chore: cf-runtime 7.9.2 with security fixes in runtime images (#592)

vitalii-codefresh · web-flow · commit cae769cf7aee · 2025-07-10T12:50:41.000+03:00
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 7.9.1
+version: 7.9.2
 keywords:
   - codefresh
   - runner
@@ -17,8 +17,10 @@ annotations:
   artifacthub.io/containsSecurityUpdates: "true"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: added
-      description: "Added documentation on migrating from CLI installation"
+    - kind: security
+      description: "Bump runtime images with security fixes"
+    - kind: security
+      description: "Bump codefresh/cli with security fixes"
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 7.9.1](https://img.shields.io/badge/Version-7.9.1-informational?style=flat-square)
+![Version: 7.9.2](https://img.shields.io/badge/Version-7.9.2-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -1242,7 +1242,7 @@ Install the Helm chart
 | runner.enabled | bool | `true` | Enable the runner |
 | runner.env | object | `{}` | Add additional env vars |
 | runner.image | object | `{"digest":"sha256:bcc6e7495186f1f9c3e885afa891a3bda11b5374a577f069f34ddc75142342ef","registry":"quay.io","repository":"codefresh/venona","tag":"2.0.0"}` | Set image |
-| runner.init | object | `{"image":{"digest":"sha256:b256d150ff8a636851ddc1d5fb0490114d5036cc5bff357eac6a9899fea87562","registry":"quay.io","repository":"codefresh/cli","tag":"0.88.4-rootless"},"resources":{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"0.2","memory":"256Mi"}}}` | Init container |
+| runner.init | object | `{"image":{"digest":"sha256:ea37c7064a95a68269cb93f17e05501f87403706665319ed8f3c646c77e3880c","registry":"quay.io","repository":"codefresh/cli","tag":"0.89.2-rootless"},"resources":{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"0.2","memory":"256Mi"}}}` | Init container |
 | runner.name | string | `""` | Set runner deployment name |
 | runner.nodeSelector | object | `{}` | Set node selector |
 | runner.podAnnotations | object | `{}` | Set pod annotations |
@@ -1289,7 +1289,7 @@ Install the Helm chart
 | runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts |
 | runtime.dind.userVolumes | object | `{}` | Add extra volumes |
 | runtime.dindDaemon | object | See below | DinD pod daemon config |
-| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:a00c29cb523c18896b0e069624e8cc32f84450e495330a409620dbbcf1339c8e","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.178.0"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:e74494370100678ccb1c1058e6ef3ddcf67b21fcd37da8b3482376c8282549ad","registry":"quay.io","repository":"codefresh/compose","tag":"v2.37.0-1.5.4"},"container-logger":{"digest":"sha256:9152151faf828dfd3bf52ea568b6d70bcc88ef99d5fa7d011f7b4d9beed652cc","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"1.12.5"},"cosign-image-signer":{"digest":"sha256:f28c2f9f99cc963b190f260c3d5b7374512fcfb93cedf94ba7a0ea7caa2a5833","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"2.5.0-cf.1"},"default-qemu":{"digest":"sha256:1b804311fe87047a4c96d38b4b3ef6f62fca8cd125265917a9e3dc3c996c39e6","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v9.2.2"},"docker-builder":{"digest":"sha256:94683c11ac66705ef752b7d4c7f8fb57445cb96d4f1425a52b5b3a9428ec852b","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.4.6"},"docker-puller":{"digest":"sha256:fdcae9ab57fd5121409fd7f669795eda2ddcb94e4e50e08f4ff3830a9bf40064","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.21"},"docker-pusher":{"digest":"sha256:3753503dcfee41065ffa6ca1527453604ce69fbf31fce5d356d679bf26579417","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.19"},"docker-tag-pusher":{"digest":"sha256:d0f09428b74da4bcae581477db519e694669702bb42a55f4a7977014f2ed21b2","registry":"quay.io","repository":"codefresh/cf-docker-tag-pusher","tag":"1.3.17"},"fs-ops":{"digest":"sha256:70d53821b9314d88e3571dfb096e8f577caf3e4c2199253621b8d0c85d20b8ad","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.10"},"gc-builder":{"digest":"sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875","registry":"quay.io","repository":"codefresh/cf-gc-builder","tag":"0.5.3"},"git-cloner":{"digest":"sha256:2a7854d00287a181c056ea932652ec8a21300ff729d2e6f5f5b517cf4a3f0abf","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.1"},"kube-deploy":{"digest":"sha256:35649b14eb43717d3752d08597ada77d3737b2508f1b8e1f52f67b7a0e5ff263","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"16.2.9"},"pipeline-debugger":{"digest":"sha256:37975653b4ef5378bd1e38d453c7dac4721cba1c1977a5ca6118a67b98a47925","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.9"},"template-engine":{"digest":"sha256:b3f499fcf93037e69fba599d2f292cfc9f28a158052dd57d5de9cdf9756f1f60","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.6"}},"runtimeImagesRegisty":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). |
+| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:a00c29cb523c18896b0e069624e8cc32f84450e495330a409620dbbcf1339c8e","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.178.0"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:e74494370100678ccb1c1058e6ef3ddcf67b21fcd37da8b3482376c8282549ad","registry":"quay.io","repository":"codefresh/compose","tag":"v2.37.0-1.5.4"},"container-logger":{"digest":"sha256:83bf409f43502748cce98798197dd7daa29c8844069b6f4e5bf3790966be60a2","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"1.12.7"},"cosign-image-signer":{"digest":"sha256:ad74291dc11833e13dbf7ae1919446dee2baedb16b96a8a3acc600b5499c716d","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"2.5.2-cf.1"},"default-qemu":{"digest":"sha256:1b804311fe87047a4c96d38b4b3ef6f62fca8cd125265917a9e3dc3c996c39e6","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v9.2.2"},"docker-builder":{"digest":"sha256:1d02df4dcf703a97c7a64b147cd2c3f6ec2c708aad16be5abbd337f3c13a48ad","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.4.7"},"docker-puller":{"digest":"sha256:914f071bcb1893bcb42c3f8907f8f3874f1f30db1a2ccaa4b825dab9bb157e60","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.22"},"docker-pusher":{"digest":"sha256:bad3773029a68f33953f1dc245cb92c386b5311a996340eea41fe6b9cc52a96c","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.20"},"docker-tag-pusher":{"digest":"sha256:0833366c74055251fefba728807b847b8d8a5e094d94ccc0912ec7d6f0fedf51","registry":"quay.io","repository":"codefresh/cf-docker-tag-pusher","tag":"1.3.18"},"fs-ops":{"digest":"sha256:70d53821b9314d88e3571dfb096e8f577caf3e4c2199253621b8d0c85d20b8ad","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.10"},"gc-builder":{"digest":"sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875","registry":"quay.io","repository":"codefresh/cf-gc-builder","tag":"0.5.3"},"git-cloner":{"digest":"sha256:2e09eef18d5caddae708058ec63247825ac4e4ee5e5763986f65e1312fbcc449","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.2"},"kube-deploy":{"digest":"sha256:35649b14eb43717d3752d08597ada77d3737b2508f1b8e1f52f67b7a0e5ff263","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"16.2.9"},"pipeline-debugger":{"digest":"sha256:37975653b4ef5378bd1e38d453c7dac4721cba1c1977a5ca6118a67b98a47925","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.9"},"template-engine":{"digest":"sha256:b3f499fcf93037e69fba599d2f292cfc9f28a158052dd57d5de9cdf9756f1f60","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.6"}},"runtimeImagesRegisty":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). |
 | runtime.engine.affinity | object | `{}` | Set affinity |
 | runtime.engine.command | list | `["npm","run","start"]` | Set container command. |
 | runtime.engine.env | object | `{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"}` | Set additional env vars. |
@@ -1331,7 +1331,7 @@ Install the Helm chart
 | runtime.inCluster | bool | `true` | (for On-Premise only) Set inCluster runtime |
 | runtime.kubeconfigFilePath | string | `""` | (for On-Premise only) Set kubeconfig name and path |
 | runtime.patch | object | See below | Parameters for `runtime-patch` post-upgrade/install hook |
-| runtime.patch.cronjob | object | `{"affinity":{},"enabled":true,"failedJobsHistory":1,"image":{"digest":"sha256:0ea571fd0d4b2f787baad48c1216100cfe4fb598dda6fc550fc120855e5684a1","registry":"quay.io","repository":"codefresh/cli","tag":"0.89.0-rootless"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"schedule":"0/5 * * * *","successfulJobsHistory":1,"tolerations":[]}` | CronJob to update the runtime on schedule |
+| runtime.patch.cronjob | object | `{"affinity":{},"enabled":true,"failedJobsHistory":1,"image":{"digest":"sha256:ea37c7064a95a68269cb93f17e05501f87403706665319ed8f3c646c77e3880c","registry":"quay.io","repository":"codefresh/cli","tag":"0.89.2-rootless"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"schedule":"0/5 * * * *","successfulJobsHistory":1,"tolerations":[]}` | CronJob to update the runtime on schedule |
 | runtime.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters |
 | runtime.rbac.create | bool | `true` | Create RBAC resources |
 | runtime.rbac.rules | list | `[]` | Add custom rule to the engine role |
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
@@ -81,8 +81,8 @@ runner:
     image:
       registry: quay.io
       repository: codefresh/cli
-      tag: 0.88.4-rootless
-      digest: sha256:b256d150ff8a636851ddc1d5fb0490114d5036cc5bff357eac6a9899fea87562
+      tag: 0.89.2-rootless
+      digest: sha256:ea37c7064a95a68269cb93f17e05501f87403706665319ed8f3c646c77e3880c
     resources:
       limits:
         memory: 512Mi
@@ -535,28 +535,28 @@ runtime:
       container-logger:
         registry: quay.io
         repository: codefresh/cf-container-logger
-        tag: 1.12.5
-        digest: sha256:9152151faf828dfd3bf52ea568b6d70bcc88ef99d5fa7d011f7b4d9beed652cc
+        tag: 1.12.7
+        digest: sha256:83bf409f43502748cce98798197dd7daa29c8844069b6f4e5bf3790966be60a2
       docker-builder:
         registry: quay.io
         repository: codefresh/cf-docker-builder
-        tag: 1.4.6
-        digest: sha256:94683c11ac66705ef752b7d4c7f8fb57445cb96d4f1425a52b5b3a9428ec852b
+        tag: 1.4.7
+        digest: sha256:1d02df4dcf703a97c7a64b147cd2c3f6ec2c708aad16be5abbd337f3c13a48ad
       docker-puller:
         registry: quay.io
         repository: codefresh/cf-docker-puller
-        tag: 8.0.21
-        digest: sha256:fdcae9ab57fd5121409fd7f669795eda2ddcb94e4e50e08f4ff3830a9bf40064
+        tag: 8.0.22
+        digest: sha256:914f071bcb1893bcb42c3f8907f8f3874f1f30db1a2ccaa4b825dab9bb157e60
       docker-pusher:
         registry: quay.io
         repository: codefresh/cf-docker-pusher
-        tag: 6.0.19
-        digest: sha256:3753503dcfee41065ffa6ca1527453604ce69fbf31fce5d356d679bf26579417
+        tag: 6.0.20
+        digest: sha256:bad3773029a68f33953f1dc245cb92c386b5311a996340eea41fe6b9cc52a96c
       docker-tag-pusher:
         registry: quay.io
         repository: codefresh/cf-docker-tag-pusher
-        tag: 1.3.17
-        digest: sha256:d0f09428b74da4bcae581477db519e694669702bb42a55f4a7977014f2ed21b2
+        tag: 1.3.18
+        digest: sha256:0833366c74055251fefba728807b847b8d8a5e094d94ccc0912ec7d6f0fedf51
       fs-ops:
         registry: quay.io
         repository: codefresh/fs-ops
@@ -565,8 +565,8 @@ runtime:
       git-cloner:
         registry: quay.io
         repository: codefresh/cf-git-cloner
-        tag: 10.3.1
-        digest: sha256:2a7854d00287a181c056ea932652ec8a21300ff729d2e6f5f5b517cf4a3f0abf
+        tag: 10.3.2
+        digest: sha256:2e09eef18d5caddae708058ec63247825ac4e4ee5e5763986f65e1312fbcc449
       kube-deploy:
         registry: quay.io
         repository: codefresh/cf-deploy-kubernetes
@@ -585,8 +585,8 @@ runtime:
       cosign-image-signer:
         registry: quay.io
         repository: codefresh/cf-cosign-image-signer
-        tag: 2.5.0-cf.1
-        digest: sha256:f28c2f9f99cc963b190f260c3d5b7374512fcfb93cedf94ba7a0ea7caa2a5833
+        tag: 2.5.2-cf.1
+        digest: sha256:ad74291dc11833e13dbf7ae1919446dee2baedb16b96a8a3acc600b5499c716d
       gc-builder:
         registry: quay.io
         repository: codefresh/cf-gc-builder
@@ -698,8 +698,8 @@ runtime:
       image:
         registry: quay.io
         repository: codefresh/cli
-        tag: 0.89.0-rootless
-        digest: sha256:0ea571fd0d4b2f787baad48c1216100cfe4fb598dda6fc550fc120855e5684a1
+        tag: 0.89.2-rootless
+        digest: sha256:ea37c7064a95a68269cb93f17e05501f87403706665319ed8f3c646c77e3880c
       rbac:
         enabled: true
       annotations: {}
@@ -720,8 +720,8 @@ runtime:
       image:
         registry: quay.io
         repository: codefresh/cli
-        tag: 0.89.0-rootless
-        digest: sha256:0ea571fd0d4b2f787baad48c1216100cfe4fb598dda6fc550fc120855e5684a1
+        tag: 0.89.2-rootless
+        digest: sha256:ea37c7064a95a68269cb93f17e05501f87403706665319ed8f3c646c77e3880c
       affinity: {}
       nodeSelector: {}
       podSecurityContext: {}
