v3.4 to 3.5
Breaking Changes
Behavioral Improvements / Fixes
Impersonation extended to server operations
When impersonation is enabled, it now applies to all API server operations, not just sync operations. This means that actions triggered through the UI or API (viewing logs, listing events, deleting resources, running resource actions, etc.) will use the impersonated service account derived from the AppProject's destinationServiceAccounts configuration.
Previously, impersonation only applied to sync operations.
Affected operations and required permissions:
| Operation | Kubernetes API call | Required RBAC verbs |
|---|---|---|
| Get resource | GET on the target resource | get |
| Patch resource | PATCH on the target resource | get, patch |
| Delete resource | DELETE on the target resource | delete |
| List resource events | LIST on events (core/v1) | list |
| View pod logs | GET on pods and pods/log | get |
| Run resource action | GET, CREATE, PATCH on the target resource | get, create, patch |
This list covers built-in operations. Custom resource actions may require additional permissions depending on what Kubernetes API calls they make.
Users with impersonation enabled must ensure the service accounts configured in destinationServiceAccounts have permissions for these operations.
No action is required for users who do not have impersonation enabled.
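One way to audit an impersonated service account's Role against the table above before upgrading. This is an added example, not Argo CD code: the function names, the simplified wildcard matching, and both sample rule sets are assumptions made for illustration.

```python
# Added example, not Argo CD code. Simplified RBAC matcher: honours "*" but
# ignores resourceNames and the "*/subresource" form.

# Rows of the table above; "TARGET" is the resource the user acts on,
# other entries are fixed (apiGroup, resource) pairs ("" is the core group).
REQUIRED = [
    ("Get resource", "TARGET", ["get"]),
    ("Patch resource", "TARGET", ["get", "patch"]),
    ("Delete resource", "TARGET", ["delete"]),
    ("List resource events", ("", "events"), ["list"]),
    ("View pod logs", ("", "pods"), ["get"]),
    ("View pod logs", ("", "pods/log"), ["get"]),
    ("Run resource action", "TARGET", ["get", "create", "patch"]),
]

def _grants(rule, group, resource, verb):
    """True if one Role/ClusterRole rule allows verb on group/resource."""
    return all({"*", want} & set(rule.get(key, []))
               for key, want in (("apiGroups", group),
                                 ("resources", resource),
                                 ("verbs", verb)))

def missing_permissions(rules, target):
    """Map each operation to the permissions the rules do not grant."""
    gaps = {}
    for operation, selector, verbs in REQUIRED:
        group, resource = target if selector == "TARGET" else selector
        for verb in verbs:
            if not any(_grants(r, group, resource, verb) for r in rules):
                gaps.setdefault(operation, []).append(
                    f"{verb} {group or 'core'}/{resource}")
    return gaps

# Constructed sample: a narrowly scoped role with no delete, events or pod access.
SYNC_ONLY_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "create", "update", "patch"]},
]
# Constructed sample: the same role extended for the server operations.
EXTENDED_RULES = SYNC_ONLY_RULES + [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["delete"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["list"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get"]},
]

if __name__ == "__main__":
    for name, rules in (("narrow", SYNC_ONLY_RULES), ("extended", EXTENDED_RULES)):
        print(name, missing_permissions(rules, ("apps", "deployments")))
```

Feed it the `rules` list from each Role or ClusterRole bound to the service account; an empty result means every built-in operation in the table is covered for that target resource.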
API Changes
Security Changes
Deprecated Items
Kustomize Upgraded
Helm Upgraded
Custom Healthchecks Added
Other Changes
Release sbom.tar.gz contents
For normal GitHub releases, sbom.tar.gz still includes bom-go-mod.spdx (Go dependencies, tag-value SPDX from spdx-sbom-generator) and bom-docker-image.spdx (the published release image, tag-value SPDX from sigs.k8s.io/bom). The UI dependency list is now bom-ui-pnpm.spdx.json: SPDX 2.3 JSON from pnpm sbom, replacing the old tag-value ./ui output from spdx-sbom-generator.
If you consume this archive with tooling that only looked at *.spdx files, extend it to handle bom-ui-pnpm.spdx.json as well, or verify sbom.tar.gz using argocd-sbom.intoto.jsonl without depending on a fixed internal file list.