build: upgrade dind

masontikhonov · masontikhonov · commit 9485ccf53b59 · 2025-08-21T19:58:20.000+04:00
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -14,13 +14,13 @@ maintainers:
     url: https://codefresh-io.github.io/
 annotations:
   # 💡 Do not forget to update this annotation:
-  artifacthub.io/containsSecurityUpdates: "false"
+  artifacthub.io/containsSecurityUpdates: "true"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
     - kind: changed
-      description: "Update \"engine\" to version 1.179.3."
-    - kind: changed
-      description: "Improve \"cf.classic.build.step.name\" attribute values for internal steps for better clarity."
+      description: "Update \"dind\" to version 28.3.3-3.0.2."
+    - kind: security
+      description: "Fix CVE-2025-48060, CVE-2024-23337, CVE-2024-53427, GO-2025-3787, CVE-2025-32728, CVE-2025-5025."
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1299,11 +1299,11 @@ Install the Helm chart
 | runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) |
 | runtime.agent | bool | `true` | (for On-Premise only) Enable agent |
 | runtime.description | string | `""` | Runtime description |
-| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{},"image":{"digest":"sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.1.1-3.0.1"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
+| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{},"image":{"digest":"sha256:0f2a83603e27e6d88768a6ab8ead3e2426eaf989cd93919fa1128d98a7c617c6","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.3.3-3.0.2"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
 | runtime.dind.affinity | object | `{}` | Set affinity |
 | runtime.dind.containerSecurityContext | object | `{}` | Set container security context. |
 | runtime.dind.env | object | `{}` | Set additional env vars. |
-| runtime.dind.image | object | `{"digest":"sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.1.1-3.0.1"}` | Set dind image. |
+| runtime.dind.image | object | `{"digest":"sha256:0f2a83603e27e6d88768a6ab8ead3e2426eaf989cd93919fa1128d98a7c617c6","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.3.3-3.0.2"}` | Set dind image. |
 | runtime.dind.nodeSelector | object | `{}` | Set node selector. |
 | runtime.dind.podAnnotations | object | `{}` | Set pod annotations. |
 | runtime.dind.podLabels | object | `{}` | Set pod labels. |
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
@@ -413,9 +413,9 @@ runtime:
     image:
       registry: quay.io
       repository: codefresh/dind
-      tag: 28.1.1-3.0.1 # use `latest-rootless/rootless/28.1.1-3.0.1-rootless` tags for rootless-dind
+      tag: 28.3.3-3.0.2 # use `latest-rootless/rootless/28.3.3-3.0.2-rootless` tags for rootless-dind
       pullPolicy: IfNotPresent
-      digest: sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3
+      digest: sha256:0f2a83603e27e6d88768a6ab8ead3e2426eaf989cd93919fa1128d98a7c617c6
     # -- Set dind resources.
     resources:
       requests: null
