Bump version to 2.4.7

chore: upgrade parse-url to avoid SNYK-JS-PARSEURL-2936249 (#9826 )
2026-03-02 22:48:48 +01:00 · 2022-07-18 21:07:45 +00:00 · 2022-07-18 21:07:38 +00:00 · 2022-07-18 14:13:15 -04:00 · 2022-07-18 11:02:26 -04:00 · 2022-07-16 12:21:39 -04:00
3124 changed files with 49540 additions and 402168 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -8,7 +8,6 @@ ignore:
 - "pkg/client/.*"
 - "vendor/.*"
 - "test/.*"
 - "**/mocks/*"
 coverage:
  status:
    # we've found this not to be useful
--- a/.dockerignore
+++ b/.dockerignore
@@ -11,19 +11,3 @@ cmd/**/debug
 debug.test
 coverage.out
 ui/node_modules/
 test-results/
 test/
 manifests/
 hack/
 docs/
 examples/
 .github/
 !test/container
 !test/e2e/testdata
 !test/fixture
 !test/remote
 !hack/installers
 !hack/gpg-wrapper.sh
 !hack/git-verify-wrapper.sh
 !hack/tool-versions.sh
 !hack/install.sh
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,13 +0,0 @@
 **/*.pb.go linguist-generated=true
 **/mocks/*.go linguist-generated=true
 assets/swagger.json linguist-generated=true
 docs/operator-manual/resource_actions_builtin.md linguist-generated=true
 docs/operator-manual/server-commands/argocd-*.md linguist-generated=true
 docs/user-guide/commands/argocd_*.md linguist-generated=true
 manifests/core-install.yaml linguist-generated=true
 manifests/crds/*-crd.yaml linguist-generated=true
 manifests/ha/install.yaml linguist-generated=true
 manifests/ha/namespace-install.yaml linguist-generated=true
 manifests/install.yaml linguist-generated=true
 manifests/namespace-install.yaml linguist-generated=true
 pkg/apis/api-rules/violation_exceptions.list linguist-generated=true
--- a/.github/ISSUE_TEMPLATE/new_dev_tool.md
+++ b/.github/ISSUE_TEMPLATE/new_dev_tool.md
@@ -1,43 +0,0 @@
 ---
 name: New Dev Tool Request
 about: This is a request for adding a new tool for setting up a dev environment.
 title: ''
 labels: ''
 assignees: ''
 ---
 Checklist:
 * [ ] I am willing to maintain this tool, or have another Argo CD maintainer who is. 
 * [ ] I have another Argo CD maintainer who is willing to help maintain this tool (there needs to be at least two maintainers willing to maintain this tool)
 * [ ] I have a lead sponsor who is a core Argo CD maintainer
 * [ ] There is a PR which adds said tool - this is so that the maintainers can assess the impact of having this in the tree
 * [ ] I have given a motivation why this should be added
 ### The proposer
 <-- The username(s) of the person(s) proposing the tool -->
 ### The proposed tool
 <!-- The tool itself, with a link to the tool’s website -->
 ### Motivation
 <!-- Why this tool would be useful to have in the tree. --> 
 ### Link to PR (Optional)
 <!-- A PR adding the tool to the tree -->
 ### Lead Sponsor(s)
 Final approval requires sponsorship from at least one core maintainer.
 - @<sponsor-1>
 ### Co-sponsors
 These will be the co-maintainers of the specified tool.
 - @<sponsor-1>
--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@@ -1,26 +0,0 @@
 ---
 name: Argo CD Release
 about: Used by our Release Champion to track progress of a minor release
 title: 'Argo CD Release vX.X'
 labels: 'release'
 assignees: ''
 ---
 Target RC1 date: ___. __, ____
 Target GA date: ___. __, ____
 - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can’t merge
 - [ ] At least two days before RC1 date, draft RC blog post and submit it for review (or delegate this task)
 - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
 - [ ] Create new release branch
    - [ ] Add the release branch to ReadTheDocs
    - [ ] Confirm that tweet and blog post are ready
    - [ ] Trigger the release
    - [ ] After the release is finished, publish tweet and blog post
    - [ ] Post in #argo-cd and #argo-announcements with lots of emojis announcing the release and requesting help testing
 - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate (or delegate this task to an Approver and coordinate timing)
 - [ ] At release date, evaluate if any bugs justify delaying the release. If not, cut the release (or delegate this task to an Approver and coordinate timing)
 - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
 - [ ] After the release, post in #argo-cd that the {current minor version minus 3} has reached EOL (example: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1667336234059729)
 - [ ] (For the next release champion) Review the [items scheduled for the next release](https://github.com/orgs/argoproj/projects/25). If any item does not have an assignee who can commit to finish the feature, move it to the next release.
 - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
--- a/.github/ISSUE_TEMPLATE/security_logs.md
+++ b/.github/ISSUE_TEMPLATE/security_logs.md
@@ -1,19 +0,0 @@
 ---
 name: Security log
 about: Propose adding security-related logs or tagging existing logs with security fields
 title: "seclog: [Event Description]"
 labels: security-log
 assignees: notfromstatefarm
 ---
 # Event to be logged
 Specify the event that needs to be logged or existing logs that need to be tagged.
 # Proposed level
 What security level should these events be logged under? Refer to https://argo-cd.readthedocs.io/en/latest/operator-manual/security/#security-field for more info.
 # Common Weakness Enumeration
 Is there an associated [CWE](https://cwe.mitre.org/) that could be tagged as well?
--- a/.github/cherry-pick-bot.yml
+++ b/.github/cherry-pick-bot.yml
@@ -1,3 +0,0 @@
 enabled: true
 preservePullRequestTitle: true
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,58 +0,0 @@
 version: 2
 updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 20
    ignore:
    - dependency-name: k8s.io/*
    groups:
      otel:
        patterns:
          - "^go.opentelemetry.io/.*"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "npm"
    directory: "/ui/"
    schedule:
      interval: "daily"
  - package-ecosystem: "npm"
    directory: "/ui-test/"
    schedule:
      interval: "daily"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      # We use consistent go and node versions across a lot of different files, and updating via dependabot would cause
      # drift among those files, instead we let renovate bot handle them.
      - dependency-name: "library/golang"
      - dependency-name: "library/node"
  - package-ecosystem: "docker"
    directory: "/test/container/"
    schedule:
      interval: "daily"
  - package-ecosystem: "docker"
    directory: "/test/e2e/multiarch-container/"
    schedule:
      interval: "daily"
  - package-ecosystem: "docker"
    directory: "/test/remote/"
    schedule:
      interval: "daily"
  - package-ecosystem: "docker"
    directory: "/ui-test/"
    schedule:
      interval: "daily"
--- a/.github/pr-title-checker-config.json
+++ b/.github/pr-title-checker-config.json
@@ -1,15 +0,0 @@
 {
    "LABEL": {
      "name": "title needs formatting",
      "color": "EEEEEE"
    },
    "CHECKS": {
      "prefixes": ["[Bot] docs: "],
      "regexp": "^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
    },
    "MESSAGES": {
      "success": "PR title is valid",
      "failure": "PR title is invalid",
      "notice": "PR Title needs to pass regex '^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
    }
  }
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,24 +1,17 @@
 <!--
 Note on DCO:
 If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the *Details* link next to the DCO action for instructions on how to resolve this.
 -->
 Checklist:
 * [ ] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
 * [ ] The title of the PR states what changed and the related issues number (used for the release note).
 * [ ] The title of the PR conforms to the [Toolchain Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/toolchain-guide/#title-of-the-pr)
 * [ ] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
 * [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
 * [ ] Does this PR require documentation updates?
 * [ ] I've updated documentation as required by this PR.
 * [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/blob/master/community/CONTRIBUTING.md#legal)
 * [ ] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
 * [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/latest/developer-guide/ci/)).
 * [ ] My new feature complies with the [feature status](https://github.com/argoproj/argoproj/blob/master/community/feature-status.md) guidelines.
 * [ ] I have added a brief description of why this PR is necessary and/or what this PR solves.
 * [ ] Optional. My organization is added to USERS.md.
-* [ ] Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).
+* [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/tree/master/community#contributing-to-argo)
 * [ ] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
 * [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/latest/developer-guide/ci/)). 
 <!-- Please see [Contribution FAQs](https://argo-cd.readthedocs.io/en/latest/developer-guide/faq/) if you have questions about your pull-request. -->
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -1,39 +0,0 @@
 # Workflows
 | Workflow           | Description                                                    |
 |--------------------|----------------------------------------------------------------|
 | ci-build.yaml      | Build, lint, test, codegen, build-ui, analyze, e2e-test        |
 | codeql.yaml        | CodeQL analysis                                                |
 | image-reuse.yaml   | Build, push, and Sign container images                         |
 | image.yaml         | Build container image for PR's & publish for push events       |
 | init-release.yaml  | Build manifests and version then create a PR for release branch|
 | pr-title-check.yaml| Lint PR for semantic information                               |
 | release.yaml       | Build images, cli-binaries, provenances, and post actions      |
 | scorecard.yaml     | Generate scorecard for supply-chain security                   |
 | update-snyk.yaml   | Scheduled snyk reports                                         |
 # Reusable workflows
 ## image-reuse.yaml
 - The resuable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
 - A GO version `must` be specified e.g. 1.21
 - The image name for each registry *must* contain the tag. Note: multiple tags are allowed for each registry using a CSV type.
 - Multiple platforms can be specified e.g. linux/amd64,linux/arm64
 - Images are not published by default. A boolean value must be set to `true` to push images.
 - An optional target can be specified.
 | Inputs            | Description                         | Type        | Required | Defaults        |
 |-------------------|-------------------------------------|-------------|----------|-----------------|
 | go-version        | Version of Go to be used            | string      | true     | none            |
 | quay_image_name   | Full image name and tag             | CSV, string | false    | none            |
 | ghcr_image_name   | Full image name and tag             | CSV, string | false    | none            |
 | docker_image_name | Full image name and tag             | CSV, string | false    | none            |
 | platforms         | Platforms to build (linux/amd64)    | CSV, string | false    | linux/amd64     |
 | push              | Whether to push image/s to registry | boolean     | false    | false           |
 | target            | Target build stage                  | string      | false    | none            |
 | Outputs     | Description                              | Type  |
 |-------------|------------------------------------------|-------|
 |image-digest | Image digest of image container created  | string|
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -1,5 +1,5 @@
 name: Integration tests
-on:
+on: 
  push:
    branches:
      - 'master'
@@ -9,80 +9,46 @@ on:
  pull_request:
    branches:
      - 'master'
      - 'release-*'
 env:
  # Golang version to use across CI steps
-  # renovate: datasource=golang-version packageName=golang
+  GOLANG_VERSION: '1.18'
  GOLANG_VERSION: '1.23.3'
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  changes:
    runs-on: ubuntu-latest
    outputs:
      backend: ${{ steps.filter.outputs.backend_any_changed }}
      frontend: ${{ steps.filter.outputs.frontend_any_changed }}
      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v45.0.5
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
          files_yaml: |
            backend:
              - '!ui/**'
              - '!**.md'            
              - '!**/*.md'
              - '!docs/**'
            frontend:
              - 'ui/**'
              - Dockerfile
            docs:
              - 'docs/**'
  check-go:
    name: Ensure Go modules synchronicity
-    if: ${{ needs.changes.outputs.backend == 'true' }}
+    runs-on: ubuntu-latest
    runs-on: ubuntu-22.04
    needs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
      - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@v1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
        run: |
          go mod download
-      - name: Check for tidiness of go.mod and go.sum
+      - name: Check for tidyness of go.mod and go.sum
        run: |
          go mod tidy
          git diff --exit-code -- .
  build-go:
    name: Build & cache Go code
-    if: ${{ needs.changes.outputs.backend == 'true' }}
+    runs-on: ubuntu-latest
    runs-on: ubuntu-22.04
    needs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
      - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@v1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@v1
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -93,47 +59,38 @@ jobs:
        run: make build-local
  lint-go:
    permissions:
      contents: read  # for actions/checkout to fetch code
      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
    name: Lint Go code
-    if: ${{ needs.changes.outputs.backend == 'true' }}
+    runs-on: ubuntu-latest
    runs-on: ubuntu-22.04
    needs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
      - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@v1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@v3
        with:
-          # renovate: datasource=go packageName=github.com/golangci/golangci-lint versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
+          version: v1.45.2
-          version: v1.62.2
+          args: --timeout 10m --exclude SA5011 --verbose
          args: --verbose
  test-go:
    name: Run unit tests for Go packages
-    if: ${{ needs.changes.outputs.backend == 'true' }}
+    runs-on: ubuntu-latest
    runs-on: ubuntu-22.04
    needs:
      - build-go
      - changes
    env:
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}      
    steps:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@v1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -153,17 +110,13 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@v1
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
        # We install kustomize in the dist directory
      - name: Add dist to PATH
        run: |
          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Setup git username and email
        run: |
          git config --global user.name "John Doe"
@@ -173,31 +126,34 @@ jobs:
          go mod download
      - name: Run all unit tests
        run: make test-local
      - name: Generate code coverage artifacts
        uses: actions/upload-artifact@v2
        with:
          name: code-coverage
          path: coverage.out
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@v2
        with:
          name: test-results
-          path: test-results
+          path: test-results/
  test-go-race:
-    name: Run unit tests with -race for Go packages
+    name: Run unit tests with -race, for Go packages
-    if: ${{ needs.changes.outputs.backend == 'true' }}
+    runs-on: ubuntu-latest
    runs-on: ubuntu-22.04
    needs:
      - build-go
      - changes
    env:
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
    steps:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@v1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -217,17 +173,13 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@v1
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
        # We install kustomize in the dist directory
      - name: Add dist to PATH
        run: |
          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Setup git username and email
        run: |
          git config --global user.name "John Doe"
@@ -238,22 +190,19 @@ jobs:
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@v2
        with:
          name: race-results
          path: test-results/
  codegen:
    name: Check changes to generated code
-    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.docs == 'true'}}
+    runs-on: ubuntu-latest
    runs-on: ubuntu-22.04
    needs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
      - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@v1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
@@ -277,10 +226,6 @@ jobs:
          make install-codegen-tools-local
          make install-go-tools-local
        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
        # We install kustomize in the dist directory
      - name: Add dist to PATH
        run: |
          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Run codegen
        run: |
          set -x
@@ -296,22 +241,17 @@ jobs:
  build-ui:
    name: Build, test & lint UI code
-    # We run UI logic for backend changes so that we have a complete set of coverage documents to send to codecov.
+    runs-on: ubuntu-latest
    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
    runs-on: ubuntu-22.04
    needs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
      - name: Setup NodeJS
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        uses: actions/setup-node@v1
        with:
-          # renovate: datasource=node-version packageName=node versioning=node
+          node-version: '12.18.4'
          node-version: '22.9.0'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@v1
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -326,8 +266,6 @@ jobs:
          NODE_ENV: production
          NODE_ONLINE_ENV: online
          HOST_ARCH: amd64
          # If we're on the master branch, set the codecov token so that we upload bundle analysis
          CODECOV_TOKEN: ${{ github.ref == 'refs/heads/master' && secrets.CODECOV_TOKEN || '' }}
        working-directory: ui/
      - name: Run ESLint
        run: yarn lint
@@ -335,86 +273,78 @@ jobs:
  analyze:
    name: Process & analyze test artifacts
-    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
+    runs-on: ubuntu-latest
    runs-on: ubuntu-22.04
    needs:
      - test-go
      - build-ui
      - changes
      - test-e2e
    env:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@v1
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
      - name: Remove other node_modules directory
        run: |
          rm -rf ui/node_modules/argo-ui/node_modules
-      - name: Get e2e code coverage
+      - name: Create test-results directory
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        run: |
          mkdir -p test-results
      - name: Get code coverage artifiact
        uses: actions/download-artifact@v2
        with:
-          name: e2e-code-coverage
+          name: code-coverage
-          path: e2e-code-coverage
+      - name: Get test result artifact
-      - name: Get unit test code coverage
+        uses: actions/download-artifact@v2
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: test-results
          path: test-results
      - name: combine-go-coverage
        # We generate coverage reports for all Argo CD components, but only the applicationset-controller,
        # app-controller, repo-server, and commit-server report contain coverage data. The other components currently
        # don't shut down gracefully, so no coverage data is produced. Once those components are fixed, we can add
        # references to their coverage output directories.
        run: |
          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller,e2e-code-coverage/commit-server -o test-results/full-coverage.out
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@v1
        with:
-          file: test-results/full-coverage.out
+          file: coverage.out
          fail_ci_if_error: true
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      - name: Upload test results to Codecov
        if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'argoproj/argo-cd'
        uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1
        with:
          file: test-results/junit.xml
          fail_ci_if_error: true
          token: ${{ secrets.CODECOV_TOKEN }}
      - name: Perform static code analysis using SonarCloud
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        uses: SonarSource/sonarqube-scan-action@1b442ee39ac3fa7c2acdd410208dcb2bcfaae6c4 # v4.1.0
+          SCANNER_VERSION: 4.2.0.1873
          SCANNER_PATH: /tmp/cache/scanner
          OS: linux
        run: |
            # We do not use the provided action, because it does contain an old
            # version of the scanner, and also takes time to build.
            set -e
            mkdir -p ${SCANNER_PATH}
            export SONAR_USER_HOME=${SCANNER_PATH}/.sonar
            if [[ ! -x "${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner" ]]; then
              curl -Ol https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip
              unzip -qq -o sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip -d ${SCANNER_PATH}
            fi
            chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
            chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/jre/bin/java
            # Explicitly set NODE_MODULES
            export NODE_MODULES=${PWD}/ui/node_modules
            export NODE_PATH=${PWD}/ui/node_modules
            ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
        if: env.sonar_secret != ''
  test-e2e:
    name: Run end-to-end tests
-    if: ${{ needs.changes.outputs.backend == 'true' }}
+    runs-on: ubuntu-latest
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
-        k3s:
+        k3s-version: [v1.23.3, v1.22.6, v1.21.2]
-          - version: v1.31.0
+    needs: 
            # We designate the latest version because we only collect code coverage for that version.
            latest: true
          - version: v1.30.4
            latest: false
          - version: v1.29.8
            latest: false
          - version: v1.28.13
            latest: false
    needs:
      - build-go
      - changes
    env:
      GOPATH: /home/runner/go
      ARGOCD_FAKE_IN_CLUSTER: "true"
@@ -424,15 +354,14 @@ jobs:
      ARGOCD_E2E_K3S: "true"
      ARGOCD_IN_CI: "true"
      ARGOCD_E2E_APISERVER_PORT: "8088"
      ARGOCD_APPLICATION_NAMESPACES: "argocd-e2e-external,argocd-e2e-external-2"
      ARGOCD_SERVER: "127.0.0.1:8088"
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
      - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@v1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: GH actions workaround - Kill XSP4 process
@@ -440,7 +369,7 @@ jobs:
          sudo pkill mono || true
      - name: Install K3S
        env:
-          INSTALL_K3S_VERSION: ${{ matrix.k3s.version }}+k3s1
+          INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
        run: |
          set -x
          curl -sfL https://get.k3s.io | sh -
@@ -448,10 +377,9 @@ jobs:
          sudo mkdir -p $HOME/.kube && sudo chown -R runner $HOME/.kube
          sudo k3s kubectl config view --raw > $HOME/.kube/config
          sudo chown runner $HOME/.kube/config
          sudo chmod go-r $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        uses: actions/cache@v1
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -477,9 +405,9 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.41.1
+          docker pull quay.io/dexidp/dex:v2.25.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.15-alpine
+          docker pull redis:7.0.0-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
@@ -492,7 +420,7 @@ jobs:
          # port 8080 which is not visible in netstat -tulpen, but still there
          # with a HTTP listener. We have API server listening on port 8088
          # instead.
-          make start-e2e-local COVERAGE_ENABLED=true 2>&1 | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g" > /tmp/e2e-server.log &
+          make start-e2e-local 2>&1 | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g" > /tmp/e2e-server.log &
          count=1
          until curl -f http://127.0.0.1:8088/healthz; do
            sleep 10;
@@ -506,40 +434,9 @@ jobs:
        run: |
          set -x
          make test-e2e-local
          goreman run stop-all || echo "goreman trouble"
          sleep 30
      - name: Upload e2e coverage report
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: e2e-code-coverage
          path: /tmp/coverage
        if: ${{ matrix.k3s.latest }}
      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@v2
        with:
-          name: e2e-server-k8s${{ matrix.k3s.version }}.log
+          name: e2e-server-k8s${{ matrix.k3s-version }}.log
          path: /tmp/e2e-server.log
        if: ${{ failure() }}
  # workaround for status checks -- check this one job instead of each individual E2E job in the matrix
  # this allows us to skip the entire matrix when it doesn't need to run while still having accurate status checks
  # see:
  # https://github.com/argoproj/argo-workflows/pull/12006
  # https://github.com/orgs/community/discussions/9141#discussioncomment-2296809
  # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
  test-e2e-composite-result:
    name: E2E Tests - Composite result
    if: ${{ always() }}
    needs:
      - test-e2e
      - changes
    runs-on: ubuntu-22.04
    steps:
      - run: |
          result="${{ needs.test-e2e.result }}"
          # mark as successful even if skipped
          if [[ $result == "success" || $result == "skipped" ]]; then
            exit 0
          else
            exit 1
          fi
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,7 +5,6 @@ on:
    # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
    branches-ignore:
      - 'dependabot/**'
      - 'cherry-pick-*'
  pull_request:
  schedule:
    - cron: '0 19 * * 0'
@@ -14,32 +13,20 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  CodeQL-Build:
-    permissions:
+    if: github.repository == 'argoproj/argo-cd'
      actions: read  # for github/codeql-action/init to get workflow details
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/autobuild to send a status report
    if: github.repository == 'argoproj/argo-cd' || vars.enable_codeql
    # CodeQL runs on ubuntu-latest and windows-latest
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
-      uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      uses: actions/checkout@v2
    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
    - name: Setup Golang
      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
      with:
        go-version-file: go.mod
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/init@v1
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
@@ -47,7 +34,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/autobuild@v1
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -61,4 +48,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -1,171 +0,0 @@
 name: Publish and Sign Container Image
 on:
  workflow_call:
    inputs:
      go-version:
        required: true
        type: string
      quay_image_name:
        required: false
        type: string
      ghcr_image_name:
        required: false
        type: string
      docker_image_name:
        required: false
        type: string
      platforms:
        required: true
        type: string
        default: linux/amd64
      push:
        required: true
        type: boolean
        default: false
      target:
        required: false
        type: string
    secrets:
      quay_username:
        required: false
      quay_password:
        required: false
      ghcr_username:
        required: false
      ghcr_password:
        required: false
      docker_username:
        required: false
      docker_password:
        required: false
    outputs:
      image-digest:
        description: "sha256 digest of container image"
        value: ${{ jobs.publish.outputs.image-digest }}
 permissions: {}
 jobs:
  publish:
    permissions:
      contents: read
      packages: write # Used to push images to `ghcr.io` if used.
      id-token: write # Needed to create an OIDC token for keyless signing
    runs-on: ubuntu-22.04
    outputs:
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.ref_type == 'tag'}}
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        if: ${{ github.ref_type != 'tag'}}
      - name: Setup Golang
        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version: ${{ inputs.go-version }}
      - name: Install cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
      - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
      - name: Setup tags for container image as a CSV type
        run: |
          IMAGE_TAGS=$(for str in \
            ${{ inputs.quay_image_name }} \
            ${{ inputs.ghcr_image_name }} \
            ${{ inputs.docker_image_name}}; do
            echo -n "${str}",;done | sed 's/,$//')
          echo $IMAGE_TAGS
          echo "TAGS=$IMAGE_TAGS" >> $GITHUB_ENV
      - name: Setup image namespace for signing, strip off the tag
        run: |
          TAGS=$(for tag in \
            ${{ inputs.quay_image_name }} \
            ${{ inputs.ghcr_image_name }} \
            ${{ inputs.docker_image_name}}; do
            echo -n "${tag}" | awk -F ":" '{print $1}' -;done)
            echo $TAGS
            echo 'SIGNING_TAGS<<EOF' >> $GITHUB_ENV
            echo $TAGS >> $GITHUB_ENV
            echo 'EOF' >> $GITHUB_ENV
      - name: Login to Quay.io
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
          password: ${{ secrets.quay_password }}
        if: ${{ inputs.quay_image_name && inputs.push }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
          password: ${{ secrets.ghcr_password }}
        if: ${{ inputs.ghcr_image_name && inputs.push }}
      - name: Login to dockerhub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
        if: ${{ inputs.docker_image_name && inputs.push }}
      - name: Set up build args for container image
        run: |
            echo "GIT_TAG=$(if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)" >> $GITHUB_ENV
            echo "GIT_COMMIT=$(git rev-parse HEAD)" >> $GITHUB_ENV
            echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
            echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
          large-packages: false
          docker-images: false
          swap-storage: false
          tool-cache: false
      - name: Build and push container image
        id: image
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
        with:
          context: .
          platforms: ${{ inputs.platforms }}
          push: ${{ inputs.push }}
          tags: ${{ env.TAGS }}
          target: ${{ inputs.target }}
          provenance: false
          sbom: false
          build-args: |
            GIT_TAG=${{env.GIT_TAG}}
            GIT_COMMIT=${{env.GIT_COMMIT}}
            BUILD_DATE=${{env.BUILD_DATE}}
            GIT_TREE_STATE=${{env.GIT_TREE_STATE}}
      - name: Sign container images
        run: |
          for signing_tag in $SIGNING_TAGS; do
            cosign sign \
            -a "repo=${{ github.repository }}" \
            -a "workflow=${{ github.workflow }}" \
            -a "sha=${{ github.sha }}" \
            -y \
            "$signing_tag"@${{ steps.image.outputs.digest }}
          done
        if: ${{ inputs.push }}
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -9,111 +9,117 @@ on:
      - master
    types: [ labeled, unlabeled, opened, synchronize, reopened ]
 env:
  GOLANG_VERSION: '1.18'
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 permissions: {}
 jobs:
-  set-vars:
+  publish:
    permissions:
      contents: read
    if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
-    outputs:
+    env:
-      image-tag: ${{ steps.image.outputs.tag}}
+      GOPATH: /home/runner/work/argo-cd/argo-cd
      platforms: ${{ steps.platforms.outputs.platforms }}
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: actions/setup-go@v1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - uses: actions/checkout@master
        with:
          path: src/github.com/argoproj/argo-cd
-      - name: Set image tag for ghcr
+      # get image tag
-        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
+      - run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
        working-directory: ./src/github.com/argoproj/argo-cd
        id: image
-      - name: Determine image platforms to use
+      # login
-        id: platforms
+      - run: |
          docker login ghcr.io --username $USERNAME --password $PASSWORD
          docker login quay.io --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
        if: github.event_name == 'push'
        env:
          USERNAME: ${{ secrets.USERNAME }}
          PASSWORD: ${{ secrets.TOKEN }}
          DOCKER_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
          DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
      # build
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
      - name: Setup cache for argocd-ui docker layer
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-single-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-single-buildx
      - name: Build cache for argocd-ui stage
        uses: docker/build-push-action@v2
        with:
          context: ./src/github.com/argoproj/argo-cd
          target: argocd-ui
          push: false
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
        if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test-arm-image')
      - name: Run non-container Snyk scans
        if: github.event_name == 'push'
        working-directory: ./src/github.com/argoproj/argo-cd
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          npm install -g snyk
          # Run with high threshold to fail build.
          snyk test --org=argoproj --all-projects --exclude=docs,site --severity-threshold=high --policy-path=.snyk
          snyk iac test manifests/install.yaml --org=argoproj --severity-threshold=high --policy-path=.snyk
      - run: |
          IMAGE_PLATFORMS=linux/amd64
-          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]]
+          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
          then
            IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
          fi
          echo "Building image for platforms: $IMAGE_PLATFORMS"
-          echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT
+          docker buildx build --platform $IMAGE_PLATFORMS --push="${{ github.event_name == 'push' }}" \
            --cache-from "type=local,src=/tmp/.buildx-cache" \
            -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} \
            -t quay.io/argoproj/argocd:latest .
        working-directory: ./src/github.com/argoproj/argo-cd
-  build-only:
+      - name: Run container Snyk scan
-    needs: [set-vars]
+        if: github.event_name == 'push'
-    permissions:
+        working-directory: ./src/github.com/argoproj/argo-cd
-      contents: read
+        env:
-      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      id-token: write # for creating OIDC tokens for signing.
+        run: |
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
+          snyk container test quay.io/argoproj/argocd:latest --org=argoproj --file=Dockerfile --severity-threshold=high
    uses: ./.github/workflows/image-reuse.yaml
    with:
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
      go-version: 1.23.3
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: false
-  build-and-publish:
+        # Temp fix
-    needs: [set-vars]
+        # https://github.com/docker/build-push-action/issues/252
-    permissions:
+        # https://github.com/moby/buildkit/issues/1896
-      contents: read
+      - name: Clean up build cache
-      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+        run: |
-      id-token: write # for creating OIDC tokens for signing.
+          rm -rf /tmp/.buildx-cache
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-    uses: ./.github/workflows/image-reuse.yaml
+        if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test-arm-image')
    with:
      quay_image_name: quay.io/argoproj/argocd:latest
      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
      go-version: 1.23.3
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: true
    secrets:
      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
      ghcr_username: ${{ github.actor }}
      ghcr_password: ${{ secrets.GITHUB_TOKEN }}
-  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
+      # deploy
    needs:
      - build-and-publish
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/argoproj/argo-cd/argocd
      digest: ${{ needs.build-and-publish.outputs.image-digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}
  Deploy:
    needs:
      - build-and-publish
      - set-vars
    permissions:
      contents: write  # for git to push upgrade commit if not already deployed
      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
        if: github.event_name == 'push'
        env:
          TOKEN: ${{ secrets.TOKEN }}
      - run: |
-          docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+          docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }}
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'
-          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push)
+          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ steps.image.outputs.tag }}' && git push)
        if: github.event_name == 'push'
        working-directory: argoproj-deployments/argocd
-
+      # TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-GitHub-Package-Registry/m-p/41202/thread-id/9811
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -1,77 +0,0 @@
 name: Init ArgoCD Release
 on:
  workflow_dispatch:
    inputs:
      TARGET_BRANCH:
        description: 'TARGET_BRANCH to checkout (e.g. release-2.5)'
        required: true
        type: string
      TARGET_VERSION:
        description: 'TARGET_VERSION to build manifests (e.g. 2.5.0-rc1) Note: the `v` prefix is not used'
        required: true
        type: string
 permissions: {}
 jobs:
  prepare-release:
    permissions:
      contents: write  # for peter-evans/create-pull-request to create branch
      pull-requests: write  # for peter-evans/create-pull-request to create a PR
    name: Automatically generate version and manifests on ${{ inputs.TARGET_BRANCH }}
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
          ref: ${{ inputs.TARGET_BRANCH }}
      - name: Check if TARGET_VERSION is well formed.
        run: |
          set -xue
          # Target version must not contain 'v' prefix
          if echo "${{ inputs.TARGET_VERSION }}" | grep -e '^v'; then
            echo "::error::Target version '${{ inputs.TARGET_VERSION }}' should not begin with a 'v' prefix, refusing to continue." >&2
            exit 1
          fi
      - name: Create VERSION information
        run: |
          set -ue
          echo "Bumping version from $(cat VERSION) to ${{ inputs.TARGET_VERSION }}"
          echo "${{ inputs.TARGET_VERSION }}" > VERSION
        # We install kustomize in the dist directory
      - name: Add dist to PATH
        run: |
          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Generate new set of manifests
        run: |
          set -ue
          make install-codegen-tools-local
          make manifests-local VERSION=${{ inputs.TARGET_VERSION }}
          git diff
      - name: Generate version compatibility table
        run: |
          git stash
          bash hack/update-supported-versions.sh
          git add -u .
          git stash pop
      - name: Create pull request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f  # v7.0.5
        with:
          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
          body: Updating VERSION and manifests to ${{ inputs.TARGET_VERSION }}
          branch: update-version
          branch-suffix: random
          signoff: true
          labels: release
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -1,29 +0,0 @@
 name: "Lint PR"
 on:
  pull_request_target:
    types: [opened, edited, reopened, synchronize]
 # IMPORTANT: No checkout actions, scripts, or builds should be added to this workflow. Permissions should always be used
 # with extreme caution. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
 permissions: {}
 # PR updates can happen in quick succession leading to this
 # workflow being trigger a number of times. This limits it
 # to one run per PR.
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
  validate:
    permissions:
      contents: read
      pull-requests: read
    name: Validate PR Title
    runs-on: ubuntu-latest
    steps:
      - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          configuration_path: ".github/pr-title-checker-config.json"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,160 +1,239 @@
-name: Publish ArgoCD Release
+name: Create ArgoCD release
 on:
  push:
    tags:
-      - 'v*'
+      - "release-v*"
-      - '!v2.4*'
+      - "!release-v1.5*"
-      - '!v2.5*'
+      - "!release-v1.4*"
-      - '!v2.6*'
+      - "!release-v1.3*"
-
+      - "!release-v1.2*"
-permissions: {}
+      - "!release-v1.1*"
      - "!release-v1.0*"
      - "!release-v0*"
 env:
-  # renovate: datasource=golang-version packageName=golang
+    GOLANG_VERSION: '1.18'
  GOLANG_VERSION: '1.23.3' # Note: go-version must also be set in job argocd-image.with.go-version
 jobs:
-  argocd-image:
+  prepare-release:
-    permissions:
+    name: Perform automatic release on trigger ${{ github.ref }}
      contents: read
      id-token: write # for creating OIDC tokens for signing.
      packages: write # used to push images to `ghcr.io` if used.
    if: github.repository == 'argoproj/argo-cd'
-    uses: ./.github/workflows/image-reuse.yaml
+    runs-on: ubuntu-latest
-    with:
+    env:
-      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
+      # The name of the tag as supplied by the GitHub event
-      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      SOURCE_TAG: ${{ github.ref }}
-      # renovate: datasource=golang-version packageName=golang
+      # The image namespace where Docker image will be published to
-      go-version: 1.23.3
+      IMAGE_NAMESPACE: quay.io/argoproj
-      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+      # Whether to create & push image and release assets
-      push: true
+      DRY_RUN: false
-    secrets:
+      # Whether a draft release should be created, instead of public one
-      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+      DRAFT_RELEASE: false
-      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+      # Whether to update homebrew with this release as well
-
+      # Set RELEASE_HOMEBREW_TOKEN secret in repository for this to work - needs
-  argocd-image-provenance:
+      # access to public repositories
-      needs: [argocd-image]
+      UPDATE_HOMEBREW: false
-      permissions:
+      # Name of the GitHub user for Git config
-        actions: read # for detecting the Github Actions environment.
+      GIT_USERNAME: argo-bot
-        id-token: write # for creating OIDC tokens for signing.
+      # E-Mail of the GitHub user for Git config
-        packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+      GIT_EMAIL: argoproj@gmail.com
      # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
      if: github.repository == 'argoproj/argo-cd'
      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
      with:
        image: quay.io/argoproj/argocd
        digest: ${{ needs.argocd-image.outputs.image-digest }}
      secrets:
        registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
        registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}
  goreleaser:
    needs:
      - argocd-image
      - argocd-image-provenance
    permissions:
      contents: write # used for uploading assets
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@v2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Fetch all tags
+      - name: Check if the published tag is well formed and setup vars
        run: git fetch --force --tags
      - name: Setup Golang
        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in release branches.
        run: |
          set -xue
-          echo "GORELEASER_PREVIOUS_TAG=$(go run hack/get-previous-release/get-previous-version-for-release-notes.go ${{ github.ref_name }})" >> $GITHUB_ENV
+          # Target version must match major.minor.patch and optional -rcX suffix
-
+          # where X must be a number.
-      - name: Set environment variables for ldflags
+          TARGET_VERSION=${SOURCE_TAG#*release-v}
-        id: set_ldflag
+          if ! echo "${TARGET_VERSION}" | egrep '^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)*$'; then
-        run: |
+            echo "::error::Target version '${TARGET_VERSION}' is malformed, refusing to continue." >&2
-          echo "KUBECTL_VERSION=$(go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)" >> $GITHUB_ENV
+            exit 1
          echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
          large-packages: false
          docker-images: false
          swap-storage: false
          tool-cache: false
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        id: run-goreleaser
        with:
          version: latest
          args: release --clean --timeout 55m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }}
          GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}
      - name: Generate subject for provenance
        id: hash
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
          if test "$hashes" = ""; then # goreleaser < v1.13.0
            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
            hashes=$(cat $checksum_file | base64 -w0)
          fi
          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-  goreleaser-provenance:
+          # Target branch is the release branch we're going to operate on
-    needs: [goreleaser]
+          # Its name is 'release-<major>.<minor>'
-    permissions:
+          TARGET_BRANCH="release-${TARGET_VERSION%\.[0-9]*}"
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
    if: github.repository == 'argoproj/argo-cd'
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      provenance-name: "argocd-cli.intoto.jsonl"
      upload-assets: true
-  generate-sbom:
+          # The release tag is the source tag, minus the release- prefix
-    name: Create SBOM and generate hash
+          RELEASE_TAG="${SOURCE_TAG#*release-}"
-    needs:
+
-      - argocd-image
+          # Whether this is a pre-release (indicated by -rc suffix)
-      - goreleaser
+          PRE_RELEASE=false
-    permissions:
+          if echo "${RELEASE_TAG}" | egrep -- '-rc[0-9]+$'; then
-      contents: write # Needed for release uploads
+            PRE_RELEASE=true
-    outputs:
+          fi
-      hashes: ${{ steps.sbom-hash.outputs.hashes}}
+
-    if: github.repository == 'argoproj/argo-cd'
+          # We must not have a release trigger within the same release branch,
-    runs-on: ubuntu-22.04
+          # because that means a release for this branch is already running.
-    steps:
+          if git tag -l | grep "release-v${TARGET_VERSION%\.[0-9]*}" | grep -v "release-v${TARGET_VERSION}"; then
-      - name: Checkout code
+            echo "::error::Another release for branch ${TARGET_BRANCH} is currently in progress."
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+            exit 1
-        with:
+          fi
-          fetch-depth: 0
+
-          token: ${{ secrets.GITHUB_TOKEN }}
+          # Ensure that release do not yet exist
          if git rev-parse ${RELEASE_TAG}; then
            echo "::error::Release tag ${RELEASE_TAG} already exists in repository. Refusing to continue."
            exit 1
          fi
          # Make the variables available in follow-up steps
          echo "TARGET_VERSION=${TARGET_VERSION}" >> $GITHUB_ENV
          echo "TARGET_BRANCH=${TARGET_BRANCH}" >> $GITHUB_ENV
          echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV
          echo "PRE_RELEASE=${PRE_RELEASE}" >> $GITHUB_ENV
      - name: Check if our release tag has a correct annotation
        run: |
          set -ue
          # Fetch all tag information as well
          git fetch --prune --tags --force
          echo "=========== BEGIN COMMIT MESSAGE ============="
          git show ${SOURCE_TAG}
          echo "============ END COMMIT MESSAGE =============="
          # Quite dirty hack to get the release notes from the annotated tag
          # into a temporary file.
          RELEASE_NOTES=$(mktemp -p /tmp release-notes.XXXXXX)
          prefix=true
          begin=false
          git show ${SOURCE_TAG} | while read line; do
            # Whatever is in commit history for the tag, we only want that
            # annotation from our tag. We discard everything else.
            if test "$begin" = "false"; then
              if echo "$line" | grep -q "tag ${SOURCE_TAG#refs/tags/}"; then begin="true"; fi
              continue
            fi
            if test "$prefix" = "true"; then
                  if test -z "$line"; then prefix=false; fi
            else
                  if echo "$line" | egrep -q '^commit [0-9a-f]+'; then
                          break
                  fi
                  echo "$line" >> ${RELEASE_NOTES}
            fi
          done
          # For debug purposes
          echo "============BEGIN RELEASE NOTES================="
          cat ${RELEASE_NOTES}
          echo "=============END RELEASE NOTES=================="
          # Too short release notes are suspicious. We need at least 100 bytes.
          relNoteLen=$(stat -c '%s' $RELEASE_NOTES)
          if test $relNoteLen -lt 100; then
            echo "::error::No release notes provided in tag annotation (or tag is not annotated)"
            exit 1
          fi
          # Check for magic string '## Quick Start' in head of release notes
          if ! head -2 ${RELEASE_NOTES} | grep -iq '## Quick Start'; then
            echo "::error::Release notes seem invalid, quick start section not found."
            exit 1
          fi
          # We store path to temporary release notes file for later reading, we
          # need it when creating release.
          echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
      - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@v2
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Setup Git author information
        run: |
          set -ue
          git config --global user.email "${GIT_EMAIL}"
          git config --global user.name "${GIT_USERNAME}"
      - name: Checkout corresponding release branch
        run: |
          set -ue
          echo "Switching to release branch '${TARGET_BRANCH}'"
          if ! git checkout ${TARGET_BRANCH}; then
            echo "::error::Checking out release branch '${TARGET_BRANCH}' for target version '${TARGET_VERSION}' (tagged '${RELEASE_TAG}') failed. Does it exist in repo?"
            exit 1
          fi
      - name: Create VERSION information
        run: |
          set -ue
          echo "Bumping version from $(cat VERSION) to ${TARGET_VERSION}"
          echo "${TARGET_VERSION}" > VERSION
          git commit -m "Bump version to ${TARGET_VERSION}" VERSION
      - name: Generate new set of manifests
        run: |
          set -ue
          make install-codegen-tools-local
          make manifests-local VERSION=${TARGET_VERSION}
          git diff
          git commit manifests/ -m "Bump version to ${TARGET_VERSION}"
      - name: Create the release tag
        run: |
          set -ue
          echo "Creating release ${RELEASE_TAG}"
          git tag ${RELEASE_TAG}
      - name: Login to docker repositories
        env:
          DOCKER_USERNAME: ${{ secrets.RELEASE_DOCKERHUB_USERNAME }}
          DOCKER_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
          QUAY_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
          QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
        run: |
          set -ue
          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
          # Remove the following when Docker Hub is gone
          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
        if: ${{ env.DRY_RUN != 'true' }}
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
      - name: Build and push Docker image for release
        run: |
          set -ue
          git clean -fd
          mkdir -p dist/
          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
          make release-cli
          make checksums
          chmod +x ./dist/argocd-linux-amd64
          ./dist/argocd-linux-amd64 version --client
        if: ${{ env.DRY_RUN != 'true' }}
      - name: Read release notes file
        id: release-notes
        uses: juliangruber/read-file-action@v1
        with:
          path: ${{ env.RELEASE_NOTES }}
      - name: Push changes to release branch
        run: |
          set -ue
          git push origin ${TARGET_BRANCH}
          git push origin ${RELEASE_TAG}
      - name: Dry run GitHub release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        id: create_release
        with:
          tag_name: ${{ env.RELEASE_TAG }}
          release_name: ${{ env.RELEASE_TAG }}
          draft: ${{ env.DRAFT_RELEASE }}
          prerelease: ${{ env.PRE_RELEASE }}
          body: ${{ steps.release-notes.outputs.content }}
        if: ${{ env.DRY_RUN == 'true' }}
      - name: Generate SBOM (spdx)
        id: spdx-builder
        env:
@@ -164,9 +243,9 @@ jobs:
          SIGS_BOM_VERSION: v0.2.1
          # comma delimited list of project relative folders to inspect for package
          # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: ".,./ui"
+          PROJECT_FOLDERS: ".,./ui" 
          # full qualified name of the docker image to be inspected
-          DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
+          DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
        run: |
          yarn install --cwd ./ui
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
@@ -184,122 +263,34 @@ jobs:
          fi
          cd /tmp && tar -zcf sbom.tar.gz *.spdx
        if: ${{ env.DRY_RUN != 'true' }}
-      - name: Generate SBOM hash
+      - name: Create GitHub release
-        shell: bash
+        uses: softprops/action-gh-release@v1
        id: sbom-hash
        run: |
          # sha256sum generates sha256 hash for sbom.
          # base64 -w0 encodes to base64 and outputs on a single line.
          # sha256sum /tmp/sbom.tar.gz ... | base64 -w0
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
      - name: Upload SBOM
        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          name: ${{ env.RELEASE_TAG }}
          tag_name: ${{ env.RELEASE_TAG }}
          draft: ${{ env.DRAFT_RELEASE }}
          prerelease: ${{ env.PRE_RELEASE }}
          body: ${{ steps.release-notes.outputs.content }}
          files: |
            dist/argocd-*
            /tmp/sbom.tar.gz
        if: ${{ env.DRY_RUN != 'true' }}
-  sbom-provenance:
+      - name: Update homebrew formula
-    needs: [generate-sbom]
+        env:
-    permissions:
+          HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}
-      actions: read # for detecting the Github Actions environment
+        uses: dawidd6/action-homebrew-bump-formula@v3
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
    if: github.repository == 'argoproj/argo-cd'
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
      provenance-name: "argocd-sbom.intoto.jsonl"
      upload-assets: true
  post-release:
    needs:
      - argocd-image
      - goreleaser
      - generate-sbom
    permissions:
      contents: write # Needed to push commit to update stable tag
      pull-requests: write # Needed to create PR for VERSION update.
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
-          fetch-depth: 0
+          token: ${{env.HOMEBREW_TOKEN}}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          formula: argocd
        if: ${{ env.HOMEBREW_TOKEN != '' && env.UPDATE_HOMEBREW == 'true' && env.PRE_RELEASE != 'true' }}
-      - name: Setup Git author information
+      - name: Delete original request tag from repository
        run: |
          set -ue
-          git config --global user.email 'ci@argoproj.com'
+          git push --delete origin ${SOURCE_TAG}
-          git config --global user.name 'CI'
+        if: ${{ always() }}
      - name: Check if tag is the latest version and not a pre-release
        run: |
          set -xue
          # Fetch all tag information
          git fetch --prune --tags --force
          LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)
          PRE_RELEASE=false
          # Check if latest tag is a pre-release
          if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then
            PRE_RELEASE=true
          fi
          # Ensure latest tag matches github.ref_name & not a pre-release
          if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then
            echo "TAG_STABLE=true" >> $GITHUB_ENV
          else
            echo "TAG_STABLE=false" >> $GITHUB_ENV
          fi
      - name: Update stable tag to latest version
        run: |
          git tag -f stable ${{ github.ref_name }}
          git push -f origin stable
        if: ${{ env.TAG_STABLE == 'true' }}
      - name: Check to see if VERSION should be updated on master branch
        run: |
          set -xue
          SOURCE_TAG=${{ github.ref_name }}
          VERSION_REF="${SOURCE_TAG#*v}"
          COMMIT_HASH=$(git rev-parse HEAD)
          if echo "$VERSION_REF" | grep -E -- '^[0-9]+\.[0-9]+\.0-rc1';then
            VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${VERSION_REF%-rc1}")
            echo "Updating VERSION to: $VERSION"
            echo "UPDATE_VERSION=true" >> $GITHUB_ENV
            echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV
            echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
          else
            echo "Not updating VERSION"
            echo "UPDATE_VERSION=false" >> $GITHUB_ENV
          fi
      - name: Update VERSION on master branch
        run: |
          echo ${{ env.NEW_VERSION }} > VERSION
          # Replace the 'project-release: vX.X.X-rcX' line in SECURITY-INSIGHTS.yml
          sed -i "s/project-release: v.*$/project-release: v${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml
          # Update the 'commit-hash: XXXXXXX' line in SECURITY-INSIGHTS.yml
          sed -i "s/commit-hash: .*/commit-hash: ${{ env.COMMIT_HASH }}/" SECURITY-INSIGHTS.yml
        if: ${{ env.UPDATE_VERSION == 'true' }}
      - name: Create PR to update VERSION on master branch
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          commit-message: Bump version in master
          title: "chore: Bump version in master"
          body: All images built from master should indicate which version we are on track for.
          signoff: true
          branch: update-version
          branch-suffix: random
          base: master
        if: ${{ env.UPDATE_VERSION == 'true' }}
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -1,67 +0,0 @@
 name: Scorecards supply-chain security
 on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: "39 9 * * 2"
  push:
    branches: ["master"]
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 # Declare default permissions as read only.
 permissions: read-all
 jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-22.04
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Used to receive a badge. (Upcoming feature)
      id-token: write
      # Needs for private repositories.
      contents: read
      actions: read
    if: github.repository == 'argoproj/argo-cd'
    steps:
      - name: "Checkout code"
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
      - name: "Run analysis"
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecards on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results for public repositories to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`, regardless
          # of the value entered here.
          publish_results: true
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
        with:
          sarif_file: results.sarif
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -1,36 +0,0 @@
 name: Snyk report update
 on:
  workflow_dispatch: {}
  schedule:
    - cron: '0 0 * * 0' # midnight every Sunday
 permissions:
  contents: read
 jobs:
  snyk-report:
    permissions:
      contents: write
      pull-requests: write
    if: github.repository == 'argoproj/argo-cd'
    name: Update Snyk report in the docs directory
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          make snyk-report
          pr_branch="snyk-update-$(echo $RANDOM | md5sum | head -c 20)"
          git checkout -b "$pr_branch"
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'
          git add docs/snyk
          git commit -m "[Bot] docs: Update Snyk reports" --signoff
          git push --set-upstream origin "$pr_branch"
          gh pr create -B master -H "$pr_branch" --title '[Bot] docs: Update Snyk report' --body ''
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,6 @@
 .vscode/
 .idea/
 .DS_Store
 .run/
 vendor/
 dist/*
 ui/dist/app/*
@@ -18,9 +17,6 @@ test-results
 node_modules/
 .kube/
 ./test/cmp/*.sock
 .envrc.remote
 .*.swp
 rerunreport.txt
 # ignore built binaries
 cmd/argocd/argocd
--- a/.gitpod.Dockerfile
+++ b/.gitpod.Dockerfile
@@ -1,21 +1,17 @@
-FROM gitpod/workspace-full@sha256:230285e0b949e6d728d384b2029a4111db7b9c87c182f22f32a0be9e36b225df
+FROM gitpod/workspace-full
 USER root
 RUN curl -o /usr/local/bin/kubectl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
    chmod +x /usr/local/bin/kubectl
-RUN curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH).tar.gz | \
+RUN curl -L https://go.kubebuilder.io/dl/2.3.1/$(go env GOOS)/$(go env GOARCH) | \
    tar -xz -C /tmp/ && mv /tmp/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH) /usr/local/kubebuilder
 ENV GOCACHE=/go-build-cache
 RUN apt-get install redis-server -y
 RUN go install github.com/mattn/goreman@latest
 RUN chown -R gitpod:gitpod /go-build-cache
 USER gitpod
 ENV ARGOCD_REDIS_LOCAL=true
-ENV KUBECONFIG=/tmp/kubeconfig
+ENV KUBECONFIG=/tmp/kubeconfig
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,59 +0,0 @@
 issues:
  exclude:
    - SA5011
  max-issues-per-linter: 0
  max-same-issues: 0
  exclude-rules:
    - path: '(.+)_test\.go'
      linters:
        - unparam
 linters:
  enable:
    - errcheck
    - errorlint
    - gocritic
    - gofumpt
    - goimports
    - gosimple
    - govet
    - ineffassign
    - misspell
    - perfsprint
    - staticcheck
    - testifylint
    - thelper
    - unparam
    - unused
    - usestdlibvars
    - whitespace 
 linters-settings:
  gocritic:
    disabled-checks:
      - appendAssign
      - assignOp  # Keep it disabled for readability
      - badCond
      - commentFormatting
      - exitAfterDefer
      - ifElseChain
      - mapKey
      - singleCaseSwitch
      - typeSwitchVar
  goimports:
    local-prefixes: github.com/argoproj/argo-cd/v2
  perfsprint:
    # Optimizes even if it requires an int or uint type cast.
    int-conversion: true
    # Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
    err-error: false
    # Optimizes `fmt.Errorf`.
    errorf: false
    # Optimizes `fmt.Sprintf` with only one argument.
    sprintf1: true
    # Optimizes into strings concatenation.
    strconcat: false
  testifylint:
    enable-all: true
    disable:
      - go-require
 run:
  timeout: 50m
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,123 +0,0 @@
 version: 2
 project_name: argocd
 before:
  hooks:
    - go mod download
    - make build-ui
 builds:
  - id: argocd-cli
    main: ./cmd
    binary: argocd-{{ .Os}}-{{ .Arch}}
    env:
      - CGO_ENABLED=0
    flags:
      - -v
    ldflags:
      - -X github.com/argoproj/argo-cd/v2/common.version={{ .Version }}
      - -X github.com/argoproj/argo-cd/v2/common.buildDate={{ .Date }}
      - -X github.com/argoproj/argo-cd/v2/common.gitCommit={{ .FullCommit }}
      - -X github.com/argoproj/argo-cd/v2/common.gitTreeState={{ .Env.GIT_TREE_STATE }}
      - -X github.com/argoproj/argo-cd/v2/common.kubectlVersion={{ .Env.KUBECTL_VERSION }}
      - -extldflags="-static"
    goos:
      - linux
      - darwin
      - windows
    goarch:
      - amd64
      - arm64
      - s390x
      - ppc64le
    ignore:
      - goos: darwin
        goarch: s390x
      - goos: darwin
        goarch: ppc64le
      - goos: windows
        goarch: s390x
      - goos: windows
        goarch: ppc64le
      - goos: windows
        goarch: arm64
 archives:
  - id: argocd-archive
    builds:
    - argocd-cli
    name_template: |-
      {{ .ProjectName }}-{{ .Os }}-{{ .Arch }}
    format: binary
 checksum:
  name_template: 'cli_checksums.txt'
  algorithm: sha256
 release:
  prerelease: auto
  draft: false
  header: |
    ## Quick Start
    ### Non-HA:
    ```shell
    kubectl create namespace argocd
    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/install.yaml
    ```
    ### HA:
    ```shell
    kubectl create namespace argocd
    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/ha/install.yaml
    ```
    ## Release Signatures and Provenance
    All Argo CD container images are signed by cosign.  A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets) on how to verify.
    ## Upgrading
    If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.
  footer: |
    **Full Changelog**: https://github.com/argoproj/argo-cd/compare/{{ .PreviousTag }}...{{ .Tag }}
    <a href="https://argoproj.github.io/cd/"><img src="https://raw.githubusercontent.com/argoproj/argo-site/master/content/pages/cd/gitops-cd.png" width="25%" ></a>
 snapshot: #### To be removed for PR
  name_template: "2.6.0"
 changelog:
  use:
    github
  sort: asc
  abbrev: 0
  groups: # Regex use RE2 syntax as defined here: https://github.com/google/re2/wiki/Syntax.
    - title: 'Features'
      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
      order: 100
    - title: 'Bug fixes'
      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
      order: 200
    - title: 'Documentation'
      regexp: '^.*?docs(\([[:word:]]+\))??!?:.+$'
      order: 300
    - title: 'Dependency updates'
      regexp: '^.*?(feat|fix|chore)\(deps?.+\)!?:.+$'
      order: 400
    - title: 'Other work'
      order: 999
  filters:
    exclude:
      - '^test:'
      - '^.*?Bump(\([[:word:]]+\))?.+$'
      - '^.*?\[Bot\](\([[:word:]]+\))?.+$'
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -1,76 +0,0 @@
 # global config
 filename: "{{.InterfaceName}}.go"
 dir: "{{.InterfaceDir}}/mocks"
 outpkg: "mocks"
 mockname: "{{.InterfaceName}}"
 with-expecter: false
 # individual interface config
 packages:
  github.com/argoproj/argo-cd/v2/applicationset/generators:
    interfaces:
      Generator:
  github.com/argoproj/argo-cd/v2/applicationset/services:
    interfaces:
      Repos:
  github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider:
    config:
      dir: "applicationset/services/scm_provider/aws_codecommit/mocks"
    interfaces:
      AWSCodeCommitClient:
      AWSTaggingClient:
  github.com/microsoft/azure-devops-go-api/azuredevops/git:
    config:
      dir: "applicationset/services/scm_provider/azure_devops/git/mocks"
    interfaces:
      Client:
  github.com/argoproj/argo-cd/v2/applicationset/utils:
    interfaces:
      Renderer:
  github.com/argoproj/argo-cd/v2/commitserver/commit:
    interfaces:
      RepoClientFactory:
  github.com/argoproj/argo-cd/v2/commitserver/apiclient:
    interfaces:
      CommitServiceClient:
      Clientset:
  github.com/argoproj/argo-cd/v2/controller/cache:
    interfaces:
      LiveStateCache:
  github.com/argoproj/argo-cd/v2/reposerver/apiclient:
    interfaces:
      RepoServerServiceClient:
      RepoServerService_GenerateManifestWithFilesClient:
  github.com/argoproj/argo-cd/v2/server/application:
    interfaces:
      Broadcaster:
  github.com/argoproj/argo-cd/v2/server/extension:
    interfaces:
      ApplicationGetter:
      ExtensionMetricsRegistry:
      ProjectGetter:
      RbacEnforcer:
      SettingsGetter:
      UserGetter:
  github.com/argoproj/argo-cd/v2/util/db:
    interfaces:
      ArgoDB:
  github.com/argoproj/argo-cd/v2/util/git:
    interfaces:
      Client:
  github.com/argoproj/argo-cd/v2/util/helm:
    interfaces:
      Client:
  github.com/argoproj/argo-cd/v2/util/io:
    interfaces:
      TempPaths:
  github.com/argoproj/argo-cd/v2/util/notification/argocd:
    interfaces:
      Service:
  # These mocks are not currently used, but they are part of the public API of this package.      
  github.com/argoproj/argo-cd/v2/pkg/apiclient/session:
    interfaces:
      SessionServiceServer:
      SessionServiceClient:
  github.com/argoproj/argo-cd/v2/pkg/apiclient/cluster:
    interfaces:
      ClusterServiceServer:
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -1,11 +0,0 @@
 version: 2
 formats: all
 mkdocs:
  fail_on_warning: false
 python:
  install:
    - requirements: docs/requirements.txt
 build:
  os: "ubuntu-22.04"
  tools:
    python: "3.12"
--- a/.readthedocs.yml
+++ b/.readthedocs.yml
@@ -0,0 +1,7 @@
 version: 2
 formats: all
 mkdocs:
  fail_on_warning: false
 python:
  install:
    - requirements: docs/requirements.txt
--- a/.snyk
+++ b/.snyk
@@ -18,23 +18,5 @@ ignore:
    - '*':
        reason: >-
          Code is only run client-side. No risk of directory traversal.
  SNYK-GOLANG-GITHUBCOMEMICKLEIGORESTFUL-2435653:
    - '*':
        reason: >-
          Argo CD uses go-restful as a transitive dependency of kube-openapi. kube-openapi is used to generate openapi
          specs. We do not use go-restul at runtime and are therefore not vulnerable to this CORS misconfiguration
          issue in go-restful.
  SNYK-JS-FORMIDABLE-2838956:
    - '*':
        reason: >-
          Code is only run client-side. No risk of arbitrary file upload.
  SNYK-JS-PARSEPATH-2936439:
    - '*':
        reason: >-
          The issue is that, for specific URLs, parse-path may incorrectly identify the "resource" (domain name)
          portion. For example, in "http://127.0.0.1#@example.com", it identifies "example.com" as the "resource".
          We use parse-path on the client side, but permissions for git URLs are checked server-side. This is a
          potential usability issue, but it is not a security issue.
 patch: {}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,208 +1,33 @@
 # Changelog
-## v2.4.8 (2022-07-29)
+## v2.4.0 (Unreleased)
-### Bug fixes
+### Web Terminal In Argo CD UI
 - feat: support application level extensions (#9923)
 - feat: support multiple extensions per resource group/kind (#9834)
 - fix: extensions is not loading for ConfigMap/Pods (#10010)
 - fix: upgrade moment from 2.29.2 to 2.29.3 (#9330)
 - fix: skip redirect url validation when it's the base href (#10058) (#10116)
 - fix: avoid CVE-2022-28948 (#10093)
 - fix: Set HOST_ARCH for yarn build from platform (#10018)
 ### Other changes
 - chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (#9897)
 - docs: add OpenSSH breaking change notes (#10104)
 - chore: update parse-url (#10101)
 - docs: add api field example in the appset security doc (#10087)
 - chore: update redis to 7.0.4 avoid CVE-2022-30065 (#10059)
 - docs: add argocd-server grpc metric usage (#10007)
 - chore: upgrade Dex to 2.32.0 (#10036) (#10042)
 - chore: update redis to avoid CVE-2022-2097 (#10031)
 - chore: update haproxy to 2.0.29 for redis-ha (#10045)
 ## v2.4.7 (2022-07-18)
 ### Bug fixes
 fix: Support files in argocd.argoproj.io/manifest-generate-paths annotation (#9908)
 fix: terminal websocket write lock to avoid races (#10011)
 fix: updated all a tags to Link tags in app summary (#9777)
 fix: e2e test to use func from clusterauth instead creating one with old logic (#9989)
 fix: add missing download CLI tool URL response for ppc64le, s390x (#9983)
 ### Other
 chore: upgrade parse-url to avoid SNYK-JS-PARSEURL-2936249 (#9826)
 docs: use quotes to emphasize that ConfigMap value is a string (#9995)
 docs: document directory app include/exclude fields (#9997)
 docs: simplify Docker toolchain docs (#9966) (#10006)
 docs: supported versions (#9876)
 ## v2.4.6 (2022-07-12)
 ### Features
 * feat: Treat connection reset as a retryable error (#9739)
 ### Bug fixes
 * fix: 'unexpected reserved bits' breaking web terminal (#9605) (#9895)
 * fix: argocd login just hangs on 2.4.0 #9679 (#9935)
 * fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s (#9922)
 * fix: NotAfter is not set when ValidFor is set (#9911)
 * fix: add missing download CLI tool link for ppc64le, s390x (#9649)
 * fix: Check tracking annotation for being self-referencing (#9791)
 * fix: Make change of tracking method work at runtime (#9820)
 * fix: argo-cd git submodule is using SSH auth instead of HTTPs (#3118) (#9821)
 ### Other
 * docs: fix typo in Generators-Git.md (#9949)
 * docs: add terminal documentation (#9948)
 * test: Use dedicated multi-arch workloads in e2e tests (#9921)
 * docs: Adding blank line so list is formatted correctly (#9880)
 * docs: small fix for plugin stream filtering (#9871)
 * docs: Document the possibility of rendering Helm charts with Kustomize (#9841)
 * docs: getting started notes on self-signed cert (#9429) (#9784)
 * test: check for error messages from CI env (#9953)
 ## v2.4.5 (2022-07-12)
 ### Security fixes
 * HIGH: Certificate verification is skipped for connections to OIDC providers ([GHSA-7943-82jg-wmw5](https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5))
 * LOW: A leaked API server encryption key can allow XSS for SSO users ([GHSA-pmjg-52h9-72qv](https://github.com/argoproj/argo-cd/security/advisories/GHSA-pmjg-52h9-72qv))
 ### Potentially-breaking changes
 The fix for GHSA-7943-82jg-wmw5 enables TLS certificate validation by default for connections to OIDC providers. If
 connections to your OIDC provider fails validation, SSO will be broken for your Argo CD instance. You should test 2.4.5
 before upgrading it to production. From the new documentation:
 > By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
 > instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
 > configuration, when getting the OIDC provider's keys, and  when exchanging an authorization code or verifying an ID
 > token as part of an OIDC login flow.
 >
 > Disabling certificate verification might make sense if:
 > * You are using the bundled Dex instance **and** your Argo CD instance has TLS configured with a self-signed certificate
    >   **and** you understand and accept the risks of skipping OIDC provider cert verification.
 > * You are using an external OIDC provider **and** that provider uses an invalid certificate **and** you cannot solve
    >   the problem by setting `oidcConfig.rootCA` **and** you understand and accept the risks of skipping OIDC provider cert
    >   verification.
 >
 > If either of those two applies, then you can disable OIDC provider certificate verification by setting
 > `oidc.tls.insecure.skip.verify` to `"true"` in the `argocd-cm` ConfigMap.
 ### Bug fixes
 * fix: webhook typo in case of error in GetManifests (#9671)
 ## v2.4.4 (2022-07-07)
 ### Bug fixes
 - fix: missing path segments for git file generator (#9839)
 - fix: make sure api server informer does not stop after setting change (#9842)
 - fix: support resource logs and exec (#9833)
 - fix: configurable CMP tar exclusions (#9675) (#9789)
 - fix: prune any deleted refs before fetching (#9504)
 ### Other
 - test: Remove circular symlinks from testdata (#9886)
 - docs: custom secret must be labeled (#9835)
 - docs: update archlinux install with official package (#9718)
 - docs: explain rightmost git generator path parameter behavior (#9799)
 ## v2.4.3 (2022-06-27)
 ### Bug fixes
 - fix: respect OIDC providers' supported token signing algorithms (#9433) (#9761)
 - fix websockets for terminal not working on subPath (#9795)
 - fix: avoid closing and re-opening port of api server settings change (#9778)
 - fix: [ArgoCD] Fixing webhook typo in case of error in GetManifests (#9671)
 - fix: overrides should not appear in the manifest cache key (#9601)
 ## v2.4.2 (2022-06-21)
 ### Bug fixes
 * fix: project filter (#9651) (#9709)
 * fix: broken symlink in Dockerfile (#9674)
 * fix: updated baseHRefRegex to perform lazy match (#9724)
 * fix: updated config file permission requirements for windows (#9666)
 ### Other
 * docs: Update sync-options.md (#9687)
 * test/remote: Allow override of base image (#9734)
 ## v2.4.1 (2022-06-21)
 ### Security fixes
 * CRITICAL: External URLs for Deployments can include javascript ([GHSA-h4w9-6x78-8vrj](https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj))
 * HIGH: Insecure entropy in PKCE/Oauth2/OIDC params ([GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v))
 * MODERATE: DoS through large directory app manifest files ([GHSA-jhqp-vf4w-rpwq](https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq))
 * MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ([GHSA-q4w5-4gq2-98vm](https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm))
 ### Potentially-breaking changes
 From the [GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v) description:
 > The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.
 >
 > If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.
 ### Other
 * test: directory app manifest generation (#9503)
 * chore: Implement tests to validate aws auth retry (#9627)
 * chore: Implement a retry in aws auth command (#9618)
 * test: Remove temp directories from repo server tests (#9501)
 * test: Make context tests idempodent (#9502)
 * test: fix plugin var test for OSX (#9590)
 * docs: Document how to deploy from the root of the git repository (#9632)
 * docs: added environment variables documentation (#8680)
 ## v2.4.0 (2022-06-10)
 ### Web Terminal In Argo CD UI
 Feature enables engineers to start a shell in the running application container without leaving the web interface. Just find the required Kubernetes
 Pod using the Application Details page, click on it and select the Terminal tab. The shell starts automatically and enables you to execute the required
 commands, and helps to troubleshoot the application state.
-### Access Control For Pod Logs & Web Terminal
+### Access Control For Pod Logs & Web Terminal
 Argo CD is used to manage the critical infrastructure of multiple organizations, which makes security the top priority of the project. We've listened to
 your feedback and introduced additional access control settings that control access to Kubernetes Pod logs and the new Web Terminal feature.
-#### Pod Logs UI
+#### Known UI Issue for Pod Logs Access
-Since 2.4.9, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy.
+Currently, upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
 #### Known pod logs UI issue prior to 2.4.9
 Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
 ### OpenTelemetry Tracing Integration
 The new feature allows emitting richer telemetry data that might make identifying performance bottlenecks easier. The new feature is available for argocd-server
 and argocd-repo-server components and can be enabled using the --otlp-address flag.
-### Power PC and IBM Z Support
+### Power PC and IBM Z Support
 The list of supported architectures has been expanded, and now includes IBM Z (s390x) and PowerPC (ppc64le). Starting with the v2.4 release the official quay.io
 repository is going to have images for amd64, arm64, ppc64le, and s390x architectures.
-### Other Notable Changes
+### Other Notable Changes
 Overall v2.4 release includes more than 300 hundred commits from nearly 90 contributors. Here is a short sample of the contributions:
@@ -211,116 +36,6 @@ Overall v2.4 release includes more than 300 hundred commits from nearly 90 contr
 * Secured Redis connection
 * ApplicationSet Gitea support
 ## v2.3.7 (2022-07-29)
 ### Notes
 This is mainly a security related release and updates compatibility with Kubernetes 1.24.
 **Attention:** The base image for 2.3.x reached end-of-life on July 14, 2022. This release upgraded the base image to Ubuntu 22.04 LTS. The change should have no effect on the majority of users. But if any of your git providers only supports now-deprecated key hash algorithms, then Application syncing might break. See the [2.2-to-2.3 upgrade notes](https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.2-2.3/#support-for-private-repo-ssh-keys-using-the-sha-1-signature-hash-algorithm-is-removed-in-237) for details and workaround instructions.
 ### Bug fixes
 - fix: skip redirect url validation when it's the base href (#10058) (#10116)
 - fix: upgrade moment from 2.29.2 to 2.29.3 (#9330)
 - fix: avoid CVE-2022-28948 (#10093)
 - fix: use serviceaccount name instead of struct (#9614)
 - fix: create serviceaccount token for v1.24 clusters (#9546)
 ### Other changes
 - test: Remove cluster e2e tests not intended for release-2.3
 - test: Remove circular symlinks from testdata (#9886)
 - chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (#9897)
 - chore: upgrade moment to latest version to fix CVE (#9005)
 - chore: move dependencies to dev dependencies (#8541)
 - docs: add OpenSSH breaking change notes (#10104)
 - chore: update parse-url (#10101)
 - chore: upgrade base image to 22.04 (#10103)
 - docs: simplify Docker toolchain docs (#9966) (#10006)
 - chore: update redis to 6.2.7 avoid CVE-2022-30065/CVE-2022-2097 (#10062)
 - chore: upgrade Dex to 2.32.0 (#10036) (#10042)
 - chore: update haproxy to 2.0.29 for redis-ha (#10045)
 - test: check for error messages from CI env (#9953)
 ## v2.3.6 (2022-07-12)
 ### Security fixes
 * HIGH: Certificate verification is skipped for connections to OIDC providers ([GHSA-7943-82jg-wmw5](https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5))
 * LOW: A leaked API server encryption key can allow XSS for SSO users ([GHSA-pmjg-52h9-72qv](https://github.com/argoproj/argo-cd/security/advisories/GHSA-pmjg-52h9-72qv))
 ### Potentially-breaking changes
 The fix for GHSA-7943-82jg-wmw5 enables TLS certificate validation by default for connections to OIDC providers. If
 connections to your OIDC provider fails validation, SSO will be broken for your Argo CD instance. You should test 2.3.6
 before upgrading it to production. From the new documentation:
 > By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
 > instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
 > configuration, when getting the OIDC provider's keys, and  when exchanging an authorization code or verifying an ID
 > token as part of an OIDC login flow.
 >
 > Disabling certificate verification might make sense if:
 > * You are using the bundled Dex instance **and** your Argo CD instance has TLS configured with a self-signed certificate
    >   **and** you understand and accept the risks of skipping OIDC provider cert verification.
 > * You are using an external OIDC provider **and** that provider uses an invalid certificate **and** you cannot solve
    >   the problem by setting `oidcConfig.rootCA` **and** you understand and accept the risks of skipping OIDC provider cert
    >   verification.
 >
 > If either of those two applies, then you can disable OIDC provider certificate verification by setting
 > `oidc.tls.insecure.skip.verify` to `"true"` in the `argocd-cm` ConfigMap.
 ### Bug fixes
 * fix: webhook typo in case of error in GetManifests (#9671)
 ## v2.3.5 (2022-06-21)
 ### Security fixes
 * CRITICAL: External URLs for Deployments can include javascript ([GHSA-h4w9-6x78-8vrj](https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj))
 * HIGH: Insecure entropy in PKCE/Oauth2/OIDC params ([GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v))
 * MODERATE: DoS through large directory app manifest files ([GHSA-jhqp-vf4w-rpwq](https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq))
 * MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ([GHSA-q4w5-4gq2-98vm](https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm))
 ### Potentially-breaking changes
 From the [GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v) description:
 > The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.
 >
 > If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.
 ### Bug fixes
 * fix: missing Helm params (#9565) (#9566)
 ### Other
 * test: directory app manifest generation (#9503)
 * chore: eliminate go-mpatch dependency (#9045)
 * chore: Make unit tests run on platforms other than amd64 (#8995)
 * chore: remove obsolete repo-server unit test (#9559)
 * chore: update golangci-lint (#8988)
 * fix: test race (#9469)
 * chore: upgrade golangci-lint to v1.46.2 (#9448)
 * test: fix ErrorContains (#9445)
 ## v2.3.4 (2022-05-18)
 ### Security fixes
 - CRITICAL: Argo CD will trust invalid JWT claims if anonymous access is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj)
 - LOW: Login screen allows message spoofing if SSO is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j)
 - MODERATE: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h)
 ### Bug Fixes
 - fix: Fix docs build error (#8895)
 - fix: fix broken monaco editor collapse icons (#8709)
 - chore: upgrade to go 1.17.8 (#8866) (#9004)
 - fix: allow cli/ui to follow logs (#8987) (#9065)
 ## v2.3.3 (2022-03-29)
@@ -462,174 +177,6 @@ Both bundled Helm and Kustomize binaries have been upgraded to the latest versio
 - refactor: Introduce 'byClusterName' secret index to speedup cluster server URL lookup (#8133)
 - refactor: Move project filtering to server side (#8102)
 ## v2.2.12 (2022-07-29)
 ### Notes
 This is mainly a security related release and updates compatibility with Kubernetes 1.24.
 **Attention:** The base image for 2.2.x reached end-of-life on January 20, 2022. This release upgraded the base image to Ubuntu 22.04 LTS. The change should have no effect on the majority of users. But if any of your git providers only supports now-deprecated key hash algorithms, then Application syncing might break. See the [2.1-to-2.2 upgrade notes](https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.1-2.2/#support-for-private-repo-ssh-keys-using-the-sha-1-signature-hash-algorithm-is-removed-in-2212) for details and workaround instructions.
 ### Bug fixes
 - fix: create serviceaccount token for v1.24 clusters (#9546)
 - fix: upgrade moment from 2.29.2 to 2.29.3 (#9330)
 - fix: avoid CVE-2022-28948 (#10093)
 ### Other changes
 - chore: Remove deprecated K8s versions from test matrix
 - chore: Go mod tidy
 - test: Remove circular symlinks from testdata (#9886)
 - test: Fix e2e tests for release-2.2 branch
 - chore: bump redoc vesion to avoid CVE-2021-23820 (#8604)
 - chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (#9897)
 - chore: upgrade moment to latest version to fix CVE (#9005)
 - chore: move dependencies to dev dependencies (#8541)
 - docs: add OpenSSH breaking change notes (#10104)
 - chore: update parse-url (#10101)
 - chore: fix codegen
 - chore: fix codegen
 - chore: upgrade base image to 22.04 (#10105)
 - docs: simplify Docker toolchain docs (#9966) (#10006)
 - chore: update redis to 6.2.7 avoid CVE-2022-30065/CVE-2022-2097 (#10068)
 - chore: upgrade Dex to 2.32.0 (#10036) (#10042)
 - chore: update haproxy to 2.0.29 for redis-ha (#10045)
 - test: check for error messages from CI env (#9953)
 ## v2.2.11 (2022-07-12)
 ### Security fixes
 * HIGH: Certificate verification is skipped for connections to OIDC providers ([GHSA-7943-82jg-wmw5](https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5))
 * LOW: A leaked API server encryption key can allow XSS for SSO users ([GHSA-pmjg-52h9-72qv](https://github.com/argoproj/argo-cd/security/advisories/GHSA-pmjg-52h9-72qv))
 ### Potentially-breaking changes
 The fix for GHSA-7943-82jg-wmw5 enables TLS certificate validation by default for connections to OIDC providers. If
 connections to your OIDC provider fails validation, SSO will be broken for your Argo CD instance. You should test 2.2.11
 before upgrading it to production. From the new documentation:
 > By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
 > instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
 > configuration, when getting the OIDC provider's keys, and  when exchanging an authorization code or verifying an ID
 > token as part of an OIDC login flow.
 >
 > Disabling certificate verification might make sense if:
 > * You are using the bundled Dex instance **and** your Argo CD instance has TLS configured with a self-signed certificate
    >   **and** you understand and accept the risks of skipping OIDC provider cert verification.
 > * You are using an external OIDC provider **and** that provider uses an invalid certificate **and** you cannot solve
    >   the problem by setting `oidcConfig.rootCA` **and** you understand and accept the risks of skipping OIDC provider cert
    >   verification.
 >
 > If either of those two applies, then you can disable OIDC provider certificate verification by setting
 > `oidc.tls.insecure.skip.verify` to `"true"` in the `argocd-cm` ConfigMap.
 ### Features
 * feat: enable specifying root ca for oidc (#6712)
 ### Bug fixes
 * fix: webhook typo in case of error in GetManifests (#9671)
 ## v2.2.10 (2022-06-21)
 ### Security fixes
 * CRITICAL: External URLs for Deployments can include javascript ([GHSA-h4w9-6x78-8vrj](https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj))
 * HIGH: Insecure entropy in PKCE/Oauth2/OIDC params ([GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v))
 * MODERATE: DoS through large directory app manifest files ([GHSA-jhqp-vf4w-rpwq](https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq))
 * MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ([GHSA-q4w5-4gq2-98vm](https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm))
 ### Potentially-breaking changes
 From the [GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v) description:
 > The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.
 >
 > If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.
 ### Bug fixes
 * fix: missing Helm params (#9565) (#9566)
 ### Other
 * test: directory app manifest generation (#9503)
 * test: fix erroneous test change
 * chore: eliminate go-mpatch dependency (#9045)
 * chore: Make unit tests run on platforms other than amd64 (#8995)
 * chore: remove obsolete repo-server unit test (#9559)
 * chore: upgrade golangci-lint to v1.46.2 (#9448)
 * chore: update golangci-lint (#8988)
 ## v2.2.9 (2022-05-18)
 ### Notes
 This is a security release. We urge all users of the 2.2.z branch to update as soon as possible. Please refer to the _Security fixes_ section below for more details.
 ### Security fixes
 - CRITICAL: Argo CD will trust invalid JWT claims if anonymous access is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj)
 - LOW: Login screen allows message spoofing if SSO is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j)
 - MODERATE: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h)
 ## v2.2.8 (2022-03-22)
 ### Special notes
 This release contains the fix for a security issue with critical severity. We recommend users on the 2.2 release branch to update to this release as soon as possible.
 More information can be found in the related
 [security advisory](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2f5v-8r3f-8pww).
 ### Changes
 As part of the security fix, the Argo CD UI no longer automatically presents child resources of allow-listed resources unless the child resources are also allow-listed. For example, Pods are not going to show up if only Deployment is added to the allow-list.
 If you have [projects](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/) configured with allow-lists, make sure the allow-lists include all the resources you want users to be able to view/manage through the UI. For example, if your project allows `Deployments`, you would add `ReplicaSets` and `Pods`.
 #### Bug Fixes
 - fix: application resource APIs must enforce project restrictions
 ## v2.2.7 (2022-03-08)
 ### Bug Fixes
 - fix: correct jsonnet paths resolution (#8721)
 ## v2.2.6 (2022-03-06)
 ### Bug Fixes
 - fix: prevent file traversal using helm file values param and application details api (#8606)
 - fix!: enforce app create/update privileges when getting repo details (#8558)
 - feat: support custom helm values file schemes (#8535)
 ## v2.2.5 (2022-02-04)
 - fix: Resolve symlinked value files correctly (#8387)
 ## v2.2.4 (2022-02-03)
 ### Special notes
 This release contains the fix for a security issue with high severity. We recommend users on the 2.2 release branch to update to this release as soon as possible.
 More information can be found in the related
 [security advisory](https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7)
 ### Bug Fixes
 - fix: Prevent value files outside repository root
 ### Other changes
 - chore: upgrade dex to v2.30.2 (backport of #8237) (#8257)
 ## v2.2.3 (2022-01-18)
 - fix: Application exist panic when execute api call (#8188)
@@ -687,117 +234,6 @@ as there are no conflicts with other Kubernetes tools, and you can easily instal
 * Cluster name support in project destinations (#7198)
 * around 30 more features and a total of 84 bug fixes
 ## v2.1.16 (2022-06-21)
 ### Security fixes
 * CRITICAL: External URLs for Deployments can include javascript ([GHSA-h4w9-6x78-8vrj](https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj))
 * HIGH: Insecure entropy in PKCE/Oauth2/OIDC params ([GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v))
 * MODERATE: DoS through large directory app manifest files ([GHSA-jhqp-vf4w-rpwq](https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq))
 * MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ([GHSA-q4w5-4gq2-98vm](https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm))
 **Note:** This will be the last security fix release in the 2.1.x series. Please [upgrade to a newer minor version](https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/overview/) to continue to get security fixes.
 ### Potentially-breaking changes
 From the [GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v) description:
 > The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.
 >
 > If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.
 ### Bug fixes
 * fix: missing Helm params (#9565) (#9566)
 ### Other
 * test: directory app manifest generation (#9503)
 * test: fix erroneous test change
 * chore: eliminate go-mpatch dependency (#9045)
 * chore: Make unit tests run on platforms other than amd64 (#8995)
 * chore: remove obsolete repo-server unit test (#9559)
 * chore: upgrade golangci-lint to v1.46.2 (#9448)
 * chore: update golangci-lint (#8988)
 * test: fix ErrorContains (#9445)
 ## v2.1.15 (2022-05-18)
 ### Notes
 This is a security release. We urge all users of the 2.1.z branch to update as soon as possible. Please refer to the _Security fixes_ section below for more details.
 ### Security fixes
 - CRITICAL: Argo CD will trust invalid JWT claims if anonymous access is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj)
 - LOW: Login screen allows message spoofing if SSO is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j)
 - MODERATE: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h)
 ## v2.1.14 (2022-03-22)
 ### Special notes
 This release contains the fix for a security issue with critical severity. We recommend users on the 2.1 release branch to update to this release as soon as possible.
 More information can be found in the related
 [security advisory](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2f5v-8r3f-8pww).
 ### Changes
 As part of the security fix, the Argo CD UI no longer automatically presents child resources of allow-listed resources unless the child resources are also allow-listed. For example, Pods are not going to show up if only Deployment is added to the allow-list.
 If you have [projects](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/) configured with allow-lists, make sure the allow-lists include all the resources you want users to be able to view/manage through the UI. For example, if your project allows `Deployments`, you would add `ReplicaSets` and `Pods`.
 #### Bug Fixes
 - fix: application resource APIs must enforce project restrictions
 ## v2.1.13 (2022-03-22)
 Unused release number.
 ## v2.1.12 (2022-03-08)
 ### Bug Fixes
 - fix: correct jsonnet paths resolution (#8721)
 ## v2.1.11 (2022-03-06)
 ### Bug Fixes
 - fix: prevent file traversal using helm file values param and application details api (#8606)
 - fix!: enforce app create/update privileges when getting repo details (#8558)
 - feat: support custom helm values file schemes (#8535)
 ## v2.1.10 (2022-02-04)
 ### Bug Fixes
 - fix: Resolve symlinked value files correctly (#8387)
 ## v2.1.9 (2022-02-03)
 ### Special notes
 This release contains the fix for a security issue with high severity. We recommend users on the 2.1 release branch to update to this release as soon as possible.
 More information can be found in the related
 [security advisory](https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7)
 ### Bug Fixes
 - fix: Prevent value files outside repository root
 ## v2.1.8 (2021-12-13)
 ### Bug Fixes
 - fix: issue with keepalive (#7861)
 - fix nil pointer dereference error (#7905)
 - fix: env vars to tune cluster cache were broken (#7779)
 - fix: upgraded gitops engine to v0.4.2 (fixes #7561)
 ## v2.1.7 (2021-12-14)
 - fix: issue with keepalive (#7861)
@@ -1008,7 +444,7 @@ resources, you will have to adapt your cluster resources allow lists to explicit
 ## v1.8.4 (2021-02-05)
 - feat: set X-XSS-Protection while serving static content (#5412)
- fix: version info should be available if anonymous access is enabled (#5422)
+- fix: version info should be avaialble if anonymous access is enabled (#5422)
 - fix: disable jwt claim audience validation #5381 (#5413)
 - fix: /api/version should not return tools version for unauthenticated requests (#5415)
 - fix: account tokens should be rejected if required capability is disabled (#5414)
--- a/14
+++ b/14
@@ -1,14 +0,0 @@
 # All
 ** @argoproj/argocd-approvers
 # Docs
 /docs/**     @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
 /USERS.md    @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
 /README.md   @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
 /mkdocs.yml  @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
 # CI
 /.codecov.yml             @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
 /.github/**               @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
 /.goreleaser.yaml         @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
 /sonar-project.properties @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1 +0,0 @@
 Please refer to [the Contribution Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/code-contributions/)
--- a/45
+++ b/45
@@ -1,12 +1,12 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15
+ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.23.3@sha256:d56c3e08fe5b27729ee3834854ae8f7015af48fd651cd25d1e3bcf3c19830174 AS builder
+FROM docker.io/library/golang:1.18 AS builder
-RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list
+RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 RUN apt-get update && apt-get install --no-install-recommends -y \
    openssh-server \
@@ -28,7 +28,7 @@ WORKDIR /tmp
 COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers
-RUN ./install.sh helm && \
+RUN ./install.sh helm-linux && \
    INSTALL_PATH=/usr/local/bin ./install.sh kustomize
 ####################################################################################################
@@ -36,22 +36,19 @@ RUN ./install.sh helm && \
 ####################################################################################################
 FROM $BASE_IMAGE AS argocd-base
 LABEL org.opencontainers.image.source="https://github.com/argoproj/argo-cd"
 USER root
 ENV ARGOCD_USER_ID=999
 ENV DEBIAN_FRONTEND=noninteractive
-RUN groupadd -g $ARGOCD_USER_ID argocd && \
+RUN groupadd -g 999 argocd && \
-    useradd -r -u $ARGOCD_USER_ID -g argocd argocd && \
+    useradd -r -u 999 -g argocd argocd && \
    mkdir -p /home/argocd && \
    chown argocd:0 /home/argocd && \
    chmod g=u /home/argocd && \
    apt-get update && \
    apt-get dist-upgrade -y && \
    apt-get install -y \
-    git git-lfs tini gpg tzdata connect-proxy && \
+    git git-lfs tini gpg tzdata && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -77,13 +74,13 @@ RUN mkdir -p tls && \
 ENV USER=argocd
-USER $ARGOCD_USER_ID
+USER 999
 WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:23.0.0@sha256:e643c0b70dca9704dff42e12b17f5b719dbe4f95e6392fc2dfa0c5f02ea8044d AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:12.18.4 AS argocd-ui
 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]
@@ -95,13 +92,12 @@ COPY ["ui/", "."]
 ARG ARGO_VERSION=latest
 ENV ARGO_VERSION=$ARGO_VERSION
-ARG TARGETARCH
+RUN HOST_ARCH='amd64' NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
 RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23.3@sha256:d56c3e08fe5b27729ee3834854ae8f7015af48fd651cd25d1e3bcf3c19830174 AS argocd-build
+FROM --platform=$BUILDPLATFORM  docker.io/library/golang:1.18 AS argocd-build
 WORKDIR /go/src/github.com/argoproj/argo-cd
@@ -113,18 +109,7 @@ COPY . .
 COPY --from=argocd-ui /src/dist/app /go/src/github.com/argoproj/argo-cd/ui/dist/app
 ARG TARGETOS
 ARG TARGETARCH
-# These build args are optional; if not specified the defaults will be taken from the Makefile
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH make argocd-all
 ARG GIT_TAG
 ARG BUILD_DATE
 ARG GIT_TREE_STATE
 ARG GIT_COMMIT
 RUN GIT_COMMIT=$GIT_COMMIT \
    GIT_TREE_STATE=$GIT_TREE_STATE \
    GIT_TAG=$GIT_TAG \
    BUILD_DATE=$BUILD_DATE \
    GOOS=$TARGETOS \
    GOARCH=$TARGETARCH \
    make argocd-all
 ####################################################################################################
 # Final image
@@ -140,8 +125,6 @@ RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-notifications && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-applicationset-controller && \
-    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-commit-server
-USER $ARGOCD_USER_ID
+USER 999
 ENTRYPOINT ["/usr/bin/tini", "--"]
--- a/255
+++ b/255
@@ -3,41 +3,31 @@ CURRENT_DIR=$(shell pwd)
 DIST_DIR=${CURRENT_DIR}/dist
 CLI_NAME=argocd
 BIN_NAME=argocd
 CGO_FLAG=0
 GEN_RESOURCES_CLI_NAME=argocd-resources-gen
 HOST_OS:=$(shell go env GOOS)
 HOST_ARCH:=$(shell go env GOARCH)
 TARGET_ARCH?=linux/amd64
 VERSION=$(shell cat ${CURRENT_DIR}/VERSION)
-BUILD_DATE:=$(if $(BUILD_DATE),$(BUILD_DATE),$(shell date -u +'%Y-%m-%dT%H:%M:%SZ'))
+BUILD_DATE=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
-GIT_COMMIT:=$(if $(GIT_COMMIT),$(GIT_COMMIT),$(shell git rev-parse HEAD))
+GIT_COMMIT=$(shell git rev-parse HEAD)
-GIT_TAG:=$(if $(GIT_TAG),$(GIT_TAG),$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi))
+GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)
-GIT_TREE_STATE:=$(if $(GIT_TREE_STATE),$(GIT_TREE_STATE),$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi))
+GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
 VOLUME_MOUNT=$(shell if test "$(go env GOOS)" = "darwin"; then echo ":delegated"; elif test selinuxenabled; then echo ":delegated"; else echo ""; fi)
 KUBECTL_VERSION=$(shell go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)
 GOPATH?=$(shell if test -x `which go`; then go env GOPATH; else echo "$(HOME)/go"; fi)
 GOCACHE?=$(HOME)/.cache/go-build
 # Docker command to use
 DOCKER?=docker
 ifeq ($(DOCKER),podman)
 PODMAN_ARGS=--userns keep-id
 else
 PODMAN_ARGS=
 endif
 DOCKER_SRCDIR?=$(GOPATH)/src
 DOCKER_WORKDIR?=/go/src/github.com/argoproj/argo-cd
 ARGOCD_PROCFILE?=Procfile
-# pointing to python 3.7 to match https://github.com/argoproj/argo-cd/blob/master/.readthedocs.yml
+# Strict mode has been disabled in latest versions of mkdocs-material. 
-MKDOCS_DOCKER_IMAGE?=python:3.7-alpine
+# Thus pointing to the older image of mkdocs-material matching the version used by argo-cd.
 MKDOCS_DOCKER_IMAGE?=squidfunk/mkdocs-material:4.1.1
 MKDOCS_RUN_ARGS?=
 # Configuration for building argocd-test-tools image
@@ -57,7 +47,7 @@ ARGOCD_E2E_DEX_PORT?=5556
 ARGOCD_E2E_YARN_HOST?=localhost
 ARGOCD_E2E_DISABLE_AUTH?=
-ARGOCD_E2E_TEST_TIMEOUT?=90m
+ARGOCD_E2E_TEST_TIMEOUT?=30m
 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
@@ -74,20 +64,13 @@ else
 DOCKER_SRC_MOUNT="$(PWD):/go/src/github.com/argoproj/argo-cd$(VOLUME_MOUNT)"
 endif
 # User and group IDs to map to the test container
 CONTAINER_UID=$(shell id -u)
 CONTAINER_GID=$(shell id -g)
 # Set SUDO to sudo to run privileged commands with sudo
 SUDO?=
 # Runs any command in the argocd-test-utils container in server mode
 # Server mode container will start with uid 0 and drop privileges during runtime
 define run-in-test-server
-	$(SUDO) $(DOCKER) run --rm -it \
+	docker run --rm -it \
 		--name argocd-test-server \
-		-u $(CONTAINER_UID):$(CONTAINER_GID) \
+		-u $(shell id -u):$(shell id -g) \
-		-e USER_ID=$(CONTAINER_UID) \
+		-e USER_ID=$(shell id -u) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e GOCACHE=/tmp/go-build-cache \
@@ -98,8 +81,6 @@ define run-in-test-server
 		-e ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} \
 		-e ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} \
 		-e ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} \
 		-e ARGOCD_APPLICATION_NAMESPACES \
 		-e GITHUB_TOKEN \
 		-v ${DOCKER_SRC_MOUNT} \
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
@@ -109,20 +90,18 @@ define run-in-test-server
 		-p ${ARGOCD_E2E_APISERVER_PORT}:8080 \
 		-p 4000:4000 \
 		-p 5000:5000 \
 		$(PODMAN_ARGS) \
 		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
 		bash -c "$(1)"
 endef
 # Runs any command in the argocd-test-utils container in client mode
 define run-in-test-client
-	$(SUDO) $(DOCKER) run --rm -it \
+	docker run --rm -it \
 	  --name argocd-test-client \
-		-u $(CONTAINER_UID):$(CONTAINER_GID) \
+		-u $(shell id -u):$(shell id -g) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) \
 		-e GITHUB_TOKEN \
 		-e GOCACHE=/tmp/go-build-cache \
 		-e ARGOCD_LINT_GOGC=$(ARGOCD_LINT_GOGC) \
 		-v ${DOCKER_SRC_MOUNT} \
@@ -131,14 +110,13 @@ define run-in-test-client
 		-v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \
 		-v /tmp:/tmp${VOLUME_MOUNT} \
 		-w ${DOCKER_WORKDIR} \
 		$(PODMAN_ARGS) \
 		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
 		bash -c "$(1)"
 endef
-#
+# 
 define exec-in-test-server
-	$(SUDO) $(DOCKER) exec -it -u $(CONTAINER_UID):$(CONTAINER_GID) -e ARGOCD_E2E_RECORD=$(ARGOCD_E2E_RECORD) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
+	docker exec -it -u $(shell id -u):$(shell id -g) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
 endef
 PATH:=$(PATH):$(PWD)/hack
@@ -153,20 +131,12 @@ DEV_IMAGE?=false
 ARGOCD_GPG_ENABLED?=true
 ARGOCD_E2E_APISERVER_PORT?=8080
 ifeq (${COVERAGE_ENABLED}, true)
 # We use this in the cli-local target to enable code coverage for e2e tests.
 COVERAGE_FLAG=-cover
 else
 COVERAGE_FLAG=
 endif
 override LDFLAGS += \
  -X ${PACKAGE}.version=${VERSION} \
  -X ${PACKAGE}.buildDate=${BUILD_DATE} \
  -X ${PACKAGE}.gitCommit=${GIT_COMMIT} \
  -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}\
-  -X ${PACKAGE}.kubectlVersion=${KUBECTL_VERSION}\
+  -X ${PACKAGE}.kubectlVersion=${KUBECTL_VERSION}
  -X "${PACKAGE}.extraBuildInfo=${EXTRA_BUILD_INFO}"
 ifeq (${STATIC_BUILD}, true)
 override LDFLAGS += -extldflags "-static"
@@ -192,25 +162,29 @@ endif
 .PHONY: all
 all: cli image
-.PHONY: mockgen
+# We have some legacy requirements for being checked out within $GOPATH.
-mockgen:
+# The ensure-gopath target can be used as dependency to ensure we are running
-	./hack/generate-mock.sh
+# within these boundaries.
 .PHONY: ensure-gopath
 ensure-gopath:
 ifneq ("$(PWD)","$(LEGACY_PATH)")
 	@echo "Due to legacy requirements for codegen, repository needs to be checked out within \$$GOPATH"
 	@echo "Location of this repo should be '$(LEGACY_PATH)' but is '$(PWD)'"
 	@exit 1
 endif
 .PHONY: gogen
-gogen:
+gogen: ensure-gopath
 	export GO111MODULE=off
-	go generate ./...
+	go generate ./util/argo/...
 .PHONY: protogen
-protogen: mod-vendor-local protogen-fast
+protogen: ensure-gopath mod-vendor-local
 .PHONY: protogen-fast
 protogen-fast:
 	export GO111MODULE=off
 	./hack/generate-proto.sh
 .PHONY: openapigen
-openapigen:
+openapigen: ensure-gopath
 	export GO111MODULE=off
 	./hack/update-openapi.sh
@@ -225,25 +199,19 @@ notification-docs:
 .PHONY: clientgen
-clientgen:
+clientgen: ensure-gopath
 	export GO111MODULE=off
 	./hack/update-codegen.sh
 .PHONY: clidocsgen
-clidocsgen:
+clidocsgen: ensure-gopath
-	go run tools/cmd-docs/main.go
+	go run tools/cmd-docs/main.go	
 .PHONY: actionsdocsgen
 actionsdocsgen:
 	hack/generate-actions-list.sh
 .PHONY: codegen-local
-codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen manifests-local notification-docs notification-catalog
+codegen-local: ensure-gopath mod-vendor-local notification-docs notification-catalog gogen protogen clientgen openapigen clidocsgen manifests-local
 	rm -rf vendor/
 .PHONY: codegen-local-fast
 codegen-local-fast: mockgen gogen protogen-fast clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
 .PHONY: codegen
 codegen: test-tools-image
 	$(call run-in-test-client,make codegen-local)
@@ -254,11 +222,11 @@ cli: test-tools-image
 .PHONY: cli-local
 cli-local: clean-debug
-	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -gcflags="all=-N -l" $(COVERAGE_FLAG) -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
 .PHONY: gen-resources-cli-local
 gen-resources-cli-local: clean-debug
-	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${GEN_RESOURCES_CLI_NAME} ./hack/gen-resources/cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${GEN_RESOURCES_CLI_NAME} ./hack/gen-resources/cmd
 .PHONY: release-cli
 release-cli: clean-debug build-ui
@@ -272,10 +240,8 @@ release-cli: clean-debug build-ui
 .PHONY: test-tools-image
 test-tools-image:
-ifndef SKIP_TEST_TOOLS_IMAGE
+	docker build --build-arg UID=$(shell id -u) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
-	$(SUDO) $(DOCKER) build --build-arg UID=$(CONTAINER_UID) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
+	docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
 	$(SUDO) $(DOCKER) tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
 endif
 .PHONY: manifests-local
 manifests-local:
@@ -288,25 +254,25 @@ manifests: test-tools-image
 # consolidated binary for cli, util, server, repo-server, controller
 .PHONY: argocd-all
 argocd-all: clean-debug
-	CGO_ENABLED=${CGO_FLAG} GOOS=${GOOS} GOARCH=${GOARCH} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
+	CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
 .PHONY: server
 server: clean-debug
-	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
 .PHONY: repo-server
 repo-server:
-	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
 .PHONY: controller
 controller:
-	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
 .PHONY: build-ui
 build-ui:
-	DOCKER_BUILDKIT=1 $(DOCKER) build -t argocd-ui --platform=$(TARGET_ARCH) --target argocd-ui .
+	DOCKER_BUILDKIT=1 docker build -t argocd-ui --target argocd-ui .
 	find ./ui/dist -type f -not -name gitkeep -delete
-	$(DOCKER) run -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
+	docker run -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
 .PHONY: image
 ifeq ($(DEV_IMAGE), true)
@@ -315,29 +281,29 @@ ifeq ($(DEV_IMAGE), true)
 # the dist directory is under .dockerignore.
 IMAGE_TAG="dev-$(shell git describe --always --dirty)"
 image: build-ui
-	DOCKER_BUILDKIT=1 $(DOCKER) build --platform=$(TARGET_ARCH) -t argocd-base --target argocd-base .
+	DOCKER_BUILDKIT=1 docker build -t argocd-base --target argocd-base .
-	CGO_ENABLED=${CGO_FLAG} GOOS=linux GOARCH=amd64 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-application-controller
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-repo-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-cmp-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-dex
 	cp Dockerfile.dev dist
-	DOCKER_BUILDKIT=1 $(DOCKER) build --platform=$(TARGET_ARCH) -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
+	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
 else
 image:
-	DOCKER_BUILDKIT=1 $(DOCKER) build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) --platform=$(TARGET_ARCH) .
+	DOCKER_BUILDKIT=1 docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) .
 endif
-	@if [ "$(DOCKER_PUSH)" = "true" ] ; then $(DOCKER) push $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) ; fi
+	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) ; fi
 .PHONY: armimage
 armimage:
-	$(DOCKER) build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG)-arm .
+	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG)-arm .
 .PHONY: builder-image
 builder-image:
-	$(DOCKER) build  -t $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) --target builder .
+	docker build  -t $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) --target builder .
-	@if [ "$(DOCKER_PUSH)" = "true" ] ; then $(DOCKER) push $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) ; fi
+	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) ; fi
 .PHONY: mod-download
 mod-download: test-tools-image
@@ -355,7 +321,7 @@ mod-vendor: test-tools-image
 mod-vendor-local: mod-download-local
 	go mod vendor
-# Deprecated - replace by install-tools-local
+# Deprecated - replace by install-local-tools
 .PHONY: install-lint-tools
 install-lint-tools:
 	./hack/install.sh lint-tools
@@ -371,7 +337,7 @@ lint-local:
 	golangci-lint --version
 	# NOTE: If you get a "Killed" OOM message, try reducing the value of GOGC
 	# See https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
-	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --fix --verbose
+	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --fix --verbose --timeout 300s
 .PHONY: lint-ui
 lint-ui: test-tools-image
@@ -390,7 +356,7 @@ build: test-tools-image
 # Build all Go code (local version)
 .PHONY: build-local
 build-local:
-	GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v `go list ./... | grep -v 'resource_customizations\|test/e2e'`
+	go build -v `go list ./... | grep -v 'resource_customizations\|test/e2e'`
 # Run all unit tests
 #
@@ -405,9 +371,9 @@ test: test-tools-image
 .PHONY: test-local
 test-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results"; \
+		./hack/test.sh -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`; \
 	else \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results" "$(TEST_MODULE)"; \
+		./hack/test.sh -coverprofile=coverage.out "$(TEST_MODULE)"; \
 	fi
 .PHONY: test-race
@@ -419,9 +385,9 @@ test-race: test-tools-image
 .PHONY: test-race-local
 test-race-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -race -args -test.gocoverdir="$(PWD)/test-results"; \
+		./hack/test.sh -race -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`; \
 	else \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -race -args -test.gocoverdir="$(PWD)/test-results"; \
+		./hack/test.sh -race -coverprofile=coverage.out "$(TEST_MODULE)"; \
 	fi
 # Run the E2E test suite. E2E test servers (see start-e2e target) must be
@@ -435,7 +401,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"
+	ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v ./test/e2e
 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@@ -448,7 +414,7 @@ debug-test-client: test-tools-image
 # Starts e2e server in a container
 .PHONY: start-e2e
 start-e2e: test-tools-image
-	$(DOCKER) version
+	docker version
 	mkdir -p ${GOCACHE}
 	$(call run-in-test-server,make ARGOCD_PROCFILE=test/container/Procfile start-e2e-local)
@@ -456,8 +422,6 @@ start-e2e: test-tools-image
 .PHONY: start-e2e-local
 start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	kubectl create ns argocd-e2e || true
 	kubectl create ns argocd-e2e-external || true
 	kubectl create ns argocd-e2e-external-2 || true
 	kubectl config set-context --current --namespace=argocd-e2e
 	kustomize build test/manifests/base | kubectl apply -f -
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management/api/a6845f2ebcb186ec26b832f60c988537a58f3859/cluster/v1alpha1/0000_04_clusters.open-cluster-management.io_placementdecisions.crd.yaml
@@ -466,13 +430,6 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	mkdir -p /tmp/argo-e2e/app/config/gpg/keys && chmod 0700 /tmp/argo-e2e/app/config/gpg/keys
 	mkdir -p /tmp/argo-e2e/app/config/gpg/source && chmod 0700 /tmp/argo-e2e/app/config/gpg/source
 	mkdir -p /tmp/argo-e2e/app/config/plugin && chmod 0700 /tmp/argo-e2e/app/config/plugin
 	# create folders to hold go coverage results for each component
 	mkdir -p /tmp/coverage/app-controller
 	mkdir -p /tmp/coverage/api-server
 	mkdir -p /tmp/coverage/repo-server
 	mkdir -p /tmp/coverage/applicationset-controller
 	mkdir -p /tmp/coverage/notification
 	mkdir -p /tmp/coverage/commit-server
 	# set paths for locally managed ssh known hosts and tls certs data
 	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
 	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
@@ -485,18 +442,13 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 	BIN_MODE=$(ARGOCD_BIN_MODE) \
 	ARGOCD_APPLICATION_NAMESPACES=argocd-e2e-external,argocd-e2e-external-2 \
 	ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES=argocd-e2e-external,argocd-e2e-external-2 \
 	ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE=true \
 	ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \
 	ARGOCD_E2E_TEST=true \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 	ls -lrt /tmp/coverage
 # Cleans VSCode debug.test files from sub-dirs to prevent them from being included in by golang embed
 .PHONY: clean-debug
 clean-debug:
-	-find ${CURRENT_DIR} -name debug.test -exec rm -f {} +
+	-find ${CURRENT_DIR} -name debug.test | xargs rm -f
 .PHONY: clean
 clean: clean-debug
@@ -504,12 +456,12 @@ clean: clean-debug
 .PHONY: start
 start: test-tools-image
-	$(DOCKER) version
+	docker version
 	$(call run-in-test-server,make ARGOCD_PROCFILE=test/container/Procfile start-local ARGOCD_START=${ARGOCD_START})
 # Starts a local instance of ArgoCD
 .PHONY: start-local
-start-local: mod-vendor-local dep-ui-local cli-local
+start-local: mod-vendor-local dep-ui-local
 	# check we can connect to Docker to start Redis
 	killall goreman || true
 	kubectl create ns argocd || true
@@ -517,13 +469,10 @@ start-local: mod-vendor-local dep-ui-local cli-local
 	mkdir -p /tmp/argocd-local
 	mkdir -p /tmp/argocd-local/gpg/keys && chmod 0700 /tmp/argocd-local/gpg/keys
 	mkdir -p /tmp/argocd-local/gpg/source
 	REDIS_PASSWORD=$(shell kubectl get secret argocd-redis -o jsonpath='{.data.auth}' | base64 -d) \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=false \
 	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
 	BIN_MODE=$(ARGOCD_BIN_MODE) \
 	ARGOCD_E2E_TEST=false \
 	ARGOCD_APPLICATION_NAMESPACES=$(ARGOCD_APPLICATION_NAMESPACES) \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 # Run goreman start with exclude option , provide exclude env variable with list of services
@@ -555,7 +504,7 @@ build-docs-local:
 .PHONY: build-docs
 build-docs:
-	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install mkdocs; pip install $$(mkdocs get-deps); mkdocs build'
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
 .PHONY: serve-docs-local
 serve-docs-local:
@@ -563,7 +512,8 @@ serve-docs-local:
 .PHONY: serve-docs
 serve-docs:
-	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install mkdocs; pip install $$(mkdocs get-deps); mkdocs serve -a $$(ip route get 1 | awk '\''{print $$7}'\''):8000'
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
 # Verify that kubectl can connect to your K8s cluster from Docker
 .PHONY: verify-kube-connect
@@ -586,8 +536,7 @@ install-tools-local: install-test-tools-local install-codegen-tools-local instal
 .PHONY: install-test-tools-local
 install-test-tools-local:
 	./hack/install.sh kustomize
-	./hack/install.sh helm
+	./hack/install.sh helm-linux
 	./hack/install.sh gotestsum
 # Installs all tools required for running codegen (Linux packages)
 .PHONY: install-codegen-tools-local
@@ -615,72 +564,8 @@ list:
 .PHONY: applicationset-controller
 applicationset-controller:
-	GODEBUG="tarinsecurepath=0,zipinsecurepath=0" CGO_ENABLED=${CGO_FLAG} go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-applicationset-controller ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-applicationset-controller ./cmd
 .PHONY: checksums
 checksums:
-	sha256sum ./dist/$(BIN_NAME)-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/$(BIN_NAME)-$(TARGET_VERSION)-checksums.txt
+	for f in ./dist/$(BIN_NAME)-*; do openssl dgst -sha256 "$$f" | awk ' { print $$2 }' > "$$f".sha256 ; done
 .PHONY: snyk-container-tests
 snyk-container-tests:
 	./hack/snyk-container-tests.sh
 .PHONY: snyk-non-container-tests
 snyk-non-container-tests:
 	./hack/snyk-non-container-tests.sh
 .PHONY: snyk-report
 snyk-report:
 	./hack/snyk-report.sh $(target_branch)
 .PHONY: help
 help:
 	@echo 'Note: Generally an item w/ (-local) will run inside docker unless you use the -local variant'
 	@echo
 	@echo 'Common targets'
 	@echo
 	@echo 'all -- make cli and image'
 	@echo
 	@echo 'components:'
 	@echo '  applicationset-controller -- applicationset controller'
 	@echo '  cli(-local)               -- argocd cli program'
 	@echo '  controller                -- controller (orchestrator)'
 	@echo '  repo-server               -- repo server (manage repository instances)'
 	@echo '  server                    -- argocd web application'
 	@echo
 	@echo 'build:'
 	@echo '  image                     -- make image of the following items'
 	@echo '  build(-local)             -- compile go'
 	@echo '  build-docs(-local)        -- build docs'
 	@echo '  build-ui                  -- compile typescript'
 	@echo
 	@echo 'run:'
 	@echo '  run                       -- run the components locally'
 	@echo '  serve-docs(-local)        -- expose the documents for viewing in a browser'
 	@echo
 	@echo 'release:'
 	@echo '  release-cli'
 	@echo '  release-precheck'
 	@echo '  checksums'
 	@echo
 	@echo 'docs:'
 	@echo '  build-docs(-local)'
 	@echo '  serve-docs(-local)'
 	@echo '  notification-docs'
 	@echo '  clidocsgen'
 	@echo
 	@echo 'testing:'
 	@echo '  test(-local)'
 	@echo '  start-e2e(-local)'
 	@echo '  test-e2e(-local)'
 	@echo '  test-race(-local)'
 	@echo
 	@echo 'debug:'
 	@echo '  list -- list all make targets'
 	@echo '  install-tools-local -- install all the tools below'
 	@echo '  install-lint-tools(-local)'
 	@echo
 	@echo 'codegen:'
 	@echo '  codegen(-local) -- if using -local, run the following targets first'
 	@echo '  install-codegen-tools-local -- run this to install the codegen tools'
 	@echo '  install-go-tools-local -- run this to install go libraries for codegen'
--- a/5
+++ b/5
@@ -1,12 +1,10 @@
 owners:
 - alexmt
 - crenshaw-dev
 - jessesuen
 approvers:
 - alexec
 - alexmt
 - gdsoumya
 - jannfis
 - jessesuen
 - jgwest
@@ -29,6 +27,3 @@ reviewers:
 - wanghong230
 - ciiay
 - saumeya
 - zachaller
 - 34fathombelow
 - alexef
--- a/17
+++ b/17
@@ -1,13 +1,12 @@
-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'}"
+controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
-api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
+api-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
-dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
+dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.30.2 dex serve /dex.yaml"
-redis: hack/start-redis-with-password.sh
+redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" == 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:7.0.0-alpine --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
-repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+repo-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
-cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+cmp-server: [ "$ARGOCD_E2E_TEST" == 'true' ] && exit 0 || [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 commit-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/commit-server} FORCE_LOG_COLORS=1 ARGOCD_BINARY_NAME=argocd-commit-server $COMMAND --loglevel debug --port ${ARGOCD_E2E_COMMITSERVER_PORT:-8086}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+applicationset-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_ASK_PASS_SOCK=/tmp/applicationset-ask-pass.sock ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
+notification: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug"
--- a/README.md
+++ b/README.md
@@ -1,18 +1,4 @@
-**Releases:**
+[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22) [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack) [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd) [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486) [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
 [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo-cd)](https://artifacthub.io/packages/helm/argo/argo-cd)
 [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
 **Code:** 
 [![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22)
 [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd/badge)](https://scorecard.dev/viewer/?uri=github.com/argoproj/argo-cd)
 **Social:**
 [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
 [![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
 [![LinkedIn](https://img.shields.io/badge/LinkedIn-argoproj-blue.svg?logo=linkedin)](https://www.linkedin.com/company/argoproj/)
 # Argo CD - Declarative Continuous Delivery for Kubernetes
@@ -56,7 +42,7 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 ### Blogs and Presentations
 1. [Awesome-Argo: A Curated List of Awesome Projects and Resources Related to Argo](https://github.com/terrytangyuan/awesome-argo)
-1. [Unveil the Secret Ingredients of Continuous Delivery at Enterprise Scale with Argo CD](https://akuity.io/blog/secret-ingredients-of-continuous-delivery-at-enterprise-scale-with-argocd/)
+1. [Unveil the Secret Ingredients of Continuous Delivery at Enterprise Scale with Argo CD](https://blog.akuity.io/unveil-the-secret-ingredients-of-continuous-delivery-at-enterprise-scale-with-argo-cd-7c5b4057ee49)
 1. [GitOps Without Pipelines With ArgoCD Image Updater](https://youtu.be/avPUQin9kzU)
 1. [Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM)](https://youtu.be/eEcgn_gU3SM)
 1. [How to Apply GitOps to Everything - Combining Argo CD and Crossplane](https://youtu.be/yrj4lmScKHQ)
@@ -82,8 +68,7 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 1. [Applied GitOps with Argo CD](https://thenewstack.io/applied-gitops-with-argocd/)
 1. [Solving configuration drift using GitOps with Argo CD](https://www.cncf.io/blog/2020/12/17/solving-configuration-drift-using-gitops-with-argo-cd/)
 1. [Decentralized GitOps over environments](https://blogs.sap.com/2021/05/06/decentralized-gitops-over-environments/)
 1. [How GitOps and Operators mark the rise of Infrastructure-As-Software](https://paytmlabs.com/blog/2021/10/how-to-improve-operational-work-with-operators-and-gitops/)
 1. [Getting Started with ArgoCD for GitOps Deployments](https://youtu.be/AvLuplh1skA)
 1. [Using Argo CD & Datree for Stable Kubernetes CI/CD Deployments](https://youtu.be/17894DTru2Y)
 1. [How to create Argo CD Applications Automatically using ApplicationSet? "Automation of GitOps"](https://amralaayassen.medium.com/how-to-create-argocd-applications-automatically-using-applicationset-automation-of-the-gitops-59455eaf4f72)
 1. [Progressive Delivery with Service Mesh – Argo Rollouts with Istio](https://www.cncf.io/blog/2022/12/16/progressive-delivery-with-service-mesh-argo-rollouts-with-istio/)
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -1,128 +0,0 @@
 header:
  schema-version: 1.0.0
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
  commit-hash: 74a367d10e7110209610ba3ec225539ebe5f7522
  project-url: https://github.com/argoproj/argo-cd
  project-release: v2.14.0
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
 project-lifecycle:
  status: active
  roadmap: https://github.com/orgs/argoproj/projects/25
  bug-fixes-only: false
  core-maintainers:
    - https://github.com/argoproj/argoproj/blob/master/MAINTAINERS.md
  release-cycle: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/
  release-process: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#release-process
 contribution-policy:
  accepts-pull-requests: true
  accepts-automated-pull-requests: true
  automated-tools-list:
    - automated-tool: dependabot
      action: allowed
      path:
        - /
    - automated-tool: snyk-report
      action: allowed
      path:
        - docs/snyk
      comment: |
        This tool runs Snyk and generates a report of vulnerabilities in the project's dependencies. The report is 
        placed in the project's documentation. The workflow is defined here:
        https://github.com/argoproj/argo-cd/blob/master/.github/workflows/update-snyk.yaml
  contributing-policy: https://argo-cd.readthedocs.io/en/stable/developer-guide/code-contributions/
  code-of-conduct: https://github.com/cncf/foundation/blob/master/code-of-conduct.md
 documentation:
  - https://argo-cd.readthedocs.io/
 distribution-points:
  - https://github.com/argoproj/argo-cd/releases
  - https://quay.io/repository/argoproj/argocd
 security-artifacts:
  threat-model:
    threat-model-created: true
    evidence-url:
      - https://github.com/argoproj/argoproj/blob/master/docs/argo_threat_model.pdf
      - https://github.com/argoproj/argoproj/blob/master/docs/end_user_threat_model.pdf
  self-assessment:
    self-assessment-created: false
    comment: |
      An extensive self-assessment was performed for CNCF graduation. Because the self-assessment process was evolving
      at the time, no standardized document has been published.
 security-testing:
  - tool-type: sca
    tool-name: Dependabot
    tool-version: "2"
    tool-url: https://github.com/dependabot
    integration:
      ad-hoc: false
      ci: false
      before-release: false
    tool-rulesets:
      - https://github.com/argoproj/argo-cd/blob/master/.github/dependabot.yml
  - tool-type: sca
    tool-name: Snyk
    tool-version: latest
    tool-url: https://snyk.io/
    integration:
      ad-hoc: true
      ci: true
      before-release: false
  - tool-type: sast
    tool-name: CodeQL
    tool-version: latest
    tool-url: https://codeql.github.com/
    integration:
      ad-hoc: false
      ci: true
      before-release: false
    comment: |
      We use the default configuration with the latest version.
 security-assessments:
  - auditor-name: Trail of Bits
    auditor-url: https://trailofbits.com
    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/argo_security_final_report.pdf
    report-year: 2021
  - auditor-name: Ada Logics
    auditor-url: https://adalogics.com
    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/argo_security_audit_2022.pdf
    report-year: 2022
  - auditor-name: Ada Logics
    auditor-url: https://adalogics.com
    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/audit_fuzzer_adalogics_2022.pdf
    report-year: 2022
    comment: |
      Part of the audit was performed by Ada Logics, focussed on fuzzing.
  - auditor-name: Chainguard
    auditor-url: https://chainguard.dev
    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/software_supply_chain_slsa_assessment_chainguard_2023.pdf
    report-year: 2023
    comment: |
      Confirmed the project's release process as achieving SLSA (v0.1) level 3.
 security-contacts:
  - type: email
    value: cncf-argo-security@lists.cncf.io
    primary: true
 vulnerability-reporting:
  accepts-vulnerability-reports: true
  email-contact: cncf-argo-security@lists.cncf.io
  security-policy: https://github.com/argoproj/argo-cd/security/policy
  bug-bounty-available: true
  bug-bounty-url: https://hackerone.com/ibb/policy_scopes
  out-scope:
    - vulnerable and outdated components # See https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#a-word-about-security-scanners
    - security logging and monitoring failures
 dependencies:
  third-party-packages: true
  dependencies-lists:
    - https://github.com/argoproj/argo-cd/blob/master/go.mod
    - https://github.com/argoproj/argo-cd/blob/master/Dockerfile
    - https://github.com/argoproj/argo-cd/blob/master/ui/package.json
  sbom:
    - sbom-file: https://github.com/argoproj/argo-cd/releases # Every release's assets include SBOMs.
      sbom-format: SPDX
  dependencies-lifecycle:
    policy-url: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#dependencies-lifecycle-policy
  env-dependencies-policy:
    policy-url: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#dependencies-lifecycle-policy
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,6 +1,6 @@
 # Security Policy for Argo CD
-Version: **v1.5 (2023-03-06)**
+Version: **v1.4 (2022-01-23)**
 ## Preface
@@ -35,11 +35,13 @@ impact on Argo CD before opening an issue at least roughly.
 ## Supported Versions
-We currently support the last 3 minor versions of Argo CD with security and bug fixes.
+We currently support the most recent release (`N`, e.g. `1.8`) and the release
 previous to the most recent one (`N-1`, e.g. `1.7`). With the release of
 `N+1`, `N-1` drops out of support and `N` becomes `N-1`.
 We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the
 supported versions, which will contain fixes for security vulnerabilities and
-important bugs. Prior releases might receive critical security fixes on best
+important bugs. Prior releases might receive critical security fixes on a best
 effort basis, however, it cannot be guaranteed that security fixes get
 back-ported to these unsupported versions.
@@ -50,7 +52,7 @@ of releasing it within a patch branch for the currently supported releases.
 ## Reporting a Vulnerability
-If you find a security related bug in Argo CD, we kindly ask you for responsible
+If you find a security related bug in ArgoCD, we kindly ask you for responsible
 disclosure and for giving us appropriate time to react, analyze and develop a
 fix to mitigate the found security vulnerability.
@@ -59,28 +61,13 @@ and disclosure with you. Sometimes, it might take a little longer for us to
 react (e.g. out of office conditions), so please bear with us in these cases.
 We will publish security advisories using the
-[GitHub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
+[Git Hub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
-feature to keep our community well-informed, and will credit you for your
+feature to keep our community well informed, and will credit you for your
 findings (unless you prefer to stay anonymous, of course).
-There are two ways to report a vulnerability to the Argo CD team:
+Please report vulnerabilities by e-mail to the following address:
-* By opening a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new
+* cncf-argo-security@lists.cncf.io
 * By e-mail to the following address: cncf-argo-security@lists.cncf.io
 ## Internet Bug Bounty collaboration
 We're happy to announce that the Argo project is collaborating with the great
 folks over at
 [Hacker One](https://hackerone.com/) and their
 [Internet Bug Bounty program](https://hackerone.com/ibb)
 to reward the awesome people who find security vulnerabilities in the four
 main Argo projects (CD, Events, Rollouts and Workflows) and then work with
 us to fix and disclose them in a responsible manner.
 If you report a vulnerability to us as outlined in this security policy, we
 will work together with you to find out whether your finding is eligible for
 claiming a bounty, and also on how to claim it.
 ## Securing your Argo CD Instance
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 # Defined below are the security contacts for this repo.
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
-# INSTRUCTIONS AT https://github.com/argoproj/argo-cd/security/policy
+# INSTRUCTIONS AT https://argo-cd.readthedocs.io/en/latest/security_considerations/#reporting-vulnerabilities
 alexmt
 edlee2121
--- a/USERS.md
+++ b/USERS.md
@@ -1,201 +1,105 @@
 ## Who uses Argo CD?
-As the Argo Community grows, we'd like to keep track of our users. Please send a
+As the Argo Community grows, we'd like to keep track of our users. Please send a PR with your organization name if you are using Argo CD.
 PR with your organization name if you are using Argo CD.
 Currently, the following organizations are **officially** using Argo CD:
 1. [127Labs](https://127labs.com/)
 1. [3Rein](https://www.3rein.com/)
 1. [4data](https://4data.ch/)
 1. [7shifts](https://www.7shifts.com/)
 1. [Adevinta](https://www.adevinta.com/)
 1. [Adfinis](https://adfinis.com)
 1. [Adobe](https://www.adobe.com/)
 1. [Adventure](https://jp.adventurekk.com/)
 1. [Adyen](https://www.adyen.com)
 1. [AirQo](https://airqo.net/)
 1. [Akuity](https://akuity.io/)
 1. [Alarm.com](https://alarm.com/)
 1. [Alauda](https://alauda.io/)
 1. [Albert Heijn](https://ah.nl/)
 1. [Alibaba Group](https://www.alibabagroup.com/)
 1. [Allianz Direct](https://www.allianzdirect.de/)
 1. [AlphaSense](https://www.alpha-sense.com/)
 1. [Amadeus IT Group](https://amadeus.com/)
 1. [Ambassador Labs](https://www.getambassador.io/)
 1. [Ancestry](https://www.ancestry.com/)
 1. [Andgo Systems](https://www.andgosystems.com/)
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Ant Group](https://www.antgroup.com/)
 1. [AppDirect](https://www.appdirect.com)
 1. [Arctiq Inc.](https://www.arctiq.ca)
-2. [Arturia](https://www.arturia.com)
+1. [ARZ Allgemeines Rechenzentrum GmbH ](https://www.arz.at/)
 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
 1. [Augury](https://www.augury.com/)
 1. [Autodesk](https://www.autodesk.com)
 1. [Axians ACSP](https://www.axians.fr)
 1. [Axual B.V.](https://axual.com)
 1. [Back Market](https://www.backmarket.com)
 1. [Bajaj Finserv Health Ltd.](https://www.bajajfinservhealth.in)
 1. [Baloise](https://www.baloise.com)
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
 1. [Beez Innovation Labs](https://www.beezlabs.com/)
 1. [Bedag Informatik AG](https://www.bedag.ch/)
 1. [Beleza Na Web](https://www.belezanaweb.com.br/)
 1. [Believable Bots](https://believablebots.io)
 1. [BigPanda](https://bigpanda.io)
 1. [BioBox Analytics](https://biobox.io)
 1. [BMW Group](https://www.bmwgroup.com/)
 1. [Boozt](https://www.booztgroup.com/)
 1. [Bosch](https://www.bosch.com/)
 1. [Boticario](https://www.boticario.com.br/)
 1. [Broker Consulting, a.s.](https://www.bcas.cz/en/)
 1. [Bulder Bank](https://bulderbank.no)
 1. [Cabify](https://cabify.com/en)
 1. [CAM](https://cam-inc.co.jp)
 1. [Camptocamp](https://camptocamp.com)
 1. [Candis](https://www.candis.io)
 1. [Capital One](https://www.capitalone.com)
 1. [CARFAX Europe](https://www.carfax.eu)
 1. [CARFAX](https://www.carfax.com)
 1. [Carrefour Group](https://www.carrefour.com)
 1. [Casavo](https://casavo.com)
 1. [Celonis](https://www.celonis.com/)
 1. [CERN](https://home.cern/)
 1. [Chainnodes](https://chainnodes.org)
 1. [Chargetrip](https://chargetrip.com)
 1. [Chime](https://www.chime.com)
 1. [Cisco ET&I](https://eti.cisco.com/)
 1. [Cloud Posse](https://www.cloudposse.com/)
 1. [Cloud Scale](https://cloudscaleinc.com/)
 1. [CloudScript](https://www.cloudscript.com.br/)
 1. [CloudGeometry](https://www.cloudgeometry.io/)
 1. [Cloudmate](https://cloudmt.co.kr/)
 1. [Cloudogu](https://cloudogu.com/)
 1. [Cobalt](https://www.cobalt.io/)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Cognizant](https://www.cognizant.com/)
 1. [Commonbond](https://commonbond.co/)
 1. [Compatio.AI](https://compatio.ai/)
 1. [Contlo](https://contlo.com/)
 1. [Coralogix](https://coralogix.com/)
 1. [Crédit Agricole CIB](https://www.ca-cib.com)
 1. [CROZ d.o.o.](https://croz.net/)
 1. [Crédit Agricole CIB](https://www.ca-cib.com)
 1. [CyberAgent](https://www.cyberagent.co.jp/en/)
 1. [Cybozu](https://cybozu-global.com)
 1. [D2iQ](https://www.d2iq.com)
 1. [DaoCloud](https://daocloud.io/)
 1. [Datarisk](https://www.datarisk.io/)
 1. [Daydream](https://daydream.ing)
 1. [Deloitte](https://www.deloitte.com/)
 1. [Deutsche Telekom AG](https://telekom.com)
 1. [Devopsi - Poland Software/DevOps Consulting](https://devopsi.pl/)
 1. [Devtron Labs](https://github.com/devtron-labs/devtron)
 1. [DigitalOcean](https://www.digitalocean.com)
 1. [Divistant](https://divistant.com)
 1. [Dott](https://ridedott.com)
 1. [Doximity](https://www.doximity.com/)
 1. [EDF Renewables](https://www.edf-re.com/)
 1. [edX](https://edx.org)
-1. [Elastic](https://elastic.co/)
+1. [Electronic Arts Inc. ](https://www.ea.com)
 1. [Electronic Arts Inc.](https://www.ea.com)
 1. [Elementor](https://elementor.com/)
 1. [Elium](https://www.elium.com)
 1. [END.](https://www.endclothing.com/)
 1. [Energisme](https://energisme.com/)
 1. [enigmo](https://enigmo.co.jp/)
 1. [Envoy](https://envoy.com/)
 1. [Factorial](https://factorialhr.com/)
 1. [Farfetch](https://www.farfetch.com)
 1. [Faro](https://www.faro.com/)
 1. [Fave](https://myfave.com)
 1. [Flexport](https://www.flexport.com/)
 1. [Flip](https://flip.id)
 1. [Fly Security](https://www.flysecurity.com.br/)
 1. [Fonoa](https://www.fonoa.com/)
 1. [Fortra](https://www.fortra.com)
 1. [freee](https://corp.freee.co.jp/en/company/)
 1. [Freshop, Inc](https://www.freshop.com/)
 1. [Future PLC](https://www.futureplc.com/)
 1. [Flagler Health](https://www.flaglerhealth.io/)
 1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
 1. [G-Research](https://www.gresearch.com/teams/open-source-software/)
 1. [Garner](https://www.garnercorp.com)
 1. [Generali Deutschland AG](https://www.generali.de/)
 1. [Gepardec](https://gepardec.com/)
 1. [Getir](https://getir.com)
 1. [GetYourGuide](https://www.getyourguide.com/)
 1. [Gitpod](https://www.gitpod.io)
 1. [Gllue](https://gllue.com)
 1. [gloat](https://gloat.com/)
 1. [GLOBIS](https://globis.com)
 1. [Glovo](https://www.glovoapp.com)
 1. [GlueOps](https://glueops.dev)
 1. [GMETRI](https://gmetri.com/)
 1. [Gojek](https://www.gojek.io/)
 1. [GoTo Financial](https://gotofinancial.com/)
 1. [GoTo](https://www.goto.com/)
 1. [Greenpass](https://www.greenpass.com.br/)
 1. [Gridfuse](https://gridfuse.com/)
 1. [Groww](https://groww.in)
 1. [Grupo MasMovil](https://grupomasmovil.com/en/)
 1. [Handelsbanken](https://www.handelsbanken.se)
 1. [Hazelcast](https://hazelcast.com/)
 1. [Healy](https://www.healyworld.net)
 1. [Helio](https://helio.exchange)
 1. [Hetki](https://hetki.ai)
 1. [hipages](https://hipages.com.au/)
 1. [Hiya](https://hiya.com)
 1. [Honestbank](https://honestbank.com)
 1. [Hostinger](https://www.hostinger.com)
 1. [IABAI](https://www.iab.ai)
 1. [IBM](https://www.ibm.com/)
 1. [Ibotta](https://home.ibotta.com)
 1. [IFS](https://www.ifs.com)
 1. [IITS-Consulting](https://iits-consulting.de)
 1. [IllumiDesk](https://www.illumidesk.com)
 1. [imaware](https://imaware.health)
 1. [Indeed](https://indeed.com)
 1. [Index Exchange](https://www.indexexchange.com/)
 1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Instruqt](https://www.instruqt.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Jellysmack](https://www.jellysmack.com)
 1. [Joblift](https://joblift.com/)
 1. [JovianX](https://www.jovianx.com/)
 1. [Kaltura](https://corp.kaltura.com/)
 1. [Kandji](https://www.kandji.io/)
 1. [Karrot](https://www.daangn.com/)
 1. [KarrotPay](https://www.daangnpay.com/)
 1. [Karrot](https://www.daangn.com/)
 1. [Kasa](https://kasa.co.kr/)
 1. [Kave Home](https://kavehome.com)
 1. [Keeeb](https://www.keeeb.com/)
 1. [KelkooGroup](https://www.kelkoogroup.com)
 1. [Keptn](https://keptn.sh)
 1. [Kinguin](https://www.kinguin.net/)
 1. [KintoHub](https://www.kintohub.com/)
 1. [KompiTech GmbH](https://www.kompitech.com/)
 1. [Kong Inc.](https://konghq.com/)
 1. [KPMG](https://kpmg.com/uk)
 1. [KubeSphere](https://github.com/kubesphere)
 1. [Kurly](https://www.kurly.com/)
 1. [Kvist](https://kvistsolutions.com)
 1. [Kyriba](https://www.kyriba.com/)
 1. [LeFigaro](https://www.lefigaro.fr/)
 1. [Lely](https://www.lely.com/)
 1. [LexisNexis](https://www.lexisnexis.com/)
 1. [Lian Chu Securities](https://lczq.com)
 1. [Liatrio](https://www.liatrio.com)
 1. [Lightricks](https://www.lightricks.com/)
 1. [LINE](https://linecorp.com/en/)
 1. [Loom](https://www.loom.com/)
 1. [Lucid Motors](https://www.lucidmotors.com/)
 1. [Lytt](https://www.lytt.co/)
 1. [Magic Leap](https://www.magicleap.com/)
 1. [Majid Al Futtaim](https://www.majidalfuttaim.com/)
 1. [Major League Baseball](https://mlb.com)
 1. [Mambu](https://www.mambu.com/)
@@ -203,131 +107,59 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Mattermost](https://www.mattermost.com)
 1. [Max Kelsen](https://www.maxkelsen.com/)
 1. [MeDirect](https://medirect.com.mt/)
 1. [Meican](https://meican.com/)
 1. [Meilleurs Agents](https://www.meilleursagents.com/)
 1. [Mercedes-Benz Tech Innovation](https://www.mercedes-benz-techinnovation.com/)
 1. [Mercedes-Benz.io](https://www.mercedes-benz.io/)
 1. [Metacore Games](https://metacoregames.com/)
 1. [Metanet](http://www.metanet.co.kr/en/)
 1. [MindSpore](https://mindspore.cn)
 1. [Mirantis](https://mirantis.com/)
 1. [Mission Lane](https://missionlane.com)
 1. [mixi Group](https://mixi.co.jp/)
 1. [Moengage](https://www.moengage.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
 1. [MOO Print](https://www.moo.com/)
 1. [Mozilla](https://www.mozilla.org)
 1. [MTN Group](https://www.mtn.com/)
 1. [Municipality of The Hague](https://www.denhaag.nl/)
 1. [My Job Glasses](https://myjobglasses.com)
 1. [Natura &Co](https://naturaeco.com/)
 1. [Nethopper](https://nethopper.io)
 1. [New Relic](https://newrelic.com/)
 1. [Nextbasket](https://nextbasket.com)
 1. [Nextdoor](https://nextdoor.com/)
 1. [Next Fit Sistemas](https://nextfit.com.br/)
 1. [Nikkei](https://www.nikkei.co.jp/nikkeiinfo/en/)
 1. [Nitro](https://gonitro.com)
 1. [NYCU, CS IT Center](https://it.cs.nycu.edu.tw)
 1. [Objective](https://www.objective.com.br/)
 1. [OCCMundial](https://occ.com.mx)
 1. [Octadesk](https://octadesk.com)
 1. [Octopus Deploy](https://octopus.com)
 1. [Olfeo](https://www.olfeo.com/)
 1. [omegaUp](https://omegaUp.com)
 1. [Omni](https://omni.se/)
 1. [Oncourse Home Solutions](https://oncoursehome.com/)
 1. [Open Analytics](https://openanalytics.eu)
 1. [openEuler](https://openeuler.org)
 1. [openGauss](https://opengauss.org/)
 1. [OpenGov](https://opengov.com)
 1. [openLooKeng](https://openlookeng.io)
 1. [OpenSaaS Studio](https://opensaas.studio)
 1. [Opensurvey](https://www.opensurvey.co.kr/)
 1. [OpsMx](https://opsmx.io)
 1. [OpsVerse](https://opsverse.io)
 1. [Optoro](https://www.optoro.com/)
 1. [Orbital Insight](https://orbitalinsight.com/)
 1. [Oscar Health Insurance](https://hioscar.com/)
 1. [Outpost24](https://outpost24.com/)
 1. [p3r](https://www.p3r.one/)
 1. [Packlink](https://www.packlink.com/)
 1. [PagerDuty](https://www.pagerduty.com/)
 1. [Pandosearch](https://www.pandosearch.com/en/home)
 1. [Patreon](https://www.patreon.com/)
 1. [PayIt](https://payitgov.com/)
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
 1. [Percona](https://percona.com/)
 1. [PGS](https://www.pgs.com)
 1. [Pigment](https://www.gopigment.com/)
 1. [Pipedrive](https://www.pipedrive.com/)
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pipekit](https://pipekit.io/)
 1. [Pismo](https://pismo.io/)
 1. [PITS Globale Datenrettungsdienste](https://www.pitsdatenrettung.de/)
 1. [Platform9 Systems](https://platform9.com/)
 1. [Polarpoint.io](https://polarpoint.io)
 1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Previder BV](https://previder.nl)
 1. [Priceline](https://priceline.com)
 1. [Procore](https://www.procore.com)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)
 1. [PT Boer Technology (Btech)](https://btech.id/)
 1. [PUBG](https://www.pubg.com)
 1. [Puzzle ITC](https://www.puzzle.ch/)
 1. [Pvotal Technologies](https://pvotal.tech/)
 1. [Qonto](https://qonto.com)
 1. [QuintoAndar](https://quintoandar.com.br)
 1. [Quipper](https://www.quipper.com/)
-1. [RapidAPI](https://www.rapidapi.com/)
+1. [Recreation.gov](https://www.recreation.gov/)
 1. [rebuy](https://www.rebuy.de/)
 1. [Red Hat](https://www.redhat.com/)
 1. [Redpill Linpro](https://www.redpill-linpro.com/)
 1. [Reenigne Cloud](https://reenigne.ca)
 1. [reev.com](https://www.reev.com/)
 1. [Relex Solutions](https://www.relexsolutions.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rijkswaterstaat](https://www.rijkswaterstaat.nl/en)
 1. [Rise](https://www.risecard.eu/)
 1. [Riskified](https://www.riskified.com/)
 1. [Robotinfra](https://www.robotinfra.com)
 1. [Rocket.Chat](https://rocket.chat)
 1. [Rogo](https://rogodata.com)
 1. [Rubin Observatory](https://www.lsst.org)
 1. [Saildrone](https://www.saildrone.com/)
 1. [Salad Technologies](https://salad.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
 1. [Sauce Labs](https://saucelabs.com/)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
 1. [SCRM Lidl International Hub](https://scrm.lidl)
 1. [SEEK](https://seek.com.au)
 1. [SEKAI](https://www.sekai.io/)
 1. [Semgrep](https://semgrep.com)
 1. [Shield](https://shield.com)
 1. [SI Analytics](https://si-analytics.ai)
 1. [Sidewalk Entertainment](https://sidewalkplay.com/)
 1. [Skit](https://skit.ai/)
 1. [Skribble](https://skribble.com) 
 1. [Skyscanner](https://www.skyscanner.net/)
 1. [Smart Pension](https://www.smartpension.co.uk/)
 1. [Smilee.io](https://smilee.io)
 1. [Smilegate Stove](https://www.onstove.com/)
 1. [Smood.ch](https://www.smood.ch/)
 1. [Snapp](https://snapp.ir/)
 1. [Snyk](https://snyk.io/)
 1. [Softway Medical](https://www.softwaymedical.fr/)
 1. [South China Morning Post (SCMP)](https://www.scmp.com/)
 1. [Speee](https://speee.jp/)
 1. [Spendesk](https://spendesk.com/)
 1. [Splunk](https://splunk.com/)
 1. [Spores Labs](https://spores.app)
 1. [Statsig](https://statsig.com)
 1. [SternumIOT](https://sternumiot.com)
 1. [StreamNative](https://streamnative.io)
 1. [Stuart](https://stuart.com/)
 1. [Sumo Logic](https://sumologic.com/)
 1. [Sutpc](http://www.sutpc.com/)
@@ -335,62 +167,42 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Swisscom](https://www.swisscom.ch)
 1. [Swissquote](https://github.com/swissquote)
 1. [Syncier](https://syncier.com/)
 1. [Syself](https://syself.com)
 1. [TableCheck](https://tablecheck.com/)
 1. [Tailor Brands](https://www.tailorbrands.com)
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
 1. [TBC Bank](https://tbcbank.ge/)
 1. [Techcombank](https://www.techcombank.com.vn/trang-chu)
 1. [Technacy](https://www.technacy.it/)
 1. [Telavita](https://www.telavita.com.br/)
 1. [Tesla](https://tesla.com/)
 1. [TextNow](https://www.textnow.com/)
 1. [The Scale Factory](https://www.scalefactory.com/)
 1. [ThousandEyes](https://www.thousandeyes.com/)
 1. [Ticketmaster](https://ticketmaster.com)
 1. [Tiger Analytics](https://www.tigeranalytics.com/)
 1. [Tigera](https://www.tigera.io/)
 1. [Toss](https://toss.im/en)
 1. [Trendyol](https://www.trendyol.com/)
 1. [tru.ID](https://tru.id)
 1. [Trusting Social](https://trustingsocial.com/)
 1. [Twilio Segment](https://segment.com/)
 1. [Twilio SendGrid](https://sendgrid.com)
 1. [tZERO](https://www.tzero.com/)
 1. [U.S. Veterans Affairs Department](https://www.va.gov/)
 1. [UBIO](https://ub.io/)
 1. [UFirstGroup](https://www.ufirstgroup.com/en/)
 1. [ungleich.ch](https://ungleich.ch/)
 1. [Unifonic Inc](https://www.unifonic.com/)
 1. [Universidad Mesoamericana](https://www.umes.edu.gt/)
 1. [Upsider Inc.](https://up-sider.com/lp/)
 1. [Urbantz](https://urbantz.com/)
 1. [Vectra](https://www.vectra.ai)
 1. [Veepee](https://www.veepee.com)
 1. [Verkada](https://www.verkada.com)
 1. [Viaduct](https://www.viaduct.ai/)
 1. [VietMoney](https://vietmoney.vn/)
 1. [Vinted](https://vinted.com/)
 1. [Virtuo](https://www.govirtuo.com/)
 1. [VISITS Technologies](https://visits.world/en)
 1. [Volvo Cars](https://www.volvocars.com/)
 1. [Voyager Digital](https://www.investvoyager.com/)
 1. [VSHN - The DevOps Company](https://vshn.ch/)
 1. [Walkbase](https://www.walkbase.com/)
 1. [Webstores](https://www.webstores.nl)
 1. [Wehkamp](https://www.wehkamp.nl/)
 1. [WeMaintain](https://www.wemaintain.com/)
 1. [WeMo Scooter](https://www.wemoscooter.com/)
 1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
 1. [Witick](https://witick.io/)
 1. [Wolffun Game](https://www.wolffungame.com/)
 1. [WooliesX](https://wooliesx.com.au/)
 1. [Woolworths Group](https://www.woolworthsgroup.com.au/)
 1. [WSpot](https://www.wspot.com.br/)
 1. [Yieldlab](https://www.yieldlab.de/)
 1. [Youverify](https://youverify.co/)
 1. [Yubo](https://www.yubo.live/)
 1. [ZDF](https://www.zdf.de/)
 1. [Zimpler](https://www.zimpler.com/)
 1. [ZipRecuiter](https://www.ziprecruiter.com/)
 1. [ZOZO](https://corp.zozo.com/)
 1. [Trendyol](https://www.trendyol.com/)
 1. [RapidAPI](https://www.rapidapi.com/)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.14.0
+2.4.7
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/clustereventhandler.go
+++ b/applicationset/controllers/clustereventhandler.go
@@ -2,9 +2,6 @@ package controllers
 import (
 	"context"
 	"fmt"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	log "github.com/sirupsen/logrus"
@@ -14,43 +11,44 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
-	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/applicationset/generators"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )
 // clusterSecretEventHandler is used when watching Secrets to check if they are ArgoCD Cluster Secrets, and if so
 // requeue any related ApplicationSets.
 type clusterSecretEventHandler struct {
-	// handler.EnqueueRequestForOwner
+	//handler.EnqueueRequestForOwner
 	Log    log.FieldLogger
 	Client client.Client
 }
-func (h *clusterSecretEventHandler) Create(ctx context.Context, e event.CreateEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+func (h *clusterSecretEventHandler) Create(e event.CreateEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(ctx, q, e.Object)
+	h.queueRelatedAppGenerators(q, e.Object)
 }
-func (h *clusterSecretEventHandler) Update(ctx context.Context, e event.UpdateEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+func (h *clusterSecretEventHandler) Update(e event.UpdateEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(ctx, q, e.ObjectNew)
+	h.queueRelatedAppGenerators(q, e.ObjectNew)
 }
-func (h *clusterSecretEventHandler) Delete(ctx context.Context, e event.DeleteEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+func (h *clusterSecretEventHandler) Delete(e event.DeleteEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(ctx, q, e.Object)
+	h.queueRelatedAppGenerators(q, e.Object)
 }
-func (h *clusterSecretEventHandler) Generic(ctx context.Context, e event.GenericEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+func (h *clusterSecretEventHandler) Generic(e event.GenericEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(ctx, q, e.Object)
+	h.queueRelatedAppGenerators(q, e.Object)
 }
 // addRateLimitingInterface defines the Add method of workqueue.RateLimitingInterface, allow us to easily mock
 // it for testing purposes.
-type addRateLimitingInterface[T comparable] interface {
+type addRateLimitingInterface interface {
-	Add(item T)
+	Add(item interface{})
 }
-func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Context, q addRateLimitingInterface[reconcile.Request], object client.Object) {
+func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingInterface, object client.Object) {
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
-	if object.GetLabels()[common.LabelKeySecretType] != common.LabelValueSecretTypeCluster {
+	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
 		return
 	}
@@ -60,7 +58,7 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Contex
 	}).Info("processing event for cluster secret")
 	appSetList := &argoprojiov1alpha1.ApplicationSetList{}
-	err := h.Client.List(ctx, appSetList)
+	err := h.Client.List(context.Background(), appSetList)
 	if err != nil {
 		h.Log.WithError(err).Error("unable to list ApplicationSets")
 		return
@@ -68,98 +66,19 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Contex
 	h.Log.WithField("count", len(appSetList.Items)).Info("listed ApplicationSets")
 	for _, appSet := range appSetList.Items {
 		foundClusterGenerator := false
 		for _, generator := range appSet.Spec.Generators {
 			if generator.Clusters != nil {
 				foundClusterGenerator = true
 				break
 			}
 			if generator.Matrix != nil {
 				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Matrix.Generators)
 				if err != nil {
 					h.Log.
 						WithFields(log.Fields{
 							"namespace": appSet.GetNamespace(),
 							"name":      appSet.GetName(),
 						}).
 						WithError(err).
 						Error("Unable to check if ApplicationSet matrix generators have cluster generator")
 				}
 				if ok {
 					foundClusterGenerator = true
 					break
 				}
 			}
 			if generator.Merge != nil {
 				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Merge.Generators)
 				if err != nil {
 					h.Log.
 						WithFields(log.Fields{
 							"namespace": appSet.GetNamespace(),
 							"name":      appSet.GetName(),
 						}).
 						WithError(err).
 						Error("Unable to check if ApplicationSet merge generators have cluster generator")
 				}
 				if ok {
 					foundClusterGenerator = true
 					break
 				}
 			}
 		}
 		if foundClusterGenerator {
 			// TODO: only queue the AppGenerator if the labels match this cluster
 			req := ctrl.Request{NamespacedName: types.NamespacedName{Namespace: appSet.Namespace, Name: appSet.Name}}
 			q.Add(req)
 		}
 	}
 }
 // nestedGeneratorsHaveClusterGenerator iterate over provided nested generators to check if they have a cluster generator.
 func nestedGeneratorsHaveClusterGenerator(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
 	for _, generator := range generators {
 		if ok, err := nestedGeneratorHasClusterGenerator(generator); ok || err != nil {
 			return ok, err
 		}
 	}
 	return false, nil
 }
 // nestedGeneratorHasClusterGenerator checks if the provided generator has a cluster generator.
 func nestedGeneratorHasClusterGenerator(nested argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
 	if nested.Clusters != nil {
 		return true, nil
 	}
 	if nested.Matrix != nil {
 		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(nested.Matrix)
 		if err != nil {
 			return false, fmt.Errorf("unable to get nested matrix generator: %w", err)
 		}
 		if nestedMatrix != nil {
 			hasClusterGenerator, err := nestedGeneratorsHaveClusterGenerator(nestedMatrix.ToMatrixGenerator().Generators)
 			if err != nil {
 				return false, fmt.Errorf("error evaluating nested matrix generator: %w", err)
 			}
 			return hasClusterGenerator, nil
 		}
 	}
 	if nested.Merge != nil {
 		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(nested.Merge)
 		if err != nil {
 			return false, fmt.Errorf("unable to get nested merge generator: %w", err)
 		}
 		if nestedMerge != nil {
 			hasClusterGenerator, err := nestedGeneratorsHaveClusterGenerator(nestedMerge.ToMergeGenerator().Generators)
 			if err != nil {
 				return false, fmt.Errorf("error evaluating nested merge generator: %w", err)
 			}
 			return hasClusterGenerator, nil
 		}
 	}
 	return false, nil
 }
--- a/applicationset/controllers/clustereventhandler_test.go
+++ b/applicationset/controllers/clustereventhandler_test.go
@@ -1,16 +1,11 @@
 package controllers
 import (
 	"context"
 	"testing"
 	argocommon "github.com/argoproj/argo-cd/v2/common"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -18,32 +13,35 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )
 func TestClusterEventHandler(t *testing.T) {
 	scheme := runtime.NewScheme()
-	err := argov1alpha1.AddToScheme(scheme)
+	err := argoprojiov1alpha1.AddToScheme(scheme)
-	require.NoError(t, err)
+	assert.Nil(t, err)
 	err = argov1alpha1.AddToScheme(scheme)
-	require.NoError(t, err)
+	assert.Nil(t, err)
 	tests := []struct {
 		name             string
-		items            []argov1alpha1.ApplicationSet
+		items            []argoprojiov1alpha1.ApplicationSet
 		secret           corev1.Secret
 		expectedRequests []ctrl.Request
 	}{
 		{
 			name:  "no application sets should mean no requests",
-			items: []argov1alpha1.ApplicationSet{},
+			items: []argoprojiov1alpha1.ApplicationSet{},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
 					},
 				},
 			},
@@ -51,16 +49,16 @@ func TestClusterEventHandler(t *testing.T) {
 		},
 		{
 			name: "a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
+			items: []argoprojiov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
-					Spec: argov1alpha1.ApplicationSetSpec{
+					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
+						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
+								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -71,7 +69,7 @@ func TestClusterEventHandler(t *testing.T) {
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
 					},
 				},
 			},
@@ -81,16 +79,16 @@ func TestClusterEventHandler(t *testing.T) {
 		},
 		{
 			name: "multiple cluster generators should produce multiple requests",
-			items: []argov1alpha1.ApplicationSet{
+			items: []argoprojiov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
-					Spec: argov1alpha1.ApplicationSetSpec{
+					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
+						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
+								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -100,10 +98,10 @@ func TestClusterEventHandler(t *testing.T) {
 						Name:      "my-app-set2",
 						Namespace: "argocd",
 					},
-					Spec: argov1alpha1.ApplicationSetSpec{
+					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
+						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
+								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -114,7 +112,7 @@ func TestClusterEventHandler(t *testing.T) {
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
 					},
 				},
 			},
@@ -125,16 +123,16 @@ func TestClusterEventHandler(t *testing.T) {
 		},
 		{
 			name: "non-cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
+			items: []argoprojiov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "another-namespace",
 					},
-					Spec: argov1alpha1.ApplicationSetSpec{
+					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
+						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
+								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -144,10 +142,10 @@ func TestClusterEventHandler(t *testing.T) {
 						Name:      "app-set-non-cluster",
 						Namespace: "argocd",
 					},
-					Spec: argov1alpha1.ApplicationSetSpec{
+					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
+						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
 							{
-								List: &argov1alpha1.ListGenerator{},
+								List: &argoprojiov1alpha1.ListGenerator{},
 							},
 						},
 					},
@@ -158,7 +156,7 @@ func TestClusterEventHandler(t *testing.T) {
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
 					},
 				},
 			},
@@ -166,18 +164,19 @@ func TestClusterEventHandler(t *testing.T) {
 				{NamespacedName: types.NamespacedName{Namespace: "another-namespace", Name: "my-app-set"}},
 			},
 		},
 		{
 			name: "non-argo cd secret should not match",
-			items: []argov1alpha1.ApplicationSet{
+			items: []argoprojiov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "another-namespace",
 					},
-					Spec: argov1alpha1.ApplicationSetSpec{
+					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
+						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
+								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -191,353 +190,13 @@ func TestClusterEventHandler(t *testing.T) {
 			},
 			expectedRequests: []reconcile.Request{},
 		},
 		{
 			name: "a matrix generator with a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
 								Matrix: &argov1alpha1.MatrixGenerator{
 									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 										{
 											Clusters: &argov1alpha1.ClusterGenerator{},
 										},
 									},
 								},
 							},
 						},
 					},
 				},
 			},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
 						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{{
 				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
 			}},
 		},
 		{
 			name: "a matrix generator with non cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
 								Matrix: &argov1alpha1.MatrixGenerator{
 									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 										{
 											List: &argov1alpha1.ListGenerator{},
 										},
 									},
 								},
 							},
 						},
 					},
 				},
 			},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
 						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{},
 		},
 		{
 			name: "a matrix generator with a nested matrix generator containing a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
 								Matrix: &argov1alpha1.MatrixGenerator{
 									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 										{
 											Matrix: &apiextensionsv1.JSON{
 												Raw: []byte(
 													`{
 														"generators": [
 														  {
 															"clusters": {
 															  "selector": {
 																"matchLabels": {
 																  "argocd.argoproj.io/secret-type": "cluster"
 																}
 															  }
 															}
 														  }
 														]
 													  }`,
 												),
 											},
 										},
 									},
 								},
 							},
 						},
 					},
 				},
 			},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
 						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{{
 				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
 			}},
 		},
 		{
 			name: "a matrix generator with a nested matrix generator containing non cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
 								Matrix: &argov1alpha1.MatrixGenerator{
 									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 										{
 											Matrix: &apiextensionsv1.JSON{
 												Raw: []byte(
 													`{
 														"generators": [
 														  {
 															"list": {
 															  "elements": [
 																"a",
 																"b"
 															  ]
 															}
 														  }
 														]
 													  }`,
 												),
 											},
 										},
 									},
 								},
 							},
 						},
 					},
 				},
 			},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
 						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{},
 		},
 		{
 			name: "a merge generator with a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
 								Merge: &argov1alpha1.MergeGenerator{
 									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 										{
 											Clusters: &argov1alpha1.ClusterGenerator{},
 										},
 									},
 								},
 							},
 						},
 					},
 				},
 			},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
 						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{{
 				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
 			}},
 		},
 		{
 			name: "a matrix generator with non cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
 								Merge: &argov1alpha1.MergeGenerator{
 									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 										{
 											List: &argov1alpha1.ListGenerator{},
 										},
 									},
 								},
 							},
 						},
 					},
 				},
 			},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
 						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{},
 		},
 		{
 			name: "a merge generator with a nested merge generator containing a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
 								Merge: &argov1alpha1.MergeGenerator{
 									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 										{
 											Merge: &apiextensionsv1.JSON{
 												Raw: []byte(
 													`{
 														"generators": [
 														  {
 															"clusters": {
 															  "selector": {
 																"matchLabels": {
 																  "argocd.argoproj.io/secret-type": "cluster"
 																}
 															  }
 															}
 														  }
 														]
 													  }`,
 												),
 											},
 										},
 									},
 								},
 							},
 						},
 					},
 				},
 			},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
 						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{{
 				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
 			}},
 		},
 		{
 			name: "a merge generator with a nested merge generator containing non cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
 								Merge: &argov1alpha1.MergeGenerator{
 									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 										{
 											Merge: &apiextensionsv1.JSON{
 												Raw: []byte(
 													`{
 														"generators": [
 														  {
 															"list": {
 															  "elements": [
 																"a",
 																"b"
 															  ]
 															}
 														  }
 														]
 													  }`,
 												),
 											},
 										},
 									},
 								},
 							},
 						},
 					},
 				},
 			},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
 						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{},
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			appSetList := argov1alpha1.ApplicationSetList{
+
 			appSetList := argoprojiov1alpha1.ApplicationSetList{
 				Items: test.items,
 			}
@@ -550,83 +209,26 @@ func TestClusterEventHandler(t *testing.T) {
 			mockAddRateLimitingInterface := mockAddRateLimitingInterface{}
-			handler.queueRelatedAppGenerators(context.Background(), &mockAddRateLimitingInterface, &test.secret)
+			handler.queueRelatedAppGenerators(&mockAddRateLimitingInterface, &test.secret)
 			assert.False(t, mockAddRateLimitingInterface.errorOccurred)
 			assert.ElementsMatch(t, mockAddRateLimitingInterface.addedItems, test.expectedRequests)
 		})
 	}
 }
 // Add checks the type, and adds it to the internal list of received additions
-func (obj *mockAddRateLimitingInterface) Add(item reconcile.Request) {
+func (obj *mockAddRateLimitingInterface) Add(item interface{}) {
-	obj.addedItems = append(obj.addedItems, item)
+	if req, ok := item.(ctrl.Request); ok {
 		obj.addedItems = append(obj.addedItems, req)
 	} else {
 		obj.errorOccurred = true
 	}
 }
 type mockAddRateLimitingInterface struct {
-	addedItems []reconcile.Request
+	errorOccurred bool
-}
+	addedItems    []ctrl.Request
 func TestNestedGeneratorHasClusterGenerator_NestedClusterGenerator(t *testing.T) {
 	nested := argov1alpha1.ApplicationSetNestedGenerator{
 		Clusters: &argov1alpha1.ClusterGenerator{},
 	}
 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
 	require.NoError(t, err)
 	assert.True(t, hasClusterGenerator)
 }
 func TestNestedGeneratorHasClusterGenerator_NestedMergeGenerator(t *testing.T) {
 	nested := argov1alpha1.ApplicationSetNestedGenerator{
 		Merge: &apiextensionsv1.JSON{
 			Raw: []byte(
 				`{
 					"generators": [
 					  {
 						"clusters": {
 						  "selector": {
 							"matchLabels": {
 							  "argocd.argoproj.io/secret-type": "cluster"
 							}
 						  }
 						}
 					  }
 					]
 				  }`,
 			),
 		},
 	}
 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
 	require.NoError(t, err)
 	assert.True(t, hasClusterGenerator)
 }
 func TestNestedGeneratorHasClusterGenerator_NestedMergeGeneratorWithInvalidJSON(t *testing.T) {
 	nested := argov1alpha1.ApplicationSetNestedGenerator{
 		Merge: &apiextensionsv1.JSON{
 			Raw: []byte(
 				`{
 					"generators": [
 					  {
 						"clusters": {
 						  "selector": {
 							"matchLabels": {
 							  "argocd.argoproj.io/secret-type": "cluster"
 							}
 						  }
 						}
 					  }
 					]
 				  `,
 			),
 		},
 	}
 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
 	require.Error(t, err)
 	assert.False(t, hasClusterGenerator)
 }
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@@ -1,210 +0,0 @@
 package controllers
 import (
 	"context"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	dynfake "k8s.io/client-go/dynamic/fake"
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	appsetmetrics "github.com/argoproj/argo-cd/v2/applicationset/metrics"
 	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 func TestRequeueAfter(t *testing.T) {
 	mockServer := &mocks.Repos{}
 	ctx := context.Background()
 	scheme := runtime.NewScheme()
 	err := argov1alpha1.AddToScheme(scheme)
 	require.NoError(t, err)
 	gvrToListKind := map[schema.GroupVersionResource]string{{
 		Group:    "mallard.io",
 		Version:  "v1",
 		Resource: "ducks",
 	}: "DuckList"}
 	appClientset := kubefake.NewSimpleClientset()
 	k8sClient := fake.NewClientBuilder().Build()
 	duckType := &unstructured.Unstructured{
 		Object: map[string]interface{}{
 			"apiVersion": "v2quack",
 			"kind":       "Duck",
 			"metadata": map[string]interface{}{
 				"name":      "mightyduck",
 				"namespace": "namespace",
 				"labels":    map[string]interface{}{"duck": "all-species"},
 			},
 			"status": map[string]interface{}{
 				"decisions": []interface{}{
 					map[string]interface{}{
 						"clusterName": "staging-01",
 					},
 					map[string]interface{}{
 						"clusterName": "production-01",
 					},
 				},
 			},
 		},
 	}
 	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
 	scmConfig := generators.NewSCMConfig("", []string{""}, true, nil, true)
 	terminalGenerators := map[string]generators.Generator{
 		"List":                    generators.NewListGenerator(),
 		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
 		"Git":                     generators.NewGitGenerator(mockServer, "namespace"),
 		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), scmConfig),
 		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
 		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, scmConfig),
 	}
 	nestedGenerators := map[string]generators.Generator{
 		"List":                    terminalGenerators["List"],
 		"Clusters":                terminalGenerators["Clusters"],
 		"Git":                     terminalGenerators["Git"],
 		"SCMProvider":             terminalGenerators["SCMProvider"],
 		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
 		"PullRequest":             terminalGenerators["PullRequest"],
 		"Matrix":                  generators.NewMatrixGenerator(terminalGenerators),
 		"Merge":                   generators.NewMergeGenerator(terminalGenerators),
 	}
 	topLevelGenerators := map[string]generators.Generator{
 		"List":                    terminalGenerators["List"],
 		"Clusters":                terminalGenerators["Clusters"],
 		"Git":                     terminalGenerators["Git"],
 		"SCMProvider":             terminalGenerators["SCMProvider"],
 		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
 		"PullRequest":             terminalGenerators["PullRequest"],
 		"Matrix":                  generators.NewMatrixGenerator(nestedGenerators),
 		"Merge":                   generators.NewMergeGenerator(nestedGenerators),
 	}
 	client := fake.NewClientBuilder().WithScheme(scheme).Build()
 	metrics := appsetmetrics.NewFakeAppsetMetrics(client)
 	r := ApplicationSetReconciler{
 		Client:     client,
 		Scheme:     scheme,
 		Recorder:   record.NewFakeRecorder(0),
 		Generators: topLevelGenerators,
 		Metrics:    metrics,
 	}
 	type args struct {
 		appset               *argov1alpha1.ApplicationSet
 		requeueAfterOverride string
 	}
 	tests := []struct {
 		name    string
 		args    args
 		want    time.Duration
 		wantErr assert.ErrorAssertionFunc
 	}{
 		{name: "Cluster", args: args{
 			appset: &argov1alpha1.ApplicationSet{
 				Spec: argov1alpha1.ApplicationSetSpec{
 					Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
 				},
 			}, requeueAfterOverride: "",
 		}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
 		{name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{
 					{Clusters: &argov1alpha1.ClusterGenerator{}},
 					{Merge: &argov1alpha1.MergeGenerator{
 						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 							{
 								Clusters: &argov1alpha1.ClusterGenerator{},
 								Git:      &argov1alpha1.GitGenerator{},
 							},
 						},
 					}},
 				},
 			},
 		}, ""}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
 		{name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{
 					{Clusters: &argov1alpha1.ClusterGenerator{}},
 					{Matrix: &argov1alpha1.MatrixGenerator{
 						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 							{
 								Clusters: &argov1alpha1.ClusterGenerator{},
 								Git:      &argov1alpha1.GitGenerator{},
 							},
 						},
 					}},
 				},
 			},
 		}, ""}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
 		{name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}},
 			},
 		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
 		{name: "DuckGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{{ClusterDecisionResource: &argov1alpha1.DuckTypeGenerator{}}},
 			},
 		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
 		{name: "OverrideRequeueDuck", args: args{
 			appset: &argov1alpha1.ApplicationSet{
 				Spec: argov1alpha1.ApplicationSetSpec{
 					Generators: []argov1alpha1.ApplicationSetGenerator{{ClusterDecisionResource: &argov1alpha1.DuckTypeGenerator{}}},
 				},
 			}, requeueAfterOverride: "1h",
 		}, want: 1 * time.Hour, wantErr: assert.NoError},
 		{name: "OverrideRequeueGit", args: args{&argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{
 					{Git: &argov1alpha1.GitGenerator{}},
 				},
 			},
 		}, "1h"}, want: 1 * time.Hour, wantErr: assert.NoError},
 		{name: "OverrideRequeueMatrix", args: args{&argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{
 					{Clusters: &argov1alpha1.ClusterGenerator{}},
 					{Merge: &argov1alpha1.MergeGenerator{
 						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 							{
 								Clusters: &argov1alpha1.ClusterGenerator{},
 								Git:      &argov1alpha1.GitGenerator{},
 							},
 						},
 					}},
 				},
 			},
 		}, "5m"}, want: 5 * time.Minute, wantErr: assert.NoError},
 		{name: "OverrideRequeueMerge", args: args{&argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{
 					{Clusters: &argov1alpha1.ClusterGenerator{}},
 					{Merge: &argov1alpha1.MergeGenerator{
 						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 							{
 								Clusters: &argov1alpha1.ClusterGenerator{},
 								Git:      &argov1alpha1.GitGenerator{},
 							},
 						},
 					}},
 				},
 			},
 		}, "12s"}, want: 12 * time.Second, wantErr: assert.NoError},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Setenv("ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER", tt.args.requeueAfterOverride)
 			assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset)
 		})
 	}
 }
--- a/applicationset/controllers/template/patch.go
+++ b/applicationset/controllers/template/patch.go
@@ -1,43 +0,0 @@
 package template
 import (
 	"encoding/json"
 	"fmt"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 func applyTemplatePatch(app *appv1.Application, templatePatch string) (*appv1.Application, error) {
 	appString, err := json.Marshal(app)
 	if err != nil {
 		return nil, fmt.Errorf("error while marhsalling Application %w", err)
 	}
 	convertedTemplatePatch, err := utils.ConvertYAMLToJSON(templatePatch)
 	if err != nil {
 		return nil, fmt.Errorf("error while converting template to json %q: %w", convertedTemplatePatch, err)
 	}
 	if err := json.Unmarshal([]byte(convertedTemplatePatch), &appv1.Application{}); err != nil {
 		return nil, fmt.Errorf("invalid templatePatch %q: %w", convertedTemplatePatch, err)
 	}
 	data, err := strategicpatch.StrategicMergePatch(appString, []byte(convertedTemplatePatch), appv1.Application{})
 	if err != nil {
 		return nil, fmt.Errorf("error while applying templatePatch template to json %q: %w", convertedTemplatePatch, err)
 	}
 	finalApp := appv1.Application{}
 	err = json.Unmarshal(data, &finalApp)
 	if err != nil {
 		return nil, fmt.Errorf("error while unmarhsalling patched application: %w", err)
 	}
 	// Prevent changes to the `project` field. This helps prevent malicious template patches
 	finalApp.Spec.Project = app.Spec.Project
 	return &finalApp, nil
 }
--- a/applicationset/controllers/template/patch_test.go
+++ b/applicationset/controllers/template/patch_test.go
@@ -1,249 +0,0 @@
 package template
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 func Test_ApplyTemplatePatch(t *testing.T) {
 	testCases := []struct {
 		name          string
 		appTemplate   *appv1.Application
 		templatePatch string
 		expectedApp   *appv1.Application
 	}{
 		{
 			name: "patch with JSON",
 			appTemplate: &appv1.Application{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Application",
 					APIVersion: "argoproj.io/v1alpha1",
 				},
 				ObjectMeta: metav1.ObjectMeta{
 					Name:       "my-cluster-guestbook",
 					Namespace:  "namespace",
 					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
 				},
 				Spec: appv1.ApplicationSpec{
 					Project: "default",
 					Source: &appv1.ApplicationSource{
 						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
 						TargetRevision: "HEAD",
 						Path:           "guestbook",
 					},
 					Destination: appv1.ApplicationDestination{
 						Server:    "https://kubernetes.default.svc",
 						Namespace: "guestbook",
 					},
 				},
 			},
 			templatePatch: `{
 				"metadata": {
 					"annotations": {
 						"annotation-some-key": "annotation-some-value"
 					}
 				},
 				"spec": {
 					"source": {
 						"helm": {
 							"valueFiles": [
 								"values.test.yaml",
 								"values.big.yaml"
 							]
 						}
 					},
 					"syncPolicy": {
 						"automated": {
 							"prune": true
 						}
 					}
 				}
 			}`,
 			expectedApp: &appv1.Application{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Application",
 					APIVersion: "argoproj.io/v1alpha1",
 				},
 				ObjectMeta: metav1.ObjectMeta{
 					Name:       "my-cluster-guestbook",
 					Namespace:  "namespace",
 					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
 					Annotations: map[string]string{
 						"annotation-some-key": "annotation-some-value",
 					},
 				},
 				Spec: appv1.ApplicationSpec{
 					Project: "default",
 					Source: &appv1.ApplicationSource{
 						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
 						TargetRevision: "HEAD",
 						Path:           "guestbook",
 						Helm: &appv1.ApplicationSourceHelm{
 							ValueFiles: []string{
 								"values.test.yaml",
 								"values.big.yaml",
 							},
 						},
 					},
 					Destination: appv1.ApplicationDestination{
 						Server:    "https://kubernetes.default.svc",
 						Namespace: "guestbook",
 					},
 					SyncPolicy: &appv1.SyncPolicy{
 						Automated: &appv1.SyncPolicyAutomated{
 							Prune: true,
 						},
 					},
 				},
 			},
 		},
 		{
 			name: "patch with YAML",
 			appTemplate: &appv1.Application{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Application",
 					APIVersion: "argoproj.io/v1alpha1",
 				},
 				ObjectMeta: metav1.ObjectMeta{
 					Name:       "my-cluster-guestbook",
 					Namespace:  "namespace",
 					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
 				},
 				Spec: appv1.ApplicationSpec{
 					Project: "default",
 					Source: &appv1.ApplicationSource{
 						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
 						TargetRevision: "HEAD",
 						Path:           "guestbook",
 					},
 					Destination: appv1.ApplicationDestination{
 						Server:    "https://kubernetes.default.svc",
 						Namespace: "guestbook",
 					},
 				},
 			},
 			templatePatch: `
 metadata:
  annotations:
    annotation-some-key: annotation-some-value
 spec:
  source:
    helm:
      valueFiles:
        - values.test.yaml
        - values.big.yaml
  syncPolicy:
    automated:
      prune: true`,
 			expectedApp: &appv1.Application{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Application",
 					APIVersion: "argoproj.io/v1alpha1",
 				},
 				ObjectMeta: metav1.ObjectMeta{
 					Name:       "my-cluster-guestbook",
 					Namespace:  "namespace",
 					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
 					Annotations: map[string]string{
 						"annotation-some-key": "annotation-some-value",
 					},
 				},
 				Spec: appv1.ApplicationSpec{
 					Project: "default",
 					Source: &appv1.ApplicationSource{
 						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
 						TargetRevision: "HEAD",
 						Path:           "guestbook",
 						Helm: &appv1.ApplicationSourceHelm{
 							ValueFiles: []string{
 								"values.test.yaml",
 								"values.big.yaml",
 							},
 						},
 					},
 					Destination: appv1.ApplicationDestination{
 						Server:    "https://kubernetes.default.svc",
 						Namespace: "guestbook",
 					},
 					SyncPolicy: &appv1.SyncPolicy{
 						Automated: &appv1.SyncPolicyAutomated{
 							Prune: true,
 						},
 					},
 				},
 			},
 		},
 		{
 			name: "project field isn't overwritten",
 			appTemplate: &appv1.Application{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Application",
 					APIVersion: "argoproj.io/v1alpha1",
 				},
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "my-cluster-guestbook",
 					Namespace: "namespace",
 				},
 				Spec: appv1.ApplicationSpec{
 					Project: "default",
 					Source: &appv1.ApplicationSource{
 						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
 						TargetRevision: "HEAD",
 						Path:           "guestbook",
 					},
 					Destination: appv1.ApplicationDestination{
 						Server:    "https://kubernetes.default.svc",
 						Namespace: "guestbook",
 					},
 				},
 			},
 			templatePatch: `
 spec:
  project: my-project`,
 			expectedApp: &appv1.Application{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Application",
 					APIVersion: "argoproj.io/v1alpha1",
 				},
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "my-cluster-guestbook",
 					Namespace: "namespace",
 				},
 				Spec: appv1.ApplicationSpec{
 					Project: "default",
 					Source: &appv1.ApplicationSource{
 						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
 						TargetRevision: "HEAD",
 						Path:           "guestbook",
 					},
 					Destination: appv1.ApplicationDestination{
 						Server:    "https://kubernetes.default.svc",
 						Namespace: "guestbook",
 					},
 				},
 			},
 		},
 	}
 	for _, tc := range testCases {
 		tcc := tc
 		t.Run(tcc.name, func(t *testing.T) {
 			result, err := applyTemplatePatch(tcc.appTemplate, tcc.templatePatch)
 			require.NoError(t, err)
 			assert.Equal(t, *tcc.expectedApp, *result)
 		})
 	}
 }
 func TestError(t *testing.T) {
 	app := &appv1.Application{}
 	result, err := applyTemplatePatch(app, "hello world")
 	require.Error(t, err)
 	require.Nil(t, result)
 }
--- a/applicationset/controllers/template/template.go
+++ b/applicationset/controllers/template/template.go
@@ -1,101 +0,0 @@
 package template
 import (
 	"fmt"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	log "github.com/sirupsen/logrus"
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 func GenerateApplications(logCtx *log.Entry, applicationSetInfo argov1alpha1.ApplicationSet, g map[string]generators.Generator, renderer utils.Renderer, client client.Client) ([]argov1alpha1.Application, argov1alpha1.ApplicationSetReasonType, error) {
 	var res []argov1alpha1.Application
 	var firstError error
 	var applicationSetReason argov1alpha1.ApplicationSetReasonType
 	for _, requestedGenerator := range applicationSetInfo.Spec.Generators {
 		t, err := generators.Transform(requestedGenerator, g, applicationSetInfo.Spec.Template, &applicationSetInfo, map[string]interface{}{}, client)
 		if err != nil {
 			logCtx.WithError(err).WithField("generator", requestedGenerator).
 				Error("error generating application from params")
 			if firstError == nil {
 				firstError = err
 				applicationSetReason = argov1alpha1.ApplicationSetReasonApplicationParamsGenerationError
 			}
 			continue
 		}
 		for _, a := range t {
 			tmplApplication := GetTempApplication(a.Template)
 			for _, p := range a.Params {
 				app, err := renderer.RenderTemplateParams(tmplApplication, applicationSetInfo.Spec.SyncPolicy, p, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
 				if err != nil {
 					logCtx.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
 						Error("error generating application from params")
 					if firstError == nil {
 						firstError = err
 						applicationSetReason = argov1alpha1.ApplicationSetReasonRenderTemplateParamsError
 					}
 					continue
 				}
 				if applicationSetInfo.Spec.TemplatePatch != nil {
 					patchedApplication, err := renderTemplatePatch(renderer, app, applicationSetInfo, p)
 					if err != nil {
 						log.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
 							Error("error generating application from params")
 						if firstError == nil {
 							firstError = err
 							applicationSetReason = argov1alpha1.ApplicationSetReasonRenderTemplateParamsError
 						}
 						continue
 					}
 					app = patchedApplication
 				}
 				// The app's namespace must be the same as the AppSet's namespace to preserve the appsets-in-any-namespace
 				// security boundary.
 				app.Namespace = applicationSetInfo.Namespace
 				res = append(res, *app)
 			}
 		}
 		if log.IsLevelEnabled(log.DebugLevel) {
 			logCtx.WithField("generator", requestedGenerator).Debugf("apps from generator: %+v", res)
 		} else {
 			logCtx.Infof("generated %d applications", len(res))
 		}
 	}
 	return res, applicationSetReason, firstError
 }
 func renderTemplatePatch(r utils.Renderer, app *argov1alpha1.Application, applicationSetInfo argov1alpha1.ApplicationSet, params map[string]interface{}) (*argov1alpha1.Application, error) {
 	replacedTemplate, err := r.Replace(*applicationSetInfo.Spec.TemplatePatch, params, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
 	if err != nil {
 		return nil, fmt.Errorf("error replacing values in templatePatch: %w", err)
 	}
 	return applyTemplatePatch(app, replacedTemplate)
 }
 func GetTempApplication(applicationSetTemplate argov1alpha1.ApplicationSetTemplate) *argov1alpha1.Application {
 	var tmplApplication argov1alpha1.Application
 	tmplApplication.Annotations = applicationSetTemplate.Annotations
 	tmplApplication.Labels = applicationSetTemplate.Labels
 	tmplApplication.Namespace = applicationSetTemplate.Namespace
 	tmplApplication.Name = applicationSetTemplate.Name
 	tmplApplication.Spec = applicationSetTemplate.Spec
 	tmplApplication.Finalizers = applicationSetTemplate.Finalizers
 	return &tmplApplication
 }
--- a/applicationset/controllers/template/template_test.go
+++ b/applicationset/controllers/template/template_test.go
@@ -1,350 +0,0 @@
 package template
 import (
 	"fmt"
 	"maps"
 	"testing"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	genmock "github.com/argoproj/argo-cd/v2/applicationset/generators/mocks"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	rendmock "github.com/argoproj/argo-cd/v2/applicationset/utils/mocks"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 func TestGenerateApplications(t *testing.T) {
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	require.NoError(t, err)
 	err = v1alpha1.AddToScheme(scheme)
 	require.NoError(t, err)
 	for _, c := range []struct {
 		name                string
 		params              []map[string]interface{}
 		template            v1alpha1.ApplicationSetTemplate
 		generateParamsError error
 		rendererError       error
 		expectErr           bool
 		expectedReason      v1alpha1.ApplicationSetReasonType
 	}{
 		{
 			name:   "Generate two applications",
 			params: []map[string]interface{}{{"name": "app1"}, {"name": "app2"}},
 			template: v1alpha1.ApplicationSetTemplate{
 				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
 					Name:      "name",
 					Namespace: "namespace",
 					Labels:    map[string]string{"label_name": "label_value"},
 				},
 				Spec: v1alpha1.ApplicationSpec{},
 			},
 			expectedReason: "",
 		},
 		{
 			name:                "Handles error from the generator",
 			generateParamsError: fmt.Errorf("error"),
 			expectErr:           true,
 			expectedReason:      v1alpha1.ApplicationSetReasonApplicationParamsGenerationError,
 		},
 		{
 			name:   "Handles error from the render",
 			params: []map[string]interface{}{{"name": "app1"}, {"name": "app2"}},
 			template: v1alpha1.ApplicationSetTemplate{
 				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
 					Name:      "name",
 					Namespace: "namespace",
 					Labels:    map[string]string{"label_name": "label_value"},
 				},
 				Spec: v1alpha1.ApplicationSpec{},
 			},
 			rendererError:  fmt.Errorf("error"),
 			expectErr:      true,
 			expectedReason: v1alpha1.ApplicationSetReasonRenderTemplateParamsError,
 		},
 	} {
 		cc := c
 		app := v1alpha1.Application{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "test",
 				Namespace: "namespace",
 			},
 			TypeMeta: metav1.TypeMeta{
 				Kind:       application.ApplicationKind,
 				APIVersion: "argoproj.io/v1alpha1",
 			},
 		}
 		t.Run(cc.name, func(t *testing.T) {
 			generatorMock := genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
 			}
 			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cc.params, cc.generateParamsError)
 			generatorMock.On("GetTemplate", &generator).
 				Return(&v1alpha1.ApplicationSetTemplate{})
 			rendererMock := rendmock.Renderer{}
 			var expectedApps []v1alpha1.Application
 			if cc.generateParamsError == nil {
 				for _, p := range cc.params {
 					if cc.rendererError != nil {
 						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
 							Return(nil, cc.rendererError)
 					} else {
 						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
 							Return(&app, nil)
 						expectedApps = append(expectedApps, app)
 					}
 				}
 			}
 			generators := map[string]generators.Generator{
 				"List": &generatorMock,
 			}
 			renderer := &rendererMock
 			got, reason, err := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
 					Namespace: "namespace",
 				},
 				Spec: v1alpha1.ApplicationSetSpec{
 					Generators: []v1alpha1.ApplicationSetGenerator{generator},
 					Template:   cc.template,
 				},
 			},
 				generators,
 				renderer,
 				nil,
 			)
 			if cc.expectErr {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
 			}
 			assert.Equal(t, expectedApps, got)
 			assert.Equal(t, cc.expectedReason, reason)
 			generatorMock.AssertNumberOfCalls(t, "GenerateParams", 1)
 			if cc.generateParamsError == nil {
 				rendererMock.AssertNumberOfCalls(t, "RenderTemplateParams", len(cc.params))
 			}
 		})
 	}
 }
 func TestMergeTemplateApplications(t *testing.T) {
 	for _, c := range []struct {
 		name             string
 		params           []map[string]interface{}
 		template         v1alpha1.ApplicationSetTemplate
 		overrideTemplate v1alpha1.ApplicationSetTemplate
 		expectedMerged   v1alpha1.ApplicationSetTemplate
 		expectedApps     []v1alpha1.Application
 	}{
 		{
 			name:   "Generate app",
 			params: []map[string]interface{}{{"name": "app1"}},
 			template: v1alpha1.ApplicationSetTemplate{
 				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
 					Name:      "name",
 					Namespace: "namespace",
 					Labels:    map[string]string{"label_name": "label_value"},
 				},
 				Spec: v1alpha1.ApplicationSpec{},
 			},
 			overrideTemplate: v1alpha1.ApplicationSetTemplate{
 				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
 					Name:   "test",
 					Labels: map[string]string{"foo": "bar"},
 				},
 				Spec: v1alpha1.ApplicationSpec{},
 			},
 			expectedMerged: v1alpha1.ApplicationSetTemplate{
 				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
 					Name:      "test",
 					Namespace: "namespace",
 					Labels:    map[string]string{"label_name": "label_value", "foo": "bar"},
 				},
 				Spec: v1alpha1.ApplicationSpec{},
 			},
 			expectedApps: []v1alpha1.Application{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "test",
 						Namespace: "test",
 						Labels:    map[string]string{"foo": "bar"},
 					},
 					Spec: v1alpha1.ApplicationSpec{},
 				},
 			},
 		},
 	} {
 		cc := c
 		t.Run(cc.name, func(t *testing.T) {
 			generatorMock := genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
 			}
 			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cc.params, nil)
 			generatorMock.On("GetTemplate", &generator).
 				Return(&cc.overrideTemplate)
 			rendererMock := rendmock.Renderer{}
 			rendererMock.On("RenderTemplateParams", GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
 				Return(&cc.expectedApps[0], nil)
 			generators := map[string]generators.Generator{
 				"List": &generatorMock,
 			}
 			renderer := &rendererMock
 			got, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
 					Namespace: "namespace",
 				},
 				Spec: v1alpha1.ApplicationSetSpec{
 					Generators: []v1alpha1.ApplicationSetGenerator{generator},
 					Template:   cc.template,
 				},
 			},
 				generators,
 				renderer,
 				nil,
 			)
 			assert.Equal(t, cc.expectedApps, got)
 		})
 	}
 }
 // Test app generation from a go template application set using a pull request generator
 func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
 	for _, cases := range []struct {
 		name        string
 		params      []map[string]interface{}
 		template    v1alpha1.ApplicationSetTemplate
 		expectedApp []v1alpha1.Application
 	}{
 		{
 			name: "Generate an application from a go template application set manifest using a pull request generator",
 			params: []map[string]interface{}{
 				{
 					"number":                                "1",
 					"title":                                 "title1",
 					"branch":                                "branch1",
 					"branch_slug":                           "branchSlug1",
 					"head_sha":                              "089d92cbf9ff857a39e6feccd32798ca700fb958",
 					"head_short_sha":                        "089d92cb",
 					"branch_slugify_default":                "feat/a_really+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
 					"branch_slugify_smarttruncate_disabled": "feat/areallylongpullrequestnametotestargoslugificationandbranchnameshorteningfeature",
 					"branch_slugify_smarttruncate_enabled":  "feat/testwithsmarttruncateenabledramdomlonglistofcharacters",
 					"labels":                                []string{"label1"},
 				},
 			},
 			template: v1alpha1.ApplicationSetTemplate{
 				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
 					Name: "AppSet-{{.branch}}-{{.number}}",
 					Labels: map[string]string{
 						"app1":         "{{index .labels 0}}",
 						"branch-test1": "AppSet-{{.branch_slugify_default | slugify }}",
 						"branch-test2": "AppSet-{{.branch_slugify_smarttruncate_disabled | slugify 49 false }}",
 						"branch-test3": "AppSet-{{.branch_slugify_smarttruncate_enabled | slugify 50 true }}",
 					},
 				},
 				Spec: v1alpha1.ApplicationSpec{
 					Source: &v1alpha1.ApplicationSource{
 						RepoURL:        "https://testurl/testRepo",
 						TargetRevision: "{{.head_short_sha}}",
 					},
 					Destination: v1alpha1.ApplicationDestination{
 						Server:    "https://kubernetes.default.svc",
 						Namespace: "AppSet-{{.branch_slug}}-{{.head_sha}}",
 					},
 				},
 			},
 			expectedApp: []v1alpha1.Application{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "AppSet-branch1-1",
 						Labels: map[string]string{
 							"app1":         "label1",
 							"branch-test1": "AppSet-feat-a-really-long-pull-request-name-to-test-argo",
 							"branch-test2": "AppSet-feat-areallylongpullrequestnametotestargoslugific",
 							"branch-test3": "AppSet-feat",
 						},
 					},
 					Spec: v1alpha1.ApplicationSpec{
 						Source: &v1alpha1.ApplicationSource{
 							RepoURL:        "https://testurl/testRepo",
 							TargetRevision: "089d92cb",
 						},
 						Destination: v1alpha1.ApplicationDestination{
 							Server:    "https://kubernetes.default.svc",
 							Namespace: "AppSet-branchSlug1-089d92cbf9ff857a39e6feccd32798ca700fb958",
 						},
 					},
 				},
 			},
 		},
 	} {
 		t.Run(cases.name, func(t *testing.T) {
 			generatorMock := genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				PullRequest: &v1alpha1.PullRequestGenerator{},
 			}
 			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cases.params, nil)
 			generatorMock.On("GetTemplate", &generator).
 				Return(&cases.template, nil)
 			generators := map[string]generators.Generator{
 				"PullRequest": &generatorMock,
 			}
 			renderer := &utils.Render{}
 			gotApp, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				Spec: v1alpha1.ApplicationSetSpec{
 					GoTemplate: true,
 					Generators: []v1alpha1.ApplicationSetGenerator{{
 						PullRequest: &v1alpha1.PullRequestGenerator{},
 					}},
 					Template: cases.template,
 				},
 			},
 				generators,
 				renderer,
 				nil,
 			)
 			assert.EqualValues(t, cases.expectedApp[0].ObjectMeta.Name, gotApp[0].ObjectMeta.Name)
 			assert.EqualValues(t, cases.expectedApp[0].Spec.Source.TargetRevision, gotApp[0].Spec.Source.TargetRevision)
 			assert.EqualValues(t, cases.expectedApp[0].Spec.Destination.Namespace, gotApp[0].Spec.Destination.Namespace)
 			assert.True(t, maps.Equal(cases.expectedApp[0].ObjectMeta.Labels, gotApp[0].ObjectMeta.Labels))
 		})
 	}
 }
--- a/applicationset/examples/applications-sync-policies/create-only.yaml
+++ b/applicationset/examples/applications-sync-policies/create-only.yaml
@@ -1,35 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  generators:
  - list:
      elements:
      - cluster: engineering-dev
        url: https://kubernetes.default.svc
        foo: bar
      # Update foo value with foo: bar
      # Application engineering-prod-guestbook labels will still be baz
      # Delete this element
      # Application engineering-prod-guestbook will be kept
      - cluster: engineering-prod
        url: https://kubernetes.default.svc
        foo: baz
  template:
    metadata:
      name: '{{.cluster}}-guestbook'
      labels:
        foo: '{{.foo}}'
    spec:
      project: default
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: applicationset/examples/list-generator/guestbook/{{.cluster}}
      destination:
        server: '{{.url}}'
        namespace: guestbook
  syncPolicy:
    applicationsSync: create-only
--- a/applicationset/examples/applications-sync-policies/create-update.yaml
+++ b/applicationset/examples/applications-sync-policies/create-update.yaml
@@ -1,35 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  generators:
  - list:
      elements:
      - cluster: engineering-dev
        url: https://kubernetes.default.svc
        foo: bar
      # Update foo value with foo: bar
      # Application engineering-prod-guestbook labels will change to foo: bar
      # Delete this element
      # Application engineering-prod-guestbook will be kept
      - cluster: engineering-prod
        url: https://kubernetes.default.svc
        foo: baz
  template:
    metadata:
      name: '{{.cluster}}-guestbook'
      labels:
        foo: '{{.foo}}'
    spec:
      project: default
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: applicationset/examples/list-generator/guestbook/{{.cluster}}
      destination:
        server: '{{.url}}'
        namespace: guestbook
  syncPolicy:
    applicationsSync: create-update
--- a/applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-deployment.yaml
@@ -1,20 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: guestbook-ui
 spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: guestbook-ui
  template:
    metadata:
      labels:
        app: guestbook-ui
    spec:
      containers:
      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-svc.yaml
+++ b/applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-svc.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: guestbook-ui
 spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: guestbook-ui
--- a/applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-deployment.yaml
@@ -1,20 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: guestbook-ui
 spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: guestbook-ui
  template:
    metadata:
      labels:
        app: guestbook-ui
    spec:
      containers:
      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-svc.yaml
+++ b/applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-svc.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: guestbook-ui
 spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: guestbook-ui
--- a/applicationset/examples/cluster/cluster-example-fasttemplate.yaml
+++ b/applicationset/examples/cluster/cluster-example-fasttemplate.yaml
@@ -1,19 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  generators:
  - clusters: {}
  template:
    metadata:
      name: '{{name}}-guestbook'
    spec:
      project: "default"
      source:
        repoURL: https://github.com/argoproj/argocd-example-apps/
        targetRevision: HEAD
        path: guestbook
      destination:
        server: '{{server}}'
        namespace: guestbook
--- a/applicationset/examples/cluster/cluster-example.yaml
+++ b/applicationset/examples/cluster/cluster-example.yaml
@@ -3,13 +3,11 @@ kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - clusters: {}
  template:
    metadata:
-      name: '{{.name}}-guestbook'
+      name: '{{name}}-guestbook'
    spec:
      project: "default"
      source:
@@ -17,5 +15,5 @@ spec:
        targetRevision: HEAD
        path: guestbook
      destination:
-        server: '{{.server}}'
+        server: '{{server}}'
        namespace: guestbook
--- a/applicationset/examples/clusterDecisionResource/ducktype-example-fasttemplate.yaml
+++ b/applicationset/examples/clusterDecisionResource/ducktype-example-fasttemplate.yaml
@@ -1,27 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: book-import
 spec:
  generators:
    - clusterDecisionResource:
        configMapRef: ocm-placement
        name: test-placement
        requeueAfterSeconds: 30
  template:
    metadata:
      name: '{{clusterName}}-book-import'
    spec:
      project: "default"
      source:
        repoURL: https://github.com/open-cluster-management/application-samples.git
        targetRevision: HEAD
        path: book-import
      destination:
        name: '{{clusterName}}'
        namespace: bookimport
      syncPolicy:
        automated:
          prune: true
        syncOptions:
          - CreateNamespace=true
--- a/applicationset/examples/clusterDecisionResource/ducktype-example.yaml
+++ b/applicationset/examples/clusterDecisionResource/ducktype-example.yaml
@@ -3,8 +3,6 @@ kind: ApplicationSet
 metadata:
  name: book-import
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
    - clusterDecisionResource:
        configMapRef: ocm-placement
@@ -12,7 +10,7 @@ spec:
        requeueAfterSeconds: 30
  template:
    metadata:
-      name: '{{.clusterName}}-book-import'
+      name: '{{clusterName}}-book-import'
    spec:
      project: "default"
      source:
@@ -20,7 +18,7 @@ spec:
        targetRevision: HEAD
        path: book-import
      destination:
-        name: '{{.clusterName}}'
+        name: '{{clusterName}}'
        namespace: bookimport
      syncPolicy:
        automated:
--- a/applicationset/examples/design-doc/applicationset-fasttemplate.yaml
+++ b/applicationset/examples/design-doc/applicationset-fasttemplate.yaml
@@ -1,22 +0,0 @@
 # This is an example of a typical ApplicationSet which uses the cluster generator.
 # An ApplicationSet is comprised with two stanzas:
 #  - spec.generator - producer of a list of values supplied as arguments to an app template
 #  - spec.template - an application template, which has been parameterized
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  generators:
  - clusters: {}
  template:
    metadata:
      name: '{{name}}-guestbook'
    spec:
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        chart: guestbook
      destination:
        server: '{{server}}'
        namespace: guestbook
--- a/applicationset/examples/design-doc/applicationset.yaml
+++ b/applicationset/examples/design-doc/applicationset.yaml
@@ -7,18 +7,16 @@ kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - clusters: {}
  template:
    metadata:
-      name: '{{.name}}-guestbook'
+      name: '{{name}}-guestbook'
    spec:
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        chart: guestbook
      destination:
-        server: '{{.server}}'
+        server: '{{server}}'
        namespace: guestbook
--- a/applicationset/examples/design-doc/clusters.yaml
+++ b/applicationset/examples/design-doc/clusters.yaml
@@ -19,15 +19,15 @@ spec:
        project: default
  template:
    metadata:
-      name: '{{.name}}-guestbook'
+      name: '{{name}}-guestbook'
      labels:
-        environment: '{{.metadata.labels.environment}}'
+        environment: '{{metadata.labels.environment}}'
    spec:
-      project: '{{.values.project}}'
+      project: '{{values.project}}'
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        chart: guestbook
      destination:
-        server: '{{.server}}'
+        server: '{{server}}'
        namespace: guestbook
--- a/applicationset/examples/design-doc/git-directory-discovery-fasttemplate.yaml
+++ b/applicationset/examples/design-doc/git-directory-discovery-fasttemplate.yaml
@@ -1,44 +0,0 @@
 # This example demonstrates the git directory generator, which produces an items list 
 # based on discovery of directories in a git repo matching a specified pattern.
 # Git generators automatically provide {{path}} and {{path.basename}} as available
 # variables to the app template.
 #
 # Suppose the following git directory structure (note the use of different config tools):
 #
 # cluster-deployments
 # └── add-ons
 #     ├── argo-rollouts
 #     │   ├── all.yaml
 #     │   └── kustomization.yaml
 #     ├── argo-workflows
 #     │   └── install.yaml
 #     ├── grafana
 #     │   ├── Chart.yaml
 #     │   └── values.yaml
 #     └── prometheus-operator
 #         ├── Chart.yaml
 #         └── values.yaml
 #
 # The following ApplicationSet would produce four applications (in different namespaces),
 # using the directory basename as both the namespace and application name. 
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: cluster-addons
 spec:
  generators:
  - git:
      repoURL: https://github.com/infra-team/cluster-deployments.git
      directories:
      - path: add-ons/*
  template:
    metadata:
      name: '{{path.basename}}'
    spec:
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: http://kubernetes.default.svc
        namespace: '{{path.basename}}'
--- a/applicationset/examples/design-doc/git-directory-discovery.yaml
+++ b/applicationset/examples/design-doc/git-directory-discovery.yaml
@@ -26,8 +26,6 @@ kind: ApplicationSet
 metadata:
  name: cluster-addons
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - git:
      repoURL: https://github.com/infra-team/cluster-deployments.git
@@ -35,12 +33,12 @@ spec:
      - path: add-ons/*
  template:
    metadata:
-      name: '{{.path.basename}}'
+      name: '{{path.basename}}'
    spec:
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
-        path: '{{.path.path}}'
+        path: '{{path}}'
      destination:
        server: http://kubernetes.default.svc
-        namespace: '{{.path.basename}}'
+        namespace: '{{path.basename}}'
--- a/applicationset/examples/design-doc/git-files-discovery-fasttemplate.yaml
+++ b/applicationset/examples/design-doc/git-files-discovery-fasttemplate.yaml
@@ -1,55 +0,0 @@
 # This example demonstrates a git file generator which traverses the directory structure of a git
 # repository to discover items based on a filename convention. For each file discovered, the
 # contents of the discovered files themselves, act as the set of inputs to the app template.
 #
 # Suppose the following git directory structure:
 #
 # cluster-deployments
 # ├── apps
 # │   └── guestbook
 # │       └── install.yaml
 # └── cluster-config
 #     ├── engineering
 #     │   ├── dev
 #     │   │   └── config.json
 #     │   └── prod
 #     │       └── config.json
 #     └── finance
 #         ├── dev
 #         │   └── config.json
 #         └── prod
 #             └── config.json
 #
 # The discovered files (e.g. config.json) files can be any structured data supplied to the
 # generated application. e.g.:
 # {
 #    "aws_account": "123456",
 #    "asset_id": "11223344"
 #    "cluster": {
 #        "owner": "Jesse_Suen@intuit.com",
 #        "name": "engineering-dev",
 #        "address": "http://1.2.3.4"
 #    }
 # }
 #
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  generators:
  - git:
      repoURL: https://github.com/infra-team/cluster-deployments.git
      files:
      - path: "**/config.json"
  template:
    metadata:
      name: '{{cluster.name}}-guestbook'
    spec:
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        path: apps/guestbook
      destination:
        server: '{{cluster.address}}'
        namespace: guestbook
--- a/applicationset/examples/design-doc/git-files-discovery.yaml
+++ b/applicationset/examples/design-doc/git-files-discovery.yaml
@@ -37,8 +37,6 @@ kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - git:
      repoURL: https://github.com/infra-team/cluster-deployments.git
@@ -46,12 +44,12 @@ spec:
      - path: "**/config.json"
  template:
    metadata:
-      name: '{{.cluster.name}}-guestbook'
+      name: '{{cluster.name}}-guestbook'
    spec:
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        path: apps/guestbook
      destination:
-        server: '{{.cluster.address}}'
+        server: '{{cluster.address}}'
        namespace: guestbook
--- a/applicationset/examples/design-doc/git-files-literal-fasttemplate.yaml
+++ b/applicationset/examples/design-doc/git-files-literal-fasttemplate.yaml
@@ -1,68 +0,0 @@
 # This example demonstrates a git file generator which produces its items based on one or
 # more files referenced in a git repo. The referenced files would contain a json/yaml list of
 # arbitrary structured objects. Each item of the list would become a set of parameters to a
 # generated application.
 #
 # Suppose the following git directory structure:
 #  
 # cluster-deployments
 # ├── apps
 # │   └── guestbook
 # │       ├── v1.0
 # │       │   └── install.yaml
 # │       └── v2.0
 # │           └── install.yaml
 # └── config
 #     └── clusters.json
 #
 # In this example, the `clusters.json` file is json list of structured data:
 # [
 #     {
 #         "account": "123456",
 #         "asset_id": "11223344",
 #         "cluster": {
 #             "owner": "Jesse_Suen@intuit.com",
 #             "name": "engineering-dev",
 #             "address": "http://1.2.3.4"
 #         },
 #         "appVersions": {
 #             "prometheus-operator": "v0.38",
 #             "guestbook": "v2.0"
 #         }
 #     },
 #     {
 #         "account": "456789",
 #         "asset_id": "55667788",
 #         "cluster": {
 #             "owner": "Alexander_Matyushentsev@intuit.com",
 #             "name": "engineering-prod",
 #             "address": "http://2.4.6.8"
 #         },
 #         "appVersions": {
 #             "prometheus-operator": "v0.38",
 #             "guestbook": "v1.0"
 #         }
 #     }
 # ]
 #
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  generators:
  - git:
      repoURL: https://github.com/infra-team/cluster-deployments.git
      files:
      - path: config/clusters.json
  template:
    metadata:
      name: '{{cluster.name}}-guestbook'
    spec:
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        path: apps/guestbook/{{appVersions.guestbook}}
      destination:
        server: http://kubernetes.default.svc
        namespace: guestbook
--- a/applicationset/examples/design-doc/git-files-literal.yaml
+++ b/applicationset/examples/design-doc/git-files-literal.yaml
@@ -50,8 +50,6 @@ kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - git:
      repoURL: https://github.com/infra-team/cluster-deployments.git
@@ -59,12 +57,12 @@ spec:
      - path: config/clusters.json
  template:
    metadata:
-      name: '{{.cluster.name}}-guestbook'
+      name: '{{cluster.name}}-guestbook'
    spec:
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
-        path: apps/guestbook/{{.appVersions.guestbook}}
+        path: apps/guestbook/{{appVersions.guestbook}}
      destination:
        server: http://kubernetes.default.svc
        namespace: guestbook
--- a/applicationset/examples/design-doc/list-fasttemplate.yaml
+++ b/applicationset/examples/design-doc/list-fasttemplate.yaml
@@ -1,33 +0,0 @@
 # The list generator specifies a literal list of argument values to the app spec template.
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  generators:
  - list:
      elements:
      - cluster: engineering-dev
        url: https://1.2.3.4
        values:
          project: dev
      - cluster: engineering-prod
        url: https://2.4.6.8
        values:
          project: prod
      - cluster: finance-preprod
        url: https://9.8.7.6
        values:
          project: preprod
  template:
    metadata:
      name: '{{cluster}}-guestbook'
    spec:
      project: '{{values.project}}'
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        path: guestbook/{{cluster}}
      destination:
        server: '{{url}}'
        namespace: guestbook
--- a/applicationset/examples/design-doc/list.yaml
+++ b/applicationset/examples/design-doc/list.yaml
@@ -4,8 +4,6 @@ kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - list:
      elements:
@@ -23,13 +21,13 @@ spec:
          project: preprod
  template:
    metadata:
-      name: '{{.cluster}}-guestbook'
+      name: '{{cluster}}-guestbook'
    spec:
-      project: '{{.values.project}}'
+      project: '{{values.project}}'
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
-        path: guestbook/{{.cluster}}
+        path: guestbook/{{cluster}}
      destination:
-        server: '{{.url}}'
+        server: '{{url}}'
        namespace: guestbook
--- a/applicationset/examples/design-doc/template-override-fasttemplate.yaml
+++ b/applicationset/examples/design-doc/template-override-fasttemplate.yaml
@@ -1,48 +0,0 @@
 # App templates can also be defined as part of the generator's template stanza. Sometimes it is
 # useful to do this in order to override the spec.template stanza, and when simple string
 # parameterization are insufficient. In the below examples, the generators[].XXX.template is 
 # a partial definition, which overrides/patch the default template.
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  generators:
  - list:
      elements:
        - cluster: engineering-dev
          url: https://1.2.3.4
      template:
        metadata: {}
        spec:
          project: "project"
          source:
            repoURL: https://github.com/infra-team/cluster-deployments.git
            path: '{{cluster}}-override'
          destination: {}
  - list:
      elements:
        - cluster: engineering-prod
          url: https://1.2.3.4
      template:
        metadata: {}
        spec:
          project: "project2"
          source:
            repoURL: https://github.com/infra-team/cluster-deployments.git
            path: '{{cluster}}-override2'
          destination: {}
  template:
    metadata:
      name: '{{cluster}}-guestbook'
    spec:
      project: "project"
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
        path: guestbook/{{cluster}}
      destination:
        server: '{{url}}'
        namespace: guestbook
--- a/applicationset/examples/design-doc/template-override.yaml
+++ b/applicationset/examples/design-doc/template-override.yaml
@@ -7,8 +7,6 @@ kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - list:
      elements:
@@ -20,7 +18,7 @@ spec:
          project: "project"
          source:
            repoURL: https://github.com/infra-team/cluster-deployments.git
-            path: '{{.cluster}}-override'
+            path: '{{cluster}}-override'
          destination: {}
  - list:
@@ -33,18 +31,18 @@ spec:
          project: "project2"
          source:
            repoURL: https://github.com/infra-team/cluster-deployments.git
-            path: '{{.cluster}}-override2'
+            path: '{{cluster}}-override2'
          destination: {}
  template:
    metadata:
-      name: '{{.cluster}}-guestbook'
+      name: '{{cluster}}-guestbook'
    spec:
      project: "project"
      source:
        repoURL: https://github.com/infra-team/cluster-deployments.git
        targetRevision: HEAD
-        path: guestbook/{{.cluster}}
+        path: guestbook/{{cluster}}
      destination:
-        server: '{{.url}}'
+        server: '{{url}}'
        namespace: guestbook
--- a/applicationset/examples/git-generator-directory/cluster-addons/argo-workflows/kustomization.yaml
+++ b/applicationset/examples/git-generator-directory/cluster-addons/argo-workflows/kustomization.yaml
@@ -1,6 +1,6 @@
 #namePrefix: kustomize-
 resources:
- https://github.com/argoproj/argo-workflows/releases/download/v3.4.0/namespace-install.yaml
+- namespace-install.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
--- a/applicationset/examples/git-generator-directory/cluster-addons/argo-workflows/namespace-install.yaml
+++ b/applicationset/examples/git-generator-directory/cluster-addons/argo-workflows/namespace-install.yaml
@@ -0,0 +1,417 @@
 # This is an auto-generated file. DO NOT EDIT
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: clusterworkflowtemplates.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: ClusterWorkflowTemplate
    listKind: ClusterWorkflowTemplateList
    plural: clusterworkflowtemplates
    shortNames:
    - clusterwftmpl
    - cwft
    singular: clusterworkflowtemplate
  scope: Cluster
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: cronworkflows.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: CronWorkflow
    listKind: CronWorkflowList
    plural: cronworkflows
    shortNames:
    - cwf
    - cronwf
    singular: cronworkflow
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: workfloweventbindings.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: WorkflowEventBinding
    listKind: WorkflowEventBindingList
    plural: workfloweventbindings
    shortNames:
    - wfeb
    singular: workfloweventbinding
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: workflows.argoproj.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.phase
    description: Status of the workflow
    name: Status
    type: string
  - JSONPath: .status.startedAt
    description: When the workflow was started
    format: date-time
    name: Age
    type: date
  group: argoproj.io
  names:
    kind: Workflow
    listKind: WorkflowList
    plural: workflows
    shortNames:
    - wf
    singular: workflow
  scope: Namespaced
  subresources: {}
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: workflowtemplates.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: WorkflowTemplate
    listKind: WorkflowTemplateList
    plural: workflowtemplates
    shortNames:
    - wftmpl
    singular: workflowtemplate
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argo
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argo-server
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argo-role
 rules:
 - apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
 - apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
 - apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  - create
 - apiGroups:
  - argoproj.io
  resources:
  - workflowtemplates
  - workflowtemplates/finalizers
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
 - apiGroups:
  - argoproj.io
  resources:
  - cronworkflows
  - cronworkflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
 - apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - get
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argo-server-role
 rules:
 - apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
 - apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - pods/log
  verbs:
  - get
  - list
  - watch
  - delete
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - watch
  - create
  - patch
 - apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
 - apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workfloweventbindings
  - workflowtemplates
  - cronworkflows
  - cronworkflows/finalizers
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argo-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-role
 subjects:
 - kind: ServiceAccount
  name: argo
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argo-server-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-server-role
 subjects:
 - kind: ServiceAccount
  name: argo-server
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: workflow-controller-configmap
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: argo-server
 spec:
  ports:
  - name: web
    port: 2746
    targetPort: 2746
  selector:
    app: argo-server
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: workflow-controller-metrics
 spec:
  ports:
  - name: metrics
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app: workflow-controller
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: argo-server
 spec:
  selector:
    matchLabels:
      app: argo-server
  template:
    metadata:
      labels:
        app: argo-server
    spec:
      containers:
      - args:
        - server
        - --namespaced
        image: argoproj/argocli:v2.12.5
        name: argo-server
        ports:
        - containerPort: 2746
          name: web
        readinessProbe:
          httpGet:
            path: /
            port: 2746
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: argo-server
      volumes:
      - emptyDir: {}
        name: tmp
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: workflow-controller
 spec:
  selector:
    matchLabels:
      app: workflow-controller
  template:
    metadata:
      labels:
        app: workflow-controller
    spec:
      containers:
      - args:
        - --configmap
        - workflow-controller-configmap
        - --executor-image
        - argoproj/argoexec:v2.12.5
        - --namespaced
        command:
        - workflow-controller
        image: argoproj/workflow-controller:v2.12.5
        livenessProbe:
          httpGet:
            path: /metrics
            port: metrics
          initialDelaySeconds: 30
          periodSeconds: 30
        name: workflow-controller
        ports:
        - containerPort: 9090
          name: metrics
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: argo
--- a/applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator/Chart.yaml
+++ b/applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator/Chart.yaml
@@ -11,4 +11,4 @@ version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: "1.0"
+appVersion: "1.0"
--- a/applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator/requirements.yaml
+++ b/applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator/requirements.yaml
@@ -1,4 +1,4 @@
 dependencies:
 - name: kube-prometheus-stack
-  version: 40.5.0
+  version: 9.4.10
  repository: https://prometheus-community.github.io/helm-charts
--- a/applicationset/examples/git-generator-directory/excludes/cluster-addons/argo-workflows/kustomization.yaml
+++ b/applicationset/examples/git-generator-directory/excludes/cluster-addons/argo-workflows/kustomization.yaml
@@ -1,6 +1,6 @@
 #namePrefix: kustomize-
 resources:
- https://github.com/argoproj/argo-workflows/releases/download/v3.4.0/namespace-install.yaml
+- namespace-install.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
--- a/applicationset/examples/git-generator-directory/excludes/cluster-addons/argo-workflows/namespace-install.yaml
+++ b/applicationset/examples/git-generator-directory/excludes/cluster-addons/argo-workflows/namespace-install.yaml
@@ -0,0 +1,417 @@
 # This is an auto-generated file. DO NOT EDIT
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: clusterworkflowtemplates.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: ClusterWorkflowTemplate
    listKind: ClusterWorkflowTemplateList
    plural: clusterworkflowtemplates
    shortNames:
    - clusterwftmpl
    - cwft
    singular: clusterworkflowtemplate
  scope: Cluster
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: cronworkflows.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: CronWorkflow
    listKind: CronWorkflowList
    plural: cronworkflows
    shortNames:
    - cwf
    - cronwf
    singular: cronworkflow
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: workfloweventbindings.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: WorkflowEventBinding
    listKind: WorkflowEventBindingList
    plural: workfloweventbindings
    shortNames:
    - wfeb
    singular: workfloweventbinding
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: workflows.argoproj.io
 spec:
  additionalPrinterColumns:
  - JSONPath: .status.phase
    description: Status of the workflow
    name: Status
    type: string
  - JSONPath: .status.startedAt
    description: When the workflow was started
    format: date-time
    name: Age
    type: date
  group: argoproj.io
  names:
    kind: Workflow
    listKind: WorkflowList
    plural: workflows
    shortNames:
    - wf
    singular: workflow
  scope: Namespaced
  subresources: {}
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: workflowtemplates.argoproj.io
 spec:
  group: argoproj.io
  names:
    kind: WorkflowTemplate
    listKind: WorkflowTemplateList
    plural: workflowtemplates
    shortNames:
    - wftmpl
    singular: workflowtemplate
  scope: Namespaced
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argo
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argo-server
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argo-role
 rules:
 - apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
 - apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
 - apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  - create
 - apiGroups:
  - argoproj.io
  resources:
  - workflowtemplates
  - workflowtemplates/finalizers
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
 - apiGroups:
  - argoproj.io
  resources:
  - cronworkflows
  - cronworkflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
 - apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - get
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argo-server-role
 rules:
 - apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
 - apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - pods/log
  verbs:
  - get
  - list
  - watch
  - delete
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - watch
  - create
  - patch
 - apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
 - apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workfloweventbindings
  - workflowtemplates
  - cronworkflows
  - cronworkflows/finalizers
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argo-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-role
 subjects:
 - kind: ServiceAccount
  name: argo
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argo-server-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-server-role
 subjects:
 - kind: ServiceAccount
  name: argo-server
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: workflow-controller-configmap
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: argo-server
 spec:
  ports:
  - name: web
    port: 2746
    targetPort: 2746
  selector:
    app: argo-server
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: workflow-controller-metrics
 spec:
  ports:
  - name: metrics
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app: workflow-controller
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: argo-server
 spec:
  selector:
    matchLabels:
      app: argo-server
  template:
    metadata:
      labels:
        app: argo-server
    spec:
      containers:
      - args:
        - server
        - --namespaced
        image: argoproj/argocli:v2.12.5
        name: argo-server
        ports:
        - containerPort: 2746
          name: web
        readinessProbe:
          httpGet:
            path: /
            port: 2746
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 20
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: argo-server
      volumes:
      - emptyDir: {}
        name: tmp
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: workflow-controller
 spec:
  selector:
    matchLabels:
      app: workflow-controller
  template:
    metadata:
      labels:
        app: workflow-controller
    spec:
      containers:
      - args:
        - --configmap
        - workflow-controller-configmap
        - --executor-image
        - argoproj/argoexec:v2.12.5
        - --namespaced
        command:
        - workflow-controller
        image: argoproj/workflow-controller:v2.12.5
        livenessProbe:
          httpGet:
            path: /metrics
            port: metrics
          initialDelaySeconds: 30
          periodSeconds: 30
        name: workflow-controller
        ports:
        - containerPort: 9090
          name: metrics
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: argo
--- a/applicationset/examples/git-generator-directory/excludes/cluster-addons/prometheus-operator/Chart.yaml
+++ b/applicationset/examples/git-generator-directory/excludes/cluster-addons/prometheus-operator/Chart.yaml
@@ -1,14 +1 @@
 apiVersion: v2
 name: helm-prometheus-operator
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 appVersion: "1.0"
--- a/applicationset/examples/git-generator-directory/excludes/cluster-addons/prometheus-operator/requirements.yaml
+++ b/applicationset/examples/git-generator-directory/excludes/cluster-addons/prometheus-operator/requirements.yaml
@@ -1,4 +1,4 @@
 dependencies:
 - name: kube-prometheus-stack
-  version: 40.5.0
+  version: 9.4.10
  repository: https://prometheus-community.github.io/helm-charts
--- a/applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example-fasttemplate.yaml
+++ b/applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example-fasttemplate.yaml
@@ -1,29 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: cluster-addons
  namespace: argocd
 spec:
  generators:
  - git:
      repoURL: https://github.com/argoproj/argo-cd.git
      revision: HEAD
      directories:
      - path: applicationset/examples/git-generator-directory/excludes/cluster-addons/*
      - exclude: true
        path: applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook
  template:
    metadata:
      name: '{{path.basename}}'
    spec:
      project: "my-project"
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'
      syncPolicy:
        syncOptions:
        - CreateNamespace=true
--- a/applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example.yaml
+++ b/applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example.yaml
@@ -2,10 +2,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: cluster-addons
  namespace: argocd
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - git:
      repoURL: https://github.com/argoproj/argo-cd.git
@@ -16,16 +13,13 @@ spec:
        path: applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook
  template:
    metadata:
-      name: '{{.path.basename}}'
+      name: '{{path.basename}}'
    spec:
-      project: "my-project"
+      project: default
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
-        path: '{{.path}}'
+        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
-        namespace: '{{.path.basename}}'
+        namespace: '{{path.basename}}'
      syncPolicy:
        syncOptions:
        - CreateNamespace=true
--- a/applicationset/examples/git-generator-directory/git-directories-example-fasttemplate.yaml
+++ b/applicationset/examples/git-generator-directory/git-directories-example-fasttemplate.yaml
@@ -1,27 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: cluster-addons
  namespace: argocd
 spec:
  generators:
  - git:
      repoURL: https://github.com/argoproj/argo-cd.git
      revision: HEAD
      directories:
      - path: applicationset/examples/git-generator-directory/cluster-addons/*
  template:
    metadata:
      name: '{{path.basename}}'
    spec:
      project: "my-project"
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'
      syncPolicy:
        syncOptions:
        - CreateNamespace=true
--- a/applicationset/examples/git-generator-directory/git-directories-example.yaml
+++ b/applicationset/examples/git-generator-directory/git-directories-example.yaml
@@ -2,10 +2,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: cluster-addons
  namespace: argocd
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - git:
      repoURL: https://github.com/argoproj/argo-cd.git
@@ -14,16 +11,13 @@ spec:
      - path: applicationset/examples/git-generator-directory/cluster-addons/*
  template:
    metadata:
-      name: '{{.path.basename}}'
+      name: '{{path.basename}}'
    spec:
-      project: "my-project"
+      project: default
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
-        path: '{{.path.path}}'
+        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
-        namespace: '{{.path.basename}}'
+        namespace: '{{path.basename}}'
      syncPolicy:
        syncOptions:
        - CreateNamespace=true
--- a/applicationset/examples/git-generator-files-discovery/git-generator-files-fasttemplate.yaml
+++ b/applicationset/examples/git-generator-files-discovery/git-generator-files-fasttemplate.yaml
@@ -1,24 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  generators:
    - git:
        repoURL: https://github.com/argoproj/argo-cd.git
        revision: HEAD
        files:
        - path: "applicationset/examples/git-generator-files-discovery/cluster-config/**/config.json"
  template:
    metadata:
      name: '{{cluster.name}}-guestbook'
    spec:
      project: default
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: "applicationset/examples/git-generator-files-discovery/apps/guestbook"
      destination:
        server: https://kubernetes.default.svc
        #server: '{{cluster.address}}'
        namespace: guestbook
--- a/applicationset/examples/git-generator-files-discovery/git-generator-files.yaml
+++ b/applicationset/examples/git-generator-files-discovery/git-generator-files.yaml
@@ -3,8 +3,6 @@ kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
    - git:
        repoURL: https://github.com/argoproj/argo-cd.git
@@ -13,7 +11,7 @@ spec:
        - path: "applicationset/examples/git-generator-files-discovery/cluster-config/**/config.json"
  template:
    metadata:
-      name: '{{.cluster.name}}-guestbook'
+      name: '{{cluster.name}}-guestbook'
    spec:
      project: default
      source:
@@ -22,5 +20,5 @@ spec:
        path: "applicationset/examples/git-generator-files-discovery/apps/guestbook"
      destination:
        server: https://kubernetes.default.svc
-        #server: '{{.cluster.address}}'
+        #server: '{{cluster.address}}'
        namespace: guestbook
--- a/applicationset/examples/list-generator/list-elementsYaml-example.yaml
+++ b/applicationset/examples/list-generator/list-elementsYaml-example.yaml
@@ -1,14 +0,0 @@
 key:
  components:
    - name: component1
      chart: podinfo
      version: "6.3.2"
      releaseName: component1
      repoUrl: "https://stefanprodan.github.io/podinfo"
      namespace: component1
    - name: component2
      chart: podinfo
      version: "6.3.3"
      releaseName: component2
      repoUrl: "ghcr.io/stefanprodan/charts"
      namespace: component2
--- a/applicationset/examples/list-generator/list-example-fasttemplate.yaml
+++ b/applicationset/examples/list-generator/list-example-fasttemplate.yaml
@@ -1,24 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  generators:
  - list:
      elements:
      - cluster: engineering-dev
        url: https://kubernetes.default.svc
      - cluster: engineering-prod
        url: https://kubernetes.default.svc
  template:
    metadata:
      name: '{{cluster}}-guestbook'
    spec:
      project: default
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: applicationset/examples/list-generator/guestbook/{{cluster}}
      destination:
        server: '{{url}}'
        namespace: guestbook
--- a/applicationset/examples/list-generator/list-example.yaml
+++ b/applicationset/examples/list-generator/list-example.yaml
@@ -3,8 +3,6 @@ kind: ApplicationSet
 metadata:
  name: guestbook
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - list:
      elements:
@@ -14,13 +12,13 @@ spec:
        url: https://kubernetes.default.svc
  template:
    metadata:
-      name: '{{.cluster}}-guestbook'
+      name: '{{cluster}}-guestbook'
    spec:
      project: default
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
-        path: applicationset/examples/list-generator/guestbook/{{.cluster}}
+        path: applicationset/examples/list-generator/guestbook/{{cluster}}
      destination:
-        server: '{{.url}}'
+        server: '{{url}}'
        namespace: guestbook
--- a/applicationset/examples/matrix/cluster-and-git-fasttemplate.yaml
+++ b/applicationset/examples/matrix/cluster-and-git-fasttemplate.yaml
@@ -1,33 +0,0 @@
 # This example demonstrates the combining of the git generator with a cluster generator
 # The expected output would be an application per git directory and a cluster (application_count = git directory * clusters)
 #
 #
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: cluster-git
 spec:
  generators:
  - matrix:
      generators:
        - git:
            repoURL: https://github.com/argoproj/argo-cd.git
            revision: HEAD
            directories:
            - path: applicationset/examples/matrix/cluster-addons/*
        - clusters:
            selector:
              matchLabels:
                argocd.argoproj.io/secret-type: cluster
  template:
    metadata:
      name: '{{path.basename}}-{{name}}'
    spec:
      project: '{{metadata.labels.environment}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: '{{server}}'
        namespace: '{{path.basename}}'
--- a/applicationset/examples/matrix/cluster-and-git.yaml
+++ b/applicationset/examples/matrix/cluster-and-git.yaml
@@ -7,8 +7,6 @@ kind: ApplicationSet
 metadata:
  name: cluster-git
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - matrix:
      generators:
@@ -23,13 +21,13 @@ spec:
                argocd.argoproj.io/secret-type: cluster
  template:
    metadata:
-      name: '{{.path.basename}}-{{.name}}'
+      name: '{{path.basename}}-{{name}}'
    spec:
-      project: '{{.metadata.labels.environment}}'
+      project: '{{metadata.labels.environment}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
-        path: '{{.path.path}}'
+        path: '{{path}}'
      destination:
-        server: '{{.server}}'
+        server: '{{server}}'
-        namespace: '{{.path.basename}}'
+        namespace: '{{path.basename}}'
--- a/applicationset/examples/matrix/list-and-git-fasttemplate.yaml
+++ b/applicationset/examples/matrix/list-and-git-fasttemplate.yaml
@@ -1,39 +0,0 @@
 # This example demonstrates the combining of the git generator with a list generator
 # The expected output would be an application per git directory and a list entry (application_count = git directory * list entries)
 #
 #
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: list-git
 spec:
  generators:
  - matrix:
      generators:
      - git:
          repoURL: https://github.com/argoproj/argo-cd.git
          revision: HEAD
          directories:
          - path: applicationset/examples/matrix/cluster-addons/*
      - list:
          elements:
          - cluster: engineering-dev
            url: https://1.2.3.4
            values:
              project: dev
          - cluster: engineering-prod
            url: https://2.4.6.8
            values:
              project: prod
  template:
    metadata:
      name: '{{path.basename}}-{{cluster}}'
    spec:
      project: '{{values.project}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: '{{url}}'
        namespace: '{{path.basename}}'
--- a/applicationset/examples/matrix/list-and-git.yaml
+++ b/applicationset/examples/matrix/list-and-git.yaml
@@ -7,8 +7,6 @@ kind: ApplicationSet
 metadata:
  name: list-git
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
  - matrix:
      generators:
@@ -29,13 +27,13 @@ spec:
              project: prod
  template:
    metadata:
-      name: '{{.path.basename}}-{{.cluster}}'
+      name: '{{path.basename}}-{{cluster}}'
    spec:
-      project: '{{.values.project}}'
+      project: '{{values.project}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
-        path: '{{.path.path}}'
+        path: '{{path}}'
      destination:
-        server: '{{.url}}'
+        server: '{{url}}'
-        namespace: '{{.path.basename}}'
+        namespace: '{{path.basename}}'
--- a/applicationset/examples/matrix/list-and-list-fasttemplate.yaml
+++ b/applicationset/examples/matrix/list-and-list-fasttemplate.yaml
@@ -1,37 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: list-and-list
  namespace: argocd
 spec:
  generators:
    - matrix:
        generators:
          - list:
              elements:
                - cluster: engineering-dev
                  url: https://kubernetes.default.svc
                  values:
                    project: default
                - cluster: engineering-prod
                  url: https://kubernetes.default.svc
                  values:
                    project: default
          - list:
              elements:
                - values:
                    suffix: '1'
                - values:
                    suffix: '2'
  template:
    metadata:
      name: '{{cluster}}-{{values.suffix}}'
    spec:
      project: '{{values.project}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: '{{url}}'
        namespace: '{{path.basename}}'
--- a/applicationset/examples/matrix/list-and-list.yaml
+++ b/applicationset/examples/matrix/list-and-list.yaml
@@ -4,8 +4,6 @@ metadata:
  name: list-and-list
  namespace: argocd
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
    - matrix:
        generators:
@@ -27,13 +25,13 @@ spec:
                    suffix: '2'
  template:
    metadata:
-      name: '{{.cluster}}-{{.values.suffix}}'
+      name: '{{cluster}}-{{values.suffix}}'
    spec:
-      project: '{{.values.project}}'
+      project: '{{values.project}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
-        path: '{{.path.path}}'
+        path: '{{path}}'
      destination:
-        server: '{{.url}}'
+        server: '{{url}}'
-        namespace: '{{.path.basename}}'
+        namespace: '{{path.basename}}'
--- a/applicationset/examples/matrix/matrix-and-union-in-matrix-fasttemplate.yaml
+++ b/applicationset/examples/matrix/matrix-and-union-in-matrix-fasttemplate.yaml
@@ -1,67 +0,0 @@
 # The matrix generator can contain other combination-type generators (matrix and union). But nested matrix and union
 # generators cannot contain further-nested matrix or union generators.
 #
 # The generators are evaluated from most-nested to least-nested. In this case:
 #  1. The union generator joins two lists to make 3 parameter sets.
 #  2. The inner matrix generator takes the cartesian product of the two lists to make 4 parameters sets.
 #  3. The outer matrix generator takes the cartesian product of the 3 union and the 4 inner matrix parameter sets to
 #     make 3*4=12 final parameter sets.
 #  4. The 12 final parameter sets are evaluated against the top-level template to generate 12 Applications.
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: matrix-and-union-in-matrix
 spec:
  generators:
    - matrix:
        generators:
          - union:
              mergeKeys:
                - cluster
              generators:
                - list:
                    elements:
                      - cluster: engineering-dev
                        url: https://kubernetes.default.svc
                        values:
                          project: default
                      - cluster: engineering-prod
                        url: https://kubernetes.default.svc
                        values:
                          project: default
                - list:
                    elements:
                      - cluster: engineering-dev
                        url: https://kubernetes.default.svc
                        values:
                          project: default
                      - cluster: engineering-test
                        url: https://kubernetes.default.svc
                        values:
                          project: default
          - matrix:
              generators:
                - list:
                    elements:
                      - values:
                          suffix: '1'
                      - values:
                          suffix: '2'
                - list:
                    elements:
                      - values:
                          prefix: 'first'
                      - values:
                          prefix: 'second'
  template:
    metadata:
      name: '{{values.prefix}}-{{cluster}}-{{values.suffix}}'
    spec:
      project: '{{values.project}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: '{{url}}'
        namespace: '{{path.basename}}'
--- a/applicationset/examples/matrix/matrix-and-union-in-matrix.yaml
+++ b/applicationset/examples/matrix/matrix-and-union-in-matrix.yaml
@@ -12,8 +12,6 @@ kind: ApplicationSet
 metadata:
  name: matrix-and-union-in-matrix
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
    - matrix:
        generators:
@@ -57,13 +55,13 @@ spec:
                          prefix: 'second'
  template:
    metadata:
-      name: '{{.values.prefix}}-{{.cluster}}-{{.values.suffix}}'
+      name: '{{values.prefix}}-{{cluster}}-{{values.suffix}}'
    spec:
-      project: '{{.values.project}}'
+      project: '{{values.project}}'
      source:
        repoURL: https://github.com/argoproj/argo-cd.git
        targetRevision: HEAD
-        path: '{{.path.path}}'
+        path: '{{path}}'
      destination:
-        server: '{{.url}}'
+        server: '{{url}}'
-        namespace: '{{.path.basename}}'
+        namespace: '{{path.basename}}'
--- a/applicationset/examples/merge/merge-clusters-and-list-fasttemplate.yaml
+++ b/applicationset/examples/merge/merge-clusters-and-list-fasttemplate.yaml
@@ -1,44 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: merge-clusters-and-list
 spec:
  generators:
    - merge:
        mergeKeys:
          - server
        generators:
          - clusters:
              values:
                kafka: 'true'
                redis: 'false'
          # For clusters with a specific label, enable Kafka.
          - clusters:
              selector:
                matchLabels:
                  use-kafka: 'false'
              values:
                kafka: 'false'
          # For a specific cluster, enable Redis.
          - list:
              elements:
                - server: https://some-specific-cluster
                  values.redis: 'true'
  template:
    metadata:
      name: '{{name}}'
    spec:
      project: default
      source:
        repoURL: https://github.com/argoproj/argocd-example-apps/
        targetRevision: HEAD
        path: helm-guestbook
        helm:
          parameters:
            - name: kafka
              value: '{{values.kafka}}'
            - name: redis
              value: '{{values.redis}}'
      destination:
        server: '{{server}}'
        namespace: default
--- a/applicationset/examples/merge/merge-clusters-and-list.yaml
+++ b/applicationset/examples/merge/merge-clusters-and-list.yaml
@@ -3,8 +3,6 @@ kind: ApplicationSet
 metadata:
  name: merge-clusters-and-list
 spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
    - merge:
        mergeKeys:
@@ -28,7 +26,7 @@ spec:
                  values.redis: 'true'
  template:
    metadata:
-      name: '{{.name}}'
+      name: '{{name}}'
    spec:
      project: default
      source:
@@ -38,9 +36,9 @@ spec:
        helm:
          parameters:
            - name: kafka
-              value: '{{.values.kafka}}'
+              value: '{{values.kafka}}'
            - name: redis
-              value: '{{.values.redis}}'
+              value: '{{values.redis}}'
      destination:
-        server: '{{.server}}'
+        server: '{{server}}'
        namespace: default
--- a/Show More
+++ b/Show More
		`@@ -1,3 +0,0 @@`
			`enabled: true`
			`preservePullRequestTitle: true`
		`@@ -1 +0,0 @@`
			`Please refer to [the Contribution Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/code-contributions/)`