fix: Add X-Frame-Options and CSP headers to Swagger UI endpoints (#26521 )

Signed-off-by: rohansood10 <rohansood10@users.noreply.github.com> Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com> Co-authored-by: rohansood10 <rohansood10@users.noreply.github.com> Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
chore(deps): bump picomatch from 2.3.1 to 2.3.2 in /ui (#27017 )
2026-04-05 00:08:49 +02:00 · 2026-04-04 00:58:32 +00:00 · 2026-04-04 01:37:57 +02:00 · 2026-04-04 01:37:09 +02:00 · 2026-04-04 01:33:37 +02:00 · 2026-04-03 20:08:58 +02:00
16 changed files with 104 additions and 119 deletions
--- a/controller/appcontroller_test.go
+++ b/controller/appcontroller_test.go
@@ -662,8 +662,7 @@ func TestAutoSync(t *testing.T) {

 func TestAutoSyncEnabledSetToTrue(t *testing.T) {
 	app := newFakeApp()
-	enable := true
-	app.Spec.SyncPolicy.Automated = &v1alpha1.SyncPolicyAutomated{Enabled: &enable}
+	app.Spec.SyncPolicy.Automated = &v1alpha1.SyncPolicyAutomated{Enabled: new(true)}
 	ctrl := newFakeController(t.Context(), &fakeData{apps: []runtime.Object{app}}, nil)
 	syncStatus := v1alpha1.SyncStatus{
 		Status:   v1alpha1.SyncStatusCodeOutOfSync,
@@ -789,8 +788,7 @@ func TestSkipAutoSync(t *testing.T) {
 	// Verify we skip when auto-sync is disabled
 	t.Run("AutoSyncEnableFieldIsSetFalse", func(t *testing.T) {
 		app := newFakeApp()
-		enable := false
-		app.Spec.SyncPolicy.Automated = &v1alpha1.SyncPolicyAutomated{Enabled: &enable}
+		app.Spec.SyncPolicy.Automated = &v1alpha1.SyncPolicyAutomated{Enabled: new(false)}
 		ctrl := newFakeController(t.Context(), &fakeData{apps: []runtime.Object{app}}, nil)
 		syncStatus := v1alpha1.SyncStatus{
 			Status:   v1alpha1.SyncStatusCodeOutOfSync,
--- a/docs/developer-guide/submit-your-pr.md
+++ b/docs/developer-guide/submit-your-pr.md
@@ -1,7 +1,8 @@
 # Submitting PRs

 ## Prerequisites
-1. [Development Environment](development-environment.md)   
+
+1. [Development Environment](development-environment.md)
 2. [Toolchain Guide](toolchain-guide.md)
 3. [Development Cycle](development-cycle.md)

@@ -21,10 +22,10 @@ If you need guidance with submitting a PR, or have any other questions regarding

 ## Before Submitting a PR

-1. Rebase your branch against upstream main:
+1. Rebase your branch against upstream master:
 ```shell
 git fetch upstream
-git rebase upstream/main
+git rebase upstream/master
 ```

 2. Run pre-commit checks:
--- a/go.mod
+++ b/go.mod
@@ -149,7 +149,7 @@ require (
 	github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20240116134246-a8cbe886bab0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.5
 	github.com/aws/aws-sdk-go-v2/config v1.32.13
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.14
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.13
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
@@ -158,10 +158,10 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.10
-	github.com/aws/smithy-go v1.24.2
+	github.com/aws/smithy-go v1.24.3
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
@@ -187,7 +187,7 @@ require (
 	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.24.3 // indirect
 	github.com/go-openapi/errors v0.22.7 // indirect
--- a/go.sum
+++ b/go.sum
@@ -128,8 +128,8 @@ github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV
 github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
 github.com/aws/aws-sdk-go-v2/config v1.32.13 h1:5KgbxMaS2coSWRrx9TX/QtWbqzgQkOdEa3sZPhBhCSg=
 github.com/aws/aws-sdk-go-v2/config v1.32.13/go.mod h1:8zz7wedqtCbw5e9Mi2doEwDyEgHcEE9YOJp6a8jdSMY=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.14 h1:n+UcGWAIZHkXzYt87uMFBv/l8THYELoX6gVcUvgl6fI=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.14/go.mod h1:cJKuyWB59Mqi0jM3nFYQRmnHVQIcgoxjEMAbLkpr62w=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.13 h1:mA59E3fokBvyEGHKFdnpNNrvaR351cqiHgRg+JzOSRI=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.13/go.mod h1:yoTXOQKea18nrM69wGF9jBdG4WocSZA1h38A+t/MAsk=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 h1:NUS3K4BTDArQqNu2ih7yeDLaS3bmHD0YndtA6UP884g=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21/go.mod h1:YWNWJQNjKigKY1RHVJCuupeWDrrHjRqHm0N9rdrWzYI=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4=
@@ -150,14 +150,14 @@ github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1K
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.9/go.mod h1:7yuQJoT+OoH8aqIxw9vwF+8KpvLZ8AWmvmUWHsGQZvI=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 h1:ZtgZeMPJH8+/vNs9vJFFLI0QEzYbcN0p7x1/FFwyROc=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1/go.mod h1:Bar4MrRxeqdn6XIh8JGfiXuFRmyrrsZNTJotxEJmWW0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 h1:lFd1+ZSEYJZYvv9d6kXzhkZu07si3f+GQ1AaYwa2LUM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.15/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 h1:dzztQ1YmfPrxdrOiuZRMF6fuOwWlWpD2StNLTceKpys=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.14 h1:GcLE9ba5ehAQma6wlopUesYg/hbcOhFNWTjELkiWkh4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.14/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18 h1:mP49nTpfKtpXLt5SLn8Uv8z6W+03jYVoOSAl/c02nog=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.18/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w=
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 h1:p8ogvvLugcR/zLBXTXrTkj0RYBUdErbMnAFFp12Lm/U=
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.10/go.mod h1:60dv0eZJfeVXfbT1tFJinbHrDfSJ2GZl4Q//OSSNAVw=
-github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
-github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
+github.com/aws/smithy-go v1.24.3 h1:XgOAaUgx+HhVBoP4v8n6HCQoTRDhoMghKqw4LNHsDNg=
+github.com/aws/smithy-go v1.24.3/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -311,8 +311,8 @@ github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
-github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ=
+github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
 github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -1004,7 +1004,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190422183909-d864b10871cd/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
--- a/test/e2e/app_autosync_ns_test.go
+++ b/test/e2e/app_autosync_ns_test.go
@@ -24,8 +24,7 @@ func TestNSAutoSyncSelfHealDisabled(t *testing.T) {
 		When().
 		// app should be auto-synced once created
 		CreateFromFile(func(app *Application) {
-			selfHeal := false
-			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{SelfHeal: &selfHeal}}
+			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{SelfHeal: new(false)}}
 		}).
 		Then().
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
@@ -53,9 +52,8 @@ func TestNSAutoSyncSelfHealEnabled(t *testing.T) {
 		When().
 		// app should be auto-synced once created
 		CreateFromFile(func(app *Application) {
-			selfHeal := true
 			app.Spec.SyncPolicy = &SyncPolicy{
-				Automated: &SyncPolicyAutomated{SelfHeal: &selfHeal},
+				Automated: &SyncPolicyAutomated{SelfHeal: new(true)},
 				Retry:     &RetryStrategy{Limit: 0},
 			}
 		}).
--- a/test/e2e/app_autosync_test.go
+++ b/test/e2e/app_autosync_test.go
@@ -23,8 +23,7 @@ func TestAutoSyncSelfHealDisabled(t *testing.T) {
 		When().
 		// app should be auto-synced once created
 		CreateFromFile(func(app *Application) {
-			selfHeal := false
-			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{SelfHeal: &selfHeal}}
+			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{SelfHeal: new(false)}}
 		}).
 		Then().
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
@@ -51,9 +50,8 @@ func TestAutoSyncSelfHealEnabled(t *testing.T) {
 		When().
 		// app should be auto-synced once created
 		CreateFromFile(func(app *Application) {
-			selfHeal := true
 			app.Spec.SyncPolicy = &SyncPolicy{
-				Automated: &SyncPolicyAutomated{SelfHeal: &selfHeal},
+				Automated: &SyncPolicyAutomated{SelfHeal: new(true)},
 				Retry:     &RetryStrategy{Limit: 0},
 			}
 		}).
@@ -194,9 +192,8 @@ func TestAutoSyncAllowEmptyCanBeDisabled(t *testing.T) {
 		Path(guestbookPath).
 		When().
 		CreateFromFile(func(app *Application) {
-			allowEmpty := true
 			app.Spec.SyncPolicy = &SyncPolicy{
-				Automated: &SyncPolicyAutomated{AllowEmpty: &allowEmpty},
+				Automated: &SyncPolicyAutomated{AllowEmpty: new(true)},
 			}
 		}).
 		Then().
--- a/test/e2e/applicationset_test.go
+++ b/test/e2e/applicationset_test.go
@@ -615,26 +615,6 @@ func TestTemplatePatch(t *testing.T) {
 		},
 	}

-	templatePatch := `{
-		"metadata": {
-			"annotations": {
-				{{- range $k, $v := .annotations }}
-				"{{ $k }}": "{{ $v }}"
-				{{- end }}
-			}
-		},
-		{{- if .createNamespace }}
-		"spec": {
-			"syncPolicy": {
-				"syncOptions": [
-					"CreateNamespace=true"
-				]
-			}
-		}
-		{{- end }}
-	}
-	`
-
 	var expectedAppNewNamespace *v1alpha1.Application
 	var expectedAppNewMetadata *v1alpha1.Application

@@ -658,7 +638,25 @@ func TestTemplatePatch(t *testing.T) {
 					},
 				},
 			},
-			TemplatePatch: &templatePatch,
+			TemplatePatch: new(`{
+		"metadata": {
+			"annotations": {
+				{{- range $k, $v := .annotations }}
+				"{{ $k }}": "{{ $v }}"
+				{{- end }}
+			}
+		},
+		{{- if .createNamespace }}
+		"spec": {
+			"syncPolicy": {
+				"syncOptions": [
+					"CreateNamespace=true"
+				]
+			}
+		}
+		{{- end }}
+	}
+	`),
 			Generators: []v1alpha1.ApplicationSetGenerator{
 				{
 					List: &v1alpha1.ListGenerator{
@@ -878,9 +876,8 @@ func TestSyncPolicyCreateUpdate(t *testing.T) {
 			appset.Spec.Template.Labels = map[string]string{
 				"label-key": "label-value",
 			}
-			applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateUpdate
 			appset.Spec.SyncPolicy = &v1alpha1.ApplicationSetSyncPolicy{
-				ApplicationsSync: &applicationsSyncPolicy,
+				ApplicationsSync: new(v1alpha1.ApplicationsSyncPolicyCreateUpdate),
 			}
 		}).Then().Expect(ApplicationsExist([]v1alpha1.Application{*expectedAppNewMetadata})).

@@ -976,9 +973,8 @@ func TestSyncPolicyCreateDelete(t *testing.T) {
 		Update(func(appset *v1alpha1.ApplicationSet) {
 			appset.Spec.Template.Annotations = map[string]string{"annotation-key": "annotation-value"}
 			appset.Spec.Template.Labels = map[string]string{"label-key": "label-value"}
-			applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateDelete
 			appset.Spec.SyncPolicy = &v1alpha1.ApplicationSetSyncPolicy{
-				ApplicationsSync: &applicationsSyncPolicy,
+				ApplicationsSync: new(v1alpha1.ApplicationsSyncPolicyCreateDelete),
 			}
 		}).Then().Expect(ApplicationsExist([]v1alpha1.Application{*expectedAppNewNamespace})).

@@ -1075,9 +1071,8 @@ func TestSyncPolicyCreateOnly(t *testing.T) {
 		Update(func(appset *v1alpha1.ApplicationSet) {
 			appset.Spec.Template.Annotations = map[string]string{"annotation-key": "annotation-value"}
 			appset.Spec.Template.Labels = map[string]string{"label-key": "label-value"}
-			applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateOnly
 			appset.Spec.SyncPolicy = &v1alpha1.ApplicationSetSyncPolicy{
-				ApplicationsSync: &applicationsSyncPolicy,
+				ApplicationsSync: new(v1alpha1.ApplicationsSyncPolicyCreateOnly),
 			}
 		}).Then().Expect(ApplicationsExist([]v1alpha1.Application{*expectedAppNewNamespace})).

@@ -1334,9 +1329,6 @@ func TestSimpleSCMProviderGenerator(t *testing.T) {
 		},
 	}

-	// Because you can't &"".
-	repoMatch := "argo-cd"
-
 	Given(t).
 		// Create an SCMProviderGenerator-based ApplicationSet
 		When().Create(v1alpha1.ApplicationSet{
@@ -1365,7 +1357,7 @@ func TestSimpleSCMProviderGenerator(t *testing.T) {
 						},
 						Filters: []v1alpha1.SCMProviderGeneratorFilter{
 							{
-								RepositoryMatch: &repoMatch,
+								RepositoryMatch: new("argo-cd"),
 							},
 						},
 					},
@@ -1406,9 +1398,6 @@ func TestSimpleSCMProviderGeneratorGoTemplate(t *testing.T) {
 		},
 	}

-	// Because you can't &"".
-	repoMatch := "argo-cd"
-
 	Given(t).
 		// Create an SCMProviderGenerator-based ApplicationSet
 		When().Create(v1alpha1.ApplicationSet{
@@ -1438,7 +1427,7 @@ func TestSimpleSCMProviderGeneratorGoTemplate(t *testing.T) {
 						},
 						Filters: []v1alpha1.SCMProviderGeneratorFilter{
 							{
-								RepositoryMatch: &repoMatch,
+								RepositoryMatch: new("argo-cd"),
 							},
 						},
 					},
@@ -1473,9 +1462,6 @@ func TestSCMProviderGeneratorSCMProviderNotAllowed(t *testing.T) {
 		},
 	}

-	// Because you can't &"".
-	repoMatch := "argo-cd"
-
 	ctx := Given(t)
 	// Create an SCMProviderGenerator-based ApplicationSet
 	ctx.When().Create(v1alpha1.ApplicationSet{
@@ -1505,7 +1491,7 @@ func TestSCMProviderGeneratorSCMProviderNotAllowed(t *testing.T) {
 						},
 						Filters: []v1alpha1.SCMProviderGeneratorFilter{
 							{
-								RepositoryMatch: &repoMatch,
+								RepositoryMatch: new("argo-cd"),
 							},
 						},
 					},
@@ -1721,9 +1707,6 @@ func TestSimpleSCMProviderGeneratorTokenRefStrictOk(t *testing.T) {
 		},
 	}

-	// Because you can't &"".
-	repoMatch := "argo-cd"
-
 	Given(t).
 		And(func() {
 			_, err := utils.GetE2EFixtureK8sClient(t).KubeClientset.CoreV1().Secrets(fixture.TestNamespace()).Create(t.Context(), &corev1.Secret{
@@ -1772,7 +1755,7 @@ func TestSimpleSCMProviderGeneratorTokenRefStrictOk(t *testing.T) {
 						},
 						Filters: []v1alpha1.SCMProviderGeneratorFilter{
 							{
-								RepositoryMatch: &repoMatch,
+								RepositoryMatch: new("argo-cd"),
 							},
 						},
 					},
@@ -1823,9 +1806,6 @@ func TestSimpleSCMProviderGeneratorTokenRefStrictKo(t *testing.T) {
 		},
 	}

-	// Because you can't &"".
-	repoMatch := "argo-cd"
-
 	ctx := Given(t)
 	ctx.And(func() {
 		_, err := utils.GetE2EFixtureK8sClient(t).KubeClientset.CoreV1().Secrets(fixture.TestNamespace()).Create(t.Context(), &corev1.Secret{
@@ -1875,7 +1855,7 @@ func TestSimpleSCMProviderGeneratorTokenRefStrictKo(t *testing.T) {
 						},
 						Filters: []v1alpha1.SCMProviderGeneratorFilter{
 							{
-								RepositoryMatch: &repoMatch,
+								RepositoryMatch: new("argo-cd"),
 							},
 						},
 					},
--- a/test/e2e/clusterdecisiongenerator_e2e_test.go
+++ b/test/e2e/clusterdecisiongenerator_e2e_test.go
@@ -14,8 +14,6 @@ import (
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application"
 )

-var tenSec = int64(10)
-
 func TestSimpleClusterDecisionResourceGeneratorExternalNamespace(t *testing.T) {
 	externalNamespace := string(utils.ArgoCDExternalNamespace)

@@ -296,7 +294,7 @@ func TestSimpleClusterDecisionResourceGeneratorAddingCluster(t *testing.T) {
 						ClusterDecisionResource: &v1alpha1.DuckTypeGenerator{
 							ConfigMapRef:        "my-configmap",
 							Name:                "my-placementdecision",
-							RequeueAfterSeconds: &tenSec,
+							RequeueAfterSeconds: new(int64(10)),
 						},
 					},
 				},
@@ -389,7 +387,7 @@ func TestSimpleClusterDecisionResourceGeneratorDeletingClusterSecret(t *testing.
 						ClusterDecisionResource: &v1alpha1.DuckTypeGenerator{
 							ConfigMapRef:        "my-configmap",
 							Name:                "my-placementdecision",
-							RequeueAfterSeconds: &tenSec,
+							RequeueAfterSeconds: new(int64(10)),
 						},
 					},
 				},
@@ -490,7 +488,7 @@ func TestSimpleClusterDecisionResourceGeneratorDeletingClusterFromResource(t *te
 						ClusterDecisionResource: &v1alpha1.DuckTypeGenerator{
 							ConfigMapRef:        "my-configmap",
 							Name:                "my-placementdecision",
-							RequeueAfterSeconds: &tenSec,
+							RequeueAfterSeconds: new(int64(10)),
 						},
 					},
 				},
--- a/test/e2e/fixture/app/actions.go
+++ b/test/e2e/fixture/app/actions.go
@@ -199,7 +199,7 @@ func (a *Actions) CreateMultiSourceAppFromFile(flags ...string) *Actions {
 			},
 			SyncPolicy: &v1alpha1.SyncPolicy{
 				Automated: &v1alpha1.SyncPolicyAutomated{
-					SelfHeal: func() *bool { b := true; return &b }(),
+					SelfHeal: new(true),
 				},
 			},
 		},
--- a/test/e2e/git_test.go
+++ b/test/e2e/git_test.go
@@ -129,8 +129,7 @@ func TestAnnotatedTagInStatusSyncRevision(t *testing.T) {
 		// Create Application targeting annotated-tag, with automatedSync: true
 		CreateFromFile(func(app *Application) {
 			app.Spec.Source.TargetRevision = "annotated-tag"
-			prune, selfHeal := true, false
-			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{Prune: &prune, SelfHeal: &selfHeal}}
+			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{Prune: new(true), SelfHeal: new(false)}}
 		}).
 		Then().
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
@@ -165,8 +164,7 @@ func TestAutomatedSelfHealingAgainstAnnotatedTag(t *testing.T) {
 		// App should be auto-synced once created
 		CreateFromFile(func(app *Application) {
 			app.Spec.Source.TargetRevision = "annotated-tag"
-			prune, selfHeal := true, false
-			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{Prune: &prune, SelfHeal: &selfHeal}}
+			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{Prune: new(true), SelfHeal: new(false)}}
 		}).
 		Then().
 		ExpectConsistently(SyncStatusIs(SyncStatusCodeSynced), WaitDuration, time.Second*10).
@@ -218,8 +216,7 @@ func TestAutomatedSelfHealingAgainstLightweightTag(t *testing.T) {
 		// App should be auto-synced once created
 		CreateFromFile(func(app *Application) {
 			app.Spec.Source.TargetRevision = "annotated-tag"
-			prune, selfHeal := true, false
-			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{Prune: &prune, SelfHeal: &selfHeal}}
+			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{Prune: new(true), SelfHeal: new(false)}}
 		}).
 		Then().
 		ExpectConsistently(SyncStatusIs(SyncStatusCodeSynced), WaitDuration, time.Second*10).
--- a/test/e2e/sync_options_test.go
+++ b/test/e2e/sync_options_test.go
@@ -131,8 +131,7 @@ func TestSyncWithStatusIgnored(t *testing.T) {
 			}))
 		}).
 		CreateFromFile(func(app *Application) {
-			selfHeal := true
-			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{SelfHeal: &selfHeal}}
+			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{SelfHeal: new(true)}}
 		}).
 		Then().
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
@@ -181,8 +180,7 @@ func TestSyncWithSkipHook(t *testing.T) {
 		Path(guestbookPath).
 		When().
 		CreateFromFile(func(app *Application) {
-			selfHeal := true
-			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{SelfHeal: &selfHeal}}
+			app.Spec.SyncPolicy = &SyncPolicy{Automated: &SyncPolicyAutomated{SelfHeal: new(true)}}
 		}).
 		Then().
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
--- a/ui/package.json
+++ b/ui/package.json
@@ -28,7 +28,7 @@
    "js-yaml": "^4.1.1",
    "json-merge-patch": "^0.2.3",
    "lodash-es": "^4.17.21",
-    "minimatch": "^3.1.3",
+    "minimatch": "^3.1.4",
    "moment": "^2.29.4",
    "monaco-editor": "^0.33.0",
    "path": "^0.12.7",
--- a/ui/yarn.lock
+++ b/ui/yarn.lock
@@ -4643,9 +4643,9 @@ flat-cache@^4.0.0:
    keyv "^4.5.4"

 flatted@^3.2.9:
-  version "3.3.1"
-  resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.3.1.tgz#21db470729a6734d4997002f439cb308987f567a"
-  integrity sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==
+  version "3.4.2"
+  resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.4.2.tgz#f5c23c107f0f37de8dbdf24f13722b3b98d52726"
+  integrity sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==

 follow-redirects@^1.0.0:
  version "1.15.6"
@@ -6644,10 +6644,10 @@ minimatch@5.1.6, minimatch@^5.0.1:
  dependencies:
    brace-expansion "^2.0.1"

-minimatch@^3.0.4, minimatch@^3.1.2, minimatch@^3.1.3:
-  version "3.1.3"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.3.tgz#6a5cba9b31f503887018f579c89f81f61162e624"
-  integrity sha512-M2GCs7Vk83NxkUyQV1bkABc4yxgz9kILhHImZiBPAZ9ybuvCb0/H7lEl5XvIg3g+9d4eNotkZA5IWwYl0tibaA==
+minimatch@^3.0.4, minimatch@^3.1.2, minimatch@^3.1.4:
+  version "3.1.4"
+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.4.tgz#89d910ea3970a77ac8edfd30340ccd038b758079"
+  integrity sha512-twmL+S8+7yIsE9wsqgzU3E8/LumN3M3QELrBZ20OdmQ9jB2JvW5oZtBEmft84k/Gs5CG9mqtWc6Y9vW+JEzGxw==
  dependencies:
    brace-expansion "^1.1.7"

@@ -7260,15 +7260,10 @@ picocolors@^1.1.1:
  resolved "https://registry.yarnpkg.com/picocolors/-/picocolors-1.1.1.tgz#3d321af3eab939b083c8f929a1d12cda81c26b6b"
  integrity sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==

-picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.3.1:
-  version "2.3.1"
-  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz#3ba3833733646d9d3e4995946c1365a67fb07a42"
-  integrity sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==
-
-picomatch@^2.2.3:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.0.tgz#f1f061de8f6a4bf022892e2d128234fb98302972"
-  integrity sha512-lY1Q/PiJGC2zOv/z391WOTD+Z02bCgsFfvxoXXf6h7kv9o+WmsmzYqrAwY63sNgOxE4xEdq0WyUnXfKeBrSvYw==
+picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.2.3, picomatch@^2.3.1:
+  version "2.3.2"
+  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.2.tgz#5a942915e26b372dc0f0e6753149a16e6b1c5601"
+  integrity sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==

 pify@^4.0.1:
  version "4.0.1"
--- a/util/lua/lua_test.go
+++ b/util/lua/lua_test.go
@@ -1009,8 +1009,8 @@ func TestExecuteResourceActionWithParams(t *testing.T) {

 	params := []*applicationpkg.ResourceActionParameters{
 		{
-			Name:  func() *string { s := "replicas"; return &s }(),
-			Value: func() *string { s := "3"; return &s }(),
+			Name:  new("replicas"),
+			Value: new("3"),
 		},
 	}

--- a/util/swagger/swagger.go
+++ b/util/swagger/swagger.go
@@ -11,20 +11,29 @@ import (
 // filename of ReDoc script in UI's assets/scripts path
 const redocScriptName = "redoc.standalone.js"

+// withFrameOptions wraps an http.Handler to set headers that prevent iframe embedding (clickjacking protection).
+func withFrameOptions(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
+		h.ServeHTTP(w, r)
+	})
+}
+
 // ServeSwaggerUI serves the Swagger UI and JSON spec.
 func ServeSwaggerUI(mux *http.ServeMux, swaggerJSON string, uiPath string, rootPath string) {
 	prefix := path.Dir(uiPath)
 	swaggerPath := path.Join(prefix, "swagger.json")
-	mux.HandleFunc(swaggerPath, func(w http.ResponseWriter, _ *http.Request) {
+	mux.Handle(swaggerPath, withFrameOptions(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		_, _ = fmt.Fprint(w, swaggerJSON)
-	})
+	})))

 	specURL := path.Join(prefix, rootPath, "swagger.json")
 	scriptURL := path.Join(prefix, rootPath, "assets", "scripts", redocScriptName)
-	mux.Handle(uiPath, middleware.Redoc(middleware.RedocOpts{
+	mux.Handle(uiPath, withFrameOptions(middleware.Redoc(middleware.RedocOpts{
 		BasePath: prefix,
 		SpecURL:  specURL,
 		Path:     path.Base(uiPath),
 		RedocURL: scriptURL,
-	}, http.NotFoundHandler()))
+	}, http.NotFoundHandler())))
 }
--- a/util/swagger/swagger_test.go
+++ b/util/swagger/swagger_test.go
@@ -52,4 +52,19 @@ func TestSwaggerUI(t *testing.T) {
 	require.NoError(t, err)
 	require.Equalf(t, http.StatusOK, resp.StatusCode, "Was expecting status code 200 from swagger-ui, but got %d instead", resp.StatusCode)
 	require.NoError(t, resp.Body.Close())
+
+	// Verify clickjacking protection headers on swagger.json
+	require.Equal(t, "DENY", resp.Header.Get("X-Frame-Options"))
+	require.Equal(t, "frame-ancestors 'none'", resp.Header.Get("Content-Security-Policy"))
+
+	// Verify clickjacking protection headers on swagger-ui
+	uiReq, err := http.NewRequestWithContext(t.Context(), http.MethodGet, server+"/swagger-ui", http.NoBody)
+	require.NoError(t, err)
+
+	uiResp, err := http.DefaultClient.Do(uiReq)
+	require.NoError(t, err)
+	require.Equalf(t, http.StatusOK, uiResp.StatusCode, "Was expecting status code 200 from swagger-ui, but got %d instead", uiResp.StatusCode)
+	require.Equal(t, "DENY", uiResp.Header.Get("X-Frame-Options"))
+	require.Equal(t, "frame-ancestors 'none'", uiResp.Header.Get("Content-Security-Policy"))
+	require.NoError(t, uiResp.Body.Close())
 }
Author	SHA1	Message	Date
Rohan Sood	68cbd05e52	fix: Add X-Frame-Options and CSP headers to Swagger UI endpoints (#26521 ) Signed-off-by: rohansood10 <rohansood10@users.noreply.github.com> Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com> Co-authored-by: rohansood10 <rohansood10@users.noreply.github.com> Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-04-04 00:58:32 +00:00
dependabot[bot]	e21d471965	chore(deps): bump picomatch from 2.3.1 to 2.3.2 in /ui (#27017 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-04 01:37:57 +02:00
dependabot[bot]	04e4e080df	chore(deps): bump flatted from 3.3.1 to 3.4.2 in /ui (#26928 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-04 01:37:09 +02:00
dependabot[bot]	0c4946f12f	chore(deps): bump minimatch from 3.1.3 to 3.1.4 in /ui (#26641 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-04 01:33:37 +02:00
dependabot[bot]	88663928f6	chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.5 (#27142 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-03 20:08:58 +02:00
dependabot[bot]	5c03a8b37d	chore(deps): bump github.com/aws/smithy-go from 1.24.2 to 1.24.3 (#27141 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-03 20:08:32 +02:00
Seitaro Fujigaki	490f02116c	docs: fix submit-your-pr rebase target to upstream/master (#27144 ) Signed-off-by: seitarof <pyotarou@icloud.com>	2026-04-03 20:07:07 +02:00
Seitaro Fujigaki	82789b7071	refactor: use new(expr) for pointer literals in Go 1.26 (#27143 ) Signed-off-by: seitarof <pyotarou@icloud.com>	2026-04-03 10:57:32 -04:00