Bump version in master

Signed-off-by: GitHub <noreply@github.com>
fix(manifests): use params CM and env var for redis server (#13214 ) (#13396 )
2026-02-20 09:38:49 +01:00 · 2023-05-02 00:55:32 +00:00 · 2023-05-01 19:58:52 -04:00 · 2023-05-01 17:47:43 -04:00 · 2023-05-01 16:40:04 -04:00 · 2023-05-01 15:52:59 -04:00
841 changed files with 121876 additions and 43124 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -11,3 +11,17 @@ cmd/**/debug
 debug.test
 coverage.out
 ui/node_modules/
+test-results/
+test/
+manifests/
+hack/
+docs/
+examples/
+.github/
+!test/fixture
+!test/container
+!hack/installers
+!hack/gpg-wrapper.sh
+!hack/git-verify-wrapper.sh
+!hack/tool-versions.sh
+!hack/install.sh
--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@@ -0,0 +1,32 @@
+---
+name: Argo CD Release
+about: Used by our Release Champion to track progress of a minor release
+title: 'Argo CD Release vX.X'
+labels: 'release'
+assignees: ''
+---
+
+Target RC1 date: ___. __, ____
+Target GA date: ___. __, ____
+
+ - [ ] Create new section in the [Release Planning doc](https://docs.google.com/document/d/1trJIomcgXcfvLw0aYnERrFWfPjQOfYMDJOCh1S8nMBc/edit?usp=sharing)
+ - [ ] Schedule a Release Planning meeting roughly two weeks before the scheduled Release freeze date by adding it to the community calendar (or delegate this task to someone with write access to the community calendar)
+     - [ ] Include Zoom link in the invite
+ - [ ] Post in #argo-cd and #argo-contributors one week before the meeting
+ - [ ] Post again one hour before the meeting
+ - [ ] At the meeting, remove issues/PRs from the project's column for that release which have not been “claimed” by at least one Approver (add it to the next column if Approver requests that)
+ - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can’t merge
+ - [ ] At least two days before RC1 date, draft RC blog post and submit it for review (or delegate this task)
+ - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
+ - [ ] Create new release branch
+    - [ ] Add the release branch to ReadTheDocs
+    - [ ] Confirm that tweet and blog post are ready
+    - [ ] Trigger the release
+    - [ ] After the release is finished, publish tweet and blog post
+    - [ ] Post in #argo-cd and #argo-announcements with lots of emojis announcing the release and requesting help testing
+ - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate (or delegate this task to an Approver and coordinate timing)
+ - [ ] At release date, evaluate if any bugs justify delaying the release. If not, cut the release (or delegate this task to an Approver and coordinate timing)
+ - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
+ - [ ] After the release, post in #argo-cd that the {current minor version minus 3} has reached EOL (example: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1667336234059729)
+ - [ ] (For the next release champion) Review the [items scheduled for the next release](https://github.com/orgs/argoproj/projects/25). If any item does not have an assignee who can commit to finish the feature, move it to the next release.
+ - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
--- a/.github/cherry-pick-bot.yml
+++ b/.github/cherry-pick-bot.yml
@@ -0,0 +1,3 @@
+enabled: true
+preservePullRequestTitle: true
+
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,43 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    ignore:
+    - dependency-name: k8s.io/*
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "npm"
+    directory: "/ui/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/test/container/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/test/e2e/multiarch-container/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/test/remote/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/ui-test/"
+    schedule:
+      interval: "daily"
--- a/.github/pr-title-checker-config.json
+++ b/.github/pr-title-checker-config.json
@@ -0,0 +1,15 @@
+{
+    "LABEL": {
+      "name": "title needs formatting",
+      "color": "EEEEEE"
+    },
+    "CHECKS": {
+      "prefixes": ["[Bot] docs: "],
+      "regexp": "^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
+    },
+    "MESSAGES": {
+      "success": "PR title is valid",
+      "failure": "PR title is invalid",
+      "notice": "PR Title needs to pass regex '^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
+    }
+  }
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -6,12 +6,16 @@ Checklist:

 * [ ] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
 * [ ] The title of the PR states what changed and the related issues number (used for the release note).
+* [ ] The title of the PR conforms to the [Toolchain Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/toolchain-guide/#title-of-the-pr)
 * [ ] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
 * [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
 * [ ] Does this PR require documentation updates?
 * [ ] I've updated documentation as required by this PR.
 * [ ] Optional. My organization is added to USERS.md.
-* [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/tree/master/community#contributing-to-argo)
+* [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/blob/master/community/CONTRIBUTING.md#legal)
 * [ ] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
 * [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/latest/developer-guide/ci/)). 
+* [ ] My new feature complies with the [feature status](https://github.com/argoproj/argoproj/blob/master/community/feature-status.md) guidelines.
+* [ ] I have added a brief description of why this PR is necessary and/or what this PR solves.

+Please see [Contribution FAQs](https://argo-cd.readthedocs.io/en/latest/developer-guide/faq/) if you have questions about your pull-request.
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -0,0 +1,38 @@
+# Workflows
+
+| Workflow           | Description                                                    |
+|--------------------|----------------------------------------------------------------|
+| ci-build.yaml      | Build, lint, test, codegen, build-ui, analyze, e2e-test        |
+| codeql.yaml        | CodeQL analysis                                                |
+| image-reuse.yaml   | Build, push, and Sign container images                         |
+| image.yaml         | Build container image for PR's & publish for push events       |
+| pr-title-check.yaml| Lint PR for semantic information                               |
+| init-release.yaml  | Build manifests and version then create a PR for release branch|
+| release.yaml       | Build images, cli-binaries, provenances, and post actions      |
+| update-snyk.yaml   | Scheduled snyk reports                                         |
+
+# Reusable workflows
+
+## image-reuse.yaml
+
+- The resuable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
+- A GO version `must` be specified e.g. 1.19
+- The image name for each registry *must* contain the tag. Note: multiple tags are allowed for each registry using a CSV type.
+- Multiple platforms can be specified e.g. linux/amd64,linux/arm64
+- Images are not published by default. A boolean value must be set to `true` to push images.
+- An optional target can be specified.
+
+| Inputs            | Description                         | Type        | Required | Defaults        |
+|-------------------|-------------------------------------|-------------|----------|-----------------|
+| go-version        | Version of Go to be used            | string      | true     | none            |
+| quay_image_name   | Full image name and tag             | CSV, string | false    | none            |
+| ghcr_image_name   | Full image name and tag             | CSV, string | false    | none            |
+| docker_image_name | Full image name and tag             | CSV, string | false    | none            |
+| platforms         | Platforms to build (linux/amd64)    | CSV, string | false    | linux/amd64     |
+| push              | Whether to push image/s to registry | boolean     | false    | false           |
+| target            | Target build stage                  | string      | false    | none            |
+
+| Outputs     | Description                              | Type  |
+|-------------|------------------------------------------|-------|
+|image-digest | Image digest of image container created  | string|
+
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -9,10 +9,11 @@ on:
  pull_request:
    branches:
      - 'master'
+      - 'release-*'

 env:
  # Golang version to use across CI steps
-  GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.19'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -27,9 +28,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@@ -45,13 +46,13 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -69,15 +70,15 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 # v3.3.1
        with:
-          version: v1.46.2
+          version: v1.51.0
          args: --timeout 10m --exclude SA5011 --verbose

  test-go:
@@ -92,11 +93,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -116,13 +117,17 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Setup git username and email
        run: |
          git config --global user.name "John Doe"
@@ -133,12 +138,12 @@ jobs:
      - name: Run all unit tests
        run: make test-local
      - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: code-coverage
          path: coverage.out
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: test-results
          path: test-results/
@@ -155,11 +160,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -179,13 +184,17 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Setup git username and email
        run: |
          git config --global user.name "John Doe"
@@ -196,7 +205,7 @@ jobs:
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: race-results
          path: test-results/
@@ -206,9 +215,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
@@ -232,6 +241,10 @@ jobs:
          make install-codegen-tools-local
          make install-go-tools-local
        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
      - name: Run codegen
        run: |
          set -x
@@ -250,14 +263,14 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup NodeJS
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
-          node-version: '12.18.4'
+          node-version: '18.15.0'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -287,12 +300,12 @@ jobs:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
        with:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -303,16 +316,16 @@ jobs:
        run: |
          mkdir -p test-results
      - name: Get code coverage artifiact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: code-coverage
      - name: Get test result artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: test-results
          path: test-results
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
        with:
          file: coverage.out
      - name: Perform static code analysis using SonarCloud
@@ -348,7 +361,7 @@ jobs:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
-        k3s-version: [v1.24.3, v1.23.3, v1.22.6]
+        k3s-version: [v1.26.0, v1.25.4, v1.24.3, v1.23.3]
    needs: 
      - build-go
    env:
@@ -366,9 +379,9 @@ jobs:
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: GH actions workaround - Kill XSP4 process
@@ -386,7 +399,7 @@ jobs:
          sudo chown runner $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -412,9 +425,9 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.35.3-distroless
+          docker pull ghcr.io/dexidp/dex:v2.36.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.5-alpine
+          docker pull redis:7.0.11-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
@@ -442,7 +455,7 @@ jobs:
          set -x
          make test-e2e-local
      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: e2e-server-k8s${{ matrix.k3s-version }}.log
          path: /tmp/e2e-server.log
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,6 +5,7 @@ on:
    # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
    branches-ignore:
      - 'dependabot/**'
+      - 'cherry-pick-*'
  pull_request:
  schedule:
    - cron: '0 19 * * 0'
@@ -29,11 +30,11 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
      
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
@@ -41,7 +42,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -55,4 +56,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -0,0 +1,153 @@
+name: Publish and Sign Container Image
+on:
+  workflow_call:
+    inputs:
+      go-version:
+        required: true
+        type: string
+      quay_image_name:
+        required: false
+        type: string
+      ghcr_image_name:
+        required: false
+        type: string
+      docker_image_name:
+        required: false
+        type: string
+      platforms:
+        required: true
+        type: string
+        default: linux/amd64
+      push:
+        required: true
+        type: boolean
+        default: false
+      target:
+        required: false
+        type: string
+
+    secrets:
+      quay_username:
+        required: false
+      quay_password:
+        required: false
+      ghcr_username:
+        required: false
+      ghcr_password:
+        required: false
+      docker_username:
+        required: false
+      docker_password:
+        required: false
+
+    outputs:
+      image-digest:
+        description: "sha256 digest of container image"
+        value: ${{ jobs.publish.outputs.image-digest }}
+
+permissions: {}
+
+jobs:
+  publish:
+    permissions:
+      contents: read
+      packages: write # Used to push images to `ghcr.io` if used.
+      id-token: write # Needed to create an OIDC token for keyless signing
+    runs-on: ubuntu-22.04
+    outputs:
+      image-digest: ${{ steps.image.outputs.digest }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.3.0
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+        if: ${{ github.ref_type == 'tag'}}
+
+      - name: Checkout code
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        if: ${{ github.ref_type != 'tag'}}
+
+      - name: Setup Golang
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: ${{ inputs.go-version }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        with:
+          cosign-release: 'v2.0.0'
+
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+
+      - name: Setup tags for container image as a CSV type
+        run: |
+          IMAGE_TAGS=$(for str in \
+            ${{ inputs.quay_image_name }} \
+            ${{ inputs.ghcr_image_name }} \
+            ${{ inputs.docker_image_name}}; do
+            echo -n "${str}",;done | sed 's/,$//')
+
+          echo $IMAGE_TAGS
+          echo "TAGS=$IMAGE_TAGS" >> $GITHUB_ENV
+
+      - name: Setup image namespace for signing, strip off the tag
+        run: |
+          TAGS=$(for tag in \
+            ${{ inputs.quay_image_name }} \
+            ${{ inputs.ghcr_image_name }} \
+            ${{ inputs.docker_image_name}}; do
+            echo -n "${tag}" | awk -F ":" '{print $1}' -;done)
+          
+            echo $TAGS
+            echo 'SIGNING_TAGS<<EOF' >> $GITHUB_ENV
+            echo $TAGS >> $GITHUB_ENV
+            echo 'EOF' >> $GITHUB_ENV
+
+      - name: Login to Quay.io
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.quay_username }}
+          password: ${{ secrets.quay_password }}
+        if: ${{ inputs.quay_image_name && inputs.push }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.ghcr_username }}
+          password: ${{ secrets.ghcr_password }}
+        if: ${{ inputs.ghcr_image_name && inputs.push }}
+
+      - name: Login to dockerhub Container Registry
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        with:
+          username: ${{ secrets.docker_username }}
+          password: ${{ secrets.docker_password }}
+        if: ${{ inputs.docker_image_name && inputs.push }}
+
+      - name: Build and push container image
+        id: image
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 #v4.0.0
+        with:
+          context: .
+          platforms: ${{ inputs.platforms }}
+          push: ${{ inputs.push }}
+          tags: ${{ env.TAGS }}
+          target: ${{ inputs.target }}
+          provenance: false
+          sbom: false
+ 
+      - name: Sign container images
+        run: |
+          for signing_tag in $SIGNING_TAGS; do
+            cosign sign \
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "sha=${{ github.sha }}" \
+            -y \
+            "$signing_tag"@${{ steps.image.outputs.digest }}
+          done
+        if: ${{ inputs.push }}
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -9,89 +9,109 @@ on:
      - master
    types: [ labeled, unlabeled, opened, synchronize, reopened ]

-env:
-  GOLANG_VERSION: '1.18'
-
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
-  publish:
+  set-vars:
    permissions:
-      contents: write  # for git to push upgrade commit if not already deployed
+      contents: read
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
-    env:
-      GOPATH: /home/runner/work/argo-cd/argo-cd
+    outputs:
+      image-tag: ${{ steps.image.outputs.tag}}
+      platforms: ${{ steps.platforms.outputs.platforms }}
    steps:
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@master
-        with:
-          path: src/github.com/argoproj/argo-cd
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0

-      # get image tag
-      - run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
-        working-directory: ./src/github.com/argoproj/argo-cd
+      - name: Set image tag for ghcr
+        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
        id: image

-      # login
-      - run: |
-          docker login ghcr.io --username $USERNAME --password $PASSWORD
-          docker login quay.io --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
-        if: github.event_name == 'push'
-        env:
-          USERNAME: ${{ secrets.USERNAME }}
-          PASSWORD: ${{ secrets.TOKEN }}
-          DOCKER_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
-          DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
-
-      # build
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
-      - run: |
+      - name: Determine image platforms to use
+        id: platforms
+        run: |
          IMAGE_PLATFORMS=linux/amd64
-          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
+          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]]
          then
            IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
          fi
          echo "Building image for platforms: $IMAGE_PLATFORMS"
-          docker buildx build --platform $IMAGE_PLATFORMS --push="${{ github.event_name == 'push' }}" \
-            -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} \
-            -t quay.io/argoproj/argocd:latest .
-        working-directory: ./src/github.com/argoproj/argo-cd
+          echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT

-      # sign container images
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.13.0'
+  build-only:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: 1.19
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: false

-      - name: Sign Argo CD latest image
-        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
-          # Displays the public key to share.
-          cosign public-key --key env://COSIGN_PRIVATE_KEY
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ github.event_name == 'push' }}
+  build-and-publish:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: quay.io/argoproj/argocd:latest
+      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: 1.19
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: true
+    secrets:
+      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+      ghcr_username: ${{ github.actor }}
+      ghcr_password: ${{ secrets.GITHUB_TOKEN }}

-      # deploy
+  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
+    needs:
+      - build-and-publish
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
+    with:
+      image: ghcr.io/argoproj/argo-cd/argocd
+      digest: ${{ needs.build-and-publish.outputs.image-digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  Deploy:
+    needs:
+      - build-and-publish
+      - set-vars
+    permissions:
+      contents: write  # for git to push upgrade commit if not already deployed
+      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
-        if: github.event_name == 'push'
        env:
          TOKEN: ${{ secrets.TOKEN }}
      - run: |
-          docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }}
+          docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'
-          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ steps.image.outputs.tag }}' && git push)
-        if: github.event_name == 'push'
+          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push)
        working-directory: argoproj-deployments/argocd
-      # TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-GitHub-Package-Registry/m-p/41202/thread-id/9811
+
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -0,0 +1,70 @@
+name: Init ArgoCD Release
+on:
+  workflow_dispatch:
+    inputs:
+      TARGET_BRANCH:
+        description: 'TARGET_BRANCH to checkout (e.g. release-2.5)'
+        required: true
+        type: string
+
+      TARGET_VERSION:
+        description: 'TARGET_VERSION to build manifests (e.g. 2.5.0-rc1) Note: the `v` prefix is not used'
+        required: true
+        type: string
+
+permissions: {}
+
+jobs:
+  prepare-release:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
+    name: Automatically generate version and manifests on ${{ inputs.TARGET_BRANCH }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b  # v3.2.0
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ref: ${{ inputs.TARGET_BRANCH }}
+
+      - name: Check if TARGET_VERSION is well formed.
+        run: |
+          set -xue
+          # Target version must not contain 'v' prefix
+          if echo "${{ inputs.TARGET_VERSION }}" | grep -e '^v'; then
+            echo "::error::Target version '${{ inputs.TARGET_VERSION }}' should not begin with a 'v' prefix, refusing to continue." >&2
+            exit 1
+          fi
+
+      - name: Create VERSION information
+        run: |
+          set -ue
+          echo "Bumping version from $(cat VERSION) to ${{ inputs.TARGET_VERSION }}"
+          echo "${{ inputs.TARGET_VERSION }}" > VERSION
+
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
+
+      - name: Generate new set of manifests
+        run: |
+          set -ue
+          make install-codegen-tools-local
+          make manifests-local VERSION=${{ inputs.TARGET_VERSION }}
+          git diff
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54  # v4.2.4
+        with:
+          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
+          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
+          body: Updating VERSION and manifests to ${{ inputs.TARGET_VERSION }}
+          branch: update-version
+          branch-suffix: random
+          signoff: true
+          labels: release
+
+
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -0,0 +1,29 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types: [opened, edited, reopened, synchronize]
+
+# IMPORTANT: No checkout actions, scripts, or builds should be added to this workflow. Permissions should always be used
+# with extreme caution. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+permissions: {}
+
+# PR updates can happen in quick succession leading to this
+# workflow being trigger a number of times. This limits it
+# to one run per PR.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+
+jobs:
+  validate:
+    permissions:
+      contents: read
+      pull-requests: read
+    name: Validate PR Title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: thehanimo/pr-title-checker@cdafc664bf9b25678d4e6df76ff67b2fe21bb5d2 # v1.3.7
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          configuration_path: ".github/pr-title-checker-config.json"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,259 +1,157 @@
-name: Create ArgoCD release
+name: Publish ArgoCD Release
 on:
  push:
    tags:
-      - "release-v*"
-      - "!release-v1.5*"
-      - "!release-v1.4*"
-      - "!release-v1.3*"
-      - "!release-v1.2*"
-      - "!release-v1.1*"
-      - "!release-v1.0*"
-      - "!release-v0*"
+      - 'v*'
+      - '!v2.4*'
+      - '!v2.5*'
+      - '!v2.6*'
+
+permissions: {}

 env:
-    GOLANG_VERSION: '1.18'
-
-permissions:
-  contents: read
+  GOLANG_VERSION: '1.19' # Note: go-version must also be set in job argocd-image.with.go-version

 jobs:
-  prepare-release:
+  argocd-image:
    permissions:
-      contents: write # To push changes to release branch
-    name: Perform automatic release on trigger ${{ github.ref }}
+      contents: read
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # used to push images to `ghcr.io` if used.
+    if: github.repository == 'argoproj/argo-cd'
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: 1.19
+      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+      push: true
+    secrets:
+      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+
+  argocd-image-provenance:
+      needs: [argocd-image]
+      permissions:
+        actions: read # for detecting the Github Actions environment.
+        id-token: write # for creating OIDC tokens for signing.
+        packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+      # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+      if: github.repository == 'argoproj/argo-cd'
+      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
+      with:
+        image: quay.io/argoproj/argocd
+        digest: ${{ needs.argocd-image.outputs.image-digest }}
+      secrets:
+        registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+        registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+
+  goreleaser:
+    needs:
+      - argocd-image
+      - argocd-image-provenance
+    permissions:
+      contents: write # used for uploading assets
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
-    env:
-      # The name of the tag as supplied by the GitHub event
-      SOURCE_TAG: ${{ github.ref }}
-      # The image namespace where Docker image will be published to
-      IMAGE_NAMESPACE: quay.io/argoproj
-      # Whether to create & push image and release assets
-      DRY_RUN: false
-      # Whether a draft release should be created, instead of public one
-      DRAFT_RELEASE: false
-      # Whether to update homebrew with this release as well
-      # Set RELEASE_HOMEBREW_TOKEN secret in repository for this to work - needs
-      # access to public repositories
-      UPDATE_HOMEBREW: false
-      # Name of the GitHub user for Git config
-      GIT_USERNAME: argo-bot
-      # E-Mail of the GitHub user for Git config
-      GIT_EMAIL: argoproj@gmail.com
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

-      - name: Check if the published tag is well formed and setup vars
+      - name: Fetch all tags
+        run: git fetch --force --tags
+
+      - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in realease branches.
        run: |
          set -xue
-          # Target version must match major.minor.patch and optional -rcX suffix
-          # where X must be a number.
-          TARGET_VERSION=${SOURCE_TAG#*release-v}
-          if ! echo "${TARGET_VERSION}" | egrep '^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)*$'; then
-            echo "::error::Target version '${TARGET_VERSION}' is malformed, refusing to continue." >&2
-            exit 1
+          if echo ${{ github.ref_name }} | grep -E -- '-rc1+$';then
+            echo "GORELEASER_PREVIOUS_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n 2 | head -n 1)" >> $GITHUB_ENV
+          else
+            echo "This is not the first release on the branch, Using GoReleaser defaults"
          fi

-          # Target branch is the release branch we're going to operate on
-          # Its name is 'release-<major>.<minor>'
-          TARGET_BRANCH="release-${TARGET_VERSION%\.[0-9]*}"
-
-          # The release tag is the source tag, minus the release- prefix
-          RELEASE_TAG="${SOURCE_TAG#*release-}"
-
-          # Whether this is a pre-release (indicated by -rc suffix)
-          PRE_RELEASE=false
-          if echo "${RELEASE_TAG}" | egrep -- '-rc[0-9]+$'; then
-            PRE_RELEASE=true
-          fi
-
-          # We must not have a release trigger within the same release branch,
-          # because that means a release for this branch is already running.
-          if git tag -l | grep "release-v${TARGET_VERSION%\.[0-9]*}" | grep -v "release-v${TARGET_VERSION}"; then
-            echo "::error::Another release for branch ${TARGET_BRANCH} is currently in progress."
-            exit 1
-          fi
-
-          # Ensure that release do not yet exist
-          if git rev-parse ${RELEASE_TAG}; then
-            echo "::error::Release tag ${RELEASE_TAG} already exists in repository. Refusing to continue."
-            exit 1
-          fi
-
-          # Make the variables available in follow-up steps
-          echo "TARGET_VERSION=${TARGET_VERSION}" >> $GITHUB_ENV
-          echo "TARGET_BRANCH=${TARGET_BRANCH}" >> $GITHUB_ENV
-          echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV
-          echo "PRE_RELEASE=${PRE_RELEASE}" >> $GITHUB_ENV
-
-      - name: Check if our release tag has a correct annotation
-        run: |
-          set -ue
-          # Fetch all tag information as well
-          git fetch --prune --tags --force
-
-          echo "=========== BEGIN COMMIT MESSAGE ============="
-          git show ${SOURCE_TAG}
-          echo "============ END COMMIT MESSAGE =============="
-
-          # Quite dirty hack to get the release notes from the annotated tag
-          # into a temporary file.
-          RELEASE_NOTES=$(mktemp -p /tmp release-notes.XXXXXX)
-
-          prefix=true
-          begin=false
-          git show ${SOURCE_TAG} | while read line; do
-            # Whatever is in commit history for the tag, we only want that
-            # annotation from our tag. We discard everything else.
-            if test "$begin" = "false"; then
-              if echo "$line" | grep -q "tag ${SOURCE_TAG#refs/tags/}"; then begin="true"; fi
-              continue
-            fi
-            if test "$prefix" = "true"; then
-                  if test -z "$line"; then prefix=false; fi
-            else
-                  if echo "$line" | egrep -q '^commit [0-9a-f]+'; then
-                          break
-                  fi
-                  echo "$line" >> ${RELEASE_NOTES}
-            fi
-          done
-
-          # For debug purposes
-          echo "============BEGIN RELEASE NOTES================="
-          cat ${RELEASE_NOTES}
-          echo "=============END RELEASE NOTES=================="
-
-          # Too short release notes are suspicious. We need at least 100 bytes.
-          relNoteLen=$(stat -c '%s' $RELEASE_NOTES)
-          if test $relNoteLen -lt 100; then
-            echo "::error::No release notes provided in tag annotation (or tag is not annotated)"
-            exit 1
-          fi
-
-          # Check for magic string '## Quick Start' in head of release notes
-          if ! head -2 ${RELEASE_NOTES} | grep -iq '## Quick Start'; then
-            echo "::error::Release notes seem invalid, quick start section not found."
-            exit 1
-          fi
-
-          # We store path to temporary release notes file for later reading, we
-          # need it when creating release.
-          echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
-
      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}

-      - name: Setup Git author information
+      - name: Set environment variables for ldflags
+        id: set_ldflag
        run: |
-          set -ue
-          git config --global user.email "${GIT_EMAIL}"
-          git config --global user.name "${GIT_USERNAME}"
+          echo "KUBECTL_VERSION=$(go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)" >> $GITHUB_ENV
+          echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV

-      - name: Checkout corresponding release branch
-        run: |
-          set -ue
-          echo "Switching to release branch '${TARGET_BRANCH}'"
-          if ! git checkout ${TARGET_BRANCH}; then
-            echo "::error::Checking out release branch '${TARGET_BRANCH}' for target version '${TARGET_VERSION}' (tagged '${RELEASE_TAG}') failed. Does it exist in repo?"
-            exit 1
-          fi
-
-      - name: Create VERSION information
-        run: |
-          set -ue
-          echo "Bumping version from $(cat VERSION) to ${TARGET_VERSION}"
-          echo "${TARGET_VERSION}" > VERSION
-          git commit -m "Bump version to ${TARGET_VERSION}" VERSION
-
-      - name: Generate new set of manifests
-        run: |
-          set -ue
-          make install-codegen-tools-local
-          make manifests-local VERSION=${TARGET_VERSION}
-          git diff
-          git commit manifests/ -m "Bump version to ${TARGET_VERSION}"
-
-      - name: Create the release tag
-        run: |
-          set -ue
-          echo "Creating release ${RELEASE_TAG}"
-          git tag ${RELEASE_TAG}
-
-      - name: Login to docker repositories
-        env:
-          DOCKER_USERNAME: ${{ secrets.RELEASE_DOCKERHUB_USERNAME }}
-          DOCKER_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
-          QUAY_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
-          QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
-        run: |
-          set -ue
-          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
-          # Remove the following when Docker Hub is gone
-          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
-      - name: Build and push Docker image for release
-        run: |
-          set -ue
-          git clean -fd
-          mkdir -p dist/
-          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
-          make release-cli
-          make checksums
-          chmod +x ./dist/argocd-linux-amd64
-          ./dist/argocd-linux-amd64 version --client
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        id: run-goreleaser
        with:
-          cosign-release: 'v1.13.0'
-
-      - name: Sign Argo CD container images and assets
-        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
-          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
-          # Retrieves the public key to release as an asset
-          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Read release notes file
-        id: release-notes
-        uses: juliangruber/read-file-action@v1
-        with:
-          path: ${{ env.RELEASE_NOTES }}
-
-      - name: Push changes to release branch
-        run: |
-          set -ue
-          git push origin ${TARGET_BRANCH}
-          git push origin ${RELEASE_TAG}
-
-      - name: Dry run GitHub release
-        uses: actions/create-release@v1
+          version: latest
+          args: release --clean --timeout 55m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        id: create_release
+          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }} 
+          GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}
+
+      - name: Generate subject for provenance
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          if test "$hashes" = ""; then # goreleaser < v1.13.0
+            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+            hashes=$(cat $checksum_file | base64 -w0)
+          fi
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+  goreleaser-provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # for detecting the Github Actions environment
+      id-token: write # Needed for provenance signing and ID
+      contents: write #  Needed for release uploads
+    if: github.repository == 'argoproj/argo-cd'
+    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      provenance-name: "argocd-cli.intoto.jsonl"
+      upload-assets: true
+
+  generate-sbom:
+    name: Create Sbom and sign assets
+    needs:
+      - argocd-image
+      - goreleaser
+    permissions:
+      contents: write # Needed for release uploads
+      id-token: write # Needed for signing Sbom
+    if: github.repository == 'argoproj/argo-cd'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
-          tag_name: ${{ env.RELEASE_TAG }}
-          release_name: ${{ env.RELEASE_TAG }}
-          draft: ${{ env.DRAFT_RELEASE }}
-          prerelease: ${{ env.PRE_RELEASE }}
-          body: ${{ steps.release-notes.outputs.content }}
-        if: ${{ env.DRY_RUN == 'true' }}
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Golang
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        with:
+          cosign-release: 'v2.0.0'

      - name: Generate SBOM (spdx)
        id: spdx-builder
@@ -264,9 +162,9 @@ jobs:
          SIGS_BOM_VERSION: v0.2.1
          # comma delimited list of project relative folders to inspect for package
          # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: ".,./ui" 
+          PROJECT_FOLDERS: ".,./ui"
          # full qualified name of the docker image to be inspected
-          DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
+          DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
        run: |
          yarn install --cwd ./ui
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
@@ -284,44 +182,101 @@ jobs:
          fi

          cd /tmp && tar -zcf sbom.tar.gz *.spdx
-        if: ${{ env.DRY_RUN != 'true' }}

-      - name: Sign sbom
+      - name: Sign SBOM
        run: |
-          cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ env.DRY_RUN != 'true' }}
+          cosign sign-blob \
+            --output-certificate=/tmp/sbom.tar.gz.pem \
+            --output-signature=/tmp/sbom.tar.gz.sig \
+            -y \
+            /tmp/sbom.tar.gz

-      - name: Create GitHub release
-        uses: softprops/action-gh-release@v1
+      - name: Upload SBOM and signature assets
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
-          name: ${{ env.RELEASE_TAG }}
-          tag_name: ${{ env.RELEASE_TAG }}
-          draft: ${{ env.DRAFT_RELEASE }}
-          prerelease: ${{ env.PRE_RELEASE }}
-          generate_release_notes: true
-          body: ${{ steps.release-notes.outputs.content }}  # Pre-pended to the generated notes
          files: |
-            dist/argocd-*
-            /tmp/sbom.tar.gz
-            /tmp/sbom.tar.gz.sig
-        if: ${{ env.DRY_RUN != 'true' }}
+            /tmp/sbom.tar.*

-      - name: Update homebrew formula
-        env:
-          HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}
-        uses: dawidd6/action-homebrew-bump-formula@v3
+  post-release:
+    needs:
+      - argocd-image
+      - goreleaser
+      - generate-sbom
+    permissions:
+      contents: write # Needed to push commit to update stable tag
+      pull-requests: write # Needed to create PR for VERSION update.
+    if: github.repository == 'argoproj/argo-cd'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
-          token: ${{env.HOMEBREW_TOKEN}}
-          formula: argocd
-        if: ${{ env.HOMEBREW_TOKEN != '' && env.UPDATE_HOMEBREW == 'true' && env.PRE_RELEASE != 'true' }}
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}

-      - name: Delete original request tag from repository
+      - name: Setup Git author information
        run: |
          set -ue
-          git push --delete origin ${SOURCE_TAG}
-        if: ${{ always() }}
+          git config --global user.email 'ci@argoproj.com'
+          git config --global user.name 'CI'
+
+      - name: Check if tag is the latest version and not a pre-release
+        run: |
+          set -xue
+          # Fetch all tag information
+          git fetch --prune --tags --force
+
+          LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)
+
+          PRE_RELEASE=false
+          # Check if latest tag is a pre-release
+          if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then
+            PRE_RELEASE=true
+          fi
+
+          # Ensure latest tag matches github.ref_name & not a pre-release
+          if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then
+            echo "TAG_STABLE=true" >> $GITHUB_ENV
+          else
+            echo "TAG_STABLE=false" >> $GITHUB_ENV
+          fi
+
+      - name: Update stable tag to latest version
+        run: |
+          git tag -f stable ${{ github.ref_name }}
+          git push -f origin stable
+        if: ${{ env.TAG_STABLE == 'true' }}
+
+      - name: Check to see if VERSION should be updated on master branch
+        run: |
+          set -xue
+          SOURCE_TAG=${{ github.ref_name }}
+          VERSION_REF="${SOURCE_TAG#*v}"
+          if echo "$VERSION_REF" | grep -E -- '^[0-9]+\.[0-9]+\.0$';then
+            VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${VERSION_REF}")
+            echo "Updating VERSION to: $VERSION"
+            echo "UPDATE_VERSION=true" >> $GITHUB_ENV
+            echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV
+          else
+            echo "Not updating VERSION"
+            echo "UPDATE_VERSION=false" >> $GITHUB_ENV
+          fi
+
+      - name: Update VERSION on master branch
+        run: |
+          echo ${{ env.NEW_VERSION }} > VERSION
+        if: ${{ env.UPDATE_VERSION == 'true' }}
+
+      - name: Create PR to update VERSION on master branch
+        uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
+        with:
+          commit-message: Bump version in master
+          title: "chore: Bump version in master"
+          body: All images built from master should indicate which version we are on track for.
+          signoff: true
+          branch: update-version
+          branch-suffix: random
+          base: master
+        if: ${{ env.UPDATE_VERSION == 'true' }}
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -0,0 +1,67 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: "39 9 * * 2"
+  push:
+    branches: ["master"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+    if: github.repository == 'argoproj/argo-cd'
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2.2.1
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
@@ -31,6 +31,6 @@ jobs:
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'
          git add docs/snyk
-          git commit -m "[Bot] Update Snyk reports" --signoff
+          git commit -m "[Bot] docs: Update Snyk reports" --signoff
          git push --set-upstream origin "$pr_branch"
          gh pr create -B master -H "$pr_branch" --title '[Bot] docs: Update Snyk report' --body ''
--- a/.gitpod.Dockerfile
+++ b/.gitpod.Dockerfile
@@ -1,4 +1,4 @@
-FROM gitpod/workspace-full
+FROM gitpod/workspace-full@sha256:d5787229cd062aceae91109f1690013d3f25062916492fb7f444d13de3186178

 USER root

--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,120 @@
+project_name: argocd
+
+before:
+  hooks:
+    - go mod download
+    - make build-ui
+
+builds:
+  - id: argocd-cli
+    main: ./cmd
+    binary: argocd-{{ .Os}}-{{ .Arch}}
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -v
+    ldflags:
+      - -X github.com/argoproj/argo-cd/v2/common.version={{ .Version }}
+      - -X github.com/argoproj/argo-cd/v2/common.buildDate={{ .Date }}
+      - -X github.com/argoproj/argo-cd/v2/common.gitCommit={{ .FullCommit }}
+      - -X github.com/argoproj/argo-cd/v2/common.gitTreeState={{ .Env.GIT_TREE_STATE }}
+      - -X github.com/argoproj/argo-cd/v2/common.kubectlVersion={{ .Env.KUBECTL_VERSION }}
+      - -extldflags="-static"
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+      - s390x
+      - ppc64le
+    ignore:
+      - goos: darwin
+        goarch: s390x
+      - goos: darwin
+        goarch: ppc64le
+      - goos: windows
+        goarch: s390x
+      - goos: windows
+        goarch: ppc64le
+      - goos: windows
+        goarch: arm64
+
+archives:
+  - id: argocd-archive
+    builds:
+    - argocd-cli
+    name_template: |-
+      {{ .ProjectName }}-{{ .Os }}-{{ .Arch }}
+    format: binary
+
+checksum:
+  name_template: 'cli_checksums.txt'
+  algorithm: sha256
+
+release:
+  prerelease: auto
+  draft: false
+  header: |
+    ## Quick Start
+
+    ### Non-HA:
+
+    ```shell
+    kubectl create namespace argocd
+    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/install.yaml
+    ```
+
+    ### HA:
+
+    ```shell
+    kubectl create namespace argocd
+    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/ha/install.yaml
+    ```
+
+    ## Release Signatures and Provenance
+
+    All Argo CD container images are signed by cosign.  A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets) on how to verify.
+
+
+    ## Upgrading
+
+    If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.
+  footer: |
+    **Full Changelog**: https://github.com/argoproj/argo-cd/compare/{{ .PreviousTag }}...{{ .Tag }}
+    
+    <a href="https://argoproj.github.io/cd/"><img src="https://raw.githubusercontent.com/argoproj/argo-site/master/content/pages/cd/gitops-cd.png" width="25%" ></a>
+
+
+snapshot: #### To be removed for PR
+  name_template: "2.6.0"
+
+changelog:
+  use:
+    github
+  sort: asc
+  abbrev: 0
+  groups: # Regex use RE2 syntax as defined here: https://github.com/google/re2/wiki/Syntax.
+    - title: 'Features'
+      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
+      order: 100
+    - title: 'Bug fixes'
+      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
+      order: 200
+    - title: 'Documentation'
+      regexp: '^.*?docs(\([[:word:]]+\))??!?:.+$'
+      order: 300
+    - title: 'Dependency updates'
+      regexp: '^.*?(feat|fix|chore)\(deps?.+\)!?:.+$'
+      order: 400
+    - title: 'Other work'
+      order: 999
+  filters:
+    exclude:
+      - '^test:'
+      - '^.*?Bump(\([[:word:]]+\))?.+$'
+
+
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+
--- a/.readthedocs.yml
+++ b/.readthedocs.yml
@@ -4,4 +4,8 @@ mkdocs:
  fail_on_warning: false
 python:
  install:
-    - requirements: docs/requirements.txt
+    - requirements: docs/requirements.txt
+build:
+  os: "ubuntu-22.04"
+  tools:
+    python: "3.7"
--- a/11
+++ b/11
@@ -1,10 +1,10 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
+ARG BASE_IMAGE=docker.io/library/ubuntu:22.04@sha256:9a0bdde4188b896a372804be2384015e90e3f84906b750c1a53539b585fbbe7f
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.18 AS builder
+FROM docker.io/library/golang:1.19.6@sha256:7ce31d15a3a4dbf20446cccffa4020d3a2974ad2287d96123f55caf22c7adb71 AS builder

 RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list

@@ -36,6 +36,8 @@ RUN ./install.sh helm-linux && \
 ####################################################################################################
 FROM $BASE_IMAGE AS argocd-base

+LABEL org.opencontainers.image.source="https://github.com/argoproj/argo-cd"
+
 USER root

 ENV ARGOCD_USER_ID=999
@@ -81,7 +83,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:12.18.4 AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:18.15.0@sha256:8d9a875ee427897ef245302e31e2319385b092f1c3368b497e89790f240368f5 AS argocd-ui

 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]
@@ -99,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.18 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.19.6@sha256:7ce31d15a3a4dbf20446cccffa4020d3a2974ad2287d96123f55caf22c7adb71 AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

@@ -130,3 +132,4 @@ RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth

 USER $ARGOCD_USER_ID
+ENTRYPOINT ["/usr/bin/tini", "--"]
--- a/104
+++ b/104
@@ -64,13 +64,20 @@ else
 DOCKER_SRC_MOUNT="$(PWD):/go/src/github.com/argoproj/argo-cd$(VOLUME_MOUNT)"
 endif

+# User and group IDs to map to the test container
+CONTAINER_UID=$(shell id -u)
+CONTAINER_GID=$(shell id -g)
+
+# Set SUDO to sudo to run privileged commands with sudo
+SUDO?=
+
 # Runs any command in the argocd-test-utils container in server mode
 # Server mode container will start with uid 0 and drop privileges during runtime
 define run-in-test-server
-	docker run --rm -it \
+	$(SUDO) docker run --rm -it \
 		--name argocd-test-server \
-		-u $(shell id -u):$(shell id -g) \
-		-e USER_ID=$(shell id -u) \
+		-u $(CONTAINER_UID):$(CONTAINER_GID) \
+		-e USER_ID=$(CONTAINER_UID) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e GOCACHE=/tmp/go-build-cache \
@@ -98,9 +105,9 @@ endef

 # Runs any command in the argocd-test-utils container in client mode
 define run-in-test-client
-	docker run --rm -it \
+	$(SUDO) docker run --rm -it \
 	  --name argocd-test-client \
-		-u $(shell id -u):$(shell id -g) \
+		-u $(CONTAINER_UID):$(CONTAINER_GID) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) \
@@ -119,7 +126,7 @@ endef

 #
 define exec-in-test-server
-	docker exec -it -u $(shell id -u):$(shell id -g) -e ARGOCD_E2E_RECORD=$(ARGOCD_E2E_RECORD) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
+	$(SUDO) docker exec -it -u $(CONTAINER_UID):$(CONTAINER_GID) -e ARGOCD_E2E_RECORD=$(ARGOCD_E2E_RECORD) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
 endef

 PATH:=$(PATH):$(PWD)/hack
@@ -139,7 +146,8 @@ override LDFLAGS += \
  -X ${PACKAGE}.buildDate=${BUILD_DATE} \
  -X ${PACKAGE}.gitCommit=${GIT_COMMIT} \
  -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}\
-  -X ${PACKAGE}.kubectlVersion=${KUBECTL_VERSION}
+  -X ${PACKAGE}.kubectlVersion=${KUBECTL_VERSION}\
+  -X "${PACKAGE}.extraBuildInfo=${EXTRA_BUILD_INFO}"

 ifeq (${STATIC_BUILD}, true)
 override LDFLAGS += -extldflags "-static"
@@ -212,7 +220,7 @@ clidocsgen: ensure-gopath


 .PHONY: codegen-local
-codegen-local: ensure-gopath mod-vendor-local notification-docs notification-catalog gogen protogen clientgen openapigen clidocsgen manifests-local
+codegen-local: ensure-gopath mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
 	rm -rf vendor/

 .PHONY: codegen
@@ -225,11 +233,11 @@ cli: test-tools-image

 .PHONY: cli-local
 cli-local: clean-debug
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd

 .PHONY: gen-resources-cli-local
 gen-resources-cli-local: clean-debug
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${GEN_RESOURCES_CLI_NAME} ./hack/gen-resources/cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${GEN_RESOURCES_CLI_NAME} ./hack/gen-resources/cmd

 .PHONY: release-cli
 release-cli: clean-debug build-ui
@@ -244,8 +252,8 @@ release-cli: clean-debug build-ui
 .PHONY: test-tools-image
 test-tools-image:
 ifndef SKIP_TEST_TOOLS_IMAGE
-	docker build --build-arg UID=$(shell id -u) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
-	docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
+	$(SUDO) docker build --build-arg UID=$(CONTAINER_UID) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
+	$(SUDO) docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
 endif

 .PHONY: manifests-local
@@ -259,19 +267,19 @@ manifests: test-tools-image
 # consolidated binary for cli, util, server, repo-server, controller
 .PHONY: argocd-all
 argocd-all: clean-debug
-	CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
+	CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd

 .PHONY: server
 server: clean-debug
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd

 .PHONY: repo-server
 repo-server:
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd

 .PHONY: controller
 controller:
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd

 .PHONY: build-ui
 build-ui:
@@ -287,7 +295,7 @@ ifeq ($(DEV_IMAGE), true)
 IMAGE_TAG="dev-$(shell git describe --always --dirty)"
 image: build-ui
 	DOCKER_BUILDKIT=1 docker build --platform=linux/amd64 -t argocd-base --target argocd-base .
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-application-controller
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-repo-server
@@ -326,7 +334,7 @@ mod-vendor: test-tools-image
 mod-vendor-local: mod-download-local
 	go mod vendor

-# Deprecated - replace by install-local-tools
+# Deprecated - replace by install-tools-local
 .PHONY: install-lint-tools
 install-lint-tools:
 	./hack/install.sh lint-tools
@@ -361,7 +369,7 @@ build: test-tools-image
 # Build all Go code (local version)
 .PHONY: build-local
 build-local:
-	go build -v `go list ./... | grep -v 'resource_customizations\|test/e2e'`
+	GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v `go list ./... | grep -v 'resource_customizations\|test/e2e'`

 # Run all unit tests
 #
@@ -512,7 +520,7 @@ build-docs-local:

 .PHONY: build-docs
 build-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'

 .PHONY: serve-docs-local
 serve-docs-local:
@@ -520,7 +528,7 @@ serve-docs-local:

 .PHONY: serve-docs
 serve-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}/site:/site -w /site --entrypoint "" ${MKDOCS_DOCKER_IMAGE} python3 -m http.server --bind 0.0.0.0 8000


 # Verify that kubectl can connect to your K8s cluster from Docker
@@ -572,7 +580,7 @@ list:

 .PHONY: applicationset-controller
 applicationset-controller:
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-applicationset-controller ./cmd
+	GODEBUG="tarinsecurepath=0,zipinsecurepath=0" CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-applicationset-controller ./cmd

 .PHONY: checksums
 checksums:
@@ -589,3 +597,55 @@ snyk-non-container-tests:
 .PHONY: snyk-report
 snyk-report:
 	./hack/snyk-report.sh $(target_branch)
+
+.PHONY: help
+help:
+	@echo 'Note: Generally an item w/ (-local) will run inside docker unless you use the -local variant'
+	@echo
+	@echo 'Common targets'
+	@echo
+	@echo 'all -- make cli and image'
+	@echo
+	@echo 'components:'
+	@echo '  applicationset-controller -- applicationset controller'
+	@echo '  cli(-local)               -- argocd cli program'
+	@echo '  controller                -- controller (orchestrator)'
+	@echo '  repo-server               -- repo server (manage repository instances)'
+	@echo '  server                    -- argocd web application'
+	@echo
+	@echo 'build:'
+	@echo '  image                     -- make image of the following items'
+	@echo '  build(-local)             -- compile go'
+	@echo '  build-docs(-local)        -- build docs'
+	@echo '  build-ui                  -- compile typescript'
+	@echo
+	@echo 'run:'
+	@echo '  run                       -- run the components locally'
+	@echo '  serve-docs(-local)        -- expose the documents for viewing in a browser'
+	@echo
+	@echo 'release:'
+	@echo '  release-cli'
+	@echo '  release-precheck'
+	@echo '  checksums'
+	@echo
+	@echo 'docs:'
+	@echo '  build-docs(-local)'
+	@echo '  serve-docs(-local)'
+	@echo '  notification-docs'
+	@echo '  clidocsgen'
+	@echo
+	@echo 'testing:'
+	@echo '  test(-local)'
+	@echo '  start-e2e(-local)'
+	@echo '  test-e2e(-local)'
+	@echo '  test-race(-local)'
+	@echo
+	@echo 'debug:'
+	@echo '  list -- list all make targets'
+	@echo '  install-tools-local -- install all the tools below'
+	@echo '  install-lint-tools(-local)'
+	@echo
+	@echo 'codegen:'
+	@echo '  codegen(-local) -- if using -local, run the following targets first'
+	@echo '  install-codegen-tools-local -- run this to install the codegen tools'
+	@echo '  install-go-tools-local -- run this to install go libraries for codegen'
--- a/3
+++ b/3
@@ -27,3 +27,6 @@ reviewers:
 - wanghong230
 - ciiay
 - saumeya
+- zachaller
+- 34fathombelow
+- alexef
--- a/14
+++ b/14
@@ -1,12 +1,12 @@
-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
-api-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
-redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" == 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:$(grep "image: redis" manifests/base/redis/argocd-redis-deployment.yaml | cut -d':' -f3) --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
-repo-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
-cmp-server: [ "$ARGOCD_E2E_TEST" == 'true' ] && exit 0 || [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" = 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:$(grep "image: redis" manifests/base/redis/argocd-redis-deployment.yaml | cut -d':' -f3) --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
+repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_ASK_PASS_SOCK=/tmp/applicationset-ask-pass.sock ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug"
+applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug"
--- a/README.md
+++ b/README.md
@@ -1,5 +1,18 @@
-[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22) [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack) [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd) [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486) [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+**Releases:**
+[![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo-cd)](https://artifacthub.io/packages/helm/argo/argo-cd)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
+
+**Code:** 
+[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22)
+[![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd?ref=badge_shield)
+
+**Social:**
+[![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+[![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)

 # Argo CD - Declarative Continuous Delivery for Kubernetes

@@ -69,7 +82,7 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 1. [Applied GitOps with Argo CD](https://thenewstack.io/applied-gitops-with-argocd/)
 1. [Solving configuration drift using GitOps with Argo CD](https://www.cncf.io/blog/2020/12/17/solving-configuration-drift-using-gitops-with-argo-cd/)
 1. [Decentralized GitOps over environments](https://blogs.sap.com/2021/05/06/decentralized-gitops-over-environments/)
-1. [How GitOps and Operators mark the rise of Infrastructure-As-Software](https://paytmlabs.com/blog/2021/10/how-to-improve-operational-work-with-operators-and-gitops/)
 1. [Getting Started with ArgoCD for GitOps Deployments](https://youtu.be/AvLuplh1skA)
 1. [Using Argo CD & Datree for Stable Kubernetes CI/CD Deployments](https://youtu.be/17894DTru2Y)
+1. [How to create Argo CD Applications Automatically using ApplicationSet? "Automation of GitOps"](https://amralaayassen.medium.com/how-to-create-argocd-applications-automatically-using-applicationset-automation-of-the-gitops-59455eaf4f72)

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,6 +1,6 @@
 # Security Policy for Argo CD

-Version: **v1.4 (2022-01-23)**
+Version: **v1.5 (2023-03-06)**

 ## Preface

@@ -41,7 +41,7 @@ previous to the most recent one (`N-1`, e.g. `1.7`). With the release of

 We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the
 supported versions, which will contain fixes for security vulnerabilities and
-important bugs. Prior releases might receive critical security fixes on a best
+important bugs. Prior releases might receive critical security fixes on best
 effort basis, however, it cannot be guaranteed that security fixes get
 back-ported to these unsupported versions.

@@ -61,14 +61,28 @@ and disclosure with you. Sometimes, it might take a little longer for us to
 react (e.g. out of office conditions), so please bear with us in these cases.

 We will publish security advisories using the
-[Git Hub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
-feature to keep our community well informed, and will credit you for your
+[GitHub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
+feature to keep our community well-informed, and will credit you for your
 findings (unless you prefer to stay anonymous, of course).

 Please report vulnerabilities by e-mail to the following address:

 * cncf-argo-security@lists.cncf.io

+## Internet Bug Bounty collaboration
+
+We're happy to announce that the Argo project is collaborating with the great
+folks over at
+[Hacker One](https://hackerone.com/) and their
+[Internet Bug Bounty program](https://hackerone.com/ibb)
+to reward the awesome people who find security vulnerabilities in the four
+main Argo projects (CD, Events, Rollouts and Workflows) and then work with
+us to fix and disclose them in a responsible manner.
+
+If you report a vulnerability to us as outlined in this security policy, we
+will work together with you to find out whether your finding is eligible for
+claiming a bounty, and also on how to claim it.
+
 ## Securing your Argo CD Instance

 See the [operator manual security page](docs/operator-manual/security.md) for
--- a/2
+++ b/2
@@ -1,7 +1,7 @@
 # Defined below are the security contacts for this repo.
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
-# INSTRUCTIONS AT https://argo-cd.readthedocs.io/en/latest/security_considerations/#reporting-vulnerabilities
+# INSTRUCTIONS AT https://github.com/argoproj/argo-cd/security/policy

 alexmt
 edlee2121
--- a/USERS.md
+++ b/USERS.md
@@ -11,9 +11,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Adevinta](https://www.adevinta.com/)
 1. [Adfinis](https://adfinis.com)
 1. [Adventure](https://jp.adventurekk.com/)
+1. [Adyen](https://www.adyen.com)
+1. [AirQo](https://airqo.net/)
 1. [Akuity](https://akuity.io/)
+1. [Albert Heijn](https://ah.nl/)
 1. [Alibaba Group](https://www.alibabagroup.com/)
 1. [Allianz Direct](https://www.allianzdirect.de/)
+1. [Amadeus IT Group](https://amadeus.com/)
 1. [Ambassador Labs](https://www.getambassador.io/)
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Ant Group](https://www.antgroup.com/)
@@ -29,18 +33,23 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [BigPanda](https://bigpanda.io)
 1. [BioBox Analytics](https://biobox.io)
 1. [BMW Group](https://www.bmwgroup.com/)
+1. [PT Boer Technology (Btech)](https://btech.id/)
 1. [Boozt](https://www.booztgroup.com/)
 1. [Boticario](https://www.boticario.com.br/)
 1. [Bulder Bank](https://bulderbank.no)
 1. [Camptocamp](https://camptocamp.com)
 1. [Capital One](https://www.capitalone.com)
 1. [CARFAX](https://www.carfax.com)
+1. [CARFAX Europe](https://www.carfax.eu)
 1. [Casavo](https://casavo.com)
 1. [Celonis](https://www.celonis.com/)
 1. [CERN](https://home.cern/)
 1. [Chargetrip](https://chargetrip.com)
 1. [Chime](https://www.chime.com)
 1. [Cisco ET&I](https://eti.cisco.com/)
+1. [Cloud Posse](https://www.cloudposse.com/)
+1. [Cloud Scale](https://cloudscaleinc.com/)
+1. [Cloudmate](https://cloudmt.co.kr/)
 1. [Cobalt](https://www.cobalt.io/)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
@@ -56,6 +65,9 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Deutsche Telekom AG](https://telekom.com)
 1. [Devopsi - Poland Software/DevOps Consulting](https://devopsi.pl/)
 1. [Devtron Labs](https://github.com/devtron-labs/devtron)
+1. [DigitalOcean](https://www.digitalocean.com)
+1. [Divistant](https://divistant.com)
+1. [Doximity](https://www.doximity.com/)
 1. [EDF Renewables](https://www.edf-re.com/)
 1. [edX](https://edx.org)
 1. [Elastic](https://elastic.co/)
@@ -65,6 +77,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [END.](https://www.endclothing.com/)
 1. [Energisme](https://energisme.com/)
 1. [enigmo](https://enigmo.co.jp/)
+1. [Envoy](https://envoy.com/)
+1. [Farfetch](https://www.farfetch.com)
 1. [Faro](https://www.faro.com/)
 1. [Fave](https://myfave.com)
 1. [Flip](https://flip.id)
@@ -75,7 +89,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
 1. [Garner](https://www.garnercorp.com)
 1. [Generali Deutschland AG](https://www.generali.de/)
-2. [Gepardec](https://gepardec.com/)
+1. [Gepardec](https://gepardec.com/)
+1. [GetYourGuide](https://www.getyourguide.com/)
 1. [Gitpod](https://www.gitpod.io)
 1. [Gllue](https://gllue.com)
 1. [gloat](https://gloat.com/)
@@ -85,6 +100,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Gojek](https://www.gojek.io/)
 1. [Greenpass](https://www.greenpass.com.br/)
 1. [Gridfuse](https://gridfuse.com/)
+1. [Groww](https://groww.in)
 1. [Grupo MasMovil](https://grupomasmovil.com/en/)
 1. [Handelsbanken](https://www.handelsbanken.se)
 1. [Healy](https://www.healyworld.net)
@@ -97,7 +113,9 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Ibotta](https://home.ibotta.com)
 1. [IITS-Consulting](https://iits-consulting.de)
 1. [imaware](https://imaware.health)
+1. [Indeed](https://indeed.com)
 1. [Index Exchange](https://www.indexexchange.com/)
+1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Joblift](https://joblift.com/)
@@ -108,6 +126,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Karrot](https://www.daangn.com/)
 1. [Kasa](https://kasa.co.kr/)
 1. [Keeeb](https://www.keeeb.com/)
+1. [KelkooGroup](https://www.kelkoogroup.com)
 1. [Keptn](https://keptn.sh)
 1. [Kinguin](https://www.kinguin.net/)
 1. [KintoHub](https://www.kintohub.com/)
@@ -116,8 +135,11 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Kurly](https://www.kurly.com/)
 1. [LexisNexis](https://www.lexisnexis.com/)
 1. [Lian Chu Securities](https://lczq.com)
+1. [Liatrio](https://www.liatrio.com)
 1. [Lightricks](https://www.lightricks.com/)
 1. [LINE](https://linecorp.com/en/)
+1. [Loom](https://www.loom.com/)
+1. [Lucid Motors](https://www.lucidmotors.com/)
 1. [Lytt](https://www.lytt.co/)
 1. [Magic Leap](https://www.magicleap.com/)
 1. [Majid Al Futtaim](https://www.majidalfuttaim.com/)
@@ -128,9 +150,11 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Max Kelsen](https://www.maxkelsen.com/)
 1. [MeDirect](https://medirect.com.mt/)
 1. [Meican](https://meican.com/)
+1. [Mercedes-Benz Tech Innovation](https://www.mercedes-benz-techinnovation.com/)
 1. [Metanet](http://www.metanet.co.kr/en/)
 1. [MindSpore](https://mindspore.cn)
 1. [Mirantis](https://mirantis.com/)
+1. [Mission Lane](https://missionlane.com)
 1. [mixi Group](https://mixi.co.jp/)
 1. [Moengage](https://www.moengage.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
@@ -142,14 +166,19 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Nextdoor](https://nextdoor.com/)
 1. [Nikkei](https://www.nikkei.co.jp/nikkeiinfo/en/)
 1. [Nitro](https://gonitro.com)
+1. [NYCU, CS IT Center](https://it.cs.nycu.edu.tw)
+1. [Objective](https://www.objective.com.br/)
 1. [OCCMundial](https://occ.com.mx)
 1. [Octadesk](https://octadesk.com)
 1. [omegaUp](https://omegaUp.com)
+1. [Omni](https://omni.se/)
 1. [openEuler](https://openeuler.org)
 1. [openGauss](https://opengauss.org/)
+1. [OpenGov](https://opengov.com)
 1. [openLooKeng](https://openlookeng.io)
 1. [OpenSaaS Studio](https://opensaas.studio)
 1. [Opensurvey](https://www.opensurvey.co.kr/)
+1. [OpsMx](https://opsmx.io)
 1. [OpsVerse](https://opsverse.io)
 1. [Optoro](https://www.optoro.com/)
 1. [Orbital Insight](https://orbitalinsight.com/)
@@ -157,12 +186,17 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Packlink](https://www.packlink.com/)
 1. [Pandosearch](https://www.pandosearch.com/en/home)
 1. [PagerDuty](https://www.pagerduty.com/)
+1. [Patreon](https://www.patreon.com/)
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
+1. [Pigment](https://www.gopigment.com/)
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
+1. [Platform9 Systems](https://platform9.com/)
 1. [Polarpoint.io](https://polarpoint.io)
+1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
+1. [Previder BV](https://previder.nl)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)
 1. [PUBG](https://www.pubg.com)
@@ -172,6 +206,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [RapidAPI](https://www.rapidapi.com/)
 1. [Recreation.gov](https://www.recreation.gov/)
 1. [Red Hat](https://www.redhat.com/)
+1. [Redpill Linpro](https://www.redpill-linpro.com/)
+1. [Reenigne Cloud](https://reenigne.ca)
 1. [reev.com](https://www.reev.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rise](https://www.risecard.eu/)
@@ -181,10 +217,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Saildrone](https://www.saildrone.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
+1. [Sauce Labs](https://saucelabs.com/)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
+1. [SI Analytics](https://si-analytics.ai)
 1. [Skit](https://skit.ai/)
 1. [Skyscanner](https://www.skyscanner.net/)
 1. [Smilee.io](https://smilee.io)
+1. [Smood.ch](https://www.smood.ch/)
 1. [Snapp](https://snapp.ir/)
 1. [Snyk](https://snyk.io/)
 1. [Softway Medical](https://www.softwaymedical.fr/)
@@ -213,6 +252,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Toss](https://toss.im/en)
 1. [Trendyol](https://www.trendyol.com/)
 1. [tru.ID](https://tru.id)
+1. [Trusting Social](https://trustingsocial.com/)
 1. [Twilio SendGrid](https://sendgrid.com)
 1. [tZERO](https://www.tzero.com/)
 1. [UBIO](https://ub.io/)
@@ -220,10 +260,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [ungleich.ch](https://ungleich.ch/)
 1. [Unifonic Inc](https://www.unifonic.com/)
 1. [Universidad Mesoamericana](https://www.umes.edu.gt/)
+1. [Vectra](https://www.vectra.ai)
 1. [Viaduct](https://www.viaduct.ai/)
+1. [Vinted](https://vinted.com/)
 1. [Virtuo](https://www.govirtuo.com/)
 1. [VISITS Technologies](https://visits.world/en)
 1. [Volvo Cars](https://www.volvocars.com/)
+1. [Voyager Digital](https://www.investvoyager.com/)
 1. [VSHN - The DevOps Company](https://vshn.ch/)
 1. [Walkbase](https://www.walkbase.com/)
 1. [Webstores](https://www.webstores.nl)
@@ -232,6 +275,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [WeMo Scooter](https://www.wemoscooter.com/)
 1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
 1. [Witick](https://witick.io/)
+1. [Wolffun Game](https://www.wolffungame.com/)
 1. [WooliesX](https://wooliesx.com.au/)
 1. [Woolworths Group](https://www.woolworthsgroup.com.au/)
 1. [WSpot](https://www.wspot.com.br/)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.5.0
+2.8.0
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -17,6 +17,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"time"

 	log "github.com/sirupsen/logrus"
@@ -25,12 +26,16 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/source"

 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
@@ -41,6 +46,8 @@ import (
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	argoutil "github.com/argoproj/argo-cd/v2/util/argo"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 )

 const (
@@ -52,7 +59,7 @@ const (
 )

 var (
-	preservedAnnotations = []string{
+	defaultPreservedAnnotations = []string{
 		NotifiedAnnotationKey,
 		argov1alpha1.AnnotationKeyRefresh,
 	}
@@ -69,6 +76,8 @@ type ApplicationSetReconciler struct {
 	KubeClientset    kubernetes.Interface
 	utils.Policy
 	utils.Renderer
+
+	EnableProgressiveSyncs bool
 }

 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=get;list;watch;create;update;patch;delete
@@ -134,6 +143,27 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{RequeueAfter: ReconcileRequeueOnValidationError}, nil
 	}

+	// appMap is a name->app collection of Applications in this ApplicationSet.
+	appMap := map[string]argov1alpha1.Application{}
+	// appSyncMap tracks which apps will be synced during this reconciliation.
+	appSyncMap := map[string]bool{}
+
+	if r.EnableProgressiveSyncs && applicationSetInfo.Spec.Strategy != nil {
+		applications, err := r.getCurrentApplications(ctx, applicationSetInfo)
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("failed to get current applications for application set: %w", err)
+		}
+
+		for _, app := range applications {
+			appMap[app.Name] = app
+		}
+
+		appSyncMap, err = r.performProgressiveSyncs(ctx, applicationSetInfo, applications, desiredApplications, appMap)
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("failed to perform progressive sync reconciliation for application set: %w", err)
+		}
+	}
+
 	var validApps []argov1alpha1.Application
 	for i := range desiredApplications {
 		if validateErrors[i] == nil {
@@ -162,6 +192,26 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		)
 	}

+	if r.EnableProgressiveSyncs {
+		// trigger appropriate application syncs if RollingSync strategy is enabled
+		if progressiveSyncsStrategyEnabled(&applicationSetInfo, "RollingSync") {
+			validApps, err = r.syncValidApplications(ctx, &applicationSetInfo, appSyncMap, appMap, validApps)
+
+			if err != nil {
+				_ = r.setApplicationSetStatusCondition(ctx,
+					&applicationSetInfo,
+					argov1alpha1.ApplicationSetCondition{
+						Type:    argov1alpha1.ApplicationSetConditionErrorOccurred,
+						Message: err.Error(),
+						Reason:  argov1alpha1.ApplicationSetReasonSyncApplicationError,
+						Status:  argov1alpha1.ApplicationSetConditionStatusTrue,
+					}, parametersGenerated,
+				)
+				return ctrl.Result{}, err
+			}
+		}
+	}
+
 	if r.Policy.Update() {
 		err = r.createOrUpdateInCluster(ctx, applicationSetInfo, validApps)
 		if err != nil {
@@ -468,7 +518,7 @@ func (r *ApplicationSetReconciler) generateApplications(applicationSetInfo argov
 	return res, applicationSetReason, firstError
 }

-func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager, enableProgressiveSyncs bool) error {
 	if err := mgr.GetFieldIndexer().IndexField(context.TODO(), &argov1alpha1.Application{}, ".metadata.controller", func(rawObj client.Object) []string {
 		// grab the job object, extract the owner...
 		app := rawObj.(*argov1alpha1.Application)
@@ -487,9 +537,11 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		return fmt.Errorf("error setting up with manager: %w", err)
 	}

+	ownsHandler := getOwnsHandlerPredicates(enableProgressiveSyncs)
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&argov1alpha1.ApplicationSet{}).
-		Owns(&argov1alpha1.Application{}).
+		Owns(&argov1alpha1.Application{}, builder.WithPredicates(ownsHandler)).
 		Watches(
 			&source.Kind{Type: &corev1.Secret{}},
 			&clusterSecretEventHandler{
@@ -519,7 +571,7 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 				Namespace: generatedApp.Namespace,
 			},
 			TypeMeta: metav1.TypeMeta{
-				Kind:       "Application",
+				Kind:       application.ApplicationKind,
 				APIVersion: "argoproj.io/v1alpha1",
 			},
 		}
@@ -528,9 +580,20 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 			// Copy only the Application/ObjectMeta fields that are significant, from the generatedApp
 			found.Spec = generatedApp.Spec

+			// allow setting the Operation field to trigger a sync operation on an Application
+			if generatedApp.Operation != nil {
+				found.Operation = generatedApp.Operation
+			}
+
+			preservedAnnotations := make([]string, 0)
+			if applicationSet.Spec.PreservedFields != nil {
+				preservedAnnotations = append(preservedAnnotations, applicationSet.Spec.PreservedFields.Annotations...)
+			}
 			// Preserve specially treated argo cd annotations:
 			// * https://github.com/argoproj/applicationset/issues/180
 			// * https://github.com/argoproj/argo-cd/issues/10500
+			preservedAnnotations = append(preservedAnnotations, defaultPreservedAnnotations...)
+
 			for _, key := range preservedAnnotations {
 				if state, exists := found.ObjectMeta.Annotations[key]; exists {
 					if generatedApp.Annotations == nil {
@@ -726,4 +789,610 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 	return nil
 }

+func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application, appMap map[string]argov1alpha1.Application) (map[string]bool, error) {
+
+	appDependencyList, appStepMap, err := r.buildAppDependencyList(ctx, appset, desiredApplications)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build app dependency list: %w", err)
+	}
+
+	_, err = r.updateApplicationSetApplicationStatus(ctx, &appset, applications, appStepMap)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update applicationset app status: %w", err)
+	}
+
+	log.Infof("ApplicationSet %v step list:", appset.Name)
+	for i, step := range appDependencyList {
+		log.Infof("step %v: %+v", i+1, step)
+	}
+
+	appSyncMap, err := r.buildAppSyncMap(ctx, appset, appDependencyList, appMap)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build app sync map: %w", err)
+	}
+
+	log.Infof("Application allowed to sync before maxUpdate?: %+v", appSyncMap)
+
+	_, err = r.updateApplicationSetApplicationStatusProgress(ctx, &appset, appSyncMap, appStepMap, appMap)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update applicationset application status progress: %w", err)
+	}
+
+	_, err = r.updateApplicationSetApplicationStatusConditions(ctx, &appset)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update applicationset application status conditions: %w", err)
+	}
+
+	return appSyncMap, nil
+}
+
+// this list tracks which Applications belong to each RollingUpdate step
+func (r *ApplicationSetReconciler) buildAppDependencyList(ctx context.Context, applicationSet argov1alpha1.ApplicationSet, applications []argov1alpha1.Application) ([][]string, map[string]int, error) {
+
+	if applicationSet.Spec.Strategy == nil || applicationSet.Spec.Strategy.Type == "" || applicationSet.Spec.Strategy.Type == "AllAtOnce" {
+		return [][]string{}, map[string]int{}, nil
+	}
+
+	steps := []argov1alpha1.ApplicationSetRolloutStep{}
+	if progressiveSyncsStrategyEnabled(&applicationSet, "RollingSync") {
+		steps = applicationSet.Spec.Strategy.RollingSync.Steps
+	}
+
+	appDependencyList := make([][]string, 0)
+	for range steps {
+		appDependencyList = append(appDependencyList, make([]string, 0))
+	}
+
+	appStepMap := map[string]int{}
+
+	// use applicationLabelSelectors to filter generated Applications into steps and status by name
+	for _, app := range applications {
+		for i, step := range steps {
+
+			selected := true // default to true, assuming the current Application is a match for the given step matchExpression
+
+			allNotInMatched := true // needed to support correct AND behavior between multiple NotIn MatchExpressions
+			notInUsed := false      // since we default to allNotInMatched == true, track whether a NotIn expression was actually used
+
+			for _, matchExpression := range step.MatchExpressions {
+
+				if matchExpression.Operator == "In" {
+					if val, ok := app.Labels[matchExpression.Key]; ok {
+						valueMatched := labelMatchedExpression(val, matchExpression)
+
+						if !valueMatched { // none of the matchExpression values was a match with the Application'ss labels
+							selected = false
+							break
+						}
+					} else {
+						selected = false // no matching label key with In means this Application will not be included in the current step
+						break
+					}
+				} else if matchExpression.Operator == "NotIn" {
+					notInUsed = true // a NotIn selector was used in this matchExpression
+					if val, ok := app.Labels[matchExpression.Key]; ok {
+						valueMatched := labelMatchedExpression(val, matchExpression)
+
+						if !valueMatched { // none of the matchExpression values was a match with the Application's labels
+							allNotInMatched = false
+						}
+					} else {
+						allNotInMatched = false // no matching label key with NotIn means this Application may still be included in the current step
+					}
+				} else { // handle invalid operator selection
+					log.Warnf("skipping AppSet rollingUpdate step Application selection for %q, invalid matchExpression operator provided: %q ", applicationSet.Name, matchExpression.Operator)
+					selected = false
+					break
+				}
+			}
+
+			if notInUsed && allNotInMatched { // check if all NotIn Expressions matched, if so exclude this Application
+				selected = false
+			}
+
+			if selected {
+				appDependencyList[i] = append(appDependencyList[i], app.Name)
+				if val, ok := appStepMap[app.Name]; ok {
+					log.Warnf("AppSet '%v' has a invalid matchExpression that selects Application '%v' label twice, in steps %v and %v", applicationSet.Name, app.Name, val+1, i+1)
+				} else {
+					appStepMap[app.Name] = i
+				}
+			}
+		}
+	}
+
+	return appDependencyList, appStepMap, nil
+}
+
+func labelMatchedExpression(val string, matchExpression argov1alpha1.ApplicationMatchExpression) bool {
+	valueMatched := false
+	for _, value := range matchExpression.Values {
+		if val == value {
+			valueMatched = true
+			break
+		}
+	}
+	return valueMatched
+}
+
+// this map is used to determine which stage of Applications are ready to be updated in the reconciler loop
+func (r *ApplicationSetReconciler) buildAppSyncMap(ctx context.Context, applicationSet argov1alpha1.ApplicationSet, appDependencyList [][]string, appMap map[string]argov1alpha1.Application) (map[string]bool, error) {
+	appSyncMap := map[string]bool{}
+	syncEnabled := true
+
+	// healthy stages and the first non-healthy stage should have sync enabled
+	// every stage after should have sync disabled
+
+	for i := range appDependencyList {
+		// set the syncEnabled boolean for every Application in the current step
+		for _, appName := range appDependencyList[i] {
+			appSyncMap[appName] = syncEnabled
+		}
+
+		// detect if we need to halt before progressing to the next step
+		for _, appName := range appDependencyList[i] {
+
+			idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, appName)
+			if idx == -1 {
+				// no Application status found, likely because the Application is being newly created
+				syncEnabled = false
+				break
+			}
+
+			appStatus := applicationSet.Status.ApplicationStatus[idx]
+
+			if app, ok := appMap[appName]; ok {
+
+				syncEnabled = appSyncEnabledForNextStep(&applicationSet, app, appStatus)
+				if !syncEnabled {
+					break
+				}
+			} else {
+				// application name not found in the list of applications managed by this ApplicationSet, maybe because it's being deleted
+				syncEnabled = false
+				break
+			}
+		}
+	}
+
+	return appSyncMap, nil
+}
+
+func appSyncEnabledForNextStep(appset *argov1alpha1.ApplicationSet, app argov1alpha1.Application, appStatus argov1alpha1.ApplicationSetApplicationStatus) bool {
+
+	if progressiveSyncsStrategyEnabled(appset, "RollingSync") {
+		// we still need to complete the current step if the Application is not yet Healthy or there are still pending Application changes
+		return isApplicationHealthy(app) && appStatus.Status == "Healthy"
+	}
+
+	return true
+}
+
+func progressiveSyncsStrategyEnabled(appset *argov1alpha1.ApplicationSet, strategyType string) bool {
+	if appset.Spec.Strategy == nil || appset.Spec.Strategy.Type != strategyType {
+		return false
+	}
+
+	if strategyType == "RollingSync" && appset.Spec.Strategy.RollingSync == nil {
+		return false
+	}
+
+	return true
+}
+
+func isApplicationHealthy(app argov1alpha1.Application) bool {
+	healthStatusString, syncStatusString, operationPhaseString := statusStrings(app)
+
+	if healthStatusString == "Healthy" && syncStatusString != "OutOfSync" && (operationPhaseString == "Succeeded" || operationPhaseString == "") {
+		return true
+	}
+	return false
+}
+
+func statusStrings(app argov1alpha1.Application) (string, string, string) {
+	healthStatusString := string(app.Status.Health.Status)
+	syncStatusString := string(app.Status.Sync.Status)
+	operationPhaseString := ""
+	if app.Status.OperationState != nil {
+		operationPhaseString = string(app.Status.OperationState.Phase)
+	}
+
+	return healthStatusString, syncStatusString, operationPhaseString
+}
+
+// check the status of each Application's status and promote Applications to the next status if needed
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
+
+	now := metav1.Now()
+	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applications))
+
+	for _, app := range applications {
+
+		healthStatusString, syncStatusString, operationPhaseString := statusStrings(app)
+
+		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, app.Name)
+
+		currentAppStatus := argov1alpha1.ApplicationSetApplicationStatus{}
+
+		if idx == -1 {
+			// AppStatus not found, set default status of "Waiting"
+			currentAppStatus = argov1alpha1.ApplicationSetApplicationStatus{
+				Application:        app.Name,
+				LastTransitionTime: &now,
+				Message:            "No Application status found, defaulting status to Waiting.",
+				Status:             "Waiting",
+				Step:               fmt.Sprint(appStepMap[app.Name] + 1),
+			}
+		} else {
+			// we have an existing AppStatus
+			currentAppStatus = applicationSet.Status.ApplicationStatus[idx]
+		}
+
+		appOutdated := false
+		if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
+			appOutdated = syncStatusString == "OutOfSync"
+		}
+
+		if appOutdated && currentAppStatus.Status != "Waiting" && currentAppStatus.Status != "Pending" {
+			log.Infof("Application %v is outdated, updating its ApplicationSet status to Waiting", app.Name)
+			currentAppStatus.LastTransitionTime = &now
+			currentAppStatus.Status = "Waiting"
+			currentAppStatus.Message = "Application has pending changes, setting status to Waiting."
+			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+		}
+
+		if currentAppStatus.Status == "Pending" {
+			if operationPhaseString == "Succeeded" && app.Status.OperationState.StartedAt.After(currentAppStatus.LastTransitionTime.Time) {
+				log.Infof("Application %v has completed a sync successfully, updating its ApplicationSet status to Progressing", app.Name)
+				currentAppStatus.LastTransitionTime = &now
+				currentAppStatus.Status = "Progressing"
+				currentAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing."
+				currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+			} else if operationPhaseString == "Running" || healthStatusString == "Progressing" {
+				log.Infof("Application %v has entered Progressing status, updating its ApplicationSet status to Progressing", app.Name)
+				currentAppStatus.LastTransitionTime = &now
+				currentAppStatus.Status = "Progressing"
+				currentAppStatus.Message = "Application resource became Progressing, updating status from Pending to Progressing."
+				currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+			}
+		}
+
+		if currentAppStatus.Status == "Waiting" && isApplicationHealthy(app) {
+			log.Infof("Application %v is already synced and healthy, updating its ApplicationSet status to Healthy", app.Name)
+			currentAppStatus.LastTransitionTime = &now
+			currentAppStatus.Status = healthStatusString
+			currentAppStatus.Message = "Application resource is already Healthy, updating status from Waiting to Healthy."
+			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+		}
+
+		if currentAppStatus.Status == "Progressing" && isApplicationHealthy(app) {
+			log.Infof("Application %v has completed Progressing status, updating its ApplicationSet status to Healthy", app.Name)
+			currentAppStatus.LastTransitionTime = &now
+			currentAppStatus.Status = healthStatusString
+			currentAppStatus.Message = "Application resource became Healthy, updating status from Progressing to Healthy."
+			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+		}
+
+		appStatuses = append(appStatuses, currentAppStatus)
+	}
+
+	err := r.setAppSetApplicationStatus(ctx, applicationSet, appStatuses)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set AppSet application statuses: %w", err)
+	}
+
+	return appStatuses, nil
+}
+
+// check Applications that are in Waiting status and promote them to Pending if needed
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet, appSyncMap map[string]bool, appStepMap map[string]int, appMap map[string]argov1alpha1.Application) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
+	now := metav1.Now()
+
+	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applicationSet.Status.ApplicationStatus))
+
+	// if we have no RollingUpdate steps, clear out the existing ApplicationStatus entries
+	if applicationSet.Spec.Strategy != nil && applicationSet.Spec.Strategy.Type != "" && applicationSet.Spec.Strategy.Type != "AllAtOnce" {
+		updateCountMap := []int{}
+		totalCountMap := []int{}
+
+		length := 0
+		if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
+			length = len(applicationSet.Spec.Strategy.RollingSync.Steps)
+		}
+		for s := 0; s < length; s++ {
+			updateCountMap = append(updateCountMap, 0)
+			totalCountMap = append(totalCountMap, 0)
+		}
+
+		// populate updateCountMap with counts of existing Pending and Progressing Applications
+		for _, appStatus := range applicationSet.Status.ApplicationStatus {
+			totalCountMap[appStepMap[appStatus.Application]] += 1
+
+			if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
+				if appStatus.Status == "Pending" || appStatus.Status == "Progressing" {
+					updateCountMap[appStepMap[appStatus.Application]] += 1
+				}
+			}
+		}
+
+		for _, appStatus := range applicationSet.Status.ApplicationStatus {
+
+			maxUpdateAllowed := true
+			maxUpdate := &intstr.IntOrString{}
+			if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
+				maxUpdate = applicationSet.Spec.Strategy.RollingSync.Steps[appStepMap[appStatus.Application]].MaxUpdate
+			}
+
+			// by default allow all applications to update if maxUpdate is unset
+			if maxUpdate != nil {
+				maxUpdateVal, err := intstr.GetScaledValueFromIntOrPercent(maxUpdate, totalCountMap[appStepMap[appStatus.Application]], false)
+				if err != nil {
+					log.Warnf("AppSet '%v' has a invalid maxUpdate value '%+v', ignoring maxUpdate logic for this step: %v", applicationSet.Name, maxUpdate, err)
+				}
+
+				// ensure that percentage values greater than 0% always result in at least 1 Application being selected
+				if maxUpdate.Type == intstr.String && maxUpdate.StrVal != "0%" && maxUpdateVal < 1 {
+					maxUpdateVal = 1
+				}
+
+				if updateCountMap[appStepMap[appStatus.Application]] >= maxUpdateVal {
+					maxUpdateAllowed = false
+					log.Infof("Application %v is not allowed to update yet, %v/%v Applications already updating in step %v in AppSet %v", appStatus.Application, updateCountMap[appStepMap[appStatus.Application]], maxUpdateVal, appStepMap[appStatus.Application]+1, applicationSet.Name)
+				}
+
+			}
+
+			if appStatus.Status == "Waiting" && appSyncMap[appStatus.Application] && maxUpdateAllowed {
+				log.Infof("Application %v moved to Pending status, watching for the Application to start Progressing", appStatus.Application)
+				appStatus.LastTransitionTime = &now
+				appStatus.Status = "Pending"
+				appStatus.Message = "Application moved to Pending status, watching for the Application resource to start Progressing."
+				appStatus.Step = fmt.Sprint(appStepMap[appStatus.Application] + 1)
+
+				updateCountMap[appStepMap[appStatus.Application]] += 1
+			}
+
+			appStatuses = append(appStatuses, appStatus)
+		}
+	}
+
+	err := r.setAppSetApplicationStatus(ctx, applicationSet, appStatuses)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set AppSet app status: %w", err)
+	}
+
+	return appStatuses, nil
+}
+
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusConditions(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet) ([]argov1alpha1.ApplicationSetCondition, error) {
+
+	appSetProgressing := false
+	for _, appStatus := range applicationSet.Status.ApplicationStatus {
+		if appStatus.Status != "Healthy" {
+			appSetProgressing = true
+			break
+		}
+	}
+
+	appSetConditionProgressing := false
+	for _, appSetCondition := range applicationSet.Status.Conditions {
+		if appSetCondition.Type == argov1alpha1.ApplicationSetConditionRolloutProgressing && appSetCondition.Status == argov1alpha1.ApplicationSetConditionStatusTrue {
+			appSetConditionProgressing = true
+			break
+		}
+	}
+
+	if appSetProgressing && !appSetConditionProgressing {
+		_ = r.setApplicationSetStatusCondition(ctx,
+			applicationSet,
+			argov1alpha1.ApplicationSetCondition{
+				Type:    argov1alpha1.ApplicationSetConditionRolloutProgressing,
+				Message: "ApplicationSet Rollout Rollout started",
+				Reason:  argov1alpha1.ApplicationSetReasonApplicationSetModified,
+				Status:  argov1alpha1.ApplicationSetConditionStatusTrue,
+			}, false,
+		)
+	} else if !appSetProgressing && appSetConditionProgressing {
+		_ = r.setApplicationSetStatusCondition(ctx,
+			applicationSet,
+			argov1alpha1.ApplicationSetCondition{
+				Type:    argov1alpha1.ApplicationSetConditionRolloutProgressing,
+				Message: "ApplicationSet Rollout Rollout complete",
+				Reason:  argov1alpha1.ApplicationSetReasonApplicationSetRolloutComplete,
+				Status:  argov1alpha1.ApplicationSetConditionStatusFalse,
+			}, false,
+		)
+	}
+
+	return applicationSet.Status.Conditions, nil
+}
+
+func findApplicationStatusIndex(appStatuses []argov1alpha1.ApplicationSetApplicationStatus, application string) int {
+	for i := range appStatuses {
+		if appStatuses[i].Application == application {
+			return i
+		}
+	}
+	return -1
+}
+
+// setApplicationSetApplicationStatus updates the ApplicatonSet's status field
+// with any new/changed Application statuses.
+func (r *ApplicationSetReconciler) setAppSetApplicationStatus(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet, applicationStatuses []argov1alpha1.ApplicationSetApplicationStatus) error {
+	needToUpdateStatus := false
+	for i := range applicationStatuses {
+		appStatus := applicationStatuses[i]
+		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, appStatus.Application)
+		if idx == -1 {
+			needToUpdateStatus = true
+			break
+		}
+		currentStatus := applicationSet.Status.ApplicationStatus[idx]
+		if currentStatus.Message != appStatus.Message || currentStatus.Status != appStatus.Status {
+			needToUpdateStatus = true
+			break
+		}
+	}
+
+	if needToUpdateStatus {
+		// fetch updated Application Set object before updating it
+		namespacedName := types.NamespacedName{Namespace: applicationSet.Namespace, Name: applicationSet.Name}
+		if err := r.Get(ctx, namespacedName, applicationSet); err != nil {
+			if client.IgnoreNotFound(err) != nil {
+				return nil
+			}
+			return fmt.Errorf("error fetching updated application set: %v", err)
+		}
+
+		for i := range applicationStatuses {
+			applicationSet.Status.SetApplicationStatus(applicationStatuses[i])
+		}
+
+		// Update the newly fetched object with new set of ApplicationStatus
+		err := r.Client.Status().Update(ctx, applicationSet)
+		if err != nil {
+
+			log.Errorf("unable to set application set status: %v", err)
+			return fmt.Errorf("unable to set application set status: %v", err)
+		}
+
+		if err := r.Get(ctx, namespacedName, applicationSet); err != nil {
+			if client.IgnoreNotFound(err) != nil {
+				return nil
+			}
+			return fmt.Errorf("error fetching updated application set: %v", err)
+		}
+	}
+
+	return nil
+}
+
+func (r *ApplicationSetReconciler) syncValidApplications(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet, appSyncMap map[string]bool, appMap map[string]argov1alpha1.Application, validApps []argov1alpha1.Application) ([]argov1alpha1.Application, error) {
+	rolloutApps := []argov1alpha1.Application{}
+	for i := range validApps {
+		pruneEnabled := false
+
+		// ensure that Applications generated with RollingSync do not have an automated sync policy, since the AppSet controller will handle triggering the sync operation instead
+		if validApps[i].Spec.SyncPolicy != nil && validApps[i].Spec.SyncPolicy.Automated != nil {
+			pruneEnabled = validApps[i].Spec.SyncPolicy.Automated.Prune
+			validApps[i].Spec.SyncPolicy.Automated = nil
+		}
+
+		appSetStatusPending := false
+		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, validApps[i].Name)
+		if idx > -1 && applicationSet.Status.ApplicationStatus[idx].Status == "Pending" {
+			// only trigger a sync for Applications that are in Pending status, since this is governed by maxUpdate
+			appSetStatusPending = true
+		}
+
+		// check appSyncMap to determine which Applications are ready to be updated and which should be skipped
+		if appSyncMap[validApps[i].Name] && appMap[validApps[i].Name].Status.Sync.Status == "OutOfSync" && appSetStatusPending {
+			log.Infof("triggering sync for application: %v, prune enabled: %v", validApps[i].Name, pruneEnabled)
+			validApps[i], _ = syncApplication(validApps[i], pruneEnabled)
+		}
+		rolloutApps = append(rolloutApps, validApps[i])
+	}
+	return rolloutApps, nil
+}
+
+// used by the RollingSync Progressive Sync strategy to trigger a sync of a particular Application resource
+func syncApplication(application argov1alpha1.Application, prune bool) (argov1alpha1.Application, error) {
+
+	operation := argov1alpha1.Operation{
+		InitiatedBy: argov1alpha1.OperationInitiator{
+			Username:  "applicationset-controller",
+			Automated: true,
+		},
+		Info: []*argov1alpha1.Info{
+			{
+				Name:  "Reason",
+				Value: "ApplicationSet RollingSync triggered a sync of this Application resource.",
+			},
+		},
+		Sync: &argov1alpha1.SyncOperation{},
+	}
+
+	if application.Spec.SyncPolicy != nil {
+		if application.Spec.SyncPolicy.Retry != nil {
+			operation.Retry = *application.Spec.SyncPolicy.Retry
+		}
+		if application.Spec.SyncPolicy.SyncOptions != nil {
+			operation.Sync.SyncOptions = application.Spec.SyncPolicy.SyncOptions
+		}
+		operation.Sync.Prune = prune
+	}
+	application.Operation = &operation
+
+	return application, nil
+}
+
+func getOwnsHandlerPredicates(enableProgressiveSyncs bool) predicate.Funcs {
+	return predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			// if we are the owner and there is a create event, we most likely created it and do not need to
+			// re-reconcile
+			log.Debugln("received create event from owning an application")
+			return false
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			log.Debugln("received delete event from owning an application")
+			return true
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			log.Debugln("received update event from owning an application")
+			appOld, isApp := e.ObjectOld.(*argov1alpha1.Application)
+			if !isApp {
+				return false
+			}
+			appNew, isApp := e.ObjectNew.(*argov1alpha1.Application)
+			if !isApp {
+				return false
+			}
+			requeue := shouldRequeueApplicationSet(appOld, appNew, enableProgressiveSyncs)
+			log.Debugf("requeue: %t caused by application %s", requeue, appNew.Name)
+			return requeue
+		},
+		GenericFunc: func(e event.GenericEvent) bool {
+			log.Debugln("received generic event from owning an application")
+			return true
+		},
+	}
+}
+
+// shouldRequeueApplicationSet determines when we want to requeue an ApplicationSet for reconciling based on an owned
+// application change
+// The applicationset controller owns a subset of the Application CR.
+// We do not need to re-reconcile if parts of the application change outside the applicationset's control.
+// An example being, Application.ApplicationStatus.ReconciledAt which gets updated by the application controller.
+// Additionally, Application.ObjectMeta.ResourceVersion and Application.ObjectMeta.Generation which are set by K8s.
+func shouldRequeueApplicationSet(appOld *argov1alpha1.Application, appNew *argov1alpha1.Application, enableProgressiveSyncs bool) bool {
+	if appOld == nil || appNew == nil {
+		return false
+	}
+
+	// the applicationset controller owns the application spec, labels, annotations, and finalizers on the applications
+	if !reflect.DeepEqual(appOld.Spec, appNew.Spec) ||
+		!reflect.DeepEqual(appOld.ObjectMeta.GetAnnotations(), appNew.ObjectMeta.GetAnnotations()) ||
+		!reflect.DeepEqual(appOld.ObjectMeta.GetLabels(), appNew.ObjectMeta.GetLabels()) ||
+		!reflect.DeepEqual(appOld.ObjectMeta.GetFinalizers(), appNew.ObjectMeta.GetFinalizers()) {
+		return true
+	}
+
+	// progressive syncs use the application status for updates. if they differ, requeue to trigger the next progression
+	if enableProgressiveSyncs {
+		if appOld.Status.Health.Status != appNew.Status.Health.Status || appOld.Status.Sync.Status != appNew.Status.Sync.Status {
+			return true
+		}
+
+		if appOld.Status.OperationState != nil && appNew.Status.OperationState != nil {
+			if appOld.Status.OperationState.Phase != appNew.Status.OperationState.Phase ||
+				appOld.Status.OperationState.StartedAt != appNew.Status.OperationState.StartedAt {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 var _ handler.EventHandler = &clusterSecretEventHandler{}
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/clustereventhandler.go
+++ b/applicationset/controllers/clustereventhandler.go
@@ -2,6 +2,7 @@ package controllers

 import (
 	"context"
+	"fmt"

 	log "github.com/sirupsen/logrus"

@@ -46,7 +47,6 @@ type addRateLimitingInterface interface {
 }

 func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingInterface, object client.Object) {
-
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
 	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
 		return
@@ -73,6 +73,40 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 				foundClusterGenerator = true
 				break
 			}
+
+			if generator.Matrix != nil {
+				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Matrix.Generators)
+				if err != nil {
+					h.Log.
+						WithFields(log.Fields{
+							"namespace": appSet.GetNamespace(),
+							"name":      appSet.GetName(),
+						}).
+						WithError(err).
+						Error("Unable to check if ApplicationSet matrix generators have cluster generator")
+				}
+				if ok {
+					foundClusterGenerator = true
+					break
+				}
+			}
+
+			if generator.Merge != nil {
+				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Merge.Generators)
+				if err != nil {
+					h.Log.
+						WithFields(log.Fields{
+							"namespace": appSet.GetNamespace(),
+							"name":      appSet.GetName(),
+						}).
+						WithError(err).
+						Error("Unable to check if ApplicationSet merge generators have cluster generator")
+				}
+				if ok {
+					foundClusterGenerator = true
+					break
+				}
+			}
 		}
 		if foundClusterGenerator {

@@ -82,3 +116,50 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 		}
 	}
 }
+
+// nestedGeneratorsHaveClusterGenerator iterate over provided nested generators to check if they have a cluster generator.
+func nestedGeneratorsHaveClusterGenerator(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
+	for _, generator := range generators {
+		if ok, err := nestedGeneratorHasClusterGenerator(generator); ok || err != nil {
+			return ok, err
+		}
+	}
+	return false, nil
+}
+
+// nestedGeneratorHasClusterGenerator checks if the provided generator has a cluster generator.
+func nestedGeneratorHasClusterGenerator(nested argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
+	if nested.Clusters != nil {
+		return true, nil
+	}
+
+	if nested.Matrix != nil {
+		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(nested.Matrix)
+		if err != nil {
+			return false, fmt.Errorf("unable to get nested matrix generator: %w", err)
+		}
+		if nestedMatrix != nil {
+			hasClusterGenerator, err := nestedGeneratorsHaveClusterGenerator(nestedMatrix.ToMatrixGenerator().Generators)
+			if err != nil {
+				return false, fmt.Errorf("error evaluating nested matrix generator: %w", err)
+			}
+			return hasClusterGenerator, nil
+		}
+	}
+
+	if nested.Merge != nil {
+		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(nested.Merge)
+		if err != nil {
+			return false, fmt.Errorf("unable to get nested merge generator: %w", err)
+		}
+		if nestedMerge != nil {
+			hasClusterGenerator, err := nestedGeneratorsHaveClusterGenerator(nestedMerge.ToMergeGenerator().Generators)
+			if err != nil {
+				return false, fmt.Errorf("error evaluating nested merge generator: %w", err)
+			}
+			return hasClusterGenerator, nil
+		}
+	}
+
+	return false, nil
+}
--- a/applicationset/controllers/clustereventhandler_test.go
+++ b/applicationset/controllers/clustereventhandler_test.go
@@ -6,6 +6,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -163,7 +164,6 @@ func TestClusterEventHandler(t *testing.T) {
 				{NamespacedName: types.NamespacedName{Namespace: "another-namespace", Name: "my-app-set"}},
 			},
 		},
-
 		{
 			name: "non-argo cd secret should not match",
 			items: []argov1alpha1.ApplicationSet{
@@ -189,6 +189,348 @@ func TestClusterEventHandler(t *testing.T) {
 			},
 			expectedRequests: []reconcile.Request{},
 		},
+		{
+			name: "a matrix generator with a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Clusters: &argov1alpha1.ClusterGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											List: &argov1alpha1.ListGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a matrix generator with a nested matrix generator containing a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Matrix: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"clusters": {
+															  "selector": {
+																"matchLabels": {
+																  "argocd.argoproj.io/secret-type": "cluster"
+																}
+															  }
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with a nested matrix generator containing non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Matrix: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"list": {
+															  "elements": [
+																"a",
+																"b"
+															  ]
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a merge generator with a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Clusters: &argov1alpha1.ClusterGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											List: &argov1alpha1.ListGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a merge generator with a nested merge generator containing a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Merge: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"clusters": {
+															  "selector": {
+																"matchLabels": {
+																  "argocd.argoproj.io/secret-type": "cluster"
+																}
+															  }
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a merge generator with a nested merge generator containing non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Merge: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"list": {
+															  "elements": [
+																"a",
+																"b"
+															  ]
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
 	}

 	for _, test := range tests {
@@ -231,3 +573,68 @@ type mockAddRateLimitingInterface struct {
 	errorOccurred bool
 	addedItems    []ctrl.Request
 }
+
+func TestNestedGeneratorHasClusterGenerator_NestedClusterGenerator(t *testing.T) {
+	nested := argov1alpha1.ApplicationSetNestedGenerator{
+		Clusters: &argov1alpha1.ClusterGenerator{},
+	}
+
+	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
+
+	assert.Nil(t, err)
+	assert.True(t, hasClusterGenerator)
+}
+
+func TestNestedGeneratorHasClusterGenerator_NestedMergeGenerator(t *testing.T) {
+	nested := argov1alpha1.ApplicationSetNestedGenerator{
+		Merge: &apiextensionsv1.JSON{
+			Raw: []byte(
+				`{
+					"generators": [
+					  {
+						"clusters": {
+						  "selector": {
+							"matchLabels": {
+							  "argocd.argoproj.io/secret-type": "cluster"
+							}
+						  }
+						}
+					  }
+					]
+				  }`,
+			),
+		},
+	}
+
+	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
+
+	assert.Nil(t, err)
+	assert.True(t, hasClusterGenerator)
+}
+
+func TestNestedGeneratorHasClusterGenerator_NestedMergeGeneratorWithInvalidJSON(t *testing.T) {
+	nested := argov1alpha1.ApplicationSetNestedGenerator{
+		Merge: &apiextensionsv1.JSON{
+			Raw: []byte(
+				`{
+					"generators": [
+					  {
+						"clusters": {
+						  "selector": {
+							"matchLabels": {
+							  "argocd.argoproj.io/secret-type": "cluster"
+							}
+						  }
+						}
+					  }
+					]
+				  `,
+			),
+		},
+	}
+
+	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
+
+	assert.NotNil(t, err)
+	assert.False(t, hasClusterGenerator)
+}
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@@ -0,0 +1,152 @@
+package controllers
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/generators"
+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
+	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	dynfake "k8s.io/client-go/dynamic/fake"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func TestRequeueAfter(t *testing.T) {
+	mockServer := &mocks.Repos{}
+	ctx := context.Background()
+	scheme := runtime.NewScheme()
+	err := argov1alpha1.AddToScheme(scheme)
+	assert.Nil(t, err)
+	gvrToListKind := map[schema.GroupVersionResource]string{{
+		Group:    "mallard.io",
+		Version:  "v1",
+		Resource: "ducks",
+	}: "DuckList"}
+	appClientset := kubefake.NewSimpleClientset()
+	k8sClient := fake.NewClientBuilder().Build()
+	duckType := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": "v2quack",
+			"kind":       "Duck",
+			"metadata": map[string]interface{}{
+				"name":      "mightyduck",
+				"namespace": "namespace",
+				"labels":    map[string]interface{}{"duck": "all-species"},
+			},
+			"status": map[string]interface{}{
+				"decisions": []interface{}{
+					map[string]interface{}{
+						"clusterName": "staging-01",
+					},
+					map[string]interface{}{
+						"clusterName": "production-01",
+					},
+				},
+			},
+		},
+	}
+	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
+
+	terminalGenerators := map[string]generators.Generator{
+		"List":                    generators.NewListGenerator(),
+		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
+		"Git":                     generators.NewGitGenerator(mockServer),
+		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}),
+		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
+		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}),
+	}
+
+	nestedGenerators := map[string]generators.Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Matrix":                  generators.NewMatrixGenerator(terminalGenerators),
+		"Merge":                   generators.NewMergeGenerator(terminalGenerators),
+	}
+
+	topLevelGenerators := map[string]generators.Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Matrix":                  generators.NewMatrixGenerator(nestedGenerators),
+		"Merge":                   generators.NewMergeGenerator(nestedGenerators),
+	}
+
+	client := fake.NewClientBuilder().WithScheme(scheme).Build()
+	r := ApplicationSetReconciler{
+		Client:     client,
+		Scheme:     scheme,
+		Recorder:   record.NewFakeRecorder(0),
+		Generators: topLevelGenerators,
+	}
+
+	type args struct {
+		appset *argov1alpha1.ApplicationSet
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    time.Duration
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{name: "Cluster", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
+			},
+		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+		{name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Merge: &argov1alpha1.MergeGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		{name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Matrix: &argov1alpha1.MatrixGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		{name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}},
+			},
+		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset)
+		})
+	}
+}
--- a/applicationset/examples/list-generator/list-elementsYaml-example.yaml
+++ b/applicationset/examples/list-generator/list-elementsYaml-example.yaml
@@ -0,0 +1,14 @@
+key:
+  components:
+    - name: component1
+      chart: podinfo
+      version: "6.3.2"
+      releaseName: component1
+      repoUrl: "https://stefanprodan.github.io/podinfo"
+      namespace: component1
+    - name: component2
+      chart: podinfo
+      version: "6.3.3"
+      releaseName: component2
+      repoUrl: "ghcr.io/stefanprodan/charts"
+      namespace: component2
--- a/applicationset/examples/pull-request-generator/pull-request-example.yaml
+++ b/applicationset/examples/pull-request-generator/pull-request-example.yaml
@@ -23,6 +23,8 @@ spec:
  template:
    metadata:
      name: 'myapp-{{ .branch }}-{{ .number }}'
+      labels:
+        key1: '{{ index .labels 0 }}'
    spec:
      source:
        repoURL: 'https://github.com/myorg/myrepo.git'
--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@@ -51,6 +51,8 @@ func NewClusterGenerator(c client.Client, ctx context.Context, clientset kuberne
 	return g
 }

+// GetRequeueAfter never requeue the cluster generator because the `clusterSecretEventHandler` will requeue the appsets
+// when the cluster secrets change
 func (g *ClusterGenerator) GetRequeueAfter(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) time.Duration {
 	return NoRequeueAfter
 }
--- a/applicationset/generators/generator_spec_processor.go
+++ b/applicationset/generators/generator_spec_processor.go
@@ -2,7 +2,6 @@ package generators

 import (
 	"fmt"
-	"encoding/json"
 	"reflect"

 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
@@ -25,7 +24,7 @@ type TransformResult struct {
 	Template argoprojiov1alpha1.ApplicationSetTemplate
 }

-//Transform a spec generator to list of paramSets and a template
+// Transform a spec generator to list of paramSets and a template
 func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}) ([]TransformResult, error) {
 	selector, err := metav1.LabelSelectorAsSelector(requestedGenerator.Selector)
 	if err != nil {
@@ -132,27 +131,15 @@ func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.
 	return *dest, err
 }

-// Currently for Matrix Generator. Allows interpolating the matrix's 2nd child generator with values from the 1st child generator
+// InterpolateGenerator allows interpolating the matrix's 2nd child generator with values from the 1st child generator
 // "params" parameter is an array, where each index corresponds to a generator. Each index contains a map w/ that generator's parameters.
 func InterpolateGenerator(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, params map[string]interface{}, useGoTemplate bool) (argoprojiov1alpha1.ApplicationSetGenerator, error) {
-	interpolatedGenerator := requestedGenerator.DeepCopy()
-	tmplBytes, err := json.Marshal(interpolatedGenerator)
-	if err != nil {
-		log.WithError(err).WithField("requestedGenerator", interpolatedGenerator).Error("error marshalling requested generator for interpolation")
-		return *interpolatedGenerator, err
-	}
-
 	render := utils.Render{}
-	replacedTmplStr, err := render.Replace(string(tmplBytes), params, useGoTemplate)
+	interpolatedGenerator, err := render.RenderGeneratorParams(requestedGenerator, params, useGoTemplate)
 	if err != nil {
-		log.WithError(err).WithField("interpolatedGeneratorString", replacedTmplStr).Error("error interpolating generator with other generator's parameter")
+		log.WithError(err).WithField("interpolatedGenerator", interpolatedGenerator).Error("error interpolating generator with other generator's parameter")
 		return *interpolatedGenerator, err
 	}

-	err = json.Unmarshal([]byte(replacedTmplStr), interpolatedGenerator)
-	if err != nil {
-		log.WithError(err).WithField("requestedGenerator", interpolatedGenerator).Error("error unmarshalling requested generator for interpolation")
-		return *interpolatedGenerator, err
-	}
 	return *interpolatedGenerator, nil
 }
--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@@ -4,8 +4,10 @@ import (
 	"context"
 	"testing"

+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

@@ -17,8 +19,6 @@ import (
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	crtclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 func TestMatchValues(t *testing.T) {
@@ -69,16 +69,16 @@ func TestMatchValues(t *testing.T) {
 				"List": listGenerator,
 			}

-			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
+			applicationSetInfo := argov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
 				},
-				Spec: argoprojiov1alpha1.ApplicationSetSpec{},
+				Spec: argov1alpha1.ApplicationSetSpec{},
 			}

-			results, err := Transform(argoprojiov1alpha1.ApplicationSetGenerator{
+			results, err := Transform(argov1alpha1.ApplicationSetGenerator{
 				Selector: testCase.selector,
-				List: &argoprojiov1alpha1.ListGenerator{
+				List: &argov1alpha1.ListGenerator{
 					Elements: testCase.elements,
 					Template: emptyTemplate(),
 				}},
@@ -92,8 +92,8 @@ func TestMatchValues(t *testing.T) {
 	}
 }

-func emptyTemplate() argoprojiov1alpha1.ApplicationSetTemplate {
-	return argoprojiov1alpha1.ApplicationSetTemplate{
+func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
+	return argov1alpha1.ApplicationSetTemplate{
 		Spec: argov1alpha1.ApplicationSpec{
 			Project: "project",
 		},
@@ -159,9 +159,9 @@ func getMockClusterGenerator() Generator {
 }

 func getMockGitGenerator() Generator {
-	argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
-	argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
-	var gitGenerator = NewGitGenerator(argoCDServiceMock)
+	argoCDServiceMock := mocks.Repos{}
+	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	var gitGenerator = NewGitGenerator(&argoCDServiceMock)
 	return gitGenerator
 }

@@ -176,8 +176,8 @@ func TestGetRelevantGenerators(t *testing.T) {
 	testGenerators["Merge"] = NewMergeGenerator(testGenerators)
 	testGenerators["List"] = NewListGenerator()

-	requestedGenerator := &argoprojiov1alpha1.ApplicationSetGenerator{
-		List: &argoprojiov1alpha1.ListGenerator{
+	requestedGenerator := &argov1alpha1.ApplicationSetGenerator{
+		List: &argov1alpha1.ListGenerator{
 			Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
 		}}

@@ -185,10 +185,10 @@ func TestGetRelevantGenerators(t *testing.T) {
 	assert.Len(t, relevantGenerators, 1)
 	assert.IsType(t, &ListGenerator{}, relevantGenerators[0])

-	requestedGenerator = &argoprojiov1alpha1.ApplicationSetGenerator{
-		Clusters: &argoprojiov1alpha1.ClusterGenerator{
+	requestedGenerator = &argov1alpha1.ApplicationSetGenerator{
+		Clusters: &argov1alpha1.ClusterGenerator{
 			Selector: metav1.LabelSelector{},
-			Template: argoprojiov1alpha1.ApplicationSetTemplate{},
+			Template: argov1alpha1.ApplicationSetTemplate{},
 			Values:   nil,
 		},
 	}
@@ -197,14 +197,14 @@ func TestGetRelevantGenerators(t *testing.T) {
 	assert.Len(t, relevantGenerators, 1)
 	assert.IsType(t, &ClusterGenerator{}, relevantGenerators[0])

-	requestedGenerator = &argoprojiov1alpha1.ApplicationSetGenerator{
-		Git: &argoprojiov1alpha1.GitGenerator{
+	requestedGenerator = &argov1alpha1.ApplicationSetGenerator{
+		Git: &argov1alpha1.GitGenerator{
 			RepoURL:             "",
 			Directories:         nil,
 			Files:               nil,
 			Revision:            "",
 			RequeueAfterSeconds: nil,
-			Template:            argoprojiov1alpha1.ApplicationSetTemplate{},
+			Template:            argov1alpha1.ApplicationSetTemplate{},
 		},
 	}

@@ -214,8 +214,8 @@ func TestGetRelevantGenerators(t *testing.T) {
 }

 func TestInterpolateGenerator(t *testing.T) {
-	requestedGenerator := &argoprojiov1alpha1.ApplicationSetGenerator{
-		Clusters: &argoprojiov1alpha1.ClusterGenerator{
+	requestedGenerator := &argov1alpha1.ApplicationSetGenerator{
+		Clusters: &argov1alpha1.ClusterGenerator{
 			Selector: metav1.LabelSelector{
 				MatchLabels: map[string]string{
 					"argocd.argoproj.io/secret-type": "cluster",
@@ -241,17 +241,71 @@ func TestInterpolateGenerator(t *testing.T) {
 	assert.Equal(t, "p1", interpolatedGenerator.Clusters.Selector.MatchLabels["path-zero"])
 	assert.Equal(t, "p1/p2/app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-full"])

-	fileNamePath := argoprojiov1alpha1.GitFileGeneratorItem{
+	fileNamePath := argov1alpha1.GitFileGeneratorItem{
 		Path: "{{name}}",
 	}
-	fileServerPath := argoprojiov1alpha1.GitFileGeneratorItem{
+	fileServerPath := argov1alpha1.GitFileGeneratorItem{
 		Path: "{{server}}",
 	}

-	requestedGenerator = &argoprojiov1alpha1.ApplicationSetGenerator{
-		Git: &argoprojiov1alpha1.GitGenerator{
-			Files:    append([]argoprojiov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),
-			Template: argoprojiov1alpha1.ApplicationSetTemplate{},
+	requestedGenerator = &argov1alpha1.ApplicationSetGenerator{
+		Git: &argov1alpha1.GitGenerator{
+			Files:    append([]argov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),
+			Template: argov1alpha1.ApplicationSetTemplate{},
+		},
+	}
+	clusterGeneratorParams := map[string]interface{}{
+		"name": "production_01/west", "server": "https://production-01.example.com",
+	}
+	interpolatedGenerator, err = InterpolateGenerator(requestedGenerator, clusterGeneratorParams, false)
+	if err != nil {
+		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
+		return
+	}
+	assert.Equal(t, "production_01/west", interpolatedGenerator.Git.Files[0].Path)
+	assert.Equal(t, "https://production-01.example.com", interpolatedGenerator.Git.Files[1].Path)
+}
+
+func TestInterpolateGenerator_go(t *testing.T) {
+	requestedGenerator := &argov1alpha1.ApplicationSetGenerator{
+		Clusters: &argov1alpha1.ClusterGenerator{
+			Selector: metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"path-basename":                  "{{base .path.path}}",
+					"path-zero":                      "{{index .path.segments 0}}",
+					"path-full":                      "{{.path.path}}",
+					"kubernetes.io/environment":      `{{default "foo" .my_label}}`,
+				}},
+		},
+	}
+	gitGeneratorParams := map[string]interface{}{
+		"path": map[string]interface{}{
+			"path":     "p1/p2/app3",
+			"segments": []string{"p1", "p2", "app3"},
+		},
+	}
+	interpolatedGenerator, err := InterpolateGenerator(requestedGenerator, gitGeneratorParams, true)
+	require.NoError(t, err)
+	if err != nil {
+		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
+		return
+	}
+	assert.Equal(t, "app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-basename"])
+	assert.Equal(t, "p1", interpolatedGenerator.Clusters.Selector.MatchLabels["path-zero"])
+	assert.Equal(t, "p1/p2/app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-full"])
+
+	fileNamePath := argov1alpha1.GitFileGeneratorItem{
+		Path: "{{.name}}",
+	}
+	fileServerPath := argov1alpha1.GitFileGeneratorItem{
+		Path: "{{.server}}",
+	}
+
+	requestedGenerator = &argov1alpha1.ApplicationSetGenerator{
+		Git: &argov1alpha1.GitGenerator{
+			Files:    append([]argov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),
+			Template: argov1alpha1.ApplicationSetTemplate{},
 		},
 	}
 	clusterGeneratorParams := map[string]interface{}{
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -58,9 +58,9 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic

 	var err error
 	var res []map[string]interface{}
-	if appSetGenerator.Git.Directories != nil {
+	if len(appSetGenerator.Git.Directories) != 0 {
 		res, err = g.generateParamsForGitDirectories(appSetGenerator, appSet.Spec.GoTemplate)
-	} else if appSetGenerator.Git.Files != nil {
+	} else if len(appSetGenerator.Git.Files) != 0 {
 		res, err = g.generateParamsForGitFiles(appSetGenerator, appSet.Spec.GoTemplate)
 	} else {
 		return nil, EmptyAppSetGeneratorError
@@ -81,10 +81,11 @@ func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoproj
 	}

 	log.WithFields(log.Fields{
-		"allPaths": allPaths,
-		"total":    len(allPaths),
-		"repoURL":  appSetGenerator.Git.RepoURL,
-		"revision": appSetGenerator.Git.Revision,
+		"allPaths":        allPaths,
+		"total":           len(allPaths),
+		"repoURL":         appSetGenerator.Git.RepoURL,
+		"revision":        appSetGenerator.Git.Revision,
+		"pathParamPrefix": appSetGenerator.Git.PathParamPrefix,
 	}).Info("applications result from the repo service")

 	requestedApps := g.filterApps(appSetGenerator.Git.Directories, allPaths)
@@ -121,19 +122,17 @@ func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1al
 	for _, path := range allPaths {

 		// A JSON / YAML file path can contain multiple sets of parameters (ie it is an array)
-		paramsArray, err := g.generateParamsFromGitFile(path, allFiles[path], useGoTemplate)
+		paramsArray, err := g.generateParamsFromGitFile(path, allFiles[path], useGoTemplate, appSetGenerator.Git.PathParamPrefix)
 		if err != nil {
 			return nil, fmt.Errorf("unable to process file '%s': %v", path, err)
 		}

-		for index := range paramsArray {
-			res = append(res, paramsArray[index])
-		}
+		res = append(res, paramsArray...)
 	}
 	return res, nil
 }

-func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []byte, useGoTemplate bool) ([]map[string]interface{}, error) {
+func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []byte, useGoTemplate bool, pathParamPrefix string) ([]map[string]interface{}, error) {
 	objectsFound := []map[string]interface{}{}

 	// First, we attempt to parse as an array
@@ -167,7 +166,11 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 			paramPath["basenameNormalized"] = utils.SanitizeName(path.Base(paramPath["path"].(string)))
 			paramPath["filenameNormalized"] = utils.SanitizeName(path.Base(paramPath["filename"].(string)))
 			paramPath["segments"] = strings.Split(paramPath["path"].(string), "/")
-			params["path"] = paramPath
+			if pathParamPrefix != "" {
+				params[pathParamPrefix] = map[string]interface{}{"path": paramPath}
+			} else {
+				params["path"] = paramPath
+			}
 		} else {
 			flat, err := flatten.Flatten(objectFound, "", flatten.DotStyle)
 			if err != nil {
@@ -176,14 +179,18 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 			for k, v := range flat {
 				params[k] = fmt.Sprintf("%v", v)
 			}
-			params["path"] = path.Dir(filePath)
-			params["path.basename"] = path.Base(params["path"].(string))
-			params["path.filename"] = path.Base(filePath)
-			params["path.basenameNormalized"] = utils.SanitizeName(path.Base(params["path"].(string)))
-			params["path.filenameNormalized"] = utils.SanitizeName(path.Base(params["path.filename"].(string)))
-			for k, v := range strings.Split(params["path"].(string), "/") {
+			pathParamName := "path"
+			if pathParamPrefix != "" {
+				pathParamName = pathParamPrefix + "." + pathParamName
+			}
+			params[pathParamName] = path.Dir(filePath)
+			params[pathParamName+".basename"] = path.Base(params[pathParamName].(string))
+			params[pathParamName+".filename"] = path.Base(filePath)
+			params[pathParamName+".basenameNormalized"] = utils.SanitizeName(path.Base(params[pathParamName].(string)))
+			params[pathParamName+".filenameNormalized"] = utils.SanitizeName(path.Base(params[pathParamName+".filename"].(string)))
+			for k, v := range strings.Split(params[pathParamName].(string), "/") {
 				if len(v) > 0 {
-					params["path["+strconv.Itoa(k)+"]"] = v
+					params[pathParamName+"["+strconv.Itoa(k)+"]"] = v
 				}
 			}
 		}
@@ -192,7 +199,6 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 	}

 	return res, nil
-
 }

 func (g *GitGenerator) filterApps(Directories []argoprojiov1alpha1.GitDirectoryGeneratorItem, allPaths []string) []string {
@@ -223,9 +229,7 @@ func (g *GitGenerator) filterApps(Directories []argoprojiov1alpha1.GitDirectoryG
 	return res
 }

-func (g *GitGenerator) generateParamsFromApps(requestedApps []string, _ *argoprojiov1alpha1.ApplicationSetGenerator, useGoTemplate bool) []map[string]interface{} {
-	// TODO: At some point, the applicationSetGenerator param should be used
-
+func (g *GitGenerator) generateParamsFromApps(requestedApps []string, appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, useGoTemplate bool) []map[string]interface{} {
 	res := make([]map[string]interface{}, len(requestedApps))
 	for i, a := range requestedApps {

@@ -237,14 +241,22 @@ func (g *GitGenerator) generateParamsFromApps(requestedApps []string, _ *argopro
 			paramPath["basename"] = path.Base(a)
 			paramPath["basenameNormalized"] = utils.SanitizeName(path.Base(a))
 			paramPath["segments"] = strings.Split(paramPath["path"].(string), "/")
-			params["path"] = paramPath
+			if appSetGenerator.Git.PathParamPrefix != "" {
+				params[appSetGenerator.Git.PathParamPrefix] = map[string]interface{}{"path": paramPath}
+			} else {
+				params["path"] = paramPath
+			}
 		} else {
-			params["path"] = a
-			params["path.basename"] = path.Base(a)
-			params["path.basenameNormalized"] = utils.SanitizeName(path.Base(a))
-			for k, v := range strings.Split(params["path"].(string), "/") {
+			pathParamName := "path"
+			if appSetGenerator.Git.PathParamPrefix != "" {
+				pathParamName = appSetGenerator.Git.PathParamPrefix + "." + pathParamName
+			}
+			params[pathParamName] = a
+			params[pathParamName+".basename"] = path.Base(a)
+			params[pathParamName+".basenameNormalized"] = utils.SanitizeName(path.Base(a))
+			for k, v := range strings.Split(params[pathParamName].(string), "/") {
 				if len(v) > 0 {
-					params["path["+strconv.Itoa(k)+"]"] = v
+					params[pathParamName+"["+strconv.Itoa(k)+"]"] = v
 				}
 			}
 		}
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@@ -1,10 +1,10 @@
 package generators

 import (
-	"context"
 	"fmt"
 	"testing"

+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -12,46 +12,12 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

-// type clientSet struct {
-// 	RepoServerServiceClient apiclient.RepoServerServiceClient
-// }
-
-// func (c *clientSet) NewRepoServerClient() (io.Closer, apiclient.RepoServerServiceClient, error) {
-// 	return io.NewCloser(func() error { return nil }), c.RepoServerServiceClient, nil
-// }
-
-type argoCDServiceMock struct {
-	mock *mock.Mock
-}
-
-func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-
-	return args.Get(0).([]string), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, pattern)
-
-	return args.Get(0).(map[string][]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, path)
-
-	return args.Get(0).([]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-	return args.Get(0).([]string), args.Error(1)
-}

 func Test_generateParamsFromGitFile(t *testing.T) {
 	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
 foo:
  bar: baz
-`), false)
+`), false, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -69,11 +35,33 @@ foo:
 	}, params)
 }

+func Test_generatePrefixedParamsFromGitFile(t *testing.T) {
+	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
+foo:
+  bar: baz
+`), false, "myRepo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Equal(t, []map[string]interface{}{
+		{
+			"foo.bar":                        "baz",
+			"myRepo.path":                    "path/dir",
+			"myRepo.path.basename":           "dir",
+			"myRepo.path.filename":           "file_name.yaml",
+			"myRepo.path.basenameNormalized": "dir",
+			"myRepo.path.filenameNormalized": "file-name.yaml",
+			"myRepo.path[0]":                 "path",
+			"myRepo.path[1]":                 "dir",
+		},
+	}, params)
+}
+
 func Test_generateParamsFromGitFileGoTemplate(t *testing.T) {
 	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
 foo:
  bar: baz
-`), true)
+`), true, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -97,15 +85,46 @@ foo:
 	}, params)
 }

+func Test_generatePrefixedParamsFromGitFileGoTemplate(t *testing.T) {
+	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
+foo:
+  bar: baz
+`), true, "myRepo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Equal(t, []map[string]interface{}{
+		{
+			"foo": map[string]interface{}{
+				"bar": "baz",
+			},
+			"myRepo": map[string]interface{}{
+				"path": map[string]interface{}{
+					"path":               "path/dir",
+					"basename":           "dir",
+					"filename":           "file_name.yaml",
+					"basenameNormalized": "dir",
+					"filenameNormalized": "file-name.yaml",
+					"segments": []string{
+						"path",
+						"dir",
+					},
+				},
+			},
+		},
+	}, params)
+}
+
 func TestGitGenerateParamsFromDirectories(t *testing.T) {

 	cases := []struct {
-		name          string
-		directories   []argoprojiov1alpha1.GitDirectoryGeneratorItem
-		repoApps      []string
-		repoError     error
-		expected      []map[string]interface{}
-		expectedError error
+		name            string
+		directories     []argoprojiov1alpha1.GitDirectoryGeneratorItem
+		pathParamPrefix string
+		repoApps        []string
+		repoError       error
+		expected        []map[string]interface{}
+		expectedError   error
 	}{
 		{
 			name:        "happy flow - created apps",
@@ -124,6 +143,24 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			expectedError: nil,
 		},
+		{
+			name:            "It prefixes path parameters with PathParamPrefix",
+			directories:     []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "*"}},
+			pathParamPrefix: "myRepo",
+			repoApps: []string{
+				"app1",
+				"app2",
+				"app_3",
+				"p1/app4",
+			},
+			repoError: nil,
+			expected: []map[string]interface{}{
+				{"myRepo.path": "app1", "myRepo.path.basename": "app1", "myRepo.path.basenameNormalized": "app1", "myRepo.path[0]": "app1"},
+				{"myRepo.path": "app2", "myRepo.path.basename": "app2", "myRepo.path.basenameNormalized": "app2", "myRepo.path[0]": "app2"},
+				{"myRepo.path": "app_3", "myRepo.path.basename": "app_3", "myRepo.path.basenameNormalized": "app-3", "myRepo.path[0]": "app_3"},
+			},
+			expectedError: nil,
+		},
 		{
 			name:        "It filters application according to the paths",
 			directories: []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "p1/*"}, {Path: "p1/*/*"}},
@@ -200,11 +237,11 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+			argoCDServiceMock := mocks.Repos{}

-			argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			var gitGenerator = NewGitGenerator(argoCDServiceMock)
+			var gitGenerator = NewGitGenerator(&argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -212,9 +249,10 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				Spec: argoprojiov1alpha1.ApplicationSetSpec{
 					Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{
 						Git: &argoprojiov1alpha1.GitGenerator{
-							RepoURL:     "RepoURL",
-							Revision:    "Revision",
-							Directories: testCaseCopy.directories,
+							RepoURL:         "RepoURL",
+							Revision:        "Revision",
+							Directories:     testCaseCopy.directories,
+							PathParamPrefix: testCaseCopy.pathParamPrefix,
 						},
 					}},
 				},
@@ -229,7 +267,7 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				assert.Equal(t, testCaseCopy.expected, got)
 			}

-			argoCDServiceMock.mock.AssertExpectations(t)
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -237,12 +275,13 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {

 	cases := []struct {
-		name          string
-		directories   []argoprojiov1alpha1.GitDirectoryGeneratorItem
-		repoApps      []string
-		repoError     error
-		expected      []map[string]interface{}
-		expectedError error
+		name            string
+		directories     []argoprojiov1alpha1.GitDirectoryGeneratorItem
+		pathParamPrefix string
+		repoApps        []string
+		repoError       error
+		expected        []map[string]interface{}
+		expectedError   error
 	}{
 		{
 			name:        "happy flow - created apps",
@@ -288,6 +327,57 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 			},
 			expectedError: nil,
 		},
+		{
+			name:            "It prefixes path parameters with PathParamPrefix",
+			directories:     []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "*"}},
+			pathParamPrefix: "myRepo",
+			repoApps: []string{
+				"app1",
+				"app2",
+				"app_3",
+				"p1/app4",
+			},
+			repoError: nil,
+			expected: []map[string]interface{}{
+				{
+					"myRepo": map[string]interface{}{
+						"path": map[string]interface{}{
+							"path":               "app1",
+							"basename":           "app1",
+							"basenameNormalized": "app1",
+							"segments": []string{
+								"app1",
+							},
+						},
+					},
+				},
+				{
+					"myRepo": map[string]interface{}{
+						"path": map[string]interface{}{
+							"path":               "app2",
+							"basename":           "app2",
+							"basenameNormalized": "app2",
+							"segments": []string{
+								"app2",
+							},
+						},
+					},
+				},
+				{
+					"myRepo": map[string]interface{}{
+						"path": map[string]interface{}{
+							"path":               "app_3",
+							"basename":           "app_3",
+							"basenameNormalized": "app-3",
+							"segments": []string{
+								"app_3",
+							},
+						},
+					},
+				},
+			},
+			expectedError: nil,
+		},
 		{
 			name:        "It filters application according to the paths",
 			directories: []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "p1/*"}, {Path: "p1/*/*"}},
@@ -442,11 +532,11 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+			argoCDServiceMock := mocks.Repos{}

-			argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			var gitGenerator = NewGitGenerator(argoCDServiceMock)
+			var gitGenerator = NewGitGenerator(&argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -455,9 +545,10 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 					GoTemplate: true,
 					Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{
 						Git: &argoprojiov1alpha1.GitGenerator{
-							RepoURL:     "RepoURL",
-							Revision:    "Revision",
-							Directories: testCaseCopy.directories,
+							RepoURL:         "RepoURL",
+							Revision:        "Revision",
+							Directories:     testCaseCopy.directories,
+							PathParamPrefix: testCaseCopy.pathParamPrefix,
 						},
 					}},
 				},
@@ -472,7 +563,7 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 				assert.Equal(t, testCaseCopy.expected, got)
 			}

-			argoCDServiceMock.mock.AssertExpectations(t)
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}

@@ -732,11 +823,11 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
-			argoCDServiceMock.mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			var gitGenerator = NewGitGenerator(argoCDServiceMock)
+			var gitGenerator = NewGitGenerator(&argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -762,7 +853,7 @@ cluster:
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}

-			argoCDServiceMock.mock.AssertExpectations(t)
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -1081,11 +1172,11 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
-			argoCDServiceMock.mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			var gitGenerator = NewGitGenerator(argoCDServiceMock)
+			var gitGenerator = NewGitGenerator(&argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1112,7 +1203,7 @@ cluster:
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}

-			argoCDServiceMock.mock.AssertExpectations(t)
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
--- a/applicationset/generators/list.go
+++ b/applicationset/generators/list.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"sigs.k8s.io/yaml"
 )

 var _ Generator = (*ListGenerator)(nil)
@@ -73,5 +74,16 @@ func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appli
 		}
 	}

+	// Append elements from ElementsYaml to the response
+	if len(appSetGenerator.List.ElementsYaml) > 0 {
+
+		var yamlElements []map[string]interface{}
+		err := yaml.Unmarshal([]byte(appSetGenerator.List.ElementsYaml), &yamlElements)
+		if err != nil {
+			return nil, fmt.Errorf("error unmarshling decoded ElementsYaml %v", err)
+		}
+		res = append(res, yamlElements...)	
+	}
+
 	return res, nil
 }
--- a/applicationset/generators/matrix.go
+++ b/applicationset/generators/matrix.go
@@ -80,28 +80,13 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 }

 func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]interface{}) ([]map[string]interface{}, error) {
-	var matrix *argoprojiov1alpha1.MatrixGenerator
-	if appSetBaseGenerator.Matrix != nil {
-		// Since nested matrix generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
-		if err != nil {
-			return nil, fmt.Errorf("unable to unmarshall nested matrix generator: %v", err)
-		}
-		if nestedMatrix != nil {
-			matrix = nestedMatrix.ToMatrixGenerator()
-		}
+	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
-
-	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
-	if appSetBaseGenerator.Merge != nil {
-		// Since nested merge generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
-		if err != nil {
-			return nil, fmt.Errorf("unable to unmarshall nested merge generator: %v", err)
-		}
-		if nestedMerge != nil {
-			mergeGenerator = nestedMerge.ToMergeGenerator()
-		}
+	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}

 	t, err := Transform(
@@ -112,8 +97,8 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrix,
-			Merge:                   mergeGenerator,
+			Matrix:                  matrixGen,
+			Merge:                   mergeGen,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -143,10 +128,15 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 	var found bool

 	for _, r := range appSetGenerator.Matrix.Generators {
+		matrixGen, _ := getMatrixGenerator(r)
+		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
+			Matrix:      matrixGen,
+			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)

@@ -167,6 +157,17 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap

 }

+func getMatrixGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MatrixGenerator, error) {
+	if r.Matrix == nil {
+		return nil, nil
+	}
+	matrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(r.Matrix)
+	if err != nil {
+		return nil, err
+	}
+	return matrix.ToMatrixGenerator(), nil
+}
+
 func (m *MatrixGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Matrix.Template
 }
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@@ -5,6 +5,8 @@ import (
 	"testing"
 	"time"

+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -399,6 +401,8 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "Cluster","url": "Url"}`)}},
 	}

+	pullRequestGenerator := &argoprojiov1alpha1.PullRequestGenerator{}
+
 	testCases := []struct {
 		name               string
 		baseGenerators     []argoprojiov1alpha1.ApplicationSetNestedGenerator
@@ -431,6 +435,31 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 			gitGetRequeueAfter: time.Duration(1),
 			expected:           time.Duration(1),
 		},
+		{
+			name: "returns the minimal time for pull request",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			gitGetRequeueAfter: time.Duration(15 * time.Second),
+			expected:           time.Duration(15 * time.Second),
+		},
+		{
+			name: "returns the default time if no requeueAfterSeconds is provided",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			expected: time.Duration(30 * time.Minute),
+		},
 	}

 	for _, testCase := range testCases {
@@ -441,16 +470,18 @@ func TestMatrixGetRequeueAfter(t *testing.T) {

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
-					Git:  g.Git,
-					List: g.List,
+					Git:         g.Git,
+					List:        g.List,
+					PullRequest: g.PullRequest,
 				}
 				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
 			}

 			var matrixGenerator = NewMatrixGenerator(
 				map[string]Generator{
-					"Git":  mock,
-					"List": &ListGenerator{},
+					"Git":         mock,
+					"List":        &ListGenerator{},
+					"PullRequest": &PullRequestGenerator{},
 				},
 			)

@@ -806,6 +837,174 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 	}
 }

+func TestMatrixGenerateListElementsYaml(t *testing.T) {
+
+	gitGenerator := &argoprojiov1alpha1.GitGenerator{
+		RepoURL:  "RepoURL",
+		Revision: "Revision",
+		Files: []argoprojiov1alpha1.GitFileGeneratorItem{
+			{Path: "config.yaml"},
+		},
+	}
+
+	listGenerator := &argoprojiov1alpha1.ListGenerator{
+		Elements: []apiextensionsv1.JSON{},
+		ElementsYaml: "{{ .foo.bar | toJson }}",
+	}
+
+	testCases := []struct {
+		name           string
+		baseGenerators []argoprojiov1alpha1.ApplicationSetNestedGenerator
+		expectedErr    error
+		expected       []map[string]interface{}
+	}{
+		{
+			name: "happy flow - generate params",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					List: listGenerator,
+				},
+			},
+			expected: []map[string]interface{}{
+				{
+					"chart":         "a",
+					"version":         "1",
+					"foo": map[string]interface{}{
+						"bar": []interface{}{
+							map[string]interface{}{
+								"chart": "a",
+								"version": "1",
+							},
+							map[string]interface{}{
+								"chart": "b",
+								"version": "2",
+							},
+						},
+					},
+					"path": map[string]interface{}{
+						"basename": "dir",
+						"basenameNormalized": "dir",
+						"filename": "file_name.yaml",
+						"filenameNormalized": "file-name.yaml",
+						"path": "path/dir",
+						"segments": []string {
+							"path",
+							"dir",
+						},
+					},
+				},
+				{
+					"chart":         "b",
+					"version":         "2",
+					"foo": map[string]interface{}{
+						"bar": []interface{}{
+							map[string]interface{}{
+								"chart": "a",
+								"version": "1",
+							},
+							map[string]interface{}{
+								"chart": "b",
+								"version": "2",
+							},
+						},
+					},
+					"path": map[string]interface{}{
+						"basename": "dir",
+						"basenameNormalized": "dir",
+						"filename": "file_name.yaml",
+						"filenameNormalized": "file-name.yaml",
+						"path": "path/dir",
+						"segments": []string {
+							"path",
+							"dir",
+						},
+					},
+				},
+
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		testCaseCopy := testCase // Since tests may run in parallel
+
+		t.Run(testCaseCopy.name, func(t *testing.T) {
+			genMock := &generatorMock{}
+			appSet := &argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+				},
+			}
+
+			for _, g := range testCaseCopy.baseGenerators {
+
+				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
+					Git:  g.Git,
+					List: g.List,
+				}
+				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{{
+					"foo": map[string]interface{}{
+						"bar": []interface{}{
+							map[string]interface{}{
+								"chart": "a",
+								"version": "1",
+							},
+							map[string]interface{}{
+								"chart": "b",
+								"version": "2",
+							},
+						},
+					},
+					"path": map[string]interface{}{
+						"basename": "dir",
+						"basenameNormalized": "dir",
+						"filename": "file_name.yaml",
+						"filenameNormalized": "file-name.yaml",
+						"path": "path/dir",
+						"segments": []string {
+							"path",
+							"dir",
+						},
+					},
+
+				}}, nil)
+				genMock.On("GetTemplate", &gitGeneratorSpec).
+					Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
+
+			}
+
+			var matrixGenerator = NewMatrixGenerator(
+				map[string]Generator{
+					"Git":  genMock,
+					"List": &ListGenerator{},
+				},
+			)
+
+			got, err := matrixGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
+				Matrix: &argoprojiov1alpha1.MatrixGenerator{
+					Generators: testCaseCopy.baseGenerators,
+					Template:   argoprojiov1alpha1.ApplicationSetTemplate{},
+				},
+			}, appSet)
+
+			if testCaseCopy.expectedErr != nil {
+				assert.ErrorIs(t, err, testCaseCopy.expectedErr)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, testCaseCopy.expected, got)
+			}
+
+		})
+
+	}
+}
+
 type generatorMock struct {
 	mock.Mock
 }
@@ -828,3 +1027,72 @@ func (g *generatorMock) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Appl
 	return args.Get(0).(time.Duration)

 }
+
+func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
+	// Given a matrix generator over a list generator and a git files generator, the nested git files generator should
+	// be treated as a files generator, and it should produce parameters.
+
+	// This tests for a specific bug where a nested git files generator was being treated as a directory generator. This
+	// happened because, when the matrix generator was being processed, the nested git files generator was being
+	// interpolated by the deeplyReplace function. That function cannot differentiate between a nil slice and an empty
+	// slice. So it was replacing the `Directories` field with an empty slice, which the ApplicationSet controller
+	// interpreted as meaning this was a directory generator, not a files generator.
+
+	// Now instead of checking for nil, we check whether the field is a non-empty slice. This test prevents a regression
+	// of that bug.
+
+	listGeneratorMock := &generatorMock{}
+	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet")).Return([]map[string]interface{}{
+		{"some": "value"},
+	}, nil)
+	listGeneratorMock.On("GetTemplate", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
+
+	gitGeneratorSpec := &argoprojiov1alpha1.GitGenerator{
+		RepoURL: "https://git.example.com",
+		Files: []argoprojiov1alpha1.GitFileGeneratorItem{
+			{Path: "some/path.json"},
+		},
+	}
+
+	repoServiceMock := &mocks.Repos{}
+	repoServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
+		"some/path.json": []byte("test: content"),
+	}, nil)
+	gitGenerator := NewGitGenerator(repoServiceMock)
+
+	matrixGenerator := NewMatrixGenerator(map[string]Generator{
+		"List": listGeneratorMock,
+		"Git":  gitGenerator,
+	})
+
+	matrixGeneratorSpec := &argoprojiov1alpha1.MatrixGenerator{
+		Generators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+			{
+				List: &argoprojiov1alpha1.ListGenerator{
+					Elements: []apiextensionsv1.JSON{
+						{
+							Raw: []byte(`{"some": "value"}`),
+						},
+					},
+				},
+			},
+			{
+				Git: gitGeneratorSpec,
+			},
+		},
+	}
+	params, err := matrixGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
+		Matrix: matrixGeneratorSpec,
+	}, &argoprojiov1alpha1.ApplicationSet{})
+	require.NoError(t, err)
+	assert.Equal(t, []map[string]interface{}{{
+		"path":                    "some",
+		"path.basename":           "some",
+		"path.basenameNormalized": "some",
+		"path.filename":           "path.json",
+		"path.filenameNormalized": "path.json",
+		"path[0]":                 "some",
+		"some":                    "value",
+		"test":                    "content",
+	}}, params)
+}
--- a/applicationset/generators/merge.go
+++ b/applicationset/generators/merge.go
@@ -137,27 +137,13 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface

 // getParams get the parameters generated by this generator.
 func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
-	var matrix *argoprojiov1alpha1.MatrixGenerator
-	if appSetBaseGenerator.Matrix != nil {
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
-		if err != nil {
-			return nil, err
-		}
-		if nestedMatrix != nil {
-			matrix = nestedMatrix.ToMatrixGenerator()
-		}
+	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
-
-	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
-	if appSetBaseGenerator.Merge != nil {
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
-		if err != nil {
-			return nil, err
-		}
-		if nestedMerge != nil {
-			mergeGenerator = nestedMerge.ToMergeGenerator()
-		}
+	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}

 	t, err := Transform(
@@ -168,8 +154,8 @@ func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Applic
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrix,
-			Merge:                   mergeGenerator,
+			Matrix:                  matrixGen,
+			Merge:                   mergeGen,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -197,10 +183,15 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 	var found bool

 	for _, r := range appSetGenerator.Merge.Generators {
+		matrixGen, _ := getMatrixGenerator(r)
+		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
+			Matrix:      matrixGen,
+			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)

@@ -221,6 +212,17 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App

 }

+func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MergeGenerator, error) {
+	if r.Merge == nil {
+		return nil, nil
+	}
+	merge, err := argoprojiov1alpha1.ToNestedMergeGenerator(r.Merge)
+	if err != nil {
+		return nil, err
+	}
+	return merge.ToMergeGenerator(), nil
+}
+
 // GetTemplate gets the Template field for the MergeGenerator.
 func (m *MergeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Merge.Template
--- a/applicationset/generators/pull_request.go
+++ b/applicationset/generators/pull_request.go
@@ -11,7 +11,6 @@ import (

 	"github.com/gosimple/slug"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/pull_request"
 	pullrequest "github.com/argoproj/argo-cd/v2/applicationset/services/pull_request"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
@@ -66,7 +65,7 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		return nil, fmt.Errorf("failed to select pull request service provider: %v", err)
 	}

-	pulls, err := pull_request.ListPullRequests(ctx, svc, appSetGenerator.PullRequest.Filters)
+	pulls, err := pullrequest.ListPullRequests(ctx, svc, appSetGenerator.PullRequest.Filters)
 	if err != nil {
 		return nil, fmt.Errorf("error listing repos: %v", err)
 	}
@@ -84,19 +83,32 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	}

 	var shortSHALength int
+	var shortSHALength7 int
 	for _, pull := range pulls {
 		shortSHALength = 8
 		if len(pull.HeadSHA) < 8 {
 			shortSHALength = len(pull.HeadSHA)
 		}

-		params = append(params, map[string]interface{}{
-			"number":         strconv.Itoa(pull.Number),
-			"branch":         pull.Branch,
-			"branch_slug":    slug.Make(pull.Branch),
-			"head_sha":       pull.HeadSHA,
-			"head_short_sha": pull.HeadSHA[:shortSHALength],
-		})
+		shortSHALength7 = 7
+		if len(pull.HeadSHA) < 7 {
+			shortSHALength7 = len(pull.HeadSHA)
+		}
+
+		paramMap := map[string]interface{}{
+			"number":           strconv.Itoa(pull.Number),
+			"branch":           pull.Branch,
+			"branch_slug":      slug.Make(pull.Branch),
+			"head_sha":         pull.HeadSHA,
+			"head_short_sha":   pull.HeadSHA[:shortSHALength],
+			"head_short_sha_7": pull.HeadSHA[:shortSHALength7],
+		}
+
+		// PR lables will only be supported for Go Template appsets, since fasttemplate will be deprecated.
+		if applicationSetInfo != nil && applicationSetInfo.Spec.GoTemplate {
+			paramMap["labels"] = pull.Labels
+		}
+		params = append(params, paramMap)
 	}
 	return params, nil
 }
--- a/applicationset/generators/pull_request_test.go
+++ b/applicationset/generators/pull_request_test.go
@@ -17,9 +17,10 @@ import (
 func TestPullRequestGithubGenerateParams(t *testing.T) {
 	ctx := context.Background()
 	cases := []struct {
-		selectFunc  func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error)
-		expected    []map[string]interface{}
-		expectedErr error
+		selectFunc     func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error)
+		expected       []map[string]interface{}
+		expectedErr    error
+		applicationSet argoprojiov1alpha1.ApplicationSet
 	}{
 		{
 			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
@@ -42,6 +43,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"branch_slug":    "branch1",
 					"head_sha":       "089d92cbf9ff857a39e6feccd32798ca700fb958",
 					"head_short_sha": "089d92cb",
+					"head_short_sha_7": "089d92c",
 				},
 			},
 			expectedErr: nil,
@@ -67,6 +69,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"branch_slug":    "feat-areally-long-pull-request-name-to-test-argo",
 					"head_sha":       "9b34ff5bd418e57d58891eb0aa0728043ca1e8be",
 					"head_short_sha": "9b34ff5b",
+					"head_short_sha_7": "9b34ff5",
 				},
 			},
 			expectedErr: nil,
@@ -92,6 +95,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"branch_slug":    "a-very-short-sha",
 					"head_sha":       "abcd",
 					"head_short_sha": "abcd",
+					"head_short_sha_7": "abcd",
 				},
 			},
 			expectedErr: nil,
@@ -107,6 +111,73 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			expected:    nil,
 			expectedErr: fmt.Errorf("error listing repos: fake error"),
 		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					[]*pullrequest.PullRequest{
+						&pullrequest.PullRequest{
+							Number:  1,
+							Branch:  "branch1",
+							HeadSHA: "089d92cbf9ff857a39e6feccd32798ca700fb958",
+							Labels:  []string{"preview"},
+						},
+					},
+					nil,
+				)
+			},
+			expected: []map[string]interface{}{
+				{
+					"number":         "1",
+					"branch":         "branch1",
+					"branch_slug":    "branch1",
+					"head_sha":       "089d92cbf9ff857a39e6feccd32798ca700fb958",
+					"head_short_sha": "089d92cb",
+					"head_short_sha_7": "089d92c",
+					"labels":         []string{"preview"},
+				},
+			},
+			expectedErr: nil,
+			applicationSet: argoprojiov1alpha1.ApplicationSet{
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					// Application set is using Go Template.
+					GoTemplate: true,
+				},
+			},
+		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					[]*pullrequest.PullRequest{
+						&pullrequest.PullRequest{
+							Number:  1,
+							Branch:  "branch1",
+							HeadSHA: "089d92cbf9ff857a39e6feccd32798ca700fb958",
+							Labels:  []string{"preview"},
+						},
+					},
+					nil,
+				)
+			},
+			expected: []map[string]interface{}{
+				{
+					"number":         "1",
+					"branch":         "branch1",
+					"branch_slug":    "branch1",
+					"head_sha":       "089d92cbf9ff857a39e6feccd32798ca700fb958",
+					"head_short_sha": "089d92cb",
+					"head_short_sha_7": "089d92c",
+				},
+			},
+			expectedErr: nil,
+			applicationSet: argoprojiov1alpha1.ApplicationSet{
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					// Application set is using fasttemplate.
+					GoTemplate: false,
+				},
+			},
+		},
 	}

 	for _, c := range cases {
@@ -117,7 +188,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			PullRequest: &argoprojiov1alpha1.PullRequestGenerator{},
 		}

-		got, gotErr := gen.GenerateParams(&generatorConfig, nil)
+		got, gotErr := gen.GenerateParams(&generatorConfig, &c.applicationSet)
 		assert.Equal(t, c.expectedErr, gotErr)
 		assert.ElementsMatch(t, c.expected, got)
 	}
--- a/applicationset/generators/scm_provider.go
+++ b/applicationset/generators/scm_provider.go
@@ -122,6 +122,15 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Azure Devops service: %v", err)
 		}
+	} else if providerConfig.Bitbucket != nil {
+		appPassword, err := g.getSecretRef(ctx, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %v", err)
+		}
+		provider, err = scm_provider.NewBitBucketCloudProvider(ctx, providerConfig.Bitbucket.Owner, providerConfig.Bitbucket.User, appPassword, providerConfig.Bitbucket.AllBranches)
+		if err != nil {
+			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %v", err)
+		}
 	} else {
 		return nil, fmt.Errorf("no SCM provider implementation configured")
 	}
@@ -133,12 +142,18 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	}
 	params := make([]map[string]interface{}, 0, len(repos))
 	var shortSHALength int
+	var shortSHALength7 int
 	for _, repo := range repos {
 		shortSHALength = 8
 		if len(repo.SHA) < 8 {
 			shortSHALength = len(repo.SHA)
 		}

+		shortSHALength7 = 7
+		if len(repo.SHA) < 7 {
+			shortSHALength7 = len(repo.SHA)
+		}
+
 		params = append(params, map[string]interface{}{
 			"organization":     repo.Organization,
 			"repository":       repo.Repository,
@@ -146,6 +161,7 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			"branch":           repo.Branch,
 			"sha":              repo.SHA,
 			"short_sha":        repo.SHA[:shortSHALength],
+			"short_sha_7":      repo.SHA[:shortSHALength7],
 			"labels":           strings.Join(repo.Labels, ","),
 			"branchNormalized": utils.SanitizeName(repo.Branch),
 		})
--- a/applicationset/generators/scm_provider_test.go
+++ b/applicationset/generators/scm_provider_test.go
@@ -112,6 +112,8 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 	assert.Equal(t, "0bc57212c3cbbec69d20b34c507284bd300def5b", params[0]["sha"])
 	assert.Equal(t, "0bc57212", params[0]["short_sha"])
 	assert.Equal(t, "59d0", params[1]["short_sha"])
+	assert.Equal(t, "0bc5721", params[0]["short_sha_7"])
+	assert.Equal(t, "59d0", params[1]["short_sha_7"])
 	assert.Equal(t, "prod,staging", params[0]["labels"])
 	assert.Equal(t, "repo2", params[1]["repository"])
 }
--- a/applicationset/services/internal/github_app/client.go
+++ b/applicationset/services/internal/github_app/client.go
@@ -20,10 +20,12 @@ func Client(g github_app_auth.Authentication, url string) (*github.Client, error
 		url = g.EnterpriseBaseURL
 	}
 	var client *github.Client
-	httpClient := http.Client{Transport: rt}
 	if url == "" {
+		httpClient := http.Client{Transport: rt}
 		client = github.NewClient(&httpClient)
 	} else {
+		rt.BaseURL = url
+		httpClient := http.Client{Transport: rt}
 		client, err = github.NewEnterpriseClient(url, url, &httpClient)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create github enterprise client: %w", err)
--- a/applicationset/services/mocks/Repos.go
+++ b/applicationset/services/mocks/Repos.go
@@ -0,0 +1,81 @@
+// Code generated by mockery v2.25.1. DO NOT EDIT.
+
+package mocks
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// Repos is an autogenerated mock type for the Repos type
+type Repos struct {
+	mock.Mock
+}
+
+// GetDirectories provides a mock function with given fields: ctx, repoURL, revision
+func (_m *Repos) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	ret := _m.Called(ctx, repoURL, revision)
+
+	var r0 []string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) ([]string, error)); ok {
+		return rf(ctx, repoURL, revision)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) []string); ok {
+		r0 = rf(ctx, repoURL, revision)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]string)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = rf(ctx, repoURL, revision)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GetFiles provides a mock function with given fields: ctx, repoURL, revision, pattern
+func (_m *Repos) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
+	ret := _m.Called(ctx, repoURL, revision, pattern)
+
+	var r0 map[string][]byte
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string, string) (map[string][]byte, error)); ok {
+		return rf(ctx, repoURL, revision, pattern)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string, string, string) map[string][]byte); ok {
+		r0 = rf(ctx, repoURL, revision, pattern)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[string][]byte)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string, string, string) error); ok {
+		r1 = rf(ctx, repoURL, revision, pattern)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+type mockConstructorTestingTNewRepos interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewRepos creates a new instance of Repos. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewRepos(t mockConstructorTestingTNewRepos) *Repos {
+	mock := &Repos{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/applicationset/services/mocks/RepositoryDB.go
+++ b/applicationset/services/mocks/RepositoryDB.go
@@ -0,0 +1,57 @@
+// Code generated by mockery v2.21.1. DO NOT EDIT.
+
+package mocks
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+
+	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+// RepositoryDB is an autogenerated mock type for the RepositoryDB type
+type RepositoryDB struct {
+	mock.Mock
+}
+
+// GetRepository provides a mock function with given fields: ctx, url
+func (_m *RepositoryDB) GetRepository(ctx context.Context, url string) (*v1alpha1.Repository, error) {
+	ret := _m.Called(ctx, url)
+
+	var r0 *v1alpha1.Repository
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) (*v1alpha1.Repository, error)); ok {
+		return rf(ctx, url)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) *v1alpha1.Repository); ok {
+		r0 = rf(ctx, url)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.Repository)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, url)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+type mockConstructorTestingTNewRepositoryDB interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewRepositoryDB creates a new instance of RepositoryDB. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewRepositoryDB(t mockConstructorTestingTNewRepositoryDB) *RepositoryDB {
+	mock := &RepositoryDB{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/applicationset/services/pull_request/bitbucket_server.go
+++ b/applicationset/services/pull_request/bitbucket_server.go
@@ -69,6 +69,7 @@ func (b *BitbucketService) List(_ context.Context) ([]*PullRequest, error) {
 				Number:  pull.ID,
 				Branch:  pull.FromRef.DisplayID,    // ID: refs/heads/main DisplayID: main
 				HeadSHA: pull.FromRef.LatestCommit, // This is not defined in the official docs, but works in practice
+				Labels:  []string{},                // Not supported by library
 			})
 		}

--- a/applicationset/services/pull_request/bitbucket_server_test.go
+++ b/applicationset/services/pull_request/bitbucket_server_test.go
@@ -122,16 +122,19 @@ func TestListPullRequestPagination(t *testing.T) {
 		Number:  101,
 		Branch:  "feature-101",
 		HeadSHA: "ab3cf2e4d1517c83e720d2585b9402dbef71f992",
+		Labels:  []string{},
 	}, *pullRequests[0])
 	assert.Equal(t, PullRequest{
 		Number:  102,
 		Branch:  "feature-102",
 		HeadSHA: "bb3cf2e4d1517c83e720d2585b9402dbef71f992",
+		Labels:  []string{},
 	}, *pullRequests[1])
 	assert.Equal(t, PullRequest{
 		Number:  200,
 		Branch:  "feature-200",
 		HeadSHA: "cb3cf2e4d1517c83e720d2585b9402dbef71f992",
+		Labels:  []string{},
 	}, *pullRequests[2])
 }

@@ -155,7 +158,7 @@ func TestListPullRequestBasicAuth(t *testing.T) {

 func TestListResponseError(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(500)
+		w.WriteHeader(http.StatusInternalServerError)
 	}))
 	defer ts.Close()
 	svc, _ := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
@@ -284,11 +287,13 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 		Number:  101,
 		Branch:  "feature-101",
 		HeadSHA: "ab3cf2e4d1517c83e720d2585b9402dbef71f992",
+		Labels:  []string{},
 	}, *pullRequests[0])
 	assert.Equal(t, PullRequest{
 		Number:  102,
 		Branch:  "feature-102",
 		HeadSHA: "bb3cf2e4d1517c83e720d2585b9402dbef71f992",
+		Labels:  []string{},
 	}, *pullRequests[1])

 	regexp = `.*2$`
@@ -305,6 +310,7 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 		Number:  102,
 		Branch:  "feature-102",
 		HeadSHA: "bb3cf2e4d1517c83e720d2585b9402dbef71f992",
+		Labels:  []string{},
 	}, *pullRequests[0])

 	regexp = `[\d{2}`
--- a/applicationset/services/pull_request/gitea.go
+++ b/applicationset/services/pull_request/gitea.go
@@ -57,7 +57,17 @@ func (g *GiteaService) List(ctx context.Context) ([]*PullRequest, error) {
 			Number:  int(pr.Index),
 			Branch:  pr.Head.Ref,
 			HeadSHA: pr.Head.Sha,
+			Labels:  getGiteaPRLabelNames(pr.Labels),
 		})
 	}
 	return list, nil
 }
+
+// Get the Gitea pull request label names.
+func getGiteaPRLabelNames(giteaLabels []*gitea.Label) []string {
+	var labelNames []string
+	for _, giteaLabel := range giteaLabels {
+		labelNames = append(labelNames, giteaLabel.Name)
+	}
+	return labelNames
+}
--- a/applicationset/services/pull_request/gitea_test.go
+++ b/applicationset/services/pull_request/gitea_test.go
@@ -8,6 +8,7 @@ import (
 	"net/http/httptest"
 	"testing"

+	"code.gitea.io/sdk/gitea"
 	"github.com/stretchr/testify/assert"
 )

@@ -257,3 +258,32 @@ func TestGiteaList(t *testing.T) {
 	assert.Equal(t, prs[0].Branch, "test")
 	assert.Equal(t, prs[0].HeadSHA, "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f")
 }
+
+func TestGetGiteaPRLabelNames(t *testing.T) {
+	Tests := []struct {
+		Name           string
+		PullLabels     []*gitea.Label
+		ExpectedResult []string
+	}{
+		{
+			Name: "PR has labels",
+			PullLabels: []*gitea.Label{
+				&gitea.Label{Name: "label1"},
+				&gitea.Label{Name: "label2"},
+				&gitea.Label{Name: "label3"},
+			},
+			ExpectedResult: []string{"label1", "label2", "label3"},
+		},
+		{
+			Name:           "PR does not have labels",
+			PullLabels:     []*gitea.Label{},
+			ExpectedResult: nil,
+		},
+	}
+	for _, test := range Tests {
+		t.Run(test.Name, func(t *testing.T) {
+			labels := getGiteaPRLabelNames(test.PullLabels)
+			assert.Equal(t, test.ExpectedResult, labels)
+		})
+	}
+}
--- a/applicationset/services/pull_request/github.go
+++ b/applicationset/services/pull_request/github.go
@@ -68,6 +68,7 @@ func (g *GithubService) List(ctx context.Context) ([]*PullRequest, error) {
 				Number:  *pull.Number,
 				Branch:  *pull.Head.Ref,
 				HeadSHA: *pull.Head.SHA,
+				Labels:  getGithubPRLabelNames(pull.Labels),
 			})
 		}
 		if resp.NextPage == 0 {
@@ -97,3 +98,12 @@ func containLabels(expectedLabels []string, gotLabels []*github.Label) bool {
 	}
 	return true
 }
+
+// Get the Github pull request label names.
+func getGithubPRLabelNames(gitHubLabels []*github.Label) []string {
+	var labelNames []string
+	for _, gitHubLabel := range gitHubLabels {
+		labelNames = append(labelNames, *gitHubLabel.Name)
+	}
+	return labelNames
+}
--- a/applicationset/services/pull_request/github_test.go
+++ b/applicationset/services/pull_request/github_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"

 	"github.com/google/go-github/v35/github"
+	"github.com/stretchr/testify/assert"
 )

 func toPtr(s string) *string {
@@ -57,3 +58,32 @@ func TestContainLabels(t *testing.T) {
 		})
 	}
 }
+
+func TestGetGitHubPRLabelNames(t *testing.T) {
+	Tests := []struct {
+		Name           string
+		PullLabels     []*github.Label
+		ExpectedResult []string
+	}{
+		{
+			Name: "PR has labels",
+			PullLabels: []*github.Label{
+				&github.Label{Name: toPtr("label1")},
+				&github.Label{Name: toPtr("label2")},
+				&github.Label{Name: toPtr("label3")},
+			},
+			ExpectedResult: []string{"label1", "label2", "label3"},
+		},
+		{
+			Name:           "PR does not have labels",
+			PullLabels:     []*github.Label{},
+			ExpectedResult: nil,
+		},
+	}
+	for _, test := range Tests {
+		t.Run(test.Name, func(t *testing.T) {
+			labels := getGithubPRLabelNames(test.PullLabels)
+			assert.Equal(t, test.ExpectedResult, labels)
+		})
+	}
+}
--- a/applicationset/services/pull_request/gitlab.go
+++ b/applicationset/services/pull_request/gitlab.go
@@ -72,6 +72,7 @@ func (g *GitLabService) List(ctx context.Context) ([]*PullRequest, error) {
 				Number:  mr.IID,
 				Branch:  mr.SourceBranch,
 				HeadSHA: mr.SHA,
+				Labels:  mr.Labels,
 			})
 		}
 		if resp.NextPage == 0 {
--- a/applicationset/services/pull_request/interface.go
+++ b/applicationset/services/pull_request/interface.go
@@ -12,6 +12,8 @@ type PullRequest struct {
 	Branch string
 	// HeadSHA is the SHA of the HEAD from which the pull request originated.
 	HeadSHA string
+	// Labels of the pull request.
+	Labels []string
 }

 type PullRequestService interface {
--- a/applicationset/services/repo_service.go
+++ b/applicationset/services/repo_service.go
@@ -3,25 +3,26 @@ package services
 import (
 	"context"
 	"fmt"
-	"os"
-	"path/filepath"
-	"strings"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	repoapiclient "github.com/argoproj/argo-cd/v2/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/v2/util/db"
 	"github.com/argoproj/argo-cd/v2/util/git"
+	"github.com/argoproj/argo-cd/v2/util/io"
 )

 // RepositoryDB Is a lean facade for ArgoDB,
-// Using a lean interface makes it more easy to test the functionality the git generator uses
+// Using a lean interface makes it easier to test the functionality of the git generator
 type RepositoryDB interface {
 	GetRepository(ctx context.Context, url string) (*v1alpha1.Repository, error)
 }

 type argoCDService struct {
-	repositoriesDB   RepositoryDB
-	storecreds       git.CredsStore
-	submoduleEnabled bool
+	repositoriesDB      RepositoryDB
+	storecreds          git.CredsStore
+	submoduleEnabled    bool
+	repoServerClientSet repoapiclient.Clientset
 }

 type Repos interface {
@@ -33,121 +34,61 @@ type Repos interface {
 	GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error)
 }

-func NewArgoCDService(db db.ArgoDB, gitCredStore git.CredsStore, submoduleEnabled bool) Repos {
-
+func NewArgoCDService(db db.ArgoDB, submoduleEnabled bool, repoClientset repoapiclient.Clientset) (Repos, error) {
 	return &argoCDService{
-		repositoriesDB:   db.(RepositoryDB),
-		storecreds:       gitCredStore,
-		submoduleEnabled: submoduleEnabled,
-	}
+		repositoriesDB:      db.(RepositoryDB),
+		submoduleEnabled:    submoduleEnabled,
+		repoServerClientSet: repoClientset,
+	}, nil
 }

 func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
 	repo, err := a.repositoriesDB.GetRepository(ctx, repoURL)
 	if err != nil {
-		return nil, fmt.Errorf("Error in GetRepository: %w", err)
+		return nil, fmt.Errorf("error in GetRepository: %w", err)
 	}

-	gitRepoClient, err := git.NewClient(repo.Repo, repo.GetGitCreds(a.storecreds), repo.IsInsecure(), repo.IsLFSEnabled(), repo.Proxy)
-
+	fileRequest := &apiclient.GitFilesRequest{
+		Repo:             repo,
+		SubmoduleEnabled: a.submoduleEnabled,
+		Revision:         revision,
+		Path:             pattern,
+	}
+	closer, client, err := a.repoServerClientSet.NewRepoServerClient()
 	if err != nil {
 		return nil, err
 	}
+	defer io.Close(closer)

-	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
+	fileResponse, err := client.GetGitFiles(ctx, fileRequest)
 	if err != nil {
 		return nil, err
 	}
-
-	paths, err := gitRepoClient.LsFiles(pattern)
-	if err != nil {
-		return nil, fmt.Errorf("Error during listing files of local repo: %w", err)
-	}
-
-	res := map[string][]byte{}
-	for _, filePath := range paths {
-		bytes, err := os.ReadFile(filepath.Join(gitRepoClient.Root(), filePath))
-		if err != nil {
-			return nil, err
-		}
-		res[filePath] = bytes
-	}
-
-	return res, nil
+	return fileResponse.GetMap(), nil
 }

 func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
-
 	repo, err := a.repositoriesDB.GetRepository(ctx, repoURL)
 	if err != nil {
-		return nil, fmt.Errorf("Error in GetRepository: %w", err)
+		return nil, fmt.Errorf("error in GetRepository: %w", err)
 	}

-	gitRepoClient, err := git.NewClient(repo.Repo, repo.GetGitCreds(a.storecreds), repo.IsInsecure(), repo.IsLFSEnabled(), repo.Proxy)
+	dirRequest := &apiclient.GitDirectoriesRequest{
+		Repo:             repo,
+		SubmoduleEnabled: a.submoduleEnabled,
+		Revision:         revision,
+	}
+
+	closer, client, err := a.repoServerClientSet.NewRepoServerClient()
 	if err != nil {
-		return nil, fmt.Errorf("error creating a new git client: %w", err)
-	}
-
-	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
-	if err != nil {
-		return nil, fmt.Errorf("error while checking out repo: %w", err)
-	}
-
-	filteredPaths := []string{}
-
-	repoRoot := gitRepoClient.Root()
-
-	if err := filepath.Walk(repoRoot, func(path string, info os.FileInfo, fnErr error) error {
-		if fnErr != nil {
-			return fmt.Errorf("error walking the file tree: %w", fnErr)
-		}
-		if !info.IsDir() { // Skip files: directories only
-			return nil
-		}
-
-		fname := info.Name()
-		if strings.HasPrefix(fname, ".") { // Skip all folders starts with "."
-			return filepath.SkipDir
-		}
-
-		relativePath, err := filepath.Rel(repoRoot, path)
-		if err != nil {
-			return fmt.Errorf("error constructing relative repo path: %w", err)
-		}
-
-		if relativePath == "." { // Exclude '.' from results
-			return nil
-		}
-
-		filteredPaths = append(filteredPaths, relativePath)
-
-		return nil
-	}); err != nil {
 		return nil, err
 	}
+	defer io.Close(closer)

-	return filteredPaths, nil
+	dirResponse, err := client.GetGitDirectories(ctx, dirRequest)
+	if err != nil {
+		return nil, err
+	}
+	return dirResponse.GetPaths(), nil

 }
-
-func checkoutRepo(gitRepoClient git.Client, revision string, submoduleEnabled bool) error {
-	err := gitRepoClient.Init()
-	if err != nil {
-		return fmt.Errorf("Error during initializing repo: %w", err)
-	}
-
-	err = gitRepoClient.Fetch(revision)
-	if err != nil {
-		return fmt.Errorf("Error during fetching repo: %w", err)
-	}
-
-	commitSHA, err := gitRepoClient.LsRemote(revision)
-	if err != nil {
-		return fmt.Errorf("Error during fetching commitSHA: %w", err)
-	}
-	err = gitRepoClient.Checkout(commitSHA, submoduleEnabled)
-	if err != nil {
-		return fmt.Errorf("Error during repo checkout: %w", err)
-	}
-	return nil
-}
--- a/applicationset/services/repo_service_test.go
+++ b/applicationset/services/repo_service_test.go
@@ -3,231 +3,189 @@ package services
 import (
 	"context"
 	"fmt"
-	"sort"
 	"testing"

+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	repo_mocks "github.com/argoproj/argo-cd/v2/reposerver/apiclient/mocks"
+	db_mocks "github.com/argoproj/argo-cd/v2/util/db/mocks"
+	"github.com/argoproj/argo-cd/v2/util/git"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

-type ArgocdRepositoryMock struct {
-	mock *mock.Mock
-}
-
-func (a ArgocdRepositoryMock) GetRepository(ctx context.Context, url string) (*v1alpha1.Repository, error) {
-	args := a.mock.Called(ctx, url)
-
-	return args.Get(0).(*v1alpha1.Repository), args.Error(1)
-
-}
-
 func TestGetDirectories(t *testing.T) {

-	// Hardcode a specific revision to changes to argocd-example-apps from regressing this test:
-	//   Author: Alexander Matyushentsev <Alexander_Matyushentsev@intuit.com>
-	//   Date:   Sun Jan 31 09:54:53 2021 -0800
-	//   chore: downgrade kustomize guestbook image tag (#73)
-	exampleRepoRevision := "08f72e2a309beab929d9fd14626071b1a61a47f9"
-
-	for _, c := range []struct {
-		name          string
-		repoURL       string
-		revision      string
-		repoRes       *v1alpha1.Repository
-		repoErr       error
-		expected      []string
-		expectedError error
+	type fields struct {
+		repositoriesDBFuncs   []func(*mocks.RepositoryDB)
+		storecreds            git.CredsStore
+		submoduleEnabled      bool
+		repoServerClientFuncs []func(*repo_mocks.RepoServerServiceClient)
+	}
+	type args struct {
+		ctx      context.Context
+		repoURL  string
+		revision string
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    []string
+		wantErr assert.ErrorAssertionFunc
 	}{
-		{
-			name:     "All child folders should be returned",
-			repoURL:  "https://github.com/argoproj/argocd-example-apps/",
-			revision: exampleRepoRevision,
-			repoRes: &v1alpha1.Repository{
-				Repo: "https://github.com/argoproj/argocd-example-apps/",
+		{name: "ErrorGettingRepos", fields: fields{
+			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
+				func(db *mocks.RepositoryDB) {
+					db.On("GetRepository", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("unable to get repos"))
+				},
 			},
-			repoErr: nil,
-			expected: []string{"apps", "apps/templates", "blue-green", "blue-green/templates", "guestbook", "helm-dependency",
-				"helm-guestbook", "helm-guestbook/templates", "helm-hooks", "jsonnet-guestbook", "jsonnet-guestbook-tla",
-				"ksonnet-guestbook", "ksonnet-guestbook/components", "ksonnet-guestbook/environments", "ksonnet-guestbook/environments/default",
-				"ksonnet-guestbook/environments/dev", "ksonnet-guestbook/environments/prod", "kustomize-guestbook", "plugins", "plugins/kasane",
-				"plugins/kustomized-helm", "plugins/kustomized-helm/overlays", "pre-post-sync", "sock-shop", "sock-shop/base", "sync-waves"},
-		},
-		{
-			name:     "If GetRepository returns an error, it should pass back to caller",
-			repoURL:  "https://github.com/argoproj/argocd-example-apps/",
-			revision: exampleRepoRevision,
-			repoRes: &v1alpha1.Repository{
-				Repo: "https://github.com/argoproj/argocd-example-apps/",
+		}, args: args{}, want: nil, wantErr: assert.Error},
+		{name: "ErrorGettingDirs", fields: fields{
+			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
+				func(db *mocks.RepositoryDB) {
+					db.On("GetRepository", mock.Anything, mock.Anything).Return(&v1alpha1.Repository{}, nil)
+				},
 			},
-			repoErr:       fmt.Errorf("Simulated error from GetRepository"),
-			expected:      nil,
-			expectedError: fmt.Errorf("Error in GetRepository: Simulated error from GetRepository"),
-		},
-		{
-			name: "Test against repository containing no directories",
-			// Here I picked an arbitrary repository in argoproj-labs, with a commit containing no folders.
-			repoURL:  "https://github.com/argoproj-labs/argo-workflows-operator/",
-			revision: "5f50933a576833b73b7a172909d8545a108685f4",
-			repoRes: &v1alpha1.Repository{
-				Repo: "https://github.com/argoproj-labs/argo-workflows-operator/",
+			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
+				func(client *repo_mocks.RepoServerServiceClient) {
+					client.On("GetGitDirectories", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("unable to get dirs"))
+				},
 			},
-			repoErr:  nil,
-			expected: []string{},
-		},
-	} {
-		cc := c
-		t.Run(cc.name, func(t *testing.T) {
-			argocdRepositoryMock := ArgocdRepositoryMock{mock: &mock.Mock{}}
-
-			argocdRepositoryMock.mock.On("GetRepository", mock.Anything, cc.repoURL).Return(cc.repoRes, cc.repoErr)
-
-			argocd := argoCDService{
-				repositoriesDB: argocdRepositoryMock,
+		}, args: args{}, want: nil, wantErr: assert.Error},
+		{name: "HappyCase", fields: fields{
+			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
+				func(db *mocks.RepositoryDB) {
+					db.On("GetRepository", mock.Anything, mock.Anything).Return(&v1alpha1.Repository{}, nil)
+				},
+			},
+			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
+				func(client *repo_mocks.RepoServerServiceClient) {
+					client.On("GetGitDirectories", mock.Anything, mock.Anything).Return(&apiclient.GitDirectoriesResponse{
+						Paths: []string{"foo", "foo/bar", "bar/foo"},
+					}, nil)
+				},
+			},
+		}, args: args{}, want: []string{"foo", "foo/bar", "bar/foo"}, wantErr: assert.NoError},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockDb := &mocks.RepositoryDB{}
+			mockRepoClient := &repo_mocks.RepoServerServiceClient{}
+			// decorate the mocks
+			for i := range tt.fields.repositoriesDBFuncs {
+				tt.fields.repositoriesDBFuncs[i](mockDb)
+			}
+			for i := range tt.fields.repoServerClientFuncs {
+				tt.fields.repoServerClientFuncs[i](mockRepoClient)
 			}

-			got, err := argocd.GetDirectories(context.TODO(), cc.repoURL, cc.revision)
-
-			if cc.expectedError != nil {
-				assert.EqualError(t, err, cc.expectedError.Error())
-			} else {
-				sort.Strings(got)
-				sort.Strings(cc.expected)
-
-				assert.Equal(t, got, cc.expected)
-				assert.NoError(t, err)
+			a := &argoCDService{
+				repositoriesDB:      mockDb,
+				storecreds:          tt.fields.storecreds,
+				submoduleEnabled:    tt.fields.submoduleEnabled,
+				repoServerClientSet: &repo_mocks.Clientset{RepoServerServiceClient: mockRepoClient},
 			}
+			got, err := a.GetDirectories(tt.args.ctx, tt.args.repoURL, tt.args.revision)
+			if !tt.wantErr(t, err, fmt.Sprintf("GetDirectories(%v, %v, %v)", tt.args.ctx, tt.args.repoURL, tt.args.revision)) {
+				return
+			}
+			assert.Equalf(t, tt.want, got, "GetDirectories(%v, %v, %v)", tt.args.ctx, tt.args.repoURL, tt.args.revision)
 		})
 	}
 }

 func TestGetFiles(t *testing.T) {
-
-	// Hardcode a specific commit, so that changes to argoproj/argocd-example-apps/ don't break our tests
-	// "chore: downgrade kustomize guestbook image tag (#73)"
-	commitID := "08f72e2a309beab929d9fd14626071b1a61a47f9"
-
-	tests := []struct {
-		name     string
+	type fields struct {
+		repositoriesDBFuncs   []func(*mocks.RepositoryDB)
+		storecreds            git.CredsStore
+		submoduleEnabled      bool
+		repoServerClientFuncs []func(*repo_mocks.RepoServerServiceClient)
+	}
+	type args struct {
+		ctx      context.Context
 		repoURL  string
 		revision string
 		pattern  string
-		repoRes  *v1alpha1.Repository
-		repoErr  error
-
-		expectSubsetOfPaths []string
-		doesNotContainPaths []string
-		expectedError       error
-	}{
-		{
-			name: "pull a specific revision of example apps and verify the list is expected",
-			repoRes: &v1alpha1.Repository{
-				Insecure:              true,
-				InsecureIgnoreHostKey: true,
-				Repo:                  "https://github.com/argoproj/argocd-example-apps/",
-			},
-			repoURL:  "https://github.com/argoproj/argocd-example-apps/",
-			revision: commitID,
-			pattern:  "*",
-			expectSubsetOfPaths: []string{
-				"apps/Chart.yaml",
-				"apps/templates/helm-guestbook.yaml",
-				"apps/templates/helm-hooks.yaml",
-				"apps/templates/kustomize-guestbook.yaml",
-				"apps/templates/namespaces.yaml",
-				"apps/templates/sync-waves.yaml",
-				"apps/values.yaml",
-				"blue-green/.helmignore",
-				"blue-green/Chart.yaml",
-				"blue-green/README.md",
-				"blue-green/templates/NOTES.txt",
-				"blue-green/templates/rollout.yaml",
-				"blue-green/templates/services.yaml",
-				"blue-green/values.yaml",
-				"guestbook/guestbook-ui-deployment.yaml",
-				"guestbook/guestbook-ui-svc.yaml",
-				"kustomize-guestbook/guestbook-ui-deployment.yaml",
-				"kustomize-guestbook/guestbook-ui-svc.yaml",
-				"kustomize-guestbook/kustomization.yaml",
-			},
-		},
-		{
-			name: "pull an invalid revision, and confirm an error is returned",
-			repoRes: &v1alpha1.Repository{
-				Insecure:              true,
-				InsecureIgnoreHostKey: true,
-				Repo:                  "https://github.com/argoproj/argocd-example-apps/",
-			},
-			repoURL:             "https://github.com/argoproj/argocd-example-apps/",
-			revision:            "this-tag-does-not-exist",
-			pattern:             "*",
-			expectSubsetOfPaths: []string{},
-			expectedError:       fmt.Errorf("Error during fetching repo: `git fetch origin this-tag-does-not-exist --tags --force --prune` failed exit status 128: fatal: couldn't find remote ref this-tag-does-not-exist"),
-		},
-		{
-			name: "pull a specific revision of example apps, and use a ** pattern",
-			repoRes: &v1alpha1.Repository{
-				Insecure:              true,
-				InsecureIgnoreHostKey: true,
-				Repo:                  "https://github.com/argoproj/argocd-example-apps/",
-			},
-			repoURL:  "https://github.com/argoproj/argocd-example-apps/",
-			revision: commitID,
-			pattern:  "**/*.yaml",
-			expectSubsetOfPaths: []string{
-				"apps/Chart.yaml",
-				"apps/templates/helm-guestbook.yaml",
-				"apps/templates/helm-hooks.yaml",
-				"apps/templates/kustomize-guestbook.yaml",
-				"apps/templates/namespaces.yaml",
-				"apps/templates/sync-waves.yaml",
-				"apps/values.yaml",
-				"blue-green/templates/rollout.yaml",
-				"blue-green/templates/services.yaml",
-				"blue-green/values.yaml",
-				"guestbook/guestbook-ui-deployment.yaml",
-				"guestbook/guestbook-ui-svc.yaml",
-				"kustomize-guestbook/guestbook-ui-deployment.yaml",
-				"kustomize-guestbook/guestbook-ui-svc.yaml",
-				"kustomize-guestbook/kustomization.yaml",
-			},
-			doesNotContainPaths: []string{
-				"blue-green/.helmignore",
-				"blue-green/README.md",
-				"blue-green/templates/NOTES.txt",
-			},
-		},
 	}
-
-	for _, cc := range tests {
-
-		// Get all the paths for a repository, and confirm that the expected subset of paths is found (or the expected error is returned)
-		t.Run(cc.name, func(t *testing.T) {
-			argocdRepositoryMock := ArgocdRepositoryMock{mock: &mock.Mock{}}
-
-			argocdRepositoryMock.mock.On("GetRepository", mock.Anything, cc.repoURL).Return(cc.repoRes, cc.repoErr)
-
-			argocd := argoCDService{
-				repositoriesDB: argocdRepositoryMock,
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    map[string][]byte
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{name: "ErrorGettingRepos", fields: fields{
+			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
+				func(db *mocks.RepositoryDB) {
+					db.On("GetRepository", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("unable to get repos"))
+				},
+			},
+		}, args: args{}, want: nil, wantErr: assert.Error},
+		{name: "ErrorGettingFiles", fields: fields{
+			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
+				func(db *mocks.RepositoryDB) {
+					db.On("GetRepository", mock.Anything, mock.Anything).Return(&v1alpha1.Repository{}, nil)
+				},
+			},
+			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
+				func(client *repo_mocks.RepoServerServiceClient) {
+					client.On("GetGitFiles", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("unable to get files"))
+				},
+			},
+		}, args: args{}, want: nil, wantErr: assert.Error},
+		{name: "HappyCase", fields: fields{
+			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
+				func(db *mocks.RepositoryDB) {
+					db.On("GetRepository", mock.Anything, mock.Anything).Return(&v1alpha1.Repository{}, nil)
+				},
+			},
+			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
+				func(client *repo_mocks.RepoServerServiceClient) {
+					client.On("GetGitFiles", mock.Anything, mock.Anything).Return(&apiclient.GitFilesResponse{
+						Map: map[string][]byte{
+							"foo.json": []byte("hello: world!"),
+							"bar.yaml": []byte("yay: appsets"),
+						},
+					}, nil)
+				},
+			},
+		}, args: args{}, want: map[string][]byte{
+			"foo.json": []byte("hello: world!"),
+			"bar.yaml": []byte("yay: appsets"),
+		}, wantErr: assert.NoError},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockDb := &mocks.RepositoryDB{}
+			mockRepoClient := &repo_mocks.RepoServerServiceClient{}
+			// decorate the mocks
+			for i := range tt.fields.repositoriesDBFuncs {
+				tt.fields.repositoriesDBFuncs[i](mockDb)
+			}
+			for i := range tt.fields.repoServerClientFuncs {
+				tt.fields.repoServerClientFuncs[i](mockRepoClient)
 			}

-			getPathsRes, err := argocd.GetFiles(context.Background(), cc.repoURL, cc.revision, cc.pattern)
-
-			if cc.expectedError == nil {
-
-				assert.NoError(t, err)
-				for _, path := range cc.expectSubsetOfPaths {
-					assert.Contains(t, getPathsRes, path, "Unable to locate path: %s", path)
-				}
-
-				for _, shouldNotContain := range cc.doesNotContainPaths {
-					assert.NotContains(t, getPathsRes, shouldNotContain, "GetPaths should not contain %s", shouldNotContain)
-				}
-
-			} else {
-				assert.EqualError(t, err, cc.expectedError.Error())
+			a := &argoCDService{
+				repositoriesDB:      mockDb,
+				storecreds:          tt.fields.storecreds,
+				submoduleEnabled:    tt.fields.submoduleEnabled,
+				repoServerClientSet: &repo_mocks.Clientset{RepoServerServiceClient: mockRepoClient},
 			}
+			got, err := a.GetFiles(tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.pattern)
+			if !tt.wantErr(t, err, fmt.Sprintf("GetFiles(%v, %v, %v, %v)", tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.pattern)) {
+				return
+			}
+			assert.Equalf(t, tt.want, got, "GetFiles(%v, %v, %v, %v)", tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.pattern)
 		})
 	}
 }
+
+func TestNewArgoCDService(t *testing.T) {
+	service, err := NewArgoCDService(&db_mocks.ArgoDB{}, false, &repo_mocks.Clientset{})
+	assert.NoError(t, err, err)
+	assert.NotNil(t, service)
+}
--- a/applicationset/services/scm_provider/bitbucket_cloud.go
+++ b/applicationset/services/scm_provider/bitbucket_cloud.go
@@ -29,7 +29,7 @@ func (c *ExtendedClient) GetContents(repo *Repository, path string) (bool, error
 	urlStr += fmt.Sprintf("/repositories/%s/%s/src/%s/%s?format=meta", c.owner, repo.Repository, repo.SHA, path)
 	body := strings.NewReader("")

-	req, err := http.NewRequest("GET", urlStr, body)
+	req, err := http.NewRequest(http.MethodGet, urlStr, body)
 	if err != nil {
 		return false, err
 	}
--- a/applicationset/services/scm_provider/bitbucket_server_test.go
+++ b/applicationset/services/scm_provider/bitbucket_server_test.go
@@ -347,7 +347,7 @@ func TestGetBranchesMissingDefault(t *testing.T) {
 		assert.Empty(t, r.Header.Get("Authorization"))
 		switch r.RequestURI {
 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/branches/default":
-			http.Error(w, "Not found", 404)
+			http.Error(w, "Not found", http.StatusNotFound)
 		}
 		defaultHandler(t)(w, r)
 	}))
@@ -370,7 +370,7 @@ func TestGetBranchesErrorDefaultBranch(t *testing.T) {
 		assert.Empty(t, r.Header.Get("Authorization"))
 		switch r.RequestURI {
 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/branches/default":
-			http.Error(w, "Internal server error", 500)
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
 		}
 		defaultHandler(t)(w, r)
 	}))
@@ -442,7 +442,7 @@ func TestListReposMissingDefaultBranch(t *testing.T) {
 		assert.Empty(t, r.Header.Get("Authorization"))
 		switch r.RequestURI {
 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/branches/default":
-			http.Error(w, "Not found", 404)
+			http.Error(w, "Not found", http.StatusNotFound)
 		}
 		defaultHandler(t)(w, r)
 	}))
@@ -459,7 +459,7 @@ func TestListReposErrorDefaultBranch(t *testing.T) {
 		assert.Empty(t, r.Header.Get("Authorization"))
 		switch r.RequestURI {
 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/branches/default":
-			http.Error(w, "Internal server error", 500)
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
 		}
 		defaultHandler(t)(w, r)
 	}))
@@ -516,17 +516,17 @@ func TestBitbucketServerHasPath(t *testing.T) {
 			_, err = io.WriteString(w, `{"type":"FILE"}`)

 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/browse/anotherpkg/missing.txt?at=main&limit=100&type=true":
-			http.Error(w, "The path \"anotherpkg/missing.txt\" does not exist at revision \"main\"", 404)
+			http.Error(w, "The path \"anotherpkg/missing.txt\" does not exist at revision \"main\"", http.StatusNotFound)
 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/browse/notathing?at=main&limit=100&type=true":
-			http.Error(w, "The path \"notathing\" does not exist at revision \"main\"", 404)
+			http.Error(w, "The path \"notathing\" does not exist at revision \"main\"", http.StatusNotFound)

 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/browse/return-redirect?at=main&limit=100&type=true":
-			http.Redirect(w, r, "http://"+r.Host+"/rest/api/1.0/projects/PROJECT/repos/REPO/browse/redirected?at=main&limit=100&type=true", 301)
+			http.Redirect(w, r, "http://"+r.Host+"/rest/api/1.0/projects/PROJECT/repos/REPO/browse/redirected?at=main&limit=100&type=true", http.StatusMovedPermanently)
 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/browse/redirected?at=main&limit=100&type=true":
 			_, err = io.WriteString(w, `{"type":"DIRECTORY"}`)

 		case "/rest/api/1.0/projects/PROJECT/repos/REPO/browse/unauthorized-response?at=main&limit=100&type=true":
-			http.Error(w, "Authentication failed", 401)
+			http.Error(w, "Authentication failed", http.StatusUnauthorized)

 		default:
 			t.Fail()
--- a/applicationset/services/scm_provider/gitea.go
+++ b/applicationset/services/scm_provider/gitea.go
@@ -47,7 +47,7 @@ func NewGiteaProvider(ctx context.Context, owner, token, url string, allBranches
 func (g *GiteaProvider) GetBranches(ctx context.Context, repo *Repository) ([]*Repository, error) {
 	if !g.allBranches {
 		branch, status, err := g.client.GetRepoBranch(g.owner, repo.Repository, repo.Branch)
-		if status.StatusCode == 404 {
+		if status.StatusCode == http.StatusNotFound {
 			return nil, fmt.Errorf("got 404 while getting default branch %q for repo %q - check your repo config: %w", repo.Branch, repo.Repository, err)
 		}
 		if err != nil {
--- a/applicationset/services/scm_provider/gitea_test.go
+++ b/applicationset/services/scm_provider/gitea_test.go
@@ -247,7 +247,7 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			_, err := io.WriteString(w, testdata.ReposGiteaGoSdkContentsGiteaResponse)
 			require.NoError(t, err)
 		case "/api/v1/repos/gitea/go-sdk/contents/notathing?ref=master":
-			w.WriteHeader(404)
+			w.WriteHeader(http.StatusNotFound)
 			_, err := io.WriteString(w, `{"errors":["object does not exist [id: , rel_path: notathing]"],"message":"GetContentsOrList","url":"https://gitea.com/api/swagger"}`)
 			require.NoError(t, err)
 		default:
--- a/applicationset/services/scm_provider/github.go
+++ b/applicationset/services/scm_provider/github.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"os"

 	"github.com/google/go-github/v35/github"
@@ -123,7 +124,7 @@ func (g *GithubProvider) listBranches(ctx context.Context, repo *Repository) ([]
 		if err != nil {
 			var githubErrorResponse *github.ErrorResponse
 			if errors.As(err, &githubErrorResponse) {
-				if githubErrorResponse.Response.StatusCode == 404 {
+				if githubErrorResponse.Response.StatusCode == http.StatusNotFound {
 					// Default branch doesn't exist, so the repo is empty.
 					return []github.Branch{}, nil
 				}
--- a/applicationset/services/scm_provider/github_test.go
+++ b/applicationset/services/scm_provider/github_test.go
@@ -196,7 +196,7 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 				t.Fail()
 			}
 		default:
-			w.WriteHeader(404)
+			w.WriteHeader(http.StatusNotFound)
 		}
 	}
 }
--- a/applicationset/services/scm_provider/gitlab.go
+++ b/applicationset/services/scm_provider/gitlab.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"net/http"
 	pathpkg "path"

 	gitlab "github.com/xanzy/go-gitlab"
@@ -144,7 +145,11 @@ func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gi
 	branches := []gitlab.Branch{}
 	// If we don't specifically want to query for all branches, just use the default branch and call it a day.
 	if !g.allBranches {
-		gitlabBranch, _, err := g.client.Branches.GetBranch(repo.RepositoryId, repo.Branch, nil)
+		gitlabBranch, resp, err := g.client.Branches.GetBranch(repo.RepositoryId, repo.Branch, nil)
+		// 404s are not an error here, just a normal false.
+		if resp != nil && resp.StatusCode == http.StatusNotFound {
+			return []gitlab.Branch{}, nil
+		}
 		if err != nil {
 			return nil, err
 		}
@@ -157,6 +162,10 @@ func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gi
 	}
 	for {
 		gitlabBranches, resp, err := g.client.Branches.ListBranches(repo.RepositoryId, opt)
+		// 404s are not an error here, just a normal false.
+		if resp != nil && resp.StatusCode == http.StatusNotFound {
+			return []gitlab.Branch{}, nil
+		}
 		if err != nil {
 			return nil, err
 		}
--- a/applicationset/services/scm_provider/gitlab_test.go
+++ b/applicationset/services/scm_provider/gitlab_test.go
@@ -274,6 +274,8 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v4/projects/27084533/repository/branches/foo":
+			w.WriteHeader(http.StatusNotFound)
 		default:
 			_, err := io.WriteString(w, `[]`)
 			if err != nil {
@@ -391,3 +393,29 @@ func TestGitlabHasPath(t *testing.T) {
 		})
 	}
 }
+
+func TestGitlabGetBranches(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gitlabMockHandler(t)(w, r)
+	}))
+	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true)
+
+	repo := &Repository{
+		RepositoryId: 27084533,
+		Branch:       "master",
+	}
+	t.Run("branch exists", func(t *testing.T) {
+		repos, err := host.GetBranches(context.Background(), repo)
+		assert.Nil(t, err)
+		assert.Equal(t, repos[0].Branch, "master")
+	})
+
+	repo2 := &Repository{
+		RepositoryId: 27084533,
+		Branch:       "foo",
+	}
+	t.Run("unknown branch", func(t *testing.T) {
+		_, err := host.GetBranches(context.Background(), repo2)
+		assert.NoError(t, err)
+	})
+}
--- a/applicationset/utils/policy.go
+++ b/applicationset/utils/policy.go
@@ -11,6 +11,7 @@ var Policies = map[string]Policy{
 	"sync":          &SyncPolicy{},
 	"create-only":   &CreateOnlyPolicy{},
 	"create-update": &CreateUpdatePolicy{},
+	"create-delete": &CreateDeletePolicy{},
 }

 type SyncPolicy struct{}
@@ -42,3 +43,13 @@ func (p *CreateOnlyPolicy) Update() bool {
 func (p *CreateOnlyPolicy) Delete() bool {
 	return false
 }
+
+type CreateDeletePolicy struct{}
+
+func (p *CreateDeletePolicy) Update() bool {
+	return false
+}
+
+func (p *CreateDeletePolicy) Delete() bool {
+	return true
+}
--- a/applicationset/utils/utils.go
+++ b/applicationset/utils/utils.go
@@ -12,7 +12,7 @@ import (
 	"text/template"
 	"unsafe"

-	"github.com/Masterminds/sprig"
+	"github.com/Masterminds/sprig/v3"
 	"github.com/valyala/fasttemplate"

 	log "github.com/sirupsen/logrus"
@@ -133,6 +133,16 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri
 			if err := r.deeplyReplace(copyValue, originalValue, replaceMap, useGoTemplate); err != nil {
 				return err
 			}
+
+			// Keys can be templated as well as values (e.g. to template something into an annotation).
+			if key.Kind() == reflect.String {
+				templatedKey, err := r.Replace(key.String(), replaceMap, useGoTemplate)
+				if err != nil {
+					return err
+				}
+				key = reflect.ValueOf(templatedKey)
+			}
+
 			copy.SetMapIndex(key, copyValue)
 		}

@@ -164,7 +174,7 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri

 func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *argoappsv1.ApplicationSetSyncPolicy, params map[string]interface{}, useGoTemplate bool) (*argoappsv1.Application, error) {
 	if tmpl == nil {
-		return nil, fmt.Errorf("application template is empty ")
+		return nil, fmt.Errorf("application template is empty")
 	}

 	if len(params) == 0 {
@@ -194,6 +204,27 @@ func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *
 	return replacedTmpl, nil
 }

+func (r *Render) RenderGeneratorParams(gen *argoappsv1.ApplicationSetGenerator, params map[string]interface{}, useGoTemplate bool) (*argoappsv1.ApplicationSetGenerator, error) {
+	if gen == nil {
+		return nil, fmt.Errorf("generator is empty")
+	}
+
+	if len(params) == 0 {
+		return gen, nil
+	}
+
+	original := reflect.ValueOf(gen)
+	copy := reflect.New(original.Type()).Elem()
+
+	if err := r.deeplyReplace(copy, original, params, useGoTemplate); err != nil {
+		return nil, fmt.Errorf("failed to replace parameters in generator: %w", err)
+	}
+
+	replacedGen := copy.Interface().(*argoappsv1.ApplicationSetGenerator)
+
+	return replacedGen, nil
+}
+
 var isTemplatedRegex = regexp.MustCompile(".*{{.*}}.*")

 // Replace executes basic string substitution of a template with replacement values.
--- a/applicationset/utils/utils_test.go
+++ b/applicationset/utils/utils_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/sirupsen/logrus"
 	logtest "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -40,7 +41,7 @@ func TestRenderTemplateParams(t *testing.T) {
 			Namespace:         "default",
 		},
 		Spec: argoappsv1.ApplicationSpec{
-			Source: argoappsv1.ApplicationSource{
+			Source: &argoappsv1.ApplicationSource{
 				Path:           "",
 				RepoURL:        "",
 				TargetRevision: "",
@@ -219,7 +220,7 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			Namespace:         "default",
 		},
 		Spec: argoappsv1.ApplicationSpec{
-			Source: argoappsv1.ApplicationSource{
+			Source: &argoappsv1.ApplicationSource{
 				Path:           "",
 				RepoURL:        "",
 				TargetRevision: "",
@@ -461,14 +462,56 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			}
 		})
 	}
+}

+func TestRenderTemplateKeys(t *testing.T) {
+	t.Run("fasttemplate", func(t *testing.T) {
+		application := &argoappsv1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"annotation-{{key}}": "annotation-{{value}}",
+				},
+			},
+		}
+
+		params := map[string]interface{}{
+			"key":   "some-key",
+			"value": "some-value",
+		}
+
+		render := Render{}
+		newApplication, err := render.RenderTemplateParams(application, nil, params, false)
+		require.NoError(t, err)
+		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
+		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
+	})
+	t.Run("gotemplate", func(t *testing.T) {
+		application := &argoappsv1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"annotation-{{ .key }}": "annotation-{{ .value }}",
+				},
+			},
+		}
+
+		params := map[string]interface{}{
+			"key":   "some-key",
+			"value": "some-value",
+		}
+
+		render := Render{}
+		newApplication, err := render.RenderTemplateParams(application, nil, params, true)
+		require.NoError(t, err)
+		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
+		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
+	})
 }

 func TestRenderTemplateParamsFinalizers(t *testing.T) {

 	emptyApplication := &argoappsv1.Application{
 		Spec: argoappsv1.ApplicationSpec{
-			Source: argoappsv1.ApplicationSource{
+			Source: &argoappsv1.ApplicationSource{
 				Path:           "",
 				RepoURL:        "",
 				TargetRevision: "",
--- a/applicationset/webhook/webhook.go
+++ b/applicationset/webhook/webhook.go
@@ -133,7 +133,7 @@ func (h *WebhookHandler) Handler(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		log.Infof("Webhook processing failed: %s", err)
 		status := http.StatusBadRequest
-		if r.Method != "POST" {
+		if r.Method != http.MethodPost {
 			status = http.StatusMethodNotAllowed
 		}
 		http.Error(w, fmt.Sprintf("Webhook processing failed: %s", html.EscapeString(err.Error())), status)
--- a/applicationset/webhook/webhook_test.go
+++ b/applicationset/webhook/webhook_test.go
@@ -177,7 +177,7 @@ func TestWebhookHandler(t *testing.T) {
 			h, err := NewWebhookHandler(namespace, set, fc, mockGenerators())
 			assert.Nil(t, err)

-			req := httptest.NewRequest("POST", "/api/webhook", nil)
+			req := httptest.NewRequest(http.MethodPost, "/api/webhook", nil)
 			req.Header.Set(test.headerKey, test.headerValue)
 			eventJSON, err := os.ReadFile(filepath.Join("testdata", test.payloadFile))
 			assert.NoError(t, err)
--- a/argocd-cosign.pub
+++ b/argocd-cosign.pub
@@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
-JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
-----END PUBLIC KEY-----
--- a/assets/swagger.json
+++ b/assets/swagger.json
@@ -271,6 +271,16 @@
            "description": "the application's namespace.",
            "name": "appNamespace",
            "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
          }
        ],
        "responses": {
@@ -585,6 +595,16 @@
            "description": "the application's namespace.",
            "name": "appNamespace",
            "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
          }
        ],
        "responses": {
@@ -735,6 +755,42 @@
        }
      }
    },
+    "/api/v1/applications/{name}/links": {
+      "get": {
+        "tags": [
+          "ApplicationService"
+        ],
+        "summary": "ListLinks returns the list of all application deep links",
+        "operationId": "ApplicationService_ListLinks",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "name": "namespace",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/applicationLinksResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/applications/{name}/logs": {
      "get": {
        "tags": [
@@ -1385,6 +1441,112 @@
        }
      }
    },
+    "/api/v1/applications/{name}/resource/links": {
+      "get": {
+        "tags": [
+          "ApplicationService"
+        ],
+        "summary": "ListResourceLinks returns the list of all resource deep links",
+        "operationId": "ApplicationService_ListResourceLinks",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "name": "namespace",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "resourceName",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "version",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "group",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "kind",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "appNamespace",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/applicationLinksResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/applications/{name}/revisions/{revision}/chartdetails": {
+      "get": {
+        "tags": [
+          "ApplicationService"
+        ],
+        "summary": "Get the chart metadata (description, maintainers, home) for a specific revision of the application",
+        "operationId": "ApplicationService_RevisionChartDetails",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "the application's name",
+            "name": "name",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "the revision of the app",
+            "name": "revision",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "the application's namespace.",
+            "name": "appNamespace",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1ChartDetails"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/applications/{name}/revisions/{revision}/metadata": {
      "get": {
        "tags": [
@@ -2560,6 +2722,37 @@
        }
      }
    },
+    "/api/v1/projects/{name}/links": {
+      "get": {
+        "tags": [
+          "ProjectService"
+        ],
+        "summary": "ListLinks returns all deep links for the particular project",
+        "operationId": "ProjectService_ListLinks",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/applicationLinksResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/projects/{name}/syncwindows": {
      "get": {
        "tags": [
@@ -3296,6 +3489,18 @@
            "description": "Reference between project and repository that allow you automatically to be added as item inside SourceRepos project entity.",
            "name": "project",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Google Cloud Platform service account key.",
+            "name": "gcpServiceAccountKey",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force HTTP basic auth.",
+            "name": "forceHttpBasicAuth",
+            "in": "query"
          }
        ],
        "responses": {
@@ -3454,6 +3659,29 @@
        }
      }
    },
+    "/api/v1/settings/plugins": {
+      "get": {
+        "tags": [
+          "SettingsService"
+        ],
+        "summary": "Get returns Argo CD plugins",
+        "operationId": "SettingsService_GetPlugins",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/clusterSettingsPluginsResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/stream/applications": {
      "get": {
        "tags": [
@@ -3507,6 +3735,16 @@
            "description": "the application's namespace.",
            "name": "appNamespace",
            "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
          }
        ],
        "responses": {
@@ -3900,6 +4138,34 @@
        }
      }
    },
+    "applicationLinkInfo": {
+      "type": "object",
+      "properties": {
+        "description": {
+          "type": "string"
+        },
+        "iconClass": {
+          "type": "string"
+        },
+        "title": {
+          "type": "string"
+        },
+        "url": {
+          "type": "string"
+        }
+      }
+    },
+    "applicationLinksResponse": {
+      "type": "object",
+      "properties": {
+        "items": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/applicationLinkInfo"
+          }
+        }
+      }
+    },
    "applicationLogEntry": {
      "type": "object",
      "properties": {
@@ -4097,6 +4363,9 @@
        "appLabelKey": {
          "type": "string"
        },
+        "appsInAnyNamespaceEnabled": {
+          "type": "boolean"
+        },
        "configManagementPlugins": {
          "type": "array",
          "items": {
@@ -4177,6 +4446,17 @@
        }
      }
    },
+    "clusterSettingsPluginsResponse": {
+      "type": "object",
+      "properties": {
+        "plugins": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/clusterPlugin"
+          }
+        }
+      }
+    },
    "gpgkeyGnuPGPublicKeyCreateResponse": {
      "type": "object",
      "title": "Response to a public key creation request",
@@ -4197,6 +4477,24 @@
      "type": "object",
      "title": "Generic (empty) response for GPG public key CRUD requests"
    },
+    "intstrIntOrString": {
+      "description": "+protobuf=true\n+protobuf.options.(gogoproto.goproto_stringer)=false\n+k8s:openapi-gen=true",
+      "type": "object",
+      "title": "IntOrString is a type that can hold an int32 or a string.  When used in\nJSON or YAML marshalling and unmarshalling, it produces or consumes the\ninner type.  This allows you to have, for example, a JSON field that can\naccept a name or number.\nTODO: Rename to Int32OrString",
+      "properties": {
+        "intVal": {
+          "type": "integer",
+          "format": "int32"
+        },
+        "strVal": {
+          "type": "string"
+        },
+        "type": {
+          "type": "string",
+          "format": "int64"
+        }
+      }
+    },
    "notificationService": {
      "type": "object",
      "properties": {
@@ -4505,6 +4803,65 @@
        }
      }
    },
+    "repositoryParameterAnnouncement": {
+      "type": "object",
+      "properties": {
+        "array": {
+          "description": "array is the default value of the parameter if the parameter is an array.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "collectionType": {
+          "description": "collectionType is the type of value this parameter holds - either a single value (a string) or a collection\n(array or map). If collectionType is set, only the field with that type will be used. If collectionType is not\nset, `string` is the default. If collectionType is set to an invalid value, a validation error is thrown.",
+          "type": "string"
+        },
+        "itemType": {
+          "description": "itemType determines the primitive data type represented by the parameter. Parameters are always encoded as\nstrings, but this field lets them be interpreted as other primitive types.",
+          "type": "string"
+        },
+        "map": {
+          "description": "map is the default value of the parameter if the parameter is a map.",
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
+        "name": {
+          "description": "name is the name identifying a parameter.",
+          "type": "string"
+        },
+        "required": {
+          "description": "required defines if this given parameter is mandatory.",
+          "type": "boolean"
+        },
+        "string": {
+          "description": "string is the default value of the parameter if the parameter is a string.",
+          "type": "string"
+        },
+        "title": {
+          "description": "title is a human-readable text of the parameter name.",
+          "type": "string"
+        },
+        "tooltip": {
+          "description": "tooltip is a human-readable description of the parameter.",
+          "type": "string"
+        }
+      }
+    },
+    "repositoryPluginAppSpec": {
+      "type": "object",
+      "title": "PluginAppSpec contains details about a plugin-type Application",
+      "properties": {
+        "parametersAnnouncement": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/repositoryParameterAnnouncement"
+          }
+        }
+      }
+    },
    "repositoryRefs": {
      "type": "object",
      "title": "A subset of the repository's named refs",
@@ -4551,6 +4908,9 @@
        "kustomize": {
          "$ref": "#/definitions/repositoryKustomizeAppSpec"
        },
+        "plugin": {
+          "$ref": "#/definitions/repositoryPluginAppSpec"
+        },
        "type": {
          "type": "string"
        }
@@ -5373,6 +5733,34 @@
        }
      }
    },
+    "v1alpha1ApplicationMatchExpression": {
+      "type": "object",
+      "properties": {
+        "key": {
+          "type": "string"
+        },
+        "operator": {
+          "type": "string"
+        },
+        "values": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "v1alpha1ApplicationPreservedFields": {
+      "type": "object",
+      "properties": {
+        "annotations": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
    "v1alpha1ApplicationSet": {
      "type": "object",
      "title": "ApplicationSet is a set of Application resources\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n+kubebuilder:resource:path=applicationsets,shortName=appset;appsets\n+kubebuilder:subresource:status",
@@ -5388,6 +5776,31 @@
        }
      }
    },
+    "v1alpha1ApplicationSetApplicationStatus": {
+      "type": "object",
+      "title": "ApplicationSetApplicationStatus contains details about each Application managed by the ApplicationSet",
+      "properties": {
+        "application": {
+          "type": "string",
+          "title": "Application contains the name of the Application resource"
+        },
+        "lastTransitionTime": {
+          "$ref": "#/definitions/v1Time"
+        },
+        "message": {
+          "type": "string",
+          "title": "Message contains human-readable message indicating details about the status"
+        },
+        "status": {
+          "type": "string",
+          "title": "Status contains the AppSet's perceived status of the managed Application resource: (Waiting, Pending, Progressing, Healthy)"
+        },
+        "step": {
+          "type": "string",
+          "title": "Step tracks which step this Application should be updated in"
+        }
+      }
+    },
    "v1alpha1ApplicationSetCondition": {
      "type": "object",
      "title": "ApplicationSetCondition contains details about an applicationset condition, which is usally an error or warning",
@@ -5494,6 +5907,31 @@
        }
      }
    },
+    "v1alpha1ApplicationSetRolloutStep": {
+      "type": "object",
+      "properties": {
+        "matchExpressions": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationMatchExpression"
+          }
+        },
+        "maxUpdate": {
+          "$ref": "#/definitions/intstrIntOrString"
+        }
+      }
+    },
+    "v1alpha1ApplicationSetRolloutStrategy": {
+      "type": "object",
+      "properties": {
+        "steps": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationSetRolloutStep"
+          }
+        }
+      }
+    },
    "v1alpha1ApplicationSetSpec": {
      "description": "ApplicationSetSpec represents a class of application set state.",
      "type": "object",
@@ -5507,6 +5945,12 @@
        "goTemplate": {
          "type": "boolean"
        },
+        "preservedFields": {
+          "$ref": "#/definitions/v1alpha1ApplicationPreservedFields"
+        },
+        "strategy": {
+          "$ref": "#/definitions/v1alpha1ApplicationSetStrategy"
+        },
        "syncPolicy": {
          "$ref": "#/definitions/v1alpha1ApplicationSetSyncPolicy"
        },
@@ -5519,6 +5963,12 @@
      "type": "object",
      "title": "ApplicationSetStatus defines the observed state of ApplicationSet",
      "properties": {
+        "applicationStatus": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationSetApplicationStatus"
+          }
+        },
        "conditions": {
          "type": "array",
          "title": "INSERT ADDITIONAL STATUS FIELD - define observed state of cluster\nImportant: Run \"make\" to regenerate code after modifying this file",
@@ -5528,6 +5978,18 @@
        }
      }
    },
+    "v1alpha1ApplicationSetStrategy": {
+      "description": "ApplicationSetStrategy configures how generated Applications are updated in sequence.",
+      "type": "object",
+      "properties": {
+        "rollingSync": {
+          "$ref": "#/definitions/v1alpha1ApplicationSetRolloutStrategy"
+        },
+        "type": {
+          "type": "string"
+        }
+      }
+    },
    "v1alpha1ApplicationSetSyncPolicy": {
      "description": "ApplicationSetSyncPolicy configures how generated Applications will relate to their\nApplicationSet.",
      "type": "object",
@@ -5604,6 +6066,10 @@
        "plugin": {
          "$ref": "#/definitions/v1alpha1ApplicationSourcePlugin"
        },
+        "ref": {
+          "description": "Ref is reference to another source within sources field. This field will not be used if used with a `source` tag.",
+          "type": "string"
+        },
        "repoURL": {
          "type": "string",
          "title": "RepoURL is the URL to the repository (Git or Helm) that contains the application manifests"
@@ -5724,6 +6190,10 @@
            "type": "string"
          }
        },
+        "commonAnnotationsEnvsubst": {
+          "type": "boolean",
+          "title": "CommonAnnotationsEnvsubst specifies whether to apply env variables substitution for annotation values"
+        },
        "commonLabels": {
          "type": "object",
          "title": "CommonLabels is a list of additional labels to add to rendered manifests",
@@ -5754,6 +6224,17 @@
          "type": "string",
          "title": "NameSuffix is a suffix appended to resources for Kustomize apps"
        },
+        "namespace": {
+          "type": "string",
+          "title": "Namespace sets the namespace that Kustomize adds to all resources"
+        },
+        "replicas": {
+          "type": "array",
+          "title": "Replicas is a list of Kustomize Replicas override specifications",
+          "items": {
+            "$ref": "#/definitions/v1alpha1KustomizeReplica"
+          }
+        },
        "version": {
          "type": "string",
          "title": "Version controls which version of Kustomize to use for rendering manifests"
@@ -5772,6 +6253,39 @@
        },
        "name": {
          "type": "string"
+        },
+        "parameters": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationSourcePluginParameter"
+          }
+        }
+      }
+    },
+    "v1alpha1ApplicationSourcePluginParameter": {
+      "type": "object",
+      "properties": {
+        "array": {
+          "description": "Array is the value of an array type parameter.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "map": {
+          "description": "Map is the value of a map type parameter.",
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
+        "name": {
+          "description": "Name is the name identifying a parameter.",
+          "type": "string"
+        },
+        "string": {
+          "description": "String_ is the value of a string type parameter.",
+          "type": "string"
        }
      }
    },
@@ -5808,6 +6322,13 @@
        "source": {
          "$ref": "#/definitions/v1alpha1ApplicationSource"
        },
+        "sources": {
+          "type": "array",
+          "title": "Sources is a reference to the location of the application's manifests or chart",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationSource"
+          }
+        },
        "syncPolicy": {
          "$ref": "#/definitions/v1alpha1SyncPolicy"
        }
@@ -5858,6 +6379,13 @@
          "type": "string",
          "title": "SourceType specifies the type of this application"
        },
+        "sourceTypes": {
+          "type": "array",
+          "title": "SourceTypes specifies the type of the sources included in the application",
+          "items": {
+            "type": "string"
+          }
+        },
        "summary": {
          "$ref": "#/definitions/v1alpha1ApplicationSummary"
        },
@@ -5957,6 +6485,26 @@
        }
      }
    },
+    "v1alpha1ChartDetails": {
+      "type": "object",
+      "title": "ChartDetails contains helm chart metadata for a specific version",
+      "properties": {
+        "description": {
+          "type": "string"
+        },
+        "home": {
+          "type": "string",
+          "title": "The URL of this projects home page, e.g. \"http://example.com\""
+        },
+        "maintainers": {
+          "type": "array",
+          "title": "List of maintainer details, name and email, e.g. [\"John Doe <john_doe@my-company.com>\"]",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
    "v1alpha1Cluster": {
      "type": "object",
      "title": "Cluster is the definition of a cluster resource",
@@ -6155,6 +6703,13 @@
        },
        "source": {
          "$ref": "#/definitions/v1alpha1ApplicationSource"
+        },
+        "sources": {
+          "type": "array",
+          "title": "Sources is a reference to the application's multiple sources used for comparison",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationSource"
+          }
        }
      }
    },
@@ -6289,6 +6844,9 @@
            "$ref": "#/definitions/v1alpha1GitFileGeneratorItem"
          }
        },
+        "pathParamPrefix": {
+          "type": "string"
+        },
        "repoURL": {
          "type": "string"
        },
@@ -6529,6 +7087,18 @@
        }
      }
    },
+    "v1alpha1KustomizeReplica": {
+      "type": "object",
+      "properties": {
+        "count": {
+          "$ref": "#/definitions/intstrIntOrString"
+        },
+        "name": {
+          "type": "string",
+          "title": "Name of Deployment or StatefulSet"
+        }
+      }
+    },
    "v1alpha1ListGenerator": {
      "type": "object",
      "title": "ListGenerator include items info",
@@ -6539,11 +7109,31 @@
            "$ref": "#/definitions/v1JSON"
          }
        },
+        "elementsYaml": {
+          "type": "string"
+        },
        "template": {
          "$ref": "#/definitions/v1alpha1ApplicationSetTemplate"
        }
      }
    },
+    "v1alpha1ManagedNamespaceMetadata": {
+      "type": "object",
+      "properties": {
+        "annotations": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
+        "labels": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          }
+        }
+      }
+    },
    "v1alpha1MatrixGenerator": {
      "description": "MatrixGenerator generates the cartesian product of two sets of parameters. The parameters are defined by two nested\ngenerators.",
      "type": "object",
@@ -6897,6 +7487,14 @@
          "type": "boolean",
          "title": "EnableOCI specifies whether helm-oci support should be enabled for this repo"
        },
+        "forceHttpBasicAuth": {
+          "type": "boolean",
+          "title": "ForceHttpBasicAuth specifies whether Argo CD should attempt to force basic auth for HTTP connections"
+        },
+        "gcpServiceAccountKey": {
+          "type": "string",
+          "title": "GCPServiceAccountKey specifies the service account key in JSON format to be used for getting credentials to Google Cloud Source repos"
+        },
        "githubAppEnterpriseBaseUrl": {
          "type": "string",
          "title": "GithubAppEnterpriseBaseURL specifies the GitHub API URL for GitHub app authentication. If empty will default to https://api.github.com"
@@ -6919,6 +7517,10 @@
          "type": "string",
          "title": "Password for authenticating at the repo server"
        },
+        "proxy": {
+          "type": "string",
+          "title": "Proxy specifies the HTTP/HTTPS proxy used to access repos at the repo server"
+        },
        "sshPrivateKey": {
          "type": "string",
          "title": "SSHPrivateKey contains the private key data for authenticating at the repo server using SSH (only Git repos)"
@@ -6975,6 +7577,14 @@
          "type": "boolean",
          "title": "EnableOCI specifies whether helm-oci support should be enabled for this repo"
        },
+        "forceHttpBasicAuth": {
+          "type": "boolean",
+          "title": "ForceHttpBasicAuth specifies whether Argo CD should attempt to force basic auth for HTTP connections"
+        },
+        "gcpServiceAccountKey": {
+          "type": "string",
+          "title": "GCPServiceAccountKey specifies the service account key in JSON format to be used for getting credentials to Google Cloud Source repos"
+        },
        "githubAppEnterpriseBaseUrl": {
          "type": "string",
          "title": "GithubAppEnterpriseBaseURL specifies the base URL of GitHub Enterprise installation. If empty will default to https://api.github.com"
@@ -7465,8 +8075,22 @@
          "type": "string",
          "title": "Revision holds the revision the sync was performed against"
        },
+        "revisions": {
+          "type": "array",
+          "title": "Revisions holds the revision of each source in sources field the sync was performed against",
+          "items": {
+            "type": "string"
+          }
+        },
        "source": {
          "$ref": "#/definitions/v1alpha1ApplicationSource"
+        },
+        "sources": {
+          "type": "array",
+          "title": "Sources is a reference to the application sources used for the sync operation",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationSource"
+          }
        }
      }
    },
@@ -7767,9 +8391,23 @@
          "description": "Revision is the revision (Git) or chart version (Helm) which to sync the application to\nIf omitted, will use the revision specified in app spec.",
          "type": "string"
        },
+        "revisions": {
+          "description": "Revisions is the list of revision (Git) or chart version (Helm) which to sync each source in sources field for the application to\nIf omitted, will use the revision specified in app spec.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
        "source": {
          "$ref": "#/definitions/v1alpha1ApplicationSource"
        },
+        "sources": {
+          "type": "array",
+          "title": "Sources overrides the source definition set in the application.\nThis is typically set in a Rollback operation and is nil during a Sync operation",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationSource"
+          }
+        },
        "syncOptions": {
          "type": "array",
          "title": "SyncOptions provide per-sync sync-options, e.g. Validate=false",
@@ -7815,8 +8453,22 @@
          "type": "string",
          "title": "Revision holds the revision this sync operation was performed to"
        },
+        "revisions": {
+          "type": "array",
+          "title": "Revisions holds the revision this sync operation was performed for respective indexed source in sources field",
+          "items": {
+            "type": "string"
+          }
+        },
        "source": {
          "$ref": "#/definitions/v1alpha1ApplicationSource"
+        },
+        "sources": {
+          "type": "array",
+          "title": "Source records the application source information of the sync, used for comparing auto-sync",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationSource"
+          }
        }
      }
    },
@@ -7827,6 +8479,9 @@
        "automated": {
          "$ref": "#/definitions/v1alpha1SyncPolicyAutomated"
        },
+        "managedNamespaceMetadata": {
+          "$ref": "#/definitions/v1alpha1ManagedNamespaceMetadata"
+        },
        "retry": {
          "$ref": "#/definitions/v1alpha1RetryStrategy"
        },
@@ -7868,6 +8523,13 @@
          "type": "string",
          "title": "Revision contains information about the revision the comparison has been performed to"
        },
+        "revisions": {
+          "type": "array",
+          "title": "Revisions contains information about the revisions of multiple sources the comparison has been performed to",
+          "items": {
+            "type": "string"
+          }
+        },
        "status": {
          "type": "string",
          "title": "Status is the sync state of the comparison"
@@ -7991,6 +8653,9 @@
        "Compiler": {
          "type": "string"
        },
+        "ExtraBuildInfo": {
+          "type": "string"
+        },
        "GitCommit": {
          "type": "string"
        },
--- a/cmd/argocd-application-controller/commands/argocd_application_controller.go
+++ b/cmd/argocd-application-controller/commands/argocd_application_controller.go
@@ -7,7 +7,7 @@ import (
 	"time"

 	"github.com/argoproj/pkg/stats"
-	"github.com/go-redis/redis/v8"
+	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
@@ -188,7 +188,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
 	command.Flags().DurationVar(&metricsCacheExpiration, "metrics-cache-expiration", env.ParseDurationFromEnv("ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION", 0*time.Second, 0, math.MaxInt64), "Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)")
 	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS", 5, 0, math.MaxInt32), "Specifies timeout between application self heal attempts")
-	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", 20, "Number of allowed concurrent kubectl fork/execs. Any value less the 1 means no limit.")
+	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", env.ParseInt64FromEnv("ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT", 20, 0, math.MaxInt64), "Number of allowed concurrent kubectl fork/execs. Any value less than 1 means no limit.")
 	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
 	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS", false), "Whether to use strict validation of the TLS cert presented by the repo server")
 	command.Flags().StringSliceVar(&metricsAplicationLabels, "metrics-application-labels", []string{}, "List of Application labels that will be added to the argocd_application_labels metric")
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
@@ -2,10 +2,13 @@ package command

 import (
 	"fmt"
+	"math"
 	"net/http"
 	"os"
 	"time"

+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/tls"
 	"github.com/argoproj/pkg/stats"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -17,7 +20,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/webhook"
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
 	"github.com/argoproj/argo-cd/v2/common"
-	"github.com/argoproj/argo-cd/v2/reposerver/askpass"
 	"github.com/argoproj/argo-cd/v2/util/env"
 	"github.com/argoproj/argo-cd/v2/util/github_app"

@@ -30,7 +32,6 @@ import (
 	"k8s.io/client-go/tools/clientcmd"

 	"github.com/argoproj/argo-cd/v2/applicationset/services"
-	appsetv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/v2/util/cli"
@@ -46,20 +47,23 @@ func getSubmoduleEnabled() bool {

 func NewCommand() *cobra.Command {
 	var (
-		clientConfig         clientcmd.ClientConfig
-		metricsAddr          string
-		probeBindAddr        string
-		webhookAddr          string
-		enableLeaderElection bool
-		namespace            string
-		argocdRepoServer     string
-		policy               string
-		debugLog             bool
-		dryRun               bool
+		clientConfig             clientcmd.ClientConfig
+		metricsAddr              string
+		probeBindAddr            string
+		webhookAddr              string
+		enableLeaderElection     bool
+		namespace                string
+		argocdRepoServer         string
+		policy                   string
+		debugLog                 bool
+		dryRun                   bool
+		enableProgressiveSyncs   bool
+		repoServerPlaintext      bool
+		repoServerStrictTLS      bool
+		repoServerTimeoutSeconds int
 	)
 	scheme := runtime.NewScheme()
 	_ = clientgoscheme.AddToScheme(scheme)
-	_ = appsetv1alpha1.AddToScheme(scheme)
 	_ = appv1alpha1.AddToScheme(scheme)
 	var command = cobra.Command{
 		Use:   "controller",
@@ -81,15 +85,13 @@ func NewCommand() *cobra.Command {
 			cli.SetLogLevel(cmdutil.LogLevel)

 			restConfig, err := clientConfig.ClientConfig()
-			if err != nil {
-				return err
-			}
+			errors.CheckError(err)

 			restConfig.UserAgent = fmt.Sprintf("argocd-applicationset-controller/%s (%s)", vers.Version, vers.Platform)

 			policyObj, exists := utils.Policies[policy]
 			if !exists {
-				log.Info("Policy value can be: sync, create-only, create-update")
+				log.Info("Policy value can be: sync, create-only, create-update, create-delete")
 				os.Exit(1)
 			}

@@ -111,25 +113,40 @@ func NewCommand() *cobra.Command {
 				os.Exit(1)
 			}
 			dynamicClient, err := dynamic.NewForConfig(mgr.GetConfig())
-			if err != nil {
-				return err
-			}
+			errors.CheckError(err)
 			k8sClient, err := kubernetes.NewForConfig(mgr.GetConfig())
-			if err != nil {
-				return err
-			}
+			errors.CheckError(err)
+
 			argoSettingsMgr := argosettings.NewSettingsManager(ctx, k8sClient, namespace)
 			appSetConfig := appclientset.NewForConfigOrDie(mgr.GetConfig())
 			argoCDDB := db.NewDB(namespace, argoSettingsMgr, k8sClient)

-			askPassServer := askpass.NewServer()
 			scmAuth := generators.SCMAuthProviders{
 				GitHubApps: github_app.NewAuthCredentials(argoCDDB.(db.RepoCredsDB)),
 			}
+
+			tlsConfig := apiclient.TLSConfiguration{
+				DisableTLS:       repoServerPlaintext,
+				StrictValidation: repoServerPlaintext,
+			}
+
+			if !repoServerPlaintext && repoServerStrictTLS {
+				pool, err := tls.LoadX509CertPool(
+					fmt.Sprintf("%s/reposerver/tls/tls.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+					fmt.Sprintf("%s/reposerver/tls/ca.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+				)
+				errors.CheckError(err)
+				tlsConfig.Certificates = pool
+			}
+
+			repoClientset := apiclient.NewRepoServerClientset(argocdRepoServer, repoServerTimeoutSeconds, tlsConfig)
+			argoCDService, err := services.NewArgoCDService(argoCDDB, getSubmoduleEnabled(), repoClientset)
+			errors.CheckError(err)
+
 			terminalGenerators := map[string]generators.Generator{
 				"List":                    generators.NewListGenerator(),
 				"Clusters":                generators.NewClusterGenerator(mgr.GetClient(), ctx, k8sClient, namespace),
-				"Git":                     generators.NewGitGenerator(services.NewArgoCDService(argoCDDB, askPassServer, getSubmoduleEnabled())),
+				"Git":                     generators.NewGitGenerator(argoCDService),
 				"SCMProvider":             generators.NewSCMProviderGenerator(mgr.GetClient(), scmAuth),
 				"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, namespace),
 				"PullRequest":             generators.NewPullRequestGenerator(mgr.GetClient(), scmAuth),
@@ -166,18 +183,18 @@ func NewCommand() *cobra.Command {
 				startWebhookServer(webhookHandler, webhookAddr)
 			}

-			go func() { errors.CheckError(askPassServer.Run(askpass.SocketPath)) }()
 			if err = (&controllers.ApplicationSetReconciler{
-				Generators:       topLevelGenerators,
-				Client:           mgr.GetClient(),
-				Scheme:           mgr.GetScheme(),
-				Recorder:         mgr.GetEventRecorderFor("applicationset-controller"),
-				Renderer:         &utils.Render{},
-				Policy:           policyObj,
-				ArgoAppClientset: appSetConfig,
-				KubeClientset:    k8sClient,
-				ArgoDB:           argoCDDB,
-			}).SetupWithManager(mgr); err != nil {
+				Generators:             topLevelGenerators,
+				Client:                 mgr.GetClient(),
+				Scheme:                 mgr.GetScheme(),
+				Recorder:               mgr.GetEventRecorderFor("applicationset-controller"),
+				Renderer:               &utils.Render{},
+				Policy:                 policyObj,
+				ArgoAppClientset:       appSetConfig,
+				KubeClientset:          k8sClient,
+				ArgoDB:                 argoCDDB,
+				EnableProgressiveSyncs: enableProgressiveSyncs,
+			}).SetupWithManager(mgr, enableProgressiveSyncs); err != nil {
 				log.Error(err, "unable to create controller", "controller", "ApplicationSet")
 				os.Exit(1)
 			}
@@ -200,11 +217,15 @@ func NewCommand() *cobra.Command {
 			"Enabling this will ensure there is only one active controller manager.")
 	command.Flags().StringVar(&namespace, "namespace", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACE", ""), "Argo CD repo namespace (default: argocd)")
 	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Argo CD repo server address")
-	command.Flags().StringVar(&policy, "policy", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_POLICY", "sync"), "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion)")
+	command.Flags().StringVar(&policy, "policy", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_POLICY", "sync"), "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion), 'create-delete' (no update)")
 	command.Flags().BoolVar(&debugLog, "debug", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG", false), "Print debug logs. Takes precedence over loglevel")
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
 	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().BoolVar(&dryRun, "dry-run", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN", false), "Enable dry run mode")
+	command.Flags().BoolVar(&enableProgressiveSyncs, "enable-progressive-syncs", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS", false), "Enable use of the experimental progressive syncs feature.")
+	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
+	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS", false), "Whether to use strict validation of the TLS cert presented by the repo server")
+	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
 	return &command
 }

--- a/cmd/argocd-cmp-server/commands/argocd_cmp_server.go
+++ b/cmd/argocd-cmp-server/commands/argocd_cmp_server.go
@@ -30,7 +30,7 @@ func NewCommand() *cobra.Command {
 	var command = cobra.Command{
 		Use:               cliName,
 		Short:             "Run ArgoCD ConfigManagementPlugin Server",
-		Long:              "ArgoCD ConfigManagementPlugin Server is an internal service which runs as sidecar container in reposerver deployment. It can be configured by following options.",
+		Long:              "ArgoCD ConfigManagementPlugin Server is an internal service which runs as sidecar container in reposerver deployment. The following configuration options are available:",
 		DisableAutoGenTag: true,
 		RunE: func(c *cobra.Command, args []string) error {
 			ctx := c.Context()
@@ -44,6 +44,14 @@ func NewCommand() *cobra.Command {
 			config, err := plugin.ReadPluginConfig(configFilePath)
 			errors.CheckError(err)

+			if !config.Spec.Discover.IsDefined() {
+				name := config.Metadata.Name
+				if config.Spec.Version != "" {
+					name = name + "-" + config.Spec.Version
+				}
+				log.Infof("No discovery configuration is defined for plugin %s. To use this plugin, specify %q in the Application's spec.source.plugin.name field.", config.Metadata.Name, name)
+			}
+
 			if otlpAddress != "" {
 				var closer func()
 				var err error
--- a/cmd/argocd-notification/commands/controller.go
+++ b/cmd/argocd-notification/commands/controller.go
@@ -156,7 +156,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().StringVar(&logFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	command.Flags().IntVar(&metricsPort, "metrics-port", defaultMetricsPort, "Metrics port")
-	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
+	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", common.DefaultRepoServerAddr, "Argo CD repo server address")
 	command.Flags().BoolVar(&argocdRepoServerPlaintext, "argocd-repo-server-plaintext", false, "Use a plaintext client (non-TLS) to connect to repository server")
 	command.Flags().BoolVar(&argocdRepoServerStrictTLS, "argocd-repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
 	command.Flags().StringVar(&configMapName, "config-map-name", "argocd-notifications-cm", "Set notifications ConfigMap name")
--- a/cmd/argocd-repo-server/commands/argocd_repo_server.go
+++ b/cmd/argocd-repo-server/commands/argocd_repo_server.go
@@ -9,7 +9,7 @@ import (
 	"time"

 	"github.com/argoproj/pkg/stats"
-	"github.com/go-redis/redis/v8"
+	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/health/grpc_health_v1"
--- a/cmd/argocd-server/commands/argocd_server.go
+++ b/cmd/argocd-server/commands/argocd_server.go
@@ -7,7 +7,7 @@ import (
 	"time"

 	"github.com/argoproj/pkg/stats"
-	"github.com/go-redis/redis/v8"
+	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
@@ -71,6 +71,7 @@ func NewCommand() *cobra.Command {
 		dexServerStrictTLS       bool
 		staticAssetsDir          string
 		applicationNamespaces    []string
+		enableProxyExtension     bool
 	)
 	var command = &cobra.Command{
 		Use:               cliName,
@@ -184,6 +185,7 @@ func NewCommand() *cobra.Command {
 				RedisClient:           redisClient,
 				StaticAssetsDir:       staticAssetsDir,
 				ApplicationNamespaces: applicationNamespaces,
+				EnableProxyExtension:  enableProxyExtension,
 			}

 			stats.RegisterStackDumper()
@@ -235,6 +237,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&dexServerPlaintext, "dex-server-plaintext", env.ParseBoolFromEnv("ARGOCD_SERVER_DEX_SERVER_PLAINTEXT", false), "Use a plaintext client (non-TLS) to connect to dex server")
 	command.Flags().BoolVar(&dexServerStrictTLS, "dex-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_SERVER_DEX_SERVER_STRICT_TLS", false), "Perform strict validation of TLS certificates when connecting to dex server")
 	command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces where application resources can be managed in")
+	command.Flags().BoolVar(&enableProxyExtension, "enable-proxy-extension", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_PROXY_EXTENSION", false), "Enable Proxy Extension feature")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
 	cacheSrc = servercache.AddCacheFlagsToCmd(command, func(client *redis.Client) {
 		redisClient = client
--- a/cmd/argocd/commands/admin/admin.go
+++ b/cmd/argocd/commands/admin/admin.go
@@ -17,6 +17,8 @@ import (
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	"github.com/argoproj/argo-cd/v2/util/settings"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 )

 const (
@@ -27,9 +29,9 @@ const (
 var (
 	configMapResource       = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
 	secretResource          = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"}
-	applicationsResource    = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applications"}
-	appprojectsResource     = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "appprojects"}
-	appplicationSetResource = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applicationsets"}
+	applicationsResource    = schema.GroupVersionResource{Group: application.Group, Version: "v1alpha1", Resource: application.ApplicationPlural}
+	appprojectsResource     = schema.GroupVersionResource{Group: application.Group, Version: "v1alpha1", Resource: application.AppProjectPlural}
+	appplicationSetResource = schema.GroupVersionResource{Group: application.Group, Version: "v1alpha1", Resource: application.ApplicationSetPlural}
 )

 // NewAdminCommand returns a new instance of an argocd command
@@ -56,6 +58,7 @@ func NewAdminCommand() *cobra.Command {
 	command.AddCommand(NewExportCommand())
 	command.AddCommand(NewDashboardCommand())
 	command.AddCommand(NewNotificationsCommand())
+	command.AddCommand(NewInitialPasswordCommand())

 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
@@ -192,11 +195,11 @@ func specsEqual(left, right unstructured.Unstructured) bool {
 		leftData, _, _ := unstructured.NestedMap(left.Object, "data")
 		rightData, _, _ := unstructured.NestedMap(right.Object, "data")
 		return reflect.DeepEqual(leftData, rightData)
-	case "AppProject":
+	case application.AppProjectKind:
 		leftSpec, _, _ := unstructured.NestedMap(left.Object, "spec")
 		rightSpec, _, _ := unstructured.NestedMap(right.Object, "spec")
 		return reflect.DeepEqual(leftSpec, rightSpec)
-	case "Application":
+	case application.ApplicationKind:
 		leftSpec, _, _ := unstructured.NestedMap(left.Object, "spec")
 		rightSpec, _, _ := unstructured.NestedMap(right.Object, "spec")
 		leftStatus, _, _ := unstructured.NestedMap(left.Object, "status")
--- a/cmd/argocd/commands/admin/app.go
+++ b/cmd/argocd/commands/admin/app.go
@@ -401,7 +401,12 @@ func reconcileApplications(
 			return nil, err
 		}

-		res := appStateManager.CompareAppState(&app, proj, app.Spec.Source.TargetRevision, app.Spec.Source, false, false, nil)
+		sources := make([]v1alpha1.ApplicationSource, 0)
+		revisions := make([]string, 0)
+		sources = append(sources, app.Spec.GetSource())
+		revisions = append(revisions, app.Spec.GetSource().TargetRevision)
+
+		res := appStateManager.CompareAppState(&app, proj, revisions, sources, false, false, nil, false)
 		items = append(items, appReconcileResult{
 			Name:       app.Name,
 			Conditions: app.Status.Conditions,
--- a/cmd/argocd/commands/admin/app_test.go
+++ b/cmd/argocd/commands/admin/app_test.go
@@ -80,6 +80,7 @@ func TestGetReconcileResults_Refresh(t *testing.T) {
 			Namespace: "default",
 		},
 		Spec: v1alpha1.ApplicationSpec{
+			Source:  &v1alpha1.ApplicationSource{},
 			Project: "default",
 			Destination: v1alpha1.ApplicationDestination{
 				Server:    v1alpha1.KubernetesInternalAPIServerAddr,
--- a/cmd/argocd/commands/admin/backup.go
+++ b/cmd/argocd/commands/admin/backup.go
@@ -17,6 +17,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"

 	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 )
@@ -131,7 +132,6 @@ func NewImportCommand() *cobra.Command {
 			errors.CheckError(err)
 			config.QPS = 100
 			config.Burst = 50
-			errors.CheckError(err)
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
 			acdClients := newArgoCDClientsets(config, namespace)
@@ -176,12 +176,12 @@ func NewImportCommand() *cobra.Command {
 			applications, err := acdClients.applications.List(ctx, v1.ListOptions{})
 			errors.CheckError(err)
 			for _, app := range applications.Items {
-				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "Application", Name: app.GetName()}] = app
+				pruneObjects[kube.ResourceKey{Group: application.Group, Kind: application.ApplicationKind, Name: app.GetName()}] = app
 			}
 			projects, err := acdClients.projects.List(ctx, v1.ListOptions{})
 			errors.CheckError(err)
 			for _, proj := range projects.Items {
-				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj
+				pruneObjects[kube.ResourceKey{Group: application.Group, Kind: application.AppProjectKind, Name: proj.GetName()}] = proj
 			}
 			applicationSets, err := acdClients.applicationSets.List(ctx, v1.ListOptions{})
 			if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
@@ -191,7 +191,7 @@ func NewImportCommand() *cobra.Command {
 			}
 			if applicationSets != nil {
 				for _, appSet := range applicationSets.Items {
-					pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "ApplicationSet", Name: appSet.GetName()}] = appSet
+					pruneObjects[kube.ResourceKey{Group: application.Group, Kind: application.ApplicationSetKind, Name: appSet.GetName()}] = appSet
 				}
 			}

@@ -209,11 +209,11 @@ func NewImportCommand() *cobra.Command {
 					dynClient = acdClients.secrets
 				case "ConfigMap":
 					dynClient = acdClients.configMaps
-				case "AppProject":
+				case application.AppProjectKind:
 					dynClient = acdClients.projects
-				case "Application":
+				case application.ApplicationKind:
 					dynClient = acdClients.applications
-				case "ApplicationSet":
+				case application.ApplicationSetKind:
 					dynClient = acdClients.applicationSets
 				}
 				if !exists {
@@ -260,9 +260,9 @@ func NewImportCommand() *cobra.Command {
 					switch key.Kind {
 					case "Secret":
 						dynClient = acdClients.secrets
-					case "AppProject":
+					case application.AppProjectKind:
 						dynClient = acdClients.projects
-					case "Application":
+					case application.ApplicationKind:
 						dynClient = acdClients.applications
 						if !dryRun {
 							if finalizers := liveObj.GetFinalizers(); len(finalizers) > 0 {
@@ -274,7 +274,7 @@ func NewImportCommand() *cobra.Command {
 								}
 							}
 						}
-					case "ApplicationSet":
+					case application.ApplicationSetKind:
 						dynClient = acdClients.applicationSets
 					default:
 						log.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
@@ -314,7 +314,7 @@ func checkAppHasNoNeedToStopOperation(liveObj unstructured.Unstructured, stopOpe
 		return true
 	}
 	switch liveObj.GetKind() {
-	case "Application":
+	case application.ApplicationKind:
 		return liveObj.Object["operation"] == nil
 	}
 	return true
@@ -353,9 +353,9 @@ func updateLive(bak, live *unstructured.Unstructured, stopOperation bool) *unstr
 	switch live.GetKind() {
 	case "Secret", "ConfigMap":
 		newLive.Object["data"] = bak.Object["data"]
-	case "AppProject":
+	case application.AppProjectKind:
 		newLive.Object["spec"] = bak.Object["spec"]
-	case "Application":
+	case application.ApplicationKind:
 		newLive.Object["spec"] = bak.Object["spec"]
 		if _, ok := bak.Object["status"]; ok {
 			newLive.Object["status"] = bak.Object["status"]
--- a/cmd/argocd/commands/admin/cluster.go
+++ b/cmd/argocd/commands/admin/cluster.go
@@ -11,7 +11,7 @@ import (
 	"time"

 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
-	"github.com/go-redis/redis/v8"
+	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -265,9 +265,7 @@ func runClusterNamespacesCommand(ctx context.Context, clientConfig clientcmd.Cli
 					}
 				}
 			} else {
-				if app.Spec.Destination.Server == cluster.Server {
-					nsSet[app.Spec.Destination.Namespace] = true
-				}
+				nsSet[app.Spec.Destination.Namespace] = true
 			}
 		}
 		var namespaces []string
@@ -543,6 +541,11 @@ func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command
 				return
 			}

+			if clusterOpts.InCluster && clusterOpts.ClusterEndpoint != "" {
+				log.Fatal("Can only use one of --in-cluster or --cluster-endpoint")
+				return
+			}
+
 			overrides := clientcmd.ConfigOverrides{
 				Context: *clstContext,
 			}
@@ -582,9 +585,13 @@ func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command
 			errors.CheckError(err)

 			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, clusterOpts.ClusterResources, conf, bearerToken, awsAuthConf, execProviderConf, labelsMap, annotationsMap)
-			if clusterOpts.InCluster {
+			if clusterOpts.InClusterEndpoint() {
 				clst.Server = argoappv1.KubernetesInternalAPIServerAddr
 			}
+			if clusterOpts.ClusterEndpoint == string(cmdutil.KubePublicEndpoint) {
+				// Ignore `kube-public` cluster endpoints, since this command is intended to run without invoking any network connections.
+				log.Warn("kube-public cluster endpoints are not supported. Falling back to the endpoint listed in the kubconfig context.")
+			}
 			if clusterOpts.Shard >= 0 {
 				clst.Shard = &clusterOpts.Shard
 			}
--- a/cmd/argocd/commands/admin/dashboard.go
+++ b/cmd/argocd/commands/admin/dashboard.go
@@ -9,13 +9,16 @@ import (
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
 	"github.com/argoproj/argo-cd/v2/common"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/cache"
+	"github.com/argoproj/argo-cd/v2/util/env"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 )

 func NewDashboardCommand() *cobra.Command {
 	var (
-		port    int
-		address string
+		port           int
+		address        string
+		compressionStr string
 	)
 	cmd := &cobra.Command{
 		Use:   "dashboard",
@@ -23,7 +26,9 @@ func NewDashboardCommand() *cobra.Command {
 		Run: func(cmd *cobra.Command, args []string) {
 			ctx := cmd.Context()

-			errors.CheckError(headless.StartLocalServer(ctx, &argocdclient.ClientOptions{Core: true}, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address))
+			compression, err := cache.CompressionTypeFromString(compressionStr)
+			errors.CheckError(err)
+			errors.CheckError(headless.StartLocalServer(ctx, &argocdclient.ClientOptions{Core: true}, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address, compression))
 			println(fmt.Sprintf("Argo CD UI is available at http://%s:%d", address, port))
 			<-ctx.Done()
 		},
@@ -31,5 +36,6 @@ func NewDashboardCommand() *cobra.Command {
 	initialize.InitCommand(cmd)
 	cmd.Flags().IntVar(&port, "port", common.DefaultPortAPIServer, "Listen on given port")
 	cmd.Flags().StringVar(&address, "address", common.DefaultAddressAPIServer, "Listen on given address")
+	cmd.Flags().StringVar(&compressionStr, "redis-compress", env.StringFromEnv("REDIS_COMPRESSION", string(cache.RedisCompressionNone)), "Enable this if the application controller is configured with redis compression enabled. (possible values: none, gzip)")
 	return cmd
 }
--- a/cmd/argocd/commands/admin/initial_password.go
+++ b/cmd/argocd/commands/admin/initial_password.go
@@ -0,0 +1,46 @@
+package admin
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+)
+
+const initialPasswordSecretName = "argocd-initial-admin-secret"
+
+// NewInitialPasswordCommand defines a new command to retrieve Argo CD initial password.
+func NewInitialPasswordCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = cobra.Command{
+		Use:   "initial-password",
+		Short: "Prints initial password to log in to Argo CD for the first time",
+		Run: func(c *cobra.Command, args []string) {
+
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+			secret, err := kubeClientset.CoreV1().Secrets(namespace).Get(context.Background(), initialPasswordSecretName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			if initialPass, ok := secret.Data["password"]; ok {
+				fmt.Println(string(initialPass))
+				fmt.Println("\n This password must be only used for first time login. We strongly recommend you update the password using `argocd account update-password`.")
+			}
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+
+	return &command
+}
--- a/cmd/argocd/commands/admin/notifications.go
+++ b/cmd/argocd/commands/admin/notifications.go
@@ -15,12 +15,13 @@ import (
 	settings "github.com/argoproj/argo-cd/v2/util/notification/settings"
 	"github.com/argoproj/argo-cd/v2/util/tls"

+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 	"github.com/argoproj/notifications-engine/pkg/cmd"
 	"github.com/spf13/cobra"
 )

 var (
-	applications = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applications"}
+	applications = schema.GroupVersionResource{Group: application.Group, Version: "v1alpha1", Resource: application.ApplicationPlural}
 )

 func NewNotificationsCommand() *cobra.Command {
@@ -33,7 +34,7 @@ func NewNotificationsCommand() *cobra.Command {
 	var argocdService service.Service
 	toolsCommand := cmd.NewToolsCommand(
 		"notifications",
-		"notifications",
+		"argocd admin notifications",
 		applications,
 		settings.GetFactorySettings(argocdService, "argocd-notifications-secret", "argocd-notifications-cm"), func(clientConfig clientcmd.ClientConfig) {
 			k8sCfg, err := clientConfig.ClientConfig()
@@ -64,7 +65,7 @@ func NewNotificationsCommand() *cobra.Command {
 				log.Fatalf("Failed to initialize Argo CD service: %v", err)
 			}
 		})
-	toolsCommand.PersistentFlags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
+	toolsCommand.PersistentFlags().StringVar(&argocdRepoServer, "argocd-repo-server", common.DefaultRepoServerAddr, "Argo CD repo server address")
 	toolsCommand.PersistentFlags().BoolVar(&argocdRepoServerPlaintext, "argocd-repo-server-plaintext", false, "Use a plaintext client (non-TLS) to connect to repository server")
 	toolsCommand.PersistentFlags().BoolVar(&argocdRepoServerStrictTLS, "argocd-repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
 	return toolsCommand
--- a/cmd/argocd/commands/admin/project_allowlist.go
+++ b/cmd/argocd/commands/admin/project_allowlist.go
@@ -28,6 +28,8 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
 	// load the azure plugin (required to authenticate with AKS clusters).
 	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 )

 // NewProjectAllowListGenCommand generates a project from clusterRole
@@ -151,7 +153,7 @@ func generateProjectAllowList(serverResources []*metav1.APIResourceList, cluster
 	}
 	globalProj := v1alpha1.AppProject{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "AppProject",
+			Kind:       application.AppProjectKind,
 			APIVersion: "argoproj.io/v1alpha1",
 		},
 		ObjectMeta: metav1.ObjectMeta{Name: projName},
--- a/cmd/argocd/commands/admin/settings.go
+++ b/cmd/argocd/commands/admin/settings.go
@@ -206,7 +206,7 @@ var validatorsByGroup = map[string]settingValidator{
 			}
 			ssoProvider = "Dex"
 		} else if general.OIDCConfigRAW != "" {
-			if _, err := settings.UnmarshalOIDCConfig(general.OIDCConfigRAW); err != nil {
+			if err := settings.ValidateOIDCConfig(general.OIDCConfigRAW); err != nil {
 				return "", fmt.Errorf("invalid oidc.config: %v", err)
 			}
 			ssoProvider = "OIDC"
--- a/cmd/argocd/commands/admin/settings_rbac.go
+++ b/cmd/argocd/commands/admin/settings_rbac.go
@@ -292,11 +292,9 @@ func getPolicyFromConfigMap(cm *corev1.ConfigMap) (string, string, string) {
 	if !ok {
 		userPolicy = ""
 	}
-	if defaultRole == "" {
-		defaultRole, ok = cm.Data[rbac.ConfigMapPolicyDefaultKey]
-		if !ok {
-			defaultRole = ""
-		}
+	defaultRole, ok = cm.Data[rbac.ConfigMapPolicyDefaultKey]
+	if !ok {
+		defaultRole = ""
 	}

 	return userPolicy, defaultRole, cm.Data[rbac.ConfigMapMatchModeKey]
--- a/cmd/argocd/commands/app.go
+++ b/cmd/argocd/commands/app.go
@@ -33,7 +33,6 @@ import (

 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
-	argocommon "github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/controller"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
@@ -150,9 +149,6 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 					c.HelpFunc()(c, args)
 					os.Exit(1)
 				}
-				if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-					log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-				}
 				if appNamespace != "" {
 					app.Namespace = appNamespace
 				}
@@ -169,7 +165,9 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.

 				// Get app before creating to see if it is being updated or no change
 				existing, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &app.Name})
-				if grpc.UnwrapGRPCStatus(err).Code() != codes.NotFound {
+				unwrappedError := grpc.UnwrapGRPCStatus(err).Code()
+				// As part of the fix for CVE-2022-41354, the API will return Permission Denied when an app does not exist.
+				if unwrappedError != codes.NotFound && unwrappedError != codes.PermissionDenied {
 					errors.CheckError(err)
 				}

@@ -294,10 +292,6 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			})
 			errors.CheckError(err)

-			if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-			}
-
 			pConn, projIf := headless.NewClientOrDie(clientOpts, c).NewProjectClientOrDie()
 			defer argoio.Close(pConn)
 			proj, err := projIf.Get(ctx, &projectpkg.ProjectQuery{Name: app.Spec.Project})
@@ -440,15 +434,16 @@ func NewApplicationLogsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 }

 func printAppSummaryTable(app *argoappv1.Application, appURL string, windows *argoappv1.SyncWindows) {
+	source := app.Spec.GetSource()
 	fmt.Printf(printOpFmtStr, "Name:", app.QualifiedName())
 	fmt.Printf(printOpFmtStr, "Project:", app.Spec.GetProject())
 	fmt.Printf(printOpFmtStr, "Server:", getServer(app))
 	fmt.Printf(printOpFmtStr, "Namespace:", app.Spec.Destination.Namespace)
 	fmt.Printf(printOpFmtStr, "URL:", appURL)
-	fmt.Printf(printOpFmtStr, "Repo:", app.Spec.Source.RepoURL)
-	fmt.Printf(printOpFmtStr, "Target:", app.Spec.Source.TargetRevision)
-	fmt.Printf(printOpFmtStr, "Path:", app.Spec.Source.Path)
-	printAppSourceDetails(&app.Spec.Source)
+	fmt.Printf(printOpFmtStr, "Repo:", source.RepoURL)
+	fmt.Printf(printOpFmtStr, "Target:", source.TargetRevision)
+	fmt.Printf(printOpFmtStr, "Path:", source.Path)
+	printAppSourceDetails(&source)
 	var wds []string
 	var status string
 	var allow, deny, inactiveAllows bool
@@ -502,11 +497,11 @@ func printAppSummaryTable(app *argoappv1.Application, appURL string, windows *ar
 	syncStatusStr := string(app.Status.Sync.Status)
 	switch app.Status.Sync.Status {
 	case argoappv1.SyncStatusCodeSynced:
-		syncStatusStr += fmt.Sprintf(" to %s", app.Spec.Source.TargetRevision)
+		syncStatusStr += fmt.Sprintf(" to %s", app.Spec.GetSource().TargetRevision)
 	case argoappv1.SyncStatusCodeOutOfSync:
-		syncStatusStr += fmt.Sprintf(" from %s", app.Spec.Source.TargetRevision)
+		syncStatusStr += fmt.Sprintf(" from %s", app.Spec.GetSource().TargetRevision)
 	}
-	if !git.IsCommitSHA(app.Spec.Source.TargetRevision) && !git.IsTruncatedCommitSHA(app.Spec.Source.TargetRevision) && len(app.Status.Sync.Revision) > 7 {
+	if !git.IsCommitSHA(app.Spec.GetSource().TargetRevision) && !git.IsTruncatedCommitSHA(app.Spec.GetSource().TargetRevision) && len(app.Status.Sync.Revision) > 7 {
 		syncStatusStr += fmt.Sprintf(" (%s)", app.Status.Sync.Revision[0:7])
 	}
 	fmt.Printf(printOpFmtStr, "Sync Status:", syncStatusStr)
@@ -575,8 +570,8 @@ func truncateString(str string, num int) string {

 // printParams prints parameters and overrides
 func printParams(app *argoappv1.Application) {
-	if app.Spec.Source.Helm != nil {
-		printHelmParams(app.Spec.Source.Helm)
+	if app.Spec.GetSource().Helm != nil {
+		printHelmParams(app.Spec.GetSource().Helm)
 	}
 }

@@ -624,10 +619,6 @@ func NewApplicationSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			app, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &appName, AppNamespace: &appNs})
 			errors.CheckError(err)

-			if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-			}
-
 			visited := cmdutil.SetAppSpecOptions(c.Flags(), &app.Spec, &appOpts)
 			if visited == 0 {
 				log.Error("Please set at least one option to update")
@@ -654,7 +645,9 @@ type unsetOpts struct {
 	namePrefix              bool
 	nameSuffix              bool
 	kustomizeVersion        bool
+	kustomizeNamespace      bool
 	kustomizeImages         []string
+	kustomizeReplicas       []string
 	parameters              []string
 	valuesFiles             []string
 	valuesLiteral           bool
@@ -663,6 +656,17 @@ type unsetOpts struct {
 	passCredentials         bool
 }

+// IsZero returns true when the Application options for kustomize are considered empty
+func (o *unsetOpts) KustomizeIsZero() bool {
+	return o == nil ||
+		!o.namePrefix &&
+			!o.nameSuffix &&
+			!o.kustomizeVersion &&
+			!o.kustomizeNamespace &&
+			len(o.kustomizeImages) == 0 &&
+			len(o.kustomizeReplicas) == 0
+}
+
 // NewApplicationUnsetCommand returns a new instance of an `argocd app unset` command
 func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	appOpts := cmdutil.AppOptions{}
@@ -692,11 +696,8 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 			app, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &appName, AppNamespace: &appNs})
 			errors.CheckError(err)

-			if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-			}
-
-			updated, nothingToUnset := unset(&app.Spec.Source, opts)
+			source := app.Spec.GetSource()
+			updated, nothingToUnset := unset(&source, opts)
 			if nothingToUnset {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
@@ -722,7 +723,9 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 	command.Flags().BoolVar(&opts.nameSuffix, "namesuffix", false, "Kustomize namesuffix")
 	command.Flags().BoolVar(&opts.namePrefix, "nameprefix", false, "Kustomize nameprefix")
 	command.Flags().BoolVar(&opts.kustomizeVersion, "kustomize-version", false, "Kustomize version")
+	command.Flags().BoolVar(&opts.kustomizeNamespace, "kustomize-namespace", false, "Kustomize namespace")
 	command.Flags().StringArrayVar(&opts.kustomizeImages, "kustomize-image", []string{}, "Kustomize images name (e.g. --kustomize-image node --kustomize-image mysql)")
+	command.Flags().StringArrayVar(&opts.kustomizeReplicas, "kustomize-replica", []string{}, "Kustomize replicas name (e.g. --kustomize-replica my-deployment --kustomize-replica my-statefulset)")
 	command.Flags().StringArrayVar(&opts.pluginEnvs, "plugin-env", []string{}, "Unset plugin env variables (e.g --plugin-env name)")
 	command.Flags().BoolVar(&opts.passCredentials, "pass-credentials", false, "Unset passCredentials")
 	return command
@@ -730,7 +733,7 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C

 func unset(source *argoappv1.ApplicationSource, opts unsetOpts) (updated bool, nothingToUnset bool) {
 	if source.Kustomize != nil {
-		if !opts.namePrefix && !opts.nameSuffix && !opts.kustomizeVersion && len(opts.kustomizeImages) == 0 {
+		if opts.KustomizeIsZero() {
 			return false, true
 		}

@@ -749,6 +752,11 @@ func unset(source *argoappv1.ApplicationSource, opts unsetOpts) (updated bool, n
 			source.Kustomize.Version = ""
 		}

+		if opts.kustomizeNamespace && source.Kustomize.Namespace != "" {
+			updated = true
+			source.Kustomize.Namespace = ""
+		}
+
 		for _, kustomizeImage := range opts.kustomizeImages {
 			for i, item := range source.Kustomize.Images {
 				if argoappv1.KustomizeImage(kustomizeImage).Match(item) {
@@ -762,6 +770,17 @@ func unset(source *argoappv1.ApplicationSource, opts unsetOpts) (updated bool, n
 				}
 			}
 		}
+
+		for _, kustomizeReplica := range opts.kustomizeReplicas {
+			kustomizeReplicas := source.Kustomize.Replicas
+			for i, item := range kustomizeReplicas {
+				if kustomizeReplica == item.Name {
+					source.Kustomize.Replicas = append(kustomizeReplicas[0:i], kustomizeReplicas[i+1:]...)
+					updated = true
+					break
+				}
+			}
+		}
 	}
 	if source.Helm != nil {
 		if len(opts.parameters) == 0 && len(opts.valuesFiles) == 0 && !opts.valuesLiteral && !opts.ignoreMissingValueFiles && !opts.passCredentials {
@@ -842,18 +861,19 @@ func getLocalObjects(ctx context.Context, app *argoappv1.Application, local, loc

 func getLocalObjectsString(ctx context.Context, app *argoappv1.Application, local, localRepoRoot, appLabelKey, kubeVersion string, apiVersions []string, kustomizeOptions *argoappv1.KustomizeOptions,
 	configManagementPlugins []*argoappv1.ConfigManagementPlugin, trackingMethod string) []string {
-	res, err := repository.GenerateManifests(ctx, local, localRepoRoot, app.Spec.Source.TargetRevision, &repoapiclient.ManifestRequest{
-		Repo:              &argoappv1.Repository{Repo: app.Spec.Source.RepoURL},
+	source := app.Spec.GetSource()
+	res, err := repository.GenerateManifests(ctx, local, localRepoRoot, source.TargetRevision, &repoapiclient.ManifestRequest{
+		Repo:              &argoappv1.Repository{Repo: source.RepoURL},
 		AppLabelKey:       appLabelKey,
 		AppName:           app.Name,
 		Namespace:         app.Spec.Destination.Namespace,
-		ApplicationSource: &app.Spec.Source,
+		ApplicationSource: &source,
 		KustomizeOptions:  kustomizeOptions,
 		KubeVersion:       kubeVersion,
 		ApiVersions:       apiVersions,
 		Plugins:           configManagementPlugins,
 		TrackingMethod:    trackingMethod,
-	}, true, &git.NoopCredsStore{}, resource.MustParse("0"))
+	}, true, &git.NoopCredsStore{}, resource.MustParse("0"), nil)
 	errors.CheckError(err)

 	return res.Manifests
@@ -930,10 +950,6 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			})
 			errors.CheckError(err)

-			if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-			}
-
 			resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{ApplicationName: &appName, AppNamespace: &appNs})
 			errors.CheckError(err)
 			conn, settingsIf := clientset.NewSettingsClientOrDie()
@@ -964,7 +980,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co

 					diffOption.serversideRes = res
 				} else {
-					fmt.Fprintf(os.Stderr, "Warning: local diff without --server-side-generate is deprecated and does not work with plugins. Server-side generation will be the default in v2.6.")
+					fmt.Fprintf(os.Stderr, "Warning: local diff without --server-side-generate is deprecated and does not work with plugins. Server-side generation will be the default in v2.7.")
 					conn, clusterIf := clientset.NewClusterClientOrDie()
 					defer argoio.Close(conn)
 					cluster, err := clusterIf.Get(ctx, &clusterpkg.ClusterQuery{Name: app.Spec.Destination.Name, Server: app.Spec.Destination.Server})
@@ -1247,7 +1263,7 @@ func printApplicationTable(apps []argoappv1.Application, output *string) {
 			formatConditionsSummary(app),
 		}
 		if *output == "wide" {
-			vals = append(vals, app.Spec.Source.RepoURL, app.Spec.Source.Path, app.Spec.Source.TargetRevision)
+			vals = append(vals, app.Spec.GetSource().RepoURL, app.Spec.GetSource().Path, app.Spec.GetSource().TargetRevision)
 		}
 		_, _ = fmt.Fprintf(w, fmtStr, vals...)
 	}
@@ -1298,17 +1314,6 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			if cluster != "" {
 				appList = argo.FilterByCluster(appList, cluster)
 			}
-			var appsWithDeprecatedPlugins []string
-			for _, app := range appList {
-				if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-					appsWithDeprecatedPlugins = append(appsWithDeprecatedPlugins, app.Name)
-				}
-			}
-
-			if len(appsWithDeprecatedPlugins) > 0 {
-				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-				log.Warnf("The following Applications use deprecated plugins: %s", strings.Join(appsWithDeprecatedPlugins, ", "))
-			}

 			switch output {
 			case "yaml", "json":
@@ -1373,6 +1378,7 @@ const (
 	resourceFieldCount                  = 3
 	resourceFieldNamespaceDelimiter     = "/"
 	resourceFieldNameWithNamespaceCount = 2
+	resourceExcludeIndicator            = "!"
 )

 // resource is GROUP:KIND:NAMESPACE/NAME or GROUP:KIND:NAME
@@ -1397,6 +1403,12 @@ func parseSelectedResources(resources []string) ([]*argoappv1.SyncOperationResou
 	}

 	for _, resource := range resources {
+		isExcluded := false
+		// check if the resource flag starts with a '!'
+		if strings.HasPrefix(resource, resourceExcludeIndicator) {
+			resource = strings.TrimPrefix(resource, resourceExcludeIndicator)
+			isExcluded = true
+		}
 		fields := strings.Split(resource, resourceFieldDelimiter)
 		if len(fields) != resourceFieldCount {
 			return nil, fmt.Errorf("Resource should have GROUP%sKIND%sNAME, but instead got: %s", resourceFieldDelimiter, resourceFieldDelimiter, resource)
@@ -1410,6 +1422,7 @@ func parseSelectedResources(resources []string) ([]*argoappv1.SyncOperationResou
 			Kind:      fields[1],
 			Name:      name,
 			Namespace: namespace,
+			Exclude:   isExcluded,
 		})
 	}
 	return selectedResources, nil
@@ -1444,6 +1457,16 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
  # Wait for multiple apps
  argocd app wait my-app other-app

+  # Wait for apps by resource
+  # Resource should be formatted as GROUP:KIND:NAME. If no GROUP is specified then :KIND:NAME.
+  argocd app wait my-app --resource :Service:my-service
+  argocd app wait my-app --resource argoproj.io:Rollout:my-rollout
+  argocd app wait my-app --resource '!apps:Deployment:my-service'
+  argocd app wait my-app --resource apps:Deployment:my-service --resource :Service:my-service
+  argocd app wait my-app --resource '!*:Service:*'
+  # Specify namespace if the application has resources with the same name in different namespaces
+  argocd app wait my-app --resource argoproj.io:Rollout:my-namespace/my-rollout
+
  # Wait for apps by label, in this example we waiting for apps that are children of another app (aka app-of-apps)
  argocd app wait -l app.kubernetes.io/instance=my-app
  argocd app wait -l app.kubernetes.io/instance!=my-app
@@ -1482,7 +1505,7 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&watch.suspended, "suspended", false, "Wait for suspended")
 	command.Flags().BoolVar(&watch.degraded, "degraded", false, "Wait for degraded")
 	command.Flags().StringVarP(&selector, "selector", "l", "", "Wait for apps by label. Supports '=', '==', '!=', in, notin, exists & not exists. Matching apps must satisfy all of the specified label constraints.")
-	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%sKIND%sNAME. Fields may be blank. This option may be specified repeatedly", resourceFieldDelimiter, resourceFieldDelimiter))
+	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%[1]sKIND%[1]sNAME or %[2]sGROUP%[1]sKIND%[1]sNAME. Fields may be blank and '*' can be used. This option may be specified repeatedly", resourceFieldDelimiter, resourceExcludeIndicator))
 	command.Flags().BoolVar(&watch.operation, "operation", false, "Wait for pending operations")
 	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
 	return command
@@ -1542,6 +1565,9 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
  # Resource should be formatted as GROUP:KIND:NAME. If no GROUP is specified then :KIND:NAME
  argocd app sync my-app --resource :Service:my-service
  argocd app sync my-app --resource argoproj.io:Rollout:my-rollout
+  argocd app sync my-app --resource '!apps:Deployment:my-service'
+  argocd app sync my-app --resource apps:Deployment:my-service --resource :Service:my-service
+  argocd app sync my-app --resource '!*:Service:*'
  # Specify namespace if the application has resources with the same name in different namespaces
  argocd app sync my-app --resource argoproj.io:Rollout:my-namespace/my-rollout`,
 		Run: func(c *cobra.Command, args []string) {
@@ -1625,17 +1651,27 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co

 				var localObjsStrings []string
 				diffOption := &DifferenceOption{}
+
+				app, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{
+					Name:         &appName,
+					AppNamespace: &appNs,
+				})
+				errors.CheckError(err)
+
+				if app.Spec.HasMultipleSources() {
+					log.Fatal("argocd cli does not work on multi-source app")
+					return
+				}
+
+				// filters out only those resources that needs to be synced
+				filteredResources := filterAppResources(app, selectedResources)
+
+				// if resources are provided and no app resources match, then return error
+				if len(resources) > 0 && len(filteredResources) == 0 {
+					log.Fatalf("No matching app resources found for resource filter: %v", strings.Join(resources, ", "))
+				}
+
 				if local != "" {
-					app, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{
-						Name:         &appName,
-						AppNamespace: &appNs,
-					})
-					errors.CheckError(err)
-
-					if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-						log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-					}
-
 					if app.Spec.SyncPolicy != nil && app.Spec.SyncPolicy.Automated != nil && !dryRun {
 						log.Fatal("Cannot use local sync when Automatic Sync Policy is enabled except with --dry-run")
 					}
@@ -1681,7 +1717,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					AppNamespace: &appNs,
 					DryRun:       &dryRun,
 					Revision:     &revision,
-					Resources:    selectedResources,
+					Resources:    filteredResources,
 					Prune:        &prune,
 					Manifests:    localObjsStrings,
 					Infos:        getInfos(infos),
@@ -1709,16 +1745,6 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					}
 				}
 				if diffChanges {
-					app, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{
-						Name:         &appName,
-						AppNamespace: &appNs,
-					})
-					errors.CheckError(err)
-
-					if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-						log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-					}
-
 					resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{
 						ApplicationName: &appName,
 						AppNamespace:    &appNs,
@@ -1767,7 +1793,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&dryRun, "dry-run", false, "Preview apply without affecting cluster")
 	command.Flags().BoolVar(&prune, "prune", false, "Allow deleting unexpected resources")
 	command.Flags().StringVar(&revision, "revision", "", "Sync to a specific revision. Preserves parameter overrides")
-	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%sKIND%sNAME. Fields may be blank. This option may be specified repeatedly", resourceFieldDelimiter, resourceFieldDelimiter))
+	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%[1]sKIND%[1]sNAME or %[2]sGROUP%[1]sKIND%[1]sNAME. Fields may be blank and '*' can be used. This option may be specified repeatedly", resourceFieldDelimiter, resourceExcludeIndicator))
 	command.Flags().StringVarP(&selector, "selector", "l", "", "Sync apps that match this label. Supports '=', '==', '!=', in, notin, exists & not exists. Matching apps must satisfy all of the specified label constraints.")
 	command.Flags().StringArrayVar(&labels, "label", []string{}, "Sync only specific resources with a label. This option may be specified repeatedly.")
 	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
@@ -1892,15 +1918,9 @@ func getResourceStates(app *argoappv1.Application, selectedResources []*argoappv
 	}
 	// filter out not selected resources
 	if len(selectedResources) > 0 {
-		r := []argoappv1.SyncOperationResource{}
-		for _, res := range selectedResources {
-			if res != nil {
-				r = append(r, *res)
-			}
-		}
 		for i := len(states) - 1; i >= 0; i-- {
 			res := states[i]
-			if !argo.ContainsSyncResource(res.Name, res.Namespace, schema.GroupVersionKind{Group: res.Group, Kind: res.Kind}, r) {
+			if !argo.IncludeResource(res.Name, res.Namespace, schema.GroupVersionKind{Group: res.Group, Kind: res.Kind}, selectedResources) {
 				states = append(states[:i], states[i+1:]...)
 			}
 		}
@@ -1908,6 +1928,26 @@ func getResourceStates(app *argoappv1.Application, selectedResources []*argoappv
 	return states
 }

+// filterAppResources selects the app resources that match atleast one of the resource filters.
+func filterAppResources(app *argoappv1.Application, selectedResources []*argoappv1.SyncOperationResource) []*argoappv1.SyncOperationResource {
+	var filteredResources []*argoappv1.SyncOperationResource
+	if app != nil && len(selectedResources) > 0 {
+		for i := range app.Status.Resources {
+			appResource := app.Status.Resources[i]
+			if (argo.IncludeResource(appResource.Name, appResource.Namespace,
+				schema.GroupVersionKind{Group: appResource.Group, Kind: appResource.Kind}, selectedResources)) {
+				filteredResources = append(filteredResources, &argoappv1.SyncOperationResource{
+					Group:     appResource.Group,
+					Kind:      appResource.Kind,
+					Name:      appResource.Name,
+					Namespace: appResource.Namespace,
+				})
+			}
+		}
+	}
+	return filteredResources
+}
+
 func groupResourceStates(app *argoappv1.Application, selectedResources []*argoappv1.SyncOperationResource) map[string]*resourceState {
 	resStates := make(map[string]*resourceState)
 	for _, result := range getResourceStates(app, selectedResources) {
@@ -2087,8 +2127,9 @@ func setParameterOverrides(app *argoappv1.Application, parameters []string) {
 	if len(parameters) == 0 {
 		return
 	}
+	source := app.Spec.GetSource()
 	var sourceType argoappv1.ApplicationSourceType
-	if st, _ := app.Spec.Source.ExplicitType(); st != nil {
+	if st, _ := source.ExplicitType(); st != nil {
 		sourceType = *st
 	} else if app.Status.SourceType != "" {
 		sourceType = app.Status.SourceType
@@ -2100,8 +2141,8 @@ func setParameterOverrides(app *argoappv1.Application, parameters []string) {

 	switch sourceType {
 	case argoappv1.ApplicationSourceTypeHelm:
-		if app.Spec.Source.Helm == nil {
-			app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{}
+		if source.Helm == nil {
+			source.Helm = &argoappv1.ApplicationSourceHelm{}
 		}
 		for _, p := range parameters {
 			newParam, err := argoappv1.NewHelmParameter(p, false)
@@ -2109,7 +2150,7 @@ func setParameterOverrides(app *argoappv1.Application, parameters []string) {
 				log.Error(err)
 				continue
 			}
-			app.Spec.Source.Helm.AddParameter(*newParam)
+			source.Helm.AddParameter(*newParam)
 		}
 	default:
 		log.Fatalf("Parameters can only be set against Helm applications")
@@ -2161,10 +2202,6 @@ func NewApplicationHistoryCommand(clientOpts *argocdclient.ClientOptions) *cobra
 			})
 			errors.CheckError(err)

-			if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-			}
-
 			if output == "id" {
 				printApplicationHistoryIds(app.Status.History)
 			} else {
@@ -2225,10 +2262,6 @@ func NewApplicationRollbackCommand(clientOpts *argocdclient.ClientOptions) *cobr
 			})
 			errors.CheckError(err)

-			if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-			}
-
 			depInfo, err := findRevisionHistory(app, int64(depID))
 			errors.CheckError(err)

@@ -2312,10 +2345,6 @@ func NewApplicationManifestsCommand(clientOpts *argocdclient.ClientOptions) *cob
 					app, err := appIf.Get(context.Background(), &applicationpkg.ApplicationQuery{Name: &appName})
 					errors.CheckError(err)

-					if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-						log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-					}
-
 					settingsConn, settingsIf := clientset.NewSettingsClientOrDie()
 					defer argoio.Close(settingsConn)
 					argoSettings, err := settingsIf.Get(context.Background(), &settingspkg.SettingsQuery{})
@@ -2415,10 +2444,6 @@ func NewApplicationEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			})
 			errors.CheckError(err)

-			if app.Spec.Source.Plugin != nil && app.Spec.Source.Plugin.Name != "" {
-				log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
-			}
-
 			appData, err := json.Marshal(app.Spec)
 			errors.CheckError(err)
 			appData, err = yaml.JSONToYAML(appData)
@@ -2460,12 +2485,11 @@ func NewApplicationPatchCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 	command := cobra.Command{
 		Use:   "patch APPNAME",
 		Short: "Patch application",
-		Long: `Examples:
-	# Update an application's source path using json patch
-	argocd app patch myapplication --patch='[{"op": "replace", "path": "/spec/source/path", "value": "newPath"}]' --type json
+		Example: `  # Update an application's source path using json patch
+  argocd app patch myapplication --patch='[{"op": "replace", "path": "/spec/source/path", "value": "newPath"}]' --type json

-	# Update an application's repository target revision using merge patch
-	argocd app patch myapplication --patch '{"spec": { "source": { "targetRevision": "master" } }}' --type merge`,
+  # Update an application's repository target revision using merge patch
+  argocd app patch myapplication --patch '{"spec": { "source": { "targetRevision": "master" } }}' --type merge`,
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()

--- a/cmd/argocd/commands/app_actions.go
+++ b/cmd/argocd/commands/app_actions.go
@@ -18,6 +18,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	applicationpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/util/argo"
 	"github.com/argoproj/argo-cd/v2/util/errors"
@@ -202,7 +203,7 @@ func getActionableResourcesForApplication(appIf applicationpkg.ApplicationServic
 	if err != nil {
 		return nil, err
 	}
-	app.Kind = "Application"
+	app.Kind = application.ApplicationKind
 	app.APIVersion = "argoproj.io/v1alpha1"
 	appManifest, err := json.Marshal(app)
 	if err != nil {
--- a/cmd/argocd/commands/app_test.go
+++ b/cmd/argocd/commands/app_test.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/gitops-engine/pkg/health"
@@ -16,6 +17,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/util/intstr"
 )

 func Test_getInfos(t *testing.T) {
@@ -498,7 +500,7 @@ func TestPrintAppSummaryTable(t *testing.T) {
 				},
 				Project:     "default",
 				Destination: v1alpha1.ApplicationDestination{Server: "local", Namespace: "argocd"},
-				Source: v1alpha1.ApplicationSource{
+				Source: &v1alpha1.ApplicationSource{
 					RepoURL:        "test",
 					TargetRevision: "master",
 					Path:           "/test",
@@ -604,7 +606,7 @@ func TestPrintParams(t *testing.T) {
 	output, _ := captureOutput(func() error {
 		app := &v1alpha1.Application{
 			Spec: v1alpha1.ApplicationSpec{
-				Source: v1alpha1.ApplicationSource{
+				Source: &v1alpha1.ApplicationSource{
 					Helm: &v1alpha1.ApplicationSourceHelm{
 						Parameters: []v1alpha1.HelmParameter{
 							{
@@ -750,6 +752,16 @@ func Test_unset(t *testing.T) {
 				"old1=new:tag",
 				"old2=new:tag",
 			},
+			Replicas: []v1alpha1.KustomizeReplica{
+				{
+					Name:  "my-deployment",
+					Count: intstr.FromInt(2),
+				},
+				{
+					Name:  "my-statefulset",
+					Count: intstr.FromInt(4),
+				},
+			},
 		},
 	}

@@ -826,6 +838,15 @@ func Test_unset(t *testing.T) {
 	assert.False(t, updated)
 	assert.False(t, nothingToUnset)

+	assert.Equal(t, 2, len(kustomizeSource.Kustomize.Replicas))
+	updated, nothingToUnset = unset(kustomizeSource, unsetOpts{kustomizeReplicas: []string{"my-deployment"}})
+	assert.Equal(t, 1, len(kustomizeSource.Kustomize.Replicas))
+	assert.True(t, updated)
+	assert.False(t, nothingToUnset)
+	updated, nothingToUnset = unset(kustomizeSource, unsetOpts{kustomizeReplicas: []string{"my-deployment"}})
+	assert.False(t, updated)
+	assert.False(t, nothingToUnset)
+
 	assert.Equal(t, 2, len(helmSource.Helm.Parameters))
 	updated, nothingToUnset = unset(helmSource, unsetOpts{parameters: []string{"name-1"}})
 	assert.Equal(t, 1, len(helmSource.Helm.Parameters))
@@ -904,22 +925,252 @@ func Test_unset_nothingToUnset(t *testing.T) {
 	}
 }

+func TestFilterAppResources(t *testing.T) {
+	// App resources
+	var (
+		appReplicaSet1 = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name1",
+		}
+		appReplicaSet2 = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name2",
+		}
+		appJob = v1alpha1.ResourceStatus{
+			Group:     "batch",
+			Kind:      "Job",
+			Namespace: "default",
+			Name:      "job-name",
+		}
+		appService1 = v1alpha1.ResourceStatus{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name1",
+		}
+		appService2 = v1alpha1.ResourceStatus{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name2",
+		}
+		appDeployment = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "Deployment",
+			Namespace: "default",
+			Name:      "deployment-name",
+		}
+	)
+	app := v1alpha1.Application{
+		Status: v1alpha1.ApplicationStatus{
+			Resources: []v1alpha1.ResourceStatus{
+				appReplicaSet1, appReplicaSet2, appJob, appService1, appService2, appDeployment},
+		},
+	}
+	// Resource filters
+	var (
+		blankValues = argoappv1.SyncOperationResource{
+			Group:     "",
+			Kind:      "",
+			Name:      "",
+			Namespace: "",
+			Exclude:   false}
+		// *:*:*
+		includeAllResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "*",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   false}
+		// !*:*:*
+		excludeAllResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "*",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   true}
+		// *:Service:*
+		includeAllServiceResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "Service",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   false}
+		// !*:Service:*
+		excludeAllServiceResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "Service",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   true}
+		// apps:ReplicaSet:replicaSet-name1
+		includeReplicaSet1Resource = argoappv1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Name:      "replicaSet-name1",
+			Namespace: "",
+			Exclude:   false}
+		// !apps:ReplicaSet:replicaSet-name2
+		excludeReplicaSet2Resource = argoappv1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Name:      "replicaSet-name2",
+			Namespace: "",
+			Exclude:   true}
+	)
+
+	// Filtered resources
+	var (
+		replicaSet1 = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name1",
+		}
+		replicaSet2 = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name2",
+		}
+		job = v1alpha1.SyncOperationResource{
+			Group:     "batch",
+			Kind:      "Job",
+			Namespace: "default",
+			Name:      "job-name",
+		}
+		service1 = v1alpha1.SyncOperationResource{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name1",
+		}
+		service2 = v1alpha1.SyncOperationResource{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name2",
+		}
+		deployment = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "Deployment",
+			Namespace: "default",
+			Name:      "deployment-name",
+		}
+	)
+	tests := []struct {
+		testName          string
+		selectedResources []*argoappv1.SyncOperationResource
+		expectedResult    []*argoappv1.SyncOperationResource
+	}{
+		// --resource apps:ReplicaSet:replicaSet-name1 --resource *:Service:*
+		{testName: "Include ReplicaSet replicaSet-name1 resouce and all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllServiceResources, &includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &service1, &service2},
+		},
+		// --resource apps:ReplicaSet:replicaSet-name1 --resource !*:Service:*
+		{testName: "Include ReplicaSet replicaSet-name1 resouce and exclude all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllServiceResources, &includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &deployment},
+		},
+		// --resource !apps:ReplicaSet:replicaSet-name2 --resource !*:Service:*
+		{testName: "Exclude ReplicaSet replicaSet-name2 resouce and all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeReplicaSet2Resource, &excludeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &service1, &service2, &deployment},
+		},
+		// --resource !apps:ReplicaSet:replicaSet-name2
+		{testName: "Exclude ReplicaSet replicaSet-name2 resouce",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeReplicaSet2Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &job, &service1, &service2, &deployment},
+		},
+		// --resource apps:ReplicaSet:replicaSet-name1
+		{testName: "Include ReplicaSet replicaSet-name1 resouce",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1},
+		},
+		// --resource !*:Service:*
+		{testName: "Exclude Service resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &deployment},
+		},
+		// --resource *:Service:*
+		{testName: "Include Service resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&service1, &service2},
+		},
+		// --resource !*:*:*
+		{testName: "Exclude all resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllResources},
+			expectedResult:    nil,
+		},
+		// --resource *:*:*
+		{testName: "Include all resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &service1, &service2, &deployment},
+		},
+		{testName: "No Filters",
+			selectedResources: []*argoappv1.SyncOperationResource{&blankValues},
+			expectedResult:    nil,
+		},
+		{testName: "Empty Filter",
+			selectedResources: []*argoappv1.SyncOperationResource{},
+			expectedResult:    nil,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.testName, func(t *testing.T) {
+			filteredResources := filterAppResources(&app, test.selectedResources)
+			assert.Equal(t, test.expectedResult, filteredResources)
+		})
+	}
+}
+
 func TestParseSelectedResources(t *testing.T) {
-	resources := []string{"v1alpha:Application:test", "v1alpha:Application:namespace/test"}
+	resources := []string{"v1alpha:Application:test",
+		"v1alpha:Application:namespace/test",
+		"!v1alpha:Application:test",
+		"apps:Deployment:default/test",
+		"!*:*:*"}
 	operationResources, err := parseSelectedResources(resources)
 	assert.NoError(t, err)
-	assert.Len(t, operationResources, 2)
+	assert.Len(t, operationResources, 5)
 	assert.Equal(t, *operationResources[0], v1alpha1.SyncOperationResource{
 		Namespace: "",
 		Name:      "test",
-		Kind:      "Application",
+		Kind:      application.ApplicationKind,
 		Group:     "v1alpha",
 	})
 	assert.Equal(t, *operationResources[1], v1alpha1.SyncOperationResource{
 		Namespace: "namespace",
 		Name:      "test",
+		Kind:      application.ApplicationKind,
+		Group:     "v1alpha",
+	})
+	assert.Equal(t, *operationResources[2], v1alpha1.SyncOperationResource{
+		Namespace: "",
+		Name:      "test",
 		Kind:      "Application",
 		Group:     "v1alpha",
+		Exclude:   true,
+	})
+	assert.Equal(t, *operationResources[3], v1alpha1.SyncOperationResource{
+		Namespace: "default",
+		Name:      "test",
+		Kind:      "Deployment",
+		Group:     "apps",
+		Exclude:   false,
+	})
+	assert.Equal(t, *operationResources[4], v1alpha1.SyncOperationResource{
+		Namespace: "",
+		Name:      "*",
+		Kind:      "*",
+		Group:     "*",
+		Exclude:   true,
 	})
 }

@@ -985,7 +1236,7 @@ func TestPrintApplicationTableWide(t *testing.T) {
 					Server:    "http://localhost:8080",
 					Namespace: "default",
 				},
-				Source: v1alpha1.ApplicationSource{
+				Source: &v1alpha1.ApplicationSource{
 					RepoURL:        "https://github.com/argoproj/argocd-example-apps",
 					Path:           "guestbook",
 					TargetRevision: "123",
@@ -1261,7 +1512,7 @@ func testApp(name, project string, labels map[string]string, annotations map[str
 			Finalizers:  finalizers,
 		},
 		Spec: argoappv1.ApplicationSpec{
-			Source: argoappv1.ApplicationSource{
+			Source: &argoappv1.ApplicationSource{
 				RepoURL: "https://github.com/argoproj/argocd-example-apps.git",
 			},
 			Project: project,
--- a/cmd/argocd/commands/applicationset.go
+++ b/cmd/argocd/commands/applicationset.go
@@ -95,7 +95,7 @@ func NewApplicationSetGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 					fmt.Println()
 				}
 				if showParams {
-					printHelmParams(appSet.Spec.Template.Spec.Source.Helm)
+					printHelmParams(appSet.Spec.Template.Spec.GetSource().Helm)
 				}
 			default:
 				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
@@ -317,7 +317,7 @@ func printApplicationSetTable(apps []arogappsetv1.ApplicationSet, output *string
 			conditions,
 		}
 		if *output == "wide" {
-			vals = append(vals, app.Spec.Template.Spec.Source.RepoURL, app.Spec.Template.Spec.Source.Path, app.Spec.Template.Spec.Source.TargetRevision)
+			vals = append(vals, app.Spec.Template.Spec.GetSource().RepoURL, app.Spec.Template.Spec.GetSource().Path, app.Spec.Template.Spec.GetSource().TargetRevision)
 		}
 		_, _ = fmt.Fprintf(w, fmtStr, vals...)
 	}
@@ -333,25 +333,29 @@ func getServerForAppSet(appSet *arogappsetv1.ApplicationSet) string {
 }

 func printAppSetSummaryTable(appSet *arogappsetv1.ApplicationSet) {
+	source := appSet.Spec.Template.Spec.GetSource()
 	fmt.Printf(printOpFmtStr, "Name:", appSet.Name)
 	fmt.Printf(printOpFmtStr, "Project:", appSet.Spec.Template.Spec.GetProject())
 	fmt.Printf(printOpFmtStr, "Server:", getServerForAppSet(appSet))
 	fmt.Printf(printOpFmtStr, "Namespace:", appSet.Spec.Template.Spec.Destination.Namespace)
-	fmt.Printf(printOpFmtStr, "Repo:", appSet.Spec.Template.Spec.Source.RepoURL)
-	fmt.Printf(printOpFmtStr, "Target:", appSet.Spec.Template.Spec.Source.TargetRevision)
-	fmt.Printf(printOpFmtStr, "Path:", appSet.Spec.Template.Spec.Source.Path)
-	printAppSourceDetails(&appSet.Spec.Template.Spec.Source)
+	fmt.Printf(printOpFmtStr, "Repo:", source.RepoURL)
+	fmt.Printf(printOpFmtStr, "Target:", source.TargetRevision)
+	fmt.Printf(printOpFmtStr, "Path:", source.Path)
+	printAppSourceDetails(&source)

-	var syncPolicy string
-	if appSet.Spec.SyncPolicy != nil && appSet.Spec.Template.Spec.SyncPolicy.Automated != nil {
-		syncPolicy = "Automated"
-		if appSet.Spec.Template.Spec.SyncPolicy.Automated.Prune {
-			syncPolicy += " (Prune)"
+	var (
+		syncPolicyStr string
+		syncPolicy    = appSet.Spec.Template.Spec.SyncPolicy
+	)
+	if syncPolicy != nil && syncPolicy.Automated != nil {
+		syncPolicyStr = "Automated"
+		if syncPolicy.Automated.Prune {
+			syncPolicyStr += " (Prune)"
 		}
 	} else {
-		syncPolicy = "<none>"
+		syncPolicyStr = "<none>"
 	}
-	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicy)
+	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicyStr)

 }

--- a/cmd/argocd/commands/applicationset_test.go
+++ b/cmd/argocd/commands/applicationset_test.go
@@ -1,6 +1,8 @@
 package commands

 import (
+	"io"
+	"os"
 	"testing"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -68,3 +70,124 @@ func TestPrintApplicationSetTable(t *testing.T) {
 	expectation := "NAME      NAMESPACE  PROJECT  SYNCPOLICY  CONDITIONS\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\n"
 	assert.Equal(t, expectation, output)
 }
+
+func TestPrintAppSetSummaryTable(t *testing.T) {
+	baseAppSet := &arogappsetv1.ApplicationSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "app-name",
+		},
+		Spec: arogappsetv1.ApplicationSetSpec{
+			Generators: []arogappsetv1.ApplicationSetGenerator{
+				arogappsetv1.ApplicationSetGenerator{
+					Git: &arogappsetv1.GitGenerator{
+						RepoURL:  "https://github.com/argoproj/argo-cd.git",
+						Revision: "head",
+						Directories: []arogappsetv1.GitDirectoryGeneratorItem{
+							arogappsetv1.GitDirectoryGeneratorItem{
+								Path: "applicationset/examples/git-generator-directory/cluster-addons/*",
+							},
+						},
+					},
+				},
+			},
+			Template: arogappsetv1.ApplicationSetTemplate{
+				Spec: v1alpha1.ApplicationSpec{
+					Project: "default",
+				},
+			},
+		},
+		Status: arogappsetv1.ApplicationSetStatus{
+			Conditions: []arogappsetv1.ApplicationSetCondition{
+				arogappsetv1.ApplicationSetCondition{
+					Status: v1alpha1.ApplicationSetConditionStatusTrue,
+					Type:   arogappsetv1.ApplicationSetConditionResourcesUpToDate,
+				},
+			},
+		},
+	}
+
+	appsetSpecSyncPolicy := baseAppSet.DeepCopy()
+	appsetSpecSyncPolicy.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
+		PreserveResourcesOnDeletion: true,
+	}
+
+	appSetTemplateSpecSyncPolicy := baseAppSet.DeepCopy()
+	appSetTemplateSpecSyncPolicy.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
+		Automated: &arogappsetv1.SyncPolicyAutomated{
+			SelfHeal: true,
+		},
+	}
+
+	appSetBothSyncPolicies := baseAppSet.DeepCopy()
+	appSetBothSyncPolicies.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
+		PreserveResourcesOnDeletion: true,
+	}
+	appSetBothSyncPolicies.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
+		Automated: &arogappsetv1.SyncPolicyAutomated{
+			SelfHeal: true,
+		},
+	}
+
+	for _, tt := range []struct {
+		name           string
+		appSet         *arogappsetv1.ApplicationSet
+		expectedOutput string
+	}{
+		{
+			name:   "appset with only spec.syncPolicy set",
+			appSet: appsetSpecSyncPolicy,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         <none>
+`,
+		},
+		{
+			name:   "appset with only spec.template.spec.syncPolicy set",
+			appSet: appSetTemplateSpecSyncPolicy,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         Automated
+`,
+		},
+		{
+			name:   "appset with both spec.SyncPolicy and spec.template.spec.syncPolicy set",
+			appSet: appSetBothSyncPolicies,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         Automated
+`,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			oldStdout := os.Stdout
+			defer func() {
+				os.Stdout = oldStdout
+			}()
+
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			printAppSetSummaryTable(tt.appSet)
+			w.Close()
+
+			out, err := io.ReadAll(r)
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expectedOutput, string(out))
+		})
+	}
+}
--- a/cmd/argocd/commands/bcrypt.go
+++ b/cmd/argocd/commands/bcrypt.go
@@ -8,7 +8,7 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )

-// bcryptCmd represents the bcrypt command
+// NewBcryptCmd represents the bcrypt command
 func NewBcryptCmd() *cobra.Command {
 	var (
 		password string
--- a/cmd/argocd/commands/cert.go
+++ b/cmd/argocd/commands/cert.go
@@ -135,7 +135,7 @@ func NewCertAddTLSCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 	return command
 }

-// NewCertAddCommand returns a new instance of an `argocd cert add` command
+// NewCertAddSSHCommand returns a new instance of an `argocd cert add` command
 func NewCertAddSSHCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
 		fromFile     string
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .5.0
 .8.0