From af39067e1fdf5505341a0c9653eb7b6e7424219b Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 22 Jan 2026 16:38:27 -0800
Subject: [PATCH] Pin ArgoCD to v3.2.6 (#44)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary
- Pin ArgoCD kustomization to v3.2.6 tag instead of `stable` branch
- This gives intentional control over ArgoCD version upgrades

## Deployment and Testing
- [ ] Sync the `apps` application: `argocd app sync apps`
- [ ] Point argocd at feature branch: `argocd app set argocd --revision feature/pin-argocd-v3.2.6`
- [ ] Sync argocd: `argocd app sync argocd`
- [ ] Verify ArgoCD is running v3.2.6
- [ ] After merge, reset to main: `argocd app set argocd --revision main && argocd app sync argocd`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/44
---
 argocd/manifests/argocd/kustomization.yaml          | 3 ++-
 argocd/manifests/devpi/statefulset.yaml             | 1 +
 argocd/manifests/kiwix/cronjob-zim-watcher.yaml     | 2 +-
 argocd/manifests/kiwix/deployment.yaml              | 2 +-
 argocd/manifests/miniflux/deployment.yaml           | 2 +-
 argocd/manifests/tailscale-operator/operator.yaml   | 2 +-
 argocd/manifests/tailscale-operator/proxyclass.yaml | 4 ++--
 argocd/manifests/torrent/deployment.yaml            | 2 +-
 8 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/argocd/manifests/argocd/kustomization.yaml b/argocd/manifests/argocd/kustomization.yaml
index 807d37e..6662c4b 100644
--- a/argocd/manifests/argocd/kustomization.yaml
+++ b/argocd/manifests/argocd/kustomization.yaml
@@ -4,7 +4,8 @@ kind: Kustomization
 namespace: argocd
 
 resources:
-  - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+  # Pin to specific version for intentional upgrades
+  - https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.6/manifests/install.yaml
   - service-tailscale.yaml
 
 patches:
diff --git a/argocd/manifests/devpi/statefulset.yaml b/argocd/manifests/devpi/statefulset.yaml
index 5d61c13..8afec98 100644
--- a/argocd/manifests/devpi/statefulset.yaml
+++ b/argocd/manifests/devpi/statefulset.yaml
@@ -18,6 +18,7 @@ spec:
         fsGroup: 1000
       containers:
         - name: devpi
+          # TODO: Tag builds with semantic versions (e.g., v1.0.0) for reproducibility
           image: registry.tail8d86e.ts.net/blumeops/devpi:latest
           env:
             - name: DEVPI_ROOT_PASSWORD
diff --git a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
index b0e92b7..491736f 100644
--- a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
+++ b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
@@ -14,7 +14,7 @@ spec:
           serviceAccountName: zim-watcher
           containers:
             - name: watcher
-              image: bitnami/kubectl:latest
+              image: bitnami/kubectl:1.34.1
               command: ["/bin/bash", "-c"]
               args:
                 - |
diff --git a/argocd/manifests/kiwix/deployment.yaml b/argocd/manifests/kiwix/deployment.yaml
index e59dc26..ec141dc 100644
--- a/argocd/manifests/kiwix/deployment.yaml
+++ b/argocd/manifests/kiwix/deployment.yaml
@@ -52,7 +52,7 @@ spec:
 
         # Sidecar: Syncs declarative ZIM torrents to transmission
         - name: torrent-sync
-          image: lscr.io/linuxserver/transmission:latest  # Has transmission-remote CLI
+          image: lscr.io/linuxserver/transmission:4.0.6  # Has transmission-remote CLI
           command: ["/bin/bash", "-c"]
           args:
             - |
diff --git a/argocd/manifests/miniflux/deployment.yaml b/argocd/manifests/miniflux/deployment.yaml
index 3884e1d..ab573c9 100644
--- a/argocd/manifests/miniflux/deployment.yaml
+++ b/argocd/manifests/miniflux/deployment.yaml
@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
         - name: miniflux
-          image: ghcr.io/miniflux/miniflux:latest
+          image: ghcr.io/miniflux/miniflux:2.2.16
           ports:
             - containerPort: 8080
           env:
diff --git a/argocd/manifests/tailscale-operator/operator.yaml b/argocd/manifests/tailscale-operator/operator.yaml
index 1383956..78a84ee 100644
--- a/argocd/manifests/tailscale-operator/operator.yaml
+++ b/argocd/manifests/tailscale-operator/operator.yaml
@@ -5362,7 +5362,7 @@ spec:
                       valueFrom:
                         fieldRef:
                             fieldPath: metadata.uid
-                  image: docker.io/tailscale/k8s-operator:stable
+                  image: docker.io/tailscale/k8s-operator:v1.92.5
                   imagePullPolicy: Always
                   name: operator
                   volumeMounts:
diff --git a/argocd/manifests/tailscale-operator/proxyclass.yaml b/argocd/manifests/tailscale-operator/proxyclass.yaml
index 2e247d7..3e4e2b4 100644
--- a/argocd/manifests/tailscale-operator/proxyclass.yaml
+++ b/argocd/manifests/tailscale-operator/proxyclass.yaml
@@ -18,6 +18,6 @@ spec:
   statefulSet:
     pod:
       tailscaleContainer:
-        image: docker.io/tailscale/tailscale:stable
+        image: docker.io/tailscale/tailscale:v1.92.5
       tailscaleInitContainer:
-        image: docker.io/tailscale/tailscale:stable
+        image: docker.io/tailscale/tailscale:v1.92.5
diff --git a/argocd/manifests/torrent/deployment.yaml b/argocd/manifests/torrent/deployment.yaml
index 78bc436..8f331bb 100644
--- a/argocd/manifests/torrent/deployment.yaml
+++ b/argocd/manifests/torrent/deployment.yaml
@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: transmission
-          image: lscr.io/linuxserver/transmission:latest
+          image: lscr.io/linuxserver/transmission:4.0.6
           env:
             - name: PUID
               value: "1000"