/workflows/image.yaml

@@ -3,10 +3,10 @@ name: Image
 on:
   push:
     branches:
-      - master
+      - sync-*
   pull_request:
     branches:
-      - master
+      - sync-*
     types: [labeled, unlabeled, opened, synchronize, reopened]
 
 concurrency:
@@ -19,17 +19,25 @@ jobs:
   set-vars:
     permissions:
       contents: read
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'codefresh-io/argo-cd'
     runs-on: ubuntu-22.04
     outputs:
-      image-tag: ${{ steps.image.outputs.tag}}
+      image-tag: ${{ steps.image-pr.outputs.tag || steps.image-push.outputs.tag }}
       platforms: ${{ steps.platforms.outputs.platforms }}
     steps:
       - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
 
-      - name: Set image tag for ghcr
-        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
-        id: image
+      - name: Set image tag (push to feature branch)
+        if: ${{ github.repository == 'codefresh-io/argo-cd' && github.event_name == 'pull_request' }}
+        run: |
+          CLEAN_REF=$(echo "${{ github.head_ref }}" | sed 's|^refs/[^/]*||; s|/|_|g')
+          echo "tag=v$(cat ./VERSION)-${CLEAN_REF}-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
+        id: image-pr
+
+      - name: Set image tag (push to sync-* branch)
+        if: ${{ github.repository == 'codefresh-io/argo-cd' && github.event_name == 'push' }}
+        run: echo "tag=v$(cat ./VERSION)-$(date +%Y-%m-%d)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
+        id: image-push
 
       - name: Determine image platforms to use
         id: platforms
@@ -48,7 +56,7 @@ jobs:
       contents: read
       packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
       id-token: write # for creating OIDC tokens for signing.
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
+    if: ${{ false }}
     uses: ./.github/workflows/image-reuse.yaml
     with:
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
@@ -63,11 +71,11 @@ jobs:
       contents: read
       packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
       id-token: write # for creating OIDC tokens for signing.
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    if: ${{ github.repository == 'codefresh-io/argo-cd' }}
     uses: ./.github/workflows/image-reuse.yaml
     with:
-      quay_image_name: quay.io/argoproj/argocd:latest
-      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+      quay_image_name: ${{ github.event_name == 'pull_request' && 'quay.io/codefresh/dev/argocd' || 'quay.io/codefresh/argocd' }}:${{ needs.set-vars.outputs.image-tag }}
+      # ghcr_image_name: ghcr.io/codefresh-io/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
       # renovate: datasource=golang-version packageName=golang
       go-version: 1.24.6
@@ -86,7 +94,7 @@ jobs:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    if: ${{ false }}
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
@@ -103,7 +111,7 @@ jobs:
     permissions:
       contents: write # for git to push upgrade commit if not already deployed
       packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    if: ${{ false }}
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0

.mockery.yaml

@@ -7,6 +7,9 @@ template-data:
   unroll-variadic: true
 
 packages:
+  github.com/argoproj/argo-cd/v3/acr_controller/application:
+    interfaces:
+      ApplicationClient:
   github.com/argoproj/argo-cd/v3/applicationset/generators:
     interfaces:
       Generator: {}

Dockerfile

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
+ARG BASE_IMAGE=docker.io/library/ubuntu:25.04@sha256:10bb10bb062de665d4dc3e0ea36715270ead632cfcb74d08ca2273712a0dfb42
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
@@ -55,6 +55,9 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
+# To make sure that the latesst version of sqlite is installed that addresses this CVE-2025-6965
+RUN apt update && apt install --only-upgrade libsqlite3-0
+
 COPY hack/gpg-wrapper.sh \
     hack/git-verify-wrapper.sh \
     entrypoint.sh \
@@ -138,6 +141,7 @@ COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/l
 USER root
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-change-revision-controller  && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-cmp-server && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex && \

Dockerfile.dev

@@ -7,6 +7,7 @@ COPY argocd /usr/local/bin/
 USER root
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-change-revision-controller  && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-notifications && \

Makefile

@@ -134,6 +134,7 @@ define run-in-test-client
 		-e GITHUB_TOKEN \
 		-e GOCACHE=/tmp/go-build-cache \
 		-e ARGOCD_LINT_GOGC=$(ARGOCD_LINT_GOGC) \
+		-e GOSUMDB=off \
 		-v ${DOCKER_SRC_MOUNT} \
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
@@ -154,7 +155,7 @@ PATH:=$(PATH):$(PWD)/hack
 
 # docker image publishing options
 DOCKER_PUSH?=false
-IMAGE_NAMESPACE?=
+IMAGE_NAMESPACE?=quay.io/codefresh
 # perform static compilation
 DEFAULT_STATIC_BUILD:=true
 ifeq ($(IS_DARWIN),true)

Merge-upstream.md

@@ -0,0 +1,60 @@
+## Process of merging upstream changes
+
+1. create "sync-3.0.2" branch on top of upstream v3.0.2 tag (git checkout -b sync-3.0.2 v3.0.2), push to codefresh-io/argocd
+2. create branch "make-cf-changes" on current release (sync-2.14.9 HEAD)
+3. rebase onto sync-3.0.2 ("git rebase --onto sync-3.0.2 v2.14.9 make-cf-changes)
+4. make a pr from "make-cf-changes" into "sync-3.0.2". 
+   1. the pr will trigger dev image builds, e2e runs, etc (quay.io/codefresh/dev/argocd)
+5. fix conflicts, test, fixes, whatever (by instuction in following section)
+6. merge pr
+   1. merge will create official image of fork (quay.io/codefresh/argocd)
+   2. manually create tag "v3.0.2-YYYY-MM-DD-SHA"
+   3. THERE IS NOT GITHUB RELEASE
+
+## Resolving conflicts during upstream changes merge 
+
+This docs include info about places where codefresh made it's customizations:
+
+#### General notes:
+1. All files that're deleted in our branches - we can keep deleted (accept ours).
+2. all `xxx.pb.go` - apply theirs and after resolving conflicts re-generate.
+
+#### Paths and actions on them
+1. `.github/workflows` - accept ours (yours).
+2. `applicationset` - accept theirs
+3. `assets / swagger` - accept ours. Later run codegen and commit new version
+4. `cmd / argocd` - accept ours if files deleted.
+5. `cmd / argocd-application-controller` - no custom thing from our side, so just resolve conflicts.
+6. `cmd / notifications` - no custom thing from our side, so just accept theirs.
+7. `cmd / argocd-repo-server` - includes our changes with codefresh related parameters.
+8. `cmd / common` - includes our changes with codefresh related constants (event-reporter)
+9. `cmd / controller / application.go` - includes our changes to resource node (to return labels and annotations getResourceTree method)
+10. `cmd / controller / state.go` - includes our changes (GetRepoObjs method)
+11. `cmd / controller / state_test.go - includes our changes. Replace manifest values with our struct `apiclient.Manifest`
+12. `docs` - apply theirs
+13. `examples` - apply theirs
+14. `hack` - apply theirs
+15. `manifests` - accept theirs
+16. `notification_controller` - apply theirs
+17. `pkg/apis/application/v1alpha` - generatedXXX - apply theirs (than re-generate). types.go  - merge (includes our changes with ForceNamespace).
+18. `server / application.go` - merge (includes our v1 event-reporter.)
+19. `ui` - accept theirs.
+20. `util / kustomize` - merge, as it includes ours changes.
+21. `mkdocs.yaml` - apply theirs.
+22. `go.mod` - merge direct dependencies. go.sum accept theirs. Run go mod tidy. Check `replace` section, perform cleanup if needed.
+23. `reposerver / sepository.go` - merge, includes: cf appVersion logic; type manifest struct (with path to file, rawManifest);
+
+
+#### Post actions:
+1. run `go mod tidy`
+2. run `go mod download`
+3. run `go mod vendor`
+4. run `make install-tools-local`
+5. run `make lint-local`
+6. run `make protogen-fast` - because sometimes gogen won't work if types from protogen used
+7. run `make codegen`
+8. run `make test-local`
+
+### Thoughts
+
+1. Revert cherry picks before merges - as they cause issues later if in upstream decided to slightly move some parts of such changes. In this case no conflicts will occur during merge as they on different lines but then you need cleanup them manually.

acr_controller/application/client.go

@@ -0,0 +1,94 @@
+package application_change_revision_controller
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"google.golang.org/grpc"
+
+	appclient "github.com/argoproj/argo-cd/v3/pkg/apiclient/application"
+)
+
+type ApplicationClient interface {
+	GetChangeRevision(ctx context.Context, in *appclient.ChangeRevisionRequest, opts ...grpc.CallOption) (*appclient.ChangeRevisionResponse, error)
+}
+
+type httpApplicationClient struct {
+	httpClient *http.Client
+	baseURL    string
+	token      string
+}
+
+func NewHTTPApplicationClient(token string, address string, rootpath string) ApplicationClient {
+	if rootpath != "" && !strings.HasPrefix(rootpath, "/") {
+		rootpath = "/" + rootpath
+	}
+
+	if !strings.Contains(address, "http") {
+		address = "http://" + address
+	}
+
+	if rootpath != "" {
+		address = address + rootpath
+	}
+
+	return &httpApplicationClient{
+		httpClient: &http.Client{
+			Timeout: 30 * time.Second,
+			Transport: &http.Transport{
+				// Support for insecure connections
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			},
+		},
+		baseURL: address,
+		token:   token,
+	}
+}
+
+func (c *httpApplicationClient) execute(ctx context.Context, url string, result any) error {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+c.token)
+
+	res, err := c.httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+
+	b, _ := io.ReadAll(res.Body)
+
+	isStatusOK := res.StatusCode >= 200 && res.StatusCode < 300
+	if !isStatusOK {
+		return fmt.Errorf("argocd server respond with code %d, msg is: %s", res.StatusCode, string(b))
+	}
+
+	err = json.Unmarshal(b, &result)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *httpApplicationClient) GetChangeRevision(ctx context.Context, in *appclient.ChangeRevisionRequest, _ ...grpc.CallOption) (*appclient.ChangeRevisionResponse, error) {
+	params := fmt.Sprintf("?appName=%s&namespace=%s&currentRevision=%s&previousRevision=%s", in.GetAppName(), in.GetNamespace(), in.GetCurrentRevision(), in.GetPreviousRevision())
+
+	url := fmt.Sprintf("%s/api/v1/application/changeRevision%s", c.baseURL, params)
+
+	changeRevisionResponse := &appclient.ChangeRevisionResponse{}
+	err := c.execute(ctx, url, changeRevisionResponse)
+	if err != nil {
+		return nil, err
+	}
+	return changeRevisionResponse, nil
+}