Cherry-pick 3.3.9

[sarabala1979]

• 61211f9 fix: Add workflow failures before hooks run. Fixes {{ workflow.failures }} doesn't get a value in lifecycle hook #8882 (fix: Add workflow failures before hooks run. Fixes #8882 #9009)
• f5f1a34 fix: sync lock should be released only if we're retrying (fix: sync lock should be released only if we're retrying #9063)
• 89f3433 fix: workflow.status is now set properly in metrics. Fixes {{workflow.status}} is not working in metrics #8895 (fix: workflow.status is now set properly in metrics. Fixes #8895 #8939)
• 6228748 fix: Treat 'connection reset by peer' as a transient network error. Fixes "connection reset by peer" transient error not handled in workflow-of-workflows #9013 (Treat 'connection reset by peer' as a transient network error. Fixes #9013 #9017)
• e31ffcd fix: Correct kill command. Fixes Wait container is terminated with wrong command #8687 (fix: Correct kill command. Fixes #8687 #8908)
• 416fce7 fix: Fork sub-process. Fixes fix: Revert controller readiness changes. Fixes #8441 #8454 (fix: Fork sub-process. Fixes #8680 #8906)
• 750c4e1 fix: Only signal running containers, ignore failures. (fix: Only signal running containers, ignore failures. #8909)
• ede1a39 fix: workflowMetadata needs to be loaded into globalParams in both ArgoServer and Controller (fix: workflowMetadata needs to be loaded into globalParams in both ArgoServer and Controller #8907)
• 7dacb5b fix: Fixed Swagger error. Fixes Errors in swagger.json when opening with https://editor.swagger.io #8830 (fix: Fixed Swagger error. Fixes #8830 #8886)
• bc01003 fix: Change to distroless. Fixes Get "https://index.docker.io/v2/": x509: certificate signed by unknown authority #8805 (fix: Change to distroless. Fixes #8805 #8806)
• fbb8246 fix: set NODE_OPTIONS to no-experimental-fetch to prevent yarn start error (fix: set NODE_OPTIONS to no-experimental-fetch to prevent yarn start error #8802)
• 39fbdb2 fix: fix a command in the quick-start page (fix: fix a command in the quick-start page #8782)
• 961f731 fix: Omitted task result should also be valid (fix: Omitted task result should also be valid #8776)
• 178bbbc fix: Temporarily fix CI build. Fixes CI build on master appears to be broken #8757. (fix: Temporarily fix CI build. Fixes #8757. #8758)
• aa366db fix: remove list and watch on secrets. Fixes Server with SSO enabled should not require List on all Secrets #8534 (fix!: remove list and watch on secrets. Fixes #8534 #8555)
• 342abcd fix: mkdocs uses 4space indent for nested list (fix: mkdocs uses 4space indent for nested list #8740)
• b3bf327 fix: Fix the resursive example to call the coinflip template (docs: fix coinflip recursive example #8696)
• 9ddae87 fix: Fixed podName in killing daemon pods. Fixes Daemon containers not getting destroyed when enabling POD_NAMES as v2 #8692 (fix: Fixed podName in killing daemon pods. Fixes #8692 #8708)
• 72d3f32 fix: update go-color path/version (fix: update go-color path/version #8707)
• 92b3ef2 fix: upgrade moment from 2.29.2 to 2.29.3 ([Snyk] Upgrade moment from 2.29.2 to 2.29.3 #8679)
• 859ebe9 fix: Terminate, rather than delete, deadlined pods. Fixes containers in containersets not appropriately reporting status if terminated #8545 (fix: Terminate, rather than delete, deadlined pods. Fixes #8545 #8620)
• 3fdf30d fix: Enhance artifact visualization. Fixes The horizontal/vertical option on the graph panel does not persist #8619 (fix: Enhance artifact visualization. Fixes #8619 #8655)
• 16fef4e fix: enable ARGO_REMOVE_PVC_PROTECTION_FINALIZER by default. Fixes Enable ARGO_REMOVE_PVC_PROTECTION_FINALIZER by default. #8592 (fix: enable ARGO_REMOVE_PVC_PROTECTION_FINALIZER by default. Fixes #8592 #8661)
• ed351ff fix: ArtifactGC moved from Template to Artifact. Fixes ArtifactGC should be on Artifact not Template #8556. (fix: ArtifactGC moved from Template to Artifact. Fixes #8556. #8581)
• 9740315 fix: Polish artifact visualisation. Fixes Visualizations in the Argo UI #7743 (fix: Polish artifact visualisation. Fixes #7743 #8552)
• 98dd898 fix: Correct CSP. Fixes Artifact CSP and X-Frame-Options are wrong values #8560 (fix: Correct CSP. Fixes #8560 #8579)
• 5b8638f fix: modified SearchArtifact to return ArtifactSearchResults. Fixes Artifact GC: SearchArtifact to return ArtifactSearchResults #8543 (fix(Artifact GC): modified SearchArtifact to return ArtifactSearchResults. Fixes #8543 #8557)
• ecd91b1 fix: added json tag to ArtifactGCStrategies (fix: added json tag to ArtifactGCStrategies #8523)
• f223bb8 fix: ArtifactGCOnWorkflowDeletion typo quick fix (fix: ArtifactGCOnWorkflowDeletion typo quick fix #8519)
• 8c0a957 fix: Fix bug in entrypoint lookup (fix: Fix bug in entrypoint lookup #8453)
• 4471b59 fix: open minio dashboard on different port in quick-start (fix: open minio dashboard on different port in quick-start #8407)
• d47081f fix: upgrade react-moment from 1.0.0 to 1.1.1 ([Snyk] Upgrade react-moment from 1.0.0 to 1.1.1 #8389)
• 010e359 fix: upgrade react-datepicker from 2.14.1 to 2.16.0 ([Snyk] Upgrade react-datepicker from 2.14.1 to 2.16.0 #8388)
• 0c9d88b fix: upgrade prop-types from 15.7.2 to 15.8.1 ([Snyk] Upgrade prop-types from 15.7.2 to 15.8.1 #8387)
• 2d91646 fix: upgrade js-yaml from 3.13.1 to 3.14.1 ([Snyk] Upgrade js-yaml from 3.13.1 to 3.14.1 #8374)
• 54eaed0 fix: upgrade cron-parser from 2.16.3 to 2.18.0 ([Snyk] Upgrade cron-parser from 2.16.3 to 2.18.0 #8373)
• e9de085 fix: Erratum in docs. Fixes Erratum in docs #8342 (fix: Erratum in docs. Fixes #8342 #8359)
• a3d1d07 fix: upgrade react-chartjs-2 from 2.10.0 to 2.11.2 ([Snyk] Upgrade react-chartjs-2 from 2.10.0 to 2.11.2 #8357)
• b199cb9 fix: upgrade history from 4.7.2 to 4.10.1 ([Snyk] Upgrade history from 4.7.2 to 4.10.1 #8356)
• e405215 fix: upgrade multiple dependencies with Snyk ([Snyk] Upgrade: react, react-dom #8355)
• 8c893bd fix: upgrade com.google.code.gson:gson from 2.8.9 to 2.9.0 ([Snyk] Upgrade com.google.code.gson:gson from 2.8.9 to 2.9.0 #8354)
• ae38815 fix: examples/README.md: overriten => overridden (fix: typo in examples/README.md: overriten => overridden #8351)
• ab21eed fix: upgrade io.swagger:swagger-annotations from 1.6.2 to 1.6.5 ([Snyk] Upgrade io.swagger:swagger-annotations from 1.6.2 to 1.6.5 #8335)
• f708528 fix: upgrade react-monaco-editor from 0.36.0 to 0.47.0 ([Snyk] Upgrade react-monaco-editor from 0.36.0 to 0.47.0 #8339)
• 3c35bd2 fix: upgrade cronstrue from 1.109.0 to 1.125.0 ([Snyk] Upgrade cronstrue from 1.109.0 to 1.125.0 #8338)
• 7ee17dd fix: upgrade com.squareup.okhttp3:logging-interceptor from 4.9.1 to 4.9.3 ([Snyk] Upgrade com.squareup.okhttp3:logging-interceptor from 4.9.1 to 4.9.3 #8336)
• aa9ff17 fix: Remove path traversal CWE-23 (fix: Remove path traversal CWE-23 #8331)
• 14a9a1d fix: ui/package.json & ui/yarn.lock to reduce vulnerabilities ([Snyk] Fix for 2 vulnerabilities #8328)
• 58052c2 fix: sdks/java/pom.xml to reduce vulnerabilities ([Snyk] Fix for 9 vulnerabilities #8327)
• e232340 fix: grep pattern (fix: grep pattern in Makefile #8238)
• 8a1fbb8 fix: removed deprecated k8sapi executor. Fixes Remove k8sapi executor #7802 (fix: removed deprecated k8sapi executor. Fixes #7802 #8205)

[terrytangyuan]

I propose to cherry pick the following commits related to security:

• aa9ff17 fix: Remove path traversal CWE-23 (fix: Remove path traversal CWE-23 #8331)
• chore: upgrade kube-openapi Fixes #9149 #9235

[sarabala1979]

• fix: retryStrategy.Limit is now read properly for backoff strategy. F…

…ixes #9170. (#9213)

[sarabala1979]

I propose to cherry pick the following commits related to security:

• aa9ff17 fix: Remove path traversal CWE-23 (fix: Remove path traversal CWE-23 #8331)
• chore: upgrade kube-openapi Fixes #9149 #9235

This fix contains other feature changes. We could cherry pick

[sarabala1979]

I am busy with priority work. I will try to release before the end of this week.

[sarabala1979]

@terrytangyuan Do you have bandwidth do cherry-pick?

[mcgrawia]

Hi @terrytangyuan @sarabala1979, is this something I could help out with? If one of you can provide a quick write up of what needs to be done, happy to take a stab at it.

[terrytangyuan]

Yes, I can try cherry-picking to release-3.3 branch.

Update: it's cherry-picked but CI is failing. Investigating https://github.com/argoproj/argo-workflows/runs/7634723040?check_suite_focus=true

[terrytangyuan]

@mcgrawia @sarabala1979 #9235 has been cherry-picked and CI is passing in the release branch.

[terrytangyuan]

• fix: retryStrategy.Limit is now read properly for backoff strategy. Fixes #9170. (#9213)

I cherry-picked this one as well.

[mcgrawia]

Hi @terrytangyuan, it looks like the changes are ready to go on the release branch. Is there anything else that needs to be done before the patch can be released?

[sarabala1979]

@terrytangyuan Sorry I forgot to mention. Cherry-pick process is to cherry-pick all fixes (exclude new feature fixes or fixes in new code).
we will cherry-pick the issue and mark selected here.
Can you try to cherry-pick the above list of issues?

[terrytangyuan]

Okay I thought you only needed help with the mentioned fixes. Unfortunately I am on vacation starting today. Would you be able to take it from here?

[mcgrawia]

Hi @sarabala1979, I see some progress was made on cherry picking the commits to the release branch. Just offering again to see if there's anything I can do to get this over the finish line. The Critical level CVE was identified 26 days ago and we are about to break our 30 day patch SLAs with our customers if we cannot get this released asap. Please let me know, thanks

[sarabala1979]

Release 3.3.9

[mcgrawia]

Thank you so much @sarabala1979!!