Bump version to 3.0.1 on release-3.0 branch (#22968)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: reggie-k <19544836+reggie-k@users.noreply.github.com>

.github/workflows/release.yaml

@@ -77,7 +77,8 @@ jobs:
       - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in release branches.
         run: |
           set -xue
-          echo "GORELEASER_PREVIOUS_TAG=$(go run hack/get-previous-release/get-previous-version-for-release-notes.go ${{ github.ref_name }})" >> $GITHUB_ENV
+          GORELEASER_PREVIOUS_TAG=$(go run hack/get-previous-release/get-previous-version-for-release-notes.go ${{ github.ref_name }}) || exit 1
+          echo "GORELEASER_PREVIOUS_TAG=$GORELEASER_PREVIOUS_TAG" >> $GITHUB_ENV
 
       - name: Set environment variables for ldflags
         id: set_ldflag

Dockerfile

@@ -6,6 +6,8 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:80dd3c3b9c6cecb9f1667e9290b
 ####################################################################################################
 FROM docker.io/library/golang:1.24.1@sha256:c5adecdb7b3f8c5ca3c88648a861882849cc8b02fed68ece31e25de88ad13418 AS builder
 
+WORKDIR /tmp
+
 RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
 RUN apt-get update && apt-get install --no-install-recommends -y \
@@ -23,8 +25,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-WORKDIR /tmp
-
 COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers
 
@@ -40,8 +40,8 @@ LABEL org.opencontainers.image.source="https://github.com/argoproj/argo-cd"
 
 USER root
 
-ENV ARGOCD_USER_ID=999
-ENV DEBIAN_FRONTEND=noninteractive
+ENV ARGOCD_USER_ID=999 \
+    DEBIAN_FRONTEND=noninteractive
 
 RUN groupadd -g $ARGOCD_USER_ID argocd && \
     useradd -r -u $ARGOCD_USER_ID -g argocd argocd && \
@@ -55,11 +55,13 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-COPY hack/gpg-wrapper.sh /usr/local/bin/gpg-wrapper.sh
-COPY hack/git-verify-wrapper.sh /usr/local/bin/git-verify-wrapper.sh
+COPY hack/gpg-wrapper.sh \
+    hack/git-verify-wrapper.sh \
+    entrypoint.sh \
+    /usr/local/bin/
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
-COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+
 # keep uid_entrypoint.sh for backward compatibility
 RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh
 
@@ -111,13 +113,13 @@ RUN go mod download
 # Perform the build
 COPY . .
 COPY --from=argocd-ui /src/dist/app /go/src/github.com/argoproj/argo-cd/ui/dist/app
-ARG TARGETOS
-ARG TARGETARCH
+ARG TARGETOS \
+    TARGETARCH
 # These build args are optional; if not specified the defaults will be taken from the Makefile
-ARG GIT_TAG
-ARG BUILD_DATE
-ARG GIT_TREE_STATE
-ARG GIT_COMMIT
+ARG GIT_TAG \
+    BUILD_DATE \
+    GIT_TREE_STATE \
+    GIT_COMMIT
 RUN GIT_COMMIT=$GIT_COMMIT \
     GIT_TREE_STATE=$GIT_TREE_STATE \
     GIT_TAG=$GIT_TAG \
@@ -130,6 +132,7 @@ RUN GIT_COMMIT=$GIT_COMMIT \
 # Final image
 ####################################################################################################
 FROM argocd-base
+ENTRYPOINT ["/usr/bin/tini", "--"]
 COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/
 
 USER root
@@ -144,4 +147,3 @@ RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-commit-server
 
 USER $ARGOCD_USER_ID
-ENTRYPOINT ["/usr/bin/tini", "--"]

VERSION

@@ -1 +1 @@
-3.0.0
+3.0.1

applicationset/services/pull_request/github.go

@@ -26,7 +26,11 @@ func NewGithubService(token, url, owner, repo string, labels []string) (PullRequ
 	httpClient := &http.Client{}
 	var client *github.Client
 	if url == "" {
-		client = github.NewClient(httpClient).WithAuthToken(token)
+		if token == "" {
+			client = github.NewClient(httpClient)
+		} else {
+			client = github.NewClient(httpClient).WithAuthToken(token)
+		}
 	} else {
 		var err error
 		client, err = github.NewClient(httpClient).WithEnterpriseURLs(url, url)

applicationset/services/scm_provider/github.go

@@ -25,7 +25,11 @@ func NewGithubProvider(organization string, token string, url string, allBranche
 	httpClient := &http.Client{}
 	var client *github.Client
 	if url == "" {
-		client = github.NewClient(httpClient).WithAuthToken(token)
+		if token == "" {
+			client = github.NewClient(httpClient)
+		} else {
+			client = github.NewClient(httpClient).WithAuthToken(token)
+		}
 	} else {
 		var err error
 		client, err = github.NewClient(httpClient).WithEnterpriseURLs(url, url)

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -44,9 +44,13 @@ const (
 	// CLIName is the name of the CLI
 	cliName = common.ApplicationController
 	// Default time in seconds for application resync period
-	defaultAppResyncPeriod = 180
+	defaultAppResyncPeriod = 120
+	// Default time in seconds for application resync period jitter
+	defaultAppResyncPeriodJitter = 60
 	// Default time in seconds for application hard resync period
 	defaultAppHardResyncPeriod = 0
+	// Default time in seconds for ignoring consecutive errors when comminicating with repo-server
+	defaultRepoErrorGracePeriod = defaultAppResyncPeriod + defaultAppResyncPeriodJitter
 )
 
 func NewCommand() *cobra.Command {
@@ -252,8 +256,8 @@ func NewCommand() *cobra.Command {
 	clientConfig = cli.AddKubectlFlagsToCmd(&command)
 	command.Flags().Int64Var(&appResyncPeriod, "app-resync", int64(env.ParseDurationFromEnv("ARGOCD_RECONCILIATION_TIMEOUT", defaultAppResyncPeriod*time.Second, 0, math.MaxInt64).Seconds()), "Time period in seconds for application resync.")
 	command.Flags().Int64Var(&appHardResyncPeriod, "app-hard-resync", int64(env.ParseDurationFromEnv("ARGOCD_HARD_RECONCILIATION_TIMEOUT", defaultAppHardResyncPeriod*time.Second, 0, math.MaxInt64).Seconds()), "Time period in seconds for application hard resync.")
-	command.Flags().Int64Var(&appResyncJitter, "app-resync-jitter", int64(env.ParseDurationFromEnv("ARGOCD_RECONCILIATION_JITTER", 0*time.Second, 0, math.MaxInt64).Seconds()), "Maximum time period in seconds to add as a delay jitter for application resync.")
-	command.Flags().Int64Var(&repoErrorGracePeriod, "repo-error-grace-period-seconds", int64(env.ParseDurationFromEnv("ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS", defaultAppResyncPeriod*time.Second, 0, math.MaxInt64).Seconds()), "Grace period in seconds for ignoring consecutive errors while communicating with repo server.")
+	command.Flags().Int64Var(&appResyncJitter, "app-resync-jitter", int64(env.ParseDurationFromEnv("ARGOCD_RECONCILIATION_JITTER", defaultAppResyncPeriodJitter*time.Second, 0, math.MaxInt64).Seconds()), "Maximum time period in seconds to add as a delay jitter for application resync.")
+	command.Flags().Int64Var(&repoErrorGracePeriod, "repo-error-grace-period-seconds", int64(env.ParseDurationFromEnv("ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS", defaultRepoErrorGracePeriod*time.Second, 0, math.MaxInt64).Seconds()), "Grace period in seconds for ignoring consecutive errors while communicating with repo server.")
 	command.Flags().StringVar(&repoServerAddress, "repo-server", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Repo server address.")
 	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
 	command.Flags().StringVar(&commitServerAddress, "commit-server", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_COMMIT_SERVER", common.DefaultCommitServerAddr), "Commit server address.")

controller/appcontroller.go

@@ -886,6 +886,9 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 	ctrl.RegisterClusterSecretUpdater(ctx)
 	ctrl.metricsServer.RegisterClustersInfoSource(ctx, ctrl.stateCache, ctrl.db, ctrl.metricsClusterLabels)
 
+	go ctrl.appInformer.Run(ctx.Done())
+	go ctrl.projInformer.Run(ctx.Done())
+
 	if ctrl.dynamicClusterDistributionEnabled {
 		// only start deployment informer if dynamic distribution is enabled
 		go ctrl.deploymentInformer.Informer().Run(ctx.Done())
@@ -904,9 +907,6 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 		}
 	}
 
-	go ctrl.appInformer.Run(ctx.Done())
-	go ctrl.projInformer.Run(ctx.Done())
-
 	errors.CheckError(ctrl.stateCache.Init())
 
 	if !cache.WaitForCacheSync(ctx.Done(), ctrl.appInformer.HasSynced, ctrl.projInformer.HasSynced) {

controller/cache/cache.go

@@ -126,7 +126,7 @@ func init() {
 	clusterCacheListSemaphoreSize = env.ParseInt64FromEnv(EnvClusterCacheListSemaphore, clusterCacheListSemaphoreSize, 0, math.MaxInt64)
 	clusterCacheAttemptLimit = int32(env.ParseNumFromEnv(EnvClusterCacheAttemptLimit, int(clusterCacheAttemptLimit), 1, math.MaxInt32))
 	clusterCacheRetryUseBackoff = env.ParseBoolFromEnv(EnvClusterCacheRetryUseBackoff, false)
-	clusterCacheBatchEventsProcessing = env.ParseBoolFromEnv(EnvClusterCacheBatchEventsProcessing, false)
+	clusterCacheBatchEventsProcessing = env.ParseBoolFromEnv(EnvClusterCacheBatchEventsProcessing, true)
 	clusterCacheEventsProcessingInterval = env.ParseDurationFromEnv(EnvClusterCacheEventsProcessingInterval, clusterCacheEventsProcessingInterval, 0, math.MaxInt64)
 }
 

controller/health.go

@@ -80,15 +80,15 @@ func setApplicationHealth(resources []managedResource, statuses []appv1.Resource
 			appHealth.Status = healthStatus.Status
 		}
 	}
+	// if the status didn't change, don't update the timestamp
+	if app.Status.Health.Status == appHealth.Status && app.Status.Health.LastTransitionTime != nil {
+		appHealth.LastTransitionTime = app.Status.Health.LastTransitionTime
+	} else {
+		now := metav1.Now()
+		appHealth.LastTransitionTime = &now
+	}
 	if persistResourceHealth {
 		app.Status.ResourceHealthSource = appv1.ResourceHealthLocationInline
-		// if the status didn't change, don't update the timestamp
-		if app.Status.Health.Status == appHealth.Status && app.Status.Health.LastTransitionTime != nil {
-			appHealth.LastTransitionTime = app.Status.Health.LastTransitionTime
-		} else {
-			now := metav1.Now()
-			appHealth.LastTransitionTime = &now
-		}
 	} else {
 		app.Status.ResourceHealthSource = appv1.ResourceHealthLocationAppTree
 	}

controller/health_test.go

@@ -109,6 +109,7 @@ func TestSetApplicationHealth_ResourceHealthNotPersisted(t *testing.T) {
 	healthStatus, err := setApplicationHealth(resources, resourceStatuses, lua.ResourceHealthOverrides{}, app, false)
 	require.NoError(t, err)
 	assert.Equal(t, health.HealthStatusDegraded, healthStatus.Status)
+	assert.NotNil(t, healthStatus.LastTransitionTime)
 
 	assert.Nil(t, resourceStatuses[0].Health)
 }

docs/faq.md

@@ -147,7 +147,7 @@ See [#1482](https://github.com/argoproj/argo-cd/issues/1482).
 
 ## How often does Argo CD check for changes to my Git or Helm repository ?
 
-The default polling interval is 3 minutes (180 seconds) with a configurable jitter.
+The default maximum polling interval is 3 minutes (120 seconds + 60 seconds jitter).
 You can change the setting by updating the `timeout.reconciliation` value and the `timeout.reconciliation.jitter` in the [argocd-cm](https://github.com/argoproj/argo-cd/blob/2d6ce088acd4fb29271ffb6f6023dbb27594d59b/docs/operator-manual/argocd-cm.yaml#L279-L282) config map. If there are any Git changes, Argo CD will only update applications with the [auto-sync setting](user-guide/auto_sync.md) enabled. If you set it to `0` then Argo CD will stop polling Git repositories automatically and you can only use alternative methods such as [webhooks](operator-manual/webhook.md) and/or manual syncs for deploying applications.
 
 

docs/operator-manual/argocd-cm.yaml

@@ -280,9 +280,9 @@ data:
   # You can change the resource tracking method Argo CD uses by changing the
   # setting application.resourceTrackingMethod to the desired method.
   # The following methods are available:
-  # - label            : Uses the application.instanceLabelKey label for tracking
   # - annotation       : Uses an annotation with additional metadata for tracking instead of the label
   # - annotation+label : Also uses an annotation for tracking, but additionally labels the resource with the application name
+  # - label            : Uses the application.instanceLabelKey label for tracking
   application.resourceTrackingMethod: annotation
 
   # Optional installation id. Allows to have multiple installations of Argo CD in the same cluster.
@@ -325,17 +325,18 @@ data:
   # at the bottom of the page. Change the value as needed.
   # ui.bannerposition: "bottom"
 
-  # Application reconciliation timeout is the max amount of time required to discover if a new manifests version got
-  # published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default.
+  # Application reconciliation timeout is the amount of time spent before Argo tries to discover if a new manifests version got
+  # published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Two minutes by default with additional jitter.
   # > Note: The argocd-repo-server deployment and the argocd-application-controller statefulset (or deployment, if
   # configured) must be manually restarted after changing the setting.
-  timeout.reconciliation: 180s
+  timeout.reconciliation: 120s
+
   # With a large number of applications, the periodic refresh for each application can cause a spike in the refresh queue
   # and can cause a spike in the repo-server component. To avoid this, you can set a jitter to the sync timeout, which will
   # spread out the refreshes and give time to the repo-server to catch up. The jitter is the maximum duration that can be
   # added to the sync timeout. So, if the sync timeout is 3 minutes and the jitter is 1 minute, then the actual timeout will
-  # be between 3 and 4 minutes. Disabled when the value is 0, defaults to 0.
-  timeout.reconciliation.jitter: "0"
+  # be between 3 and 4 minutes. Disabled when the value is 0, defaults to 1 minute.
+  timeout.reconciliation.jitter: 60s
 
   # cluster.inClusterEnabled indicates whether to allow in-cluster server address. This is enabled by default.
   cluster.inClusterEnabled: "true"

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -93,7 +93,7 @@ data:
   controller.profile.enabled: "false"
   # Enables batch-processing mode in the controller's cluster cache. This can help improve performance for clusters that
   # have high "churn," i.e. lots of resource modifications.
-  controller.cluster.cache.batch.events.processing: "false"
+  controller.cluster.cache.batch.events.processing: "true"
   # This sets the interval at which the controller's cluster cache processes a batch of cluster events. A lower value
   # will increase the speed at which Argo CD becomes aware of external cluster state. A higher value will reduce cluster
   # cache lock contention and better handle high-churn clusters.

docs/operator-manual/high_availability.md

@@ -132,8 +132,8 @@ stringData:
 
 * `ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING` - environment variable that enables the controller to collect events
   for Kubernetes resources and process them in a batch. This is useful when the cluster contains a large number of resources,
-  and the controller is overwhelmed by the number of events. The default value is `false`, which means that the controller
-  processes events one by one.
+  and the controller is overwhelmed by the number of events. The default value is `true`. `false` would mean that the controller
+  would process events one by one.
 
 * `ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL` - environment variable controlling the interval for processing events in a batch.
   The valid value is in the format of Go time duration string, e.g. `1ms`, `1s`, `1m`, `1h`. The default value is `100ms`.

docs/operator-manual/server-commands/argocd-application-controller.md

@@ -16,8 +16,8 @@ argocd-application-controller [flags]
 
 ```
       --app-hard-resync int                                       Time period in seconds for application hard resync.
-      --app-resync int                                            Time period in seconds for application resync. (default 180)
-      --app-resync-jitter int                                     Maximum time period in seconds to add as a delay jitter for application resync.
+      --app-resync int                                            Time period in seconds for application resync. (default 120)
+      --app-resync-jitter int                                     Maximum time period in seconds to add as a delay jitter for application resync. (default 60)
       --app-state-cache-expiration duration                       Cache expiration for app state (default 1h0m0s)
       --application-namespaces strings                            List of additional namespaces that applications are allowed to be reconciled from
       --as string                                                 Username to impersonate for the operation

docs/operator-manual/tested-kubernetes-versions.md

@@ -1,2 +1,5 @@
-This page is populated for released Argo CD versions. Use the version selector to view this table for a specific 
-version. 
+| Argo CD version | Kubernetes versions |
+|-----------------|---------------------|
+| 3.0 | v1.32, v1.31, v1.30, v1.29 |
+| 2.14 | v1.31, v1.30, v1.29, v1.28 |
+| 2.13 | v1.30, v1.29, v1.28, v1.27 |

docs/operator-manual/upgrading/2.14-3.0.md

@@ -1,22 +1,21 @@
 # v2.14 to 3.0
 
-Argo CD 3.0 is meant to be a low-risk upgrade, containing some minor breaking changes. For each change, the next
+Argo CD 3.0 is meant to be a low-risk upgrade containing only minor breaking changes. For each change, the next
 section will describe how to quickly determine if you are impacted, how to remediate the breaking change, and (if
-applicable) how to opt out of the change.
+applicable) restore Argo CD 2.x default behavior.
 
 Once 3.0 is released, no more 2.x minor versions will be released. We will continue to cut patch releases for the two
-most recent minor versions (so 2.14 until 3.2 is released, and 2.13 until 3.1 is released).
+most recent minor versions (so 2.14 until 3.2 is released and 2.13 until 3.1 is released).
 
 ## Breaking Changes
 
 ### Fine-Grained RBAC for application `update` and `delete` sub-resources
 
-The default behavior of fine-grained policies have changed so they do not apply to sub-resources anymore.
-Prior to v3, when `update` or `delete` actions were allowed on an application, it gave the permission to
-update and delete the application itself and any of its sub-resources.
+The default behavior of fine-grained policies have changed so they no longer apply to sub-resources.
+Prior to v3, policies granting `update` or `delete` to an application also applied to any of its sub-resources.
 
-Starting with v3, the `update` or `delete` actions only apply on the application. New policies must be defined
-to allow the `update/*` or `delete/*` actions on the application to give permissions on sub-resources.
+Starting with v3, the `update` or `delete` actions only apply to the application itself. New policies must be defined
+to allow the `update/*` or `delete/*` actions on an Application's managed resources.
 
 The v2 behavior can be preserved by setting the config value `server.rbac.disableApplicationFineGrainedRBACInheritance`
 to `false` in the Argo CD ConfigMap `argocd-cm`.
@@ -36,35 +35,37 @@ Starting from 3.0, this flag is removed and the logs RBAC is enforced by default
 
 #### Detection
 
-Users who have `server.rbac.log.enforce.enable: "true"` in their `argocd-cm` ConfigMap, are unaffected by this change.   
+Users who have `server.rbac.log.enforce.enable: "true"` in their `argocd-cm` ConfigMap, are unaffected by this change.
 
-Users who have `policy.default: role:readonly` or `policy.default: role:admin` in their `argocd-rbac-cm` ConfigMap, are unaffected.   
+Users who have `policy.default: role:readonly` or `policy.default: role:admin` in their `argocd-rbac-cm` ConfigMap, are unaffected.
 
-Users who don't have a `policy.default` in their `argocd-rbac-cm` ConfigMap, and either have `server.rbac.log.enforce.enable` set to `false` or don't have this setting at all in their `argocd-cm` ConfigMap are affected and should perform the below remediation steps.   
+Users who don't have a `policy.default` in their `argocd-rbac-cm` ConfigMap, and either have `server.rbac.log.enforce.enable` set to `false` or don't have this setting at all in their `argocd-cm` ConfigMap are affected and should perform the below remediation steps.
 
-After the upgrade, it is recommended to remove the setting `server.rbac.log.enforce.enable` from `argocd-cm` ConfigMap, if it was there before the upgrade.  
+After the upgrade, it is recommended to remove the setting `server.rbac.log.enforce.enable` from `argocd-cm` ConfigMap, if it was there before the upgrade.
 
 #### Remediation
 
-##### Quick remediation (global change)     
-For users with an existing default policy with a custom role, add this policy to `policy.csv` for your custom role: `p, role:<YOUR_DEFAULT_ROLE>, logs, get, */*, allow`.   
-For users without a default policy, add this policy to `policy.csv`: `p, role:global-log-viewer, logs, get, */*, allow` and add the default policy for this role: `policy.default: role:global-log-viewer`   
+##### Quick remediation (global change)
+
+For users with an existing default policy with a custom role, add this policy to `policy.csv` for your custom role: `p, role:<YOUR_DEFAULT_ROLE>, logs, get, */*, allow`.
+For users without a default policy, add this policy to `policy.csv`: `p, role:global-log-viewer, logs, get, */*, allow` and add the default policy for this role: `policy.default: role:global-log-viewer`
 
 ##### Recommended remediation (per-policy change)
-Explicitly add a `logs, get` policy to every role that has a policy for `applications, get` or for `applications, *`.   
-This is the recommended way for maintaining the principle of least-privilege.       
-Similarly to the way you currently manage the access to Applications, the access to logs can be either granted on a Project scope level (Project resource) or on the `argocd-rbac-cm` ConfigMap level.      
-See this [example](../upgrading/2.3-2.4.md#example-1) for more details.   
+
+Explicitly add a `logs, get` policy to every role that has a policy for `applications, get` or for `applications, *`.
+This is the recommended way to maintain the principle of least privilege.
+Similar to the way access to Applications are currently managed, access to logs can be either granted on a Project scope level (Project resource) or on the `argocd-rbac-cm` ConfigMap level.
+See this [example](../upgrading/2.3-2.4.md#example-1) for more details.
 
 ### Default `resource.exclusions` configurations
 
 Argo CD manifest now contains a default configuration for `resource.exclusions` in the `argocd-cm` to exclude resources that
-are known to be created by controller and not usually managed in Git. The exclusions contains high volume and high churn objects
+are known to be created by controllers and not usually managed in Git. The exclusions contain high volume and high churn objects
 which we exclude for performance reasons, reducing connections and load to the K8s API servers of managed clusters.
 
 The excluded Kinds are:
 
-- **Kubernetes Resources**: `Endpoints`, `EndpointSlice`, `APIService`, `Lease`, `SelfSubjectReview`, `TokenReview`, `LocalSubjectAccessReview`, `SelfSubjectAccessReview`, `SelfSubjectRulesReview`, `SubjectAccessReview`, `CertificateSigningRequest`, `PolicyReport` and `ClusterPolicyReport`.
+- **Kubernetes Resources**: `Endpoints`, `EndpointSlice`, `Lease`, `SelfSubjectReview`, `TokenReview`, `LocalSubjectAccessReview`, `SelfSubjectAccessReview`, `SelfSubjectRulesReview`, `SubjectAccessReview`, `CertificateSigningRequest`, `PolicyReport` and `ClusterPolicyReport`.
 - **Cert Manager**: `CertificateRequest`.
 - **Kyverno**: `EphemeralReport`, `ClusterEphemeralReport`, `AdmissionReport`, `ClusterAdmissionReport`, `BackgroundScanReport`, `ClusterBackgroundScanReport` and `UpdateRequest`.
 - **Cilium**: `CiliumIdentity`, `CiliumEndpoint` and `CiliumEndpointSlice`.
@@ -217,16 +218,70 @@ spec:
         namespace: guestbook
 ```
 
-### Upgraded Helm version with breaking changes 
-Helm was upgraded to 3.17.1.   
-This may require changing your `values.yaml` files for subcharts, if the `values.yaml` contain a section with a `null` object.   
-See related issue in [Helm GitHub repository](https://github.com/helm/helm/issues/12469)   
-See Helm 3.17.1 [release notes](https://github.com/helm/helm/releases/tag/v3.17.1)   
-Example of such a [problem and resolution](https://github.com/argoproj/argo-cd/pull/22035/files)   
+### Upgraded Helm version with breaking changes
+
+Helm was upgraded to 3.17.1.
+This may require changing your `values.yaml` files for subcharts, if the `values.yaml` contain a section with a `null` object.
+See related issue in [Helm GitHub repository](https://github.com/helm/helm/issues/12469)
+See Helm 3.17.1 [release notes](https://github.com/helm/helm/releases/tag/v3.17.1)
+Example of such a [problem and resolution](https://github.com/argoproj/argo-cd/pull/22035/files)
 Explanation:
+
 - Prior to Helm 3.17.1, `null` object in `values.yaml` resulted in a warning: `cannot overwrite table with non table` upon performing `helm template`, and the resulting K8s object was not overridden with the invalid `null` value.
 - In Helm 3.17.1, this behavior changed and `null` object in `values.yaml` still results in this warning upon performing `helm template`, but the resulting K8s object will be overridden with the invalid `null` value.
-- To resolve the issue, identify `values.yaml` with `null` object values, and remove those `null` values.   
+- To resolve the issue, identify `values.yaml` with `null` object values, and remove those `null` values.
+
+### Use Annotation-Based Tracking by Default
+
+The default behavior for [tracking resources](../../user-guide/resource_tracking.md) has changed to use annotation-based
+tracking instead of label-based tracking. Annotation-based tracking is more reliable and less prone to errors caused by
+external code copying tracking labels from one resource to another.
+
+#### Detection
+
+To detect if you are impacted, check the `argocd-cm` ConfigMap for the `application.resourceTrackingMethod` field. If it
+unset or is set to `label`, you are using label-based tracking. If it is set to `annotation`, you are already using
+annotation-based tracking and are not impacted by this change.
+
+```sh
+kubectl get cm argocd-cm -n argocd -o jsonpath='{.data.application\.resourceTrackingMethod}'
+```
+
+#### Remediation
+
+For most users, it is safe to upgrade to Argo CD 3.0 and use annotation-based tracking. Labels will be replaced with
+annotations on the next sync. Applications will not be marked as out-of-sync if labels are not present on the
+resources.
+
+!!! warning "Potential for orphaned resources"
+
+    There is a known edge case when switching from label-based tracking to annotation-based tracking that may cause
+    resources to be orphaned. If the first sync operation after switching to annotation-based tracking includes a
+    resource being deleted, Argo CD will fail to recognize that the resource is managed by the Application and will not
+    delete it. To avoid this edge case, it is recommended to perform a sync operation on your Applications, even if
+    they are not out of sync, so that orphan resource detection will work as expected on the next sync.
+
+Some users rely on label-based tracking to track resources that are not managed by Argo CD. They may set annotations
+to have Argo CD ignore the resource as extraneous or to disable pruning. If you are using label-based tracking to track
+resources that are not managed by Argo CD, you will need to construct tracking annotations instead of tracking labels
+and apply them to the relevant resources. The format of the tracking annotation is:
+
+```yaml
+argocd.argoproj.io/tracking-id: <app name>:<resource group>/<resource kind>:<resource namespace>/<resource name>
+```
+
+For cluster-scoped resources, the namespace is set to the value in the Application's `spec.destination.namespace` field.
+
+!!! warning
+
+    Manually constructing and applying tracking labels and annotations is not an officially supported feature, and Argo
+    CD's behavior may change in the future. It is recommended to manage resources with Argo CD via GitOps.
+
+#### Opting Out
+
+If you are not ready to use annotation-based tracking, you can opt out of this change by setting the
+`application.resourceTrackingMethod` field in the `argocd-cm` ConfigMap to `label`. There are no current plans to remove
+label-based tracking.
 
 ## Other changes
 
@@ -264,6 +319,7 @@ Example of a status field in the Application CR persisting health:
 status:
   health:
     status: Healthy
+    lastTransitionTime: "2025-01-01T00:00:00Z"
   resources:
     - group: apps
       health:
@@ -283,6 +339,7 @@ Example of a status field in the Application CR _not_ persisting health:
 status:
   health:
     status: Healthy
+    lastTransitionTime: "2025-01-01T00:00:00Z"
   resourceHealthSource: appTree
   resources:
     - group: apps
@@ -342,8 +399,8 @@ spec:
 
 By default, the existing system-level `ignoreDifferences` customizations will be added to ignore resource updates as well.
 
-Logically, if a field is configured to be ignore for the difference, there is no reason to gnerate the diff for the application
-whenever that field changes.
+Logically, if differences to a field are configured to be ignored, there is no reason to generate the diff for the application
+when that field changes.
 
 To disable this behavior and preserve the v2 default, the `ignoreDifferencesOnResourceUpdates` can be set to false:
 

docs/user-guide/auto_sync.md

@@ -96,4 +96,4 @@ which is controlled by `--self-heal-timeout-seconds` flag of `argocd-application
   and parameters had failed.
 
 * Rollback cannot be performed against an application with automated sync enabled.
-* The automatic sync interval is determined by [the `timeout.reconciliation` value in the `argocd-cm` ConfigMap](../faq.md#how-often-does-argo-cd-check-for-changes-to-my-git-or-helm-repository), which defaults to `180s` (3 minutes).
+* The automatic sync interval is determined by [the `timeout.reconciliation` value in the `argocd-cm` ConfigMap](../faq.md#how-often-does-argo-cd-check-for-changes-to-my-git-or-helm-repository), which defaults to `120s` with added jitter of `60s` for a maximum period of 3 minutes.

docs/user-guide/ci_automation.md

@@ -52,4 +52,4 @@ argocd app wait guestbook
 
 If [automated synchronization](auto_sync.md) is configured for the application, this step is
 unnecessary. The controller will automatically detect the new config (fast tracked using a
-[webhook](../operator-manual/webhook.md), or polled every 3 minutes), and automatically sync the new manifests.
+[webhook](../operator-manual/webhook.md), or polled at least every 3 minutes by default), and automatically sync the new manifests.

docs/user-guide/commands/argocd_appset_generate.md

@@ -2,7 +2,7 @@
 
 ## argocd appset generate
 
-Generate apps from ApplicationSet rendered templates and display the output.
+Generate apps of ApplicationSet rendered templates
 
 ```
 argocd appset generate [flags]

docs/user-guide/commands/argocd_appset_update.md

@@ -24,7 +24,7 @@ argocd appset update [flags]
 ### Options inherited from parent commands
 
 ```
-      --auth-token string               Authentication token
+      --auth-token string               Authentication token; set this or the ARGOCD_AUTH_TOKEN environment variable
       --client-crt string               Client certificate file
       --client-crt-key string           Client certificate key file
       --config string                   Path to Argo CD config (default "/home/user/.config/argocd/config")

docs/user-guide/resource_tracking.md

@@ -1,8 +1,46 @@
 # Resource Tracking
 
+## Tracking Kubernetes resources by annotation
+
+Argo CD can be instructed to use the following methods for tracking:
+
+1. `annotation` (default) - Argo CD uses the `argocd.argoproj.io/tracking-id` annotation to track application resources. Use this when you don't need to maintain both the label and the annotation.
+1. `annotation+label` - Argo CD uses the `app.kubernetes.io/instance` label but only for informational purposes. The label is not used for tracking purposes, and the value is still truncated if longer than 63 characters. The annotation `argocd.argoproj.io/tracking-id` is used instead to track application resources. Use this for resources that you manage with Argo CD, but still need compatibility with other tools that require the instance label.
+1. `label` - Argo CD uses the `app.kubernetes.io/instance` label
+
+
+Here is an example of using the annotation method for tracking resources:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-deployment
+  namespace: default
+  annotations:
+    argocd.argoproj.io/tracking-id: my-app:apps/Deployment:default/my-deployment
+```
+
+The advantages of using the tracking id annotation is that there are no clashes any
+more with other Kubernetes tools and Argo CD is never confused about the owner of a resource. The `annotation+label` can also be used if you want other tools to understand resources managed by Argo CD.
+
+### Installation ID
+
+If you are managing one cluster using multiple Argo CD instances, you will need to set `installationID` in the Argo CD ConfigMap. This will prevent conflicts between
+the different Argo CD instances:
+
+* Each managed resource will have the annotation `argocd.argoproj.io/installation-id: <installation-id>`
+* It is possible to have applications with the same name in Argo CD instances without causing conflicts.
+
+### Non self-referencing annotations
+When using the tracking method `annotation` or `annotation+label`, Argo CD will consider the resource properties in the annotation (name, namespace, group and kind) to determine whether the resource should be compared against the desired state. If the tracking annotation does not reference the resource it is applied to, the resource will neither affect the application's sync status nor be marked for pruning.
+
+This allows other kubernetes tools (e.g. [HNC](https://github.com/kubernetes-sigs/hierarchical-namespaces)) to copy a resource to a different namespace without impacting the Argo CD application's sync status. Copied resources will be visible on the UI at top level. They will have no sync status and won't impact the application's sync status.
+
+
 ## Tracking Kubernetes resources by label
 
-Argo CD identifies resources it manages by setting the application instance label to the name of the managing Application on all resources that are managed (i.e. reconciled from Git). The default label used is the well-known label `app.kubernetes.io/instance`.
+In this mode, Argo CD identifies resources it manages by setting the application instance label to the name of the managing Application on all resources that are managed (i.e. reconciled from Git). The default label used is the well-known label `app.kubernetes.io/instance`.
 
 Example:
 
@@ -40,44 +78,6 @@ data:
   application.instanceLabelKey: argocd.argoproj.io/instance
 ```
 
-## Additional tracking methods via an annotation
-
->v2.2
-
-To offer more flexible options for tracking resources and solve some of the issues outlined in the previous section Argo CD can be instructed to use the following methods for tracking:
-
-1. `label` (default) - Argo CD uses the `app.kubernetes.io/instance` label
-1. `annotation+label` - Argo CD uses the `app.kubernetes.io/instance` label but only for informational purposes. The label is not used for tracking purposes, and the value is still truncated if longer than 63 characters. The annotation `argocd.argoproj.io/tracking-id` is used instead to track application resources. Use this for resources that you manage with Argo CD, but still need compatibility with other tools that require the instance label.
-1. `annotation` - Argo CD uses the `argocd.argoproj.io/tracking-id` annotation to track application resources. Use this when you don't need to maintain both the label and the annotation.
-
-Here is an example of using the annotation method for tracking resources:
-
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: my-deployment
-  namespace: default
-  annotations:
-    argocd.argoproj.io/tracking-id: my-app:apps/Deployment:default/nginx-deployment
-```
-
-The advantages of using the tracking id annotation is that there are no clashes any
-more with other Kubernetes tools and Argo CD is never confused about the owner of a resource. The `annotation+label` can also be used if you want other tools to understand resources managed by Argo CD.
-
-### Installation ID
-
-If you are managing one cluster using multiple Argo CD instances, you will need to set `installationID` in the Argo CD ConfigMap. This will prevent conflicts between
-the different Argo CD instances:
-
-* Each managed resource will have the annotation `argocd.argoproj.io/tracking-id: <installation-id>`
-* It is possible to have applications with the same name in Argo CD instances without causing conflicts.
-
-### Non self-referencing annotations
-When using the tracking method `annotation` or `annotation+label`, Argo CD will consider the resource properties in the annotation (name, namespace, group and kind) to determine whether the resource should be compared against the desired state. If the tracking annotation does not reference the resource it is applied to, the resource will neither affect the application's sync status nor be marked for pruning. 
-
-This allows other kubernetes tools (e.g. [HNC](https://github.com/kubernetes-sigs/hierarchical-namespaces)) to copy a resource to a different namespace without impacting the Argo CD application's sync status. Copied resources will be visible on the UI at top level. They will have no sync status and won't impact the application's sync status.
-
 ## Choosing a tracking method
 
 To actually select your preferred tracking method edit the `resourceTrackingMethod` value contained inside the `argocd-cm` configmap.
@@ -93,8 +93,8 @@ metadata:
 data:
   application.resourceTrackingMethod: annotation
 ```
-Possible values are `label`, `annotation+label` and `annotation` as described in the previous section.
+Possible values are `label`, `annotation+label` and `annotation` as described above.
 
 Note that once you change the value you need to sync your applications again (or wait for the sync mechanism to kick-in) in order to apply your changes.
 
-You can revert to a previous choice, by changing again the configmap.
+You can revert to a previous choice, by changing the configmap again.

go.mod

@@ -7,12 +7,12 @@ require (
 	dario.cat/mergo v1.0.1
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
-	github.com/Azure/kubelogin v0.1.8
+	github.com/Azure/kubelogin v0.1.9
 	github.com/Masterminds/semver/v3 v3.3.1
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/TomOnTime/utfutil v1.0.0
 	github.com/alicebob/miniredis/v2 v2.34.0
-	github.com/argoproj/gitops-engine v0.7.1-0.20250305152649-acb47d5407b6
+	github.com/argoproj/gitops-engine v0.7.1-0.20250314164314-7258614f5041
 	github.com/argoproj/notifications-engine v0.4.1-0.20250309174002-87bf0576a872
 	github.com/argoproj/pkg v0.13.7-0.20250305113207-cbc37dc61de5
 	github.com/aws/aws-sdk-go v1.55.6
@@ -23,7 +23,7 @@ require (
 	github.com/casbin/govaluate v1.3.0
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/chainguard-dev/git-urls v1.0.2
-	github.com/coreos/go-oidc/v3 v3.12.0
+	github.com/coreos/go-oidc/v3 v3.13.0
 	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/dlclark/regexp2 v1.11.5
 	github.com/dustin/go-humanize v1.0.1
@@ -42,7 +42,7 @@ require (
 	github.com/gobwas/glob v0.2.3
 	github.com/gogits/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
 	github.com/gogo/protobuf v1.3.2
-	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/golang/protobuf v1.5.4
 	github.com/google/btree v1.1.3
 	github.com/google/go-cmp v0.7.0
@@ -107,7 +107,7 @@ require (
 	k8s.io/client-go v0.32.2
 	k8s.io/code-generator v0.32.2
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7
+	k8s.io/kube-openapi v0.0.0-20250304201544-e5f78fe3ede9
 	k8s.io/kubectl v0.32.2
 	k8s.io/utils v0.0.0-20241210054802-24370beab758
 	layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427
@@ -185,7 +185,7 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/glog v1.2.4 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
@@ -287,6 +287,7 @@ require (
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/kustomize/api v0.18.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
 )
 
 replace (

go.sum

@@ -70,8 +70,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
-github.com/Azure/kubelogin v0.1.8 h1:G5lQO7TPmD0TPdfW41sOnhqPfywc+oVl4ERd88llAko=
-github.com/Azure/kubelogin v0.1.8/go.mod h1:QdijBoCq0W24IEdGNB7lwI+SWI32w9nMo6GFjJQGd5k=
+github.com/Azure/kubelogin v0.1.9 h1:OwaVyCyf4rtm9UYOISoe3y5KmWIPA5Z1u9s2MVnpIfQ=
+github.com/Azure/kubelogin v0.1.9/go.mod h1:3snUrz9Ykw4hU/zZmzHsDo02ALe5nY43J6wFWn3pk7Y=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 h1:H5xDQaE3XowWfhZRUpnfC+rGZMEVoSiji+b+/HFAPU4=
@@ -114,8 +114,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20250305152649-acb47d5407b6 h1:3H0jvRZDjQHgZ7bMpeXmSn6/NTBIhzGEdSbFJvwr1+c=
-github.com/argoproj/gitops-engine v0.7.1-0.20250305152649-acb47d5407b6/go.mod h1:KMB51dChCgd0J96CcqAVfCtSyNzqncQgWakdi++ZIg4=
+github.com/argoproj/gitops-engine v0.7.1-0.20250314164314-7258614f5041 h1:2QuxuGZ7ZLokBqmwr02MHhI2N3ffShms/IxSbvaFtVM=
+github.com/argoproj/gitops-engine v0.7.1-0.20250314164314-7258614f5041/go.mod h1:4KL2HCRSGA/yLM8nOCcv+NbFsYohxmT9Lb47kWFhWYw=
 github.com/argoproj/notifications-engine v0.4.1-0.20250309174002-87bf0576a872 h1:ADGAdyN9ty0+RmTT/yn+xV9vwkqvLn9O1ccqeP0Zeas=
 github.com/argoproj/notifications-engine v0.4.1-0.20250309174002-87bf0576a872/go.mod h1:d1RazGXWvKRFv9//rg4MRRR7rbvbE7XLgTSMT5fITTE=
 github.com/argoproj/pkg v0.13.7-0.20250305113207-cbc37dc61de5 h1:YBoLSjpoaJXaXAldVvBRKJuOPvIXz9UOv6S96gMJM/Q=
@@ -201,8 +201,8 @@ github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZ
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM=
 github.com/codeskyblue/go-sh v0.0.0-20190412065543-76bd3d59ff27/go.mod h1:VQx0hjo2oUeQkQUET7wRwradO6f+fN5jzXgB/zROxxE=
-github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
-github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
+github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
+github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -362,10 +362,10 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
-github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc=
 github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -858,8 +858,8 @@ go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwE
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
-go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
+go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -1323,8 +1323,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-aggregator v0.32.2 h1:kg9pke+i2qRbJwX1UKwZV4fsCRvmbaCEFk38R4FqHmw=
 k8s.io/kube-aggregator v0.32.2/go.mod h1:rRm+xY1yIFIt3zBc727nG5SBLYywywD87klfIAw+7+c=
-k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 h1:hcha5B1kVACrLujCKLbr8XWMxCxzQx42DY8QKYJrDLg=
-k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7/go.mod h1:GewRfANuJ70iYzvn+i4lezLDAFzvjxZYK1gn1lWcfas=
+k8s.io/kube-openapi v0.0.0-20250304201544-e5f78fe3ede9 h1:t0huyHnz6HsokckRxAF1bY0cqPFwzINKCL7yltEjZQc=
+k8s.io/kube-openapi v0.0.0-20250304201544-e5f78fe3ede9/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us=
 k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8=
 k8s.io/kubernetes v1.32.2 h1:mShetlA102UpjRVSGzB+5vjJwy8oPy8FMWrkTH5f37o=
@@ -1348,8 +1348,9 @@ sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo
 sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U=
 sigs.k8s.io/kustomize/kyaml v0.18.1 h1:WvBo56Wzw3fjS+7vBjN6TeivvpbW9GmRaWZ9CIVmt4E=
 sigs.k8s.io/kustomize/kyaml v0.18.1/go.mod h1:C3L2BFVU1jgcddNBE1TxuVLgS46TjObMwW5FT9FcjYo=
-sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016 h1:kXv6kKdoEtedwuqMmkqhbkgvYKeycVbC8+iPCP9j5kQ=
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
 sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=

hack/get-previous-release/get-previous-version-for-release-notes.go

@@ -6,7 +6,6 @@ import (
 	"os"
 	"os/exec"
 	"regexp"
-	"strconv"
 	"strings"
 )
 
@@ -52,61 +51,59 @@ func extractPatchAndRC(tag string) (string, string, error) {
 	return patch, rc, nil
 }
 
-func findPreviousTag(proposedTag string, tags []string) (string, error) {
-	var previousTag string
-	proposedMajor := semver.Major(proposedTag)
-	proposedMinor := semver.MajorMinor(proposedTag)
-
-	proposedPatch, proposedRC, err := extractPatchAndRC(proposedTag)
-	if err != nil {
-		return "", err
-	}
-
-	// If the current tag is a .0 patch release or a 1 release candidate, adjust to the previous minor release series.
-	if (proposedPatch == "0" && proposedRC == "0") || proposedRC == "1" {
-		proposedMinorInt, err := strconv.Atoi(strings.TrimPrefix(proposedMinor, proposedMajor+"."))
-		if err != nil {
-			return "", fmt.Errorf("invalid minor version: %v", err)
-		}
-		if proposedMinorInt > 0 {
-			proposedMinor = fmt.Sprintf("%s.%d", proposedMajor, proposedMinorInt-1)
-		}
-	}
-
+func removeInvalidTags(tags []string) []string {
+	var validTags []string
 	for _, tag := range tags {
-		if tag == proposedTag {
-			continue
-		}
-		tagMajor := semver.Major(tag)
-		tagMinor := semver.MajorMinor(tag)
-		tagPatch, tagRC, err := extractPatchAndRC(tag)
-		if err != nil {
-			continue
-		}
-
-		// Only bother considering tags with the same major and minor version.
-		if tagMajor == proposedMajor && tagMinor == proposedMinor {
-			// If it's a non-RC release...
-			if proposedRC == "0" {
-				// Only consider non-RC tags.
-				if tagRC == "0" {
-					if semver.Compare(tag, previousTag) > 0 {
-						previousTag = tag
-					}
-				}
-			} else {
-				if tagRC != "0" && tagPatch == proposedPatch {
-					if semver.Compare(tag, previousTag) > 0 {
-						previousTag = tag
-					}
-				} else if tagRC == "0" {
-					if semver.Compare(tag, previousTag) > 0 {
-						previousTag = tag
-					}
-				}
-			}
+		if _, _, err := extractPatchAndRC(tag); err == nil {
+			validTags = append(validTags, tag)
 		}
 	}
+	return validTags
+}
+
+func removeNewerOrEqualTags(proposedTag string, tags []string) []string {
+	var validTags []string
+	for _, tag := range tags {
+		if semver.Compare(tag, proposedTag) < 0 {
+			validTags = append(validTags, tag)
+		}
+	}
+	return validTags
+}
+
+func removeTagsFromSameMinorSeries(proposedTag string, tags []string) []string {
+	var validTags []string
+	proposedMinor := semver.MajorMinor(proposedTag)
+	for _, tag := range tags {
+		if semver.MajorMinor(tag) != proposedMinor {
+			validTags = append(validTags, tag)
+		}
+	}
+	return validTags
+}
+
+func getMostRecentTag(tags []string) string {
+	var mostRecentTag string
+	for _, tag := range tags {
+		if mostRecentTag == "" || semver.Compare(tag, mostRecentTag) > 0 {
+			mostRecentTag = tag
+		}
+	}
+	return mostRecentTag
+}
+
+func findPreviousTag(proposedTag string, tags []string) (string, error) {
+	tags = removeInvalidTags(tags)
+	tags = removeNewerOrEqualTags(proposedTag, tags)
+
+	proposedPatch, proposedRC, _ := extractPatchAndRC(proposedTag) // Ignore the error, we already filtered out invalid tags.
+	if proposedRC == "0" && proposedPatch == "0" {
+		// If we're cutting the first patch of a new minor release series, don't consider tags in the same minor release
+		// series. We want to compare to the latest tag in the previous minor release series.
+		tags = removeTagsFromSameMinorSeries(proposedTag, tags)
+	}
+
+	previousTag := getMostRecentTag(tags)
 	if previousTag == "" {
 		return "", fmt.Errorf("no matching tag found for tags: " + strings.Join(tags, ", "))
 	}

hack/get-previous-release/get-previous-version-for-release-notes_test.go

@@ -76,6 +76,13 @@ func TestFindPreviousTagRules(t *testing.T) {
 		{"Rule 3: 1 release candidate", "v2.14.0-rc1", "v2.13.0-rc3", false},
 		// Rule 4: If we're releasing a non-1 release candidate, get the most recent rc tag on the current minor release series.
 		{"Rule 4: non-1 release candidate", "v2.13.0-rc4", "v2.13.0-rc3", false},
+		// Rule 5: If we're releasing a major version RC, get the most recent tag on the previous major release series.
+		{"Rule 5: major version RC", "v3.0.0-rc1", "v2.13.0-rc3", false},
+		// Rule 6: If we're releasing a major version, get the most recent tag on the previous major release series,
+		//         even if it's an RC.
+		{"Rule 6: major version", "v3.0.0", "v2.13.0-rc3", false},
+		// Rule 7: If the proposed tag already exists, don't return it.
+		{"Rule 7: proposed tag already exists", "v2.12.5", "v2.12.4", false},
 	}
 
 	for _, test := range tests {

hack/update-supported-versions.sh

@@ -7,8 +7,9 @@ argocd_minor_version=$(git rev-parse --abbrev-ref HEAD | sed 's/release-//')
 argocd_major_version_num=$(echo "$argocd_minor_version" | sed -E 's/\.[0-9]+//')
 argocd_minor_version_num=$(echo "$argocd_minor_version" | sed -E 's/[0-9]+\.//')
 
-for n in 0 1 2; do
-  minor_version_num=$((argocd_minor_version_num - n))
+minor_version_decrement=0
+for _ in {1..3}; do
+  minor_version_num=$((argocd_minor_version_num - minor_version_decrement))
   minor_version="${argocd_major_version_num}.${minor_version_num}"
   git checkout "release-$minor_version" > /dev/null || exit 1
 
@@ -19,9 +20,22 @@ for n in 0 1 2; do
     jq --arg minor_version "$minor_version" --raw-input --slurp --raw-output \
     'split("\n")[:-1] | map(sub("\\.[0-9]+$"; "")) | join(", ") | "| \($minor_version) | \(.) |"')
   out+="$line\n"
+
+  minor_version_decrement=$((minor_version_decrement + 1))
+
+  # If we're at minor version 0, there's no further version back in this series. Instead, move to the latest version in
+  # the previous major release series.
+  if [ "$argocd_minor_version_num" -eq 0 ]; then
+    argocd_major_version_num=$((argocd_major_version_num - 1))
+    # Get the latest minor version in the previous series.
+    argocd_minor_version_num=$(git tag -l "v$argocd_major_version_num.*" | sort -V | tail -n 1 | sed -E 's/\.[0-9]+$//' | sed -E 's/^v[0-9]+\.//')
+
+    # Don't decrement the minor version, since we're switching to the previous major release series. We want the latest
+    # minor version in that series.
+    minor_version_decrement=0
+  fi
 done
 
 git checkout "release-$argocd_minor_version"
 
-
 printf "$out" > docs/operator-manual/tested-kubernetes-versions.md

manifests/base/config/argocd-cm.yaml

@@ -70,10 +70,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v3.0.1
 resources:
 - ./application-controller
 - ./dex

manifests/core-install-with-hydrator.yaml

@@ -24217,10 +24217,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -24613,7 +24609,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -24889,7 +24885,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25162,7 +25158,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25214,7 +25210,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -25544,7 +25540,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install.yaml

@@ -24208,10 +24208,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -24581,7 +24577,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -24701,7 +24697,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -24974,7 +24970,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25026,7 +25022,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -25356,7 +25352,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v3.0.1

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v3.0.1
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/base/redis-ha/chart/upstream.yaml

@@ -1101,7 +1101,7 @@ spec:
         fsGroup: 99
         runAsNonRoot: true
         runAsUser: 99
-      automountServiceAccountToken: false
+      automountServiceAccountToken: true
       nodeSelector:
         {}
       tolerations:

manifests/ha/base/redis-ha/chart/values.yaml

@@ -21,6 +21,8 @@ redis-ha:
     checkInterval: 3s
     metrics:
       enabled: true
+    serviceAccount:
+      automountToken: true
   image:
     tag: 7.2.7-alpine
   sentinel:

manifests/ha/install-with-hydrator.yaml

@@ -24626,10 +24626,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -25978,7 +25974,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -26277,7 +26273,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -26373,7 +26369,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -26448,7 +26444,7 @@ spec:
               matchLabels:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
-      automountServiceAccountToken: false
+      automountServiceAccountToken: true
       containers:
       - env:
         - name: AUTH
@@ -26497,7 +26493,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -26796,7 +26792,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -26848,7 +26844,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -27222,7 +27218,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -27588,7 +27584,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/install.yaml

@@ -24617,10 +24617,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -25948,7 +25944,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -26091,7 +26087,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -26187,7 +26183,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -26262,7 +26258,7 @@ spec:
               matchLabels:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
-      automountServiceAccountToken: false
+      automountServiceAccountToken: true
       containers:
       - env:
         - name: AUTH
@@ -26311,7 +26307,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -26610,7 +26606,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -26662,7 +26658,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -27036,7 +27032,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -27402,7 +27398,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install-with-hydrator.yaml

@@ -513,10 +513,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -1865,7 +1861,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -2164,7 +2160,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2260,7 +2256,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2335,7 +2331,7 @@ spec:
               matchLabels:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
-      automountServiceAccountToken: false
+      automountServiceAccountToken: true
       containers:
       - env:
         - name: AUTH
@@ -2384,7 +2380,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2683,7 +2679,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2735,7 +2731,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -3109,7 +3105,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3475,7 +3471,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -504,10 +504,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -1835,7 +1831,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1978,7 +1974,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2074,7 +2070,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2149,7 +2145,7 @@ spec:
               matchLabels:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
-      automountServiceAccountToken: false
+      automountServiceAccountToken: true
       containers:
       - env:
         - name: AUTH
@@ -2198,7 +2194,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2497,7 +2493,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2549,7 +2545,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2923,7 +2919,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3289,7 +3285,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install-with-hydrator.yaml

@@ -24577,10 +24577,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -25073,7 +25069,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -25372,7 +25368,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -25468,7 +25464,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -25570,7 +25566,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25843,7 +25839,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25895,7 +25891,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -26267,7 +26263,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -26633,7 +26629,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -24568,10 +24568,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -25041,7 +25037,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -25184,7 +25180,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -25280,7 +25276,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -25382,7 +25378,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25655,7 +25651,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25707,7 +25703,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -26079,7 +26075,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -26445,7 +26441,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install-with-hydrator.yaml

@@ -464,10 +464,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -960,7 +956,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1259,7 +1255,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1355,7 +1351,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1457,7 +1453,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1730,7 +1726,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1782,7 +1778,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2154,7 +2150,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2520,7 +2516,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -455,10 +455,6 @@ data:
       - Endpoints
       - EndpointSlice
     ### Internal Kubernetes resources excluded reduce the number of watched events
-    - apiGroups:
-      - apiregistration.k8s.io
-      kinds:
-      - APIService
     - apiGroups:
       - coordination.k8s.io
       kinds:
@@ -928,7 +924,7 @@ spec:
               key: applicationsetcontroller.requeue.after
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1071,7 +1067,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1167,7 +1163,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1269,7 +1265,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1542,7 +1538,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1594,7 +1590,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1966,7 +1962,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2332,7 +2328,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v3.0.1
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

mkdocs.yml

@@ -130,6 +130,7 @@ nav:
     - operator-manual/server-commands/additional-configuration-method.md
   - Upgrading:
     - operator-manual/upgrading/overview.md
+    - operator-manual/upgrading/2.14-3.0.md
     - operator-manual/upgrading/2.13-2.14.md
     - operator-manual/upgrading/2.12-2.13.md
     - operator-manual/upgrading/2.11-2.12.md

reposerver/repository/repository.go

@@ -338,7 +338,7 @@ func (s *Service) runRepoOperation(
 
 	if source.IsHelm() {
 		if settings.noCache {
-			err = helmClient.CleanChartCache(source.Chart, revision, repo.Project)
+			err = helmClient.CleanChartCache(source.Chart, revision)
 			if err != nil {
 				return err
 			}
@@ -347,7 +347,7 @@ func (s *Service) runRepoOperation(
 		if source.Helm != nil {
 			helmPassCredentials = source.Helm.PassCredentials
 		}
-		chartPath, closer, err := helmClient.ExtractChart(source.Chart, revision, repo.Project, helmPassCredentials, s.initConstants.HelmManifestMaxExtractedSize, s.initConstants.DisableHelmManifestMaxExtractedSize)
+		chartPath, closer, err := helmClient.ExtractChart(source.Chart, revision, helmPassCredentials, s.initConstants.HelmManifestMaxExtractedSize, s.initConstants.DisableHelmManifestMaxExtractedSize)
 		if err != nil {
 			return err
 		}
@@ -1155,7 +1155,7 @@ func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclie
 			referencedSource := getReferencedSource(p.Path, q.RefSources)
 			if referencedSource != nil {
 				// If the $-prefixed path appears to reference another source, do env substitution _after_ resolving the source
-				resolvedPath, err = getResolvedRefValueFile(p.Path, env, q.GetValuesFileSchemes(), referencedSource.Repo.Repo, gitRepoPaths, referencedSource.Repo.Project)
+				resolvedPath, err = getResolvedRefValueFile(p.Path, env, q.GetValuesFileSchemes(), referencedSource.Repo.Repo, gitRepoPaths)
 				if err != nil {
 					return nil, "", fmt.Errorf("error resolving set-file path: %w", err)
 				}
@@ -1276,7 +1276,7 @@ func getResolvedValueFiles(
 		referencedSource := getReferencedSource(rawValueFile, refSources)
 		if referencedSource != nil {
 			// If the $-prefixed path appears to reference another source, do env substitution _after_ resolving that source.
-			resolvedPath, err = getResolvedRefValueFile(rawValueFile, env, allowedValueFilesSchemas, referencedSource.Repo.Repo, gitRepoPaths, referencedSource.Repo.Project)
+			resolvedPath, err = getResolvedRefValueFile(rawValueFile, env, allowedValueFilesSchemas, referencedSource.Repo.Repo, gitRepoPaths)
 			if err != nil {
 				return nil, fmt.Errorf("error resolving value file path: %w", err)
 			}
@@ -1309,15 +1309,9 @@ func getResolvedRefValueFile(
 	allowedValueFilesSchemas []string,
 	refSourceRepo string,
 	gitRepoPaths io.TempPaths,
-	project string,
 ) (pathutil.ResolvedFilePath, error) {
 	pathStrings := strings.Split(rawValueFile, "/")
-
-	keyData, err := json.Marshal(map[string]string{"url": git.NormalizeGitURL(refSourceRepo), "project": project})
-	if err != nil {
-		return "", err
-	}
-	repoPath := gitRepoPaths.GetPathIfExists(string(keyData))
+	repoPath := gitRepoPaths.GetPathIfExists(git.NormalizeGitURL(refSourceRepo))
 	if repoPath == "" {
 		return "", fmt.Errorf("failed to find repo %q", refSourceRepo)
 	}
@@ -2353,7 +2347,7 @@ func (s *Service) GetRevisionChartDetails(_ context.Context, q *apiclient.RepoSe
 	if err != nil {
 		return nil, fmt.Errorf("helm client error: %w", err)
 	}
-	chartPath, closer, err := helmClient.ExtractChart(q.Name, revision, q.Repo.Project, false, s.initConstants.HelmManifestMaxExtractedSize, s.initConstants.DisableHelmManifestMaxExtractedSize)
+	chartPath, closer, err := helmClient.ExtractChart(q.Name, revision, false, s.initConstants.HelmManifestMaxExtractedSize, s.initConstants.DisableHelmManifestMaxExtractedSize)
 	if err != nil {
 		return nil, fmt.Errorf("error extracting chart: %w", err)
 	}
@@ -2383,11 +2377,7 @@ func fileParameters(q *apiclient.RepoServerAppDetailsQuery) []v1alpha1.HelmFileP
 }
 
 func (s *Service) newClient(repo *v1alpha1.Repository, opts ...git.ClientOpts) (git.Client, error) {
-	keyData, err := json.Marshal(map[string]string{"url": git.NormalizeGitURL(repo.Repo), "project": repo.Project})
-	if err != nil {
-		return nil, err
-	}
-	repoPath, err := s.gitRepoPaths.GetPath(string(keyData))
+	repoPath, err := s.gitRepoPaths.GetPath(git.NormalizeGitURL(repo.Repo))
 	if err != nil {
 		return nil, err
 	}

reposerver/repository/repository_test.go

@@ -126,10 +126,10 @@ func newServiceWithMocks(t *testing.T, root string, signed bool) (*Service, *git
 			chart:    {{Version: "1.0.0"}, {Version: version}},
 			oobChart: {{Version: "1.0.0"}, {Version: version}},
 		}}, nil)
-		helmClient.On("ExtractChart", chart, version, "", false, int64(0), false).Return("./testdata/my-chart", io.NopCloser, nil)
-		helmClient.On("ExtractChart", oobChart, version, "", false, int64(0), false).Return("./testdata2/out-of-bounds-chart", io.NopCloser, nil)
-		helmClient.On("CleanChartCache", chart, version, "").Return(nil)
-		helmClient.On("CleanChartCache", oobChart, version, "").Return(nil)
+		helmClient.On("ExtractChart", chart, version, false, int64(0), false).Return("./testdata/my-chart", io.NopCloser, nil)
+		helmClient.On("ExtractChart", oobChart, version, false, int64(0), false).Return("./testdata2/out-of-bounds-chart", io.NopCloser, nil)
+		helmClient.On("CleanChartCache", chart, version).Return(nil)
+		helmClient.On("CleanChartCache", oobChart, version).Return(nil)
 		helmClient.On("DependencyBuild").Return(nil)
 
 		paths.On("Add", mock.Anything, mock.Anything).Return(root, nil)
@@ -3270,8 +3270,7 @@ func Test_getResolvedValueFiles(t *testing.T) {
 	tempDir := t.TempDir()
 	paths := io.NewRandomizedTempPaths(tempDir)
 
-	key, _ := json.Marshal(map[string]string{"url": git.NormalizeGitURL("https://github.com/org/repo1"), "project": ""})
-	paths.Add(string(key), path.Join(tempDir, "repo1"))
+	paths.Add(git.NormalizeGitURL("https://github.com/org/repo1"), path.Join(tempDir, "repo1"))
 
 	testCases := []struct {
 		name         string

resource_customizations/k8s.keycloak.org/Keycloak/health.lua

@@ -7,8 +7,18 @@ if obj.status == nil or obj.status.conditions == nil then
 end
 
 -- Sort conditions by lastTransitionTime, from old to new.
+-- Ensure that conditions with nil lastTransitionTime are always sorted after those with non-nil values.
 table.sort(obj.status.conditions, function(a, b)
-  return a.lastTransitionTime < b.lastTransitionTime
+  -- Nil values are considered "less than" non-nil values.
+  -- This means that conditions with nil lastTransitionTime will be sorted to the end.
+  if a.lastTransitionTime == nil then
+    return false
+  elseif b.lastTransitionTime == nil then
+    return true
+  else
+    -- If both have non-nil lastTransitionTime, compare them normally.
+    return a.lastTransitionTime < b.lastTransitionTime
+  end
 end)
 
 for _, condition in ipairs(obj.status.conditions) do

resource_customizations/k8s.keycloak.org/Keycloak/health_test.yaml

@@ -14,4 +14,8 @@ tests:
 - healthStatus:
     status: Degraded
     message: "Has Errors: Waiting for foo/keycloak-1 due to CrashLoopBackOff: back-off 10s"
-  inputPath: testdata/degraded.yaml
+  inputPath: testdata/degraded.yaml
+- healthStatus:
+    status: Healthy
+    message: ""
+  inputPath: testdata/nil_last_transition_time.yaml

resource_customizations/k8s.keycloak.org/Keycloak/testdata/nil_last_transition_time.yaml

@@ -0,0 +1,13 @@
+apiVersion: k8s.keycloak.org/v1alpha1
+kind: Keycloak
+metadata:
+  name: keycloak-23
+  namespace: keycloak
+status:
+  conditions:
+    - type: Ready
+      status: "True"
+      lastTransitionTime: "2025-05-06T12:00:00Z" # Non-nil lastTransitionTime
+    - type: HasErrors
+      status: "False"
+      lastTransitionTime: null # Nil lastTransitionTime

test/e2e/app_management_test.go

@@ -1262,6 +1262,7 @@ definitions:
     result = {}
     result[1] = impactedResource1
 
+    obj.metadata.labels = {}
     obj.metadata.labels["aKey"] = 'aValue'
     impactedResource2 = {}
     impactedResource2.operation = "patch"
@@ -2691,6 +2692,7 @@ func TestSwitchTrackingMethod(t *testing.T) {
 func TestSwitchTrackingLabel(t *testing.T) {
 	ctx := Given(t)
 
+	require.NoError(t, fixture.SetTrackingMethod(string(argo.TrackingMethodLabel)))
 	ctx.
 		Path("deployment").
 		When().

test/e2e/deployment_test.go

@@ -115,10 +115,9 @@ func TestDeploymentWithoutTrackingMode(t *testing.T) {
 		And(func(_ *Application) {
 			out, err := RunCli("app", "manifests", ctx.AppName())
 			require.NoError(t, err)
-			assert.Contains(t, out, fmt.Sprintf(`labels:
-    app: nginx
-    app.kubernetes.io/instance: %s
-`, ctx.AppName()))
+			assert.Contains(t, out, fmt.Sprintf(`annotations:
+    argocd.argoproj.io/tracking-id: %s:apps/Deployment:%s/nginx-deployment
+`, ctx.AppName(), DeploymentNamespace()))
 		})
 }
 

test/e2e/helm_test.go

@@ -544,8 +544,9 @@ func TestHelmRepoDiffLocal(t *testing.T) {
 				"--key-file", "../fixture/certs/argocd-test-client.key",
 				"--ca-file", "../fixture/certs/argocd-test-ca.crt",
 			))
-			diffOutput := errors.NewHandler(t).FailOnErr(fixture.RunCli("app", "diff", app.Name, "--local", "testdata/helm")).(string)
+			diffOutput, err := fixture.RunCli("app", "diff", app.Name, "--local", "testdata/helm")
 			assert.Empty(t, diffOutput)
+			assert.NoError(t, err)
 		})
 }
 

test/e2e/scoped_repository_test.go

@@ -232,3 +232,41 @@ func TestGetRepoCLIOutput(t *testing.T) {
 git         https://github.com/argoproj/argo-cd.git  false     false  false  false  Successful           argo-project`, output)
 		})
 }
+
+func TestCreateRepoWithSameURLInTwoProjects(t *testing.T) {
+	projectFixture.Given(t).
+		When().
+		Name("project-one").
+		Create().
+		Then()
+
+	projectFixture.Given(t).
+		When().
+		Name("project-two").
+		Create().
+		Then()
+
+	path := "https://github.com/argoproj/argo-cd.git"
+
+	// Create repository in first project
+	repoFixture.GivenWithSameState(t).
+		When().
+		Path(path).
+		Project("project-one").
+		Create().
+		Then().
+		And(func(r *Repository, _ error) {
+			assert.Equal(t, r.Repo, path)
+		})
+
+	// Create repository with same URL in second project
+	repoFixture.GivenWithSameState(t).
+		When().
+		Path(path).
+		Project("project-two").
+		Create().
+		Then().
+		And(func(r *Repository, _ error) {
+			assert.Equal(t, r.Repo, path)
+		})
+}

ui/src/app/applications/components/application-operation-state/application-operation-state.tsx

@@ -15,7 +15,7 @@ interface Props {
     application: models.Application;
     operationState: models.OperationState;
 }
-const buildResourceUniqueId = (res: Omit<models.ResourceRef, 'uid'>) => `${res.group}-${res.kind}-${res.version}-${res.namespace}-${res.name}`;
+const buildResourceUniqueId = (res: Omit<models.ResourceRef, 'uid'>) => `${res.group || ''}-${res.kind || ''}-${res.version || ''}-${res.namespace || ''}-${res.name}`;
 const FilterableMessageStatuses = ['Changed', 'Unchanged'];
 
 const Filter = (props: {filters: string[]; setFilters: (f: string[]) => void; options: string[]; title: string; style?: React.CSSProperties}) => {
@@ -158,13 +158,20 @@ export const ApplicationOperationState: React.StatelessComponent<Props> = ({appl
     // const hookPhases = ['Running', 'Terminating', 'Failed', 'Error', 'Succeeded'];
     const resourceHealth = application.status.resources.reduce(
         (acc, res) => {
-            if (res.health) {
-                acc[buildResourceUniqueId(res)] = res.health;
-            }
+            acc[buildResourceUniqueId(res)] = {
+                health: res.health,
+                syncWave: res.syncWave
+            };
 
             return acc;
         },
-        {} as Record<string, models.HealthStatus>
+        {} as Record<
+            string,
+            {
+                health: models.HealthStatus;
+                syncWave: number;
+            }
+        >
     );
 
     const combinedHealthSyncResult: models.SyncResourceResult[] = syncResult?.resources?.map(syncResultItem => {
@@ -176,10 +183,12 @@ export const ApplicationOperationState: React.StatelessComponent<Props> = ({appl
             ...syncResultItem
         };
 
-        if (healthStatus) {
-            syncResultWithHealth.health = healthStatus;
+        if (healthStatus?.health) {
+            syncResultWithHealth.health = healthStatus.health;
         }
 
+        syncResultWithHealth.syncWave = healthStatus?.syncWave;
+
         return syncResultWithHealth;
     });
     let filtered: models.SyncResourceResult[] = [];
@@ -242,7 +251,8 @@ export const ApplicationOperationState: React.StatelessComponent<Props> = ({appl
                     <div className='argo-table-list'>
                         <div className='argo-table-list__head'>
                             <div className='row'>
-                                <div className='columns large-2 show-for-large application-operation-state__icons_container_padding'>KIND</div>
+                                <div className='columns large-1 show-for-large application-operation-state__icons_container_padding'>SYNC WAVE</div>
+                                <div className='columns large-1 show-for-large application-operation-state__icons_container_padding'>KIND</div>
                                 <div className='columns large-1 show-for-large'>NAMESPACE</div>
                                 <div className='columns large-2 small-2'>NAME</div>
                                 <div className='columns large-1 small-2'>STATUS</div>
@@ -255,10 +265,13 @@ export const ApplicationOperationState: React.StatelessComponent<Props> = ({appl
                             filtered.map((resource, i) => (
                                 <div className='argo-table-list__row' key={i}>
                                     <div className='row'>
-                                        <div className='columns large-2 show-for-large application-operation-state__icons_container_padding'>
+                                        <div className='columns large-1 show-for-large application-operation-state__icons_container_padding' style={{textAlign: 'center'}}>
                                             <div className='application-operation-state__icons_container'>
                                                 {resource.hookType && <i title='Resource lifecycle hook' className='fa fa-anchor' />}
                                             </div>
+                                            {resource.syncWave || '0'}
+                                        </div>
+                                        <div className='columns large-1 show-for-large'>
                                             <span title={getKind(resource)}>{getKind(resource)}</span>
                                         </div>
                                         <div className='columns large-1 show-for-large' title={resource.namespace}>

ui/src/app/applications/components/application-status-panel/application-status-panel.tsx

@@ -117,13 +117,15 @@ export const ApplicationStatusPanel = ({application, showDiff, showOperation, sh
                         <div className='application-status-panel__item-name'>{application.status.sourceHydrator.currentOperation.message}</div>
                     )}
                     <div className='application-status-panel__item-name'>
-                        <RevisionMetadataPanel
-                            appName={application.metadata.name}
-                            appNamespace={application.metadata.namespace}
-                            type={''}
-                            revision={application.status.sourceHydrator.currentOperation.drySHA}
-                            versionId={utils.getAppCurrentVersion(application)}
-                        />
+                        {application.status.sourceHydrator.currentOperation.drySHA && (
+                            <RevisionMetadataPanel
+                                appName={application.metadata.name}
+                                appNamespace={application.metadata.namespace}
+                                type={''}
+                                revision={application.status.sourceHydrator.currentOperation.drySHA}
+                                versionId={utils.getAppCurrentVersion(application)}
+                            />
+                        )}
                     </div>
                 </div>
             )}

ui/src/app/settings/components/repos-list/repos-list.tsx

@@ -219,7 +219,7 @@ export class ReposList extends React.Component<
                     tlsClientCertKey: !validURLValues.tlsClientCertKey && validURLValues.tlsClientCertData && 'TLS client cert key is required if TLS client cert is given.',
                     bearerToken:
                         (validURLValues.password && validURLValues.bearerToken && 'Either the password or the bearer token must be set, but not both.') ||
-                        (validURLValues.type != 'git' && 'Bearer token is only supported for Git BitBucket Data Center repositories.')
+                        (validURLValues.bearerToken && validURLValues.type != 'git' && 'Bearer token is only supported for Git BitBucket Data Center repositories.')
                 };
             case ConnectionMethod.GITHUBAPP:
                 const githubAppValues = params as NewGitHubAppRepoParams;

ui/src/app/shared/models.ts

@@ -129,6 +129,7 @@ export interface ResourceResult {
 
 export type SyncResourceResult = ResourceResult & {
     health?: HealthStatus;
+    syncWave?: number;
 };
 
 export const AnnotationRefreshKey = 'argocd.argoproj.io/refresh';

util/argo/resource_tracking.go

@@ -6,6 +6,7 @@ import (
 	"regexp"
 	"strings"
 
+	kubeutil "github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"github.com/argoproj/argo-cd/v3/common"
@@ -55,7 +56,7 @@ func NewResourceTracking() ResourceTracking {
 func GetTrackingMethod(settingsMgr *settings.SettingsManager) v1alpha1.TrackingMethod {
 	tm, err := settingsMgr.GetTrackingMethod()
 	if err != nil || tm == "" {
-		return TrackingMethodLabel
+		return TrackingMethodAnnotation
 	}
 	return v1alpha1.TrackingMethod(tm)
 }
@@ -100,11 +101,7 @@ func (rt *resourceTracking) GetAppName(un *unstructured.Unstructured, key string
 	case TrackingMethodAnnotation:
 		return retrieveAppInstanceValue()
 	default:
-		label, err := kube.GetAppInstanceLabel(un, key)
-		if err != nil {
-			return ""
-		}
-		return label
+		return retrieveAppInstanceValue()
 	}
 }
 
@@ -185,11 +182,7 @@ func (rt *resourceTracking) SetAppInstance(un *unstructured.Unstructured, key, v
 		}
 		return nil
 	default:
-		err := kube.SetAppInstanceLabel(un, key, val)
-		if err != nil {
-			return fmt.Errorf("failed to set app instance label: %w", err)
-		}
-		return nil
+		return setAppInstanceAnnotation()
 	}
 }
 
@@ -240,6 +233,11 @@ func (rt *resourceTracking) Normalize(config, live *unstructured.Unstructured, l
 		return nil
 	}
 
+	if kubeutil.IsCRD(live) {
+		// CRDs don't get tracking annotations.
+		return nil
+	}
+
 	annotation, err := kube.GetAppInstanceAnnotation(config, common.AnnotationKeyAppInstance)
 	if err != nil {
 		return err

util/argo/resource_tracking_test.go

@@ -204,6 +204,50 @@ func TestResourceIdNormalizer_Normalize(t *testing.T) {
 	assert.False(t, hasOldLabel)
 }
 
+func TestResourceIdNormalizer_NormalizeCRD(t *testing.T) {
+	rt := NewResourceTracking()
+
+	// live object is a CRD resource
+	liveObj := &unstructured.Unstructured{
+		Object: map[string]any{
+			"apiVersion": "apiextensions.k8s.io/v1",
+			"kind":       "CustomResourceDefinition",
+			"metadata": map[string]any{
+				"name": "crontabs.stable.example.com",
+				"labels": map[string]any{
+					common.LabelKeyAppInstance: "my-app",
+				},
+			},
+			"spec": map[string]any{
+				"group": "stable.example.com",
+				"scope": "Namespaced",
+			},
+		},
+	}
+
+	// config object is a CRD resource
+	configObj := &unstructured.Unstructured{
+		Object: map[string]any{
+			"apiVersion": "apiextensions.k8s.io/v1",
+			"kind":       "CustomResourceDefinition",
+			"metadata": map[string]any{
+				"name": "crontabs.stable.example.com",
+				"labels": map[string]any{
+					common.LabelKeyAppInstance: "my-app",
+				},
+			},
+			"spec": map[string]any{
+				"group": "stable.example.com",
+				"scope": "Namespaced",
+			},
+		},
+	}
+
+	require.NoError(t, rt.Normalize(configObj, liveObj, common.LabelKeyAppInstance, string(TrackingMethodAnnotation)))
+	// the normalization should not apply any changes to the live object
+	require.NotContains(t, liveObj.GetAnnotations(), common.AnnotationKeyAppInstance)
+}
+
 func TestResourceIdNormalizer_Normalize_ConfigHasOldLabel(t *testing.T) {
 	rt := NewResourceTracking()
 

util/git/client.go

@@ -424,11 +424,14 @@ func (m *nativeGitClient) Fetch(revision string) error {
 func (m *nativeGitClient) LsFiles(path string, enableNewGitFileGlobbing bool) ([]string, error) {
 	if enableNewGitFileGlobbing {
 		// This is the new way with safer globbing
-		err := os.Chdir(m.root)
+
+		// evaluating the root path for symlinks
+		realRoot, err := filepath.EvalSymlinks(m.root)
 		if err != nil {
 			return nil, err
 		}
-		allFiles, err := doublestar.FilepathGlob(path)
+		// searching for the pattern inside the root path
+		allFiles, err := doublestar.FilepathGlob(filepath.Join(realRoot, path))
 		if err != nil {
 			return nil, err
 		}
@@ -442,10 +445,16 @@ func (m *nativeGitClient) LsFiles(path string, enableNewGitFileGlobbing bool) ([
 			if err != nil {
 				return nil, err
 			}
-			if strings.HasPrefix(absPath, m.root) {
-				files = append(files, file)
+
+			if strings.HasPrefix(absPath, realRoot) {
+				// removing the repository root prefix from the file path
+				relativeFile, err := filepath.Rel(realRoot, file)
+				if err != nil {
+					return nil, err
+				}
+				files = append(files, relativeFile)
 			} else {
-				log.Warnf("Absolute path for %s is outside of repository, removing it", file)
+				log.Warnf("Absolute path for %s is outside of repository, ignoring it", file)
 			}
 		}
 		return files, nil

util/git/client_test.go

@@ -9,6 +9,7 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -979,6 +980,65 @@ func Test_nativeGitClient_runCredentialedCmd(t *testing.T) {
 	}
 }
 
+func Test_LsFiles_RaceCondition(t *testing.T) {
+	// Create two temporary directories and initialize them as git repositories
+	tempDir1 := t.TempDir()
+	tempDir2 := t.TempDir()
+
+	client1, err := NewClient("file://"+tempDir1, NopCreds{}, true, false, "", "")
+	require.NoError(t, err)
+	client2, err := NewClient("file://"+tempDir2, NopCreds{}, true, false, "", "")
+	require.NoError(t, err)
+
+	err = client1.Init()
+	require.NoError(t, err)
+	err = client2.Init()
+	require.NoError(t, err)
+
+	// Add different files to each repository
+	file1 := filepath.Join(client1.Root(), "file1.txt")
+	err = os.WriteFile(file1, []byte("content1"), 0o644)
+	require.NoError(t, err)
+	err = runCmd(client1.Root(), "git", "add", "file1.txt")
+	require.NoError(t, err)
+	err = runCmd(client1.Root(), "git", "commit", "-m", "Add file1")
+	require.NoError(t, err)
+
+	file2 := filepath.Join(client2.Root(), "file2.txt")
+	err = os.WriteFile(file2, []byte("content2"), 0o644)
+	require.NoError(t, err)
+	err = runCmd(client2.Root(), "git", "add", "file2.txt")
+	require.NoError(t, err)
+	err = runCmd(client2.Root(), "git", "commit", "-m", "Add file2")
+	require.NoError(t, err)
+
+	// Assert that LsFiles returns the correct files when called sequentially
+	files1, err := client1.LsFiles("*", true)
+	require.NoError(t, err)
+	require.Contains(t, files1, "file1.txt")
+
+	files2, err := client2.LsFiles("*", true)
+	require.NoError(t, err)
+	require.Contains(t, files2, "file2.txt")
+
+	// Define a function to call LsFiles multiple times in parallel
+	var wg sync.WaitGroup
+	callLsFiles := func(client Client, expectedFile string) {
+		defer wg.Done()
+		for i := 0; i < 100; i++ {
+			files, err := client.LsFiles("*", true)
+			require.NoError(t, err)
+			require.Contains(t, files, expectedFile)
+		}
+	}
+
+	// Call LsFiles in parallel for both clients
+	wg.Add(2)
+	go callLsFiles(client1, "file1.txt")
+	go callLsFiles(client2, "file2.txt")
+	wg.Wait()
+}
+
 type mockCreds struct {
 	environ    []string
 	environErr bool

util/helm/client.go

@@ -46,8 +46,8 @@ type indexCache interface {
 }
 
 type Client interface {
-	CleanChartCache(chart string, version string, project string) error
-	ExtractChart(chart string, version string, project string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, argoio.Closer, error)
+	CleanChartCache(chart string, version string) error
+	ExtractChart(chart string, version string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, argoio.Closer, error)
 	GetIndex(noCache bool, maxIndexSize int64) (*Index, error)
 	GetTags(chart string, noCache bool) (*TagsList, error)
 	TestHelmOCI() (bool, error)
@@ -110,8 +110,8 @@ func fileExist(filePath string) (bool, error) {
 	return true, nil
 }
 
-func (c *nativeHelmChart) CleanChartCache(chart string, version string, project string) error {
-	cachePath, err := c.getCachedChartPath(chart, version, project)
+func (c *nativeHelmChart) CleanChartCache(chart string, version string) error {
+	cachePath, err := c.getCachedChartPath(chart, version)
 	if err != nil {
 		return fmt.Errorf("error getting cached chart path: %w", err)
 	}
@@ -138,7 +138,7 @@ func untarChart(tempDir string, cachedChartPath string, manifestMaxExtractedSize
 	return files.Untgz(tempDir, reader, manifestMaxExtractedSize, false)
 }
 
-func (c *nativeHelmChart) ExtractChart(chart string, version string, project string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, argoio.Closer, error) {
+func (c *nativeHelmChart) ExtractChart(chart string, version string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, argoio.Closer, error) {
 	// always use Helm V3 since we don't have chart content to determine correct Helm version
 	helmCmd, err := NewCmdWithVersion("", c.enableOci, c.proxy, c.noProxy)
 	if err != nil {
@@ -152,7 +152,7 @@ func (c *nativeHelmChart) ExtractChart(chart string, version string, project str
 		return "", nil, fmt.Errorf("error creating temporary directory: %w", err)
 	}
 
-	cachedChartPath, err := c.getCachedChartPath(chart, version, project)
+	cachedChartPath, err := c.getCachedChartPath(chart, version)
 	if err != nil {
 		_ = os.RemoveAll(tempDir)
 		return "", nil, fmt.Errorf("error getting cached chart path: %w", err)
@@ -387,8 +387,8 @@ func normalizeChartName(chart string) string {
 	return nc
 }
 
-func (c *nativeHelmChart) getCachedChartPath(chart string, version string, project string) (string, error) {
-	keyData, err := json.Marshal(map[string]string{"url": c.repoURL, "chart": chart, "version": version, "project": project})
+func (c *nativeHelmChart) getCachedChartPath(chart string, version string) (string, error) {
+	keyData, err := json.Marshal(map[string]string{"url": c.repoURL, "chart": chart, "version": version})
 	if err != nil {
 		return "", fmt.Errorf("error marshaling cache key data: %w", err)
 	}

util/helm/client_test.go

@@ -80,7 +80,7 @@ func TestIndex(t *testing.T) {
 
 func Test_nativeHelmChart_ExtractChart(t *testing.T) {
 	client := NewClient("https://argoproj.github.io/argo-helm", HelmCreds{}, false, "", "")
-	path, closer, err := client.ExtractChart("argo-cd", "0.7.1", "", false, math.MaxInt64, true)
+	path, closer, err := client.ExtractChart("argo-cd", "0.7.1", false, math.MaxInt64, true)
 	require.NoError(t, err)
 	defer io.Close(closer)
 	info, err := os.Stat(path)
@@ -90,13 +90,13 @@ func Test_nativeHelmChart_ExtractChart(t *testing.T) {
 
 func Test_nativeHelmChart_ExtractChartWithLimiter(t *testing.T) {
 	client := NewClient("https://argoproj.github.io/argo-helm", HelmCreds{}, false, "", "")
-	_, _, err := client.ExtractChart("argo-cd", "0.7.1", "", false, 100, false)
+	_, _, err := client.ExtractChart("argo-cd", "0.7.1", false, 100, false)
 	require.Error(t, err, "error while iterating on tar reader: unexpected EOF")
 }
 
 func Test_nativeHelmChart_ExtractChart_insecure(t *testing.T) {
 	client := NewClient("https://argoproj.github.io/argo-helm", HelmCreds{InsecureSkipVerify: true}, false, "", "")
-	path, closer, err := client.ExtractChart("argo-cd", "0.7.1", "", false, math.MaxInt64, true)
+	path, closer, err := client.ExtractChart("argo-cd", "0.7.1", false, math.MaxInt64, true)
 	require.NoError(t, err)
 	defer io.Close(closer)
 	info, err := os.Stat(path)

util/helm/mocks/Client.go

@@ -14,17 +14,17 @@ type Client struct {
 	mock.Mock
 }
 
-// CleanChartCache provides a mock function with given fields: chart, version, project
-func (_m *Client) CleanChartCache(chart string, version string, project string) error {
-	ret := _m.Called(chart, version, project)
+// CleanChartCache provides a mock function with given fields: chart, version
+func (_m *Client) CleanChartCache(chart string, version string) error {
+	ret := _m.Called(chart, version)
 
 	if len(ret) == 0 {
 		panic("no return value specified for CleanChartCache")
 	}
 
 	var r0 error
-	if rf, ok := ret.Get(0).(func(string, string, string) error); ok {
-		r0 = rf(chart, version, project)
+	if rf, ok := ret.Get(0).(func(string, string) error); ok {
+		r0 = rf(chart, version)
 	} else {
 		r0 = ret.Error(0)
 	}
@@ -32,9 +32,9 @@ func (_m *Client) CleanChartCache(chart string, version string, project string)
 	return r0
 }
 
-// ExtractChart provides a mock function with given fields: chart, version, project, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize
-func (_m *Client) ExtractChart(chart string, version string, project string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, io.Closer, error) {
-	ret := _m.Called(chart, version, project, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
+// ExtractChart provides a mock function with given fields: chart, version, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize
+func (_m *Client) ExtractChart(chart string, version string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, io.Closer, error) {
+	ret := _m.Called(chart, version, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
 
 	if len(ret) == 0 {
 		panic("no return value specified for ExtractChart")
@@ -43,25 +43,25 @@ func (_m *Client) ExtractChart(chart string, version string, project string, pas
 	var r0 string
 	var r1 io.Closer
 	var r2 error
-	if rf, ok := ret.Get(0).(func(string, string, string, bool, int64, bool) (string, io.Closer, error)); ok {
-		return rf(chart, version, project, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
+	if rf, ok := ret.Get(0).(func(string, string, bool, int64, bool) (string, io.Closer, error)); ok {
+		return rf(chart, version, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
 	}
-	if rf, ok := ret.Get(0).(func(string, string, string, bool, int64, bool) string); ok {
-		r0 = rf(chart, version, project, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
+	if rf, ok := ret.Get(0).(func(string, string, bool, int64, bool) string); ok {
+		r0 = rf(chart, version, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
 	} else {
 		r0 = ret.Get(0).(string)
 	}
 
-	if rf, ok := ret.Get(1).(func(string, string, string, bool, int64, bool) io.Closer); ok {
-		r1 = rf(chart, version, project, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
+	if rf, ok := ret.Get(1).(func(string, string, bool, int64, bool) io.Closer); ok {
+		r1 = rf(chart, version, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
 	} else {
 		if ret.Get(1) != nil {
 			r1 = ret.Get(1).(io.Closer)
 		}
 	}
 
-	if rf, ok := ret.Get(2).(func(string, string, string, bool, int64, bool) error); ok {
-		r2 = rf(chart, version, project, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
+	if rf, ok := ret.Get(2).(func(string, string, bool, int64, bool) error); ok {
+		r2 = rf(chart, version, passCredentials, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
 	} else {
 		r2 = ret.Error(2)
 	}

util/kube/portforwarder.go

@@ -16,10 +16,29 @@ import (
 	"k8s.io/client-go/tools/portforward"
 	"k8s.io/client-go/transport/spdy"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"k8s.io/kubectl/pkg/util/podutils"
 
 	"github.com/argoproj/argo-cd/v3/util/io"
 )
 
+func selectPodForPortForward(clientSet kubernetes.Interface, namespace string, podSelectors ...string) (*corev1.Pod, error) {
+	for _, podSelector := range podSelectors {
+		pods, err := clientSet.CoreV1().Pods(namespace).List(context.Background(), metav1.ListOptions{
+			LabelSelector: podSelector,
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		for _, po := range pods.Items {
+			if po.Status.Phase == corev1.PodRunning && podutils.IsPodReady(&po) {
+				return &po, nil
+			}
+		}
+	}
+	return nil, fmt.Errorf("cannot find ready pod with selector: %v - use the --{component}-name flag in this command or set the environmental variable (Refer to https://argo-cd.readthedocs.io/en/stable/user-guide/environment-variables), to change the Argo CD component name in the CLI", podSelectors)
+}
+
 func PortForward(targetPort int, namespace string, overrides *clientcmd.ConfigOverrides, podSelectors ...string) (int, error) {
 	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
 	loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig
@@ -41,24 +60,9 @@ func PortForward(targetPort int, namespace string, overrides *clientcmd.ConfigOv
 		return -1, err
 	}
 
-	var pod *corev1.Pod
-
-	for _, podSelector := range podSelectors {
-		pods, err := clientSet.CoreV1().Pods(namespace).List(context.Background(), metav1.ListOptions{
-			LabelSelector: podSelector,
-		})
-		if err != nil {
-			return -1, err
-		}
-
-		if len(pods.Items) > 0 {
-			pod = &pods.Items[0]
-			break
-		}
-	}
-
-	if pod == nil {
-		return -1, fmt.Errorf("cannot find pod with selector: %v - use the --{component}-name flag in this command or set the environmental variable (Refer to https://argo-cd.readthedocs.io/en/stable/user-guide/environment-variables), to change the Argo CD component name in the CLI", podSelectors)
+	pod, err := selectPodForPortForward(clientSet, namespace, podSelectors...)
+	if err != nil {
+		return -1, err
 	}
 
 	url := clientSet.CoreV1().RESTClient().Post().

util/kube/portforwarder_test.go

@@ -0,0 +1,83 @@
+package kube
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+func Test_selectPodForPortForward(t *testing.T) {
+	// Mock the Kubernetes client
+	client := fake.NewSimpleClientset(
+		&corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-pod",
+				Namespace: "default",
+				Labels: map[string]string{
+					"app": "test-app",
+				},
+			},
+			Status: corev1.PodStatus{
+				Conditions: []corev1.PodCondition{
+					{
+						Type:               corev1.PodReady,
+						Status:             corev1.ConditionTrue,
+						LastTransitionTime: metav1.Now(),
+					},
+				},
+				Phase: corev1.PodRunning,
+			},
+		},
+		&corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test2-pod-broken",
+				Namespace: "default",
+				Labels: map[string]string{
+					"app": "test2",
+				},
+			},
+			Status: corev1.PodStatus{
+				Conditions: []corev1.PodCondition{
+					{
+						Type:               corev1.PodReady,
+						Status:             corev1.ConditionFalse,
+						LastTransitionTime: metav1.Now(),
+					},
+				},
+				Phase: corev1.PodFailed,
+			},
+		},
+		&corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test2-pod-working",
+				Namespace: "default",
+				Labels: map[string]string{
+					"app": "test2",
+				},
+			},
+			Status: corev1.PodStatus{
+				Conditions: []corev1.PodCondition{
+					{
+						Type:               corev1.PodReady,
+						Status:             corev1.ConditionTrue,
+						LastTransitionTime: metav1.Now(),
+					},
+				},
+				Phase: corev1.PodRunning,
+			},
+		},
+	)
+
+	// Test selecting the pod
+	selectedPod, err := selectPodForPortForward(client, "default", "app=test-app")
+	require.NoError(t, err)
+	require.Equal(t, "test-pod", selectedPod.Name)
+
+	// Test selecting the working pod
+	selectedPod2, err := selectPodForPortForward(client, "default", "app=test2")
+	require.NoError(t, err)
+	require.Equal(t, "test2-pod-working", selectedPod2.Name)
+}

util/webhook/webhook.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/Masterminds/semver/v3"
 	"github.com/go-playground/webhooks/v6/azuredevops"
 	"github.com/go-playground/webhooks/v6/bitbucket"
 	bitbucketserver "github.com/go-playground/webhooks/v6/bitbucket-server"
@@ -306,6 +307,22 @@ func (a *ArgoCDWebhookHandler) HandleEvent(payload any) {
 			continue
 		}
 		for _, app := range filteredApps {
+			if app.Spec.SourceHydrator != nil {
+				drySource := app.Spec.SourceHydrator.GetDrySource()
+				if sourceRevisionHasChanged(drySource, revision, touchedHead) && sourceUsesURL(drySource, webURL, repoRegexp) {
+					refreshPaths := path.GetAppRefreshPaths(&app)
+					if path.AppFilesHaveChanged(refreshPaths, changedFiles) {
+						namespacedAppInterface := a.appClientset.ArgoprojV1alpha1().Applications(app.ObjectMeta.Namespace)
+						log.Infof("webhook trigger refresh app to hydrate '%s'", app.ObjectMeta.Name)
+						_, err = argo.RefreshApp(namespacedAppInterface, app.ObjectMeta.Name, v1alpha1.RefreshTypeNormal, true)
+						if err != nil {
+							log.Warnf("Failed to hydrate app '%s' for controller reprocessing: %v", app.ObjectMeta.Name, err)
+							continue
+						}
+					}
+				}
+			}
+
 			for _, source := range app.Spec.GetSources() {
 				if sourceRevisionHasChanged(source, revision, touchedHead) && sourceUsesURL(source, webURL, repoRegexp) {
 					refreshPaths := path.GetAppRefreshPaths(&app)
@@ -413,11 +430,33 @@ func sourceRevisionHasChanged(source v1alpha1.ApplicationSource, revision string
 	targetRevisionHasPrefixList := []string{"refs/heads/", "refs/tags/"}
 	for _, prefix := range targetRevisionHasPrefixList {
 		if strings.HasPrefix(source.TargetRevision, prefix) {
-			return revision == targetRev
+			return compareRevisions(revision, targetRev)
 		}
 	}
 
-	return source.TargetRevision == revision
+	return compareRevisions(revision, source.TargetRevision)
+}
+
+func compareRevisions(revision string, targetRevision string) bool {
+	if revision == targetRevision {
+		return true
+	}
+
+	// If basic equality checking fails, it might be that the target revision is
+	// a semver version constraint
+	constraint, err := semver.NewConstraint(targetRevision)
+	if err != nil {
+		// The target revision is not a constraint
+		return false
+	}
+
+	version, err := semver.NewVersion(revision)
+	if err != nil {
+		// The new revision is not a valid semver version, so it can't match the constraint.
+		return false
+	}
+
+	return constraint.Check(version)
 }
 
 func sourceUsesURL(source v1alpha1.ApplicationSource, webURL string, repoRegexp *regexp.Regexp) bool {

util/webhook/webhook_test.go

@@ -276,6 +276,72 @@ func TestGitHubCommitEvent_AppsInOtherNamespaces(t *testing.T) {
 	hook.Reset()
 }
 
+// TestGitHubCommitEvent_Hydrate makes sure that a webhook will hydrate an app when dry source changed.
+func TestGitHubCommitEvent_Hydrate(t *testing.T) {
+	hook := test.NewGlobal()
+	var patched bool
+	reaction := func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+		patchAction := action.(kubetesting.PatchAction)
+		assert.Equal(t, "app-to-hydrate", patchAction.GetName())
+		patched = true
+		return true, nil, nil
+	}
+	h := NewMockHandler(&reactorDef{"patch", "applications", reaction}, []string{}, &v1alpha1.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "app-to-hydrate",
+			Namespace: "argocd",
+		},
+		Spec: v1alpha1.ApplicationSpec{
+			SourceHydrator: &v1alpha1.SourceHydrator{
+				DrySource: v1alpha1.DrySource{
+					RepoURL:        "https://github.com/jessesuen/test-repo",
+					TargetRevision: "HEAD",
+					Path:           ".",
+				},
+				SyncSource: v1alpha1.SyncSource{
+					TargetBranch: "environments/dev",
+					Path:         ".",
+				},
+				HydrateTo: nil,
+			},
+		},
+	}, &v1alpha1.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "app-to-ignore",
+		},
+		Spec: v1alpha1.ApplicationSpec{
+			Sources: v1alpha1.ApplicationSources{
+				{
+					RepoURL: "https://github.com/some/unrelated-repo",
+					Path:    ".",
+				},
+			},
+		},
+	},
+	)
+	req := httptest.NewRequest(http.MethodPost, "/api/webhook", nil)
+	req.Header.Set("X-GitHub-Event", "push")
+	eventJSON, err := os.ReadFile("testdata/github-commit-event.json")
+	require.NoError(t, err)
+	req.Body = io.NopCloser(bytes.NewReader(eventJSON))
+	w := httptest.NewRecorder()
+	h.Handler(w, req)
+	close(h.queue)
+	h.Wait()
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.True(t, patched)
+
+	logMessages := make([]string, 0, len(hook.Entries))
+	for _, entry := range hook.Entries {
+		logMessages = append(logMessages, entry.Message)
+	}
+
+	assert.Contains(t, logMessages, "webhook trigger refresh app to hydrate 'app-to-hydrate'")
+	assert.NotContains(t, logMessages, "webhook trigger refresh app to hydrate 'app-to-ignore'")
+
+	hook.Reset()
+}
+
 func TestGitHubTagEvent(t *testing.T) {
 	hook := test.NewGlobal()
 	h := NewMockHandler(nil, []string{})
@@ -466,8 +532,15 @@ func TestAppRevisionHasChanged(t *testing.T) {
 		{"dev target revision, dev, did not touch head", getSource("dev"), "dev", false, true},
 		{"refs/heads/dev target revision, master, touched head", getSource("refs/heads/dev"), "master", true, false},
 		{"refs/heads/dev target revision, dev, did not touch head", getSource("refs/heads/dev"), "dev", false, true},
+		{"refs/tags/dev target revision, dev, did not touch head", getSource("refs/tags/dev"), "dev", false, true},
 		{"env/test target revision, env/test, did not touch head", getSource("env/test"), "env/test", false, true},
 		{"refs/heads/env/test target revision, env/test, did not touch head", getSource("refs/heads/env/test"), "env/test", false, true},
+		{"refs/tags/env/test target revision, env/test, did not touch head", getSource("refs/tags/env/test"), "env/test", false, true},
+		{"three/part/rev target revision, rev, did not touch head", getSource("three/part/rev"), "rev", false, false},
+		{"1.* target revision (matching), 1.1.0, did not touch head", getSource("1.*"), "1.1.0", false, true},
+		{"refs/tags/1.* target revision (matching), 1.1.0, did not touch head", getSource("refs/tags/1.*"), "1.1.0", false, true},
+		{"1.* target revision (not matching), 2.0.0, did not touch head", getSource("1.*"), "2.0.0", false, false},
+		{"1.* target revision, dev (not semver), did not touch head", getSource("1.*"), "dev", false, false},
 	}
 
 	for _, tc := range testCases {