Bump version to 3.1.13 on release-3.1 branch (#27007)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: reggie-k <19544836+reggie-k@users.noreply.github.com>

VERSION

@@ -1 +1 @@
-3.1.12
+3.1.13

hack/update-manifests.sh

@@ -18,6 +18,10 @@ IMAGE_TAG="${IMAGE_TAG:-}"
 # if the tag has not been declared, and we are on a release branch, use the VERSION file.
 if [ "$IMAGE_TAG" = "" ]; then
   branch=$(git rev-parse --abbrev-ref HEAD)
+  # In GitHub Actions PRs, HEAD is detached; use GITHUB_BASE_REF (the target branch) instead
+  if [ "$branch" = "HEAD" ] && [ -n "${GITHUB_BASE_REF:-}" ]; then
+    branch="$GITHUB_BASE_REF"
+  fi
   if [[ $branch = release-* ]]; then
     pwd
     IMAGE_TAG=v$(cat $SRCROOT/VERSION)

manifests/base/commit-server/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.1.12
+  newTag: v3.1.13

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.1.12
+  newTag: v3.1.13
 resources:
 - ./application-controller
 - ./dex

manifests/core-install-with-hydrator.yaml

@@ -24705,7 +24705,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -24831,7 +24831,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -24959,7 +24959,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25250,7 +25250,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25302,7 +25302,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -25644,7 +25644,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install.yaml

@@ -24673,7 +24673,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -24793,7 +24793,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25084,7 +25084,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25136,7 +25136,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -25478,7 +25478,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.1.12
+  newTag: v3.1.13

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.1.12
+  newTag: v3.1.13
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/install-with-hydrator.yaml

@@ -26071,7 +26071,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -26197,7 +26197,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -26348,7 +26348,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -26444,7 +26444,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -26568,7 +26568,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -26885,7 +26885,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -26937,7 +26937,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -27311,7 +27311,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -27689,7 +27689,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/install.yaml

@@ -26041,7 +26041,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -26184,7 +26184,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -26280,7 +26280,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -26404,7 +26404,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -26721,7 +26721,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -26773,7 +26773,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -27147,7 +27147,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -27525,7 +27525,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install-with-hydrator.yaml

@@ -1874,7 +1874,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -2000,7 +2000,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2151,7 +2151,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2247,7 +2247,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2371,7 +2371,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2688,7 +2688,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2740,7 +2740,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -3114,7 +3114,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3492,7 +3492,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -1844,7 +1844,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1987,7 +1987,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2083,7 +2083,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2207,7 +2207,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2524,7 +2524,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2576,7 +2576,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2950,7 +2950,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3328,7 +3328,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install-with-hydrator.yaml

@@ -25165,7 +25165,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -25291,7 +25291,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25442,7 +25442,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -25538,7 +25538,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -25640,7 +25640,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25931,7 +25931,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25983,7 +25983,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -26355,7 +26355,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -26733,7 +26733,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -25133,7 +25133,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -25276,7 +25276,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -25372,7 +25372,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -25474,7 +25474,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25765,7 +25765,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25817,7 +25817,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -26189,7 +26189,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -26567,7 +26567,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install-with-hydrator.yaml

@@ -968,7 +968,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1094,7 +1094,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1245,7 +1245,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1341,7 +1341,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1443,7 +1443,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1734,7 +1734,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1786,7 +1786,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2158,7 +2158,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2536,7 +2536,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -936,7 +936,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1079,7 +1079,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1175,7 +1175,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1277,7 +1277,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1568,7 +1568,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1620,7 +1620,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1992,7 +1992,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2370,7 +2370,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.1.12
+        image: quay.io/argoproj/argocd:v3.1.13
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

server/server.go

@@ -942,6 +942,8 @@ func (server *ArgoCDServer) newGRPCServer(prometheusRegistry *prometheus.Registr
 	// NOTE: notice we do not configure the gRPC server here with TLS (e.g. grpc.Creds(creds))
 	// This is because TLS handshaking occurs in cmux handling
 	sOpts = append(sOpts, grpc.ChainStreamInterceptor(
+		// for mitigation of grpc-go CVE-2026-33186, see https://github.com/argoproj/argo-cd/issues/26932
+		grpc_util.InvalidMethodNameErrorStreamServerInterceptor(),
 		otelgrpc.StreamServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		logging.StreamServerInterceptor(grpc_util.InterceptorLogger(server.log)),
 		serverMetrics.StreamServerInterceptor(),
@@ -955,6 +957,8 @@ func (server *ArgoCDServer) newGRPCServer(prometheusRegistry *prometheus.Registr
 		recovery.StreamServerInterceptor(recovery.WithRecoveryHandler(grpc_util.LoggerRecoveryHandler(server.log))),
 	))
 	sOpts = append(sOpts, grpc.ChainUnaryInterceptor(
+		// for mitigation of grpc-go CVE-2026-33186, see https://github.com/argoproj/argo-cd/issues/26932
+		grpc_util.InvalidMethodNameErrorUnaryServerInterceptor(),
 		bug21955WorkaroundInterceptor,
 		otelgrpc.UnaryServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		logging.UnaryServerInterceptor(grpc_util.InterceptorLogger(server.log)),

server/server_test.go

@@ -18,6 +18,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/metadata"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -29,6 +30,7 @@ import (
 
 	"github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v3/pkg/apiclient/project"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient/session"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	apps "github.com/argoproj/argo-cd/v3/pkg/client/clientset/versioned/fake"
@@ -40,6 +42,10 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/cache"
 	appstatecache "github.com/argoproj/argo-cd/v3/util/cache/appstate"
 	"github.com/argoproj/argo-cd/v3/util/oidc"
+
+	"google.golang.org/grpc/credentials/insecure"
+
+	grpc_util "github.com/argoproj/argo-cd/v3/util/grpc"
 	"github.com/argoproj/argo-cd/v3/util/rbac"
 	settings_util "github.com/argoproj/argo-cd/v3/util/settings"
 	testutil "github.com/argoproj/argo-cd/v3/util/test"
@@ -1710,3 +1716,101 @@ func Test_StaticAssetsDir_no_symlink_traversal(t *testing.T) {
 	resp = w.Result()
 	assert.Equal(t, http.StatusOK, resp.StatusCode, "should have been able to access the normal file")
 }
+
+// test mitigation for  grpc-go CVE-2026-33186, see https://github.com/argoproj/argo-cd/issues/26932
+func TestGrpcInvalidMethodNameCVEFix(t *testing.T) {
+	timeout := 10 * time.Second
+	listenHost := "localhost"
+	listenPort, err := test.GetFreePort()
+	require.NoError(t, err)
+	serverAddr := fmt.Sprintf("%s:%d", listenHost, listenPort)
+	redis, redisCloser := test.NewInMemoryRedis()
+	defer redisCloser()
+	argoCDOpts := ArgoCDServerOpts{
+		DisableAuth:   true,
+		Insecure:      true,
+		ListenPort:    listenPort,
+		ListenHost:    listenHost,
+		Namespace:     test.FakeArgoCDNamespace,
+		KubeClientset: fake.NewSimpleClientset(test.NewFakeConfigMap(), test.NewFakeSecret()),
+		AppClientset:  apps.NewSimpleClientset(),
+		RepoClientset: &mocks.Clientset{RepoServerServiceClient: &mocks.RepoServerServiceClient{}},
+		RedisClient:   redis,
+	}
+	runCtx, runCancel := context.WithTimeout(t.Context(), timeout)
+	defer runCancel()
+	argocd := NewServer(runCtx, argoCDOpts, ApplicationSetOpts{})
+	assert.NotNil(t, argocd)
+	listeners, err := argocd.Listen()
+	require.NoError(t, err)
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+	argocd.Init(ctx)
+
+	wg := gosync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		argocd.Run(ctx, listeners)
+	}()
+
+	err = test.WaitForPortListen(serverAddr, timeout)
+	require.NoError(t, err)
+
+	var dialOpts []grpc.DialOption
+	creds := insecure.NewCredentials()
+	conn, err := grpc_util.BlockingDial(ctx, "tcp", serverAddr, creds, dialOpts...)
+	require.NoError(t, err)
+	defer conn.Close()
+
+	projectGetOut := new(v1alpha1.AppProject)
+	projectGetIn := &project.ProjectQuery{Name: "default"}
+	invalidunaryServiceName := "project.ProjectService/Get"
+	invalidStreamingMethodName := "application.ApplicationService/GetManifestsWithFiles"
+
+	streamDesc := &grpc.StreamDesc{
+		StreamName:    "dummy_stream",
+		ClientStreams: true,
+		ServerStreams: false,
+	}
+
+	t.Run("unary method with invalid name", func(t *testing.T) {
+		err = conn.Invoke(ctx, invalidunaryServiceName, projectGetIn, projectGetOut)
+		// it should fail with the "malformed method name" error message from interceptor,
+		// but it does not, because unary methods do not seem to be vulnerable because of
+		// the way their handler code is autogenerated: if there are interceptors
+		// it implicitly sanitizes the service name before calling the actual handler,
+		require.NoError(t, err)
+	})
+	t.Run("unary method with valid name", func(t *testing.T) {
+		err = conn.Invoke(ctx, "/"+invalidunaryServiceName, projectGetIn, projectGetOut)
+		require.NoError(t, err)
+	})
+	t.Run("streaming method with invalid name", func(t *testing.T) {
+		stream, err := conn.NewStream(ctx, streamDesc, invalidStreamingMethodName)
+		require.NoError(t, err)
+		err = stream.CloseSend()
+		require.NoError(t, err)
+		var resp any
+		err = stream.RecvMsg(&resp)
+		// ensure we get error method from interceptor
+		require.ErrorContains(t, err, "code = InvalidArgument desc = malformed method name: \""+invalidStreamingMethodName+"\"")
+	})
+	t.Run("streaming method with valid name", func(t *testing.T) {
+		stream, err := conn.NewStream(ctx, streamDesc, "/"+invalidStreamingMethodName)
+		require.NoError(t, err)
+		err = stream.CloseSend()
+		require.NoError(t, err)
+		var resp any
+		err = stream.RecvMsg(&resp)
+		// ensure we get the expected error from the actual logic of the method
+		require.ErrorContains(t, err, "code = Unknown desc = error getting query: failed to receive header: EOF")
+	})
+	argocd.stopCh <- syscall.SIGINT
+	wg.Wait()
+
+	err = argocd.healthCheck(&http.Request{URL: &url.URL{Path: "/healthz", RawQuery: "full=true"}})
+	require.Error(t, err, "API Server is terminating and unable to serve requests.")
+	assert.True(t, argocd.terminateRequested.Load())
+	assert.False(t, argocd.available.Load())
+}

ui/src/app/applications/components/application-status-panel/application-status-panel.tsx

@@ -8,6 +8,7 @@ import {services} from '../../../shared/services';
 import {
     ApplicationSyncWindowStatusIcon,
     ComparisonStatusIcon,
+    formatApplicationSetProgressiveSyncStep,
     getAppDefaultSource,
     getAppDefaultSyncRevisionExtra,
     getAppOperationState,
@@ -130,7 +131,7 @@ const ProgressiveSyncStatus = ({application}: {application: models.Application})
                         <div className='application-status-panel__item-value' style={{color: getProgressiveSyncStatusColor(appResource.status)}}>
                             {getProgressiveSyncStatusIcon({status: appResource.status})}&nbsp;{appResource.status}
                         </div>
-                        {appResource?.step && <div className='application-status-panel__item-value'>Wave: {appResource.step}</div>}
+                        {appResource?.step !== undefined && <div className='application-status-panel__item-value'>{formatApplicationSetProgressiveSyncStep(appResource.step)}</div>}
                         {lastTransitionTime && (
                             <div className='application-status-panel__item-name' style={{marginBottom: '0.5em'}}>
                                 Last Transition: <br />

ui/src/app/applications/components/utils.tsx

@@ -1705,6 +1705,14 @@ export function getAppUrl(app: appModels.Application): string {
     return `applications/${app.metadata.namespace}/${app.metadata.name}`;
 }
 
+/** RollingSync step for display; backend uses -1 when no step matches the app's labels. */
+export function formatApplicationSetProgressiveSyncStep(step: string | undefined): string {
+    if (step === '-1') {
+        return 'Step: unmatched label';
+    }
+    return `Step: ${step ?? ''}`;
+}
+
 export const getProgressiveSyncStatusIcon = ({status, isButton}: {status: string; isButton?: boolean}) => {
     const getIconProps = () => {
         switch (status) {

ui/yarn.lock

@@ -6437,9 +6437,9 @@ locate-path@^6.0.0:
     p-locate "^5.0.0"
 
 lodash-es@^4.17.21, lodash-es@^4.2.1:
-  version "4.17.21"
-  resolved "https://registry.yarnpkg.com/lodash-es/-/lodash-es-4.17.21.tgz#43e626c46e6591b7750beb2b50117390c609e3ee"
-  integrity sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==
+  version "4.17.23"
+  resolved "https://registry.yarnpkg.com/lodash-es/-/lodash-es-4.17.23.tgz#58c4360fd1b5d33afc6c0bbd3d1149349b1138e0"
+  integrity sha512-kVI48u3PZr38HdYz98UmfPnXl2DXrpdctLrFLCd3kOx1xUkOmpFPx7gCWWM5MPkL/fD8zb+Ph0QzjGFs4+hHWg==
 
 lodash.memoize@4.x:
   version "4.1.2"
@@ -6452,9 +6452,9 @@ lodash.merge@^4.6.2:
   integrity sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==
 
 lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.20, lodash@^4.17.21, lodash@^4.2.1, lodash@^4.6.1:
-  version "4.17.21"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
-  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+  version "4.17.23"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.23.tgz#f113b0378386103be4f6893388c73d0bde7f2c5a"
+  integrity sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==
 
 loose-envify@^1.0.0, loose-envify@^1.1.0, loose-envify@^1.2.0, loose-envify@^1.3.1, loose-envify@^1.4.0:
   version "1.4.0"

util/grpc/errors.go

@@ -3,6 +3,8 @@ package grpc
 import (
 	"context"
 	"errors"
+	"fmt"
+	"strings"
 
 	giterr "github.com/go-git/go-git/v5/plumbing/transport"
 	"google.golang.org/grpc"
@@ -132,3 +134,25 @@ func ErrorCodeK8sStreamServerInterceptor() grpc.StreamServerInterceptor {
 		return kubeErrToGRPC(err)
 	}
 }
+
+// InvalidMethodNameErrorUnaryServerInterceptor is for mitigation of grpc-go CVE-2026-33186
+// see discussion in https://github.com/argoproj/argo-cd/issues/26932
+func InvalidMethodNameErrorUnaryServerInterceptor() grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, err error) {
+		if !strings.HasPrefix(info.FullMethod, "/") {
+			return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("malformed method name: %q", info.FullMethod))
+		}
+		return handler(ctx, req)
+	}
+}
+
+// InvalidMethodNameErrorStreamServerInterceptor is for mitigation of grpc-go CVE-2026-33186
+// see discussion in https://github.com/argoproj/argo-cd/issues/26932
+func InvalidMethodNameErrorStreamServerInterceptor() grpc.StreamServerInterceptor {
+	return func(srv any, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+		if !strings.HasPrefix(info.FullMethod, "/") {
+			return status.Error(codes.InvalidArgument, fmt.Sprintf("malformed method name: %q", info.FullMethod))
+		}
+		return handler(srv, ss)
+	}
+}

util/grpc/errors_test.go

@@ -1,10 +1,12 @@
 package grpc
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"testing"
 
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -153,3 +155,56 @@ func Test_kubeErrToGRPC(t *testing.T) {
 		})
 	}
 }
+
+func checkGrpcError(t *testing.T, err error, msg string) {
+	t.Helper()
+	require.Error(t, err)
+	s, ok := status.FromError(err)
+	assert.True(t, ok)
+	assert.Equal(t, codes.InvalidArgument, s.Code())
+	assert.ErrorContains(t, err, msg)
+}
+
+func TestInvalidMethodNameErrorUnaryServerInterceptor(t *testing.T) {
+	interceptor := InvalidMethodNameErrorUnaryServerInterceptor()
+	handler := func(_ context.Context, _ any) (any, error) {
+		return nil, nil
+	}
+	t.Run("Test invalid method name", func(t *testing.T) {
+		info := &grpc.UnaryServerInfo{FullMethod: "foo"}
+		_, err := interceptor(t.Context(), nil, info, handler)
+		checkGrpcError(t, err, "malformed method name: \"foo\"")
+	})
+	t.Run("Test empty method name", func(t *testing.T) {
+		info := &grpc.UnaryServerInfo{FullMethod: ""}
+		_, err := interceptor(t.Context(), nil, info, handler)
+		checkGrpcError(t, err, "malformed method name: \"\"")
+	})
+	t.Run("Test valid method name", func(t *testing.T) {
+		info := &grpc.UnaryServerInfo{FullMethod: "/foo"}
+		_, err := interceptor(t.Context(), nil, info, handler)
+		assert.NoError(t, err)
+	})
+}
+
+func TestInvalidMethodNameErrorStreamServerInterceptor(t *testing.T) {
+	interceptor := InvalidMethodNameErrorStreamServerInterceptor()
+	handler := func(_ any, _ grpc.ServerStream) error {
+		return nil
+	}
+	t.Run("Test invalid method name", func(t *testing.T) {
+		info := &grpc.StreamServerInfo{FullMethod: "foo"}
+		err := interceptor(t.Context(), nil, info, handler)
+		checkGrpcError(t, err, "malformed method name: \"foo\"")
+	})
+	t.Run("Test empty method name", func(t *testing.T) {
+		info := &grpc.StreamServerInfo{FullMethod: ""}
+		err := interceptor(t.Context(), nil, info, handler)
+		checkGrpcError(t, err, "malformed method name: \"\"")
+	})
+	t.Run("Test valid method name", func(t *testing.T) {
+		info := &grpc.StreamServerInfo{FullMethod: "/foo"}
+		err := interceptor(nil, nil, info, handler)
+		assert.NoError(t, err)
+	})
+}