Argo Workflows v3.7.15 - Semaphore Fixes and Security Patches

Argo Workflows v3.7.15 shipped on June 10, 2026 as a stable patch on the 3.7 line. The headline fix is semaphore and mutex initialization soundness, which matters if you run workflows that depend on sync limits across controllers.

The full release notes and downloads are on the GitHub release page. The GitHub release body points to the changelog and the Argo blog for a longer writeup.

Controller sync and workflow lifecycle

This patch backports several controller fixes from the 4.0 line. The most operationally sensitive is the semaphore and mutex unsoundness fix during initialization. If your cluster uses synchronization blocks with semaphores or mutexes, a bad init path could leave locks in an inconsistent state. Upgrading removes that class of failure.

Database-backed installs get a retry path for transaction errors. That helps when the workflow archive or persistence layer hits transient DB faults instead of failing the whole operation.

The onExitNode handler no longer re-runs after it has already completed. That closes a long-standing bug where exit hooks could fire twice and duplicate cleanup work. Teams with onExit templates for notifications or artifact uploads should notice fewer duplicate side effects.

Metadata merge behavior is also corrected. Workflows that combine labels or annotations from multiple sources should see fewer cases where later values silently disappear.

Artifacts, S3, and list pagination

S3 artifact storage gets a reliability tweak: bare HTTP 5xx responses without a structured error body are now treated as transient. Retries kick in instead of marking the step failed on the first ambiguous server error. That matters for S3-compatible backends that return minimal error pages.

Pagination with continue tokens no longer breaks when a resource version match is set. Large workflow or archive listings that paginate through the API should page cleanly instead of stopping early or returning empty follow-up pages.

UI fixes for filters and annotations

The web UI picks up three small but annoying fixes. URL filter parameters populate on first page load, so shared links to filtered workflow lists actually open with the right filters applied. Clicking an anchor inside the filter dropdown now closes the dropdown instead of leaving it stuck open. Title annotations that mix bold and plain markdown render consistently instead of showing half-formatted text.

These are not flashy features. They reduce daily friction for anyone who lives in the workflow list view.

Security and base image updates

v3.7.15 bumps several dependencies flagged as security updates on the release-3.7 branch. The selected changes include golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, github.com/go-git/go-git/v5, and the qs npm dependency used by the UI. The distroless base image for controller and server containers is also refreshed.

If you scan container images or Go module SBOMs as part of release approval, treat this tag as a routine but necessary hygiene pass. There is no single CVE called out in the short GitHub release body, but the changelog marks these bumps explicitly as security updates.
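
For the release approval step above, one way to confirm that the listed Go modules really moved between two tags is to compare the require entries of their go.mod files. This is an added example, not code from the Argo project or the original post; the function names are hypothetical and the sample versions are constructed placeholders, so substitute the go.mod files from the tags you are comparing.

```shell
#!/bin/sh
# Added example, not Argo project code. Modules the post lists as security
# bumps; qs is an npm dependency of the UI, so go.mod does not cover it.
FLAGGED="golang.org/x/crypto golang.org/x/net golang.org/x/sys github.com/go-git/go-git/v5"

# mod_version GO_MOD MODULE: print the required version, or nothing if absent.
# Reads "require ( ... )" blocks and single-line requires, and strips
# "// indirect" comments. replace directives are not interpreted.
mod_version() {
  awk -v mod="$2" '
    { sub(/\/\/.*/, "") }
    $1 == "require" && $2 == "(" { blk = 1; next }
    blk && $1 == ")"             { blk = 0; next }
    blk && $1 == mod             { print $2; exit }
    $1 == "require" && $2 == mod { print $3; exit }
  ' "$1"
}

# compare_bumps OLD NEW: one status line per flagged module; returns 1 if any
# is missing, unchanged or lower in NEW. Ordering uses sort -V (GNU coreutils).
compare_bumps() {
  rc=0
  for m in $FLAGGED; do
    old=$(mod_version "$1" "$m"); new=$(mod_version "$2" "$m")
    top=$(printf '%s\n%s\n' "$old" "$new" | sort -V | tail -n 1)
    if [ -z "$new" ]; then echo "MISSING $m"; rc=1
    elif [ "$old" = "$new" ]; then echo "UNCHANGED $m $new"; rc=1
    elif [ "$top" != "$new" ]; then echo "DOWNGRADED $m $old -> $new"; rc=1
    else echo "BUMPED $m ${old:-none} -> $new"
    fi
  done
  return $rc
}

# Constructed sample files; versions are placeholders, not the real tags' go.mod.
write_samples() {
  printf '%s\n' 'module example.test/wf' 'require (' \
    '  golang.org/x/crypto v0.1.0' '  golang.org/x/net v0.9.0 // indirect' ')' \
    'require golang.org/x/sys v0.2.0' \
    'require github.com/go-git/go-git/v5 v5.1.0' > "$1/old.mod"
  sed -e 's/v0\.1\.0/v0.2.0/' -e 's/v0\.9\.0/v0.10.0/' -e 's/v5\.1\.0/v5.1.1/' \
    "$1/old.mod" > "$1/new.mod"
}

d=$(mktemp -d) && write_samples "$d"
compare_bumps "$d/old.mod" "$d/new.mod" || echo "FAIL: not every flagged module was bumped"
```

In the constructed sample, golang.org/x/sys is left at the same version on purpose, so the check reports it as UNCHANGED and returns non-zero.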

Upgrade notes

The GitHub release does not list new breaking changes for v3.7.15. It still tells operators to read the upgrading guide and search existing GitHub issues before moving production clusters.

This is a patch release, not a prerelease. If you are already on v3.7.14, the expected path is a manifest or image tag bump plus a controller rollout. Fresh installs can use the bundled manifests from the release assets.

For the CLI on Mac or Linux, the release ships argo-darwin-amd64.gz and argo-linux-amd64.gz binaries. The controller and server install manifest is install.yaml in the same release.

Where to get it

Controller install from the release manifest:

kubectl create namespace argo
kubectl apply -n argo -f https://github.com/argoproj/argo-workflows/releases/download/v3.7.15/install.yaml

CLI install (Linux example):

curl -sLO "https://github.com/argoproj/argo-workflows/releases/download/v3.7.15/argo-linux-amd64.gz"
gunzip "argo-linux-amd64.gz"
chmod +x "argo-linux-amd64"
mv "./argo-linux-amd64" /usr/local/bin/argo
argo version

For the full commit list between v3.7.14 and v3.7.15, see the changelog section linked from the release page.



denis256 at denis256.dev