chore(CR-30180): cf-runtime-8-0-5 with security fixes in runtime images (#601)

vitalii-codefresh · web-flow · commit fd9945f39c63 · 2025-07-31T10:46:15.000+03:00
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 8.0.4
+version: 8.0.5
 keywords:
   - codefresh
   - runner
@@ -17,8 +17,8 @@ annotations:
   artifacthub.io/containsSecurityUpdates: "true"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: fixed
-      description: "Remove token from output of patch Job"
+    - kind: security
+      description: "Contains security fixes in: engine, container-logger, docker-tag-pusher"
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 8.0.4](https://img.shields.io/badge/Version-8.0.4-informational?style=flat-square)
+![Version: 8.0.5](https://img.shields.io/badge/Version-8.0.5-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -1300,7 +1300,7 @@ Install the Helm chart
 | runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts |
 | runtime.dind.userVolumes | object | `{}` | Add extra volumes |
 | runtime.dindDaemon | object | See below | DinD pod daemon config |
-| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:a00c29cb523c18896b0e069624e8cc32f84450e495330a409620dbbcf1339c8e","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.178.0"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:e74494370100678ccb1c1058e6ef3ddcf67b21fcd37da8b3482376c8282549ad","registry":"quay.io","repository":"codefresh/compose","tag":"v2.37.0-1.5.4"},"container-logger":{"digest":"sha256:83bf409f43502748cce98798197dd7daa29c8844069b6f4e5bf3790966be60a2","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"1.12.7"},"cosign-image-signer":{"digest":"sha256:ad74291dc11833e13dbf7ae1919446dee2baedb16b96a8a3acc600b5499c716d","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"2.5.2-cf.1"},"default-qemu":{"digest":"sha256:1b804311fe87047a4c96d38b4b3ef6f62fca8cd125265917a9e3dc3c996c39e6","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v9.2.2"},"docker-builder":{"digest":"sha256:1d02df4dcf703a97c7a64b147cd2c3f6ec2c708aad16be5abbd337f3c13a48ad","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.4.7"},"docker-puller":{"digest":"sha256:914f071bcb1893bcb42c3f8907f8f3874f1f30db1a2ccaa4b825dab9bb157e60","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.22"},"docker-pusher":{"digest":"sha256:bad3773029a68f33953f1dc245cb92c386b5311a996340eea41fe6b9cc52a96c","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.20"},"docker-tag-pusher":{"digest":"sha256:0833366c74055251fefba728807b847b8d8a5e094d94ccc0912ec7d6f0fedf51","registry":"quay.io","repository":"codefresh/cf-docker-tag-pusher","tag":"1.3.18"},"fs-ops":{"digest":"sha256:70d53821b9314d88e3571dfb096e8f577caf3e4c2199253621b8d0c85d20b8ad","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.10"},"gc-builder":{"digest":"sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875","registry":"quay.io","repository":"codefresh/cf-gc-builder","tag":"0.5.3"},"git-cloner":{"digest":"sha256:2e09eef18d5caddae708058ec63247825ac4e4ee5e5763986f65e1312fbcc449","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.2"},"kube-deploy":{"digest":"sha256:35649b14eb43717d3752d08597ada77d3737b2508f1b8e1f52f67b7a0e5ff263","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"16.2.9"},"pipeline-debugger":{"digest":"sha256:37975653b4ef5378bd1e38d453c7dac4721cba1c1977a5ca6118a67b98a47925","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.9"},"template-engine":{"digest":"sha256:b3f499fcf93037e69fba599d2f292cfc9f28a158052dd57d5de9cdf9756f1f60","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.6"}},"runtimeImagesRegisty":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). |
+| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:c8e74362a3462a635cad70ac81877a7d3a0d4833cfaefb8d3b8b4b90e8c95159","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.178.3"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:e74494370100678ccb1c1058e6ef3ddcf67b21fcd37da8b3482376c8282549ad","registry":"quay.io","repository":"codefresh/compose","tag":"v2.37.0-1.5.4"},"container-logger":{"digest":"sha256:6e376bb00e824827cb038e15160ccf0fead4f868197b75bbc80dbd6bc34af8d6","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"1.12.8"},"cosign-image-signer":{"digest":"sha256:ad74291dc11833e13dbf7ae1919446dee2baedb16b96a8a3acc600b5499c716d","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"2.5.2-cf.1"},"default-qemu":{"digest":"sha256:1b804311fe87047a4c96d38b4b3ef6f62fca8cd125265917a9e3dc3c996c39e6","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v9.2.2"},"docker-builder":{"digest":"sha256:1d02df4dcf703a97c7a64b147cd2c3f6ec2c708aad16be5abbd337f3c13a48ad","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.4.7"},"docker-puller":{"digest":"sha256:914f071bcb1893bcb42c3f8907f8f3874f1f30db1a2ccaa4b825dab9bb157e60","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.22"},"docker-pusher":{"digest":"sha256:bad3773029a68f33953f1dc245cb92c386b5311a996340eea41fe6b9cc52a96c","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.20"},"docker-tag-pusher":{"digest":"sha256:ec4416525bbf4912786035fbb2e1f26ae04f94559c535f02232b48eb0a1c5fa7","registry":"quay.io","repository":"codefresh/cf-docker-tag-pusher","tag":"1.3.19"},"fs-ops":{"digest":"sha256:70d53821b9314d88e3571dfb096e8f577caf3e4c2199253621b8d0c85d20b8ad","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.10"},"gc-builder":{"digest":"sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875","registry":"quay.io","repository":"codefresh/cf-gc-builder","tag":"0.5.3"},"git-cloner":{"digest":"sha256:2e09eef18d5caddae708058ec63247825ac4e4ee5e5763986f65e1312fbcc449","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.2"},"kube-deploy":{"digest":"sha256:35649b14eb43717d3752d08597ada77d3737b2508f1b8e1f52f67b7a0e5ff263","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"16.2.9"},"pipeline-debugger":{"digest":"sha256:37975653b4ef5378bd1e38d453c7dac4721cba1c1977a5ca6118a67b98a47925","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.9"},"template-engine":{"digest":"sha256:b3f499fcf93037e69fba599d2f292cfc9f28a158052dd57d5de9cdf9756f1f60","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.6"}},"runtimeImagesRegisty":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). |
 | runtime.engine.affinity | object | `{}` | Set affinity |
 | runtime.engine.command | list | `["npm","run","start"]` | Set container command. |
 | runtime.engine.env | object | `{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"}` | Set additional env vars. |
@@ -1316,7 +1316,7 @@ Install the Helm chart
 | runtime.engine.env.METRICS_PROMETHEUS_PORT | int | `9100` | Port for Prometheus metrics server |
 | runtime.engine.env.METRICS_PROMETHEUS_SCRAPE_TIMEOUT | string | `"15000"` | The timeout till the engine waits for Prometheus to pull the latest metrics before engine shuts down (in milliseconds) |
 | runtime.engine.env.TRUSTED_QEMU_IMAGES | string | `"tonistiigi/binfmt"` | Trusted QEMU images used for docker builds - when left blank defaults to .runtime.engine.runtimeImages.DEFAULT_QEMU_IMAGE value |
-| runtime.engine.image | object | `{"digest":"sha256:a00c29cb523c18896b0e069624e8cc32f84450e495330a409620dbbcf1339c8e","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.178.0"}` | Set image. |
+| runtime.engine.image | object | `{"digest":"sha256:c8e74362a3462a635cad70ac81877a7d3a0d4833cfaefb8d3b8b4b90e8c95159","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.178.3"}` | Set image. |
 | runtime.engine.nodeSelector | object | `{}` | Set node selector. |
 | runtime.engine.podAnnotations | object | `{}` | Set pod annotations. |
 | runtime.engine.podLabels | object | `{}` | Set pod labels. |
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
@@ -503,9 +503,9 @@ runtime:
     image:
       registry: quay.io
       repository: codefresh/engine
-      tag: 1.178.0
+      tag: 1.178.3
       pullPolicy: IfNotPresent
-      digest: sha256:a00c29cb523c18896b0e069624e8cc32f84450e495330a409620dbbcf1339c8e
+      digest: sha256:c8e74362a3462a635cad70ac81877a7d3a0d4833cfaefb8d3b8b4b90e8c95159
     # -- Set container command.
     command:
       - npm
@@ -534,8 +534,8 @@ runtime:
       container-logger:
         registry: quay.io
         repository: codefresh/cf-container-logger
-        tag: 1.12.7
-        digest: sha256:83bf409f43502748cce98798197dd7daa29c8844069b6f4e5bf3790966be60a2
+        tag: 1.12.8
+        digest: sha256:6e376bb00e824827cb038e15160ccf0fead4f868197b75bbc80dbd6bc34af8d6
       docker-builder:
         registry: quay.io
         repository: codefresh/cf-docker-builder
@@ -554,8 +554,8 @@ runtime:
       docker-tag-pusher:
         registry: quay.io
         repository: codefresh/cf-docker-tag-pusher
-        tag: 1.3.18
-        digest: sha256:0833366c74055251fefba728807b847b8d8a5e094d94ccc0912ec7d6f0fedf51
+        tag: 1.3.19
+        digest: sha256:ec4416525bbf4912786035fbb2e1f26ae04f94559c535f02232b48eb0a1c5fa7
       fs-ops:
         registry: quay.io
         repository: codefresh/fs-ops
