Bump version to 3.3.1 on release-3.3 branch (#26501 )

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: reggie-k <19544836+reggie-k@users.noreply.github.com>
fix: Fix excessive ls-remote requests on monorepos with Auto Sync enabled apps (26277) (cherry-pick #26278 for 3.3) (#26372 )
2026-02-20 09:38:49 +01:00 · 2026-02-18 13:39:12 +02:00 · 2026-02-18 13:31:39 +02:00 · 2026-02-17 23:15:37 -10:00 · 2026-02-13 12:17:50 +05:30 · 2026-02-13 11:40:27 +05:30
3465 changed files with 512225 additions and 120409 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -8,6 +8,7 @@ ignore:
 - "pkg/client/.*"
 - "vendor/.*"
 - "test/.*"
+- "**/mocks/*"
 coverage:
  status:
    # we've found this not to be useful
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,18 @@
+**/*.pb.go linguist-generated=true
+**/mocks/*.go linguist-generated=true
+assets/swagger.json linguist-generated=true
+docs/operator-manual/resource_actions_builtin.md linguist-generated=true
+docs/operator-manual/server-commands/argocd-*.md linguist-generated=true
+docs/user-guide/commands/argocd_*.md linguist-generated=true
+manifests/core-install.yaml linguist-generated=true
+manifests/core-install-with-hydrator.yaml linguist-generated=true
+manifests/crds/*-crd.yaml linguist-generated=true
+manifests/ha/install.yaml linguist-generated=true
+manifests/ha/install-with-hydrator.yaml linguist-generated=true
+manifests/ha/namespace-install.yaml linguist-generated=true
+manifests/ha/namespace-install-with-hydrator.yaml linguist-generated=true
+manifests/install.yaml linguist-generated=true
+manifests/install-with-hydrator.yaml linguist-generated=true
+manifests/namespace-install.yaml linguist-generated=true
+manifests/namespace-install-with-hydrator.yaml linguist-generated=true
+pkg/apis/api-rules/violation_exceptions.list linguist-generated=true
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -2,7 +2,7 @@
 name: Bug report
 about: Create a report to help us improve
 title: ''
-labels: 'bug'
+labels: ['bug', 'triage/pending']
 assignees: ''
 ---

@@ -10,9 +10,9 @@ assignees: ''

 Checklist:

-* [ ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
-* [ ] I've included steps to reproduce the bug.
-* [ ] I've pasted the output of `argocd version`.
+- [ ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
+- [ ] I've included steps to reproduce the bug.
+- [ ] I've pasted the output of `argocd version`.

 **Describe the bug**

--- a/.github/ISSUE_TEMPLATE/enhancement_proposal.md
+++ b/.github/ISSUE_TEMPLATE/enhancement_proposal.md
@@ -2,9 +2,10 @@
 name: Enhancement proposal
 about: Propose an enhancement for this project
 title: ''
-labels: 'enhancement'
+labels: ['enhancement', 'triage/pending']
 assignees: ''
 ---
+
 # Summary

 What change you think needs making.
@@ -15,4 +16,4 @@ Please give examples of your use case, e.g. when would you use this.

 # Proposal

-How do you think this should be implemented?
+How do you think this should be implemented?
--- a/.github/ISSUE_TEMPLATE/new_dev_tool.md
+++ b/.github/ISSUE_TEMPLATE/new_dev_tool.md
@@ -0,0 +1,43 @@
+---
+name: New Dev Tool Request
+about: This is a request for adding a new tool for setting up a dev environment.
+title: ''
+labels: ['component:dev-env', 'triage/pending']
+assignees: ''
+---
+
+Checklist:
+
+- [ ] I am willing to maintain this tool, or have another Argo CD maintainer who is.
+- [ ] I have another Argo CD maintainer who is willing to help maintain this tool (there needs to be at least two maintainers willing to maintain this tool)
+- [ ] I have a lead sponsor who is a core Argo CD maintainer
+- [ ] There is a PR which adds said tool - this is so that the maintainers can assess the impact of having this in the tree
+- [ ] I have given a motivation why this should be added
+
+### The proposer
+
+<-- The username(s) of the person(s) proposing the tool -->
+
+### The proposed tool
+
+<!-- The tool itself, with a link to the tool’s website -->
+
+### Motivation
+
+<!-- Why this tool would be useful to have in the tree. -->
+
+### Link to PR (Optional)
+
+<!-- A PR adding the tool to the tree -->
+
+### Lead Sponsor(s)
+
+Final approval requires sponsorship from at least one core maintainer.
+
+- @<sponsor-1>
+
+### Co-sponsors
+
+These will be the co-maintainers of the specified tool.
+
+- @<sponsor-1>
--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@@ -9,18 +9,78 @@ assignees: ''
 Target RC1 date: ___. __, ____
 Target GA date: ___. __, ____

- - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can’t merge
+## RC1 Release Checklist
+
+ - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can't merge
 - [ ] At least two days before RC1 date, draft RC blog post and submit it for review (or delegate this task)
- - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
- - [ ] Create new release branch
+ - [ ] Create new release branch (or delegate this task to an Approver)
    - [ ] Add the release branch to ReadTheDocs
-    - [ ] Confirm that tweet and blog post are ready
-    - [ ] Trigger the release
-    - [ ] After the release is finished, publish tweet and blog post
-    - [ ] Post in #argo-cd and #argo-announcements with lots of emojis announcing the release and requesting help testing
- - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate (or delegate this task to an Approver and coordinate timing)
- - [ ] At release date, evaluate if any bugs justify delaying the release. If not, cut the release (or delegate this task to an Approver and coordinate timing)
- - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
- - [ ] After the release, post in #argo-cd that the {current minor version minus 3} has reached EOL (example: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1667336234059729)
+ - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
+    - [ ] Run the [Init ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/init-release.yaml) from the release branch
+    - [ ] Review and merge the generated version bump PR
+    - [ ] Run `./hack/trigger-release.sh` to push the release tag
+    - [ ] Monitor the [Publish ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/release.yaml)
+    - [ ] Verify the release on [GitHub releases](https://github.com/argoproj/argo-cd/releases)
+    - [ ] Verify the container image on [Quay.io](https://quay.io/repository/argoproj/argocd?tab=tags)
+    - [ ] Confirm the new version appears in [Read the Docs](https://argo-cd.readthedocs.io/)
+    - [ ] Verify the docs release build in https://app.readthedocs.org/projects/argo-cd/ succeeded and retry if failed (requires an Approver with admin creds to readthedocs)
+ - [ ] Announce RC1 release
+   - [ ] Confirm that tweet and blog post are ready
+   - [ ] Publish tweet and blog post
+   - [ ] Post in #argo-cd and #argo-announcements requesting help testing:
+     ```
+     :mega: Argo CD v{MAJOR}.{MINOR}.{PATCH}-rc{RC_NUMBER} is OUT NOW! :argocd::tada:
+     
+     Please go through the following resources to know more about the release:
+     
+     Release notes: https://github.com/argoproj/argo-cd/releases/tag/v{VERSION}
+     Blog: {BLOG_POST_URL}
+     
+     We'd love your help testing this release candidate! Please try it out in your environments and report any issues you find. This helps us ensure a stable GA release.
+     
+     Thanks to all the folks who spent their time contributing to this release in any way possible!
+     ```
+ - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate during the RC period (or delegate this task to an Approver and coordinate timing)
+
+## GA Release Checklist
+
+ - [ ] At GA release date, evaluate if any bugs justify delaying the release
+ - [ ] Prepare for EOL version (version that is 3 releases old)
+    - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
+    - [ ] Edit the final patch release on GitHub and add the following notice at the top:
+     ```markdown
+     > [!IMPORTANT]
+     > **END OF LIFE NOTICE**
+     > 
+     > This is the final release of the {EOL_SERIES} release series. As of {GA_DATE}, this version has reached end of life and will no longer receive bug fixes or security updates.
+     > 
+     > **Action Required**: Please upgrade to a [supported version](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) (v{SUPPORTED_VERSION_1}, v{SUPPORTED_VERSION_2}, or v{NEW_VERSION}).
+     ```
+ - [ ] Cut GA release (or delegate this task to an Approver and coordinate timing)
+    - [ ] Run the [Init ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/init-release.yaml) from the release branch
+    - [ ] Review and merge the generated version bump PR
+    - [ ] Run `./hack/trigger-release.sh` to push the release tag
+    - [ ] Monitor the [Publish ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/release.yaml)
+    - [ ] Verify the release on [GitHub releases](https://github.com/argoproj/argo-cd/releases)
+    - [ ] Verify the container image on [Quay.io](https://quay.io/repository/argoproj/argocd?tab=tags)
+    - [ ] Verify the `stable` tag has been updated
+    - [ ] Confirm the new version appears in [Read the Docs](https://argo-cd.readthedocs.io/)
+    - [ ] Verify the docs release build in https://app.readthedocs.org/projects/argo-cd/ succeeded and retry if failed (requires an Approver with admin creds to readthedocs)
+ - [ ] Announce GA release with EOL notice
+   - [ ] Confirm that tweet and blog post are ready
+   - [ ] Publish tweet and blog post
+   - [ ] Post in #argo-cd and #argo-announcements announcing the release and EOL:
+     ```
+     :mega: Argo CD v{MAJOR}.{MINOR} is OUT NOW! :argocd::tada:
+     
+     Please go through the following resources to know more about the release:
+     
+     Upgrade instructions: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/{PREV_MINOR}-{MAJOR}.{MINOR}/
+     Blog: {BLOG_POST_URL}
+     
+     :warning: IMPORTANT: With the release of Argo CD v{MAJOR}.{MINOR}, support for Argo CD v{EOL_VERSION} has officially reached End of Life (EOL).
+     
+     Thanks to all the folks who spent their time contributing to this release in any way possible!
+     ```
 - [ ] (For the next release champion) Review the [items scheduled for the next release](https://github.com/orgs/argoproj/projects/25). If any item does not have an assignee who can commit to finish the feature, move it to the next release.
- - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
+ - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
--- a/.github/ISSUE_TEMPLATE/security_logs.md
+++ b/.github/ISSUE_TEMPLATE/security_logs.md
@@ -1,10 +1,11 @@
 ---
 name: Security log
 about: Propose adding security-related logs or tagging existing logs with security fields
-title: "seclog: [Event Description]"
-labels: security-log
-assignees: notfromstatefarm
+title: 'seclog: [Event Description]'
+labels: ['security', 'triage/pending']
+assignees: ''
 ---
+
 # Event to be logged

 Specify the event that needs to be logged or existing logs that need to be tagged.
@@ -16,4 +17,3 @@ What security level should these events be logged under? Refer to https://argo-c
 # Common Weakness Enumeration

 Is there an associated [CWE](https://cwe.mitre.org/) that could be tagged as well?
-
--- a/.github/cherry-pick-bot.yml
+++ b/.github/cherry-pick-bot.yml
@@ -1,3 +0,0 @@
-enabled: true
-preservePullRequestTitle: true
-
--- a/.github/configs/renovate-config.js
+++ b/.github/configs/renovate-config.js
@@ -0,0 +1,15 @@
+module.exports = {
+    platform: 'github',
+    gitAuthor: 'renovate[bot] <renovate[bot]@users.noreply.github.com>',
+    autodiscover: false,
+    allowPostUpgradeCommandTemplating: true,
+    allowedPostUpgradeCommands: ["make mockgen"],
+    extends: [
+        "github>argoproj/argo-cd//renovate-presets/commons.json5",
+        "github>argoproj/argo-cd//renovate-presets/custom-managers/shell.json5",
+        "github>argoproj/argo-cd//renovate-presets/custom-managers/yaml.json5",
+        "github>argoproj/argo-cd//renovate-presets/fix/disable-all-updates.json5",
+        "github>argoproj/argo-cd//renovate-presets/devtool.json5",
+        "github>argoproj/argo-cd//renovate-presets/docs.json5"
+    ]
+}
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,8 +4,13 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+    open-pull-requests-limit: 20
    ignore:
    - dependency-name: k8s.io/*
+    groups:
+      otel:
+        patterns:
+          - "go.opentelemetry.io/*"

  - package-ecosystem: "github-actions"
    directory: "/"
@@ -17,10 +22,21 @@ updates:
    schedule:
      interval: "daily"

+# Disabled since this code is rarely used.
+#  - package-ecosystem: "npm"
+#    directory: "/ui-test/"
+#    schedule:
+#      interval: "daily"
+
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
+    ignore:
+      # We use consistent go and node versions across a lot of different files, and updating via dependabot would cause
+      # drift among those files, instead we let renovate bot handle them.
+      - dependency-name: "library/golang"
+      - dependency-name: "library/node"

  - package-ecosystem: "docker"
    directory: "/test/container/"
@@ -37,7 +53,8 @@ updates:
    schedule:
      interval: "daily"

-  - package-ecosystem: "docker"
-    directory: "/ui-test/"
-    schedule:
-      interval: "daily"
+# Disabled since this code is rarely used.
+#  - package-ecosystem: "docker"
+#    directory: "/ui-test/"
+#    schedule:
+#      interval: "daily"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -8,7 +8,7 @@ Checklist:

 * [ ] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
 * [ ] The title of the PR states what changed and the related issues number (used for the release note).
-* [ ] The title of the PR conforms to the [Toolchain Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/toolchain-guide/#title-of-the-pr)
+* [ ] The title of the PR conforms to the [Title of the PR](https://argo-cd.readthedocs.io/en/latest/developer-guide/submit-your-pr/#title-of-the-pr)
 * [ ] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
 * [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
 * [ ] Does this PR require documentation updates?
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -6,16 +6,17 @@
 | codeql.yaml        | CodeQL analysis                                                |
 | image-reuse.yaml   | Build, push, and Sign container images                         |
 | image.yaml         | Build container image for PR's & publish for push events       |
-| pr-title-check.yaml| Lint PR for semantic information                               |
 | init-release.yaml  | Build manifests and version then create a PR for release branch|
+| pr-title-check.yaml| Lint PR for semantic information                               |
 | release.yaml       | Build images, cli-binaries, provenances, and post actions      |
+| scorecard.yaml     | Generate scorecard for supply-chain security                   |
 | update-snyk.yaml   | Scheduled snyk reports                                         |

 # Reusable workflows

 ## image-reuse.yaml

- The resuable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
+- The reusable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
 - A GO version `must` be specified e.g. 1.21
 - The image name for each registry *must* contain the tag. Note: multiple tags are allowed for each registry using a CSV type.
 - Multiple platforms can be specified e.g. linux/amd64,linux/arm64
--- a/.github/workflows/bump-major-version.yaml
+++ b/.github/workflows/bump-major-version.yaml
@@ -0,0 +1,89 @@
+name: Bump major version
+on:
+  workflow_dispatch: {}
+
+permissions: {}
+
+jobs:
+  prepare-release:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
+    name: Automatically update major version
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Get the current major version from go.mod and save it as a variable.
+      - name: Get target version
+        id: get-target-version
+        run: |
+          set -ue
+          CURRENT_VERSION=$(grep 'module github.com/argoproj/argo-cd' go.mod | awk '{print $2}' | sed 's/.*\/v//')
+          echo "TARGET_VERSION=$((CURRENT_VERSION + 1))" >> $GITHUB_OUTPUT
+
+      - name: Copy source code to GOPATH
+        run: |
+          mkdir -p ~/go/src/github.com/argoproj
+          cp -a ../argo-cd ~/go/src/github.com/argoproj
+
+      - name: Run script to bump the version
+        run: |
+          hack/bump-major-version.sh
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+
+      - name: Setup Golang
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+      - name: Add ~/go/bin to PATH
+        run: |
+          echo "/home/runner/go/bin" >> $GITHUB_PATH
+      - name: Add /usr/local/bin to PATH
+        run: |
+          echo "/usr/local/bin" >> $GITHUB_PATH
+      - name: Download & vendor dependencies
+        run: |
+          # We need to vendor go modules for codegen yet
+          go mod download
+          go mod vendor -v
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+      - name: Install toolchain for codegen
+        run: |
+          make install-codegen-tools-local
+          make install-go-tools-local
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
+      - name: Run codegen
+        run: |
+          set -x
+          export GOPATH=$(go env GOPATH)
+          make codegen-local
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+
+      - name: Copy changes back
+        run: |
+          # Copy the contents back, but skip the .git directory
+          rsync -a --exclude=.git /home/runner/go/src/github.com/argoproj/argo-cd/ ../argo-cd
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725  # v8.0.0
+        with:
+          commit-message: "Bump major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}"
+          title: "Bump major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}"
+          body: |
+            Congrats! You've just bumped the major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}.
+            
+            Next steps:
+            - [ ] Merge this PR
+            - [ ] Add an upgrade guide to the docs for this version
+          branch: bump-major-version
+          branch-suffix: random
+          signoff: true
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@@ -0,0 +1,121 @@
+name: Cherry Pick Single
+
+on:
+  workflow_call:
+    inputs:
+      merge_commit_sha:
+        required: true
+        type: string
+        description: "The merge commit SHA to cherry-pick"
+      version_number:
+        required: true
+        type: string
+        description: "The version number (from cherry-pick/ label)"
+      pr_number:
+        required: true
+        type: string
+        description: "The original PR number"
+      pr_title:
+        required: true
+        type: string
+        description: "The original PR title"
+    secrets:
+      CHERRYPICK_APP_ID:
+        required: true
+      CHERRYPICK_APP_PRIVATE_KEY:
+        required: true
+
+jobs:
+  cherry-pick:
+    name: Cherry Pick to ${{ inputs.version_number }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        with:
+          app-id: ${{ secrets.CHERRYPICK_APP_ID }}
+          private-key: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
+
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        with:
+          fetch-depth: 0
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Configure Git
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Cherry pick commit
+        id: cherry-pick
+        run: |
+          set -e
+
+          MERGE_COMMIT="${{ inputs.merge_commit_sha }}"
+          TARGET_BRANCH="release-${{ inputs.version_number }}"
+
+          echo "🍒 Cherry-picking commit $MERGE_COMMIT to branch $TARGET_BRANCH"
+
+          # Check if target branch exists
+          if ! git show-ref --verify --quiet "refs/remotes/origin/$TARGET_BRANCH"; then
+            echo "❌ Target branch '$TARGET_BRANCH' does not exist"
+            exit 1
+          fi
+
+          # Create new branch for cherry-pick
+          CHERRY_PICK_BRANCH="cherry-pick-${{ inputs.pr_number }}-to-${TARGET_BRANCH}"
+          git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"
+
+          # Perform cherry-pick
+          if git cherry-pick -m 1 "$MERGE_COMMIT"; then
+            echo "✅ Cherry-pick successful"
+
+            # Extract Signed-off-by from the cherry-pick commit
+            SIGNOFF=$(git log -1 --pretty=format:"%B" | grep -E '^Signed-off-by:' || echo "")
+
+            # Push the new branch
+            git push origin "$CHERRY_PICK_BRANCH"
+
+            # Save data for PR creation
+            echo "branch_name=$CHERRY_PICK_BRANCH" >> "$GITHUB_OUTPUT"
+            echo "signoff=$SIGNOFF" >> "$GITHUB_OUTPUT"
+            echo "target_branch=$TARGET_BRANCH" >> "$GITHUB_OUTPUT"
+          else
+            echo "❌ Cherry-pick failed due to conflicts"
+            git cherry-pick --abort
+            exit 1
+          fi
+
+      - name: Create Pull Request
+        run: |
+          # Create cherry-pick PR
+          TITLE="${PR_TITLE} (cherry-pick #${{ inputs.pr_number }} for ${{ inputs.version_number }})"
+          BODY=$(cat <<EOF
+          Cherry-picked ${PR_TITLE} (#${{ inputs.pr_number }})
+
+          ${{ steps.cherry-pick.outputs.signoff }}
+          EOF
+          )
+
+          gh pr create \
+            --title "$TITLE" \
+            --body "$BODY" \
+            --base "${{ steps.cherry-pick.outputs.target_branch }}" \
+            --head "${{ steps.cherry-pick.outputs.branch_name }}"
+
+          # Comment on original PR
+          gh pr comment ${{ inputs.pr_number }} \
+            --body "🍒 Cherry-pick PR created for ${{ inputs.version_number }}: #$(gh pr list --head ${{ steps.cherry-pick.outputs.branch_name }} --json number --jq '.[0].number')"
+        env:
+          PR_TITLE: ${{ inputs.pr_title }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+
+      - name: Comment on failure
+        if: failure()
+        run: |
+          gh pr comment ${{ inputs.pr_number }} \
+            --body "❌ Cherry-pick failed for ${{ inputs.version_number }}. Please check the [workflow logs](https://github.com/argoproj/argo-cd/actions/runs/${{ github.run_id }}) for details."
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -0,0 +1,53 @@
+name: Cherry Pick
+
+on:
+  pull_request_target:
+    branches:
+      - master
+    types: ["labeled", "closed"]
+
+jobs:
+  find-labels:
+    name: Find Cherry Pick Labels
+    if: |
+      github.event.pull_request.merged == true && (
+        (github.event.action == 'labeled' && startsWith(github.event.label.name, 'cherry-pick/')) ||
+        (github.event.action == 'closed' && contains(toJSON(github.event.pull_request.labels.*.name), 'cherry-pick/'))
+      )
+    runs-on: ubuntu-latest
+    outputs:
+      labels: ${{ steps.extract-labels.outputs.labels }}
+    steps:
+      - name: Extract cherry-pick labels
+        id: extract-labels
+        run: |
+          if [[ "${{ github.event.action }}" == "labeled" ]]; then
+            # Label was just added - use it directly
+            LABEL_NAME="${{ github.event.label.name }}"
+            VERSION="${LABEL_NAME#cherry-pick/}"
+            CHERRY_PICK_DATA='[{"label":"'$LABEL_NAME'","version":"'$VERSION'"}]'
+          else
+            # PR was closed - find all cherry-pick labels
+            CHERRY_PICK_DATA=$(echo '${{ toJSON(github.event.pull_request.labels) }}' | jq -c '[.[] | select(.name | startswith("cherry-pick/")) | {label: .name, version: (.name | sub("cherry-pick/"; ""))}]')
+          fi
+
+          echo "labels=$CHERRY_PICK_DATA" >> "$GITHUB_OUTPUT"
+          echo "Found cherry-pick data: $CHERRY_PICK_DATA"
+
+  cherry-pick:
+    name: Cherry Pick
+    needs: find-labels
+    if: needs.find-labels.outputs.labels != '[]'
+    strategy:
+      matrix:
+        include: ${{ fromJSON(needs.find-labels.outputs.labels) }}
+      fail-fast: false
+    uses: ./.github/workflows/cherry-pick-single.yml
+    with:
+      merge_commit_sha: ${{ github.event.pull_request.merge_commit_sha }}
+      version_number: ${{ matrix.version }}
+      pr_number: ${{ github.event.pull_request.number }}
+      pr_title: ${{ github.event.pull_request.title }}
+    secrets:
+      CHERRYPICK_APP_ID: ${{ vars.CHERRYPICK_APP_ID }}
+      CHERRYPICK_APP_PRIVATE_KEY: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -13,11 +13,12 @@ on:

 env:
  # Golang version to use across CI steps
-  GOLANG_VERSION: '1.21'
+  # renovate: datasource=golang-version packageName=golang
+  GOLANG_VERSION: '1.25.5'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

 permissions:
  contents: read
@@ -28,21 +29,24 @@ jobs:
    outputs:
      backend: ${{ steps.filter.outputs.backend_any_changed }}
      frontend: ${{ steps.filter.outputs.frontend_any_changed }}
+      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
-      - uses: tj-actions/changed-files@90a06d6ba9543371ab4df8eeca0be07ca6054959 # v42.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
          files_yaml: |
            backend:
              - '!ui/**'
-              - '!**.md'            
+              - '!**.md'
              - '!**/*.md'
              - '!docs/**'
            frontend:
              - 'ui/**'
              - Dockerfile
+            docs:
+              - 'docs/**'
  check-go:
    name: Ensure Go modules synchronicity
    if: ${{ needs.changes.outputs.backend == 'true' }}
@@ -51,9 +55,9 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@@ -63,7 +67,6 @@ jobs:
        run: |
          go mod tidy
          git diff --exit-code -- .
-
  build-go:
    name: Build & cache Go code
    if: ${{ needs.changes.outputs.backend == 'true' }}
@@ -72,13 +75,13 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -90,8 +93,8 @@ jobs:

  lint-go:
    permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
    name: Lint Go code
    if: ${{ needs.changes.outputs.backend == 'true' }}
    runs-on: ubuntu-22.04
@@ -99,16 +102,17 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
-          version: v1.54.0
-          args: --enable gofmt --timeout 10m --exclude SA5011 --verbose --max-issues-per-linter 0 --max-same-issues 0
+          # renovate: datasource=go packageName=github.com/golangci/golangci-lint versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
+          version: v2.5.0
+          args: --verbose

  test-go:
    name: Run unit tests for Go packages
@@ -124,11 +128,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -148,7 +152,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -168,16 +172,11 @@ jobs:
          go mod download
      - name: Run all unit tests
        run: make test-local
-      - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: code-coverage
-          path: coverage.out
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: test-results
-          path: test-results/
+          path: test-results

  test-go-race:
    name: Run unit tests with -race for Go packages
@@ -193,11 +192,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -217,7 +216,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -238,28 +237,29 @@ jobs:
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: race-results
          path: test-results/

  codegen:
    name: Check changes to generated code
-    if: ${{ needs.changes.outputs.backend == 'true' }}
+    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.docs == 'true'}}
    runs-on: ubuntu-22.04
    needs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
        run: |
          mkdir -p ~/go/src/github.com/argoproj
-          cp -a ../argo-cd ~/go/src/github.com/argoproj
+          cp -a ../${{ github.event.repository.name }} ~/go/src/github.com/argoproj
      - name: Add ~/go/bin to PATH
        run: |
          echo "/home/runner/go/bin" >> $GITHUB_PATH
@@ -271,12 +271,14 @@ jobs:
          # We need to vendor go modules for codegen yet
          go mod download
          go mod vendor -v
-        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
      - name: Install toolchain for codegen
        run: |
          make install-codegen-tools-local
          make install-go-tools-local
-        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
        # We install kustomize in the dist directory
      - name: Add dist to PATH
        run: |
@@ -287,29 +289,33 @@ jobs:
          export GOPATH=$(go env GOPATH)
          git checkout -- go.mod go.sum
          make codegen-local
-        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
      - name: Check nothing has changed
        run: |
          set -xo pipefail
          git diff --exit-code -- . ':!go.sum' ':!go.mod' ':!assets/swagger.json' | tee codegen.patch
-        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}

  build-ui:
    name: Build, test & lint UI code
-    if: ${{ needs.changes.outputs.frontend == 'true' }}
+    # We run UI logic for backend changes so that we have a complete set of coverage documents to send to codecov.
+    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
    runs-on: ubuntu-22.04
    needs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Setup NodeJS
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
-          node-version: '21.6.1'
+          # renovate: datasource=node-version packageName=node versioning=node
+          node-version: '22.9.0'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -324,11 +330,22 @@ jobs:
          NODE_ENV: production
          NODE_ONLINE_ENV: online
          HOST_ARCH: amd64
+          # If we're on the master branch, set the codecov token so that we upload bundle analysis
+          CODECOV_TOKEN: ${{ github.ref == 'refs/heads/master' && secrets.CODECOV_TOKEN || '' }}
        working-directory: ui/
      - name: Run ESLint
        run: yarn lint
        working-directory: ui/

+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - run: |
+          sudo apt-get install shellcheck
+          shellcheck -e SC2059 -e SC2154 -e SC2034 -e SC2016 -e SC1091 $(find . -type f -name '*.sh' | grep -v './ui/node_modules') | tee sc.log
+          test ! -s sc.log
+
  analyze:
    name: Process & analyze test artifacts
    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
@@ -337,120 +354,130 @@ jobs:
      - test-go
      - build-ui
      - changes
+      - test-e2e
    env:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
      - name: Remove other node_modules directory
        run: |
          rm -rf ui/node_modules/argo-ui/node_modules
-      - name: Create test-results directory
-        run: |
-          mkdir -p test-results
-      - name: Get code coverage artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - name: Get e2e code coverage
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
-          name: code-coverage
-      - name: Get test result artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+          name: e2e-code-coverage
+          path: e2e-code-coverage
+      - name: Get unit test code coverage
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: test-results
          path: test-results
+      - name: combine-go-coverage
+        # We generate coverage reports for all Argo CD components, but only the applicationset-controller,
+        # app-controller, repo-server, and commit-server report contain coverage data. The other components currently
+        # don't shut down gracefully, so no coverage data is produced. Once those components are fixed, we can add
+        # references to their coverage output directories.
+        run: |
+          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller,e2e-code-coverage/commit-server -o test-results/full-coverage.out
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        with:
-          file: coverage.out
+          files: test-results/full-coverage.out
+          fail_ci_if_error: true
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload test results to Codecov
+        if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'argoproj/argo-cd'
+        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+        with:
+          file: test-results/junit.xml
+          fail_ci_if_error: true
+          token: ${{ secrets.CODECOV_TOKEN }}
      - name: Perform static code analysis using SonarCloud
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SCANNER_VERSION: 4.2.0.1873
-          SCANNER_PATH: /tmp/cache/scanner
-          OS: linux
-        run: |
-          # We do not use the provided action, because it does contain an old
-          # version of the scanner, and also takes time to build.
-          set -e
-          mkdir -p ${SCANNER_PATH}
-          export SONAR_USER_HOME=${SCANNER_PATH}/.sonar
-          if [[ ! -x "${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner" ]]; then
-            curl -Ol https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip
-            unzip -qq -o sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip -d ${SCANNER_PATH}
-          fi
-          
-          chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
-          chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/jre/bin/java
-          
-          # Explicitly set NODE_MODULES
-          export NODE_MODULES=${PWD}/ui/node_modules
-          export NODE_PATH=${PWD}/ui/node_modules
-          
-          ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
        if: env.sonar_secret != ''
-
  test-e2e:
    name: Run end-to-end tests
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository == 'argoproj/argo-cd' && 'oracle-vm-16cpu-64gb-x86-64' || 'ubuntu-22.04' }}
    strategy:
      fail-fast: false
      matrix:
-        k3s-version: [v1.29.1, v1.28.6, v1.27.10, v1.26.13, v1.25.16]
+        # latest: true means that this version mush upload the coverage report to codecov.io
+        # We designate the latest version because we only collect code coverage for that version.
+        k3s:
+          - version: v1.34.2
+            latest: true
+          - version: v1.33.1
+            latest: false
+          - version: v1.32.1
+            latest: false
+          - version: v1.31.0
+            latest: false
    needs:
      - build-go
      - changes
    env:
-      GOPATH: /home/runner/go
-      ARGOCD_FAKE_IN_CLUSTER: "true"
-      ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
-      ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
-      ARGOCD_E2E_SSH_KNOWN_HOSTS: "../fixture/certs/ssh_known_hosts"
-      ARGOCD_E2E_K3S: "true"
-      ARGOCD_IN_CI: "true"
-      ARGOCD_E2E_APISERVER_PORT: "8088"
-      ARGOCD_APPLICATION_NAMESPACES: "argocd-e2e-external,argocd-e2e-external-2"
-      ARGOCD_SERVER: "127.0.0.1:8088"
+      ARGOCD_FAKE_IN_CLUSTER: 'true'
+      ARGOCD_E2E_K3S: 'true'
+      ARGOCD_IN_CI: 'true'
+      ARGOCD_E2E_APISERVER_PORT: '8088'
+      ARGOCD_APPLICATION_NAMESPACES: 'argocd-e2e-external,argocd-e2e-external-2'
+      ARGOCD_SERVER: '127.0.0.1:8088'
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
    steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
+        with:
+          large-packages: false
+          docker-images: false
+          swap-storage: false
+          tool-cache: false
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
+      - name: Set GOPATH
+        run: |
+          echo "GOPATH=$HOME/go" >> $GITHUB_ENV
      - name: GH actions workaround - Kill XSP4 process
        run: |
          sudo pkill mono || true
      - name: Install K3S
        env:
-          INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
+          INSTALL_K3S_VERSION: ${{ matrix.k3s.version }}+k3s1
        run: |
          set -x
          curl -sfL https://get.k3s.io | sh -
          sudo chmod -R a+rw /etc/rancher/k3s
-          sudo mkdir -p $HOME/.kube && sudo chown -R runner $HOME/.kube
+          sudo mkdir -p $HOME/.kube && sudo chown -R $(whoami) $HOME/.kube
          sudo k3s kubectl config view --raw > $HOME/.kube/config
-          sudo chown runner $HOME/.kube/config
+          sudo chown $(whoami) $HOME/.kube/config
          sudo chmod go-r $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Add ~/go/bin to PATH
        run: |
-          echo "/home/runner/go/bin" >> $GITHUB_PATH
+          echo "$HOME/go/bin" >> $GITHUB_PATH
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
@@ -470,13 +497,13 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.38.0
+          docker pull ghcr.io/dexidp/dex:v2.43.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.14-alpine
+          docker pull redis:8.2.3-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
-          chown runner dist
+          chown $(whoami) dist
      - name: Run E2E server and wait for it being available
        timeout-minutes: 30
        run: |
@@ -485,7 +512,7 @@ jobs:
          # port 8080 which is not visible in netstat -tulpen, but still there
          # with a HTTP listener. We have API server listening on port 8088
          # instead.
-          make start-e2e-local 2>&1 | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g" > /tmp/e2e-server.log &
+          make start-e2e-local COVERAGE_ENABLED=true 2>&1 | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g" > /tmp/e2e-server.log &
          count=1
          until curl -f http://127.0.0.1:8088/healthz; do
            sleep 10;
@@ -499,10 +526,18 @@ jobs:
        run: |
          set -x
          make test-e2e-local
-      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+          goreman run stop-all || echo "goreman trouble"
+          sleep 30
+      - name: Upload e2e coverage report
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
-          name: e2e-server-k8s${{ matrix.k3s-version }}.log
+          name: e2e-code-coverage
+          path: /tmp/coverage
+        if: ${{ matrix.k3s.latest }}
+      - name: Upload e2e-server logs
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: e2e-server-k8s${{ matrix.k3s.version }}.log
          path: /tmp/e2e-server.log
        if: ${{ failure() }}

@@ -527,4 +562,4 @@ jobs:
            exit 0
          else
            exit 1
-          fi
+          fi
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,23 +23,23 @@ jobs:
      actions: read  # for github/codeql-action/init to get workflow details
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/autobuild to send a status report
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || vars.enable_codeql

    # CodeQL runs on ubuntu-latest and windows-latest
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout repository
-      uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
    - name: Setup Golang
-      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
      with:
        go-version-file: go.mod
      
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
@@ -47,7 +47,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/autobuild@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -61,4 +61,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -17,11 +17,9 @@ on:
      platforms:
        required: true
        type: string
-        default: linux/amd64
      push:
        required: true
        type: boolean
-        default: false
      target:
        required: false
        type: string
@@ -58,26 +56,27 @@ jobs:
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.ref_type == 'tag'}}

      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ inputs.go-version }}
+          cache: false

      - name: Install cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

-      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
-      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Setup tags for container image as a CSV type
        run: |
@@ -104,7 +103,7 @@ jobs:
            echo 'EOF' >> $GITHUB_ENV

      - name: Login to Quay.io
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
@@ -112,7 +111,7 @@ jobs:
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
@@ -120,7 +119,7 @@ jobs:
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      - name: Login to dockerhub Container Registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
@@ -134,7 +133,7 @@ jobs:
            echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV

      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
          large-packages: false
          docker-images: false
@@ -143,7 +142,7 @@ jobs:

      - name: Build and push container image
        id: image
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 #v5.3.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
        with:
          context: .
          platforms: ${{ inputs.platforms }}
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -7,7 +7,7 @@ on:
  pull_request:
    branches:
      - master
-    types: [ labeled, unlabeled, opened, synchronize, reopened ]
+    types: [labeled, unlabeled, opened, synchronize, reopened]

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -19,16 +19,49 @@ jobs:
  set-vars:
    permissions:
      contents: read
-    if: github.repository == 'argoproj/argo-cd'
+    # Always run to calculate variables - other jobs check outputs
    runs-on: ubuntu-22.04
    outputs:
      image-tag: ${{ steps.image.outputs.tag}}
      platforms: ${{ steps.platforms.outputs.platforms }}
+      image_namespace: ${{ steps.image.outputs.image_namespace }}
+      image_repository: ${{ steps.image.outputs.image_repository }}
+      quay_image_name: ${{ steps.image.outputs.quay_image_name }}
+      ghcr_image_name: ${{ steps.image.outputs.ghcr_image_name }}
+      ghcr_provenance_image: ${{ steps.image.outputs.ghcr_provenance_image }}
+      allow_ghcr_publish: ${{ steps.image.outputs.allow_ghcr_publish }}
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - name: Set image tag for ghcr
-        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
+      - name: Set image tag and names
+        run: |
+          # Calculate image tag
+          TAG="$(cat ./VERSION)-${GITHUB_SHA::8}"
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          
+          # Calculate image names with defaults
+          IMAGE_NAMESPACE="${{ vars.IMAGE_NAMESPACE || 'argoproj' }}"
+          IMAGE_REPOSITORY="${{ vars.IMAGE_REPOSITORY || 'argocd' }}"
+          GHCR_NAMESPACE="${{ vars.GHCR_NAMESPACE || github.repository }}"
+          GHCR_REPOSITORY="${{ vars.GHCR_REPOSITORY || 'argocd' }}"
+          
+          echo "image_namespace=$IMAGE_NAMESPACE" >> $GITHUB_OUTPUT
+          echo "image_repository=$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
+          
+          # Construct image name
+          echo "quay_image_name=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY:latest" >> $GITHUB_OUTPUT
+          
+          ALLOW_GHCR_PUBLISH=false
+          if [[ "${{ github.repository }}" == "argoproj/argo-cd" || "$GHCR_NAMESPACE" != argoproj/* ]]; then
+            ALLOW_GHCR_PUBLISH=true
+            echo "ghcr_image_name=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY:$TAG" >> $GITHUB_OUTPUT
+            echo "ghcr_provenance_image=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY" >> $GITHUB_OUTPUT
+          else
+            echo "GhCR publish skipped: refusing to push to namespace '$GHCR_NAMESPACE'. Please override GHCR_* for forks." >&2
+            echo "ghcr_image_name=" >> $GITHUB_OUTPUT
+            echo "ghcr_provenance_image=" >> $GITHUB_OUTPUT
+          fi
+          echo "allow_ghcr_publish=$ALLOW_GHCR_PUBLISH" >> $GITHUB_OUTPUT
        id: image

      - name: Determine image platforms to use
@@ -46,13 +79,14 @@ jobs:
    needs: [set-vars]
    permissions:
      contents: read
-      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
+    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name != 'push' }}
    uses: ./.github/workflows/image-reuse.yaml
    with:
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
-      go-version: 1.21
+      # renovate: datasource=golang-version packageName=golang
+      go-version: 1.25.5
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: false

@@ -60,15 +94,16 @@ jobs:
    needs: [set-vars]
    permissions:
      contents: read
-      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' }}
    uses: ./.github/workflows/image-reuse.yaml
    with:
-      quay_image_name: quay.io/argoproj/argocd:latest
-      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+      quay_image_name: ${{ needs.set-vars.outputs.quay_image_name }}
+      ghcr_image_name: ${{ needs.set-vars.outputs.ghcr_image_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
-      go-version: 1.21
+      # renovate: datasource=golang-version packageName=golang
+      go-version: 1.25.5
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: true
    secrets:
@@ -79,16 +114,17 @@ jobs:

  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
    needs:
+      - set-vars
      - build-and-publish
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' && needs.set-vars.outputs.allow_ghcr_publish == 'true'}}
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
-      image: ghcr.io/argoproj/argo-cd/argocd
+      image: ${{ needs.set-vars.outputs.ghcr_provenance_image }}
      digest: ${{ needs.build-and-publish.outputs.image-digest }}
      registry-username: ${{ github.actor }}
    secrets:
@@ -99,12 +135,12 @@ jobs:
      - build-and-publish
      - set-vars
    permissions:
-      contents: write  # for git to push upgrade commit if not already deployed
-      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      contents: write # for git to push upgrade commit if not already deployed
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
        env:
          TOKEN: ${{ secrets.TOKEN }}
@@ -114,4 +150,3 @@ jobs:
          git config --global user.name 'CI'
          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push)
        working-directory: argoproj-deployments/argocd
-
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -21,9 +21,15 @@ jobs:
      pull-requests: write  # for peter-evans/create-pull-request to create a PR
    name: Automatically generate version and manifests on ${{ inputs.TARGET_BRANCH }}
    runs-on: ubuntu-22.04
+    env:
+      # Calculate image names with defaults, this will be used in the make manifests-local command
+      # to generate the correct image name in the manifests
+      IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'quay.io' }}
+      IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE || 'argoproj' }}
+      IMAGE_REPOSITORY: ${{ vars.IMAGE_REPOSITORY || 'argocd' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -64,7 +70,7 @@ jobs:
          git stash pop

      - name: Create pull request
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38  # v5.0.2
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725  # v8.0.0
        with:
          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -12,8 +12,8 @@ permissions: {}
 # workflow being trigger a number of times. This limits it
 # to one run per PR.
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true

 jobs:
  validate:
@@ -23,7 +23,7 @@ jobs:
    name: Validate PR Title
    runs-on: ubuntu-latest
    steps:
-      - uses: thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f # v1.4.0
+      - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          configuration_path: ".github/pr-title-checker-config.json"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,37 +10,100 @@ on:
 permissions: {}

 env:
-  GOLANG_VERSION: '1.21' # Note: go-version must also be set in job argocd-image.with.go-version
+  # renovate: datasource=golang-version packageName=golang
+  GOLANG_VERSION: '1.25.5' # Note: go-version must also be set in job argocd-image.with.go-version

 jobs:
  argocd-image:
+    needs: [setup-variables]
    permissions:
      contents: read
      id-token: write # for creating OIDC tokens for signing.
      packages: write # used to push images to `ghcr.io` if used.
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    uses: ./.github/workflows/image-reuse.yaml
    with:
-      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
+      quay_image_name: ${{ needs.setup-variables.outputs.quay_image_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
-      go-version: 1.21
+      # renovate: datasource=golang-version packageName=golang
+      go-version: 1.25.5
      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
      push: true
    secrets:
      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}

+  setup-variables:
+    name: Setup Release Variables
+    if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES == 'true' && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+    runs-on: ubuntu-22.04
+    outputs:
+      is_pre_release: ${{ steps.var.outputs.is_pre_release }}
+      is_latest_release: ${{ steps.var.outputs.is_latest_release }}
+      enable_fork_releases: ${{ steps.var.outputs.enable_fork_releases }}
+      image_namespace: ${{ steps.var.outputs.image_namespace }}
+      image_repository: ${{ steps.var.outputs.image_repository }}
+      quay_image_name: ${{ steps.var.outputs.quay_image_name }}
+      provenance_image: ${{ steps.var.outputs.provenance_image }}
+      allow_fork_release: ${{ steps.var.outputs.allow_fork_release }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup variables
+        id: var
+        run: |
+          set -xue
+          # Fetch all tag information
+          git fetch --prune --tags --force
+
+          LATEST_RELEASE_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | grep -v '-' | tail -n1)
+
+          PRE_RELEASE=false
+          # Check if latest tag is a pre-release
+          if echo ${{ github.ref_name }} | grep -E -- '-rc[0-9]+$';then
+            PRE_RELEASE=true
+          fi
+
+          IS_LATEST=false
+          # Ensure latest release tag matches github.ref_name
+          if [[ $LATEST_RELEASE_TAG == ${{ github.ref_name }} ]];then
+            IS_LATEST=true
+          fi
+          echo "is_pre_release=$PRE_RELEASE" >> $GITHUB_OUTPUT
+          echo "is_latest_release=$IS_LATEST" >> $GITHUB_OUTPUT
+          
+          # Calculate configuration with defaults
+          ENABLE_FORK_RELEASES="${{ vars.ENABLE_FORK_RELEASES || 'false' }}"
+          IMAGE_NAMESPACE="${{ vars.IMAGE_NAMESPACE || 'argoproj' }}"
+          IMAGE_REPOSITORY="${{ vars.IMAGE_REPOSITORY || 'argocd' }}"
+          
+          echo "enable_fork_releases=$ENABLE_FORK_RELEASES" >> $GITHUB_OUTPUT
+          
+          echo "image_namespace=$IMAGE_NAMESPACE" >> $GITHUB_OUTPUT
+          echo "image_repository=$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
+          echo "quay_image_name=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY:${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          echo "provenance_image=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
+          
+          ALLOW_FORK_RELEASE=false
+          if [[ "${{ github.repository_owner }}" != "argoproj" && "$ENABLE_FORK_RELEASES" == "true" && "$IMAGE_NAMESPACE" != "argoproj" && "${{ github.ref }}" == refs/tags/* ]]; then
+            ALLOW_FORK_RELEASE=true
+          fi
+          echo "allow_fork_release=$ALLOW_FORK_RELEASE" >> $GITHUB_OUTPUT
+
  argocd-image-provenance:
-    needs: [argocd-image]
+    needs: [setup-variables, argocd-image]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
-      image: quay.io/argoproj/argocd
+      image: ${{ needs.setup-variables.outputs.provenance_image }}
      digest: ${{ needs.argocd-image.outputs.image-digest }}
    secrets:
      registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
@@ -48,18 +111,20 @@ jobs:

  goreleaser:
    needs:
+      - setup-variables
      - argocd-image
      - argocd-image-provenance
    permissions:
      contents: write # used for uploading assets
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    runs-on: ubuntu-22.04
+    env:
+      GORELEASER_MAKE_LATEST: ${{ needs.setup-variables.outputs.is_latest_release }}
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
-
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -67,19 +132,17 @@ jobs:
      - name: Fetch all tags
        run: git fetch --force --tags

-      - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in realease branches.
-        run: |
-          set -xue
-          if echo ${{ github.ref_name }} | grep -E -- '-rc1+$';then
-            echo "GORELEASER_PREVIOUS_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n 2 | head -n 1)" >> $GITHUB_ENV
-          else
-            echo "This is not the first release on the branch, Using GoReleaser defaults"
-          fi
-
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
+          cache: false
+
+      - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in release branches.
+        run: |
+          set -xue
+          GORELEASER_PREVIOUS_TAG=$(go run hack/get-previous-release/get-previous-version-for-release-notes.go ${{ github.ref_name }}) || exit 1
+          echo "GORELEASER_PREVIOUS_TAG=$GORELEASER_PREVIOUS_TAG" >> $GITHUB_ENV

      - name: Set environment variables for ldflags
        id: set_ldflag
@@ -88,7 +151,7 @@ jobs:
          echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV

      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
          large-packages: false
          docker-images: false
@@ -96,20 +159,22 @@ jobs:
          tool-cache: false

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        id: run-goreleaser
        with:
          version: latest
          args: release --clean --timeout 55m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }} 
+          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }}
          GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}
+          # Used to determine the current repository in the goreleaser config to display correct manifest links
+          GORELEASER_CURRENT_REPOSITORY: ${{ github.repository }}

      - name: Generate subject for provenance
        id: hash
        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+          ARTIFACTS: '${{ steps.run-goreleaser.outputs.artifacts }}'
        run: |
          set -euo pipefail

@@ -121,17 +186,17 @@ jobs:
          echo "hashes=$hashes" >> $GITHUB_OUTPUT

  goreleaser-provenance:
-    needs: [goreleaser]
+    needs: [goreleaser, setup-variables]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
-      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
-      provenance-name: "argocd-cli.intoto.jsonl"
+      base64-subjects: '${{ needs.goreleaser.outputs.hashes }}'
+      provenance-name: 'argocd-cli.intoto.jsonl'
      upload-assets: true

  generate-sbom:
@@ -139,23 +204,25 @@ jobs:
    needs:
      - argocd-image
      - goreleaser
+      - setup-variables
    permissions:
      contents: write # Needed for release uploads
    outputs:
-      hashes: ${{ steps.sbom-hash.outputs.hashes}}
-    if: github.repository == 'argoproj/argo-cd'
+      hashes: ${{ steps.sbom-hash.outputs.hashes }}
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
+          cache: false

      - name: Generate SBOM (spdx)
        id: spdx-builder
@@ -166,9 +233,9 @@ jobs:
          SIGS_BOM_VERSION: v0.2.1
          # comma delimited list of project relative folders to inspect for package
          # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: ".,./ui"
+          PROJECT_FOLDERS: '.,./ui'
          # full qualified name of the docker image to be inspected
-          DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
+          DOCKER_IMAGE: ${{ needs.setup-variables.outputs.quay_image_name }}
        run: |
          yarn install --cwd ./ui
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
@@ -186,7 +253,7 @@ jobs:
          fi

          cd /tmp && tar -zcf sbom.tar.gz *.spdx
-          
+
      - name: Generate SBOM hash
        shell: bash
        id: sbom-hash
@@ -195,42 +262,45 @@ jobs:
          # base64 -w0 encodes to base64 and outputs on a single line.
          # sha256sum /tmp/sbom.tar.gz ... | base64 -w0
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
-      
+
      - name: Upload SBOM
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: |
            /tmp/sbom.tar.gz
-  
+
  sbom-provenance:
-    needs: [generate-sbom]
+    needs: [generate-sbom, setup-variables]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
-      base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
-      provenance-name: "argocd-sbom.intoto.jsonl"
+      base64-subjects: '${{ needs.generate-sbom.outputs.hashes }}'
+      provenance-name: 'argocd-sbom.intoto.jsonl'
      upload-assets: true
-      
+
  post-release:
    needs:
+      - setup-variables
      - argocd-image
      - goreleaser
      - generate-sbom
    permissions:
      contents: write # Needed to push commit to update stable tag
      pull-requests: write # Needed to create PR for VERSION update.
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    runs-on: ubuntu-22.04
+    env:
+      TAG_STABLE: ${{ needs.setup-variables.outputs.is_latest_release }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -241,27 +311,6 @@ jobs:
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'

-      - name: Check if tag is the latest version and not a pre-release
-        run: |
-          set -xue
-          # Fetch all tag information
-          git fetch --prune --tags --force
-
-          LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)
-
-          PRE_RELEASE=false
-          # Check if latest tag is a pre-release
-          if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then
-            PRE_RELEASE=true
-          fi
-
-          # Ensure latest tag matches github.ref_name & not a pre-release
-          if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then
-            echo "TAG_STABLE=true" >> $GITHUB_ENV
-          else
-            echo "TAG_STABLE=false" >> $GITHUB_ENV
-          fi
-
      - name: Update stable tag to latest version
        run: |
          git tag -f stable ${{ github.ref_name }}
@@ -291,14 +340,14 @@ jobs:
          # Replace the 'project-release: vX.X.X-rcX' line in SECURITY-INSIGHTS.yml
          sed -i "s/project-release: v.*$/project-release: v${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml
          # Update the 'commit-hash: XXXXXXX' line in SECURITY-INSIGHTS.yml
-          sed -i "s/commit-hash: .*/commit-hash: ${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml
+          sed -i "s/commit-hash: .*/commit-hash: ${{ env.COMMIT_HASH }}/" SECURITY-INSIGHTS.yml
        if: ${{ env.UPDATE_VERSION == 'true' }}

      - name: Create PR to update VERSION on master branch
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          commit-message: Bump version in master
-          title: "chore: Bump version in master"
+          title: 'chore: Bump version in master'
          body: All images built from master should indicate which version we are on track for.
          signoff: true
          branch: update-version
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -0,0 +1,39 @@
+name: Renovate
+on:
+  schedule:
+    - cron: '0 * * * *'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    if: github.repository == 'argoproj/argo-cd'
+    steps:
+      - name: Get token
+        id: get_token
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        with:
+          app-id: ${{ vars.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
+
+      # Some codegen commands require Go to be setup
+      - name: Setup Golang
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          # renovate: datasource=golang-version packageName=golang
+          go-version: 1.25.5
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@5712c6a41dea6cdf32c72d92a763bd417e6606aa #44.0.5
+        with:
+          configurationFile: .github/configs/renovate-config.js
+          token: '${{ steps.get_token.outputs.token }}'
+        env:
+          LOG_LEVEL: 'debug'
+          RENOVATE_REPOSITORIES: '${{ github.repository }}'
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -30,12 +30,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
@@ -54,7 +54,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: SARIF file
          path: results.sarif
@@ -62,6 +62,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
+        uses: github/codeql-action/upload-sarif@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
        with:
          sarif_file: results.sarif
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +1,14 @@
 .vscode/
 .idea/
 .DS_Store
+.run/
 vendor/
 dist/*
 ui/dist/app/*
 !ui/dist/app/gitkeep
 site/
 *.iml
+.tilt-bin/
 # delve debug binaries
 cmd/**/debug
 debug.test
@@ -18,10 +20,15 @@ node_modules/
 .kube/
 ./test/cmp/*.sock
 .envrc.remote
+.mirrord/
 .*.swp
+rerunreport.txt

 # ignore built binaries
 cmd/argocd/argocd
 cmd/argocd-application-controller/argocd-application-controller
 cmd/argocd-repo-server/argocd-repo-server
 cmd/argocd-server/argocd-server
+
+# ignore generated `.argocd-helm-dep-up` marker file; this should not be committed to git
+reposerver/repository/testdata/**/.argocd-helm-dep-up
--- a/.gitpod.Dockerfile
+++ b/.gitpod.Dockerfile
@@ -1,21 +0,0 @@
-FROM gitpod/workspace-full@sha256:511cecde4dc129ca9eb4cc4c479d61f95e5485ebe320a07f5b902f11899956a3
-
-USER root
-
-RUN curl -o /usr/local/bin/kubectl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
-    chmod +x /usr/local/bin/kubectl
-
-RUN curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH).tar.gz | \
-    tar -xz -C /tmp/ && mv /tmp/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH) /usr/local/kubebuilder
-
-ENV GOCACHE=/go-build-cache
-
-RUN apt-get install redis-server -y
-RUN go install github.com/mattn/goreman@latest
-
-RUN chown -R gitpod:gitpod /go-build-cache
-
-USER gitpod
-
-ENV ARGOCD_REDIS_LOCAL=true
-ENV KUBECONFIG=/tmp/kubeconfig
--- a/.gitpod.yml
+++ b/.gitpod.yml
@@ -1,6 +0,0 @@
-image:
-  file: .gitpod.Dockerfile
-
-tasks:
-  - init: make mod-download-local dep-ui-local && GO111MODULE=off go install github.com/mattn/goreman@latest
-    command: make start-test-k8s
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,253 @@
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/argoproj/argo-cd/v3
+
+issues:
+  max-issues-per-linter: 0
+
+  max-same-issues: 0
+
+linters:
+  enable:
+    - errorlint
+    - exptostd
+    - gocritic
+    - gomodguard
+    - govet
+    - importas
+    - misspell
+    - noctx
+    - perfsprint
+    - revive
+    - staticcheck
+    - testifylint
+    - thelper
+    - tparallel
+    - unparam
+    - usestdlibvars
+    - usetesting
+    - whitespace
+
+  exclusions:
+    rules:
+      - linters:
+          - unparam
+        path: (.+)_test\.go
+
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+
+    warn-unused: true
+
+  settings:
+    gocritic:
+      enable-all: true
+      # Most of these should probably be enabled one-by-one.
+      disabled-checks:
+        - appendAssign
+        - appendCombine # Leave disabled, multi-line assigns can be more readable.
+        - assignOp # Leave disabled, assign operations can be more confusing than helpful.
+        - commentedOutCode
+        - deferInLoop
+        - exitAfterDefer
+        - hugeParam
+        - importShadow
+        - paramTypeCombine # Leave disabled, there are too many failures to be worth fixing.
+        - rangeValCopy
+        - tooManyResultsChecker
+        - unnamedResult
+        - whyNoLint
+
+    gomodguard:
+      blocked:
+        modules:
+          - github.com/golang-jwt/jwt/v4:
+              recommendations:
+                - github.com/golang-jwt/jwt/v5
+
+          - github.com/imdario/mergo:
+              recommendations:
+                - dario.cat/mergo
+              reason: '`github.com/imdario/mergo` has been renamed.'
+
+          - github.com/pkg/errors:
+              recommendations:
+                - errors
+
+    govet:
+      disable:
+        - fieldalignment
+        - shadow
+      enable-all: true
+
+    importas:
+      alias:
+        - pkg: github.com/golang-jwt/jwt/v5
+          alias: jwtgo
+
+        - pkg: k8s.io/api/apps/v1
+          alias: appsv1
+
+        - pkg: k8s.io/api/core/v1
+          alias: corev1
+
+        - pkg: k8s.io/api/rbac/v1
+          alias: rbacv1
+
+        - pkg: k8s.io/apimachinery/pkg/api/errors
+          alias: apierrors
+
+        - pkg: k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+          alias: apiextensionsv1
+
+        - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+          alias: metav1
+
+        - pkg: k8s.io/client-go/informers/core/v1
+          alias: informersv1
+
+        - pkg: errors
+          alias: stderrors
+
+        - pkg: github.com/argoproj/argo-cd/v3/util/io
+          alias: utilio
+
+    nolintlint:
+      require-specific: true
+
+    perfsprint:
+      # Optimizes even if it requires an int or uint type cast.
+      int-conversion: true
+      # Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
+      err-error: true
+      # Optimizes `fmt.Errorf`.
+      errorf: true
+      # Optimizes `fmt.Sprintf` with only one argument.
+      sprintf1: true
+      # Optimizes into strings concatenation.
+      strconcat: true
+
+    revive:
+      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md
+      rules:
+        - name: bool-literal-in-expr
+
+        - name: blank-imports
+          disabled: true
+
+        - name: context-as-argument
+          arguments:
+            - allowTypesBefore: '*testing.T,testing.TB'
+
+        - name: context-keys-type
+          disabled: true
+
+        - name: dot-imports
+          disabled: true
+
+        - name: duplicated-imports
+
+        - name: early-return
+          arguments:
+            - preserveScope
+
+        - name: empty-block
+          disabled: true
+
+        - name: error-naming
+          disabled: true
+
+        - name: error-return
+
+        - name: error-strings
+          disabled: true
+
+        - name: errorf
+
+        - name: identical-branches
+
+        - name: if-return
+
+        - name: increment-decrement
+
+        - name: indent-error-flow
+          arguments:
+            - preserveScope
+
+        - name: modifies-parameter
+
+        - name: optimize-operands-order
+
+        - name: range
+
+        - name: receiver-naming
+
+        - name: redefines-builtin-id
+          disabled: true
+
+        - name: redundant-import-alias
+
+        - name: superfluous-else
+          arguments:
+            - preserveScope
+
+        - name: time-equal
+
+        - name: time-naming
+          disabled: true
+
+        - name: unexported-return
+          disabled: true
+
+        - name: unnecessary-stmt
+
+        - name: unreachable-code
+
+        - name: unused-parameter
+
+        - name: use-any
+
+        - name: useless-break
+
+        - name: var-declaration
+
+        - name: var-naming
+          arguments:
+            - - ID
+            - - VM
+            - - skipPackageNameChecks: true
+                upperCaseConst: true
+
+    staticcheck:
+      checks:
+        - all
+        - -SA5011
+        - -ST1003
+        - -ST1016
+
+    testifylint:
+      enable-all: true
+
+      disable:
+        - go-require
+
+    unused:
+      field-writes-are-uses: false
+      exported-fields-are-used: false
+
+    usetesting:
+      os-mkdir-temp: false
+
+output:
+  show-stats: false
+
+version: "2"
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,3 +1,5 @@
+version: 2
+
 project_name: argocd

 before:
@@ -14,16 +16,16 @@ builds:
    flags:
      - -v
    ldflags:
-      - -X github.com/argoproj/argo-cd/v2/common.version={{ .Version }}
-      - -X github.com/argoproj/argo-cd/v2/common.buildDate={{ .Date }}
-      - -X github.com/argoproj/argo-cd/v2/common.gitCommit={{ .FullCommit }}
-      - -X github.com/argoproj/argo-cd/v2/common.gitTreeState={{ .Env.GIT_TREE_STATE }}
-      - -X github.com/argoproj/argo-cd/v2/common.kubectlVersion={{ .Env.KUBECTL_VERSION }}
+      - -X github.com/argoproj/argo-cd/v3/common.version={{ .Version }}
+      - -X github.com/argoproj/argo-cd/v3/common.buildDate={{ .Date }}
+      - -X github.com/argoproj/argo-cd/v3/common.gitCommit={{ .FullCommit }}
+      - -X github.com/argoproj/argo-cd/v3/common.gitTreeState={{ .Env.GIT_TREE_STATE }}
+      - -X github.com/argoproj/argo-cd/v3/common.kubectlVersion={{ .Env.KUBECTL_VERSION }}
      - -extldflags="-static"
    goos:
      - linux
-      - darwin
      - windows
+      - darwin
    goarch:
      - amd64
      - arm64
@@ -43,17 +45,18 @@ builds:

 archives:
  - id: argocd-archive
-    builds:
-    - argocd-cli
+    ids:
+      - argocd-cli
    name_template: |-
      {{ .ProjectName }}-{{ .Os }}-{{ .Arch }}
-    format: binary
+    formats: [binary]

 checksum:
  name_template: 'cli_checksums.txt'
  algorithm: sha256

 release:
+  make_latest: '{{ .Env.GORELEASER_MAKE_LATEST }}'
  prerelease: auto
  draft: false
  header: |
@@ -63,39 +66,42 @@ release:

    ```shell
    kubectl create namespace argocd
-    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/install.yaml
+    kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/{{.Tag}}/manifests/install.yaml
    ```

    ### HA:

    ```shell
    kubectl create namespace argocd
-    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/ha/install.yaml
+    kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/{{.Tag}}/manifests/ha/install.yaml
    ```

    ## Release Signatures and Provenance

    All Argo CD container images are signed by cosign.  A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets) on how to verify.

+    ## Release Notes Blog Post
+    For a detailed breakdown of the key changes and improvements in this release, check out the [official blog post](https://blog.argoproj.io/argo-cd-v3-0-release-candidate-a0b933f4e58f)

    ## Upgrading

    If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.
  footer: |
-    **Full Changelog**: https://github.com/argoproj/argo-cd/compare/{{ .PreviousTag }}...{{ .Tag }}
-    
+    **Full Changelog**: https://github.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/compare/{{ .PreviousTag }}...{{ .Tag }}
+
    <a href="https://argoproj.github.io/cd/"><img src="https://raw.githubusercontent.com/argoproj/argo-site/master/content/pages/cd/gitops-cd.png" width="25%" ></a>

-
 snapshot: #### To be removed for PR
-  name_template: "2.6.0"
+  version_template: '2.6.0'

 changelog:
-  use:
-    github
+  use: github
  sort: asc
  abbrev: 0
  groups: # Regex use RE2 syntax as defined here: https://github.com/google/re2/wiki/Syntax.
+    - title: 'Breaking Changes'
+      regexp: '^.*?(\([[:word:]]+\))??!:.+$'
+      order: 0
    - title: 'Features'
      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
      order: 100
@@ -115,7 +121,4 @@ changelog:
      - '^test:'
      - '^.*?Bump(\([[:word:]]+\))?.+$'
      - '^.*?\[Bot\](\([[:word:]]+\))?.+$'
-
-
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
-
--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -0,0 +1,96 @@
+dir: '{{.InterfaceDir}}/mocks'
+filename: '{{.InterfaceName}}.go'
+include-auto-generated: true # Needed since mockery 3.6.1
+packages:
+  github.com/argoproj/argo-cd/v3/applicationset/generators:
+    interfaces:
+      Generator: {}
+  github.com/argoproj/argo-cd/v3/applicationset/services:
+    interfaces:
+      Repos: {}
+  github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider:
+    interfaces:
+      AWSCodeCommitClient: {}
+      AWSTaggingClient: {}
+      AzureDevOpsClientFactory: {}
+  github.com/argoproj/argo-cd/v3/applicationset/utils:
+    interfaces:
+      Renderer: {}
+  github.com/argoproj/argo-cd/v3/commitserver/apiclient:
+    interfaces:
+      CommitServiceClient: {}
+  github.com/argoproj/argo-cd/v3/commitserver/commit:
+    interfaces:
+      RepoClientFactory: {}
+  github.com/argoproj/argo-cd/v3/controller/cache:
+    interfaces:
+      LiveStateCache: {}
+  github.com/argoproj/argo-cd/v3/controller/hydrator:
+    interfaces:
+      Dependencies: {}
+      RepoGetter: {}
+  github.com/argoproj/argo-cd/v3/pkg/apiclient/cluster:
+    interfaces:
+      ClusterServiceServer: {}
+  github.com/argoproj/argo-cd/v3/pkg/apiclient/project:
+    interfaces:
+      ProjectServiceClient: {}
+  github.com/argoproj/argo-cd/v3/pkg/apiclient/session:
+    interfaces:
+      SessionServiceClient: {}
+      SessionServiceServer: {}
+  github.com/argoproj/argo-cd/v3/pkg/client/clientset/versioned/typed/application/v1alpha1:
+    interfaces:
+      AppProjectInterface: {}
+  github.com/argoproj/argo-cd/v3/reposerver/apiclient:
+    interfaces:
+      RepoServerServiceClient: {}
+      RepoServerService_GenerateManifestWithFilesClient: {}
+  github.com/argoproj/argo-cd/v3/server/application:
+    interfaces:
+      Broadcaster: {}
+  github.com/argoproj/argo-cd/v3/server/extension:
+    interfaces:
+      ApplicationGetter: {}
+      ExtensionMetricsRegistry: {}
+      ProjectGetter: {}
+      RbacEnforcer: {}
+      SettingsGetter: {}
+      UserGetter: {}
+  github.com/argoproj/argo-cd/v3/util/db:
+    interfaces:
+      ArgoDB: {}
+      RepoCredsDB: {}
+  github.com/argoproj/argo-cd/v3/util/git:
+    interfaces:
+      Client: {}
+  github.com/argoproj/argo-cd/v3/util/helm:
+    interfaces:
+      Client: {}
+  github.com/argoproj/argo-cd/v3/util/io:
+    interfaces:
+      TempPaths: {}
+  github.com/argoproj/argo-cd/v3/util/notification/argocd:
+    interfaces:
+      Service: {}
+  github.com/argoproj/argo-cd/v3/util/oci:
+    interfaces:
+      Client: {}
+  github.com/argoproj/argo-cd/v3/util/workloadidentity:
+    interfaces:
+      TokenProvider: {}
+  github.com/argoproj/gitops-engine/pkg/cache:
+    interfaces:
+      ClusterCache: {}
+  github.com/argoproj/gitops-engine/pkg/diff:
+    interfaces:
+      ServerSideDryRunner: {}
+  github.com/microsoft/azure-devops-go-api/azuredevops/v7/git:
+    config:
+      dir: applicationset/services/scm_provider/azure_devops/git/mocks
+    interfaces:
+      Client: {}
+pkgname: mocks
+structname: '{{.InterfaceName}}'
+template-data:
+  unroll-variadic: true
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -2,10 +2,11 @@ version: 2
 formats: all
 mkdocs:
  fail_on_warning: false
+  configuration: mkdocs.yml
 python:
  install:
    - requirements: docs/requirements.txt
 build:
  os: "ubuntu-22.04"
  tools:
-    python: "3.7"
+    python: "3.12"
--- a/12
+++ b/12
@@ -8,5 +8,13 @@
 /mkdocs.yml  @argoproj/argocd-approvers @argoproj/argocd-approvers-docs

 # CI
-/.github/**       @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
-/.goreleaser.yaml @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/.codecov.yml             @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/.github/**               @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/.goreleaser.yaml         @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/sonar-project.properties @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+
+# CLI
+/cmd/argocd/** @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
+/cmd/main.go @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
+# Also include @argoproj/argocd-approvers-docs to avoid requiring CLI approvers for docs-only PRs.
+/docs/operator-manual/ @argoproj/argocd-approvers @argoproj/argocd-approvers-docs @argoproj/argocd-approvers-cli
--- a/43
+++ b/43
@@ -1,10 +1,12 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:22.04@sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
+ARG BASE_IMAGE=docker.io/library/ubuntu:25.10@sha256:5922638447b1e3ba114332c896a2c7288c876bb94adec923d70d58a17d2fec5e
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.21.10@sha256:16438a8e66c0c984f732e815ee5b7d715b8e33e81bac6d6a3750b1067744e7ca AS builder
+FROM docker.io/library/golang:1.25.5@sha256:31c1e53dfc1cc2d269deec9c83f58729fa3c53dc9a576f6426109d1e319e9e9a AS builder
+
+WORKDIR /tmp

 RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list

@@ -23,8 +25,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

-WORKDIR /tmp
-
 COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers

@@ -40,8 +40,8 @@ LABEL org.opencontainers.image.source="https://github.com/argoproj/argo-cd"

 USER root

-ENV ARGOCD_USER_ID=999
-ENV DEBIAN_FRONTEND=noninteractive
+ENV ARGOCD_USER_ID=999 \
+    DEBIAN_FRONTEND=noninteractive

 RUN groupadd -g $ARGOCD_USER_ID argocd && \
    useradd -r -u $ARGOCD_USER_ID -g argocd argocd && \
@@ -55,11 +55,13 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

-COPY hack/gpg-wrapper.sh /usr/local/bin/gpg-wrapper.sh
-COPY hack/git-verify-wrapper.sh /usr/local/bin/git-verify-wrapper.sh
+COPY hack/gpg-wrapper.sh \
+    hack/git-verify-wrapper.sh \
+    entrypoint.sh \
+    /usr/local/bin/
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
-COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+
 # keep uid_entrypoint.sh for backward compatibility
 RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh

@@ -83,7 +85,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:21.6.2@sha256:65998e325b06014d4f1417a8a6afb1540d1ac66521cca76f2221a6953947f9ee AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:23.0.0@sha256:9d09fa506f5b8465c5221cbd6f980e29ae0ce9a3119e2b9bc0842e6a3f37bb59 AS argocd-ui

 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]
@@ -101,23 +103,25 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.10@sha256:16438a8e66c0c984f732e815ee5b7d715b8e33e81bac6d6a3750b1067744e7ca AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25.5@sha256:31c1e53dfc1cc2d269deec9c83f58729fa3c53dc9a576f6426109d1e319e9e9a AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

 COPY go.* ./
+RUN mkdir -p gitops-engine
+COPY gitops-engine/go.* ./gitops-engine
 RUN go mod download

 # Perform the build
 COPY . .
 COPY --from=argocd-ui /src/dist/app /go/src/github.com/argoproj/argo-cd/ui/dist/app
-ARG TARGETOS
-ARG TARGETARCH
+ARG TARGETOS \
+    TARGETARCH
 # These build args are optional; if not specified the defaults will be taken from the Makefile
-ARG GIT_TAG
-ARG BUILD_DATE
-ARG GIT_TREE_STATE
-ARG GIT_COMMIT
+ARG GIT_TAG \
+    BUILD_DATE \
+    GIT_TREE_STATE \
+    GIT_COMMIT
 RUN GIT_COMMIT=$GIT_COMMIT \
    GIT_TREE_STATE=$GIT_TREE_STATE \
    GIT_TAG=$GIT_TAG \
@@ -130,6 +134,7 @@ RUN GIT_COMMIT=$GIT_COMMIT \
 # Final image
 ####################################################################################################
 FROM argocd-base
+ENTRYPOINT ["/usr/bin/tini", "--"]
 COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/

 USER root
@@ -140,7 +145,7 @@ RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-notifications && \
    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-applicationset-controller && \
-    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-commit-server

 USER $ARGOCD_USER_ID
-ENTRYPOINT ["/usr/bin/tini", "--"]
--- a/Dockerfile.tilt
+++ b/Dockerfile.tilt
@@ -0,0 +1,62 @@
+FROM docker.io/library/golang:1.25.5@sha256:31c1e53dfc1cc2d269deec9c83f58729fa3c53dc9a576f6426109d1e319e9e9a
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list
+
+RUN apt-get update && apt-get install --no-install-recommends -y \
+    curl \
+    openssh-server \
+    nginx \
+    unzip \
+    fcgiwrap \
+    git \
+    git-lfs \
+    make \
+    wget \
+    gcc \
+    sudo \
+    zip \
+    tini \
+    gpg \
+    tzdata \
+    connect-proxy
+
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
+
+COPY hack/install.sh hack/tool-versions.sh ./
+COPY hack/installers installers
+
+RUN ./install.sh helm && \
+    INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+
+COPY hack/gpg-wrapper.sh \
+    hack/git-verify-wrapper.sh \
+    entrypoint.sh \
+    /usr/local/bin/
+
+# support for mounting configuration from a configmap
+WORKDIR /app/config/ssh
+RUN touch ssh_known_hosts && \
+    ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts
+
+WORKDIR /app/config
+RUN mkdir -p tls && \
+    mkdir -p gpg/source && \
+    mkdir -p gpg/keys 
+
+COPY .tilt-bin/argocd_linux /usr/local/bin/argocd
+
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-notifications && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-applicationset-controller && \
+    ln -s /usr/local/bin/argocd /usr/local/bin/argocd-commit-server
+
+# directory for Tilt restart file
+RUN mkdir -p /tilt
+
+# overridden by Tiltfile
+ENTRYPOINT ["/usr/bin/tini", "-s", "--", "dlv", "exec", "--continue", "--accept-multiclient", "--headless", "--listen=:2345", "--api-version=2"]
--- a/Dockerfile.ui.tilt
+++ b/Dockerfile.ui.tilt
@@ -0,0 +1,9 @@
+FROM node:20
+
+WORKDIR /app/ui
+
+COPY ui /app/ui
+
+RUN yarn install
+
+ENTRYPOINT ["yarn", "start"]
--- a/134
+++ b/134
@@ -1,9 +1,18 @@
-PACKAGE=github.com/argoproj/argo-cd/v2/common
+PACKAGE=github.com/argoproj/argo-cd/v3/common
 CURRENT_DIR=$(shell pwd)
 DIST_DIR=${CURRENT_DIR}/dist
 CLI_NAME=argocd
 BIN_NAME=argocd
-CGO_FLAG=0
+
+UNAME_S:=$(shell uname)
+IS_DARWIN:=$(if $(filter Darwin, $(UNAME_S)),true,false)
+
+# When using OSX/Darwin, you might need to enable CGO for local builds
+DEFAULT_CGO_FLAG:=0
+ifeq ($(IS_DARWIN),true)
+    DEFAULT_CGO_FLAG:=1
+endif
+CGO_FLAG?=${DEFAULT_CGO_FLAG}

 GEN_RESOURCES_CLI_NAME=argocd-resources-gen

@@ -34,10 +43,21 @@ endif
 DOCKER_SRCDIR?=$(GOPATH)/src
 DOCKER_WORKDIR?=/go/src/github.com/argoproj/argo-cd

+# Allows you to control which Docker network the test-util containers attach to.
+# This is particularly useful if you are running Kubernetes in Docker (e.g., k3d)
+# and want the test containers to reach the Kubernetes API via an already-existing Docker network.
+DOCKER_NETWORK ?= default
+
+ifneq ($(DOCKER_NETWORK),default)
+DOCKER_NETWORK_ARG := --network $(DOCKER_NETWORK)
+else
+DOCKER_NETWORK_ARG :=
+endif
+
 ARGOCD_PROCFILE?=Procfile

-# pointing to python 3.7 to match https://github.com/argoproj/argo-cd/blob/master/.readthedocs.yml
-MKDOCS_DOCKER_IMAGE?=python:3.7-alpine
+# pointing to python 3.12 to match https://github.com/argoproj/argo-cd/blob/master/.readthedocs.yaml
+MKDOCS_DOCKER_IMAGE?=python:3.12-alpine
 MKDOCS_RUN_ARGS?=

 # Configuration for building argocd-test-tools image
@@ -56,8 +76,10 @@ ARGOCD_E2E_REDIS_PORT?=6379
 ARGOCD_E2E_DEX_PORT?=5556
 ARGOCD_E2E_YARN_HOST?=localhost
 ARGOCD_E2E_DISABLE_AUTH?=
+ARGOCD_E2E_DIR?=/tmp/argo-e2e

 ARGOCD_E2E_TEST_TIMEOUT?=90m
+ARGOCD_E2E_RERUN_FAILS?=5

 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
@@ -104,11 +126,11 @@ define run-in-test-server
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
 		-v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \
-		-v /tmp:/tmp${VOLUME_MOUNT} \
 		-w ${DOCKER_WORKDIR} \
 		-p ${ARGOCD_E2E_APISERVER_PORT}:8080 \
 		-p 4000:4000 \
 		-p 5000:5000 \
+		$(DOCKER_NETWORK_ARG)\
 		$(PODMAN_ARGS) \
 		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
 		bash -c "$(1)"
@@ -129,8 +151,8 @@ define run-in-test-client
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
 		-v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \
-		-v /tmp:/tmp${VOLUME_MOUNT} \
 		-w ${DOCKER_WORKDIR} \
+		$(DOCKER_NETWORK_ARG)\
 		$(PODMAN_ARGS) \
 		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
 		bash -c "$(1)"
@@ -147,12 +169,23 @@ PATH:=$(PATH):$(PWD)/hack
 DOCKER_PUSH?=false
 IMAGE_NAMESPACE?=
 # perform static compilation
-STATIC_BUILD?=true
+DEFAULT_STATIC_BUILD:=true
+ifeq ($(IS_DARWIN),true)
+    DEFAULT_STATIC_BUILD:=false
+endif
+STATIC_BUILD?=${DEFAULT_STATIC_BUILD}
 # build development images
 DEV_IMAGE?=false
 ARGOCD_GPG_ENABLED?=true
 ARGOCD_E2E_APISERVER_PORT?=8080

+ifeq (${COVERAGE_ENABLED}, true)
+# We use this in the cli-local target to enable code coverage for e2e tests.
+COVERAGE_FLAG=-cover
+else
+COVERAGE_FLAG=
+endif
+
 override LDFLAGS += \
  -X ${PACKAGE}.version=${VERSION} \
  -X ${PACKAGE}.buildDate=${BUILD_DATE} \
@@ -167,7 +200,7 @@ endif

 ifneq (${GIT_TAG},)
 IMAGE_TAG=${GIT_TAG}
-LDFLAGS += -X ${PACKAGE}.gitTag=${GIT_TAG}
+override LDFLAGS += -X ${PACKAGE}.gitTag=${GIT_TAG}
 else
 IMAGE_TAG?=latest
 endif
@@ -182,13 +215,21 @@ ifdef IMAGE_NAMESPACE
 IMAGE_PREFIX=${IMAGE_NAMESPACE}/
 endif

+ifndef IMAGE_REGISTRY
+IMAGE_REGISTRY="quay.io"
+endif
+
 .PHONY: all
 all: cli image

+.PHONY: mockgen
+mockgen:
+	./hack/generate-mock.sh
+
 .PHONY: gogen
 gogen:
 	export GO111MODULE=off
-	go generate ./util/argo/...
+	go generate ./...

 .PHONY: protogen
 protogen: mod-vendor-local protogen-fast
@@ -222,13 +263,20 @@ clientgen:
 clidocsgen:
 	go run tools/cmd-docs/main.go

+.PHONY: actionsdocsgen
+actionsdocsgen:
+	hack/generate-actions-list.sh
+
+.PHONY: resourceiconsgen
+resourceiconsgen:
+	hack/generate-icons-typescript.sh

 .PHONY: codegen-local
-codegen-local: mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
+codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen resourceiconsgen manifests-local notification-docs notification-catalog
 	rm -rf vendor/

 .PHONY: codegen-local-fast
-codegen-local-fast: gogen protogen-fast clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
+codegen-local-fast: mockgen gogen protogen-fast clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog

 .PHONY: codegen
 codegen: test-tools-image
@@ -240,7 +288,7 @@ cli: test-tools-image

 .PHONY: cli-local
 cli-local: clean-debug
-	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
+	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -gcflags="all=-N -l" $(COVERAGE_FLAG) -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd

 .PHONY: gen-resources-cli-local
 gen-resources-cli-local: clean-debug
@@ -266,12 +314,11 @@ endif
 .PHONY: manifests-local
 manifests-local:
 	./hack/update-manifests.sh
-
 .PHONY: manifests
 manifests: test-tools-image
-	$(call run-in-test-client,make manifests-local IMAGE_NAMESPACE='${IMAGE_NAMESPACE}' IMAGE_TAG='${IMAGE_TAG}')
-
+	$(call run-in-test-client,make manifests-local IMAGE_REGISTRY='${IMAGE_REGISTRY}' IMAGE_NAMESPACE='${IMAGE_NAMESPACE}' IMAGE_REPOSITORY='${IMAGE_REPOSITORY}' IMAGE_TAG='${IMAGE_TAG}')
 # consolidated binary for cli, util, server, repo-server, controller
+
 .PHONY: argocd-all
 argocd-all: clean-debug
 	CGO_ENABLED=${CGO_FLAG} GOOS=${GOOS} GOARCH=${GOARCH} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
@@ -341,11 +388,6 @@ mod-vendor: test-tools-image
 mod-vendor-local: mod-download-local
 	go mod vendor

-# Deprecated - replace by install-tools-local
-.PHONY: install-lint-tools
-install-lint-tools:
-	./hack/install.sh lint-tools
-
 # Run linter on the code
 .PHONY: lint
 lint: test-tools-image
@@ -357,7 +399,7 @@ lint-local:
 	golangci-lint --version
 	# NOTE: If you get a "Killed" OOM message, try reducing the value of GOGC
 	# See https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
-	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --enable gofmt --fix --verbose --timeout 3000s --max-issues-per-linter 0 --max-same-issues 0
+	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --fix --verbose

 .PHONY: lint-ui
 lint-ui: test-tools-image
@@ -391,9 +433,9 @@ test: test-tools-image
 .PHONY: test-local
 test-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -coverprofile=coverage.out; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results"; \
 	else \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -coverprofile=coverage.out "$(TEST_MODULE)"; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results" "$(TEST_MODULE)"; \
 	fi

 .PHONY: test-race
@@ -405,9 +447,9 @@ test-race: test-tools-image
 .PHONY: test-race-local
 test-race-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -race -coverprofile=coverage.out; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -race -args -test.gocoverdir="$(PWD)/test-results"; \
 	else \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -race -coverprofile=coverage.out; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -race -args -test.gocoverdir="$(PWD)/test-results"; \
 	fi

 # Run the E2E test suite. E2E test servers (see start-e2e target) must be
@@ -421,7 +463,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v
+	DIST_DIR=${DIST_DIR} RERUN_FAILS=$(ARGOCD_E2E_RERUN_FAILS) PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"

 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@@ -445,30 +487,43 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	kubectl create ns argocd-e2e-external || true
 	kubectl create ns argocd-e2e-external-2 || true
 	kubectl config set-context --current --namespace=argocd-e2e
-	kustomize build test/manifests/base | kubectl apply -f -
+	kustomize build test/manifests/base | kubectl apply --server-side --force-conflicts -f -
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management/api/a6845f2ebcb186ec26b832f60c988537a58f3859/cluster/v1alpha1/0000_04_clusters.open-cluster-management.io_placementdecisions.crd.yaml
 	# Create GPG keys and source directories
-	if test -d /tmp/argo-e2e/app/config/gpg; then rm -rf /tmp/argo-e2e/app/config/gpg/*; fi
-	mkdir -p /tmp/argo-e2e/app/config/gpg/keys && chmod 0700 /tmp/argo-e2e/app/config/gpg/keys
-	mkdir -p /tmp/argo-e2e/app/config/gpg/source && chmod 0700 /tmp/argo-e2e/app/config/gpg/source
-	mkdir -p /tmp/argo-e2e/app/config/plugin && chmod 0700 /tmp/argo-e2e/app/config/plugin
+	if test -d $(ARGOCD_E2E_DIR)/app/config/gpg; then rm -rf $(ARGOCD_E2E_DIR)/app/config/gpg/*; fi
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/gpg/keys && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/gpg/keys
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/gpg/source && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/gpg/source
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/plugin && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/plugin
+	# create folders to hold go coverage results for each component
+	mkdir -p /tmp/coverage/app-controller
+	mkdir -p /tmp/coverage/api-server
+	mkdir -p /tmp/coverage/repo-server
+	mkdir -p /tmp/coverage/applicationset-controller
+	mkdir -p /tmp/coverage/notification
+	mkdir -p /tmp/coverage/commit-server
 	# set paths for locally managed ssh known hosts and tls certs data
-	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
-	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
-	ARGOCD_GPG_DATA_PATH=/tmp/argo-e2e/app/config/gpg/source \
-	ARGOCD_GNUPGHOME=/tmp/argo-e2e/app/config/gpg/keys \
+	ARGOCD_E2E_DIR=$(ARGOCD_E2E_DIR) \
+	ARGOCD_SSH_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/ssh \
+	ARGOCD_TLS_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/tls \
+	ARGOCD_GPG_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/gpg/source \
+	ARGOCD_GNUPGHOME=$(ARGOCD_E2E_DIR)/app/config/gpg/keys \
 	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
-	ARGOCD_PLUGINCONFIGFILEPATH=/tmp/argo-e2e/app/config/plugin \
-	ARGOCD_PLUGINSOCKFILEPATH=/tmp/argo-e2e/app/config/plugin \
+	ARGOCD_PLUGINCONFIGFILEPATH=$(ARGOCD_E2E_DIR)/app/config/plugin \
+	ARGOCD_PLUGINSOCKFILEPATH=$(ARGOCD_E2E_DIR)/app/config/plugin \
+	ARGOCD_GIT_CONFIG=$(PWD)/test/e2e/fixture/gitconfig \
 	ARGOCD_E2E_DISABLE_AUTH=false \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 	BIN_MODE=$(ARGOCD_BIN_MODE) \
 	ARGOCD_APPLICATION_NAMESPACES=argocd-e2e-external,argocd-e2e-external-2 \
 	ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES=argocd-e2e-external,argocd-e2e-external-2 \
+	ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE=true \
 	ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \
 	ARGOCD_E2E_TEST=true \
+	ARGOCD_HYDRATOR_ENABLED=true \
+	ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL=1ms \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
+	ls -lrt /tmp/coverage

 # Cleans VSCode debug.test files from sub-dirs to prevent them from being included in by golang embed
 .PHONY: clean-debug
@@ -494,6 +549,7 @@ start-local: mod-vendor-local dep-ui-local cli-local
 	mkdir -p /tmp/argocd-local
 	mkdir -p /tmp/argocd-local/gpg/keys && chmod 0700 /tmp/argocd-local/gpg/keys
 	mkdir -p /tmp/argocd-local/gpg/source
+	REDIS_PASSWORD=$(shell kubectl get secret argocd-redis -o jsonpath='{.data.auth}' | base64 -d) \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=false \
 	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
@@ -564,16 +620,19 @@ install-test-tools-local:
 	./hack/install.sh kustomize
 	./hack/install.sh helm
 	./hack/install.sh gotestsum
+	./hack/install.sh oras

 # Installs all tools required for running codegen (Linux packages)
 .PHONY: install-codegen-tools-local
 install-codegen-tools-local:
 	./hack/install.sh codegen-tools
+	./hack/install.sh codegen-go-tools

 # Installs all tools required for running codegen (Go packages)
 .PHONY: install-go-tools-local
 install-go-tools-local:
 	./hack/install.sh codegen-go-tools
+	./hack/install.sh lint-tools

 .PHONY: dep-ui
 dep-ui: test-tools-image
@@ -654,7 +713,6 @@ help:
 	@echo 'debug:'
 	@echo '  list -- list all make targets'
 	@echo '  install-tools-local -- install all the tools below'
-	@echo '  install-lint-tools(-local)'
 	@echo
 	@echo 'codegen:'
 	@echo '  codegen(-local) -- if using -local, run the following targets first'
--- a/1
+++ b/1
@@ -1,5 +1,6 @@
 owners:
 - alexmt
+- crenshaw-dev
 - jessesuen

 approvers:
--- a/19
+++ b/19
@@ -1,13 +1,14 @@
-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'}"
-api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
-dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
-redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" = 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} docker.io/library/redis:$(grep "image: redis" manifests/base/redis/argocd-redis-deployment.yaml | cut -d':' -f3) --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
-repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --commit-server localhost:${ARGOCD_E2E_COMMITSERVER_PORT:-8086} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
+dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v3/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
+redis: hack/start-redis-with-password.sh
+repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "export PATH=./dist:\$PATH && [ -n \"\$ARGOCD_GIT_CONFIG\" ] && export GIT_CONFIG_GLOBAL=\$ARGOCD_GIT_CONFIG && export GIT_CONFIG_NOSYSTEM=1; GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+commit-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/commit-server} FORCE_LOG_COLORS=1 ARGOCD_BINARY_NAME=argocd-commit-server $COMMAND --loglevel debug --port ${ARGOCD_E2E_COMMITSERVER_PORT:-8086}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
-dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
-
+oci-registry: test/fixture/testrepos/start-authenticated-helm-registry.sh
+dev-mounter: [ "$ARGOCD_E2E_TEST" != "true" ] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
+applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
--- a/README.md
+++ b/README.md
@@ -7,8 +7,7 @@
 [![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22)
 [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd)
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd?ref=badge_shield)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd/badge)](https://scorecard.dev/viewer/?uri=github.com/argoproj/argo-cd)

 **Social:**
 [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
@@ -57,7 +56,7 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 ### Blogs and Presentations

 1. [Awesome-Argo: A Curated List of Awesome Projects and Resources Related to Argo](https://github.com/terrytangyuan/awesome-argo)
-1. [Unveil the Secret Ingredients of Continuous Delivery at Enterprise Scale with Argo CD](https://akuity.io/blog/unveil-the-secret-ingredients-of-continuous-delivery-at-enterprise-scale-with-argocd-kubecon-china-2021/)
+1. [Unveil the Secret Ingredients of Continuous Delivery at Enterprise Scale with Argo CD](https://akuity.io/blog/secret-ingredients-of-continuous-delivery-at-enterprise-scale-with-argocd/)
 1. [GitOps Without Pipelines With ArgoCD Image Updater](https://youtu.be/avPUQin9kzU)
 1. [Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM)](https://youtu.be/eEcgn_gU3SM)
 1. [How to Apply GitOps to Everything - Combining Argo CD and Crossplane](https://youtu.be/yrj4lmScKHQ)
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -3,9 +3,9 @@ header:
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
-  commit-hash: b71277c6beb949d0199d647a582bc25822b88838
+  commit-hash: 06ef059f9fc7cf9da2dfaef2a505ee1e3c693485
  project-url: https://github.com/argoproj/argo-cd
-  project-release: v2.9.0-rc3
+  project-release: v3.3.0
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
 project-lifecycle:
--- a/314
+++ b/314
@@ -0,0 +1,314 @@
+load('ext://restart_process', 'docker_build_with_restart')
+load('ext://uibutton', 'cmd_button', 'location')
+
+# add ui button in web ui to run make codegen-local (top nav)
+cmd_button(
+    'make codegen-local',
+    argv=['sh', '-c', 'make codegen-local'],
+    location=location.NAV,
+    icon_name='terminal',
+    text='make codegen-local',
+)
+
+cmd_button(
+    'make test-local',
+    argv=['sh', '-c', 'make test-local'],
+    location=location.NAV,
+    icon_name='science',
+    text='make test-local',
+)
+
+# add ui button in web ui to run make codegen-local (top nav)
+cmd_button(
+    'make cli-local',
+    argv=['sh', '-c', 'make cli-local'],
+    location=location.NAV,
+    icon_name='terminal',
+    text='make cli-local',
+)
+
+# detect cluster architecture for build
+cluster_version = decode_yaml(local('kubectl version -o yaml'))
+platform = cluster_version['serverVersion']['platform']
+arch = platform.split('/')[1]
+
+# build the argocd binary on code changes
+code_deps = [
+    'applicationset',
+    'cmd',
+    'cmpserver',
+    'commitserver',
+    'common',
+    'controller',
+    'notification-controller',
+    'pkg',
+    'reposerver',
+    'server',
+    'util',
+    'go.mod',
+    'go.sum',
+]
+local_resource(
+    'build',
+    'CGO_ENABLED=0 GOOS=linux GOARCH=' + arch + ' go build -gcflags="all=-N -l" -mod=readonly -o .tilt-bin/argocd_linux cmd/main.go',
+    deps = code_deps,
+    allow_parallel=True,
+)
+
+# deploy the argocd manifests
+k8s_yaml(kustomize('manifests/dev-tilt'))
+
+# build dev image
+docker_build_with_restart(
+    'argocd', 
+    context='.',
+    dockerfile='Dockerfile.tilt',
+    entrypoint=[
+        "/usr/bin/tini",
+        "-s",
+        "--",
+        "dlv",
+        "exec",
+        "--continue",
+        "--accept-multiclient",
+        "--headless",
+        "--listen=:2345",
+        "--api-version=2"
+    ],
+    platform=platform,
+    live_update=[
+        sync('.tilt-bin/argocd_linux', '/usr/local/bin/argocd'),
+    ],
+    only=[
+        '.tilt-bin',
+        'hack',
+        'entrypoint.sh',
+    ],
+    restart_file='/tilt/.restart-proc'
+)
+
+# build image for argocd-cli jobs
+docker_build(
+    'argocd-job', 
+    context='.',
+    dockerfile='Dockerfile.tilt',
+    platform=platform,
+    only=[
+        '.tilt-bin',
+        'hack',
+        'entrypoint.sh',
+    ]
+)
+
+# track argocd-server resources and port forward
+k8s_resource(
+    workload='argocd-server',
+    objects=[
+        'argocd-server:serviceaccount',
+        'argocd-server:role',
+        'argocd-server:rolebinding',
+        'argocd-cm:configmap',
+        'argocd-cmd-params-cm:configmap',
+        'argocd-gpg-keys-cm:configmap',
+        'argocd-rbac-cm:configmap',
+        'argocd-ssh-known-hosts-cm:configmap',
+        'argocd-tls-certs-cm:configmap',
+        'argocd-secret:secret',
+        'argocd-server-network-policy:networkpolicy',
+        'argocd-server:clusterrolebinding',
+        'argocd-server:clusterrole',
+    ],
+    port_forwards=[
+        '8080:8080',
+        '9345:2345',
+        '8083:8083'
+    ],
+    resource_deps=['build']
+)
+
+# track crds
+k8s_resource(
+    new_name='cluster-resources',
+    objects=[
+        'applications.argoproj.io:customresourcedefinition',
+        'applicationsets.argoproj.io:customresourcedefinition',
+        'appprojects.argoproj.io:customresourcedefinition',
+        'argocd:namespace'
+    ]
+)
+
+# track argocd-repo-server resources and port forward
+k8s_resource(
+    workload='argocd-repo-server',
+    objects=[
+        'argocd-repo-server:serviceaccount',
+        'argocd-repo-server-network-policy:networkpolicy',
+    ],
+    port_forwards=[
+        '8081:8081',
+        '9346:2345',
+        '8084:8084'
+    ],
+    resource_deps=['build']
+)
+
+# track argocd-redis resources and port forward
+k8s_resource(
+    workload='argocd-redis',
+    objects=[
+        'argocd-redis:serviceaccount',
+        'argocd-redis:role',
+        'argocd-redis:rolebinding',
+        'argocd-redis-network-policy:networkpolicy',
+    ],
+    port_forwards=[
+        '6379:6379',
+    ],
+    resource_deps=['build']
+)
+
+# track argocd-applicationset-controller resources
+k8s_resource(
+    workload='argocd-applicationset-controller',
+    objects=[
+        'argocd-applicationset-controller:serviceaccount',
+        'argocd-applicationset-controller-network-policy:networkpolicy',
+        'argocd-applicationset-controller:role',
+        'argocd-applicationset-controller:rolebinding',
+        'argocd-applicationset-controller:clusterrolebinding',
+        'argocd-applicationset-controller:clusterrole',
+    ],
+    port_forwards=[
+        '9347:2345',
+        '8085:8080',
+        '7000:7000'
+    ],
+    resource_deps=['build']
+)
+
+# track argocd-application-controller resources
+k8s_resource(
+    workload='argocd-application-controller',
+    objects=[
+        'argocd-application-controller:serviceaccount',
+        'argocd-application-controller-network-policy:networkpolicy',
+        'argocd-application-controller:role',
+        'argocd-application-controller:rolebinding',
+        'argocd-application-controller:clusterrolebinding',
+        'argocd-application-controller:clusterrole',
+    ],
+    port_forwards=[
+        '9348:2345',
+        '8086:8082',
+    ],
+    resource_deps=['build']
+)
+
+# track argocd-notifications-controller resources
+k8s_resource(
+    workload='argocd-notifications-controller',
+    objects=[
+        'argocd-notifications-controller:serviceaccount',
+        'argocd-notifications-controller-network-policy:networkpolicy',
+        'argocd-notifications-controller:role',
+        'argocd-notifications-controller:rolebinding',
+        'argocd-notifications-cm:configmap',
+        'argocd-notifications-secret:secret',
+    ],
+    port_forwards=[
+        '9349:2345',
+        '8087:9001',
+    ],
+    resource_deps=['build']
+)
+
+# track argocd-dex-server resources
+k8s_resource(
+    workload='argocd-dex-server',
+    objects=[
+        'argocd-dex-server:serviceaccount',
+        'argocd-dex-server-network-policy:networkpolicy',
+        'argocd-dex-server:role',
+        'argocd-dex-server:rolebinding',
+    ],
+    resource_deps=['build']
+)
+
+# track argocd-commit-server resources
+k8s_resource(
+    workload='argocd-commit-server',
+    objects=[
+        'argocd-commit-server:serviceaccount',
+        'argocd-commit-server-network-policy:networkpolicy',
+    ],
+    port_forwards=[
+        '9350:2345',
+        '8088:8087',
+        '8089:8086',
+    ],
+    resource_deps=['build']
+)
+
+# ui dependencies
+local_resource(
+    'node-modules',
+    'yarn',
+    dir='ui',
+    deps = [
+        'ui/package.json',
+        'ui/yarn.lock',
+    ],
+    allow_parallel=True,
+)
+
+# docker for ui
+docker_build(
+    'argocd-ui',
+    context='.',
+    dockerfile='Dockerfile.ui.tilt',
+    entrypoint=['sh', '-c', 'cd /app/ui && yarn start'], 
+    only=['ui'],
+    live_update=[
+        sync('ui', '/app/ui'),
+        run('sh -c "cd /app/ui && yarn install"', trigger=['/app/ui/package.json', '/app/ui/yarn.lock']),
+    ],
+)
+
+# track argocd-ui resources and port forward
+k8s_resource(
+    workload='argocd-ui',
+    port_forwards=[
+        '4000:4000',
+    ],
+    resource_deps=['node-modules'],
+)
+
+# linting
+local_resource(
+    'lint',
+    'make lint-local',
+    deps = code_deps,
+    allow_parallel=True,
+    resource_deps=['vendor']
+)
+
+local_resource(
+    'lint-ui',
+    'make lint-ui-local',
+    deps = [
+        'ui',
+    ],
+    allow_parallel=True,
+    resource_deps=['node-modules'],
+)
+
+local_resource(
+    'vendor',
+    'go mod vendor',
+    deps = [
+        'go.mod',
+        'go.sum',
+    ],
+    allow_parallel=True,
+)
+
--- a/USERS.md
+++ b/USERS.md
@@ -5,47 +5,66 @@ PR with your organization name if you are using Argo CD.

 Currently, the following organizations are **officially** using Argo CD:

+1. [100ms](https://www.100ms.ai/)
 1. [127Labs](https://127labs.com/)
 1. [3Rein](https://www.3rein.com/)
+1. [42 School](https://42.fr/)
 1. [4data](https://4data.ch/)
 1. [7shifts](https://www.7shifts.com/)
 1. [Adevinta](https://www.adevinta.com/)
 1. [Adfinis](https://adfinis.com)
+1. [Adobe](https://www.adobe.com/)
 1. [Adventure](https://jp.adventurekk.com/)
 1. [Adyen](https://www.adyen.com)
 1. [AirQo](https://airqo.net/)
 1. [Akuity](https://akuity.io/)
+1. [Alarm.com](https://alarm.com/)
+1. [Alauda](https://alauda.io/)
 1. [Albert Heijn](https://ah.nl/)
 1. [Alibaba Group](https://www.alibabagroup.com/)
 1. [Allianz Direct](https://www.allianzdirect.de/)
+1. [AlphaSense](https://www.alpha-sense.com/)
 1. [Amadeus IT Group](https://amadeus.com/)
 1. [Ambassador Labs](https://www.getambassador.io/)
 1. [Ancestry](https://www.ancestry.com/)
+1. [Andgo Systems](https://www.andgosystems.com/)
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Ant Group](https://www.antgroup.com/)
 1. [AppDirect](https://www.appdirect.com)
+1. [Arcadia](https://www.arcadia.io)
 1. [Arctiq Inc.](https://www.arctiq.ca)
-2. [Arturia](https://www.arturia.com)
+1. [Artemis Health by Nomi Health](https://www.artemishealth.com/)
+1. [Arturia](https://www.arturia.com)
 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
+1. [Augury](https://www.augury.com/)
 1. [Autodesk](https://www.autodesk.com)
 1. [Axians ACSP](https://www.axians.fr)
 1. [Axual B.V.](https://axual.com)
 1. [Back Market](https://www.backmarket.com)
+1. [Bajaj Finserv Health Ltd.](https://www.bajajfinservhealth.in)
 1. [Baloise](https://www.baloise.com)
+1. [Batumbu](https://batumbu.id)
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
 1. [Beez Innovation Labs](https://www.beezlabs.com/)
+1. [Bedag Informatik AG](https://www.bedag.ch/)
 1. [Beleza Na Web](https://www.belezanaweb.com.br/)
+1. [Believable Bots](https://believablebots.io)
+1. [Bayer AG](https://bayer.com)
 1. [BigPanda](https://bigpanda.io)
 1. [BioBox Analytics](https://biobox.io)
 1. [BMW Group](https://www.bmwgroup.com/)
 1. [Boozt](https://www.booztgroup.com/)
+1. [Bosch](https://www.bosch.com/)
 1. [Boticario](https://www.boticario.com.br/)
+1. [Broker Consulting, a.s.](https://www.bcas.cz/en/)
 1. [Bulder Bank](https://bulderbank.no)
+1. [Cabify](https://cabify.com/en)
 1. [CAM](https://cam-inc.co.jp)
 1. [Camptocamp](https://camptocamp.com)
 1. [Candis](https://www.candis.io)
 1. [Capital One](https://www.capitalone.com)
+1. [Capptain LTD](https://capptain.co/)
 1. [CARFAX Europe](https://www.carfax.eu)
 1. [CARFAX](https://www.carfax.com)
 1. [Carrefour Group](https://www.carrefour.com)
@@ -55,15 +74,23 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Chainnodes](https://chainnodes.org)
 1. [Chargetrip](https://chargetrip.com)
 1. [Chime](https://www.chime.com)
+1. [Chronicle Labs](https://chroniclelabs.org)
 1. [Cisco ET&I](https://eti.cisco.com/)
+1. [Close](https://www.close.com/)
 1. [Cloud Posse](https://www.cloudposse.com/)
 1. [Cloud Scale](https://cloudscaleinc.com/)
+1. [CloudScript](https://www.cloudscript.com.br/)
+1. [CloudGeometry](https://www.cloudgeometry.io/)
 1. [Cloudmate](https://cloudmt.co.kr/)
 1. [Cloudogu](https://cloudogu.com/)
 1. [Cobalt](https://www.cobalt.io/)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
+1. [Cognizant](https://www.cognizant.com/)
+1. [Collins Aerospace](https://www.collinsaerospace.com/)
 1. [Commonbond](https://commonbond.co/)
+1. [Compatio.AI](https://compatio.ai/)
+1. [Contlo](https://contlo.com/)
 1. [Coralogix](https://coralogix.com/)
 1. [Crédit Agricole CIB](https://www.ca-cib.com)
 1. [CROZ d.o.o.](https://croz.net/)
@@ -72,13 +99,20 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [D2iQ](https://www.d2iq.com)
 1. [DaoCloud](https://daocloud.io/)
 1. [Datarisk](https://www.datarisk.io/)
+1. [Daydream](https://daydream.ing)
 1. [Deloitte](https://www.deloitte.com/)
+1. [Dematic](https://www.dematic.com)
 1. [Deutsche Telekom AG](https://telekom.com)
+1. [Deutsche Bank AG](https://www.deutsche-bank.de/)
 1. [Devopsi - Poland Software/DevOps Consulting](https://devopsi.pl/)
 1. [Devtron Labs](https://github.com/devtron-labs/devtron)
+1. [DigitalEd](https://www.digitaled.com)
 1. [DigitalOcean](https://www.digitalocean.com)
+1. [Divar](https://divar.ir)
 1. [Divistant](https://divistant.com)
+2. [DocNetwork](https://docnetwork.org/)
 1. [Dott](https://ridedott.com)
+1. [Doubble](https://www.doubble.app)
 1. [Doximity](https://www.doximity.com/)
 1. [EDF Renewables](https://www.edf-re.com/)
 1. [edX](https://edx.org)
@@ -90,6 +124,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Energisme](https://energisme.com/)
 1. [enigmo](https://enigmo.co.jp/)
 1. [Envoy](https://envoy.com/)
+1. [eSave](https://esave.es/)
+1. [Expedia](https://www.expedia.com)
 1. [Factorial](https://factorialhr.com/)
 1. [Farfetch](https://www.farfetch.com)
 1. [Faro](https://www.faro.com/)
@@ -102,10 +138,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [freee](https://corp.freee.co.jp/en/company/)
 1. [Freshop, Inc](https://www.freshop.com/)
 1. [Future PLC](https://www.futureplc.com/)
+1. [Flagler Health](https://www.flaglerhealth.io/)
 1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
+1. [G-Research](https://www.gresearch.com/teams/open-source-software/)
 1. [Garner](https://www.garnercorp.com)
 1. [Generali Deutschland AG](https://www.generali.de/)
 1. [Gepardec](https://gepardec.com/)
+1. [Getir](https://getir.com)
 1. [GetYourGuide](https://www.getyourguide.com/)
 1. [Gitpod](https://www.gitpod.io)
 1. [Gllue](https://gllue.com)
@@ -122,16 +161,21 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Groww](https://groww.in)
 1. [Grupo MasMovil](https://grupomasmovil.com/en/)
 1. [Handelsbanken](https://www.handelsbanken.se)
+1. [Hazelcast](https://hazelcast.com/)
 1. [Healy](https://www.healyworld.net)
 1. [Helio](https://helio.exchange)
+1. [hetao101](https://www.hetao101.com/)
 1. [Hetki](https://hetki.ai)
 1. [hipages](https://hipages.com.au/)
 1. [Hiya](https://hiya.com)
 1. [Honestbank](https://honestbank.com)
 1. [Hostinger](https://www.hostinger.com)
+1. [Hotjar](https://www.hotjar.com)
 1. [IABAI](https://www.iab.ai)
 1. [IBM](https://www.ibm.com/)
 1. [Ibotta](https://home.ibotta.com)
+1. [Icelandair](https://www.icelandair.com)
+1. [IFS](https://www.ifs.com)
 1. [IITS-Consulting](https://iits-consulting.de)
 1. [IllumiDesk](https://www.illumidesk.com)
 1. [imaware](https://imaware.health)
@@ -139,7 +183,10 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Index Exchange](https://www.indexexchange.com/)
 1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
+1. [Instruqt](https://www.instruqt.com)
+1. [Intel](https://www.intel.com)
 1. [Intuit](https://www.intuit.com/)
+1. [IQVIA](https://www.iqvia.com/)
 1. [Jellysmack](https://www.jellysmack.com)
 1. [Joblift](https://joblift.com/)
 1. [JovianX](https://www.jovianx.com/)
@@ -148,6 +195,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Karrot](https://www.daangn.com/)
 1. [KarrotPay](https://www.daangnpay.com/)
 1. [Kasa](https://kasa.co.kr/)
+1. [Kave Home](https://kavehome.com)
 1. [Keeeb](https://www.keeeb.com/)
 1. [KelkooGroup](https://www.kelkoogroup.com)
 1. [Keptn](https://keptn.sh)
@@ -159,14 +207,17 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [KubeSphere](https://github.com/kubesphere)
 1. [Kurly](https://www.kurly.com/)
 1. [Kvist](https://kvistsolutions.com)
+1. [Kyriba](https://www.kyriba.com/)
+1. [LeFigaro](https://www.lefigaro.fr/)
+1. [Lely](https://www.lely.com/)
 1. [LexisNexis](https://www.lexisnexis.com/)
 1. [Lian Chu Securities](https://lczq.com)
 1. [Liatrio](https://www.liatrio.com)
 1. [Lightricks](https://www.lightricks.com/)
-1. [LINE](https://linecorp.com/en/)
 1. [Loom](https://www.loom.com/)
 1. [Lucid Motors](https://www.lucidmotors.com/)
 1. [Lytt](https://www.lytt.co/)
+1. [LY Corporation](https://www.lycorp.co.jp/en/)
 1. [Magic Leap](https://www.magicleap.com/)
 1. [Majid Al Futtaim](https://www.majidalfuttaim.com/)
 1. [Major League Baseball](https://mlb.com)
@@ -179,6 +230,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Meilleurs Agents](https://www.meilleursagents.com/)
 1. [Mercedes-Benz Tech Innovation](https://www.mercedes-benz-techinnovation.com/)
 1. [Mercedes-Benz.io](https://www.mercedes-benz.io/)
+1. [Metacore Games](https://metacoregames.com/)
 1. [Metanet](http://www.metanet.co.kr/en/)
 1. [MindSpore](https://mindspore.cn)
 1. [Mirantis](https://mirantis.com/)
@@ -186,23 +238,30 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [mixi Group](https://mixi.co.jp/)
 1. [Moengage](https://www.moengage.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
+1. [MongoDB](https://www.mongodb.com/)
 1. [MOO Print](https://www.moo.com/)
+1. [Mozilla](https://www.mozilla.org)
 1. [MTN Group](https://www.mtn.com/)
+1. [Municipality of The Hague](https://www.denhaag.nl/)
+1. [My Job Glasses](https://myjobglasses.com)
 1. [Natura &Co](https://naturaeco.com/)
 1. [Nethopper](https://nethopper.io)
 1. [New Relic](https://newrelic.com/)
 1. [Nextbasket](https://nextbasket.com)
 1. [Nextdoor](https://nextdoor.com/)
+1. [Next Fit Sistemas](https://nextfit.com.br/)
 1. [Nikkei](https://www.nikkei.co.jp/nikkeiinfo/en/)
 1. [Nitro](https://gonitro.com)
 1. [NYCU, CS IT Center](https://it.cs.nycu.edu.tw)
 1. [Objective](https://www.objective.com.br/)
 1. [OCCMundial](https://occ.com.mx)
 1. [Octadesk](https://octadesk.com)
+1. [Octopus Deploy](https://octopus.com)
 1. [Olfeo](https://www.olfeo.com/)
 1. [omegaUp](https://omegaUp.com)
 1. [Omni](https://omni.se/)
 1. [Oncourse Home Solutions](https://oncoursehome.com/)
+1. [Open Analytics](https://openanalytics.eu)
 1. [openEuler](https://openeuler.org)
 1. [openGauss](https://opengauss.org/)
 1. [OpenGov](https://opengov.com)
@@ -214,6 +273,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Optoro](https://www.optoro.com/)
 1. [Orbital Insight](https://orbitalinsight.com/)
 1. [Oscar Health Insurance](https://hioscar.com/)
+1. [Outpost24](https://outpost24.com/)
 1. [p3r](https://www.p3r.one/)
 1. [Packlink](https://www.packlink.com/)
 1. [PagerDuty](https://www.pagerduty.com/)
@@ -221,60 +281,77 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Patreon](https://www.patreon.com/)
 1. [PayIt](https://payitgov.com/)
 1. [PayPay](https://paypay.ne.jp/)
+1. [Paystack](https://paystack.com/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
 1. [Percona](https://percona.com/)
 1. [PGS](https://www.pgs.com)
 1. [Pigment](https://www.gopigment.com/)
+1. [Pipedrive](https://www.pipedrive.com/)
 1. [Pipefy](https://www.pipefy.com/)
+1. [Pipekit](https://pipekit.io/)
 1. [Pismo](https://pismo.io/)
 1. [PITS Globale Datenrettungsdienste](https://www.pitsdatenrettung.de/)
 1. [Platform9 Systems](https://platform9.com/)
 1. [Polarpoint.io](https://polarpoint.io)
+1. [Pollinate](https://www.pollinate.global)
 1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Previder BV](https://previder.nl)
+1. [Priceline](https://priceline.com)
 1. [Procore](https://www.procore.com)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)
 1. [PT Boer Technology (Btech)](https://btech.id/)
 1. [PUBG](https://www.pubg.com)
 1. [Puzzle ITC](https://www.puzzle.ch/)
+1. [Pvotal Technologies](https://pvotal.tech/)
 1. [Qonto](https://qonto.com)
 1. [QuintoAndar](https://quintoandar.com.br)
 1. [Quipper](https://www.quipper.com/)
 1. [RapidAPI](https://www.rapidapi.com/)
 1. [rebuy](https://www.rebuy.de/)
-1. [Recreation.gov](https://www.recreation.gov/)
 1. [Red Hat](https://www.redhat.com/)
 1. [Redpill Linpro](https://www.redpill-linpro.com/)
 1. [Reenigne Cloud](https://reenigne.ca)
 1. [reev.com](https://www.reev.com/)
+1. [Relex Solutions](https://www.relexsolutions.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rijkswaterstaat](https://www.rijkswaterstaat.nl/en)
-1. [Rise](https://www.risecard.eu/)
+1. Rise
+1. [RISK IDENT](https://riskident.com/)
 1. [Riskified](https://www.riskified.com/)
 1. [Robotinfra](https://www.robotinfra.com)
 1. [Rocket.Chat](https://rocket.chat)
+1. [Rogo](https://rogodata.com)
 1. [Rubin Observatory](https://www.lsst.org)
 1. [Saildrone](https://www.saildrone.com/)
 1. [Salad Technologies](https://salad.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
 1. [Sauce Labs](https://saucelabs.com/)
+1. [Schneider Electric](https://www.se.com)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
 1. [SCRM Lidl International Hub](https://scrm.lidl)
 1. [SEEK](https://seek.com.au)
+1. [SEKAI](https://www.sekai.io/)
 1. [Semgrep](https://semgrep.com)
+1. [Seznam.cz](https://o-seznam.cz/)
 1. [Shield](https://shield.com)
+1. [Shipfox](https://www.shipfox.io)
+1. [Shock Media](https://www.shockmedia.nl)
 1. [SI Analytics](https://si-analytics.ai)
+1. [Sidewalk Entertainment](https://sidewalkplay.com/)
 1. [Skit](https://skit.ai/)
+1. [Skribble](https://skribble.com)
 1. [Skyscanner](https://www.skyscanner.net/)
 1. [Smart Pension](https://www.smartpension.co.uk/)
 1. [Smilee.io](https://smilee.io)
+1. [Smilegate Stove](https://www.onstove.com/)
 1. [Smood.ch](https://www.smood.ch/)
 1. [Snapp](https://snapp.ir/)
 1. [Snyk](https://snyk.io/)
 1. [Softway Medical](https://www.softwaymedical.fr/)
+1. [Sophotech](https://sopho.tech)
 1. [South China Morning Post (SCMP)](https://www.scmp.com/)
 1. [Speee](https://speee.jp/)
 1. [Spendesk](https://spendesk.com/)
@@ -287,21 +364,28 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Sumo Logic](https://sumologic.com/)
 1. [Sutpc](http://www.sutpc.com/)
 1. [Swiss Post](https://github.com/swisspost)
+1. [Swissblock Technologies](https://swissblock.net/)
 1. [Swisscom](https://www.swisscom.ch)
 1. [Swissquote](https://github.com/swissquote)
 1. [Syncier](https://syncier.com/)
+1. [Synergy](https://synergy.net.au)
+1. [Syself](https://syself.com)
+1. [T-ROC Global](https://trocglobal.com/)
 1. [TableCheck](https://tablecheck.com/)
 1. [Tailor Brands](https://www.tailorbrands.com)
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
+1. [TBC Bank](https://tbcbank.ge/)
 1. [Techcombank](https://www.techcombank.com.vn/trang-chu)
 1. [Technacy](https://www.technacy.it/)
 1. [Telavita](https://www.telavita.com.br/)
 1. [Tesla](https://tesla.com/)
+1. [TextNow](https://www.textnow.com/)
 1. [The Scale Factory](https://www.scalefactory.com/)
 1. [ThousandEyes](https://www.thousandeyes.com/)
 1. [Ticketmaster](https://ticketmaster.com)
 1. [Tiger Analytics](https://www.tigeranalytics.com/)
 1. [Tigera](https://www.tigera.io/)
+1. [Topicus.Education](https://topicus.nl/en/sectors/education)
 1. [Toss](https://toss.im/en)
 1. [Trendyol](https://www.trendyol.com/)
 1. [tru.ID](https://tru.id)
@@ -319,14 +403,17 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Urbantz](https://urbantz.com/)
 1. [Vectra](https://www.vectra.ai)
 1. [Veepee](https://www.veepee.com)
+1. [Verkada](https://www.verkada.com)
 1. [Viaduct](https://www.viaduct.ai/)
 1. [VietMoney](https://vietmoney.vn/)
 1. [Vinted](https://vinted.com/)
 1. [Virtuo](https://www.govirtuo.com/)
 1. [VISITS Technologies](https://visits.world/en)
+1. [Viya](https://viya.me)
 1. [Volvo Cars](https://www.volvocars.com/)
 1. [Voyager Digital](https://www.investvoyager.com/)
 1. [VSHN - The DevOps Company](https://vshn.ch/)
+1. [Wakacje.pl](https://www.wakacje.pl/)
 1. [Walkbase](https://www.walkbase.com/)
 1. [Webstores](https://www.webstores.nl)
 1. [Wehkamp](https://www.wehkamp.nl/)
@@ -338,9 +425,12 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [WooliesX](https://wooliesx.com.au/)
 1. [Woolworths Group](https://www.woolworthsgroup.com.au/)
 1. [WSpot](https://www.wspot.com.br/)
+1. [X3M ads](https://x3mads.com)
 1. [Yieldlab](https://www.yieldlab.de/)
 1. [Youverify](https://youverify.co/)
 1. [Yubo](https://www.yubo.live/)
+1. [Yuno](https://y.uno/)
 1. [ZDF](https://www.zdf.de/)
 1. [Zimpler](https://www.zimpler.com/)
+1. [ZipRecruiter](https://www.ziprecruiter.com/)
 1. [ZOZO](https://corp.zozo.com/)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.11.14
+3.3.1
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/clustereventhandler.go
+++ b/applicationset/controllers/clustereventhandler.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"

+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
 	log "github.com/sirupsen/logrus"

 	"k8s.io/apimachinery/pkg/types"
@@ -12,43 +14,45 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"

-	"github.com/argoproj/argo-cd/v2/applicationset/generators"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	"github.com/argoproj/argo-cd/v3/common"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 // clusterSecretEventHandler is used when watching Secrets to check if they are ArgoCD Cluster Secrets, and if so
 // requeue any related ApplicationSets.
 type clusterSecretEventHandler struct {
-	//handler.EnqueueRequestForOwner
-	Log    log.FieldLogger
-	Client client.Client
+	// handler.EnqueueRequestForOwner
+	Log                      log.FieldLogger
+	Client                   client.Client
+	ApplicationSetNamespaces []string
 }

-func (h *clusterSecretEventHandler) Create(e event.CreateEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(q, e.Object)
+func (h *clusterSecretEventHandler) Create(ctx context.Context, e event.CreateEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

-func (h *clusterSecretEventHandler) Update(e event.UpdateEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(q, e.ObjectNew)
+func (h *clusterSecretEventHandler) Update(ctx context.Context, e event.UpdateEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	h.queueRelatedAppGenerators(ctx, q, e.ObjectNew)
 }

-func (h *clusterSecretEventHandler) Delete(e event.DeleteEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(q, e.Object)
+func (h *clusterSecretEventHandler) Delete(ctx context.Context, e event.DeleteEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

-func (h *clusterSecretEventHandler) Generic(e event.GenericEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(q, e.Object)
+func (h *clusterSecretEventHandler) Generic(ctx context.Context, e event.GenericEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

 // addRateLimitingInterface defines the Add method of workqueue.RateLimitingInterface, allow us to easily mock
 // it for testing purposes.
-type addRateLimitingInterface interface {
-	Add(item interface{})
+type addRateLimitingInterface[T comparable] interface {
+	Add(item T)
 }

-func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingInterface, object client.Object) {
+func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Context, q addRateLimitingInterface[reconcile.Request], object client.Object) {
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
-	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
+	if object.GetLabels()[common.LabelKeySecretType] != common.LabelValueSecretTypeCluster {
 		return
 	}

@@ -58,7 +62,7 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 	}).Info("processing event for cluster secret")

 	appSetList := &argoprojiov1alpha1.ApplicationSetList{}
-	err := h.Client.List(context.Background(), appSetList)
+	err := h.Client.List(ctx, appSetList)
 	if err != nil {
 		h.Log.WithError(err).Error("unable to list ApplicationSets")
 		return
@@ -66,7 +70,10 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI

 	h.Log.WithField("count", len(appSetList.Items)).Info("listed ApplicationSets")
 	for _, appSet := range appSetList.Items {
-
+		if !utils.IsNamespaceAllowed(h.ApplicationSetNamespaces, appSet.GetNamespace()) {
+			// Ignore it as not part of the allowed list of namespaces in which to watch Appsets
+			continue
+		}
 		foundClusterGenerator := false
 		for _, generator := range appSet.Spec.Generators {
 			if generator.Clusters != nil {
@@ -109,7 +116,6 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 			}
 		}
 		if foundClusterGenerator {
-
 			// TODO: only queue the AppGenerator if the labels match this cluster
 			req := ctrl.Request{NamespacedName: types.NamespacedName{Namespace: appSet.Namespace, Name: appSet.Name}}
 			q.Add(req)
--- a/applicationset/controllers/clustereventhandler_test.go
+++ b/applicationset/controllers/clustereventhandler_test.go
@@ -3,29 +3,39 @@ package controllers
 import (
 	"testing"

+	argocommon "github.com/argoproj/argo-cd/v3/common"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"

-	"github.com/argoproj/argo-cd/v2/applicationset/generators"
-	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-func TestClusterEventHandler(t *testing.T) {
+type mockAddRateLimitingInterface struct {
+	addedItems []reconcile.Request
+}

+// Add checks the type, and adds it to the internal list of received additions
+func (obj *mockAddRateLimitingInterface) Add(item reconcile.Request) {
+	obj.addedItems = append(obj.addedItems, item)
+}
+
+func TestClusterEventHandler(t *testing.T) {
 	scheme := runtime.NewScheme()
 	err := argov1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)

 	err = argov1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)

 	tests := []struct {
 		name             string
@@ -37,11 +47,11 @@ func TestClusterEventHandler(t *testing.T) {
 			name:  "no application sets should mean no requests",
 			items: []argov1alpha1.ApplicationSet{},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -51,7 +61,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -65,11 +75,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -81,7 +91,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "multiple cluster generators should produce multiple requests",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -94,7 +104,7 @@ func TestClusterEventHandler(t *testing.T) {
 					},
 				},
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set2",
 						Namespace: "argocd",
 					},
@@ -108,11 +118,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -125,9 +135,9 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "non-cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
-						Namespace: "another-namespace",
+						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
@@ -138,7 +148,7 @@ func TestClusterEventHandler(t *testing.T) {
 					},
 				},
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "app-set-non-cluster",
 						Namespace: "argocd",
 					},
@@ -152,23 +162,51 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
 			expectedRequests: []reconcile.Request{
-				{NamespacedName: types.NamespacedName{Namespace: "another-namespace", Name: "my-app-set"}},
+				{NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"}},
 			},
 		},
+		{
+			name: "cluster generators in other namespaces should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "my-namespace-not-allowed",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
 		{
 			name: "non-argo cd secret should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "another-namespace",
 					},
@@ -182,7 +220,7 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-non-argocd-secret",
 				},
@@ -193,7 +231,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a matrix generator with a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -213,11 +251,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -229,7 +267,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a matrix generator with non cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -249,11 +287,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -263,7 +301,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a matrix generator with a nested matrix generator containing a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -299,11 +337,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -315,7 +353,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a matrix generator with a nested matrix generator containing non cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -350,11 +388,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -364,7 +402,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a merge generator with a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -384,11 +422,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -400,7 +438,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a matrix generator with non cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -420,11 +458,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -434,7 +472,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a merge generator with a nested merge generator containing a cluster generator should produce a request",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -470,11 +508,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -486,7 +524,7 @@ func TestClusterEventHandler(t *testing.T) {
 			name: "a merge generator with a nested merge generator containing non cluster generator should not match",
 			items: []argov1alpha1.ApplicationSet{
 				{
-					ObjectMeta: v1.ObjectMeta{
+					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
@@ -521,11 +559,11 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
+				ObjectMeta: metav1.ObjectMeta{
 					Namespace: "argocd",
 					Name:      "my-secret",
 					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
 					},
 				},
 			},
@@ -534,9 +572,7 @@ func TestClusterEventHandler(t *testing.T) {
 	}

 	for _, test := range tests {
-
 		t.Run(test.name, func(t *testing.T) {
-
 			appSetList := argov1alpha1.ApplicationSetList{
 				Items: test.items,
 			}
@@ -544,34 +580,18 @@ func TestClusterEventHandler(t *testing.T) {
 			fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(&appSetList).Build()

 			handler := &clusterSecretEventHandler{
-				Client: fakeClient,
-				Log:    log.WithField("type", "createSecretEventHandler"),
+				Client:                   fakeClient,
+				Log:                      log.WithField("type", "createSecretEventHandler"),
+				ApplicationSetNamespaces: []string{"argocd"},
 			}

 			mockAddRateLimitingInterface := mockAddRateLimitingInterface{}

-			handler.queueRelatedAppGenerators(&mockAddRateLimitingInterface, &test.secret)
+			handler.queueRelatedAppGenerators(t.Context(), &mockAddRateLimitingInterface, &test.secret)

-			assert.False(t, mockAddRateLimitingInterface.errorOccurred)
 			assert.ElementsMatch(t, mockAddRateLimitingInterface.addedItems, test.expectedRequests)
-
 		})
 	}
-
-}
-
-// Add checks the type, and adds it to the internal list of received additions
-func (obj *mockAddRateLimitingInterface) Add(item interface{}) {
-	if req, ok := item.(ctrl.Request); ok {
-		obj.addedItems = append(obj.addedItems, req)
-	} else {
-		obj.errorOccurred = true
-	}
-}
-
-type mockAddRateLimitingInterface struct {
-	errorOccurred bool
-	addedItems    []ctrl.Request
 }

 func TestNestedGeneratorHasClusterGenerator_NestedClusterGenerator(t *testing.T) {
@@ -581,7 +601,7 @@ func TestNestedGeneratorHasClusterGenerator_NestedClusterGenerator(t *testing.T)

 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)

-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.True(t, hasClusterGenerator)
 }

@@ -608,7 +628,7 @@ func TestNestedGeneratorHasClusterGenerator_NestedMergeGenerator(t *testing.T) {

 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)

-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.True(t, hasClusterGenerator)
 }

@@ -635,6 +655,6 @@ func TestNestedGeneratorHasClusterGenerator_NestedMergeGeneratorWithInvalidJSON(

 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)

-	assert.NotNil(t, err)
+	require.Error(t, err)
 	assert.False(t, hasClusterGenerator)
 }
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@@ -1,11 +1,11 @@
 package controllers

 import (
-	"context"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -15,17 +15,18 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	"github.com/argoproj/argo-cd/v2/applicationset/generators"
-	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
-	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/generators"
+	appsetmetrics "github.com/argoproj/argo-cd/v3/applicationset/metrics"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
+	argov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 func TestRequeueAfter(t *testing.T) {
 	mockServer := &mocks.Repos{}
-	ctx := context.Background()
+	ctx := t.Context()
 	scheme := runtime.NewScheme()
 	err := argov1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	gvrToListKind := map[schema.GroupVersionResource]string{{
 		Group:    "mallard.io",
 		Version:  "v1",
@@ -34,20 +35,20 @@ func TestRequeueAfter(t *testing.T) {
 	appClientset := kubefake.NewSimpleClientset()
 	k8sClient := fake.NewClientBuilder().Build()
 	duckType := &unstructured.Unstructured{
-		Object: map[string]interface{}{
+		Object: map[string]any{
 			"apiVersion": "v2quack",
 			"kind":       "Duck",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":      "mightyduck",
 				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "all-species"},
+				"labels":    map[string]any{"duck": "all-species"},
 			},
-			"status": map[string]interface{}{
-				"decisions": []interface{}{
-					map[string]interface{}{
+			"status": map[string]any{
+				"decisions": []any{
+					map[string]any{
 						"clusterName": "staging-01",
 					},
-					map[string]interface{}{
+					map[string]any{
 						"clusterName": "production-01",
 					},
 				},
@@ -55,14 +56,14 @@ func TestRequeueAfter(t *testing.T) {
 		},
 	}
 	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
-
+	scmConfig := generators.NewSCMConfig("", []string{""}, true, true, nil, true)
 	terminalGenerators := map[string]generators.Generator{
 		"List":                    generators.NewListGenerator(),
-		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
-		"Git":                     generators.NewGitGenerator(mockServer),
-		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}, "", []string{""}, true),
+		"Clusters":                generators.NewClusterGenerator(ctx, k8sClient, appClientset, "argocd"),
+		"Git":                     generators.NewGitGenerator(mockServer, "namespace"),
+		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), scmConfig),
 		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
-		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}, "", []string{""}, true),
+		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, scmConfig),
 	}

 	nestedGenerators := map[string]generators.Generator{
@@ -88,15 +89,18 @@ func TestRequeueAfter(t *testing.T) {
 	}

 	client := fake.NewClientBuilder().WithScheme(scheme).Build()
+	metrics := appsetmetrics.NewFakeAppsetMetrics()
 	r := ApplicationSetReconciler{
 		Client:     client,
 		Scheme:     scheme,
 		Recorder:   record.NewFakeRecorder(0),
 		Generators: topLevelGenerators,
+		Metrics:    metrics,
 	}

 	type args struct {
-		appset *argov1alpha1.ApplicationSet
+		appset               *argov1alpha1.ApplicationSet
+		requeueAfterOverride string
 	}
 	tests := []struct {
 		name    string
@@ -104,11 +108,13 @@ func TestRequeueAfter(t *testing.T) {
 		want    time.Duration
 		wantErr assert.ErrorAssertionFunc
 	}{
-		{name: "Cluster", args: args{appset: &argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
-			},
-		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+		{name: "Cluster", args: args{
+			appset: &argov1alpha1.ApplicationSet{
+				Spec: argov1alpha1.ApplicationSetSpec{
+					Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
+				},
+			}, requeueAfterOverride: "",
+		}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
 		{name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{
@@ -123,7 +129,7 @@ func TestRequeueAfter(t *testing.T) {
 					}},
 				},
 			},
-		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		}, ""}, want: generators.DefaultRequeueAfter, wantErr: assert.NoError},
 		{name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{
@@ -138,15 +144,65 @@ func TestRequeueAfter(t *testing.T) {
 					}},
 				},
 			},
-		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		}, ""}, want: generators.DefaultRequeueAfter, wantErr: assert.NoError},
 		{name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
 			Spec: argov1alpha1.ApplicationSetSpec{
 				Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}},
 			},
 		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+		{name: "DuckGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{ClusterDecisionResource: &argov1alpha1.DuckTypeGenerator{}}},
+			},
+		}}, want: generators.DefaultRequeueAfter, wantErr: assert.NoError},
+		{name: "OverrideRequeueDuck", args: args{
+			appset: &argov1alpha1.ApplicationSet{
+				Spec: argov1alpha1.ApplicationSetSpec{
+					Generators: []argov1alpha1.ApplicationSetGenerator{{ClusterDecisionResource: &argov1alpha1.DuckTypeGenerator{}}},
+				},
+			}, requeueAfterOverride: "1h",
+		}, want: 1 * time.Hour, wantErr: assert.NoError},
+		{name: "OverrideRequeueGit", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Git: &argov1alpha1.GitGenerator{}},
+				},
+			},
+		}, "1h"}, want: 1 * time.Hour, wantErr: assert.NoError},
+		{name: "OverrideRequeueMatrix", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Merge: &argov1alpha1.MergeGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}, "5m"}, want: 5 * time.Minute, wantErr: assert.NoError},
+		{name: "OverrideRequeueMerge", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Merge: &argov1alpha1.MergeGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}, "12s"}, want: 12 * time.Second, wantErr: assert.NoError},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Setenv("ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER", tt.args.requeueAfterOverride)
 			assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset)
 		})
 	}
--- a/applicationset/controllers/template/patch.go
+++ b/applicationset/controllers/template/patch.go
@@ -1,4 +1,4 @@
-package controllers
+package template

 import (
 	"encoding/json"
@@ -6,19 +6,17 @@ import (

 	"k8s.io/apimachinery/pkg/util/strategicpatch"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 func applyTemplatePatch(app *appv1.Application, templatePatch string) (*appv1.Application, error) {
-
 	appString, err := json.Marshal(app)
 	if err != nil {
 		return nil, fmt.Errorf("error while marhsalling Application %w", err)
 	}

 	convertedTemplatePatch, err := utils.ConvertYAMLToJSON(templatePatch)
-
 	if err != nil {
 		return nil, fmt.Errorf("error while converting template to json %q: %w", convertedTemplatePatch, err)
 	}
@@ -28,7 +26,6 @@ func applyTemplatePatch(app *appv1.Application, templatePatch string) (*appv1.Ap
 	}

 	data, err := strategicpatch.StrategicMergePatch(appString, []byte(convertedTemplatePatch), appv1.Application{})
-
 	if err != nil {
 		return nil, fmt.Errorf("error while applying templatePatch template to json %q: %w", convertedTemplatePatch, err)
 	}
--- a/applicationset/controllers/template/patch_test.go
+++ b/applicationset/controllers/template/patch_test.go
@@ -1,4 +1,4 @@
-package controllers
+package template

 import (
 	"testing"
@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 func Test_ApplyTemplatePatch(t *testing.T) {
@@ -27,7 +27,7 @@ func Test_ApplyTemplatePatch(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{
 					Name:       "my-cluster-guestbook",
 					Namespace:  "namespace",
-					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
+					Finalizers: []string{appv1.ResourcesFinalizerName},
 				},
 				Spec: appv1.ApplicationSpec{
 					Project: "default",
@@ -72,7 +72,7 @@ func Test_ApplyTemplatePatch(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{
 					Name:       "my-cluster-guestbook",
 					Namespace:  "namespace",
-					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
+					Finalizers: []string{appv1.ResourcesFinalizerName},
 					Annotations: map[string]string{
 						"annotation-some-key": "annotation-some-value",
 					},
@@ -112,7 +112,7 @@ func Test_ApplyTemplatePatch(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{
 					Name:       "my-cluster-guestbook",
 					Namespace:  "namespace",
-					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
+					Finalizers: []string{appv1.ResourcesFinalizerName},
 				},
 				Spec: appv1.ApplicationSpec{
 					Project: "default",
@@ -148,7 +148,7 @@ spec:
 				ObjectMeta: metav1.ObjectMeta{
 					Name:       "my-cluster-guestbook",
 					Namespace:  "namespace",
-					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
+					Finalizers: []string{appv1.ResourcesFinalizerName},
 					Annotations: map[string]string{
 						"annotation-some-key": "annotation-some-value",
 					},
--- a/applicationset/controllers/template/template.go
+++ b/applicationset/controllers/template/template.go
@@ -0,0 +1,101 @@
+package template
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/argoproj/argo-cd/v3/applicationset/generators"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+
+	argov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+)
+
+func GenerateApplications(logCtx *log.Entry, applicationSetInfo argov1alpha1.ApplicationSet, g map[string]generators.Generator, renderer utils.Renderer, client client.Client) ([]argov1alpha1.Application, argov1alpha1.ApplicationSetReasonType, error) {
+	var res []argov1alpha1.Application
+
+	var firstError error
+	var applicationSetReason argov1alpha1.ApplicationSetReasonType
+
+	for _, requestedGenerator := range applicationSetInfo.Spec.Generators {
+		t, err := generators.Transform(requestedGenerator, g, applicationSetInfo.Spec.Template, &applicationSetInfo, map[string]any{}, client)
+		if err != nil {
+			logCtx.WithError(err).WithField("generator", requestedGenerator).
+				Error("error generating application from params")
+			if firstError == nil {
+				firstError = err
+				applicationSetReason = argov1alpha1.ApplicationSetReasonApplicationParamsGenerationError
+			}
+			continue
+		}
+
+		for _, a := range t {
+			tmplApplication := GetTempApplication(a.Template)
+
+			for _, p := range a.Params {
+				app, err := renderer.RenderTemplateParams(tmplApplication, applicationSetInfo.Spec.SyncPolicy, p, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
+				if err != nil {
+					logCtx.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
+						Error("error generating application from params")
+
+					if firstError == nil {
+						firstError = err
+						applicationSetReason = argov1alpha1.ApplicationSetReasonRenderTemplateParamsError
+					}
+					continue
+				}
+
+				if applicationSetInfo.Spec.TemplatePatch != nil {
+					patchedApplication, err := renderTemplatePatch(renderer, app, applicationSetInfo, p)
+					if err != nil {
+						log.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
+							Error("error generating application from params")
+
+						if firstError == nil {
+							firstError = err
+							applicationSetReason = argov1alpha1.ApplicationSetReasonRenderTemplateParamsError
+						}
+						continue
+					}
+
+					app = patchedApplication
+				}
+
+				// The app's namespace must be the same as the AppSet's namespace to preserve the appsets-in-any-namespace
+				// security boundary.
+				app.Namespace = applicationSetInfo.Namespace
+				res = append(res, *app)
+			}
+		}
+		if log.IsLevelEnabled(log.DebugLevel) {
+			logCtx.WithField("generator", requestedGenerator).Debugf("apps from generator: %+v", res)
+		} else {
+			logCtx.Infof("generated %d applications", len(res))
+		}
+	}
+
+	return res, applicationSetReason, firstError
+}
+
+func renderTemplatePatch(r utils.Renderer, app *argov1alpha1.Application, applicationSetInfo argov1alpha1.ApplicationSet, params map[string]any) (*argov1alpha1.Application, error) {
+	replacedTemplate, err := r.Replace(*applicationSetInfo.Spec.TemplatePatch, params, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
+	if err != nil {
+		return nil, fmt.Errorf("error replacing values in templatePatch: %w", err)
+	}
+
+	return applyTemplatePatch(app, replacedTemplate)
+}
+
+func GetTempApplication(applicationSetTemplate argov1alpha1.ApplicationSetTemplate) *argov1alpha1.Application {
+	var tmplApplication argov1alpha1.Application
+	tmplApplication.Annotations = applicationSetTemplate.Annotations
+	tmplApplication.Labels = applicationSetTemplate.Labels
+	tmplApplication.Namespace = applicationSetTemplate.Namespace
+	tmplApplication.Name = applicationSetTemplate.Name
+	tmplApplication.Spec = applicationSetTemplate.Spec
+	tmplApplication.Finalizers = applicationSetTemplate.Finalizers
+
+	return &tmplApplication
+}
--- a/applicationset/controllers/template/template_test.go
+++ b/applicationset/controllers/template/template_test.go
@@ -0,0 +1,350 @@
+package template
+
+import (
+	"errors"
+	"maps"
+	"testing"
+
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/argoproj/argo-cd/v3/applicationset/generators"
+	genmock "github.com/argoproj/argo-cd/v3/applicationset/generators/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	rendmock "github.com/argoproj/argo-cd/v3/applicationset/utils/mocks"
+	"github.com/argoproj/argo-cd/v3/pkg/apis/application"
+	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+)
+
+func TestGenerateApplications(t *testing.T) {
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+
+	err = v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+
+	for _, c := range []struct {
+		name                string
+		params              []map[string]any
+		template            v1alpha1.ApplicationSetTemplate
+		generateParamsError error
+		rendererError       error
+		expectErr           bool
+		expectedReason      v1alpha1.ApplicationSetReasonType
+	}{
+		{
+			name:   "Generate two applications",
+			params: []map[string]any{{"name": "app1"}, {"name": "app2"}},
+			template: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:      "name",
+					Namespace: "namespace",
+					Labels:    map[string]string{"label_name": "label_value"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			expectedReason: "",
+		},
+		{
+			name:                "Handles error from the generator",
+			generateParamsError: errors.New("error"),
+			expectErr:           true,
+			expectedReason:      v1alpha1.ApplicationSetReasonApplicationParamsGenerationError,
+		},
+		{
+			name:   "Handles error from the render",
+			params: []map[string]any{{"name": "app1"}, {"name": "app2"}},
+			template: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:      "name",
+					Namespace: "namespace",
+					Labels:    map[string]string{"label_name": "label_value"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			rendererError:  errors.New("error"),
+			expectErr:      true,
+			expectedReason: v1alpha1.ApplicationSetReasonRenderTemplateParamsError,
+		},
+	} {
+		cc := c
+		app := v1alpha1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test",
+				Namespace: "namespace",
+			},
+			TypeMeta: metav1.TypeMeta{
+				Kind:       application.ApplicationKind,
+				APIVersion: "argoproj.io/v1alpha1",
+			},
+		}
+
+		t.Run(cc.name, func(t *testing.T) {
+			generatorMock := &genmock.Generator{}
+			generator := v1alpha1.ApplicationSetGenerator{
+				List: &v1alpha1.ListGenerator{},
+			}
+
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+				Return(cc.params, cc.generateParamsError)
+
+			generatorMock.EXPECT().GetTemplate(&generator).
+				Return(&v1alpha1.ApplicationSetTemplate{})
+
+			rendererMock := &rendmock.Renderer{}
+
+			var expectedApps []v1alpha1.Application
+
+			if cc.generateParamsError == nil {
+				for _, p := range cc.params {
+					if cc.rendererError != nil {
+						rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+							Return(nil, cc.rendererError)
+					} else {
+						rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+							Return(&app, nil)
+						expectedApps = append(expectedApps, app)
+					}
+				}
+			}
+
+			generators := map[string]generators.Generator{
+				"List": generatorMock,
+			}
+			renderer := rendererMock
+
+			got, reason, err := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "namespace",
+				},
+				Spec: v1alpha1.ApplicationSetSpec{
+					Generators: []v1alpha1.ApplicationSetGenerator{generator},
+					Template:   cc.template,
+				},
+			},
+				generators,
+				renderer,
+				nil,
+			)
+
+			if cc.expectErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			assert.Equal(t, expectedApps, got)
+			assert.Equal(t, cc.expectedReason, reason)
+			generatorMock.AssertNumberOfCalls(t, "GenerateParams", 1)
+
+			if cc.generateParamsError == nil {
+				rendererMock.AssertNumberOfCalls(t, "RenderTemplateParams", len(cc.params))
+			}
+		})
+	}
+}
+
+func TestMergeTemplateApplications(t *testing.T) {
+	for _, c := range []struct {
+		name             string
+		params           []map[string]any
+		template         v1alpha1.ApplicationSetTemplate
+		overrideTemplate v1alpha1.ApplicationSetTemplate
+		expectedMerged   v1alpha1.ApplicationSetTemplate
+		expectedApps     []v1alpha1.Application
+	}{
+		{
+			name:   "Generate app",
+			params: []map[string]any{{"name": "app1"}},
+			template: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:      "name",
+					Namespace: "namespace",
+					Labels:    map[string]string{"label_name": "label_value"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			overrideTemplate: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:   "test",
+					Labels: map[string]string{"foo": "bar"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			expectedMerged: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:      "test",
+					Namespace: "namespace",
+					Labels:    map[string]string{"label_name": "label_value", "foo": "bar"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			expectedApps: []v1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "test",
+						Namespace: "test",
+						Labels:    map[string]string{"foo": "bar"},
+					},
+					Spec: v1alpha1.ApplicationSpec{},
+				},
+			},
+		},
+	} {
+		cc := c
+
+		t.Run(cc.name, func(t *testing.T) {
+			generatorMock := &genmock.Generator{}
+			generator := v1alpha1.ApplicationSetGenerator{
+				List: &v1alpha1.ListGenerator{},
+			}
+
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+				Return(cc.params, nil)
+
+			generatorMock.EXPECT().GetTemplate(&generator).
+				Return(&cc.overrideTemplate)
+
+			rendererMock := &rendmock.Renderer{}
+
+			rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
+				Return(&cc.expectedApps[0], nil)
+
+			generators := map[string]generators.Generator{
+				"List": generatorMock,
+			}
+			renderer := rendererMock
+
+			got, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "namespace",
+				},
+				Spec: v1alpha1.ApplicationSetSpec{
+					Generators: []v1alpha1.ApplicationSetGenerator{generator},
+					Template:   cc.template,
+				},
+			},
+				generators,
+				renderer,
+				nil,
+			)
+
+			assert.Equal(t, cc.expectedApps, got)
+		})
+	}
+}
+
+// Test app generation from a go template application set using a pull request generator
+func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
+	for _, cases := range []struct {
+		name        string
+		params      []map[string]any
+		template    v1alpha1.ApplicationSetTemplate
+		expectedApp []v1alpha1.Application
+	}{
+		{
+			name: "Generate an application from a go template application set manifest using a pull request generator",
+			params: []map[string]any{
+				{
+					"number":                                "1",
+					"title":                                 "title1",
+					"branch":                                "branch1",
+					"branch_slug":                           "branchSlug1",
+					"head_sha":                              "089d92cbf9ff857a39e6feccd32798ca700fb958",
+					"head_short_sha":                        "089d92cb",
+					"branch_slugify_default":                "feat/a_really+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
+					"branch_slugify_smarttruncate_disabled": "feat/areallylongpullrequestnametotestargoslugificationandbranchnameshorteningfeature",
+					"branch_slugify_smarttruncate_enabled":  "feat/testwithsmarttruncateenabledramdomlonglistofcharacters",
+					"labels":                                []string{"label1"},
+				},
+			},
+			template: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name: "AppSet-{{.branch}}-{{.number}}",
+					Labels: map[string]string{
+						"app1":         "{{index .labels 0}}",
+						"branch-test1": "AppSet-{{.branch_slugify_default | slugify }}",
+						"branch-test2": "AppSet-{{.branch_slugify_smarttruncate_disabled | slugify 49 false }}",
+						"branch-test3": "AppSet-{{.branch_slugify_smarttruncate_enabled | slugify 50 true }}",
+					},
+				},
+				Spec: v1alpha1.ApplicationSpec{
+					Source: &v1alpha1.ApplicationSource{
+						RepoURL:        "https://testurl/testRepo",
+						TargetRevision: "{{.head_short_sha}}",
+					},
+					Destination: v1alpha1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Namespace: "AppSet-{{.branch_slug}}-{{.head_sha}}",
+					},
+				},
+			},
+			expectedApp: []v1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "AppSet-branch1-1",
+						Labels: map[string]string{
+							"app1":         "label1",
+							"branch-test1": "AppSet-feat-a-really-long-pull-request-name-to-test-argo",
+							"branch-test2": "AppSet-feat-areallylongpullrequestnametotestargoslugific",
+							"branch-test3": "AppSet-feat",
+						},
+					},
+					Spec: v1alpha1.ApplicationSpec{
+						Source: &v1alpha1.ApplicationSource{
+							RepoURL:        "https://testurl/testRepo",
+							TargetRevision: "089d92cb",
+						},
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "https://kubernetes.default.svc",
+							Namespace: "AppSet-branchSlug1-089d92cbf9ff857a39e6feccd32798ca700fb958",
+						},
+					},
+				},
+			},
+		},
+	} {
+		t.Run(cases.name, func(t *testing.T) {
+			generatorMock := &genmock.Generator{}
+			generator := v1alpha1.ApplicationSetGenerator{
+				PullRequest: &v1alpha1.PullRequestGenerator{},
+			}
+
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+				Return(cases.params, nil)
+
+			generatorMock.EXPECT().GetTemplate(&generator).
+				Return(&cases.template)
+
+			generators := map[string]generators.Generator{
+				"PullRequest": generatorMock,
+			}
+			renderer := &utils.Render{}
+
+			gotApp, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
+				Spec: v1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+					Generators: []v1alpha1.ApplicationSetGenerator{{
+						PullRequest: &v1alpha1.PullRequestGenerator{},
+					}},
+					Template: cases.template,
+				},
+			},
+				generators,
+				renderer,
+				nil,
+			)
+			assert.Equal(t, cases.expectedApp[0].Name, gotApp[0].Name)
+			assert.Equal(t, cases.expectedApp[0].Spec.Source.TargetRevision, gotApp[0].Spec.Source.TargetRevision)
+			assert.Equal(t, cases.expectedApp[0].Spec.Destination.Namespace, gotApp[0].Spec.Destination.Namespace)
+			assert.True(t, maps.Equal(cases.expectedApp[0].Labels, gotApp[0].Labels))
+		})
+	}
+}
--- a/applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook/values.yaml
+++ b/applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1

 image:
-  repository: gcr.io/heptio-images/ks-guestbook-demo
+  repository: quay.io/argoprojlabs/argocd-e2e-container
  tag: 0.1
  pullPolicy: IfNotPresent

--- a/applicationset/examples/git-generator-files-discovery/apps/guestbook/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/git-generator-files-discovery/apps/guestbook/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/git-generator-files-discovery/excludes/git-files-exclude-example-fasttemplate.yaml
+++ b/applicationset/examples/git-generator-files-discovery/excludes/git-files-exclude-example-fasttemplate.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+    - git:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        revision: HEAD
+        files:
+          - path: "applicationset/examples/git-generator-files-discovery/cluster-config/**/config.json"
+          - path: "applicationset/examples/git-generator-files-discovery/cluster-config/*/dev/config.json"
+            exclude: true
+  template:
+    metadata:
+      name: '{{cluster.name}}-guestbook'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: "applicationset/examples/git-generator-files-discovery/apps/guestbook"
+      destination:
+        server: https://kubernetes.default.svc
+        #server: '{{cluster.address}}'
+        namespace: guestbook
--- a/applicationset/examples/git-generator-files-discovery/excludes/git-files-exclude-example.yaml
+++ b/applicationset/examples/git-generator-files-discovery/excludes/git-files-exclude-example.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        revision: HEAD
+        files:
+          - path: "applicationset/examples/git-generator-files-discovery/cluster-config/**/config.json"
+          - path: "applicationset/examples/git-generator-files-discovery/cluster-config/*/dev/config.json"
+            exclude: true
+  template:
+    metadata:
+      name: '{{.cluster.name}}-guestbook'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: "applicationset/examples/git-generator-files-discovery/apps/guestbook"
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: guestbook
--- a/applicationset/examples/list-generator/guestbook/engineering-dev/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/list-generator/guestbook/engineering-dev/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/list-generator/guestbook/engineering-prod/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/list-generator/guestbook/engineering-prod/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/template-override/default/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/template-override/default/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/template-override/engineering-dev-override/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/template-override/engineering-dev-override/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@@ -7,20 +7,14 @@ import (

 	log "github.com/sirupsen/logrus"

-	"github.com/argoproj/argo-cd/v2/util/settings"
-
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	argoappsetv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-)
-
-const (
-	ArgoCDSecretTypeLabel   = "argocd.argoproj.io/secret-type"
-	ArgoCDSecretTypeCluster = "cluster"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	"github.com/argoproj/argo-cd/v3/common"
+	argoappsetv1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 var _ Generator = (*ClusterGenerator)(nil)
@@ -31,29 +25,24 @@ type ClusterGenerator struct {
 	ctx       context.Context
 	clientset kubernetes.Interface
 	// namespace is the Argo CD namespace
-	namespace       string
-	settingsManager *settings.SettingsManager
+	namespace string
 }

 var render = &utils.Render{}

-func NewClusterGenerator(c client.Client, ctx context.Context, clientset kubernetes.Interface, namespace string) Generator {
-
-	settingsManager := settings.NewSettingsManager(ctx, clientset, namespace)
-
+func NewClusterGenerator(ctx context.Context, c client.Client, clientset kubernetes.Interface, namespace string) Generator {
 	g := &ClusterGenerator{
-		Client:          c,
-		ctx:             ctx,
-		clientset:       clientset,
-		namespace:       namespace,
-		settingsManager: settingsManager,
+		Client:    c,
+		ctx:       ctx,
+		clientset: clientset,
+		namespace: namespace,
 	}
 	return g
 }

 // GetRequeueAfter never requeue the cluster generator because the `clusterSecretEventHandler` will requeue the appsets
 // when the cluster secrets change
-func (g *ClusterGenerator) GetRequeueAfter(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) time.Duration {
+func (g *ClusterGenerator) GetRequeueAfter(_ *argoappsetv1alpha1.ApplicationSetGenerator) time.Duration {
 	return NoRequeueAfter
 }

@@ -61,21 +50,21 @@ func (g *ClusterGenerator) GetTemplate(appSetGenerator *argoappsetv1alpha1.Appli
 	return &appSetGenerator.Clusters.Template
 }

-func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator, appSet *argoappsetv1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator, appSet *argoappsetv1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
+	logCtx := log.WithField("applicationset", appSet.GetName()).WithField("namespace", appSet.GetNamespace())
 	if appSetGenerator == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if appSetGenerator.Clusters == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	// Do not include the local cluster in the cluster parameters IF there is a non-empty selector
 	// - Since local clusters do not have secrets, they do not have labels to match against
 	ignoreLocalClusters := len(appSetGenerator.Clusters.Selector.MatchExpressions) > 0 || len(appSetGenerator.Clusters.Selector.MatchLabels) > 0

-	// ListCluster from Argo CD's util/db package will include the local cluster in the list of clusters
+	// ListCluster will include the local cluster in the list of clusters
 	clustersFromArgoCD, err := utils.ListClusters(g.ctx, g.clientset, g.namespace)
 	if err != nil {
 		return nil, fmt.Errorf("error listing clusters: %w", err)
@@ -85,96 +74,122 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 		return nil, nil
 	}

-	clusterSecrets, err := g.getSecretsByClusterName(appSetGenerator)
+	clusterSecrets, err := g.getSecretsByClusterName(logCtx, appSetGenerator)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting cluster secrets: %w", err)
 	}

-	res := []map[string]interface{}{}
+	paramHolder := &paramHolder{isFlatMode: appSetGenerator.Clusters.FlatList}
+	logCtx.Debugf("Using flat mode = %t for cluster generator", paramHolder.isFlatMode)

 	secretsFound := []corev1.Secret{}
-
-	for _, cluster := range clustersFromArgoCD.Items {
-
+	for _, cluster := range clustersFromArgoCD {
 		// If there is a secret for this cluster, then it's a non-local cluster, so it will be
 		// handled by the next step.
 		if secretForCluster, exists := clusterSecrets[cluster.Name]; exists {
 			secretsFound = append(secretsFound, secretForCluster)
-
 		} else if !ignoreLocalClusters {
 			// If there is no secret for the cluster, it's the local cluster, so handle it here.
-			params := map[string]interface{}{}
+			params := map[string]any{}
 			params["name"] = cluster.Name
 			params["nameNormalized"] = cluster.Name
 			params["server"] = cluster.Server
+			params["project"] = ""

 			err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("error appending templated values for local cluster: %w", err)
 			}

-			res = append(res, params)
-
-			log.WithField("cluster", "local cluster").Info("matched local cluster")
+			paramHolder.append(params)
+			logCtx.WithField("cluster", "local cluster").Info("matched local cluster")
 		}
 	}

 	// For each matching cluster secret (non-local clusters only)
 	for _, cluster := range secretsFound {
-		params := map[string]interface{}{}
-
-		params["name"] = string(cluster.Data["name"])
-		params["nameNormalized"] = utils.SanitizeName(string(cluster.Data["name"]))
-		params["server"] = string(cluster.Data["server"])
-
-		if appSet.Spec.GoTemplate {
-			meta := map[string]interface{}{}
-
-			if len(cluster.ObjectMeta.Annotations) > 0 {
-				meta["annotations"] = cluster.ObjectMeta.Annotations
-			}
-			if len(cluster.ObjectMeta.Labels) > 0 {
-				meta["labels"] = cluster.ObjectMeta.Labels
-			}
-
-			params["metadata"] = meta
-		} else {
-			for key, value := range cluster.ObjectMeta.Annotations {
-				params[fmt.Sprintf("metadata.annotations.%s", key)] = value
-			}
-
-			for key, value := range cluster.ObjectMeta.Labels {
-				params[fmt.Sprintf("metadata.labels.%s", key)] = value
-			}
-		}
+		params := g.getClusterParameters(cluster, appSet)

 		err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error appending templated values for cluster: %w", err)
 		}

-		res = append(res, params)
-
-		log.WithField("cluster", cluster.Name).Info("matched cluster secret")
+		paramHolder.append(params)
+		logCtx.WithField("cluster", cluster.Name).Debug("matched cluster secret")
 	}

-	return res, nil
+	return paramHolder.consolidate(), nil
 }

-func (g *ClusterGenerator) getSecretsByClusterName(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) (map[string]corev1.Secret, error) {
-	// List all Clusters:
+type paramHolder struct {
+	isFlatMode bool
+	params     []map[string]any
+}
+
+func (p *paramHolder) append(params map[string]any) {
+	p.params = append(p.params, params)
+}
+
+func (p *paramHolder) consolidate() []map[string]any {
+	if p.isFlatMode {
+		p.params = []map[string]any{
+			{"clusters": p.params},
+		}
+	}
+	return p.params
+}
+
+func (g *ClusterGenerator) getClusterParameters(cluster corev1.Secret, appSet *argoappsetv1alpha1.ApplicationSet) map[string]any {
+	params := map[string]any{}
+
+	params["name"] = string(cluster.Data["name"])
+	params["nameNormalized"] = utils.SanitizeName(string(cluster.Data["name"]))
+	params["server"] = string(cluster.Data["server"])
+
+	project, ok := cluster.Data["project"]
+	if ok {
+		params["project"] = string(project)
+	} else {
+		params["project"] = ""
+	}
+
+	if appSet.Spec.GoTemplate {
+		meta := map[string]any{}
+
+		if len(cluster.Annotations) > 0 {
+			meta["annotations"] = cluster.Annotations
+		}
+		if len(cluster.Labels) > 0 {
+			meta["labels"] = cluster.Labels
+		}
+
+		params["metadata"] = meta
+	} else {
+		for key, value := range cluster.Annotations {
+			params["metadata.annotations."+key] = value
+		}
+
+		for key, value := range cluster.Labels {
+			params["metadata.labels."+key] = value
+		}
+	}
+	return params
+}
+
+func (g *ClusterGenerator) getSecretsByClusterName(log *log.Entry, appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) (map[string]corev1.Secret, error) {
 	clusterSecretList := &corev1.SecretList{}

-	selector := metav1.AddLabelToSelector(&appSetGenerator.Clusters.Selector, ArgoCDSecretTypeLabel, ArgoCDSecretTypeCluster)
+	selector := metav1.AddLabelToSelector(&appSetGenerator.Clusters.Selector, common.LabelKeySecretType, common.LabelValueSecretTypeCluster)
 	secretSelector, err := metav1.LabelSelectorAsSelector(selector)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error converting label selector: %w", err)
 	}

-	if err := g.Client.List(context.Background(), clusterSecretList, client.MatchingLabelsSelector{Selector: secretSelector}); err != nil {
+	if err := g.List(context.Background(), clusterSecretList, client.MatchingLabelsSelector{Selector: secretSelector}); err != nil {
 		return nil, err
 	}
-	log.Debug("clusters matching labels", "count", len(clusterSecretList.Items))
+	log.Debugf("clusters matching labels: %d", len(clusterSecretList.Items))

 	res := map[string]corev1.Secret{}

@@ -185,5 +200,4 @@ func (g *ClusterGenerator) getSecretsByClusterName(appSetGenerator *argoappsetv1
 	}

 	return res, nil
-
 }
--- a/applicationset/generators/cluster_test.go
+++ b/applicationset/generators/cluster_test.go
@@ -2,7 +2,7 @@ package generators

 import (
 	"context"
-	"fmt"
+	"errors"
 	"testing"

 	corev1 "k8s.io/api/core/v1"
@@ -13,10 +13,11 @@ import (

 	kubefake "k8s.io/client-go/kubernetes/fake"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 type possiblyErroringFakeCtrlRuntimeClient struct {
@@ -26,7 +27,7 @@ type possiblyErroringFakeCtrlRuntimeClient struct {

 func (p *possiblyErroringFakeCtrlRuntimeClient) List(ctx context.Context, secretList client.ObjectList, opts ...client.ListOption) error {
 	if p.shouldError {
-		return fmt.Errorf("could not list Secrets")
+		return errors.New("could not list Secrets")
 	}
 	return p.Client.List(ctx, secretList, opts...)
 }
@@ -75,18 +76,20 @@ func TestGenerateParams(t *testing.T) {
 				},
 			},
 			Data: map[string][]byte{
-				"config": []byte("{}"),
-				"name":   []byte("production_01/west"),
-				"server": []byte("https://production-01.example.com"),
+				"config":  []byte("{}"),
+				"name":    []byte("production_01/west"),
+				"server":  []byte("https://production-01.example.com"),
+				"project": []byte("prod-project"),
 			},
 			Type: corev1.SecretType("Opaque"),
 		},
 	}
 	testCases := []struct {
-		name     string
-		selector metav1.LabelSelector
-		values   map[string]string
-		expected []map[string]interface{}
+		name       string
+		selector   metav1.LabelSelector
+		isFlatMode bool
+		values     map[string]string
+		expected   []map[string]any
 		// clientError is true if a k8s client error should be simulated
 		clientError   bool
 		expectedError error
@@ -103,14 +106,17 @@ func TestGenerateParams(t *testing.T) {
 				"bat":   "{{ metadata.labels.environment }}",
 				"aaa":   "{{ server }}",
 				"no-op": "{{ this-does-not-exist }}",
-			}, expected: []map[string]interface{}{
-				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "production", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "production", "values.aaa": "https://production-01.example.com", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
+			}, expected: []map[string]any{
+				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "{{ metadata.annotations.foo.argoproj.io }}", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "{{ metadata.labels.environment }}", "values.aaa": "https://kubernetes.default.svc", "nameNormalized": "in-cluster", "name": "in-cluster", "server": "https://kubernetes.default.svc", "project": ""},
+				{
+					"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "production", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "production", "values.aaa": "https://production-01.example.com", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production", "project": "prod-project",
+				},

-				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "staging", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "staging", "values.aaa": "https://staging-01.example.com", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
-
-				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "{{ metadata.annotations.foo.argoproj.io }}", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "{{ metadata.labels.environment }}", "values.aaa": "https://kubernetes.default.svc", "nameNormalized": "in-cluster", "name": "in-cluster", "server": "https://kubernetes.default.svc"},
+				{
+					"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "staging", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "staging", "values.aaa": "https://staging-01.example.com", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging", "project": "",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -123,12 +129,16 @@ func TestGenerateParams(t *testing.T) {
 				},
 			},
 			values: nil,
-			expected: []map[string]interface{}{
-				{"name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
+			expected: []map[string]any{
+				{
+					"name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production", "project": "prod-project",
+				},

-				{"name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
+				{
+					"name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging", "project": "",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -143,9 +153,11 @@ func TestGenerateParams(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]interface{}{
-				{"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
+			expected: []map[string]any{
+				{
+					"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production", "project": "prod-project",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -167,11 +179,15 @@ func TestGenerateParams(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]interface{}{
-				{"values.foo": "bar", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
-				{"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
+			expected: []map[string]any{
+				{
+					"values.foo": "bar", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging", "project": "",
+				},
+				{
+					"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production", "project": "prod-project",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -196,9 +212,11 @@ func TestGenerateParams(t *testing.T) {
 			values: map[string]string{
 				"name": "baz",
 			},
-			expected: []map[string]interface{}{
-				{"values.name": "baz", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
+			expected: []map[string]any{
+				{
+					"values.name": "baz", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging", "project": "",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -209,7 +227,75 @@ func TestGenerateParams(t *testing.T) {
 			values:        nil,
 			expected:      nil,
 			clientError:   true,
-			expectedError: fmt.Errorf("could not list Secrets"),
+			expectedError: errors.New("error getting cluster secrets: could not list Secrets"),
+		},
+		{
+			name:     "flat mode without selectors",
+			selector: metav1.LabelSelector{},
+			values: map[string]string{
+				"lol1":  "lol",
+				"lol2":  "{{values.lol1}}{{values.lol1}}",
+				"lol3":  "{{values.lol2}}{{values.lol2}}{{values.lol2}}",
+				"foo":   "bar",
+				"bar":   "{{ metadata.annotations.foo.argoproj.io }}",
+				"bat":   "{{ metadata.labels.environment }}",
+				"aaa":   "{{ server }}",
+				"no-op": "{{ this-does-not-exist }}",
+			},
+			expected: []map[string]any{
+				{
+					"clusters": []map[string]any{
+						{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "{{ metadata.annotations.foo.argoproj.io }}", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "{{ metadata.labels.environment }}", "values.aaa": "https://kubernetes.default.svc", "nameNormalized": "in-cluster", "name": "in-cluster", "server": "https://kubernetes.default.svc", "project": ""},
+						{
+							"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "production", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "production", "values.aaa": "https://production-01.example.com", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+							"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production", "project": "prod-project",
+						},
+
+						{
+							"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "staging", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "staging", "values.aaa": "https://staging-01.example.com", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+							"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging", "project": "",
+						},
+					},
+				},
+			},
+			isFlatMode:    true,
+			clientError:   false,
+			expectedError: nil,
+		},
+		{
+			name: "production or staging with flat mode",
+			selector: metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      "environment",
+						Operator: "In",
+						Values: []string{
+							"production",
+							"staging",
+						},
+					},
+				},
+			},
+			isFlatMode: true,
+			values: map[string]string{
+				"foo": "bar",
+			},
+			expected: []map[string]any{
+				{
+					"clusters": []map[string]any{
+						{
+							"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+							"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production", "project": "prod-project",
+						},
+						{
+							"values.foo": "bar", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+							"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging", "project": "",
+						},
+					},
+				},
+			},
+			clientError:   false,
+			expectedError: nil,
 		},
 	}

@@ -220,9 +306,7 @@ func TestGenerateParams(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)

 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
@@ -231,7 +315,7 @@ func TestGenerateParams(t *testing.T) {
 				testCase.clientError,
 			}

-			var clusterGenerator = NewClusterGenerator(cl, context.Background(), appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -244,16 +328,16 @@ func TestGenerateParams(t *testing.T) {
 				Clusters: &argoprojiov1alpha1.ClusterGenerator{
 					Selector: testCase.selector,
 					Values:   testCase.values,
+					FlatList: testCase.isFlatMode,
 				},
-			}, &applicationSetInfo)
+			}, &applicationSetInfo, nil)

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCase.expected, got)
 			}
-
 		})
 	}
 }
@@ -310,10 +394,11 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 		},
 	}
 	testCases := []struct {
-		name     string
-		selector metav1.LabelSelector
-		values   map[string]string
-		expected []map[string]interface{}
+		name       string
+		selector   metav1.LabelSelector
+		values     map[string]string
+		isFlatMode bool
+		expected   []map[string]any
 		// clientError is true if a k8s client error should be simulated
 		clientError   bool
 		expectedError error
@@ -330,12 +415,13 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 				"bat":   "{{ if not (empty .metadata) }}{{.metadata.labels.environment}}{{ end }}",
 				"aaa":   "{{ .server }}",
 				"no-op": "{{ .thisDoesNotExist }}",
-			}, expected: []map[string]interface{}{
+			}, expected: []map[string]any{
 				{
 					"name":           "production_01/west",
 					"nameNormalized": "production-01-west",
 					"server":         "https://production-01.example.com",
-					"metadata": map[string]interface{}{
+					"project":        "",
+					"metadata": map[string]any{
 						"labels": map[string]string{
 							"argocd.argoproj.io/secret-type": "cluster",
 							"environment":                    "production",
@@ -360,7 +446,8 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 					"name":           "staging-01",
 					"nameNormalized": "staging-01",
 					"server":         "https://staging-01.example.com",
-					"metadata": map[string]interface{}{
+					"project":        "",
+					"metadata": map[string]any{
 						"labels": map[string]string{
 							"argocd.argoproj.io/secret-type": "cluster",
 							"environment":                    "staging",
@@ -385,6 +472,7 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 					"nameNormalized": "in-cluster",
 					"name":           "in-cluster",
 					"server":         "https://kubernetes.default.svc",
+					"project":        "",
 					"values": map[string]string{
 						"lol1":  "lol",
 						"lol2":  "<no value><no value>",
@@ -408,12 +496,13 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 				},
 			},
 			values: nil,
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"name":           "production_01/west",
 					"nameNormalized": "production-01-west",
 					"server":         "https://production-01.example.com",
-					"metadata": map[string]interface{}{
+					"project":        "",
+					"metadata": map[string]any{
 						"labels": map[string]string{
 							"argocd.argoproj.io/secret-type": "cluster",
 							"environment":                    "production",
@@ -428,7 +517,8 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 					"name":           "staging-01",
 					"nameNormalized": "staging-01",
 					"server":         "https://staging-01.example.com",
-					"metadata": map[string]interface{}{
+					"project":        "",
+					"metadata": map[string]any{
 						"labels": map[string]string{
 							"argocd.argoproj.io/secret-type": "cluster",
 							"environment":                    "staging",
@@ -453,12 +543,13 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"name":           "production_01/west",
 					"nameNormalized": "production-01-west",
 					"server":         "https://production-01.example.com",
-					"metadata": map[string]interface{}{
+					"project":        "",
+					"metadata": map[string]any{
 						"labels": map[string]string{
 							"argocd.argoproj.io/secret-type": "cluster",
 							"environment":                    "production",
@@ -493,12 +584,13 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"name":           "production_01/west",
 					"nameNormalized": "production-01-west",
 					"server":         "https://production-01.example.com",
-					"metadata": map[string]interface{}{
+					"project":        "",
+					"metadata": map[string]any{
 						"labels": map[string]string{
 							"argocd.argoproj.io/secret-type": "cluster",
 							"environment":                    "production",
@@ -516,7 +608,8 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 					"name":           "staging-01",
 					"nameNormalized": "staging-01",
 					"server":         "https://staging-01.example.com",
-					"metadata": map[string]interface{}{
+					"project":        "",
+					"metadata": map[string]any{
 						"labels": map[string]string{
 							"argocd.argoproj.io/secret-type": "cluster",
 							"environment":                    "staging",
@@ -554,12 +647,13 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 			values: map[string]string{
 				"name": "baz",
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"name":           "staging-01",
 					"nameNormalized": "staging-01",
 					"server":         "https://staging-01.example.com",
-					"metadata": map[string]interface{}{
+					"project":        "",
+					"metadata": map[string]any{
 						"labels": map[string]string{
 							"argocd.argoproj.io/secret-type": "cluster",
 							"environment":                    "staging",
@@ -583,7 +677,163 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 			values:        nil,
 			expected:      nil,
 			clientError:   true,
-			expectedError: fmt.Errorf("could not list Secrets"),
+			expectedError: errors.New("error getting cluster secrets: could not list Secrets"),
+		},
+		{
+			name:       "Clusters with flat list mode and no selector",
+			selector:   metav1.LabelSelector{},
+			isFlatMode: true,
+			values: map[string]string{
+				"lol1":  "lol",
+				"lol2":  "{{ .values.lol1 }}{{ .values.lol1 }}",
+				"lol3":  "{{ .values.lol2 }}{{ .values.lol2 }}{{ .values.lol2 }}",
+				"foo":   "bar",
+				"bar":   "{{ if not (empty .metadata) }}{{index .metadata.annotations \"foo.argoproj.io\" }}{{ end }}",
+				"bat":   "{{ if not (empty .metadata) }}{{.metadata.labels.environment}}{{ end }}",
+				"aaa":   "{{ .server }}",
+				"no-op": "{{ .thisDoesNotExist }}",
+			},
+			expected: []map[string]any{
+				{
+					"clusters": []map[string]any{
+						{
+							"nameNormalized": "in-cluster",
+							"name":           "in-cluster",
+							"server":         "https://kubernetes.default.svc",
+							"project":        "",
+							"values": map[string]string{
+								"lol1":  "lol",
+								"lol2":  "<no value><no value>",
+								"lol3":  "<no value><no value><no value>",
+								"foo":   "bar",
+								"bar":   "",
+								"bat":   "",
+								"aaa":   "https://kubernetes.default.svc",
+								"no-op": "<no value>",
+							},
+						},
+						{
+							"name":           "production_01/west",
+							"nameNormalized": "production-01-west",
+							"server":         "https://production-01.example.com",
+							"project":        "",
+							"metadata": map[string]any{
+								"labels": map[string]string{
+									"argocd.argoproj.io/secret-type": "cluster",
+									"environment":                    "production",
+									"org":                            "bar",
+								},
+								"annotations": map[string]string{
+									"foo.argoproj.io": "production",
+								},
+							},
+							"values": map[string]string{
+								"lol1":  "lol",
+								"lol2":  "<no value><no value>",
+								"lol3":  "<no value><no value><no value>",
+								"foo":   "bar",
+								"bar":   "production",
+								"bat":   "production",
+								"aaa":   "https://production-01.example.com",
+								"no-op": "<no value>",
+							},
+						},
+						{
+							"name":           "staging-01",
+							"nameNormalized": "staging-01",
+							"server":         "https://staging-01.example.com",
+							"project":        "",
+							"metadata": map[string]any{
+								"labels": map[string]string{
+									"argocd.argoproj.io/secret-type": "cluster",
+									"environment":                    "staging",
+									"org":                            "foo",
+								},
+								"annotations": map[string]string{
+									"foo.argoproj.io": "staging",
+								},
+							},
+							"values": map[string]string{
+								"lol1":  "lol",
+								"lol2":  "<no value><no value>",
+								"lol3":  "<no value><no value><no value>",
+								"foo":   "bar",
+								"bar":   "staging",
+								"bat":   "staging",
+								"aaa":   "https://staging-01.example.com",
+								"no-op": "<no value>",
+							},
+						},
+					},
+				},
+			},
+			clientError:   false,
+			expectedError: nil,
+		},
+		{
+			name: "production or staging with flat mode",
+			selector: metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      "environment",
+						Operator: "In",
+						Values: []string{
+							"production",
+							"staging",
+						},
+					},
+				},
+			},
+			isFlatMode: true,
+			values: map[string]string{
+				"foo": "bar",
+			},
+			expected: []map[string]any{
+				{
+					"clusters": []map[string]any{
+						{
+							"name":           "production_01/west",
+							"nameNormalized": "production-01-west",
+							"server":         "https://production-01.example.com",
+							"project":        "",
+							"metadata": map[string]any{
+								"labels": map[string]string{
+									"argocd.argoproj.io/secret-type": "cluster",
+									"environment":                    "production",
+									"org":                            "bar",
+								},
+								"annotations": map[string]string{
+									"foo.argoproj.io": "production",
+								},
+							},
+							"values": map[string]string{
+								"foo": "bar",
+							},
+						},
+						{
+							"name":           "staging-01",
+							"nameNormalized": "staging-01",
+							"server":         "https://staging-01.example.com",
+							"project":        "",
+							"metadata": map[string]any{
+								"labels": map[string]string{
+									"argocd.argoproj.io/secret-type": "cluster",
+									"environment":                    "staging",
+									"org":                            "foo",
+								},
+								"annotations": map[string]string{
+									"foo.argoproj.io": "staging",
+								},
+							},
+							"values": map[string]string{
+								"foo": "bar",
+							},
+						},
+					},
+				},
+			},
+			clientError:   false,
+			expectedError: nil,
 		},
 	}

@@ -594,9 +844,7 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)

 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
@@ -605,7 +853,7 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 				testCase.clientError,
 			}

-			var clusterGenerator = NewClusterGenerator(cl, context.Background(), appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -620,16 +868,16 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 				Clusters: &argoprojiov1alpha1.ClusterGenerator{
 					Selector: testCase.selector,
 					Values:   testCase.values,
+					FlatList: testCase.isFlatMode,
 				},
-			}, &applicationSetInfo)
+			}, &applicationSetInfo, nil)

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCase.expected, got)
 			}
-
 		})
 	}
 }
--- a/applicationset/generators/duck_type.go
+++ b/applicationset/generators/duck_type.go
@@ -2,73 +2,67 @@ package generators

 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"time"

 	log "github.com/sirupsen/logrus"
-
-	"github.com/argoproj/argo-cd/v2/util/settings"
+	"sigs.k8s.io/controller-runtime/pkg/client"

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 var _ Generator = (*DuckTypeGenerator)(nil)

 // DuckTypeGenerator generates Applications for some or all clusters registered with ArgoCD.
 type DuckTypeGenerator struct {
-	ctx             context.Context
-	dynClient       dynamic.Interface
-	clientset       kubernetes.Interface
-	namespace       string // namespace is the Argo CD namespace
-	settingsManager *settings.SettingsManager
+	ctx       context.Context
+	dynClient dynamic.Interface
+	clientset kubernetes.Interface
+	namespace string // namespace is the Argo CD namespace
 }

 func NewDuckTypeGenerator(ctx context.Context, dynClient dynamic.Interface, clientset kubernetes.Interface, namespace string) Generator {
-
-	settingsManager := settings.NewSettingsManager(ctx, clientset, namespace)
-
 	g := &DuckTypeGenerator{
-		ctx:             ctx,
-		dynClient:       dynClient,
-		clientset:       clientset,
-		namespace:       namespace,
-		settingsManager: settingsManager,
+		ctx:       ctx,
+		dynClient: dynClient,
+		clientset: clientset,
+		namespace: namespace,
 	}
 	return g
 }

 func (g *DuckTypeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) time.Duration {
-
 	// Return a requeue default of 3 minutes, if no override is specified.

 	if appSetGenerator.ClusterDecisionResource.RequeueAfterSeconds != nil {
 		return time.Duration(*appSetGenerator.ClusterDecisionResource.RequeueAfterSeconds) * time.Second
 	}

-	return DefaultRequeueAfterSeconds
+	return getDefaultRequeueAfter()
 }

 func (g *DuckTypeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.ClusterDecisionResource.Template
 }

-func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
 	if appSetGenerator == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	// Not likely to happen
 	if appSetGenerator.ClusterDecisionResource == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	// ListCluster from Argo CD's util/db package will include the local cluster in the list of clusters
@@ -83,7 +77,6 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A

 	// Read the configMapRef
 	cm, err := g.clientset.CoreV1().ConfigMaps(g.namespace).Get(g.ctx, appSetGenerator.ClusterDecisionResource.ConfigMapRef, metav1.GetOptions{})
-
 	if err != nil {
 		return nil, fmt.Errorf("error reading configMapRef: %w", err)
 	}
@@ -99,14 +92,13 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 	// Validate the fields
 	if kind == "" || versionIdx < 1 {
 		log.Warningf("kind=%v, resourceName=%v, versionIdx=%v", kind, resourceName, versionIdx)
-		return nil, fmt.Errorf("There is a problem with the apiVersion, kind or resourceName provided")
+		return nil, errors.New("there is a problem with the apiVersion, kind or resourceName provided")
 	}

 	if (resourceName == "" && labelSelector.MatchLabels == nil && labelSelector.MatchExpressions == nil) ||
 		(resourceName != "" && (labelSelector.MatchExpressions != nil || labelSelector.MatchLabels != nil)) {
-
 		log.Warningf("You must choose either resourceName=%v, labelSelector.matchLabels=%v or labelSelect.matchExpressions=%v", resourceName, labelSelector.MatchLabels, labelSelector.MatchExpressions)
-		return nil, fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator")
+		return nil, errors.New("there is a problem with the definition of the ClusterDecisionResource generator")
 	}

 	// Split up the apiVersion
@@ -122,115 +114,116 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 		log.WithField("listOptions.LabelSelector", listOptions.LabelSelector).Info("selection type")
 	} else {
 		listOptions.FieldSelector = fields.OneTermEqualSelector("metadata.name", resourceName).String()
-		//metav1.Convert_fields_Selector_To_string(fields.).Sprintf("metadata.name=%s", resourceName)
+		// metav1.Convert_fields_Selector_To_string(fields.).Sprintf("metadata.name=%s", resourceName)
 		log.WithField("listOptions.FieldSelector", listOptions.FieldSelector).Info("selection type")
 	}

 	duckResources, err := g.dynClient.Resource(duckGVR).Namespace(g.namespace).List(g.ctx, listOptions)
-
 	if err != nil {
 		log.WithField("GVK", duckGVR).Warning("resources were not found")
-		return nil, err
+		return nil, fmt.Errorf("failed to get dynamic resources: %w", err)
 	}

 	if len(duckResources.Items) == 0 {
 		log.Warning("no resource found, make sure you clusterDecisionResource is defined correctly")
-		return nil, fmt.Errorf("no clusterDecisionResources found")
+		return nil, errors.New("no clusterDecisionResources found")
 	}

 	// Override the duck type in the status of the resource
 	statusListKey := "clusters"
-
-	matchKey := cm.Data["matchKey"]
-
 	if cm.Data["statusListKey"] != "" {
 		statusListKey = cm.Data["statusListKey"]
 	}
+
+	matchKey := cm.Data["matchKey"]
 	if matchKey == "" {
 		log.WithField("matchKey", matchKey).Warning("matchKey not found in " + cm.Name)
 		return nil, nil
-
 	}

-	res := []map[string]interface{}{}
-	clusterDecisions := []interface{}{}
+	clusterDecisions := buildClusterDecisions(duckResources, statusListKey)
+	if len(clusterDecisions) == 0 {
+		log.Warningf("clusterDecisionResource status.%s missing", statusListKey)
+		return nil, nil
+	}
+
+	res := []map[string]any{}
+	for _, clusterDecision := range clusterDecisions {
+		cluster := findCluster(clustersFromArgoCD, clusterDecision, matchKey, statusListKey)
+		// if no cluster is found, move to the next cluster
+		if cluster == nil {
+			continue
+		}
+
+		// generated instance of cluster params
+		params := map[string]any{
+			"name":   cluster.Name,
+			"server": cluster.Server,
+		}
+
+		for key, value := range clusterDecision.(map[string]any) {
+			params[key] = value.(string)
+		}
+
+		for key, value := range appSetGenerator.ClusterDecisionResource.Values {
+			collectParams(appSet, params, key, value)
+		}
+
+		res = append(res, params)
+	}
+
+	return res, nil
+}
+
+func buildClusterDecisions(duckResources *unstructured.UnstructuredList, statusListKey string) []any {
+	clusterDecisions := []any{}

 	// Build the decision slice
 	for _, duckResource := range duckResources.Items {
 		log.WithField("duckResourceName", duckResource.GetName()).Debug("found resource")

-		if duckResource.Object["status"] == nil || len(duckResource.Object["status"].(map[string]interface{})) == 0 {
+		if duckResource.Object["status"] == nil || len(duckResource.Object["status"].(map[string]any)) == 0 {
 			log.Warningf("clusterDecisionResource: %s, has no status", duckResource.GetName())
 			continue
 		}

 		log.WithField("duckResourceStatus", duckResource.Object["status"]).Debug("found resource")

-		clusterDecisions = append(clusterDecisions, duckResource.Object["status"].(map[string]interface{})[statusListKey].([]interface{})...)
-
+		clusterDecisions = append(clusterDecisions, duckResource.Object["status"].(map[string]any)[statusListKey].([]any)...)
 	}
 	log.Infof("Number of decisions found: %v", len(clusterDecisions))
+	return clusterDecisions
+}

-	// Read this outside the loop to improve performance
-	argoClusters := clustersFromArgoCD.Items
-
-	if len(clusterDecisions) > 0 {
-		for _, cluster := range clusterDecisions {
-
-			// generated instance of cluster params
-			params := map[string]interface{}{}
-
-			log.Infof("cluster: %v", cluster)
-			matchValue := cluster.(map[string]interface{})[matchKey]
-			if matchValue == nil || matchValue.(string) == "" {
-				log.Warningf("matchKey=%v not found in \"%v\" list: %v\n", matchKey, statusListKey, cluster.(map[string]interface{}))
-				continue
-			}
-
-			strMatchValue := matchValue.(string)
-			log.WithField(matchKey, strMatchValue).Debug("validate against ArgoCD")
-
-			found := false
-
-			for _, argoCluster := range argoClusters {
-				if argoCluster.Name == strMatchValue {
-
-					log.WithField(matchKey, argoCluster.Name).Info("matched cluster in ArgoCD")
-					params["name"] = argoCluster.Name
-					params["server"] = argoCluster.Server
-
-					found = true
-					break // Stop looking
-				}
-
-			}
-
-			if !found {
-				log.WithField(matchKey, strMatchValue).Warning("unmatched cluster in ArgoCD")
-				continue
-			}
-
-			for key, value := range cluster.(map[string]interface{}) {
-				params[key] = value.(string)
-			}
-
-			for key, value := range appSetGenerator.ClusterDecisionResource.Values {
-				if appSet.Spec.GoTemplate {
-					if params["values"] == nil {
-						params["values"] = map[string]string{}
-					}
-					params["values"].(map[string]string)[key] = value
-				} else {
-					params[fmt.Sprintf("values.%s", key)] = value
-				}
-			}
-
-			res = append(res, params)
-		}
-	} else {
-		log.Warningf("clusterDecisionResource status." + statusListKey + " missing")
-		return nil, nil
+func findCluster(clustersFromArgoCD []utils.ClusterSpecifier, cluster any, matchKey string, statusListKey string) *utils.ClusterSpecifier {
+	log.Infof("cluster: %v", cluster)
+	matchValue := cluster.(map[string]any)[matchKey]
+	if matchValue == nil || matchValue.(string) == "" {
+		log.Warningf("matchKey=%v not found in \"%v\" list: %v\n", matchKey, statusListKey, cluster.(map[string]any))
+		return nil // no match
 	}

-	return res, nil
+	strMatchValue := matchValue.(string)
+	log.WithField(matchKey, strMatchValue).Debug("validate against ArgoCD")
+
+	for _, argoCluster := range clustersFromArgoCD {
+		if argoCluster.Name == strMatchValue {
+			log.WithField(matchKey, argoCluster.Name).Info("matched cluster in ArgoCD")
+			return &argoCluster
+		}
+	}
+
+	log.WithField(matchKey, strMatchValue).Warning("unmatched cluster in ArgoCD")
+	return nil
+}
+
+func collectParams(appSet *argoprojiov1alpha1.ApplicationSet, params map[string]any, key string, value string) {
+	if appSet.Spec.GoTemplate {
+		if params["values"] == nil {
+			params["values"] = map[string]string{}
+		}
+		params["values"].(map[string]string)[key] = value
+	} else {
+		params["values."+key] = value
+	}
 }
--- a/applicationset/generators/duck_type_test.go
+++ b/applicationset/generators/duck_type_test.go
@@ -1,11 +1,11 @@
 package generators

 import (
-	"context"
-	"fmt"
+	"errors"
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -15,12 +15,14 @@ import (
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-const resourceApiVersion = "mallard.io/v1"
-const resourceKind = "ducks"
-const resourceName = "quak"
+const (
+	resourceAPIVersion = "mallard.io/v1"
+	resourceKind       = "ducks"
+	resourceName       = "quak"
+)

 func TestGenerateParamsForDuckType(t *testing.T) {
 	clusters := []client.Object{
@@ -75,20 +77,20 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 	}

 	duckType := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": resourceApiVersion,
+		Object: map[string]any{
+			"apiVersion": resourceAPIVersion,
 			"kind":       "Duck",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":      resourceName,
 				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "all-species"},
+				"labels":    map[string]any{"duck": "all-species"},
 			},
-			"status": map[string]interface{}{
-				"decisions": []interface{}{
-					map[string]interface{}{
+			"status": map[string]any{
+				"decisions": []any{
+					map[string]any{
 						"clusterName": "staging-01",
 					},
-					map[string]interface{}{
+					map[string]any{
 						"clusterName": "production-01",
 					},
 				},
@@ -97,17 +99,17 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 	}

 	duckTypeProdOnly := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": resourceApiVersion,
+		Object: map[string]any{
+			"apiVersion": resourceAPIVersion,
 			"kind":       "Duck",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":      resourceName,
 				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "spotted"},
+				"labels":    map[string]any{"duck": "spotted"},
 			},
-			"status": map[string]interface{}{
-				"decisions": []interface{}{
-					map[string]interface{}{
+			"status": map[string]any{
+				"decisions": []any{
+					map[string]any{
 						"clusterName": "production-01",
 					},
 				},
@@ -116,15 +118,15 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 	}

 	duckTypeEmpty := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": resourceApiVersion,
+		Object: map[string]any{
+			"apiVersion": resourceAPIVersion,
 			"kind":       "Duck",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":      resourceName,
 				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "canvasback"},
+				"labels":    map[string]any{"duck": "canvasback"},
 			},
-			"status": map[string]interface{}{},
+			"status": map[string]any{},
 		},
 	}

@@ -134,7 +136,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			Namespace: "namespace",
 		},
 		Data: map[string]string{
-			"apiVersion":    resourceApiVersion,
+			"apiVersion":    resourceAPIVersion,
 			"kind":          resourceKind,
 			"statusListKey": "decisions",
 			"matchKey":      "clusterName",
@@ -148,7 +150,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 		labelSelector metav1.LabelSelector
 		resource      *unstructured.Unstructured
 		values        map[string]string
-		expected      []map[string]interface{}
+		expected      []map[string]any
 		expectedError error
 	}{
 		{
@@ -156,8 +158,8 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			resourceName:  "",
 			resource:      duckType,
 			values:        nil,
-			expected:      []map[string]interface{}{},
-			expectedError: fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator"),
+			expected:      []map[string]any{},
+			expectedError: errors.New("there is a problem with the definition of the ClusterDecisionResource generator"),
 		},
 		/*** This does not work with the FAKE runtime client, fieldSelectors are broken.
 		{
@@ -174,7 +176,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			resourceName: resourceName,
 			resource:     duckType,
 			values:       nil,
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},

 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -188,7 +190,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "values.foo": "bar", "name": "production-01", "server": "https://production-01.example.com"},
 			},
 			expectedError: nil,
@@ -216,7 +218,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			labelSelector: metav1.LabelSelector{MatchLabels: map[string]string{"duck": "all-species"}},
 			resource:      duckType,
 			values:        nil,
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},

 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -231,7 +233,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "values.foo": "bar", "name": "production-01", "server": "https://production-01.example.com"},
 			},
 			expectedError: nil,
@@ -248,7 +250,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			}},
 			resource: duckType,
 			values:   nil,
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},

 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -268,7 +270,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			resource:      duckType,
 			values:        nil,
 			expected:      nil,
-			expectedError: fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator"),
+			expectedError: errors.New("there is a problem with the definition of the ClusterDecisionResource generator"),
 		},
 	}

@@ -279,9 +281,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			appClientset := kubefake.NewSimpleClientset(append(runtimeClusters, configMap)...)

 			gvrToListKind := map[schema.GroupVersionResource]string{{
@@ -292,7 +292,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {

 			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)

-			var duckTypeGenerator = NewDuckTypeGenerator(context.Background(), fakeDynClient, appClientset, "namespace")
+			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -308,12 +308,12 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 					LabelSelector: testCase.labelSelector,
 					Values:        testCase.values,
 				},
-			}, &applicationSetInfo)
+			}, &applicationSetInfo, nil)

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCase.expected, got)
 			}
 		})
@@ -373,20 +373,20 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 	}

 	duckType := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": resourceApiVersion,
+		Object: map[string]any{
+			"apiVersion": resourceAPIVersion,
 			"kind":       "Duck",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":      resourceName,
 				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "all-species"},
+				"labels":    map[string]any{"duck": "all-species"},
 			},
-			"status": map[string]interface{}{
-				"decisions": []interface{}{
-					map[string]interface{}{
+			"status": map[string]any{
+				"decisions": []any{
+					map[string]any{
 						"clusterName": "staging-01",
 					},
-					map[string]interface{}{
+					map[string]any{
 						"clusterName": "production-01",
 					},
 				},
@@ -395,17 +395,17 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 	}

 	duckTypeProdOnly := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": resourceApiVersion,
+		Object: map[string]any{
+			"apiVersion": resourceAPIVersion,
 			"kind":       "Duck",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":      resourceName,
 				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "spotted"},
+				"labels":    map[string]any{"duck": "spotted"},
 			},
-			"status": map[string]interface{}{
-				"decisions": []interface{}{
-					map[string]interface{}{
+			"status": map[string]any{
+				"decisions": []any{
+					map[string]any{
 						"clusterName": "production-01",
 					},
 				},
@@ -414,15 +414,15 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 	}

 	duckTypeEmpty := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": resourceApiVersion,
+		Object: map[string]any{
+			"apiVersion": resourceAPIVersion,
 			"kind":       "Duck",
-			"metadata": map[string]interface{}{
+			"metadata": map[string]any{
 				"name":      resourceName,
 				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "canvasback"},
+				"labels":    map[string]any{"duck": "canvasback"},
 			},
-			"status": map[string]interface{}{},
+			"status": map[string]any{},
 		},
 	}

@@ -432,7 +432,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 			Namespace: "namespace",
 		},
 		Data: map[string]string{
-			"apiVersion":    resourceApiVersion,
+			"apiVersion":    resourceAPIVersion,
 			"kind":          resourceKind,
 			"statusListKey": "decisions",
 			"matchKey":      "clusterName",
@@ -446,7 +446,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 		labelSelector metav1.LabelSelector
 		resource      *unstructured.Unstructured
 		values        map[string]string
-		expected      []map[string]interface{}
+		expected      []map[string]any
 		expectedError error
 	}{
 		{
@@ -454,8 +454,8 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 			resourceName:  "",
 			resource:      duckType,
 			values:        nil,
-			expected:      []map[string]interface{}{},
-			expectedError: fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator"),
+			expected:      []map[string]any{},
+			expectedError: errors.New("there is a problem with the definition of the ClusterDecisionResource generator"),
 		},
 		/*** This does not work with the FAKE runtime client, fieldSelectors are broken.
 		{
@@ -472,7 +472,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 			resourceName: resourceName,
 			resource:     duckType,
 			values:       nil,
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},

 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -486,7 +486,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "values": map[string]string{"foo": "bar"}, "name": "production-01", "server": "https://production-01.example.com"},
 			},
 			expectedError: nil,
@@ -514,7 +514,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 			labelSelector: metav1.LabelSelector{MatchLabels: map[string]string{"duck": "all-species"}},
 			resource:      duckType,
 			values:        nil,
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},

 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -529,7 +529,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "values": map[string]string{"foo": "bar"}, "name": "production-01", "server": "https://production-01.example.com"},
 			},
 			expectedError: nil,
@@ -546,7 +546,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 			}},
 			resource: duckType,
 			values:   nil,
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},

 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -566,7 +566,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 			resource:      duckType,
 			values:        nil,
 			expected:      nil,
-			expectedError: fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator"),
+			expectedError: errors.New("there is a problem with the definition of the ClusterDecisionResource generator"),
 		},
 	}

@@ -577,9 +577,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			appClientset := kubefake.NewSimpleClientset(append(runtimeClusters, configMap)...)

 			gvrToListKind := map[schema.GroupVersionResource]string{{
@@ -590,7 +588,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {

 			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)

-			var duckTypeGenerator = NewDuckTypeGenerator(context.Background(), fakeDynClient, appClientset, "namespace")
+			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -608,12 +606,12 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 					LabelSelector: testCase.labelSelector,
 					Values:        testCase.values,
 				},
-			}, &applicationSetInfo)
+			}, &applicationSetInfo, nil)

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCase.expected, got)
 			}
 		})
--- a/applicationset/generators/generator_spec_processor.go
+++ b/applicationset/generators/generator_spec_processor.go
@@ -5,14 +5,15 @@ import (
 	"reflect"

 	"github.com/jeremywohl/flatten"
+	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"

 	"k8s.io/apimachinery/pkg/labels"

-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"

-	"github.com/imdario/mergo"
+	"dario.cat/mergo"
 	log "github.com/sirupsen/logrus"
 )

@@ -21,12 +22,12 @@ const (
 )

 type TransformResult struct {
-	Params   []map[string]interface{}
+	Params   []map[string]any
 	Template argoprojiov1alpha1.ApplicationSetTemplate
 }

 // Transform a spec generator to list of paramSets and a template
-func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}) ([]TransformResult, error) {
+func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]any, client client.Client) ([]TransformResult, error) {
 	// This is a custom version of the `LabelSelectorAsSelector` that is in k8s.io/apimachinery. This has been copied
 	// verbatim from that package, with the difference that we do not have any restrictions on label values. This is done
 	// so that, among other things, we can match on cluster urls.
@@ -51,7 +52,7 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 			}
 			continue
 		}
-		var params []map[string]interface{}
+		var params []map[string]any
 		if len(genParams) != 0 {
 			tempInterpolatedGenerator, err := InterpolateGenerator(&requestedGenerator, genParams, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 			interpolatedGenerator = &tempInterpolatedGenerator
@@ -64,7 +65,7 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 				continue
 			}
 		}
-		params, err = g.GenerateParams(interpolatedGenerator, appSet)
+		params, err = g.GenerateParams(interpolatedGenerator, appSet, client)
 		if err != nil {
 			log.WithError(err).WithField("generator", g).
 				Error("error generating params")
@@ -73,7 +74,7 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 			}
 			continue
 		}
-		var filterParams []map[string]interface{}
+		var filterParams []map[string]any
 		for _, param := range params {
 			flatParam, err := flattenParameters(param)
 			if err != nil {
@@ -122,7 +123,7 @@ func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSet
 	return res
 }

-func flattenParameters(in map[string]interface{}) (map[string]string, error) {
+func flattenParameters(in map[string]any) (map[string]string, error) {
 	flat, err := flatten.Flatten(in, "", flatten.DotStyle)
 	if err != nil {
 		return nil, fmt.Errorf("error flatenning parameters: %w", err)
@@ -148,7 +149,7 @@ func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.

 // InterpolateGenerator allows interpolating the matrix's 2nd child generator with values from the 1st child generator
 // "params" parameter is an array, where each index corresponds to a generator. Each index contains a map w/ that generator's parameters.
-func InterpolateGenerator(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, params map[string]interface{}, useGoTemplate bool, goTemplateOptions []string) (argoprojiov1alpha1.ApplicationSetGenerator, error) {
+func InterpolateGenerator(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, params map[string]any, useGoTemplate bool, goTemplateOptions []string) (argoprojiov1alpha1.ApplicationSetGenerator, error) {
 	render := utils.Render{}
 	interpolatedGenerator, err := render.RenderGeneratorParams(requestedGenerator, params, useGoTemplate, goTemplateOptions)
 	if err != nil {
@@ -158,16 +159,3 @@ func InterpolateGenerator(requestedGenerator *argoprojiov1alpha1.ApplicationSetG

 	return *interpolatedGenerator, nil
 }
-
-// Fixes https://github.com/argoproj/argo-cd/issues/11982 while ensuring backwards compatibility.
-// This is only a short-term solution and should be removed in a future major version.
-func dropDisabledNestedSelectors(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator) bool {
-	var foundSelector bool
-	for i := range generators {
-		if generators[i].Selector != nil {
-			foundSelector = true
-			generators[i].Selector = nil
-		}
-	}
-	return foundSelector
-}
--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@@ -10,9 +10,9 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"

-	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"

 	"github.com/stretchr/testify/mock"
 	corev1 "k8s.io/api/core/v1"
@@ -27,19 +27,19 @@ func TestMatchValues(t *testing.T) {
 		name     string
 		elements []apiextensionsv1.JSON
 		selector *metav1.LabelSelector
-		expected []map[string]interface{}
+		expected []map[string]any
 	}{
 		{
 			name:     "no filter",
 			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
 			selector: &metav1.LabelSelector{},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url"}},
 		},
 		{
 			name:     "nil",
 			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
 			selector: nil,
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url"}},
 		},
 		{
 			name:     "values.foo should be foo but is ignore element",
@@ -49,7 +49,7 @@ func TestMatchValues(t *testing.T) {
 					"values.foo": "foo",
 				},
 			},
-			expected: []map[string]interface{}{},
+			expected: []map[string]any{},
 		},
 		{
 			name:     "values.foo should be bar",
@@ -59,14 +59,14 @@ func TestMatchValues(t *testing.T) {
 					"values.foo": "bar",
 				},
 			},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values.foo": "bar"}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url", "values.foo": "bar"}},
 		},
 	}

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			var listGenerator = NewListGenerator()
-			var data = map[string]Generator{
+			listGenerator := NewListGenerator()
+			data := map[string]Generator{
 				"List": listGenerator,
 			}

@@ -84,12 +84,13 @@ func TestMatchValues(t *testing.T) {
 				List: &argov1alpha1.ListGenerator{
 					Elements: testCase.elements,
 					Template: emptyTemplate(),
-				}},
+				},
+			},
 				data,
 				emptyTemplate(),
-				&applicationSetInfo, nil)
+				&applicationSetInfo, nil, nil)

-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.ElementsMatch(t, testCase.expected, results[0].Params)
 		})
 	}
@@ -100,19 +101,19 @@ func TestMatchValuesGoTemplate(t *testing.T) {
 		name     string
 		elements []apiextensionsv1.JSON
 		selector *metav1.LabelSelector
-		expected []map[string]interface{}
+		expected []map[string]any
 	}{
 		{
 			name:     "no filter",
 			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
 			selector: &metav1.LabelSelector{},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url"}},
 		},
 		{
 			name:     "nil",
 			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
 			selector: nil,
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url"}},
 		},
 		{
 			name:     "values.foo should be foo but is ignore element",
@@ -122,7 +123,7 @@ func TestMatchValuesGoTemplate(t *testing.T) {
 					"values.foo": "foo",
 				},
 			},
-			expected: []map[string]interface{}{},
+			expected: []map[string]any{},
 		},
 		{
 			name:     "values.foo should be bar",
@@ -132,7 +133,7 @@ func TestMatchValuesGoTemplate(t *testing.T) {
 					"values.foo": "bar",
 				},
 			},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": map[string]interface{}{"foo": "bar"}}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url", "values": map[string]any{"foo": "bar"}}},
 		},
 		{
 			name:     "values.0 should be bar",
@@ -142,14 +143,14 @@ func TestMatchValuesGoTemplate(t *testing.T) {
 					"values.0": "bar",
 				},
 			},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": []interface{}{"bar"}}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url", "values": []any{"bar"}}},
 		},
 	}

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			var listGenerator = NewListGenerator()
-			var data = map[string]Generator{
+			listGenerator := NewListGenerator()
+			data := map[string]Generator{
 				"List": listGenerator,
 			}

@@ -167,12 +168,13 @@ func TestMatchValuesGoTemplate(t *testing.T) {
 				List: &argov1alpha1.ListGenerator{
 					Elements: testCase.elements,
 					Template: emptyTemplate(),
-				}},
+				},
+			},
 				data,
 				emptyTemplate(),
-				&applicationSetInfo, nil)
+				&applicationSetInfo, nil, nil)

-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.ElementsMatch(t, testCase.expected, results[0].Params)
 		})
 	}
@@ -182,14 +184,14 @@ func TestTransForm(t *testing.T) {
 	testCases := []struct {
 		name     string
 		selector *metav1.LabelSelector
-		expected []map[string]interface{}
+		expected []map[string]any
 	}{
 		{
 			name: "server filter",
 			selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"server": "https://production-01.example.com"},
 			},
-			expected: []map[string]interface{}{{
+			expected: []map[string]any{{
 				"metadata.annotations.foo.argoproj.io":           "production",
 				"metadata.labels.argocd.argoproj.io/secret-type": "cluster",
 				"metadata.labels.environment":                    "production",
@@ -197,6 +199,7 @@ func TestTransForm(t *testing.T) {
 				"name":                                           "production_01/west",
 				"nameNormalized":                                 "production-01-west",
 				"server":                                         "https://production-01.example.com",
+				"project":                                        "",
 			}},
 		},
 		{
@@ -204,7 +207,7 @@ func TestTransForm(t *testing.T) {
 			selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"server": "https://some-really-long-url-that-will-exceed-63-characters.com"},
 			},
-			expected: []map[string]interface{}{{
+			expected: []map[string]any{{
 				"metadata.annotations.foo.argoproj.io":           "production",
 				"metadata.labels.argocd.argoproj.io/secret-type": "cluster",
 				"metadata.labels.environment":                    "production",
@@ -212,6 +215,7 @@ func TestTransForm(t *testing.T) {
 				"name":                                           "some-really-long-server-url",
 				"nameNormalized":                                 "some-really-long-server-url",
 				"server":                                         "https://some-really-long-url-that-will-exceed-63-characters.com",
+				"project":                                        "",
 			}},
 		},
 	}
@@ -219,7 +223,7 @@ func TestTransForm(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			testGenerators := map[string]Generator{
-				"Clusters": getMockClusterGenerator(),
+				"Clusters": getMockClusterGenerator(t.Context()),
 			}

 			applicationSetInfo := argov1alpha1.ApplicationSet{
@@ -236,12 +240,13 @@ func TestTransForm(t *testing.T) {
 						Selector: metav1.LabelSelector{},
 						Template: argov1alpha1.ApplicationSetTemplate{},
 						Values:   nil,
-					}},
+					},
+				},
 				testGenerators,
 				emptyTemplate(),
-				&applicationSetInfo, nil)
+				&applicationSetInfo, nil, nil)

-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.ElementsMatch(t, testCase.expected, results[0].Params)
 		})
 	}
@@ -255,7 +260,7 @@ func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
 	}
 }

-func getMockClusterGenerator() Generator {
+func getMockClusterGenerator(ctx context.Context) Generator {
 	clusters := []crtclient.Object{
 		&corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
@@ -337,20 +342,19 @@ func getMockClusterGenerator() Generator {
 	appClientset := kubefake.NewSimpleClientset(runtimeClusters...)

 	fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
-	return NewClusterGenerator(fakeClient, context.Background(), appClientset, "namespace")
+	return NewClusterGenerator(ctx, fakeClient, appClientset, "namespace")
 }

 func getMockGitGenerator() Generator {
-	argoCDServiceMock := mocks.Repos{}
-	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
-	var gitGenerator = NewGitGenerator(&argoCDServiceMock)
+	argoCDServiceMock := &mocks.Repos{}
+	argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	gitGenerator := NewGitGenerator(argoCDServiceMock, "namespace")
 	return gitGenerator
 }

 func TestGetRelevantGenerators(t *testing.T) {
-
 	testGenerators := map[string]Generator{
-		"Clusters": getMockClusterGenerator(),
+		"Clusters": getMockClusterGenerator(t.Context()),
 		"Git":      getMockGitGenerator(),
 	}

@@ -361,7 +365,8 @@ func TestGetRelevantGenerators(t *testing.T) {
 	requestedGenerator := &argov1alpha1.ApplicationSetGenerator{
 		List: &argov1alpha1.ListGenerator{
 			Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
-		}}
+		},
+	}

 	relevantGenerators := GetRelevantGenerators(requestedGenerator, testGenerators)
 	assert.Len(t, relevantGenerators, 1)
@@ -404,10 +409,11 @@ func TestInterpolateGenerator(t *testing.T) {
 					"path-basename":                  "{{path.basename}}",
 					"path-zero":                      "{{path[0]}}",
 					"path-full":                      "{{path}}",
-				}},
+				},
+			},
 		},
 	}
-	gitGeneratorParams := map[string]interface{}{
+	gitGeneratorParams := map[string]any{
 		"path":                    "p1/p2/app3",
 		"path.basename":           "app3",
 		"path[0]":                 "p1",
@@ -436,7 +442,7 @@ func TestInterpolateGenerator(t *testing.T) {
 			Template: argov1alpha1.ApplicationSetTemplate{},
 		},
 	}
-	clusterGeneratorParams := map[string]interface{}{
+	clusterGeneratorParams := map[string]any{
 		"name": "production_01/west", "server": "https://production-01.example.com",
 	}
 	interpolatedGenerator, err = InterpolateGenerator(requestedGenerator, clusterGeneratorParams, false, nil)
@@ -458,11 +464,12 @@ func TestInterpolateGenerator_go(t *testing.T) {
 					"path-zero":                      "{{index .path.segments 0}}",
 					"path-full":                      "{{.path.path}}",
 					"kubernetes.io/environment":      `{{default "foo" .my_label}}`,
-				}},
+				},
+			},
 		},
 	}
-	gitGeneratorParams := map[string]interface{}{
-		"path": map[string]interface{}{
+	gitGeneratorParams := map[string]any{
+		"path": map[string]any{
 			"path":     "p1/p2/app3",
 			"segments": []string{"p1", "p2", "app3"},
 		},
@@ -490,7 +497,7 @@ func TestInterpolateGenerator_go(t *testing.T) {
 			Template: argov1alpha1.ApplicationSetTemplate{},
 		},
 	}
-	clusterGeneratorParams := map[string]interface{}{
+	clusterGeneratorParams := map[string]any{
 		"name": "production_01/west", "server": "https://production-01.example.com",
 	}
 	interpolatedGenerator, err = InterpolateGenerator(requestedGenerator, clusterGeneratorParams, true, nil)
@@ -505,7 +512,7 @@ func TestInterpolateGenerator_go(t *testing.T) {
 func TestInterpolateGeneratorError(t *testing.T) {
 	type args struct {
 		requestedGenerator *argov1alpha1.ApplicationSetGenerator
-		params             map[string]interface{}
+		params             map[string]any
 		useGoTemplate      bool
 		goTemplateOptions  []string
 	}
@@ -523,7 +530,7 @@ func TestInterpolateGeneratorError(t *testing.T) {
 		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "generator is empty"},
 		{name: "No Params", args: args{
 			requestedGenerator: &argov1alpha1.ApplicationSetGenerator{},
-			params:             map[string]interface{}{},
+			params:             map[string]any{},
 			useGoTemplate:      false,
 			goTemplateOptions:  nil,
 		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: ""},
@@ -538,19 +545,19 @@ func TestInterpolateGeneratorError(t *testing.T) {
 					"resolved":  "{{ index .rmap (default .override .test) }}",
 				},
 			}},
-			params: map[string]interface{}{
+			params: map[string]any{
 				"name":     "in-cluster",
 				"override": "foo",
 			},
 			useGoTemplate:     true,
 			goTemplateOptions: []string{},
-		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template {{ index .rmap (default .override .test) }}: template: :1:3: executing \"\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
+		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template {{ index .rmap (default .override .test) }}: template: base:1:3: executing \"base\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := InterpolateGenerator(tt.args.requestedGenerator, tt.args.params, tt.args.useGoTemplate, tt.args.goTemplateOptions)
 			if tt.expectedErrStr != "" {
-				assert.EqualError(t, err, tt.expectedErrStr)
+				require.EqualError(t, err, tt.expectedErrStr)
 			} else {
 				require.NoError(t, err)
 			}
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -11,61 +11,97 @@ import (

 	"github.com/jeremywohl/flatten"
 	log "github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

-	"github.com/argoproj/argo-cd/v2/applicationset/services"
-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/services"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/gpg"
 )

 var _ Generator = (*GitGenerator)(nil)

 type GitGenerator struct {
-	repos services.Repos
+	repos     services.Repos
+	namespace string
 }

-func NewGitGenerator(repos services.Repos) Generator {
+// NewGitGenerator creates a new instance of Git Generator
+func NewGitGenerator(repos services.Repos, controllerNamespace string) Generator {
 	g := &GitGenerator{
-		repos: repos,
+		repos:     repos,
+		namespace: controllerNamespace,
 	}
+
 	return g
 }

+// GetTemplate returns the ApplicationSetTemplate associated with the Git generator
+// from the provided ApplicationSetGenerator. This template defines how each
+// generated Argo CD Application should be rendered.
 func (g *GitGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Git.Template
 }

+// GetRequeueAfter returns the duration after which the Git generator should be
+// requeued for reconciliation. If RequeueAfterSeconds is set in the generator spec,
+// it uses that value. Otherwise, it falls back to a default requeue interval (3 minutes).
 func (g *GitGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) time.Duration {
-
-	// Return a requeue default of 3 minutes, if no default is specified.
-
 	if appSetGenerator.Git.RequeueAfterSeconds != nil {
 		return time.Duration(*appSetGenerator.Git.RequeueAfterSeconds) * time.Second
 	}

-	return DefaultRequeueAfterSeconds
+	return getDefaultRequeueAfter()
 }

-func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+// GenerateParams generates a list of parameter maps for the ApplicationSet by evaluating the Git generator's configuration.
+// It supports both directory-based and file-based Git generators.
+func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]any, error) {
 	if appSetGenerator == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if appSetGenerator.Git == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	noRevisionCache := appSet.RefreshRequired()

+	verifyCommit := false
+
+	// When the project field is templated, the contents of the git repo are required to run the git generator and get the templated value,
+	// but git generator cannot be called without verifying the commit signature.
+	// In this case, we skip the signature verification.
+	// If the project is templated, we skip the commit verification
+	if !strings.Contains(appSet.Spec.Template.Spec.Project, "{{") {
+		project := appSet.Spec.Template.Spec.Project
+		appProject := &argoprojiov1alpha1.AppProject{}
+		controllerNamespace := g.namespace
+		if controllerNamespace == "" {
+			controllerNamespace = appSet.Namespace
+		}
+		if err := client.Get(context.TODO(), types.NamespacedName{Name: project, Namespace: controllerNamespace}, appProject); err != nil {
+			return nil, fmt.Errorf("error getting project %s: %w", project, err)
+		}
+		// we need to verify the signature on the Git revision if GPG is enabled
+		verifyCommit = len(appProject.Spec.SignatureKeys) > 0 && gpg.IsGPGEnabled()
+	}
+
+	// If the project field is templated, we cannot resolve the project name, so we pass an empty string to the repo-server.
+	// This means only "globally-scoped" repo credentials can be used for such appsets.
+	project := resolveProjectName(appSet.Spec.Template.Spec.Project)
+
 	var err error
-	var res []map[string]interface{}
-	if len(appSetGenerator.Git.Directories) != 0 {
-		res, err = g.generateParamsForGitDirectories(appSetGenerator, noRevisionCache, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
-	} else if len(appSetGenerator.Git.Files) != 0 {
-		res, err = g.generateParamsForGitFiles(appSetGenerator, noRevisionCache, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
-	} else {
-		return nil, EmptyAppSetGeneratorError
+	var res []map[string]any
+	switch {
+	case len(appSetGenerator.Git.Directories) != 0:
+		res, err = g.generateParamsForGitDirectories(appSetGenerator, noRevisionCache, verifyCommit, appSet.Spec.GoTemplate, project, appSet.Spec.GoTemplateOptions)
+	case len(appSetGenerator.Git.Files) != 0:
+		res, err = g.generateParamsForGitFiles(appSetGenerator, noRevisionCache, verifyCommit, appSet.Spec.GoTemplate, project, appSet.Spec.GoTemplateOptions)
+	default:
+		return nil, ErrEmptyAppSetGenerator
 	}
 	if err != nil {
 		return nil, fmt.Errorf("error generating params from git: %w", err)
@@ -74,10 +110,11 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic
 	return res, nil
 }

-func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache bool, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
-
-	// Directories, not files
-	allPaths, err := g.repos.GetDirectories(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, noRevisionCache)
+// generateParamsForGitDirectories generates parameters for an ApplicationSet using a directory-based Git generator.
+// It fetches all directories from the given Git repository and revision, optionally using a revision cache and verifying commits.
+// It then filters the directories based on the generator's configuration and renders parameters for the resulting applications
+func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache, verifyCommit, useGoTemplate bool, project string, goTemplateOptions []string) ([]map[string]any, error) {
+	allPaths, err := g.repos.GetDirectories(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, project, noRevisionCache, verifyCommit)
 	if err != nil {
 		return nil, fmt.Errorf("error getting directories from repo: %w", err)
 	}
@@ -100,73 +137,116 @@ func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoproj
 	return res, nil
 }

-func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache bool, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
+// generateParamsForGitFiles generates parameters for an ApplicationSet using a file-based Git generator.
+// It retrieves and processes specified files from the Git repository, supporting both YAML and JSON formats,
+// and returns a list of parameter maps extracted from the content.
+func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache, verifyCommit, useGoTemplate bool, project string, goTemplateOptions []string) ([]map[string]any, error) {
+	// fileContentMap maps absolute file paths to their byte content
+	fileContentMap := make(map[string][]byte)
+	var includePatterns []string
+	var excludePatterns []string

-	// Get all files that match the requested path string, removing duplicates
-	allFiles := make(map[string][]byte)
-	for _, requestedPath := range appSetGenerator.Git.Files {
-		files, err := g.repos.GetFiles(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, requestedPath.Path, noRevisionCache)
+	for _, req := range appSetGenerator.Git.Files {
+		if req.Exclude {
+			excludePatterns = append(excludePatterns, req.Path)
+		} else {
+			includePatterns = append(includePatterns, req.Path)
+		}
+	}
+
+	// Fetch all files from include patterns
+	for _, includePattern := range includePatterns {
+		retrievedFiles, err := g.repos.GetFiles(
+			context.TODO(),
+			appSetGenerator.Git.RepoURL,
+			appSetGenerator.Git.Revision,
+			project,
+			includePattern,
+			noRevisionCache,
+			verifyCommit,
+		)
 		if err != nil {
 			return nil, err
 		}
-		for filePath, content := range files {
-			allFiles[filePath] = content
+		for absPath, content := range retrievedFiles {
+			fileContentMap[absPath] = content
 		}
 	}

-	// Extract the unduplicated map into a list, and sort by path to ensure a deterministic
-	// processing order in the subsequent step
-	allPaths := []string{}
-	for path := range allFiles {
-		allPaths = append(allPaths, path)
-	}
-	sort.Strings(allPaths)
-
-	// Generate params from each path, and return
-	res := []map[string]interface{}{}
-	for _, path := range allPaths {
-
-		// A JSON / YAML file path can contain multiple sets of parameters (ie it is an array)
-		paramsArray, err := g.generateParamsFromGitFile(path, allFiles[path], appSetGenerator.Git.Values, useGoTemplate, goTemplateOptions, appSetGenerator.Git.PathParamPrefix)
+	// Now remove files matching any exclude pattern
+	for _, excludePattern := range excludePatterns {
+		matchingFiles, err := g.repos.GetFiles(
+			context.TODO(),
+			appSetGenerator.Git.RepoURL,
+			appSetGenerator.Git.Revision,
+			project,
+			excludePattern,
+			noRevisionCache,
+			verifyCommit,
+		)
 		if err != nil {
-			return nil, fmt.Errorf("unable to process file '%s': %v", path, err)
+			return nil, err
+		}
+		for absPath := range matchingFiles {
+			// if the file doesn't exist already and you try to delete it from the map
+			// the operation is a no-op. It’s safe and doesn't return an error or panic.
+			// Hence, we can simply try to delete the file from the path without checking
+			// if that file already exists in the map.
+			delete(fileContentMap, absPath)
 		}
-
-		res = append(res, paramsArray...)
 	}
-	return res, nil
+
+	// Get a sorted list of file paths to ensure deterministic processing order
+	var filePaths []string
+	for path := range fileContentMap {
+		filePaths = append(filePaths, path)
+	}
+	sort.Strings(filePaths)
+
+	var allParams []map[string]any
+	for _, filePath := range filePaths {
+		// A JSON / YAML file path can contain multiple sets of parameters (ie it is an array)
+		paramsFromFileArray, err := g.generateParamsFromGitFile(filePath, fileContentMap[filePath], appSetGenerator.Git.Values, useGoTemplate, goTemplateOptions, appSetGenerator.Git.PathParamPrefix)
+		if err != nil {
+			return nil, fmt.Errorf("unable to process file '%s': %w", filePath, err)
+		}
+		allParams = append(allParams, paramsFromFileArray...)
+	}
+
+	return allParams, nil
 }

-func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []byte, values map[string]string, useGoTemplate bool, goTemplateOptions []string, pathParamPrefix string) ([]map[string]interface{}, error) {
-	objectsFound := []map[string]interface{}{}
+// generateParamsFromGitFile parses the content of a Git-tracked file and generates a slice of parameter maps.
+// The file can contain a single YAML/JSON object or an array of such objects. Depending on the useGoTemplate flag,
+// it either preserves structure for Go templating or flattens the objects for use as plain key-value parameters.
+func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []byte, values map[string]string, useGoTemplate bool, goTemplateOptions []string, pathParamPrefix string) ([]map[string]any, error) {
+	objectsFound := []map[string]any{}

-	// First, we attempt to parse as an array
-	err := yaml.Unmarshal(fileContent, &objectsFound)
-	if err != nil {
-		// If unable to parse as an array, attempt to parse as a single object
-		singleObj := make(map[string]interface{})
-		err = yaml.Unmarshal(fileContent, &singleObj)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse file: %v", err)
-		}
+	// First, we attempt to parse as a single object.
+	// This will also succeed for empty files.
+	singleObj := map[string]any{}
+	err := yaml.Unmarshal(fileContent, &singleObj)
+	if err == nil {
 		objectsFound = append(objectsFound, singleObj)
-	} else if len(objectsFound) == 0 {
-		// If file is valid but empty, add a default empty item
-		objectsFound = append(objectsFound, map[string]interface{}{})
+	} else {
+		// If unable to parse as an object, try to parse as an array
+		err = yaml.Unmarshal(fileContent, &objectsFound)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse file: %w", err)
+		}
 	}

-	res := []map[string]interface{}{}
+	res := []map[string]any{}

 	for _, objectFound := range objectsFound {
-
-		params := map[string]interface{}{}
+		params := map[string]any{}

 		if useGoTemplate {
 			for k, v := range objectFound {
 				params[k] = v
 			}

-			paramPath := map[string]interface{}{}
+			paramPath := map[string]any{}

 			paramPath["path"] = path.Dir(filePath)
 			paramPath["basename"] = path.Base(paramPath["path"].(string))
@@ -175,7 +255,7 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 			paramPath["filenameNormalized"] = utils.SanitizeName(path.Base(paramPath["filename"].(string)))
 			paramPath["segments"] = strings.Split(paramPath["path"].(string), "/")
 			if pathParamPrefix != "" {
-				params[pathParamPrefix] = map[string]interface{}{"path": paramPath}
+				params[pathParamPrefix] = map[string]any{"path": paramPath}
 			} else {
 				params["path"] = paramPath
 			}
@@ -197,7 +277,7 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 			params[pathParamName+".basenameNormalized"] = utils.SanitizeName(path.Base(params[pathParamName].(string)))
 			params[pathParamName+".filenameNormalized"] = utils.SanitizeName(path.Base(params[pathParamName+".filename"].(string)))
 			for k, v := range strings.Split(params[pathParamName].(string), "/") {
-				if len(v) > 0 {
+				if v != "" {
 					params[pathParamName+"["+strconv.Itoa(k)+"]"] = v
 				}
 			}
@@ -214,13 +294,15 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 	return res, nil
 }

-func (g *GitGenerator) filterApps(Directories []argoprojiov1alpha1.GitDirectoryGeneratorItem, allPaths []string) []string {
-	res := []string{}
+// filterApps filters the list of all application paths based on inclusion and exclusion rules
+// defined in GitDirectoryGeneratorItems. Each item can either include or exclude matching paths.
+func (g *GitGenerator) filterApps(directories []argoprojiov1alpha1.GitDirectoryGeneratorItem, allPaths []string) []string {
+	var res []string
 	for _, appPath := range allPaths {
 		appInclude := false
 		appExclude := false
 		// Iterating over each appPath and check whether directories object has requestedPath that matches the appPath
-		for _, requestedPath := range Directories {
+		for _, requestedPath := range directories {
 			match, err := path.Match(requestedPath.Path, appPath)
 			if err != nil {
 				log.WithError(err).WithField("requestedPath", requestedPath).
@@ -242,20 +324,22 @@ func (g *GitGenerator) filterApps(Directories []argoprojiov1alpha1.GitDirectoryG
 	return res
 }

-func (g *GitGenerator) generateParamsFromApps(requestedApps []string, appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
-	res := make([]map[string]interface{}, len(requestedApps))
+// generateParamsFromApps generates a list of parameter maps based on the given app paths.
+// Each app path is converted into a parameter object with path metadata (basename, segments, etc.).
+// It supports both Go templates and flat key-value parameters.
+func (g *GitGenerator) generateParamsFromApps(requestedApps []string, appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, useGoTemplate bool, goTemplateOptions []string) ([]map[string]any, error) {
+	res := make([]map[string]any, len(requestedApps))
 	for i, a := range requestedApps {
-
-		params := make(map[string]interface{}, 5)
+		params := make(map[string]any, 5)

 		if useGoTemplate {
-			paramPath := map[string]interface{}{}
+			paramPath := map[string]any{}
 			paramPath["path"] = a
 			paramPath["basename"] = path.Base(a)
 			paramPath["basenameNormalized"] = utils.SanitizeName(path.Base(a))
 			paramPath["segments"] = strings.Split(paramPath["path"].(string), "/")
 			if appSetGenerator.Git.PathParamPrefix != "" {
-				params[appSetGenerator.Git.PathParamPrefix] = map[string]interface{}{"path": paramPath}
+				params[appSetGenerator.Git.PathParamPrefix] = map[string]any{"path": paramPath}
 			} else {
 				params["path"] = paramPath
 			}
@@ -268,7 +352,7 @@ func (g *GitGenerator) generateParamsFromApps(requestedApps []string, appSetGene
 			params[pathParamName+".basename"] = path.Base(a)
 			params[pathParamName+".basenameNormalized"] = utils.SanitizeName(path.Base(a))
 			for k, v := range strings.Split(params[pathParamName].(string), "/") {
-				if len(v) > 0 {
+				if v != "" {
 					params[pathParamName+"["+strconv.Itoa(k)+"]"] = v
 				}
 			}
@@ -284,3 +368,12 @@ func (g *GitGenerator) generateParamsFromApps(requestedApps []string, appSetGene

 	return res, nil
 }
+
+// resolveProjectName resolves a project name whether templated or not
+func resolveProjectName(project string) string {
+	if strings.Contains(project, "{{") {
+		return ""
+	}
+
+	return project
+}
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
--- a/applicationset/generators/interface.go
+++ b/applicationset/generators/interface.go
@@ -1,20 +1,21 @@
 package generators

 import (
-	"fmt"
+	"errors"
 	"time"

-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-)
+	"sigs.k8s.io/controller-runtime/pkg/client"

-//go:generate go run github.com/vektra/mockery/v2@v2.40.2 --name=Generator
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/env"
+)

 // Generator defines the interface implemented by all ApplicationSet generators.
 type Generator interface {
 	// GenerateParams interprets the ApplicationSet and generates all relevant parameters for the application template.
 	// The expected / desired list of parameters is returned, it then will be render and reconciled
 	// against the current state of the Applications in the cluster.
-	GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error)
+	GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]any, error)

 	// GetRequeueAfter is the generator can controller the next reconciled loop
 	// In case there is more then one generator the time will be the minimum of the times.
@@ -25,10 +26,16 @@ type Generator interface {
 	GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate
 }

-var EmptyAppSetGeneratorError = fmt.Errorf("ApplicationSet is empty")
-var NoRequeueAfter time.Duration
-
-// DefaultRequeueAfterSeconds is used when GetRequeueAfter is not specified, it is the default time to wait before the next reconcile loop
-const (
-	DefaultRequeueAfterSeconds = 3 * time.Minute
+var (
+	ErrEmptyAppSetGenerator = errors.New("ApplicationSet is empty")
+	NoRequeueAfter          time.Duration
 )
+
+const (
+	DefaultRequeueAfter = 3 * time.Minute
+)
+
+func getDefaultRequeueAfter() time.Duration {
+	// Default is 3 minutes, min is 1 second, max is 1 year
+	return env.ParseDurationFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER", DefaultRequeueAfter, 1*time.Second, 8760*time.Hour)
+}
--- a/applicationset/generators/interface_test.go
+++ b/applicationset/generators/interface_test.go
@@ -0,0 +1,29 @@
+package generators
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_getDefaultRequeueAfter(t *testing.T) {
+	tests := []struct {
+		name            string
+		requeueAfterEnv string
+		want            time.Duration
+	}{
+		{name: "Default", requeueAfterEnv: "", want: DefaultRequeueAfter},
+		{name: "Min", requeueAfterEnv: "1s", want: 1 * time.Second},
+		{name: "Max", requeueAfterEnv: "8760h", want: 8760 * time.Hour},
+		{name: "Override", requeueAfterEnv: "10m", want: 10 * time.Minute},
+		{name: "LessThanMin", requeueAfterEnv: "1ms", want: DefaultRequeueAfter},
+		{name: "MoreThanMax", requeueAfterEnv: "8761h", want: DefaultRequeueAfter},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Setenv("ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER", tt.requeueAfterEnv)
+			assert.Equalf(t, tt.want, getDefaultRequeueAfter(), "getDefaultRequeueAfter()")
+		})
+	}
+}
--- a/applicationset/generators/list.go
+++ b/applicationset/generators/list.go
@@ -2,25 +2,26 @@ package generators

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"time"

+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 var _ Generator = (*ListGenerator)(nil)

-type ListGenerator struct {
-}
+type ListGenerator struct{}

 func NewListGenerator() Generator {
 	g := &ListGenerator{}
 	return g
 }

-func (g *ListGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) time.Duration {
+func (g *ListGenerator) GetRequeueAfter(_ *argoprojiov1alpha1.ApplicationSetGenerator) time.Duration {
 	return NoRequeueAfter
 }

@@ -28,23 +29,23 @@ func (g *ListGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.Applicat
 	return &appSetGenerator.List.Template
 }

-func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
 	if appSetGenerator == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if appSetGenerator.List == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

-	res := make([]map[string]interface{}, len(appSetGenerator.List.Elements))
+	res := make([]map[string]any, len(appSetGenerator.List.Elements))

 	for i, tmpItem := range appSetGenerator.List.Elements {
-		params := map[string]interface{}{}
-		var element map[string]interface{}
+		params := map[string]any{}
+		var element map[string]any
 		err := json.Unmarshal(tmpItem.Raw, &element)
 		if err != nil {
-			return nil, fmt.Errorf("error unmarshling list element %v", err)
+			return nil, fmt.Errorf("error unmarshling list element %w", err)
 		}

 		if appSet.Spec.GoTemplate {
@@ -52,21 +53,21 @@ func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appli
 		} else {
 			for key, value := range element {
 				if key == "values" {
-					values, ok := (value).(map[string]interface{})
+					values, ok := (value).(map[string]any)
 					if !ok {
-						return nil, fmt.Errorf("error parsing values map")
+						return nil, errors.New("error parsing values map")
 					}
 					for k, v := range values {
 						value, ok := v.(string)
 						if !ok {
-							return nil, fmt.Errorf("error parsing value as string %v", err)
+							return nil, fmt.Errorf("error parsing value as string %w", err)
 						}
-						params[fmt.Sprintf("values.%s", k)] = value
+						params["values."+k] = value
 					}
 				} else {
 					v, ok := value.(string)
 					if !ok {
-						return nil, fmt.Errorf("error parsing value as string %v", err)
+						return nil, fmt.Errorf("error parsing value as string %w", err)
 					}
 					params[key] = v
 				}
@@ -76,12 +77,11 @@ func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appli
 	}

 	// Append elements from ElementsYaml to the response
-	if len(appSetGenerator.List.ElementsYaml) > 0 {
-
-		var yamlElements []map[string]interface{}
+	if appSetGenerator.List.ElementsYaml != "" {
+		var yamlElements []map[string]any
 		err := yaml.Unmarshal([]byte(appSetGenerator.List.ElementsYaml), &yamlElements)
 		if err != nil {
-			return nil, fmt.Errorf("error unmarshling decoded ElementsYaml %v", err)
+			return nil, fmt.Errorf("error unmarshling decoded ElementsYaml %w", err)
 		}
 		res = append(res, yamlElements...)
 	}
--- a/applicationset/generators/list_test.go
+++ b/applicationset/generators/list_test.go
@@ -4,29 +4,29 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 func TestGenerateListParams(t *testing.T) {
 	testCases := []struct {
 		elements []apiextensionsv1.JSON
-		expected []map[string]interface{}
+		expected []map[string]any
 	}{
 		{
 			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url"}},
 		}, {
 			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values.foo": "bar"}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url", "values.foo": "bar"}},
 		},
 	}

 	for _, testCase := range testCases {
-
-		var listGenerator = NewListGenerator()
+		listGenerator := NewListGenerator()

 		applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 			ObjectMeta: metav1.ObjectMeta{
@@ -38,31 +38,30 @@ func TestGenerateListParams(t *testing.T) {
 		got, err := listGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
 			List: &argoprojiov1alpha1.ListGenerator{
 				Elements: testCase.elements,
-			}}, &applicationSetInfo)
+			},
+		}, &applicationSetInfo, nil)

-		assert.NoError(t, err)
+		require.NoError(t, err)
 		assert.ElementsMatch(t, testCase.expected, got)
-
 	}
 }

 func TestGenerateListParamsGoTemplate(t *testing.T) {
 	testCases := []struct {
 		elements []apiextensionsv1.JSON
-		expected []map[string]interface{}
+		expected []map[string]any
 	}{
 		{
 			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url"}},
 		}, {
 			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
-			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": map[string]interface{}{"foo": "bar"}}},
+			expected: []map[string]any{{"cluster": "cluster", "url": "url", "values": map[string]any{"foo": "bar"}}},
 		},
 	}

 	for _, testCase := range testCases {
-
-		var listGenerator = NewListGenerator()
+		listGenerator := NewListGenerator()

 		applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 			ObjectMeta: metav1.ObjectMeta{
@@ -76,9 +75,10 @@ func TestGenerateListParamsGoTemplate(t *testing.T) {
 		got, err := listGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
 			List: &argoprojiov1alpha1.ListGenerator{
 				Elements: testCase.elements,
-			}}, &applicationSetInfo)
+			},
+		}, &applicationSetInfo, nil)

-		assert.NoError(t, err)
+		require.NoError(t, err)
 		assert.ElementsMatch(t, testCase.expected, got)
 	}
 }
--- a/applicationset/generators/matrix.go
+++ b/applicationset/generators/matrix.go
@@ -1,23 +1,23 @@
 package generators

 import (
+	"errors"
 	"fmt"
 	"time"

-	"github.com/imdario/mergo"
+	"dario.cat/mergo"
+	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-
-	log "github.com/sirupsen/logrus"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 var _ Generator = (*MatrixGenerator)(nil)

 var (
-	ErrMoreThanTwoGenerators      = fmt.Errorf("found more than two generators, Matrix support only two")
-	ErrLessThanTwoGenerators      = fmt.Errorf("found less than two generators, Matrix support only two")
-	ErrMoreThenOneInnerGenerators = fmt.Errorf("found more than one generator in matrix.Generators")
+	ErrMoreThanTwoGenerators      = errors.New("found more than two generators, Matrix support only two")
+	ErrLessThanTwoGenerators      = errors.New("found less than two generators, Matrix support only two")
+	ErrMoreThenOneInnerGenerators = errors.New("found more than one generator in matrix.Generators")
 )

 type MatrixGenerator struct {
@@ -32,10 +32,9 @@ func NewMatrixGenerator(supportedGenerators map[string]Generator) Generator {
 	return m
 }

-func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]any, error) {
 	if appSetGenerator.Matrix == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if len(appSetGenerator.Matrix.Generators) < 2 {
@@ -46,21 +45,20 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 		return nil, ErrMoreThanTwoGenerators
 	}

-	res := []map[string]interface{}{}
+	res := []map[string]any{}

-	g0, err := m.getParams(appSetGenerator.Matrix.Generators[0], appSet, nil)
+	g0, err := m.getParams(appSetGenerator.Matrix.Generators[0], appSet, nil, client)
 	if err != nil {
 		return nil, fmt.Errorf("error failed to get params for first generator in matrix generator: %w", err)
 	}
 	for _, a := range g0 {
-		g1, err := m.getParams(appSetGenerator.Matrix.Generators[1], appSet, a)
+		g1, err := m.getParams(appSetGenerator.Matrix.Generators[1], appSet, a, client)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get params for second generator in the matrix generator: %w", err)
 		}
 		for _, b := range g1 {
-
 			if appSet.Spec.GoTemplate {
-				tmp := map[string]interface{}{}
+				tmp := map[string]any{}
 				if err := mergo.Merge(&tmp, b, mergo.WithOverride); err != nil {
 					return nil, fmt.Errorf("failed to merge params from the second generator in the matrix generator with temp map: %w", err)
 				}
@@ -73,7 +71,7 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 				if err != nil {
 					return nil, fmt.Errorf("failed to combine string maps with merging params for the matrix generator: %w", err)
 				}
-				res = append(res, utils.ConvertToMapStringInterface(val))
+				res = append(res, val)
 			}
 		}
 	}
@@ -81,27 +79,15 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 	return res, nil
 }

-func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]interface{}) ([]map[string]interface{}, error) {
+func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]any, client client.Client) ([]map[string]any, error) {
 	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
 	if err != nil {
 		return nil, err
 	}
-	if matrixGen != nil && !appSet.Spec.ApplyNestedSelectors {
-		foundSelector := dropDisabledNestedSelectors(matrixGen.Generators)
-		if foundSelector {
-			log.Warnf("AppSet '%v' defines selector on nested matrix generator's generator without enabling them via 'spec.applyNestedSelectors', ignoring nested selectors", appSet.Name)
-		}
-	}
 	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
 	if err != nil {
 		return nil, fmt.Errorf("error retrieving merge generator: %w", err)
 	}
-	if mergeGen != nil && !appSet.Spec.ApplyNestedSelectors {
-		foundSelector := dropDisabledNestedSelectors(mergeGen.Generators)
-		if foundSelector {
-			log.Warnf("AppSet '%v' defines selector on nested merge generator's generator without enabling them via 'spec.applyNestedSelectors', ignoring nested selectors", appSet.Name)
-		}
-	}

 	t, err := Transform(
 		argoprojiov1alpha1.ApplicationSetGenerator{
@@ -119,14 +105,14 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli
 		m.supportedGenerators,
 		argoprojiov1alpha1.ApplicationSetTemplate{},
 		appSet,
-		params)
-
+		params,
+		client)
 	if err != nil {
-		return nil, fmt.Errorf("child generator returned an error on parameter generation: %v", err)
+		return nil, fmt.Errorf("child generator returned an error on parameter generation: %w", err)
 	}

 	if len(t) == 0 {
-		return nil, fmt.Errorf("child generator generated no parameters")
+		return nil, errors.New("child generator generated no parameters")
 	}

 	if len(t) > 1 {
@@ -169,10 +155,8 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap

 	if found {
 		return res
-	} else {
-		return NoRequeueAfter
 	}
-
+	return NoRequeueAfter
 }

 func getMatrixGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MatrixGenerator, error) {
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
--- a/applicationset/generators/merge.go
+++ b/applicationset/generators/merge.go
@@ -2,23 +2,23 @@ package generators

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
+	"maps"
 	"time"

-	"github.com/imdario/mergo"
+	"dario.cat/mergo"
+	"sigs.k8s.io/controller-runtime/pkg/client"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-
-	log "github.com/sirupsen/logrus"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 var _ Generator = (*MergeGenerator)(nil)

 var (
-	ErrLessThanTwoGeneratorsInMerge = fmt.Errorf("found less than two generators, Merge requires two or more")
-	ErrNoMergeKeys                  = fmt.Errorf("no merge keys were specified, Merge requires at least one")
-	ErrNonUniqueParamSets           = fmt.Errorf("the parameters from a generator were not unique by the given mergeKeys, Merge requires all param sets to be unique")
+	ErrLessThanTwoGeneratorsInMerge = errors.New("found less than two generators, Merge requires two or more")
+	ErrNoMergeKeys                  = errors.New("no merge keys were specified, Merge requires at least one")
+	ErrNonUniqueParamSets           = errors.New("the parameters from a generator were not unique by the given mergeKeys, Merge requires all param sets to be unique")
 )

 type MergeGenerator struct {
@@ -36,10 +36,10 @@ func NewMergeGenerator(supportedGenerators map[string]Generator) Generator {

 // getParamSetsForAllGenerators generates params for each child generator in a MergeGenerator. Param sets are returned
 // in slices ordered according to the order of the given generators.
-func (m *MergeGenerator) getParamSetsForAllGenerators(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([][]map[string]interface{}, error) {
-	var paramSets [][]map[string]interface{}
+func (m *MergeGenerator) getParamSetsForAllGenerators(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([][]map[string]any, error) {
+	var paramSets [][]map[string]any
 	for i, generator := range generators {
-		generatorParamSets, err := m.getParams(generator, appSet)
+		generatorParamSets, err := m.getParams(generator, appSet, client)
 		if err != nil {
 			return nil, fmt.Errorf("error getting params from generator %d of %d: %w", i+1, len(generators), err)
 		}
@@ -50,16 +50,16 @@ func (m *MergeGenerator) getParamSetsForAllGenerators(generators []argoprojiov1a
 }

 // GenerateParams gets the params produced by the MergeGenerator.
-func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]any, error) {
 	if appSetGenerator.Merge == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if len(appSetGenerator.Merge.Generators) < 2 {
 		return nil, ErrLessThanTwoGeneratorsInMerge
 	}

-	paramSetsFromGenerators, err := m.getParamSetsForAllGenerators(appSetGenerator.Merge.Generators, appSet)
+	paramSetsFromGenerators, err := m.getParamSetsForAllGenerators(appSetGenerator.Merge.Generators, appSet, client)
 	if err != nil {
 		return nil, fmt.Errorf("error getting param sets from generators: %w", err)
 	}
@@ -77,28 +77,24 @@ func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appl

 		for mergeKeyValue, baseParamSet := range baseParamSetsByMergeKey {
 			if overrideParamSet, exists := paramSetsByMergeKey[mergeKeyValue]; exists {
-
 				if appSet.Spec.GoTemplate {
 					if err := mergo.Merge(&baseParamSet, overrideParamSet, mergo.WithOverride); err != nil {
 						return nil, fmt.Errorf("error merging base param set with override param set: %w", err)
 					}
 					baseParamSetsByMergeKey[mergeKeyValue] = baseParamSet
 				} else {
-					overriddenParamSet, err := utils.CombineStringMapsAllowDuplicates(baseParamSet, overrideParamSet)
-					if err != nil {
-						return nil, fmt.Errorf("error combining string maps: %w", err)
-					}
-					baseParamSetsByMergeKey[mergeKeyValue] = utils.ConvertToMapStringInterface(overriddenParamSet)
+					maps.Copy(baseParamSet, overrideParamSet)
+					baseParamSetsByMergeKey[mergeKeyValue] = baseParamSet
 				}
 			}
 		}
 	}

-	mergedParamSets := make([]map[string]interface{}, len(baseParamSetsByMergeKey))
-	var i = 0
+	mergedParamSets := make([]map[string]any, len(baseParamSetsByMergeKey))
+	i := 0
 	for _, mergedParamSet := range baseParamSetsByMergeKey {
 		mergedParamSets[i] = mergedParamSet
-		i += 1
+		i++
 	}

 	return mergedParamSets, nil
@@ -107,7 +103,7 @@ func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appl
 // getParamSetsByMergeKey converts the given list of parameter sets to a map of parameter sets where the key is the
 // unique key of the parameter set as determined by the given mergeKeys. If any two parameter sets share the same merge
 // key, getParamSetsByMergeKey will throw NonUniqueParamSets.
-func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface{}) (map[string]map[string]interface{}, error) {
+func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]any) (map[string]map[string]any, error) {
 	if len(mergeKeys) < 1 {
 		return nil, ErrNoMergeKeys
 	}
@@ -117,17 +113,17 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface
 		deDuplicatedMergeKeys[mergeKey] = false
 	}

-	paramSetsByMergeKey := make(map[string]map[string]interface{}, len(paramSets))
+	paramSetsByMergeKey := make(map[string]map[string]any, len(paramSets))
 	for _, paramSet := range paramSets {
-		paramSetKey := make(map[string]interface{})
+		paramSetKey := make(map[string]any)
 		for mergeKey := range deDuplicatedMergeKeys {
 			paramSetKey[mergeKey] = paramSet[mergeKey]
 		}
-		paramSetKeyJson, err := json.Marshal(paramSetKey)
+		paramSetKeyJSON, err := json.Marshal(paramSetKey)
 		if err != nil {
 			return nil, fmt.Errorf("error marshalling param set key json: %w", err)
 		}
-		paramSetKeyString := string(paramSetKeyJson)
+		paramSetKeyString := string(paramSetKeyJSON)
 		if _, exists := paramSetsByMergeKey[paramSetKeyString]; exists {
 			return nil, fmt.Errorf("%w. Duplicate key was %s", ErrNonUniqueParamSets, paramSetKeyString)
 		}
@@ -138,27 +134,15 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface
 }

 // getParams get the parameters generated by this generator.
-func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]any, error) {
 	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
 	if err != nil {
 		return nil, err
 	}
-	if matrixGen != nil && !appSet.Spec.ApplyNestedSelectors {
-		foundSelector := dropDisabledNestedSelectors(matrixGen.Generators)
-		if foundSelector {
-			log.Warnf("AppSet '%v' defines selector on nested matrix generator's generator without enabling them via 'spec.applyNestedSelectors', ignoring nested selector", appSet.Name)
-		}
-	}
 	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
 	if err != nil {
 		return nil, err
 	}
-	if mergeGen != nil && !appSet.Spec.ApplyNestedSelectors {
-		foundSelector := dropDisabledNestedSelectors(mergeGen.Generators)
-		if foundSelector {
-			log.Warnf("AppSet '%v' defines selector on nested merge generator's generator without enabling them via 'spec.applyNestedSelectors', ignoring nested selector", appSet.Name)
-		}
-	}

 	t, err := Transform(
 		argoprojiov1alpha1.ApplicationSetGenerator{
@@ -176,14 +160,13 @@ func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Applic
 		m.supportedGenerators,
 		argoprojiov1alpha1.ApplicationSetTemplate{},
 		appSet,
-		map[string]interface{}{})
-
+		map[string]any{}, client)
 	if err != nil {
-		return nil, fmt.Errorf("child generator returned an error on parameter generation: %v", err)
+		return nil, fmt.Errorf("child generator returned an error on parameter generation: %w", err)
 	}

 	if len(t) == 0 {
-		return nil, fmt.Errorf("child generator generated no parameters")
+		return nil, errors.New("child generator generated no parameters")
 	}

 	if len(t) > 1 {
@@ -224,10 +207,8 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App

 	if found {
 		return res
-	} else {
-		return NoRequeueAfter
 	}
-
+	return NoRequeueAfter
 }

 func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MergeGenerator, error) {
--- a/applicationset/generators/merge_test.go
+++ b/applicationset/generators/merge_test.go
@@ -6,9 +6,10 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 func getNestedListGenerator(json string) *argoprojiov1alpha1.ApplicationSetNestedGenerator {
@@ -35,27 +36,28 @@ func getTerminalListGeneratorMultiple(jsons []string) argoprojiov1alpha1.Applica
 	return generator
 }

-func listOfMapsToSet(maps []map[string]interface{}) (map[string]bool, error) {
+func listOfMapsToSet(maps []map[string]any) (map[string]bool, error) {
 	set := make(map[string]bool, len(maps))
 	for _, paramMap := range maps {
-		paramMapAsJson, err := json.Marshal(paramMap)
+		paramMapAsJSON, err := json.Marshal(paramMap)
 		if err != nil {
 			return nil, err
 		}

-		set[string(paramMapAsJson)] = false
+		set[string(paramMapAsJSON)] = false
 	}
 	return set, nil
 }

 func TestMergeGenerate(t *testing.T) {
+	t.Parallel()

 	testCases := []struct {
 		name           string
 		baseGenerators []argoprojiov1alpha1.ApplicationSetNestedGenerator
 		mergeKeys      []string
 		expectedErr    error
-		expected       []map[string]interface{}
+		expected       []map[string]any
 	}{
 		{
 			name:           "no generators",
@@ -79,7 +81,7 @@ func TestMergeGenerate(t *testing.T) {
 				*getNestedListGenerator(`{"a": "3_1","b": "different","c": "3_3"}`), // gets ignored because its merge key value isn't in the base params set
 			},
 			mergeKeys: []string{"b"},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"a": "2_1", "b": "same", "c": "1_3"},
 			},
 		},
@@ -90,7 +92,7 @@ func TestMergeGenerate(t *testing.T) {
 				*getNestedListGenerator(`{"a": "a"}`),
 			},
 			mergeKeys: []string{"b"},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"a": "a"},
 			},
 		},
@@ -101,7 +103,7 @@ func TestMergeGenerate(t *testing.T) {
 				*getNestedListGenerator(`{"b": "b"}`),
 			},
 			mergeKeys: []string{"b"},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"a": "a"},
 			},
 		},
@@ -119,7 +121,7 @@ func TestMergeGenerate(t *testing.T) {
 				*getNestedListGenerator(`{"a": "1", "b": "1", "c": "added"}`),
 			},
 			mergeKeys: []string{"a", "b"},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"a": "1", "b": "1", "c": "added"},
 				{"a": "1", "b": "2"},
 				{"a": "2", "b": "1"},
@@ -141,7 +143,7 @@ func TestMergeGenerate(t *testing.T) {
 				*getNestedListGenerator(`{"a": "1", "b": "3", "d": "added"}`),
 			},
 			mergeKeys: []string{"a", "b"},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{"a": "1", "b": "3", "c": "added", "d": "added"},
 				{"a": "2", "b": "2"},
 			},
@@ -156,7 +158,7 @@ func TestMergeGenerate(t *testing.T) {

 			appSet := &argoprojiov1alpha1.ApplicationSet{}

-			var mergeGenerator = NewMergeGenerator(
+			mergeGenerator := NewMergeGenerator(
 				map[string]Generator{
 					"List": &ListGenerator{},
 					"Matrix": &MatrixGenerator{
@@ -178,26 +180,26 @@ func TestMergeGenerate(t *testing.T) {
 					MergeKeys:  testCaseCopy.mergeKeys,
 					Template:   argoprojiov1alpha1.ApplicationSetTemplate{},
 				},
-			}, appSet)
+			}, appSet, nil)

 			if testCaseCopy.expectedErr != nil {
-				assert.EqualError(t, err, testCaseCopy.expectedErr.Error())
+				require.EqualError(t, err, testCaseCopy.expectedErr.Error())
 			} else {
 				expectedSet, err := listOfMapsToSet(testCaseCopy.expected)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				actualSet, err := listOfMapsToSet(got)
-				assert.NoError(t, err)
+				require.NoError(t, err)

-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, expectedSet, actualSet)
 			}
 		})
 	}
 }

-func toAPIExtensionsJSON(t *testing.T, g interface{}) *apiextensionsv1.JSON {
-
+func toAPIExtensionsJSON(t *testing.T, g any) *apiextensionsv1.JSON {
+	t.Helper()
 	resVal, err := json.Marshal(g)
 	if err != nil {
 		t.Error("unable to unmarshal json", g)
@@ -210,12 +212,14 @@ func toAPIExtensionsJSON(t *testing.T, g interface{}) *apiextensionsv1.JSON {
 }

 func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name        string
 		mergeKeys   []string
-		paramSets   []map[string]interface{}
+		paramSets   []map[string]any
 		expectedErr error
-		expected    map[string]map[string]interface{}
+		expected    map[string]map[string]any
 	}{
 		{
 			name:        "no merge keys",
@@ -225,13 +229,13 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 		{
 			name:      "no paramSets",
 			mergeKeys: []string{"key"},
-			expected:  make(map[string]map[string]interface{}),
+			expected:  make(map[string]map[string]any),
 		},
 		{
 			name:      "simple key, unique paramSets",
 			mergeKeys: []string{"key"},
-			paramSets: []map[string]interface{}{{"key": "a"}, {"key": "b"}},
-			expected: map[string]map[string]interface{}{
+			paramSets: []map[string]any{{"key": "a"}, {"key": "b"}},
+			expected: map[string]map[string]any{
 				`{"key":"a"}`: {"key": "a"},
 				`{"key":"b"}`: {"key": "b"},
 			},
@@ -239,23 +243,23 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 		{
 			name:      "simple key object, unique paramSets",
 			mergeKeys: []string{"key"},
-			paramSets: []map[string]interface{}{{"key": map[string]interface{}{"hello": "world"}}, {"key": "b"}},
-			expected: map[string]map[string]interface{}{
-				`{"key":{"hello":"world"}}`: {"key": map[string]interface{}{"hello": "world"}},
+			paramSets: []map[string]any{{"key": map[string]any{"hello": "world"}}, {"key": "b"}},
+			expected: map[string]map[string]any{
+				`{"key":{"hello":"world"}}`: {"key": map[string]any{"hello": "world"}},
 				`{"key":"b"}`:               {"key": "b"},
 			},
 		},
 		{
 			name:        "simple key, non-unique paramSets",
 			mergeKeys:   []string{"key"},
-			paramSets:   []map[string]interface{}{{"key": "a"}, {"key": "b"}, {"key": "b"}},
+			paramSets:   []map[string]any{{"key": "a"}, {"key": "b"}, {"key": "b"}},
 			expectedErr: fmt.Errorf("%w. Duplicate key was %s", ErrNonUniqueParamSets, `{"key":"b"}`),
 		},
 		{
 			name:      "simple key, duplicated key name, unique paramSets",
 			mergeKeys: []string{"key", "key"},
-			paramSets: []map[string]interface{}{{"key": "a"}, {"key": "b"}},
-			expected: map[string]map[string]interface{}{
+			paramSets: []map[string]any{{"key": "a"}, {"key": "b"}},
+			expected: map[string]map[string]any{
 				`{"key":"a"}`: {"key": "a"},
 				`{"key":"b"}`: {"key": "b"},
 			},
@@ -263,18 +267,18 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 		{
 			name:        "simple key, duplicated key name, non-unique paramSets",
 			mergeKeys:   []string{"key", "key"},
-			paramSets:   []map[string]interface{}{{"key": "a"}, {"key": "b"}, {"key": "b"}},
+			paramSets:   []map[string]any{{"key": "a"}, {"key": "b"}, {"key": "b"}},
 			expectedErr: fmt.Errorf("%w. Duplicate key was %s", ErrNonUniqueParamSets, `{"key":"b"}`),
 		},
 		{
 			name:      "compound key, unique paramSets",
 			mergeKeys: []string{"key1", "key2"},
-			paramSets: []map[string]interface{}{
+			paramSets: []map[string]any{
 				{"key1": "a", "key2": "a"},
 				{"key1": "a", "key2": "b"},
 				{"key1": "b", "key2": "a"},
 			},
-			expected: map[string]map[string]interface{}{
+			expected: map[string]map[string]any{
 				`{"key1":"a","key2":"a"}`: {"key1": "a", "key2": "a"},
 				`{"key1":"a","key2":"b"}`: {"key1": "a", "key2": "b"},
 				`{"key1":"b","key2":"a"}`: {"key1": "b", "key2": "a"},
@@ -283,13 +287,13 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 		{
 			name:      "compound key object, unique paramSets",
 			mergeKeys: []string{"key1", "key2"},
-			paramSets: []map[string]interface{}{
-				{"key1": "a", "key2": map[string]interface{}{"hello": "world"}},
+			paramSets: []map[string]any{
+				{"key1": "a", "key2": map[string]any{"hello": "world"}},
 				{"key1": "a", "key2": "b"},
 				{"key1": "b", "key2": "a"},
 			},
-			expected: map[string]map[string]interface{}{
-				`{"key1":"a","key2":{"hello":"world"}}`: {"key1": "a", "key2": map[string]interface{}{"hello": "world"}},
+			expected: map[string]map[string]any{
+				`{"key1":"a","key2":{"hello":"world"}}`: {"key1": "a", "key2": map[string]any{"hello": "world"}},
 				`{"key1":"a","key2":"b"}`:               {"key1": "a", "key2": "b"},
 				`{"key1":"b","key2":"a"}`:               {"key1": "b", "key2": "a"},
 			},
@@ -297,12 +301,12 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 		{
 			name:      "compound key, duplicate key names, unique paramSets",
 			mergeKeys: []string{"key1", "key1", "key2"},
-			paramSets: []map[string]interface{}{
+			paramSets: []map[string]any{
 				{"key1": "a", "key2": "a"},
 				{"key1": "a", "key2": "b"},
 				{"key1": "b", "key2": "a"},
 			},
-			expected: map[string]map[string]interface{}{
+			expected: map[string]map[string]any{
 				`{"key1":"a","key2":"a"}`: {"key1": "a", "key2": "a"},
 				`{"key1":"a","key2":"b"}`: {"key1": "a", "key2": "b"},
 				`{"key1":"b","key2":"a"}`: {"key1": "b", "key2": "a"},
@@ -311,7 +315,7 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 		{
 			name:      "compound key, non-unique paramSets",
 			mergeKeys: []string{"key1", "key2"},
-			paramSets: []map[string]interface{}{
+			paramSets: []map[string]any{
 				{"key1": "a", "key2": "a"},
 				{"key1": "a", "key2": "a"},
 				{"key1": "b", "key2": "a"},
@@ -321,7 +325,7 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 		{
 			name:      "compound key, duplicate key names, non-unique paramSets",
 			mergeKeys: []string{"key1", "key1", "key2"},
-			paramSets: []map[string]interface{}{
+			paramSets: []map[string]any{
 				{"key1": "a", "key2": "a"},
 				{"key1": "a", "key2": "a"},
 				{"key1": "b", "key2": "a"},
@@ -339,13 +343,11 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 			got, err := getParamSetsByMergeKey(testCaseCopy.mergeKeys, testCaseCopy.paramSets)

 			if testCaseCopy.expectedErr != nil {
-				assert.EqualError(t, err, testCaseCopy.expectedErr.Error())
+				require.EqualError(t, err, testCaseCopy.expectedErr.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
-
 	}
 }
--- a/applicationset/generators/mocks/Generator.go
+++ b/applicationset/generators/mocks/Generator.go
@@ -1,88 +1,17 @@
-// Code generated by mockery v2.40.2. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

 package mocks

 import (
-	time "time"
+	"time"

+	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	mock "github.com/stretchr/testify/mock"
-
-	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )

-// Generator is an autogenerated mock type for the Generator type
-type Generator struct {
-	mock.Mock
-}
-
-// GenerateParams provides a mock function with given fields: appSetGenerator, applicationSetInfo
-func (_m *Generator) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, applicationSetInfo *v1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-	ret := _m.Called(appSetGenerator, applicationSetInfo)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GenerateParams")
-	}
-
-	var r0 []map[string]interface{}
-	var r1 error
-	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet) ([]map[string]interface{}, error)); ok {
-		return rf(appSetGenerator, applicationSetInfo)
-	}
-	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet) []map[string]interface{}); ok {
-		r0 = rf(appSetGenerator, applicationSetInfo)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]map[string]interface{})
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet) error); ok {
-		r1 = rf(appSetGenerator, applicationSetInfo)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// GetRequeueAfter provides a mock function with given fields: appSetGenerator
-func (_m *Generator) GetRequeueAfter(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration {
-	ret := _m.Called(appSetGenerator)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetRequeueAfter")
-	}
-
-	var r0 time.Duration
-	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) time.Duration); ok {
-		r0 = rf(appSetGenerator)
-	} else {
-		r0 = ret.Get(0).(time.Duration)
-	}
-
-	return r0
-}
-
-// GetTemplate provides a mock function with given fields: appSetGenerator
-func (_m *Generator) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate {
-	ret := _m.Called(appSetGenerator)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetTemplate")
-	}
-
-	var r0 *v1alpha1.ApplicationSetTemplate
-	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate); ok {
-		r0 = rf(appSetGenerator)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.ApplicationSetTemplate)
-		}
-	}
-
-	return r0
-}
-
 // NewGenerator creates a new instance of Generator. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
 // The first argument is typically a *testing.T value.
 func NewGenerator(t interface {
@@ -96,3 +25,194 @@ func NewGenerator(t interface {

 	return mock
 }
+
+// Generator is an autogenerated mock type for the Generator type
+type Generator struct {
+	mock.Mock
+}
+
+type Generator_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *Generator) EXPECT() *Generator_Expecter {
+	return &Generator_Expecter{mock: &_m.Mock}
+}
+
+// GenerateParams provides a mock function for the type Generator
+func (_mock *Generator) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, applicationSetInfo *v1alpha1.ApplicationSet, client1 client.Client) ([]map[string]any, error) {
+	ret := _mock.Called(appSetGenerator, applicationSetInfo, client1)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GenerateParams")
+	}
+
+	var r0 []map[string]any
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) ([]map[string]any, error)); ok {
+		return returnFunc(appSetGenerator, applicationSetInfo, client1)
+	}
+	if returnFunc, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) []map[string]any); ok {
+		r0 = returnFunc(appSetGenerator, applicationSetInfo, client1)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]map[string]any)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) error); ok {
+		r1 = returnFunc(appSetGenerator, applicationSetInfo, client1)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Generator_GenerateParams_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GenerateParams'
+type Generator_GenerateParams_Call struct {
+	*mock.Call
+}
+
+// GenerateParams is a helper method to define mock.On call
+//   - appSetGenerator *v1alpha1.ApplicationSetGenerator
+//   - applicationSetInfo *v1alpha1.ApplicationSet
+//   - client1 client.Client
+func (_e *Generator_Expecter) GenerateParams(appSetGenerator interface{}, applicationSetInfo interface{}, client1 interface{}) *Generator_GenerateParams_Call {
+	return &Generator_GenerateParams_Call{Call: _e.mock.On("GenerateParams", appSetGenerator, applicationSetInfo, client1)}
+}
+
+func (_c *Generator_GenerateParams_Call) Run(run func(appSetGenerator *v1alpha1.ApplicationSetGenerator, applicationSetInfo *v1alpha1.ApplicationSet, client1 client.Client)) *Generator_GenerateParams_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1alpha1.ApplicationSetGenerator
+		if args[0] != nil {
+			arg0 = args[0].(*v1alpha1.ApplicationSetGenerator)
+		}
+		var arg1 *v1alpha1.ApplicationSet
+		if args[1] != nil {
+			arg1 = args[1].(*v1alpha1.ApplicationSet)
+		}
+		var arg2 client.Client
+		if args[2] != nil {
+			arg2 = args[2].(client.Client)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Generator_GenerateParams_Call) Return(stringToVs []map[string]any, err error) *Generator_GenerateParams_Call {
+	_c.Call.Return(stringToVs, err)
+	return _c
+}
+
+func (_c *Generator_GenerateParams_Call) RunAndReturn(run func(appSetGenerator *v1alpha1.ApplicationSetGenerator, applicationSetInfo *v1alpha1.ApplicationSet, client1 client.Client) ([]map[string]any, error)) *Generator_GenerateParams_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetRequeueAfter provides a mock function for the type Generator
+func (_mock *Generator) GetRequeueAfter(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration {
+	ret := _mock.Called(appSetGenerator)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetRequeueAfter")
+	}
+
+	var r0 time.Duration
+	if returnFunc, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) time.Duration); ok {
+		r0 = returnFunc(appSetGenerator)
+	} else {
+		r0 = ret.Get(0).(time.Duration)
+	}
+	return r0
+}
+
+// Generator_GetRequeueAfter_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRequeueAfter'
+type Generator_GetRequeueAfter_Call struct {
+	*mock.Call
+}
+
+// GetRequeueAfter is a helper method to define mock.On call
+//   - appSetGenerator *v1alpha1.ApplicationSetGenerator
+func (_e *Generator_Expecter) GetRequeueAfter(appSetGenerator interface{}) *Generator_GetRequeueAfter_Call {
+	return &Generator_GetRequeueAfter_Call{Call: _e.mock.On("GetRequeueAfter", appSetGenerator)}
+}
+
+func (_c *Generator_GetRequeueAfter_Call) Run(run func(appSetGenerator *v1alpha1.ApplicationSetGenerator)) *Generator_GetRequeueAfter_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1alpha1.ApplicationSetGenerator
+		if args[0] != nil {
+			arg0 = args[0].(*v1alpha1.ApplicationSetGenerator)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *Generator_GetRequeueAfter_Call) Return(duration time.Duration) *Generator_GetRequeueAfter_Call {
+	_c.Call.Return(duration)
+	return _c
+}
+
+func (_c *Generator_GetRequeueAfter_Call) RunAndReturn(run func(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration) *Generator_GetRequeueAfter_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTemplate provides a mock function for the type Generator
+func (_mock *Generator) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate {
+	ret := _mock.Called(appSetGenerator)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTemplate")
+	}
+
+	var r0 *v1alpha1.ApplicationSetTemplate
+	if returnFunc, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate); ok {
+		r0 = returnFunc(appSetGenerator)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.ApplicationSetTemplate)
+		}
+	}
+	return r0
+}
+
+// Generator_GetTemplate_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTemplate'
+type Generator_GetTemplate_Call struct {
+	*mock.Call
+}
+
+// GetTemplate is a helper method to define mock.On call
+//   - appSetGenerator *v1alpha1.ApplicationSetGenerator
+func (_e *Generator_Expecter) GetTemplate(appSetGenerator interface{}) *Generator_GetTemplate_Call {
+	return &Generator_GetTemplate_Call{Call: _e.mock.On("GetTemplate", appSetGenerator)}
+}
+
+func (_c *Generator_GetTemplate_Call) Run(run func(appSetGenerator *v1alpha1.ApplicationSetGenerator)) *Generator_GetTemplate_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1alpha1.ApplicationSetGenerator
+		if args[0] != nil {
+			arg0 = args[0].(*v1alpha1.ApplicationSetGenerator)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *Generator_GetTemplate_Call) Return(applicationSetTemplate *v1alpha1.ApplicationSetTemplate) *Generator_GetTemplate_Call {
+	_c.Call.Return(applicationSetTemplate)
+	return _c
+}
+
+func (_c *Generator_GetTemplate_Call) RunAndReturn(run func(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate) *Generator_GetTemplate_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/applicationset/generators/plugin.go
+++ b/applicationset/generators/plugin.go
@@ -2,6 +2,7 @@ package generators

 import (
 	"context"
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
@@ -9,33 +10,28 @@ import (

 	"github.com/jeremywohl/flatten"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v2/util/settings"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/settings"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/plugin"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/plugin"
 )

 const (
-	DefaultPluginRequeueAfterSeconds = 30 * time.Minute
+	DefaultPluginRequeueAfter = 30 * time.Minute
 )

 var _ Generator = (*PluginGenerator)(nil)

 type PluginGenerator struct {
 	client    client.Client
-	ctx       context.Context
-	clientset kubernetes.Interface
 	namespace string
 }

-func NewPluginGenerator(client client.Client, ctx context.Context, clientset kubernetes.Interface, namespace string) Generator {
+func NewPluginGenerator(client client.Client, namespace string) Generator {
 	g := &PluginGenerator{
 		client:    client,
-		ctx:       ctx,
-		clientset: clientset,
 		namespace: namespace,
 	}
 	return g
@@ -48,21 +44,20 @@ func (g *PluginGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 		return time.Duration(*appSetGenerator.Plugin.RequeueAfterSeconds) * time.Second
 	}

-	return DefaultPluginRequeueAfterSeconds
+	return DefaultPluginRequeueAfter
 }

 func (g *PluginGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Plugin.Template
 }

-func (g *PluginGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (g *PluginGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
 	if appSetGenerator == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if appSetGenerator.Plugin == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	ctx := context.Background()
@@ -94,7 +89,7 @@ func (g *PluginGenerator) getPluginFromGenerator(ctx context.Context, appSetName
 	}
 	token, err := g.getToken(ctx, cm["token"])
 	if err != nil {
-		return nil, fmt.Errorf("error fetching Secret token: %v", err)
+		return nil, fmt.Errorf("error fetching Secret token: %w", err)
 	}

 	var requestTimeout int
@@ -106,19 +101,18 @@ func (g *PluginGenerator) getPluginFromGenerator(ctx context.Context, appSetName
 		}
 	}

-	pluginClient, err := plugin.NewPluginService(ctx, appSetName, cm["baseUrl"], token, requestTimeout)
+	pluginClient, err := plugin.NewPluginService(appSetName, cm["baseUrl"], token, requestTimeout)
 	if err != nil {
 		return nil, fmt.Errorf("error initializing plugin client: %w", err)
 	}
 	return pluginClient, nil
 }

-func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, objectsFound []map[string]interface{}, pluginParams argoprojiov1alpha1.PluginParameters, useGoTemplate bool) ([]map[string]interface{}, error) {
-	res := []map[string]interface{}{}
+func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, objectsFound []map[string]any, pluginParams argoprojiov1alpha1.PluginParameters, useGoTemplate bool) ([]map[string]any, error) {
+	res := []map[string]any{}

 	for _, objectFound := range objectsFound {
-
-		params := map[string]interface{}{}
+		params := map[string]any{}

 		if useGoTemplate {
 			for k, v := range objectFound {
@@ -134,7 +128,7 @@ func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.App
 			}
 		}

-		params["generator"] = map[string]interface{}{
+		params["generator"] = map[string]any{
 			"input": map[string]argoprojiov1alpha1.PluginParameters{
 				"parameters": pluginParams,
 			},
@@ -152,7 +146,6 @@ func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.App
 }

 func (g *PluginGenerator) getToken(ctx context.Context, tokenRef string) (string, error) {
-
 	if tokenRef == "" || !strings.HasPrefix(tokenRef, "$") {
 		return "", fmt.Errorf("token is empty, or does not reference a secret key starting with '$': %v", tokenRef)
 	}
@@ -167,9 +160,8 @@ func (g *PluginGenerator) getToken(ctx context.Context, tokenRef string) (string
 			Namespace: g.namespace,
 		},
 		secret)
-
 	if err != nil {
-		return "", fmt.Errorf("error fetching secret %s/%s: %v", g.namespace, secretName, err)
+		return "", fmt.Errorf("error fetching secret %s/%s: %w", g.namespace, secretName, err)
 	}

 	secretValues := make(map[string]string, len(secret.Data))
@@ -192,19 +184,18 @@ func (g *PluginGenerator) getConfigMap(ctx context.Context, configMapRef string)
 			Namespace: g.namespace,
 		},
 		cm)
-
 	if err != nil {
 		return nil, err
 	}

-	baseUrl, ok := cm.Data["baseUrl"]
-	if !ok || baseUrl == "" {
-		return nil, fmt.Errorf("baseUrl not found in ConfigMap")
+	baseURL, ok := cm.Data["baseUrl"]
+	if !ok || baseURL == "" {
+		return nil, errors.New("baseUrl not found in ConfigMap")
 	}

 	token, ok := cm.Data["token"]
 	if !ok || token == "" {
-		return nil, fmt.Errorf("token not found in ConfigMap")
+		return nil, errors.New("token not found in ConfigMap")
 	}

 	return cm.Data, nil
--- a/applicationset/generators/plugin_test.go
+++ b/applicationset/generators/plugin_test.go
@@ -1,8 +1,8 @@
 package generators

 import (
-	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -11,33 +11,31 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	kubefake "k8s.io/client-go/kubernetes/fake"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/plugin"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/plugin"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 func TestPluginGenerateParams(t *testing.T) {
 	testCases := []struct {
 		name            string
-		configmap       *v1.ConfigMap
-		secret          *v1.Secret
+		configmap       *corev1.ConfigMap
+		secret          *corev1.Secret
 		inputParameters map[string]apiextensionsv1.JSON
 		values          map[string]string
 		gotemplate      bool
-		expected        []map[string]interface{}
+		expected        []map[string]any
 		content         []byte
 		expectedError   error
 	}{
 		{
 			name: "simple case",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -47,7 +45,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -73,13 +71,13 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3": 123
                }]
 			 }}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
 					"key2.key2_2.key2_2_1": "val2_2_1",
 					"key3":                 "123",
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -93,7 +91,7 @@ func TestPluginGenerateParams(t *testing.T) {
 		},
 		{
 			name: "simple case with values",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -103,7 +101,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -133,7 +131,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3": 123
                }]
 			 }}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
@@ -141,7 +139,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3":                 "123",
 					"values.valuekey1":     "valuevalue1",
 					"values.valuekey2":     "templated-val1",
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -155,7 +153,7 @@ func TestPluginGenerateParams(t *testing.T) {
 		},
 		{
 			name: "simple case with gotemplate",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -165,7 +163,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -191,17 +189,17 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3": 123
                }]
 			 }}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1": "val1",
-					"key2": map[string]interface{}{
+					"key2": map[string]any{
 						"key2_1": "val2_1",
-						"key2_2": map[string]interface{}{
+						"key2_2": map[string]any{
 							"key2_2_1": "val2_2_1",
 						},
 					},
 					"key3": float64(123),
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -215,7 +213,7 @@ func TestPluginGenerateParams(t *testing.T) {
 		},
 		{
 			name: "simple case with appended params",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -225,7 +223,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -250,14 +248,14 @@ func TestPluginGenerateParams(t *testing.T) {
 				"key3": 123,
 				"pkey2": "valplugin"
 			 }]}}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
 					"key2.key2_2.key2_2_1": "val2_2_1",
 					"key3":                 "123",
 					"pkey2":                "valplugin",
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -271,7 +269,7 @@ func TestPluginGenerateParams(t *testing.T) {
 		},
 		{
 			name: "no params",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -281,7 +279,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -304,14 +302,14 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3": 123
                }]
 			 }}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
 					"key2.key2_2.key2_2_1": "val2_2_1",
 					"key3":                 "123",
-					"generator": map[string]interface{}{
-						"input": map[string]map[string]interface{}{
+					"generator": map[string]any{
+						"input": map[string]map[string]any{
 							"parameters": {},
 						},
 					},
@@ -321,7 +319,7 @@ func TestPluginGenerateParams(t *testing.T) {
 		},
 		{
 			name: "empty return",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -331,7 +329,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -343,12 +341,12 @@ func TestPluginGenerateParams(t *testing.T) {
 			inputParameters: map[string]apiextensionsv1.JSON{},
 			gotemplate:      false,
 			content:         []byte(`{"input": {"parameters": []}}`),
-			expected:        []map[string]interface{}{},
+			expected:        []map[string]any{},
 			expectedError:   nil,
 		},
 		{
 			name: "wrong return",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -358,7 +356,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -370,12 +368,12 @@ func TestPluginGenerateParams(t *testing.T) {
 			inputParameters: map[string]apiextensionsv1.JSON{},
 			gotemplate:      false,
 			content:         []byte(`wrong body ...`),
-			expected:        []map[string]interface{}{},
-			expectedError:   fmt.Errorf("error listing params: error get api 'set': invalid character 'w' looking for beginning of value: wrong body ..."),
+			expected:        []map[string]any{},
+			expectedError:   errors.New("error listing params: error get api 'set': invalid character 'w' looking for beginning of value: wrong body ..."),
 		},
 		{
 			name: "external secret",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -385,7 +383,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin-secret:plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "plugin-secret",
 					Namespace: "default",
@@ -410,14 +408,14 @@ func TestPluginGenerateParams(t *testing.T) {
 				"key3": 123,
 				"pkey2": "valplugin"
 			 }]}}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
 					"key2.key2_2.key2_2_1": "val2_2_1",
 					"key3":                 "123",
 					"pkey2":                "valplugin",
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -431,7 +429,7 @@ func TestPluginGenerateParams(t *testing.T) {
 		},
 		{
 			name: "no secret",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -441,7 +439,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token":   "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{},
+			secret: &corev1.Secret{},
 			inputParameters: map[string]apiextensionsv1.JSON{
 				"pkey1": {Raw: []byte(`"val1"`)},
 				"pkey2": {Raw: []byte(`"val2"`)},
@@ -459,13 +457,13 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3": 123
                }]
 			 }}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
 					"key2.key2_2.key2_2_1": "val2_2_1",
 					"key3":                 "123",
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -475,12 +473,12 @@ func TestPluginGenerateParams(t *testing.T) {
 					},
 				},
 			},
-			expectedError: fmt.Errorf("error getting plugin from generator: error fetching Secret token: error fetching secret default/argocd-secret: secrets \"argocd-secret\" not found"),
+			expectedError: errors.New("error getting plugin from generator: error fetching Secret token: error fetching secret default/argocd-secret: secrets \"argocd-secret\" not found"),
 		},
 		{
 			name:      "no configmap",
-			configmap: &v1.ConfigMap{},
-			secret: &v1.Secret{
+			configmap: &corev1.ConfigMap{},
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -506,13 +504,13 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3": 123
                }]
 			 }}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
 					"key2.key2_2.key2_2_1": "val2_2_1",
 					"key3":                 "123",
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -522,11 +520,11 @@ func TestPluginGenerateParams(t *testing.T) {
 					},
 				},
 			},
-			expectedError: fmt.Errorf("error getting plugin from generator: error fetching ConfigMap: configmaps \"\" not found"),
+			expectedError: errors.New("error getting plugin from generator: error fetching ConfigMap: configmaps \"\" not found"),
 		},
 		{
 			name: "no baseUrl",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -535,7 +533,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"token": "$plugin.token",
 				},
 			},
-			secret: &v1.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "argocd-secret",
 					Namespace: "default",
@@ -561,13 +559,13 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3": 123
                }]
 			 }}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
 					"key2.key2_2.key2_2_1": "val2_2_1",
 					"key3":                 "123",
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -577,11 +575,11 @@ func TestPluginGenerateParams(t *testing.T) {
 					},
 				},
 			},
-			expectedError: fmt.Errorf("error getting plugin from generator: error fetching ConfigMap: baseUrl not found in ConfigMap"),
+			expectedError: errors.New("error getting plugin from generator: error fetching ConfigMap: baseUrl not found in ConfigMap"),
 		},
 		{
 			name: "no token",
-			configmap: &v1.ConfigMap{
+			configmap: &corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "first-plugin-cm",
 					Namespace: "default",
@@ -590,7 +588,7 @@ func TestPluginGenerateParams(t *testing.T) {
 					"baseUrl": "http://127.0.0.1",
 				},
 			},
-			secret: &v1.Secret{},
+			secret: &corev1.Secret{},
 			inputParameters: map[string]apiextensionsv1.JSON{
 				"pkey1": {Raw: []byte(`"val1"`)},
 				"pkey2": {Raw: []byte(`"val2"`)},
@@ -608,13 +606,13 @@ func TestPluginGenerateParams(t *testing.T) {
 					"key3": 123
                }]
 			 }}`),
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1":                 "val1",
 					"key2.key2_1":          "val2_1",
 					"key2.key2_2.key2_2_1": "val2_2_1",
 					"key3":                 "123",
-					"generator": map[string]interface{}{
+					"generator": map[string]any{
 						"input": argoprojiov1alpha1.PluginInput{
 							Parameters: argoprojiov1alpha1.PluginParameters{
 								"pkey1": {Raw: []byte(`"val1"`)},
@@ -624,16 +622,12 @@ func TestPluginGenerateParams(t *testing.T) {
 					},
 				},
 			},
-			expectedError: fmt.Errorf("error getting plugin from generator: error fetching ConfigMap: token not found in ConfigMap"),
+			expectedError: errors.New("error getting plugin from generator: error fetching ConfigMap: token not found in ConfigMap"),
 		},
 	}

-	ctx := context.Background()
-
 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			generatorConfig := argoprojiov1alpha1.ApplicationSetGenerator{
 				Plugin: &argoprojiov1alpha1.PluginGenerator{
 					ConfigMapRef: argoprojiov1alpha1.PluginConfigMapRef{Name: testCase.configmap.Name},
@@ -645,10 +639,9 @@ func TestPluginGenerateParams(t *testing.T) {
 			}

 			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-
 				authHeader := r.Header.Get("Authorization")
 				_, tokenKey := plugin.ParseSecretKey(testCase.configmap.Data["token"])
-				expectedToken := testCase.secret.Data[strings.Replace(tokenKey, "$", "", -1)]
+				expectedToken := testCase.secret.Data[strings.ReplaceAll(tokenKey, "$", "")]
 				if authHeader != "Bearer "+string(expectedToken) {
 					w.WriteHeader(http.StatusUnauthorized)
 					return
@@ -657,7 +650,7 @@ func TestPluginGenerateParams(t *testing.T) {
 				w.Header().Set("Content-Type", "application/json")
 				_, err := w.Write(testCase.content)
 				if err != nil {
-					assert.NoError(t, fmt.Errorf("Error Write %v", err))
+					require.NoError(t, fmt.Errorf("Error Write %w", err))
 				}
 			})

@@ -669,11 +662,9 @@ func TestPluginGenerateParams(t *testing.T) {
 				testCase.configmap.Data["baseUrl"] = fakeServer.URL
 			}

-			fakeClient := kubefake.NewSimpleClientset(append([]runtime.Object{}, testCase.configmap, testCase.secret)...)
-
 			fakeClientWithCache := fake.NewClientBuilder().WithObjects([]client.Object{testCase.configmap, testCase.secret}...).Build()

-			var pluginGenerator = NewPluginGenerator(fakeClientWithCache, ctx, fakeClient, "default")
+			pluginGenerator := NewPluginGenerator(fakeClientWithCache, "default")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -684,21 +675,20 @@ func TestPluginGenerateParams(t *testing.T) {
 				},
 			}

-			got, err := pluginGenerator.GenerateParams(&generatorConfig, &applicationSetInfo)
-
+			got, err := pluginGenerator.GenerateParams(&generatorConfig, &applicationSetInfo, nil)
 			if err != nil {
 				fmt.Println(err)
 			}

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
-				expectedJson, err := json.Marshal(testCase.expected)
 				require.NoError(t, err)
-				gotJson, err := json.Marshal(got)
+				expectedJSON, err := json.Marshal(testCase.expected)
 				require.NoError(t, err)
-				assert.Equal(t, string(expectedJson), string(gotJson))
+				gotJSON, err := json.Marshal(got)
+				require.NoError(t, err)
+				assert.JSONEq(t, string(expectedJSON), string(gotJSON))
 			}
 		})
 	}
--- a/applicationset/generators/pull_request.go
+++ b/applicationset/generators/pull_request.go
@@ -2,41 +2,37 @@ package generators

 import (
 	"context"
+	"errors"
 	"fmt"
+	"net/http"
 	"strconv"
 	"time"

-	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/gosimple/slug"
+	log "github.com/sirupsen/logrus"

-	pullrequest "github.com/argoproj/argo-cd/v2/applicationset/services/pull_request"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/services"
+	pullrequest "github.com/argoproj/argo-cd/v3/applicationset/services/pull_request"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-var _ Generator = (*PullRequestGenerator)(nil)
-
 const (
-	DefaultPullRequestRequeueAfterSeconds = 30 * time.Minute
+	DefaultPullRequestRequeueAfter = 30 * time.Minute
 )

 type PullRequestGenerator struct {
 	client                    client.Client
 	selectServiceProviderFunc func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error)
-	auth                      SCMAuthProviders
-	scmRootCAPath             string
-	allowedSCMProviders       []string
-	enableSCMProviders        bool
+	SCMConfig
 }

-func NewPullRequestGenerator(client client.Client, auth SCMAuthProviders, scmRootCAPath string, allowedScmProviders []string, enableSCMProviders bool) Generator {
+func NewPullRequestGenerator(client client.Client, scmConfig SCMConfig) Generator {
 	g := &PullRequestGenerator{
-		client:              client,
-		auth:                auth,
-		scmRootCAPath:       scmRootCAPath,
-		allowedSCMProviders: allowedScmProviders,
-		enableSCMProviders:  enableSCMProviders,
+		client:    client,
+		SCMConfig: scmConfig,
 	}
 	g.selectServiceProviderFunc = g.selectServiceProvider
 	return g
@@ -49,20 +45,24 @@ func (g *PullRequestGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alph
 		return time.Duration(*appSetGenerator.PullRequest.RequeueAfterSeconds) * time.Second
 	}

-	return DefaultPullRequestRequeueAfterSeconds
+	return DefaultPullRequestRequeueAfter
+}
+
+func (g *PullRequestGenerator) GetContinueOnRepoNotFoundError(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) bool {
+	return appSetGenerator.PullRequest.ContinueOnRepoNotFoundError
 }

 func (g *PullRequestGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.PullRequest.Template
 }

-func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
 	if appSetGenerator == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if appSetGenerator.PullRequest == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	ctx := context.Background()
@@ -72,10 +72,15 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	}

 	pulls, err := pullrequest.ListPullRequests(ctx, svc, appSetGenerator.PullRequest.Filters)
+	params := make([]map[string]any, 0, len(pulls))
 	if err != nil {
-		return nil, fmt.Errorf("error listing repos: %v", err)
+		if pullrequest.IsRepositoryNotFoundError(err) && g.GetContinueOnRepoNotFoundError(appSetGenerator) {
+			log.WithError(err).WithField("generator", g).
+				Warn("Skipping params generation for this repository since it was not found.")
+			return params, nil
+		}
+		return nil, fmt.Errorf("error listing repos: %w", err)
 	}
-	params := make([]map[string]interface{}, 0, len(pulls))

 	// In order to follow the DNS label standard as defined in RFC 1123,
 	// we need to limit the 'branch' to 50 to give room to append/suffix-ing it
@@ -101,8 +106,9 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			shortSHALength7 = len(pull.HeadSHA)
 		}

-		paramMap := map[string]interface{}{
-			"number":             strconv.Itoa(pull.Number),
+		paramMap := map[string]any{
+			"number":             strconv.FormatInt(pull.Number, 10),
+			"title":              pull.Title,
 			"branch":             pull.Branch,
 			"branch_slug":        slug.Make(pull.Branch),
 			"target_branch":      pull.TargetBranch,
@@ -110,12 +116,18 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			"head_sha":           pull.HeadSHA,
 			"head_short_sha":     pull.HeadSHA[:shortSHALength],
 			"head_short_sha_7":   pull.HeadSHA[:shortSHALength7],
+			"author":             pull.Author,
 		}

 		// PR lables will only be supported for Go Template appsets, since fasttemplate will be deprecated.
 		if applicationSetInfo != nil && applicationSetInfo.Spec.GoTemplate {
 			paramMap["labels"] = pull.Labels
 		}
+
+		err := appendTemplatedValues(appSetGenerator.PullRequest.Values, paramMap, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to append templated values: %w", err)
+		}
 		params = append(params, paramMap)
 	}
 	return params, nil
@@ -135,99 +147,115 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 	}
 	if generatorConfig.GitLab != nil {
 		providerConfig := generatorConfig.GitLab
-		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
-		if err != nil {
-			return nil, fmt.Errorf("error fetching Secret token: %v", err)
+		var caCerts []byte
+		var prErr error
+		if providerConfig.CARef != nil {
+			caCerts, prErr = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if prErr != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", prErr)
+			}
 		}
-		return pullrequest.NewGitLabService(ctx, token, providerConfig.API, providerConfig.Project, providerConfig.Labels, providerConfig.PullRequestState, g.scmRootCAPath, providerConfig.Insecure)
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching Secret token: %w", err)
+		}
+		return pullrequest.NewGitLabService(token, providerConfig.API, providerConfig.Project, providerConfig.Labels, providerConfig.PullRequestState, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 	}
 	if generatorConfig.Gitea != nil {
 		providerConfig := generatorConfig.Gitea
-		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Secret token: %v", err)
+			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
-		return pullrequest.NewGiteaService(ctx, token, providerConfig.API, providerConfig.Owner, providerConfig.Repo, providerConfig.Insecure)
+
+		return pullrequest.NewGiteaService(token, providerConfig.API, providerConfig.Owner, providerConfig.Repo, providerConfig.Labels, providerConfig.Insecure)
 	}
 	if generatorConfig.BitbucketServer != nil {
 		providerConfig := generatorConfig.BitbucketServer
-		if providerConfig.BasicAuth != nil {
-			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
-			if err != nil {
-				return nil, fmt.Errorf("error fetching Secret token: %v", err)
+		var caCerts []byte
+		var prErr error
+		if providerConfig.CARef != nil {
+			caCerts, prErr = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if prErr != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", prErr)
 			}
-			return pullrequest.NewBitbucketServiceBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.Repo)
-		} else {
-			return pullrequest.NewBitbucketServiceNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.Repo)
 		}
+		if providerConfig.BearerToken != nil {
+			appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
+			if err != nil {
+				return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
+			}
+			return pullrequest.NewBitbucketServiceBearerToken(ctx, appToken, providerConfig.API, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts)
+		} else if providerConfig.BasicAuth != nil {
+			password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
+			if err != nil {
+				return nil, fmt.Errorf("error fetching Secret token: %w", err)
+			}
+			return pullrequest.NewBitbucketServiceBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts)
+		}
+		return pullrequest.NewBitbucketServiceNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 	}
 	if generatorConfig.Bitbucket != nil {
 		providerConfig := generatorConfig.Bitbucket
 		if providerConfig.BearerToken != nil {
-			appToken, err := g.getSecretRef(ctx, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace)
+			appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
 			if err != nil {
-				return nil, fmt.Errorf("error fetching Secret Bearer token: %v", err)
+				return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
 			}
 			return pullrequest.NewBitbucketCloudServiceBearerToken(providerConfig.API, appToken, providerConfig.Owner, providerConfig.Repo)
 		} else if providerConfig.BasicAuth != nil {
-			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
+			password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
 			if err != nil {
-				return nil, fmt.Errorf("error fetching Secret token: %v", err)
+				return nil, fmt.Errorf("error fetching Secret token: %w", err)
 			}
 			return pullrequest.NewBitbucketCloudServiceBasicAuth(providerConfig.API, providerConfig.BasicAuth.Username, password, providerConfig.Owner, providerConfig.Repo)
-		} else {
-			return pullrequest.NewBitbucketCloudServiceNoAuth(providerConfig.API, providerConfig.Owner, providerConfig.Repo)
 		}
+		return pullrequest.NewBitbucketCloudServiceNoAuth(providerConfig.API, providerConfig.Owner, providerConfig.Repo)
 	}
 	if generatorConfig.AzureDevOps != nil {
 		providerConfig := generatorConfig.AzureDevOps
-		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Secret token: %v", err)
+			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
-		return pullrequest.NewAzureDevOpsService(ctx, token, providerConfig.API, providerConfig.Organization, providerConfig.Project, providerConfig.Repo, providerConfig.Labels)
+		return pullrequest.NewAzureDevOpsService(token, providerConfig.API, providerConfig.Organization, providerConfig.Project, providerConfig.Repo, providerConfig.Labels)
 	}
-	return nil, fmt.Errorf("no Pull Request provider implementation configured")
+	return nil, errors.New("no Pull Request provider implementation configured")
 }

 func (g *PullRequestGenerator) github(ctx context.Context, cfg *argoprojiov1alpha1.PullRequestGeneratorGithub, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+	var metricsCtx *services.MetricsContext
+	var httpClient *http.Client
+
+	if g.enableGitHubAPIMetrics {
+		metricsCtx = &services.MetricsContext{
+			AppSetNamespace: applicationSetInfo.Namespace,
+			AppSetName:      applicationSetInfo.Name,
+		}
+		httpClient = services.NewGitHubMetricsClient(metricsCtx)
+	}
+
 	// use an app if it was configured
 	if cfg.AppSecretName != "" {
-		auth, err := g.auth.GitHubApps.GetAuthSecret(ctx, cfg.AppSecretName)
+		auth, err := g.GitHubApps.GetAuthSecret(ctx, cfg.AppSecretName)
 		if err != nil {
-			return nil, fmt.Errorf("error getting GitHub App secret: %v", err)
+			return nil, fmt.Errorf("error getting GitHub App secret: %w", err)
 		}
-		return pullrequest.NewGithubAppService(*auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
+
+		if g.enableGitHubAPIMetrics {
+			return pullrequest.NewGithubAppService(ctx, *auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels, httpClient)
+		}
+		return pullrequest.NewGithubAppService(ctx, *auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
 	}

 	// always default to token, even if not set (public access)
-	token, err := g.getSecretRef(ctx, cfg.TokenRef, applicationSetInfo.Namespace)
+	token, err := utils.GetSecretRef(ctx, g.client, cfg.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
 	if err != nil {
-		return nil, fmt.Errorf("error fetching Secret token: %v", err)
-	}
-	return pullrequest.NewGithubService(ctx, token, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
-}
-
-// getSecretRef gets the value of the key for the specified Secret resource.
-func (g *PullRequestGenerator) getSecretRef(ctx context.Context, ref *argoprojiov1alpha1.SecretRef, namespace string) (string, error) {
-	if ref == nil {
-		return "", nil
+		return nil, fmt.Errorf("error fetching Secret token: %w", err)
 	}

-	secret := &corev1.Secret{}
-	err := g.client.Get(
-		ctx,
-		client.ObjectKey{
-			Name:      ref.SecretName,
-			Namespace: namespace,
-		},
-		secret)
-	if err != nil {
-		return "", fmt.Errorf("error fetching secret %s/%s: %v", namespace, ref.SecretName, err)
+	if g.enableGitHubAPIMetrics {
+		return pullrequest.NewGithubService(token, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels, httpClient)
 	}
-	tokenBytes, ok := secret.Data[ref.Key]
-	if !ok {
-		return "", fmt.Errorf("key %q in secret %s/%s not found", ref.Key, namespace, ref.SecretName)
-	}
-	return string(tokenBytes), nil
+	return pullrequest.NewGithubService(token, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
 }
--- a/applicationset/generators/pull_request_test.go
+++ b/applicationset/generators/pull_request_test.go
@@ -2,25 +2,26 @@ package generators

 import (
 	"context"
-	"fmt"
+	"errors"
 	"testing"

 	"github.com/stretchr/testify/assert"
-	corev1 "k8s.io/api/core/v1"
+	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	pullrequest "github.com/argoproj/argo-cd/v2/applicationset/services/pull_request"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	pullrequest "github.com/argoproj/argo-cd/v3/applicationset/services/pull_request"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 func TestPullRequestGithubGenerateParams(t *testing.T) {
-	ctx := context.Background()
+	ctx := t.Context()
 	cases := []struct {
-		selectFunc     func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error)
-		expected       []map[string]interface{}
-		expectedErr    error
-		applicationSet argoprojiov1alpha1.ApplicationSet
+		selectFunc                  func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error)
+		values                      map[string]string
+		expected                    []map[string]any
+		expectedErr                 error
+		applicationSet              argoprojiov1alpha1.ApplicationSet
+		continueOnRepoNotFoundError bool
 	}{
 		{
 			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
@@ -29,17 +30,20 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       1,
+							Title:        "title1",
 							Branch:       "branch1",
 							TargetBranch: "master",
 							HeadSHA:      "089d92cbf9ff857a39e6feccd32798ca700fb958",
+							Author:       "testName",
 						},
 					},
 					nil,
 				)
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"number":             "1",
+					"title":              "title1",
 					"branch":             "branch1",
 					"branch_slug":        "branch1",
 					"target_branch":      "master",
@@ -47,6 +51,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_sha":           "089d92cbf9ff857a39e6feccd32798ca700fb958",
 					"head_short_sha":     "089d92cb",
 					"head_short_sha_7":   "089d92c",
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -58,17 +63,20 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       2,
+							Title:        "title2",
 							Branch:       "feat/areally+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
 							TargetBranch: "feat/anotherreally+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
 							HeadSHA:      "9b34ff5bd418e57d58891eb0aa0728043ca1e8be",
+							Author:       "testName",
 						},
 					},
 					nil,
 				)
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"number":             "2",
+					"title":              "title2",
 					"branch":             "feat/areally+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
 					"branch_slug":        "feat-areally-long-pull-request-name-to-test-argo",
 					"target_branch":      "feat/anotherreally+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
@@ -76,6 +84,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_sha":           "9b34ff5bd418e57d58891eb0aa0728043ca1e8be",
 					"head_short_sha":     "9b34ff5b",
 					"head_short_sha_7":   "9b34ff5",
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -87,17 +96,20 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       1,
+							Title:        "title1",
 							Branch:       "a-very-short-sha",
 							TargetBranch: "master",
 							HeadSHA:      "abcd",
+							Author:       "testName",
 						},
 					},
 					nil,
 				)
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"number":             "1",
+					"title":              "title1",
 					"branch":             "a-very-short-sha",
 					"branch_slug":        "a-very-short-sha",
 					"target_branch":      "master",
@@ -105,6 +117,46 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_sha":           "abcd",
 					"head_short_sha":     "abcd",
 					"head_short_sha_7":   "abcd",
+					"author":             "testName",
+				},
+			},
+			expectedErr: nil,
+		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					[]*pullrequest.PullRequest{
+						{
+							Number:       1,
+							Title:        "title1",
+							Branch:       "my_branch",
+							TargetBranch: "master",
+							HeadSHA:      "abcd",
+							Author:       "testName",
+						},
+					},
+					nil,
+				)
+			},
+			values: map[string]string{
+				"foo":       "bar",
+				"pr_branch": "{{ branch }}",
+			},
+			expected: []map[string]any{
+				{
+					"number":             "1",
+					"title":              "title1",
+					"branch":             "my_branch",
+					"branch_slug":        "my-branch",
+					"target_branch":      "master",
+					"target_branch_slug": "master",
+					"head_sha":           "abcd",
+					"head_short_sha":     "abcd",
+					"head_short_sha_7":   "abcd",
+					"author":             "testName",
+					"values.foo":         "bar",
+					"values.pr_branch":   "my_branch",
 				},
 			},
 			expectedErr: nil,
@@ -114,11 +166,35 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 				return pullrequest.NewFakeService(
 					ctx,
 					nil,
-					fmt.Errorf("fake error"),
+					errors.New("fake error"),
 				)
 			},
 			expected:    nil,
-			expectedErr: fmt.Errorf("error listing repos: fake error"),
+			expectedErr: errors.New("error listing repos: fake error"),
+		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					nil,
+					pullrequest.NewRepositoryNotFoundError(errors.New("repository not found")),
+				)
+			},
+			expected:                    []map[string]any{},
+			expectedErr:                 nil,
+			continueOnRepoNotFoundError: true,
+		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					nil,
+					pullrequest.NewRepositoryNotFoundError(errors.New("repository not found")),
+				)
+			},
+			expected:                    nil,
+			expectedErr:                 errors.New("error listing repos: repository not found"),
+			continueOnRepoNotFoundError: false,
 		},
 		{
 			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
@@ -127,18 +203,21 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       1,
+							Title:        "title1",
 							Branch:       "branch1",
 							TargetBranch: "master",
 							HeadSHA:      "089d92cbf9ff857a39e6feccd32798ca700fb958",
 							Labels:       []string{"preview"},
+							Author:       "testName",
 						},
 					},
 					nil,
 				)
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"number":             "1",
+					"title":              "title1",
 					"branch":             "branch1",
 					"branch_slug":        "branch1",
 					"target_branch":      "master",
@@ -147,6 +226,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_short_sha":     "089d92cb",
 					"head_short_sha_7":   "089d92c",
 					"labels":             []string{"preview"},
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -164,18 +244,21 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       1,
+							Title:        "title1",
 							Branch:       "branch1",
 							TargetBranch: "master",
 							HeadSHA:      "089d92cbf9ff857a39e6feccd32798ca700fb958",
 							Labels:       []string{"preview"},
+							Author:       "testName",
 						},
 					},
 					nil,
 				)
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"number":             "1",
+					"title":              "title1",
 					"branch":             "branch1",
 					"branch_slug":        "branch1",
 					"target_branch":      "master",
@@ -183,6 +266,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_sha":           "089d92cbf9ff857a39e6feccd32798ca700fb958",
 					"head_short_sha":     "089d92cb",
 					"head_short_sha_7":   "089d92c",
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -193,6 +277,51 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 				},
 			},
 		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					[]*pullrequest.PullRequest{
+						{
+							Number:       1,
+							Title:        "title1",
+							Branch:       "my_branch",
+							TargetBranch: "master",
+							HeadSHA:      "abcd",
+							Author:       "testName",
+							Labels:       []string{"preview", "preview:team1"},
+						},
+					},
+					nil,
+				)
+			},
+			values: map[string]string{
+				"preview_env": "{{ regexFind \"(team1|team2)\" (.labels | join \",\") }}",
+			},
+			expected: []map[string]any{
+				{
+					"number":             "1",
+					"title":              "title1",
+					"branch":             "my_branch",
+					"branch_slug":        "my-branch",
+					"target_branch":      "master",
+					"target_branch_slug": "master",
+					"head_sha":           "abcd",
+					"head_short_sha":     "abcd",
+					"head_short_sha_7":   "abcd",
+					"author":             "testName",
+					"labels":             []string{"preview", "preview:team1"},
+					"values":             map[string]string{"preview_env": "team1"},
+				},
+			},
+			expectedErr: nil,
+			applicationSet: argoprojiov1alpha1.ApplicationSet{
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					// Application set is using fasttemplate.
+					GoTemplate: true,
+				},
+			},
+		},
 	}

 	for _, c := range cases {
@@ -200,85 +329,28 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			selectServiceProviderFunc: c.selectFunc,
 		}
 		generatorConfig := argoprojiov1alpha1.ApplicationSetGenerator{
-			PullRequest: &argoprojiov1alpha1.PullRequestGenerator{},
+			PullRequest: &argoprojiov1alpha1.PullRequestGenerator{
+				Values:                      c.values,
+				ContinueOnRepoNotFoundError: c.continueOnRepoNotFoundError,
+			},
 		}

-		got, gotErr := gen.GenerateParams(&generatorConfig, &c.applicationSet)
-		assert.Equal(t, c.expectedErr, gotErr)
+		got, gotErr := gen.GenerateParams(&generatorConfig, &c.applicationSet, nil)
+		if c.expectedErr != nil {
+			require.EqualError(t, gotErr, c.expectedErr.Error())
+		} else {
+			require.NoError(t, gotErr)
+		}
 		assert.ElementsMatch(t, c.expected, got)
 	}
 }

-func TestPullRequestGetSecretRef(t *testing.T) {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{Name: "test-secret", Namespace: "test"},
-		Data: map[string][]byte{
-			"my-token": []byte("secret"),
-		},
-	}
-	gen := &PullRequestGenerator{client: fake.NewClientBuilder().WithObjects(secret).Build()}
-	ctx := context.Background()
-
-	cases := []struct {
-		name, namespace, token string
-		ref                    *argoprojiov1alpha1.SecretRef
-		hasError               bool
-	}{
-		{
-			name:      "valid ref",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
-			namespace: "test",
-			token:     "secret",
-			hasError:  false,
-		},
-		{
-			name:      "nil ref",
-			ref:       nil,
-			namespace: "test",
-			token:     "",
-			hasError:  false,
-		},
-		{
-			name:      "wrong name",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "other", Key: "my-token"},
-			namespace: "test",
-			token:     "",
-			hasError:  true,
-		},
-		{
-			name:      "wrong key",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "other-token"},
-			namespace: "test",
-			token:     "",
-			hasError:  true,
-		},
-		{
-			name:      "wrong namespace",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
-			namespace: "other",
-			token:     "",
-			hasError:  true,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			token, err := gen.getSecretRef(ctx, c.ref, c.namespace)
-			if c.hasError {
-				assert.NotNil(t, err)
-			} else {
-				assert.Nil(t, err)
-			}
-			assert.Equal(t, c.token, token)
-		})
-	}
-}
-
 func TestAllowedSCMProviderPullRequest(t *testing.T) {
+	t.Parallel()
+
 	cases := []struct {
 		name           string
 		providerConfig *argoprojiov1alpha1.PullRequestGenerator
-		expectedError  error
 	}{
 		{
 			name: "Error Github",
@@ -287,7 +359,6 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Gitlab",
@@ -296,7 +367,6 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Gitea",
@@ -305,7 +375,6 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Bitbucket",
@@ -314,7 +383,6 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 	}

@@ -324,13 +392,13 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			pullRequestGenerator := NewPullRequestGenerator(nil, SCMAuthProviders{}, "", []string{
+			pullRequestGenerator := NewPullRequestGenerator(nil, NewSCMConfig("", []string{
 				"github.myorg.com",
 				"gitlab.myorg.com",
 				"gitea.myorg.com",
 				"bitbucket.myorg.com",
 				"azuredevops.myorg.com",
-			}, true)
+			}, true, true, nil, true))

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -343,16 +411,17 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 				},
 			}

-			_, err := pullRequestGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			_, err := pullRequestGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)

-			assert.Error(t, err, "Must return an error")
-			assert.ErrorAs(t, err, testCaseCopy.expectedError)
+			require.Error(t, err, "Must return an error")
+			var expectedError ErrDisallowedSCMProvider
+			assert.ErrorAs(t, err, &expectedError)
 		})
 	}
 }

 func TestSCMProviderDisabled_PRGenerator(t *testing.T) {
-	generator := NewPullRequestGenerator(nil, SCMAuthProviders{}, "", []string{}, false)
+	generator := NewPullRequestGenerator(nil, NewSCMConfig("", []string{}, false, true, nil, true))

 	applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 		ObjectMeta: metav1.ObjectMeta{
@@ -369,6 +438,6 @@ func TestSCMProviderDisabled_PRGenerator(t *testing.T) {
 		},
 	}

-	_, err := generator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+	_, err := generator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)
 	assert.ErrorIs(t, err, ErrSCMProvidersDisabled)
 }
--- a/applicationset/generators/scm_provider.go
+++ b/applicationset/generators/scm_provider.go
@@ -4,54 +4,66 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"

-	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	log "github.com/sirupsen/logrus"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/github_app_auth"
-	"github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider"
-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	"github.com/argoproj/argo-cd/v2/common"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/services"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/github_app_auth"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider"
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	"github.com/argoproj/argo-cd/v3/common"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

 var _ Generator = (*SCMProviderGenerator)(nil)

 const (
-	DefaultSCMProviderRequeueAfterSeconds = 30 * time.Minute
+	DefaultSCMProviderRequeueAfter = 30 * time.Minute
 )

 type SCMProviderGenerator struct {
 	client client.Client
 	// Testing hooks.
 	overrideProvider scm_provider.SCMProviderService
-	SCMAuthProviders
-	scmRootCAPath       string
-	allowedSCMProviders []string
-	enableSCMProviders  bool
+	SCMConfig
+}
+type SCMConfig struct {
+	scmRootCAPath          string
+	allowedSCMProviders    []string
+	enableSCMProviders     bool
+	enableGitHubAPIMetrics bool
+	GitHubApps             github_app_auth.Credentials
+	tokenRefStrictMode     bool
 }

-type SCMAuthProviders struct {
-	GitHubApps github_app_auth.Credentials
+func NewSCMConfig(scmRootCAPath string, allowedSCMProviders []string, enableSCMProviders bool, enableGitHubAPIMetrics bool, gitHubApps github_app_auth.Credentials, tokenRefStrictMode bool) SCMConfig {
+	return SCMConfig{
+		scmRootCAPath:          scmRootCAPath,
+		allowedSCMProviders:    allowedSCMProviders,
+		enableSCMProviders:     enableSCMProviders,
+		enableGitHubAPIMetrics: enableGitHubAPIMetrics,
+		GitHubApps:             gitHubApps,
+		tokenRefStrictMode:     tokenRefStrictMode,
+	}
 }

-func NewSCMProviderGenerator(client client.Client, providers SCMAuthProviders, scmRootCAPath string, allowedSCMProviders []string, enableSCMProviders bool) Generator {
+func NewSCMProviderGenerator(client client.Client, scmConfig SCMConfig) Generator {
 	return &SCMProviderGenerator{
-		client:              client,
-		SCMAuthProviders:    providers,
-		scmRootCAPath:       scmRootCAPath,
-		allowedSCMProviders: allowedSCMProviders,
-		enableSCMProviders:  enableSCMProviders,
+		client:    client,
+		SCMConfig: scmConfig,
 	}
 }

 // Testing generator
 func NewTestSCMProviderGenerator(overrideProvider scm_provider.SCMProviderService) Generator {
-	return &SCMProviderGenerator{overrideProvider: overrideProvider, enableSCMProviders: true}
+	return &SCMProviderGenerator{overrideProvider: overrideProvider, SCMConfig: SCMConfig{
+		enableSCMProviders: true,
+	}}
 }

 func (g *SCMProviderGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) time.Duration {
@@ -61,7 +73,7 @@ func (g *SCMProviderGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alph
 		return time.Duration(*appSetGenerator.SCMProvider.RequeueAfterSeconds) * time.Second
 	}

-	return DefaultSCMProviderRequeueAfterSeconds
+	return DefaultSCMProviderRequeueAfter
 }

 func (g *SCMProviderGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
@@ -108,13 +120,13 @@ func ScmProviderAllowed(applicationSetInfo *argoprojiov1alpha1.ApplicationSet, g
 	return NewErrDisallowedSCMProvider(url, allowedScmProviders)
 }

-func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
 	if appSetGenerator == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if appSetGenerator.SCMProvider == nil {
-		return nil, EmptyAppSetGeneratorError
+		return nil, ErrEmptyAppSetGenerator
 	}

 	if !g.enableSCMProviders {
@@ -130,81 +142,105 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha

 	ctx := context.Background()
 	var provider scm_provider.SCMProviderService
-	if g.overrideProvider != nil {
+	switch {
+	case g.overrideProvider != nil:
 		provider = g.overrideProvider
-	} else if providerConfig.Github != nil {
+	case providerConfig.Github != nil:
 		var err error
 		provider, err = g.githubProvider(ctx, providerConfig.Github, applicationSetInfo)
 		if err != nil {
 			return nil, fmt.Errorf("scm provider: %w", err)
 		}
-	} else if providerConfig.Gitlab != nil {
-		token, err := g.getSecretRef(ctx, providerConfig.Gitlab.TokenRef, applicationSetInfo.Namespace)
-		if err != nil {
-			return nil, fmt.Errorf("error fetching Gitlab token: %v", err)
-		}
-		provider, err = scm_provider.NewGitlabProvider(ctx, providerConfig.Gitlab.Group, token, providerConfig.Gitlab.API, providerConfig.Gitlab.AllBranches, providerConfig.Gitlab.IncludeSubgroups, providerConfig.Gitlab.WillIncludeSharedProjects(), providerConfig.Gitlab.Insecure, g.scmRootCAPath, providerConfig.Gitlab.Topic)
-		if err != nil {
-			return nil, fmt.Errorf("error initializing Gitlab service: %v", err)
-		}
-	} else if providerConfig.Gitea != nil {
-		token, err := g.getSecretRef(ctx, providerConfig.Gitea.TokenRef, applicationSetInfo.Namespace)
-		if err != nil {
-			return nil, fmt.Errorf("error fetching Gitea token: %v", err)
-		}
-		provider, err = scm_provider.NewGiteaProvider(ctx, providerConfig.Gitea.Owner, token, providerConfig.Gitea.API, providerConfig.Gitea.AllBranches, providerConfig.Gitea.Insecure)
-		if err != nil {
-			return nil, fmt.Errorf("error initializing Gitea service: %v", err)
-		}
-	} else if providerConfig.BitbucketServer != nil {
-		providerConfig := providerConfig.BitbucketServer
+	case providerConfig.Gitlab != nil:
+		providerConfig := providerConfig.Gitlab
+		var caCerts []byte
 		var scmError error
-		if providerConfig.BasicAuth != nil {
-			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
-			if err != nil {
-				return nil, fmt.Errorf("error fetching Secret token: %v", err)
+		if providerConfig.CARef != nil {
+			caCerts, scmError = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if scmError != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", scmError)
 			}
-			provider, scmError = scm_provider.NewBitbucketServerProviderBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.AllBranches)
-		} else {
-			provider, scmError = scm_provider.NewBitbucketServerProviderNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.AllBranches)
+		}
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching Gitlab token: %w", err)
+		}
+		provider, err = scm_provider.NewGitlabProvider(providerConfig.Group, token, providerConfig.API, providerConfig.AllBranches, providerConfig.IncludeSubgroups, providerConfig.WillIncludeSharedProjects(), providerConfig.Insecure, g.scmRootCAPath, providerConfig.Topic, caCerts)
+		if err != nil {
+			return nil, fmt.Errorf("error initializing Gitlab service: %w", err)
+		}
+	case providerConfig.Gitea != nil:
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.Gitea.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching Gitea token: %w", err)
+		}
+		provider, err = scm_provider.NewGiteaProvider(providerConfig.Gitea.Owner, token, providerConfig.Gitea.API, providerConfig.Gitea.AllBranches, providerConfig.Gitea.Insecure)
+		if err != nil {
+			return nil, fmt.Errorf("error initializing Gitea service: %w", err)
+		}
+	case providerConfig.BitbucketServer != nil:
+		providerConfig := providerConfig.BitbucketServer
+		var caCerts []byte
+		var scmError error
+		if providerConfig.CARef != nil {
+			caCerts, scmError = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if scmError != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", scmError)
+			}
+		}
+		switch {
+		case providerConfig.BearerToken != nil:
+			appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
+			if err != nil {
+				return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
+			}
+			provider, scmError = scm_provider.NewBitbucketServerProviderBearerToken(ctx, appToken, providerConfig.API, providerConfig.Project, providerConfig.AllBranches, g.scmRootCAPath, providerConfig.Insecure, caCerts)
+		case providerConfig.BasicAuth != nil:
+			password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
+			if err != nil {
+				return nil, fmt.Errorf("error fetching Secret token: %w", err)
+			}
+			provider, scmError = scm_provider.NewBitbucketServerProviderBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.AllBranches, g.scmRootCAPath, providerConfig.Insecure, caCerts)
+		default:
+			provider, scmError = scm_provider.NewBitbucketServerProviderNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.AllBranches, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 		}
 		if scmError != nil {
-			return nil, fmt.Errorf("error initializing Bitbucket Server service: %v", scmError)
+			return nil, fmt.Errorf("error initializing Bitbucket Server service: %w", scmError)
 		}
-	} else if providerConfig.AzureDevOps != nil {
-		token, err := g.getSecretRef(ctx, providerConfig.AzureDevOps.AccessTokenRef, applicationSetInfo.Namespace)
+	case providerConfig.AzureDevOps != nil:
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.AzureDevOps.AccessTokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Azure Devops access token: %v", err)
+			return nil, fmt.Errorf("error fetching Azure Devops access token: %w", err)
 		}
-		provider, err = scm_provider.NewAzureDevOpsProvider(ctx, token, providerConfig.AzureDevOps.Organization, providerConfig.AzureDevOps.API, providerConfig.AzureDevOps.TeamProject, providerConfig.AzureDevOps.AllBranches)
+		provider, err = scm_provider.NewAzureDevOpsProvider(token, providerConfig.AzureDevOps.Organization, providerConfig.AzureDevOps.API, providerConfig.AzureDevOps.TeamProject, providerConfig.AzureDevOps.AllBranches)
 		if err != nil {
-			return nil, fmt.Errorf("error initializing Azure Devops service: %v", err)
+			return nil, fmt.Errorf("error initializing Azure Devops service: %w", err)
 		}
-	} else if providerConfig.Bitbucket != nil {
-		appPassword, err := g.getSecretRef(ctx, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
+	case providerConfig.Bitbucket != nil:
+		appPassword, err := utils.GetSecretRef(ctx, g.client, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %v", err)
+			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %w", err)
 		}
-		provider, err = scm_provider.NewBitBucketCloudProvider(ctx, providerConfig.Bitbucket.Owner, providerConfig.Bitbucket.User, appPassword, providerConfig.Bitbucket.AllBranches)
+		provider, err = scm_provider.NewBitBucketCloudProvider(providerConfig.Bitbucket.Owner, providerConfig.Bitbucket.User, appPassword, providerConfig.Bitbucket.AllBranches)
 		if err != nil {
-			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %v", err)
+			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %w", err)
 		}
-	} else if providerConfig.AWSCodeCommit != nil {
+	case providerConfig.AWSCodeCommit != nil:
 		var awsErr error
 		provider, awsErr = scm_provider.NewAWSCodeCommitProvider(ctx, providerConfig.AWSCodeCommit.TagFilters, providerConfig.AWSCodeCommit.Role, providerConfig.AWSCodeCommit.Region, providerConfig.AWSCodeCommit.AllBranches)
 		if awsErr != nil {
-			return nil, fmt.Errorf("error initializing AWS codecommit service: %v", awsErr)
+			return nil, fmt.Errorf("error initializing AWS codecommit service: %w", awsErr)
 		}
-	} else {
-		return nil, fmt.Errorf("no SCM provider implementation configured")
+	default:
+		return nil, errors.New("no SCM provider implementation configured")
 	}

 	// Find all the available repos.
 	repos, err := scm_provider.ListRepos(ctx, provider, providerConfig.Filters, providerConfig.CloneProtocol)
 	if err != nil {
-		return nil, fmt.Errorf("error listing repos: %v", err)
+		return nil, fmt.Errorf("error listing repos: %w", err)
 	}
-	paramsArray := make([]map[string]interface{}, 0, len(repos))
+	paramsArray := make([]map[string]any, 0, len(repos))
 	var shortSHALength int
 	var shortSHALength7 int
 	for _, repo := range repos {
@@ -218,9 +254,10 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			shortSHALength7 = len(repo.SHA)
 		}

-		params := map[string]interface{}{
+		params := map[string]any{
 			"organization":     repo.Organization,
 			"repository":       repo.Repository,
+			"repository_id":    repo.RepositoryId,
 			"url":              repo.URL,
 			"branch":           repo.Branch,
 			"sha":              repo.SHA,
@@ -240,47 +277,37 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	return paramsArray, nil
 }

-func (g *SCMProviderGenerator) getSecretRef(ctx context.Context, ref *argoprojiov1alpha1.SecretRef, namespace string) (string, error) {
-	if ref == nil {
-		return "", nil
-	}
-
-	secret := &corev1.Secret{}
-	err := g.client.Get(
-		ctx,
-		client.ObjectKey{
-			Name:      ref.SecretName,
-			Namespace: namespace,
-		},
-		secret)
-	if err != nil {
-		return "", fmt.Errorf("error fetching secret %s/%s: %v", namespace, ref.SecretName, err)
-	}
-	tokenBytes, ok := secret.Data[ref.Key]
-	if !ok {
-		return "", fmt.Errorf("key %q in secret %s/%s not found", ref.Key, namespace, ref.SecretName)
-	}
-	return string(tokenBytes), nil
-}
-
 func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argoprojiov1alpha1.SCMProviderGeneratorGithub, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) (scm_provider.SCMProviderService, error) {
+	var metricsCtx *services.MetricsContext
+	var httpClient *http.Client
+
+	if g.enableGitHubAPIMetrics {
+		metricsCtx = &services.MetricsContext{
+			AppSetNamespace: applicationSetInfo.Namespace,
+			AppSetName:      applicationSetInfo.Name,
+		}
+		httpClient = services.NewGitHubMetricsClient(metricsCtx)
+	}
+
 	if github.AppSecretName != "" {
 		auth, err := g.GitHubApps.GetAuthSecret(ctx, github.AppSecretName)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Github app secret: %v", err)
+			return nil, fmt.Errorf("error fetching Github app secret: %w", err)
 		}

-		return scm_provider.NewGithubAppProviderFor(
-			*auth,
-			github.Organization,
-			github.API,
-			github.AllBranches,
-		)
+		if g.enableGitHubAPIMetrics {
+			return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches, httpClient)
+		}
+		return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches)
 	}

-	token, err := g.getSecretRef(ctx, github.TokenRef, applicationSetInfo.Namespace)
+	token, err := utils.GetSecretRef(ctx, g.client, github.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
 	if err != nil {
-		return nil, fmt.Errorf("error fetching Github token: %v", err)
+		return nil, fmt.Errorf("error fetching Github token: %w", err)
 	}
-	return scm_provider.NewGithubProvider(ctx, github.Organization, token, github.API, github.AllBranches)
+
+	if g.enableGitHubAPIMetrics {
+		return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches, httpClient)
+	}
+	return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches)
 }
--- a/applicationset/generators/scm_provider_test.go
+++ b/applicationset/generators/scm_provider_test.go
@@ -1,90 +1,24 @@
 package generators

 import (
-	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
-	corev1 "k8s.io/api/core/v1"
+	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-func TestSCMProviderGetSecretRef(t *testing.T) {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{Name: "test-secret", Namespace: "test"},
-		Data: map[string][]byte{
-			"my-token": []byte("secret"),
-		},
-	}
-	gen := &SCMProviderGenerator{client: fake.NewClientBuilder().WithObjects(secret).Build()}
-	ctx := context.Background()
-
-	cases := []struct {
-		name, namespace, token string
-		ref                    *argoprojiov1alpha1.SecretRef
-		hasError               bool
-	}{
-		{
-			name:      "valid ref",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
-			namespace: "test",
-			token:     "secret",
-			hasError:  false,
-		},
-		{
-			name:      "nil ref",
-			ref:       nil,
-			namespace: "test",
-			token:     "",
-			hasError:  false,
-		},
-		{
-			name:      "wrong name",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "other", Key: "my-token"},
-			namespace: "test",
-			token:     "",
-			hasError:  true,
-		},
-		{
-			name:      "wrong key",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "other-token"},
-			namespace: "test",
-			token:     "",
-			hasError:  true,
-		},
-		{
-			name:      "wrong namespace",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
-			namespace: "other",
-			token:     "",
-			hasError:  true,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			token, err := gen.getSecretRef(ctx, c.ref, c.namespace)
-			if c.hasError {
-				assert.NotNil(t, err)
-			} else {
-				assert.Nil(t, err)
-			}
-			assert.Equal(t, c.token, token)
-
-		})
-	}
-}
-
 func TestSCMProviderGenerateParams(t *testing.T) {
+	t.Parallel()
+
 	cases := []struct {
 		name          string
 		repos         []*scm_provider.Repository
 		values        map[string]string
-		expected      []map[string]interface{}
+		expected      []map[string]any
 		expectedError error
 	}{
 		{
@@ -93,6 +27,7 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 				{
 					Organization: "myorg",
 					Repository:   "repo1",
+					RepositoryId: 190320251,
 					URL:          "git@github.com:myorg/repo1.git",
 					Branch:       "main",
 					SHA:          "0bc57212c3cbbec69d20b34c507284bd300def5b",
@@ -101,15 +36,17 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 				{
 					Organization: "myorg",
 					Repository:   "repo2",
+					RepositoryId: 190320252,
 					URL:          "git@github.com:myorg/repo2.git",
 					Branch:       "main",
 					SHA:          "59d0",
 				},
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"organization":     "myorg",
 					"repository":       "repo1",
+					"repository_id":    190320251,
 					"url":              "git@github.com:myorg/repo1.git",
 					"branch":           "main",
 					"branchNormalized": "main",
@@ -121,6 +58,7 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 				{
 					"organization":     "myorg",
 					"repository":       "repo2",
+					"repository_id":    190320252,
 					"url":              "git@github.com:myorg/repo2.git",
 					"branch":           "main",
 					"branchNormalized": "main",
@@ -137,6 +75,7 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 				{
 					Organization: "myorg",
 					Repository:   "repo3",
+					RepositoryId: 190320253,
 					URL:          "git@github.com:myorg/repo3.git",
 					Branch:       "main",
 					SHA:          "0bc57212c3cbbec69d20b34c507284bd300def5b",
@@ -147,10 +86,11 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 				"foo":                    "bar",
 				"should_i_force_push_to": "{{ branch }}?",
 			},
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"organization":                  "myorg",
 					"repository":                    "repo3",
+					"repository_id":                 190320253,
 					"url":                           "git@github.com:myorg/repo3.git",
 					"branch":                        "main",
 					"branchNormalized":              "main",
@@ -163,6 +103,52 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Repos with and without id",
+			repos: []*scm_provider.Repository{
+				{
+					Organization: "myorg",
+					Repository:   "repo4",
+					RepositoryId: "idaz09",
+					URL:          "git@github.com:myorg/repo4.git",
+					Branch:       "main",
+					SHA:          "0bc57212c3cbbec69d20b34c507284bd300def5b",
+				},
+				{
+					Organization: "myorg",
+					Repository:   "repo5",
+					URL:          "git@github.com:myorg/repo5.git",
+					Branch:       "main",
+					SHA:          "0bc57212c3cbbec69d20b34c507284bd300def5b",
+				},
+			},
+			expected: []map[string]any{
+				{
+					"organization":     "myorg",
+					"repository":       "repo4",
+					"repository_id":    "idaz09",
+					"url":              "git@github.com:myorg/repo4.git",
+					"branch":           "main",
+					"branchNormalized": "main",
+					"sha":              "0bc57212c3cbbec69d20b34c507284bd300def5b",
+					"short_sha":        "0bc57212",
+					"short_sha_7":      "0bc5721",
+					"labels":           "",
+				},
+				{
+					"organization":     "myorg",
+					"repository":       "repo5",
+					"repository_id":    nil,
+					"url":              "git@github.com:myorg/repo5.git",
+					"branch":           "main",
+					"branchNormalized": "main",
+					"sha":              "0bc57212c3cbbec69d20b34c507284bd300def5b",
+					"short_sha":        "0bc57212",
+					"short_sha_7":      "0bc5721",
+					"labels":           "",
+				},
+			},
+		},
 	}

 	for _, testCase := range cases {
@@ -174,7 +160,7 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 			mockProvider := &scm_provider.MockProvider{
 				Repos: testCaseCopy.repos,
 			}
-			scmGenerator := &SCMProviderGenerator{overrideProvider: mockProvider, enableSCMProviders: true}
+			scmGenerator := &SCMProviderGenerator{overrideProvider: mockProvider, SCMConfig: SCMConfig{enableSCMProviders: true}}
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -188,24 +174,24 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 				},
 			}

-			got, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			got, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)

 			if testCaseCopy.expectedError != nil {
 				assert.EqualError(t, err, testCaseCopy.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
 	}
 }

 func TestAllowedSCMProvider(t *testing.T) {
+	t.Parallel()
+
 	cases := []struct {
 		name           string
 		providerConfig *argoprojiov1alpha1.SCMProviderGenerator
-		expectedError  error
 	}{
 		{
 			name: "Error Github",
@@ -214,7 +200,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Gitlab",
@@ -223,7 +208,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Gitea",
@@ -232,7 +216,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Bitbucket",
@@ -241,7 +224,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error AzureDevops",
@@ -250,7 +232,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 	}

@@ -261,14 +242,16 @@ func TestAllowedSCMProvider(t *testing.T) {
 			t.Parallel()

 			scmGenerator := &SCMProviderGenerator{
-				allowedSCMProviders: []string{
-					"github.myorg.com",
-					"gitlab.myorg.com",
-					"gitea.myorg.com",
-					"bitbucket.myorg.com",
-					"azuredevops.myorg.com",
+				SCMConfig: SCMConfig{
+					allowedSCMProviders: []string{
+						"github.myorg.com",
+						"gitlab.myorg.com",
+						"gitea.myorg.com",
+						"bitbucket.myorg.com",
+						"azuredevops.myorg.com",
+					},
+					enableSCMProviders: true,
 				},
-				enableSCMProviders: true,
 			}

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
@@ -282,16 +265,17 @@ func TestAllowedSCMProvider(t *testing.T) {
 				},
 			}

-			_, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			_, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)

-			assert.Error(t, err, "Must return an error")
-			assert.ErrorAs(t, err, testCaseCopy.expectedError)
+			require.Error(t, err, "Must return an error")
+			var expectedError ErrDisallowedSCMProvider
+			assert.ErrorAs(t, err, &expectedError)
 		})
 	}
 }

 func TestSCMProviderDisabled_SCMGenerator(t *testing.T) {
-	generator := &SCMProviderGenerator{enableSCMProviders: false}
+	generator := &SCMProviderGenerator{SCMConfig: SCMConfig{enableSCMProviders: false}}

 	applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 		ObjectMeta: metav1.ObjectMeta{
@@ -308,6 +292,6 @@ func TestSCMProviderDisabled_SCMGenerator(t *testing.T) {
 		},
 	}

-	_, err := generator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+	_, err := generator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)
 	assert.ErrorIs(t, err, ErrSCMProvidersDisabled)
 }
--- a/applicationset/generators/scm_utils.go
+++ b/applicationset/generators/scm_utils.go
@@ -1,5 +1,5 @@
 package generators

-type SCMGeneratorWithCustomApiUrl interface {
+type SCMGeneratorWithCustomApiUrl interface { //nolint:revive //FIXME(var-naming)
 	CustomApiUrl() string
 }
--- a/applicationset/generators/utils.go
+++ b/applicationset/generators/utils.go
@@ -0,0 +1,49 @@
+package generators
+
+import (
+	"context"
+
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/argoproj/argo-cd/v3/applicationset/services"
+)
+
+func GetGenerators(ctx context.Context, c client.Client, k8sClient kubernetes.Interface, controllerNamespace string, argoCDService services.Repos, dynamicClient dynamic.Interface, scmConfig SCMConfig) map[string]Generator {
+	terminalGenerators := map[string]Generator{
+		"List":                    NewListGenerator(),
+		"Clusters":                NewClusterGenerator(ctx, c, k8sClient, controllerNamespace),
+		"Git":                     NewGitGenerator(argoCDService, controllerNamespace),
+		"SCMProvider":             NewSCMProviderGenerator(c, scmConfig),
+		"ClusterDecisionResource": NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, controllerNamespace),
+		"PullRequest":             NewPullRequestGenerator(c, scmConfig),
+		"Plugin":                  NewPluginGenerator(c, controllerNamespace),
+	}
+
+	nestedGenerators := map[string]Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Plugin":                  terminalGenerators["Plugin"],
+		"Matrix":                  NewMatrixGenerator(terminalGenerators),
+		"Merge":                   NewMergeGenerator(terminalGenerators),
+	}
+
+	topLevelGenerators := map[string]Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Plugin":                  terminalGenerators["Plugin"],
+		"Matrix":                  NewMatrixGenerator(nestedGenerators),
+		"Merge":                   NewMergeGenerator(nestedGenerators),
+	}
+
+	return topLevelGenerators
+}
--- a/applicationset/generators/value_interpolation.go
+++ b/applicationset/generators/value_interpolation.go
@@ -4,15 +4,14 @@ import (
 	"fmt"
 )

-func appendTemplatedValues(values map[string]string, params map[string]interface{}, useGoTemplate bool, goTemplateOptions []string) error {
+func appendTemplatedValues(values map[string]string, params map[string]any, useGoTemplate bool, goTemplateOptions []string) error {
 	// We create a local map to ensure that we do not fall victim to a billion-laughs attack. We iterate through the
 	// cluster values map and only replace values in said map if it has already been allowlisted in the params map.
 	// Once we iterate through all the cluster values we can then safely merge the `tmp` map into the main params map.
-	tmp := map[string]interface{}{}
+	tmp := map[string]any{}

 	for key, value := range values {
 		result, err := replaceTemplatedString(value, params, useGoTemplate, goTemplateOptions)
-
 		if err != nil {
 			return fmt.Errorf("failed to replace templated string: %w", err)
 		}
@@ -23,7 +22,7 @@ func appendTemplatedValues(values map[string]string, params map[string]interface
 			}
 			tmp["values"].(map[string]string)[key] = result
 		} else {
-			tmp[fmt.Sprintf("values.%s", key)] = result
+			tmp["values."+key] = result
 		}
 	}

@@ -34,7 +33,7 @@ func appendTemplatedValues(values map[string]string, params map[string]interface
 	return nil
 }

-func replaceTemplatedString(value string, params map[string]interface{}, useGoTemplate bool, goTemplateOptions []string) (string, error) {
+func replaceTemplatedString(value string, params map[string]any, useGoTemplate bool, goTemplateOptions []string) (string, error) {
 	replacedTmplStr, err := render.Replace(value, params, useGoTemplate, goTemplateOptions)
 	if err != nil {
 		return "", fmt.Errorf("failed to replace templated string with rendered values: %w", err)
--- a/applicationset/generators/value_interpolation_test.go
+++ b/applicationset/generators/value_interpolation_test.go
@@ -4,24 +4,25 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestValueInterpolation(t *testing.T) {
 	testCases := []struct {
 		name     string
 		values   map[string]string
-		params   map[string]interface{}
-		expected map[string]interface{}
+		params   map[string]any
+		expected map[string]any
 	}{
 		{
 			name: "Simple interpolation",
 			values: map[string]string{
 				"hello": "{{ world }}",
 			},
-			params: map[string]interface{}{
+			params: map[string]any{
 				"world": "world!",
 			},
-			expected: map[string]interface{}{
+			expected: map[string]any{
 				"world":        "world!",
 				"values.hello": "world!",
 			},
@@ -31,8 +32,8 @@ func TestValueInterpolation(t *testing.T) {
 			values: map[string]string{
 				"non-existent": "{{ non-existent }}",
 			},
-			params: map[string]interface{}{},
-			expected: map[string]interface{}{
+			params: map[string]any{},
+			expected: map[string]any{
 				"values.non-existent": "{{ non-existent }}",
 			},
 		},
@@ -43,8 +44,8 @@ func TestValueInterpolation(t *testing.T) {
 				"lol2": "{{values.lol1}}{{values.lol1}}",
 				"lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}",
 			},
-			params: map[string]interface{}{},
-			expected: map[string]interface{}{
+			params: map[string]any{},
+			expected: map[string]any{
 				"values.lol1": "lol",
 				"values.lol2": "{{values.lol1}}{{values.lol1}}",
 				"values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}",
@@ -53,11 +54,10 @@ func TestValueInterpolation(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
 			err := appendTemplatedValues(testCase.values, testCase.params, false, nil)
-			assert.NoError(t, err)
-			assert.EqualValues(t, testCase.expected, testCase.params)
+			require.NoError(t, err)
+			assert.Equal(t, testCase.expected, testCase.params)
 		})
 	}
 }
@@ -66,18 +66,18 @@ func TestValueInterpolationWithGoTemplating(t *testing.T) {
 	testCases := []struct {
 		name     string
 		values   map[string]string
-		params   map[string]interface{}
-		expected map[string]interface{}
+		params   map[string]any
+		expected map[string]any
 	}{
 		{
 			name: "Simple interpolation",
 			values: map[string]string{
 				"hello": "{{ .world }}",
 			},
-			params: map[string]interface{}{
+			params: map[string]any{
 				"world": "world!",
 			},
-			expected: map[string]interface{}{
+			expected: map[string]any{
 				"world": "world!",
 				"values": map[string]string{
 					"hello": "world!",
@@ -89,8 +89,8 @@ func TestValueInterpolationWithGoTemplating(t *testing.T) {
 			values: map[string]string{
 				"non_existent": "{{ default \"bar\" .non_existent }}",
 			},
-			params: map[string]interface{}{},
-			expected: map[string]interface{}{
+			params: map[string]any{},
+			expected: map[string]any{
 				"values": map[string]string{
 					"non_existent": "bar",
 				},
@@ -103,8 +103,8 @@ func TestValueInterpolationWithGoTemplating(t *testing.T) {
 				"lol2": "{{.values.lol1}}{{.values.lol1}}",
 				"lol3": "{{.values.lol2}}{{.values.lol2}}{{.values.lol2}}",
 			},
-			params: map[string]interface{}{},
-			expected: map[string]interface{}{
+			params: map[string]any{},
+			expected: map[string]any{
 				"values": map[string]string{
 					"lol1": "lol",
 					"lol2": "<no value><no value>",
@@ -115,11 +115,10 @@ func TestValueInterpolationWithGoTemplating(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
 			err := appendTemplatedValues(testCase.values, testCase.params, true, nil)
-			assert.NoError(t, err)
-			assert.EqualValues(t, testCase.expected, testCase.params)
+			require.NoError(t, err)
+			assert.Equal(t, testCase.expected, testCase.params)
 		})
 	}
 }
--- a/applicationset/metrics/fake.go
+++ b/applicationset/metrics/fake.go
@@ -0,0 +1,21 @@
+package metrics
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+// Fake implementation for testing
+func NewFakeAppsetMetrics() *ApplicationsetMetrics {
+	reconcileHistogram := prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name: "argocd_appset_reconcile",
+			Help: "Application reconciliation performance in seconds.",
+			// Buckets can be set later on after observing median time
+		},
+		[]string{"name", "namespace"},
+	)
+
+	return &ApplicationsetMetrics{
+		reconcileHistogram: reconcileHistogram,
+	}
+}
--- a/applicationset/metrics/metrics.go
+++ b/applicationset/metrics/metrics.go
@@ -0,0 +1,135 @@
+package metrics
+
+import (
+	"time"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
+
+	argoappv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	applisters "github.com/argoproj/argo-cd/v3/pkg/client/listers/application/v1alpha1"
+	metricsutil "github.com/argoproj/argo-cd/v3/util/metrics"
+	"github.com/argoproj/argo-cd/v3/util/metrics/kubectl"
+)
+
+var (
+	descAppsetLabels        *prometheus.Desc
+	descAppsetDefaultLabels = []string{"namespace", "name"}
+	descAppsetInfo          = prometheus.NewDesc(
+		"argocd_appset_info",
+		"Information about applicationset",
+		append(descAppsetDefaultLabels, "resource_update_status"),
+		nil,
+	)
+
+	descAppsetGeneratedApps = prometheus.NewDesc(
+		"argocd_appset_owned_applications",
+		"Number of applications owned by the applicationset",
+		descAppsetDefaultLabels,
+		nil,
+	)
+)
+
+type ApplicationsetMetrics struct {
+	reconcileHistogram *prometheus.HistogramVec
+}
+
+type appsetCollector struct {
+	lister applisters.ApplicationSetLister
+	// appsClientSet appclientset.Interface
+	labels []string
+	filter func(appset *argoappv1.ApplicationSet) bool
+}
+
+func NewApplicationsetMetrics(appsetLister applisters.ApplicationSetLister, appsetLabels []string, appsetFilter func(appset *argoappv1.ApplicationSet) bool) ApplicationsetMetrics {
+	reconcileHistogram := prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name: "argocd_appset_reconcile",
+			Help: "Application reconciliation performance in seconds.",
+			// Buckets can be set later on after observing median time
+		},
+		descAppsetDefaultLabels,
+	)
+
+	appsetCollector := newAppsetCollector(appsetLister, appsetLabels, appsetFilter)
+
+	// Register collectors and metrics
+	metrics.Registry.MustRegister(reconcileHistogram)
+	metrics.Registry.MustRegister(appsetCollector)
+
+	kubectl.RegisterWithClientGo()
+	kubectl.RegisterWithPrometheus(metrics.Registry)
+
+	return ApplicationsetMetrics{
+		reconcileHistogram: reconcileHistogram,
+	}
+}
+
+func (m *ApplicationsetMetrics) ObserveReconcile(appset *argoappv1.ApplicationSet, duration time.Duration) {
+	m.reconcileHistogram.WithLabelValues(appset.Namespace, appset.Name).Observe(duration.Seconds())
+}
+
+func newAppsetCollector(lister applisters.ApplicationSetLister, labels []string, filter func(appset *argoappv1.ApplicationSet) bool) *appsetCollector {
+	descAppsetDefaultLabels = []string{"namespace", "name"}
+
+	if len(labels) > 0 {
+		descAppsetLabels = prometheus.NewDesc(
+			"argocd_appset_labels",
+			"Applicationset labels translated to Prometheus labels",
+			append(descAppsetDefaultLabels, metricsutil.NormalizeLabels("label", labels)...),
+			nil,
+		)
+	}
+
+	return &appsetCollector{
+		lister: lister,
+		labels: labels,
+		filter: filter,
+	}
+}
+
+// Describe implements the prometheus.Collector interface
+func (c *appsetCollector) Describe(ch chan<- *prometheus.Desc) {
+	ch <- descAppsetInfo
+	ch <- descAppsetGeneratedApps
+
+	if len(c.labels) > 0 {
+		ch <- descAppsetLabels
+	}
+}
+
+// Collect implements the prometheus.Collector interface
+func (c *appsetCollector) Collect(ch chan<- prometheus.Metric) {
+	appsets, _ := c.lister.List(labels.NewSelector())
+
+	for _, appset := range appsets {
+		if c.filter(appset) {
+			collectAppset(appset, c.labels, ch)
+		}
+	}
+}
+
+func collectAppset(appset *argoappv1.ApplicationSet, labelsToCollect []string, ch chan<- prometheus.Metric) {
+	labelValues := make([]string, 0)
+	commonLabelValues := []string{appset.Namespace, appset.Name}
+
+	for _, label := range labelsToCollect {
+		labelValues = append(labelValues, appset.GetLabels()[label])
+	}
+
+	resourceUpdateStatus := "Unknown"
+
+	for _, condition := range appset.Status.Conditions {
+		if condition.Type == argoappv1.ApplicationSetConditionResourcesUpToDate {
+			resourceUpdateStatus = condition.Reason
+		}
+	}
+
+	if len(labelsToCollect) > 0 {
+		ch <- prometheus.MustNewConstMetric(descAppsetLabels, prometheus.GaugeValue, 1, append(commonLabelValues, labelValues...)...)
+	}
+
+	ch <- prometheus.MustNewConstMetric(descAppsetInfo, prometheus.GaugeValue, 1, appset.Namespace, appset.Name, resourceUpdateStatus)
+	ch <- prometheus.MustNewConstMetric(descAppsetGeneratedApps, prometheus.GaugeValue, float64(len(appset.Status.Resources)), appset.Namespace, appset.Name)
+}
--- a/applicationset/metrics/metrics_test.go
+++ b/applicationset/metrics/metrics_test.go
@@ -0,0 +1,252 @@
+package metrics
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
+	"sigs.k8s.io/yaml"
+
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	argoappv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	metricsutil "github.com/argoproj/argo-cd/v3/util/metrics"
+)
+
+var (
+	applicationsetNamespaces = []string{"argocd", "test-namespace1"}
+
+	filter = func(appset *argoappv1.ApplicationSet) bool {
+		return utils.IsNamespaceAllowed(applicationsetNamespaces, appset.Namespace)
+	}
+
+	collectedLabels = []string{"included/test"}
+)
+
+const fakeAppsetList = `
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: test1
+  namespace: argocd
+  labels:
+    included/test: test
+    not-included.label/test: test
+spec:
+  generators:
+  - git:
+      directories:
+      - path: test/*
+      repoURL: https://github.com/test/test.git
+      revision: HEAD
+  template:
+    metadata:
+      name: '{{.path.basename}}'
+    spec:
+      destination:
+        namespace: '{{.path.basename}}'
+        server: https://kubernetes.default.svc
+      project: default
+      source:
+        path: '{{.path.path}}'
+        repoURL: https://github.com/test/test.git
+        targetRevision: HEAD
+status:
+  resources:
+  - group: argoproj.io
+    health:
+      status: Missing
+    kind: Application
+    name: test-app1
+    namespace: argocd
+    status: OutOfSync
+    version: v1alpha1
+  - group: argoproj.io
+    health:
+      status: Missing
+    kind: Application
+    name: test-app2
+    namespace: argocd
+    status: OutOfSync
+    version: v1alpha1
+  conditions:
+  - lastTransitionTime: "2024-01-01T00:00:00Z"
+    message: Successfully generated parameters for all Applications
+    reason: ApplicationSetUpToDate
+    status: "False"
+    type: ErrorOccurred
+  - lastTransitionTime: "2024-01-01T00:00:00Z"
+    message: Successfully generated parameters for all Applications
+    reason: ParametersGenerated
+    status: "True"
+    type: ParametersGenerated
+  - lastTransitionTime: "2024-01-01T00:00:00Z"
+    message: ApplicationSet up to date
+    reason: ApplicationSetUpToDate
+    status: "True"
+    type: ResourcesUpToDate
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: test2
+  namespace: argocd
+  labels:
+    not-included.label/test: test
+spec:
+  generators:
+  - git:
+      directories:
+      - path: test/*
+      repoURL: https://github.com/test/test.git
+      revision: HEAD
+  template:
+    metadata:
+      name: '{{.path.basename}}'
+    spec:
+      destination:
+        namespace: '{{.path.basename}}'
+        server: https://kubernetes.default.svc
+      project: default
+      source:
+        path: '{{.path.path}}'
+        repoURL: https://github.com/test/test.git
+        targetRevision: HEAD
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: should-be-filtered-out
+  namespace: not-allowed
+spec:
+  generators:
+  - git:
+      directories:
+      - path: test/*
+      repoURL: https://github.com/test/test.git
+      revision: HEAD
+  template:
+    metadata:
+      name: '{{.path.basename}}'
+    spec:
+      destination:
+        namespace: '{{.path.basename}}'
+        server: https://kubernetes.default.svc
+      project: default
+      source:
+        path: '{{.path.path}}'
+        repoURL: https://github.com/test/test.git
+        targetRevision: HEAD
+`
+
+func newFakeAppsets(fakeAppsetYAML string) []argoappv1.ApplicationSet {
+	var results []argoappv1.ApplicationSet
+
+	appsetRawYamls := strings.Split(fakeAppsetYAML, "---")
+
+	for _, appsetRawYaml := range appsetRawYamls {
+		var appset argoappv1.ApplicationSet
+		err := yaml.Unmarshal([]byte(appsetRawYaml), &appset)
+		if err != nil {
+			panic(err)
+		}
+
+		results = append(results, appset)
+	}
+
+	return results
+}
+
+func TestApplicationsetCollector(t *testing.T) {
+	appsetList := newFakeAppsets(fakeAppsetList)
+	client := initializeClient(appsetList)
+	metrics.Registry = prometheus.NewRegistry()
+
+	appsetCollector := newAppsetCollector(utils.NewAppsetLister(client), collectedLabels, filter)
+
+	metrics.Registry.MustRegister(appsetCollector)
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/metrics", http.NoBody)
+	require.NoError(t, err)
+	rr := httptest.NewRecorder()
+	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
+	handler.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+	// Test correct appset_info and owned applications
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_info{name="test1",namespace="argocd",resource_update_status="ApplicationSetUpToDate"} 1
+`)
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_owned_applications{name="test1",namespace="argocd"} 2
+`)
+	// Test labels collection - should not include labels not included in the list of collected labels and include the ones that do.
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_labels{label_included_test="test",name="test1",namespace="argocd"} 1
+`)
+	assert.NotContains(t, rr.Body.String(), normalizeLabel("not-included.label/test"))
+	// If collected label is not present on the applicationset the value should be empty
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_labels{label_included_test="",name="test2",namespace="argocd"} 1
+`)
+	// If ResourcesUpToDate condition is not present on the applicationset the status should be reported as 'Unknown'
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_info{name="test2",namespace="argocd",resource_update_status="Unknown"} 1
+`)
+	// If there are no resources on the applicationset the owned application gague should return 0
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_owned_applications{name="test2",namespace="argocd"} 0
+`)
+	// Test that filter is working
+	assert.NotContains(t, rr.Body.String(), `name="should-be-filtered-out"`)
+}
+
+func TestObserveReconcile(t *testing.T) {
+	appsetList := newFakeAppsets(fakeAppsetList)
+	client := initializeClient(appsetList)
+	metrics.Registry = prometheus.NewRegistry()
+
+	appsetMetrics := NewApplicationsetMetrics(utils.NewAppsetLister(client), collectedLabels, filter)
+
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/metrics", http.NoBody)
+	require.NoError(t, err)
+	rr := httptest.NewRecorder()
+	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
+	appsetMetrics.ObserveReconcile(&appsetList[0], 5*time.Second)
+	handler.ServeHTTP(rr, req)
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_reconcile_sum{name="test1",namespace="argocd"} 5
+`)
+	// If there are no resources on the applicationset the owned application gague should return 0
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_reconcile_count{name="test1",namespace="argocd"} 1
+`)
+}
+
+func initializeClient(appsets []argoappv1.ApplicationSet) ctrlclient.WithWatch {
+	scheme := runtime.NewScheme()
+	err := argoappv1.AddToScheme(scheme)
+	if err != nil {
+		panic(err)
+	}
+
+	var clientObjects []ctrlclient.Object
+
+	for _, appset := range appsets {
+		clientObjects = append(clientObjects, appset.DeepCopy())
+	}
+
+	return fake.NewClientBuilder().WithScheme(scheme).WithObjects(clientObjects...).Build()
+}
+
+func normalizeLabel(label string) string {
+	return metricsutil.NormalizeLabels("label", []string{label})[0]
+}
--- a/applicationset/services/github_metrics.go
+++ b/applicationset/services/github_metrics.go
@@ -0,0 +1,241 @@
+package services
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/prometheus/client_golang/prometheus"
+	log "github.com/sirupsen/logrus"
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
+)
+
+// Doc for the GitHub API rate limit headers:
+// https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#checking-the-status-of-your-rate-limit
+
+// Metric names as constants
+const (
+	githubAPIRequestTotalMetricName       = "argocd_github_api_requests_total"
+	githubAPIRequestDurationMetricName    = "argocd_github_api_request_duration_seconds"
+	githubAPIRateLimitRemainingMetricName = "argocd_github_api_rate_limit_remaining"
+	githubAPIRateLimitLimitMetricName     = "argocd_github_api_rate_limit_limit"
+	githubAPIRateLimitResetMetricName     = "argocd_github_api_rate_limit_reset_seconds"
+	githubAPIRateLimitUsedMetricName      = "argocd_github_api_rate_limit_used"
+)
+
+// GitHubMetrics groups all metric vectors for easier injection and registration
+type GitHubMetrics struct {
+	RequestTotal       *prometheus.CounterVec
+	RequestDuration    *prometheus.HistogramVec
+	RateLimitRemaining *prometheus.GaugeVec
+	RateLimitLimit     *prometheus.GaugeVec
+	RateLimitReset     *prometheus.GaugeVec
+	RateLimitUsed      *prometheus.GaugeVec
+}
+
+// Factory for a new set of GitHub metrics (for tests or custom registries)
+func NewGitHubMetrics() *GitHubMetrics {
+	return &GitHubMetrics{
+		RequestTotal:       NewGitHubAPIRequestTotal(),
+		RequestDuration:    NewGitHubAPIRequestDuration(),
+		RateLimitRemaining: NewGitHubAPIRateLimitRemaining(),
+		RateLimitLimit:     NewGitHubAPIRateLimitLimit(),
+		RateLimitReset:     NewGitHubAPIRateLimitReset(),
+		RateLimitUsed:      NewGitHubAPIRateLimitUsed(),
+	}
+}
+
+// Factory functions for each metric vector
+func NewGitHubAPIRequestTotal() *prometheus.CounterVec {
+	return prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: githubAPIRequestTotalMetricName,
+			Help: "Total number of GitHub API requests",
+		},
+		[]string{"method", "endpoint", "status", "appset_namespace", "appset_name"},
+	)
+}
+
+func NewGitHubAPIRequestDuration() *prometheus.HistogramVec {
+	return prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name:    githubAPIRequestDurationMetricName,
+			Help:    "GitHub API request duration in seconds",
+			Buckets: prometheus.DefBuckets,
+		},
+		[]string{"method", "endpoint", "appset_namespace", "appset_name"},
+	)
+}
+
+func NewGitHubAPIRateLimitRemaining() *prometheus.GaugeVec {
+	return prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name: githubAPIRateLimitRemainingMetricName,
+			Help: "The number of requests remaining in the current rate limit window",
+		},
+		[]string{"endpoint", "appset_namespace", "appset_name", "resource"},
+	)
+}
+
+func NewGitHubAPIRateLimitLimit() *prometheus.GaugeVec {
+	return prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name: githubAPIRateLimitLimitMetricName,
+			Help: "The maximum number of requests that you can make per hour",
+		},
+		[]string{"endpoint", "appset_namespace", "appset_name", "resource"},
+	)
+}
+
+func NewGitHubAPIRateLimitReset() *prometheus.GaugeVec {
+	return prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name: githubAPIRateLimitResetMetricName,
+			Help: "The time left till the current rate limit window resets, in seconds",
+		},
+		[]string{"endpoint", "appset_namespace", "appset_name", "resource"},
+	)
+}
+
+func NewGitHubAPIRateLimitUsed() *prometheus.GaugeVec {
+	return prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name: githubAPIRateLimitUsedMetricName,
+			Help: "The number of requests used in the current rate limit window",
+		},
+		[]string{"endpoint", "appset_namespace", "appset_name", "resource"},
+	)
+}
+
+// Global metrics (registered with the default registry)
+var globalGitHubMetrics = NewGitHubMetrics()
+
+func init() {
+	log.Debug("Registering GitHub API AppSet metrics")
+	metrics.Registry.MustRegister(globalGitHubMetrics.RequestTotal)
+	metrics.Registry.MustRegister(globalGitHubMetrics.RequestDuration)
+	metrics.Registry.MustRegister(globalGitHubMetrics.RateLimitRemaining)
+	metrics.Registry.MustRegister(globalGitHubMetrics.RateLimitLimit)
+	metrics.Registry.MustRegister(globalGitHubMetrics.RateLimitReset)
+	metrics.Registry.MustRegister(globalGitHubMetrics.RateLimitUsed)
+}
+
+type MetricsContext struct {
+	AppSetNamespace string
+	AppSetName      string
+}
+
+// GitHubMetricsTransport is a custom http.RoundTripper that collects GitHub API metrics
+type GitHubMetricsTransport struct {
+	transport      http.RoundTripper
+	metricsContext *MetricsContext
+	metrics        *GitHubMetrics
+}
+
+// RoundTrip implements http.RoundTripper interface and collects metrics along with debug logging
+func (t *GitHubMetricsTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	endpoint := req.URL.Path
+	method := req.Method
+
+	appsetNamespace := "unknown"
+	appsetName := "unknown"
+
+	if t.metricsContext != nil {
+		appsetNamespace = t.metricsContext.AppSetNamespace
+		appsetName = t.metricsContext.AppSetName
+	}
+
+	log.WithFields(log.Fields{
+		"method":         method,
+		"endpoint":       endpoint,
+		"applicationset": map[string]string{"name": appsetName, "namespace": appsetNamespace},
+	}).Debugf("Invoking GitHub API")
+
+	startTime := time.Now()
+	resp, err := t.transport.RoundTrip(req)
+	duration := time.Since(startTime)
+
+	// Record metrics
+	t.metrics.RequestDuration.WithLabelValues(method, endpoint, appsetNamespace, appsetName).Observe(duration.Seconds())
+
+	status := "0"
+	if resp != nil {
+		status = strconv.Itoa(resp.StatusCode)
+	}
+	t.metrics.RequestTotal.WithLabelValues(method, endpoint, status, appsetNamespace, appsetName).Inc()
+
+	if resp != nil {
+		resetHumanReadableTime := ""
+		remainingInt := 0
+		limitInt := 0
+		usedInt := 0
+		resource := resp.Header.Get("X-RateLimit-Resource")
+
+		// Record rate limit metrics if available
+		if resetTime := resp.Header.Get("X-RateLimit-Reset"); resetTime != "" {
+			if resetUnix, err := strconv.ParseInt(resetTime, 10, 64); err == nil {
+				// Calculate seconds until reset (reset timestamp - current time)
+				secondsUntilReset := resetUnix - time.Now().Unix()
+				t.metrics.RateLimitReset.WithLabelValues(endpoint, appsetNamespace, appsetName, resource).Set(float64(secondsUntilReset))
+				resetHumanReadableTime = time.Unix(resetUnix, 0).Local().Format("2006-01-02 15:04:05 MST")
+			}
+		}
+		if remaining := resp.Header.Get("X-RateLimit-Remaining"); remaining != "" {
+			if remainingInt, err = strconv.Atoi(remaining); err == nil {
+				t.metrics.RateLimitRemaining.WithLabelValues(endpoint, appsetNamespace, appsetName, resource).Set(float64(remainingInt))
+			}
+		}
+		if limit := resp.Header.Get("X-RateLimit-Limit"); limit != "" {
+			if limitInt, err = strconv.Atoi(limit); err == nil {
+				t.metrics.RateLimitLimit.WithLabelValues(endpoint, appsetNamespace, appsetName, resource).Set(float64(limitInt))
+			}
+		}
+		if used := resp.Header.Get("X-RateLimit-Used"); used != "" {
+			if usedInt, err = strconv.Atoi(used); err == nil {
+				t.metrics.RateLimitUsed.WithLabelValues(endpoint, appsetNamespace, appsetName, resource).Set(float64(usedInt))
+			}
+		}
+
+		log.WithFields(log.Fields{
+			"endpoint":       endpoint,
+			"reset":          resetHumanReadableTime,
+			"remaining":      remainingInt,
+			"limit":          limitInt,
+			"used":           usedInt,
+			"resource":       resource,
+			"applicationset": map[string]string{"name": appsetName, "namespace": appsetNamespace},
+		}).Debugf("GitHub API rate limit info")
+	}
+
+	return resp, err
+}
+
+// Full constructor (for tests and advanced use)
+func NewGitHubMetricsTransport(
+	transport http.RoundTripper,
+	metricsContext *MetricsContext,
+	metrics *GitHubMetrics,
+) *GitHubMetricsTransport {
+	return &GitHubMetricsTransport{
+		transport:      transport,
+		metricsContext: metricsContext,
+		metrics:        metrics,
+	}
+}
+
+// Default constructor
+func NewDefaultGitHubMetricsTransport(transport http.RoundTripper, metricsContext *MetricsContext) *GitHubMetricsTransport {
+	return NewGitHubMetricsTransport(
+		transport,
+		metricsContext,
+		globalGitHubMetrics,
+	)
+}
+
+// NewGitHubMetricsClient wraps an http.Client with metrics middleware
+func NewGitHubMetricsClient(metricsContext *MetricsContext) *http.Client {
+	log.Debug("Creating new GitHub metrics client")
+	return &http.Client{
+		Transport: NewDefaultGitHubMetricsTransport(http.DefaultTransport, metricsContext),
+	}
+}
--- a/applicationset/services/github_metrics_test.go
+++ b/applicationset/services/github_metrics_test.go
@@ -0,0 +1,235 @@
+package services
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"sort"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/stretchr/testify/assert"
+)
+
+type Metric struct {
+	name   string
+	labels []string
+	value  string
+}
+
+var (
+	endpointLabel        = "endpoint=\"/api/test\""
+	URL                  = "/api/test"
+	appsetNamespaceLabel = "appset_namespace=\"test-ns\""
+	appsetNamespace      = "test-ns"
+	appsetName           = "test-appset"
+	appsetNameLabel      = "appset_name=\"test-appset\""
+	resourceLabel        = "resource=\"core\""
+
+	rateLimitMetrics = []Metric{
+		{
+			name:   githubAPIRateLimitRemainingMetricName,
+			labels: []string{endpointLabel, appsetNamespaceLabel, appsetNameLabel, resourceLabel},
+			value:  "42",
+		},
+		{
+			name:   githubAPIRateLimitLimitMetricName,
+			labels: []string{endpointLabel, appsetNamespaceLabel, appsetNameLabel, resourceLabel},
+			value:  "100",
+		},
+		{
+			name:   githubAPIRateLimitUsedMetricName,
+			labels: []string{endpointLabel, appsetNamespaceLabel, appsetNameLabel, resourceLabel},
+			value:  "58",
+		},
+		{
+			name:   githubAPIRateLimitResetMetricName,
+			labels: []string{endpointLabel, appsetNamespaceLabel, appsetNameLabel, resourceLabel},
+			value:  "1",
+		},
+	}
+	successRequestMetrics = Metric{
+		name:   githubAPIRequestTotalMetricName,
+		labels: []string{"method=\"GET\"", endpointLabel, "status=\"201\"", appsetNamespaceLabel, appsetNameLabel},
+		value:  "1",
+	}
+	failureRequestMetrics = Metric{
+		name:   githubAPIRequestTotalMetricName,
+		labels: []string{"method=\"GET\"", endpointLabel, "status=\"0\"", appsetNamespaceLabel, appsetNameLabel},
+		value:  "1",
+	}
+)
+
+func TestGitHubMetrics_CollectorApproach_Success(t *testing.T) {
+	metrics := NewGitHubMetrics()
+	reg := prometheus.NewRegistry()
+	reg.MustRegister(
+		metrics.RequestTotal,
+		metrics.RequestDuration,
+		metrics.RateLimitRemaining,
+		metrics.RateLimitLimit,
+		metrics.RateLimitReset,
+		metrics.RateLimitUsed,
+	)
+
+	// Setup a fake HTTP server
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("X-RateLimit-Reset", strconv.FormatInt(time.Now().Unix()+1, 10))
+		w.Header().Set("X-RateLimit-Remaining", "42")
+		w.Header().Set("X-RateLimit-Limit", "100")
+		w.Header().Set("X-RateLimit-Used", "58")
+		w.Header().Set("X-RateLimit-Resource", "core")
+		w.WriteHeader(http.StatusCreated)
+		_, _ = w.Write([]byte("ok"))
+	}))
+	defer ts.Close()
+
+	metricsCtx := &MetricsContext{AppSetNamespace: appsetNamespace, AppSetName: appsetName}
+	client := &http.Client{
+		Transport: NewGitHubMetricsTransport(
+			http.DefaultTransport,
+			metricsCtx,
+			metrics,
+		),
+	}
+
+	ctx := t.Context()
+
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, ts.URL+URL, http.NoBody)
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	resp.Body.Close()
+
+	// Expose and scrape metrics
+	handler := promhttp.HandlerFor(reg, promhttp.HandlerOpts{})
+	server := httptest.NewServer(handler)
+	defer server.Close()
+
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, server.URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	resp, err = http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("failed to scrape metrics: %v", err)
+	}
+	defer resp.Body.Close()
+	body, _ := io.ReadAll(resp.Body)
+	metricsOutput := string(body)
+
+	sort.Strings(successRequestMetrics.labels)
+	assert.Contains(t, metricsOutput, successRequestMetrics.name+"{"+strings.Join(successRequestMetrics.labels, ",")+"} "+successRequestMetrics.value)
+
+	for _, metric := range rateLimitMetrics {
+		sort.Strings(metric.labels)
+		assert.Contains(t, metricsOutput, metric.name+"{"+strings.Join(metric.labels, ",")+"} "+metric.value)
+	}
+}
+
+type RoundTripperFunc func(*http.Request) (*http.Response, error)
+
+func (f RoundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }
+
+func TestGitHubMetrics_CollectorApproach_NoRateLimitMetricsOnNilResponse(t *testing.T) {
+	metrics := NewGitHubMetrics()
+	reg := prometheus.NewRegistry()
+	reg.MustRegister(
+		metrics.RequestTotal,
+		metrics.RequestDuration,
+		metrics.RateLimitRemaining,
+		metrics.RateLimitLimit,
+		metrics.RateLimitReset,
+		metrics.RateLimitUsed,
+	)
+
+	client := &http.Client{
+		Transport: &GitHubMetricsTransport{
+			transport: RoundTripperFunc(func(*http.Request) (*http.Response, error) {
+				return nil, http.ErrServerClosed
+			}),
+			metricsContext: &MetricsContext{AppSetNamespace: appsetNamespace, AppSetName: appsetName},
+			metrics:        metrics,
+		},
+	}
+	ctx := t.Context()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	_, _ = client.Do(req)
+
+	handler := promhttp.HandlerFor(reg, promhttp.HandlerOpts{})
+	server := httptest.NewServer(handler)
+	defer server.Close()
+
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, server.URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("failed to scrape metrics: %v", err)
+	}
+	defer resp.Body.Close()
+	body, _ := io.ReadAll(resp.Body)
+	metricsOutput := string(body)
+
+	// Verify request metric exists with status "0"
+	sort.Strings(failureRequestMetrics.labels)
+	assert.Contains(t, metricsOutput, failureRequestMetrics.name+"{"+strings.Join(failureRequestMetrics.labels, ",")+"} "+failureRequestMetrics.value)
+
+	// Verify rate limit metrics don't exist
+	for _, metric := range rateLimitMetrics {
+		sort.Strings(metric.labels)
+		assert.NotContains(t, metricsOutput, metric.name+"{"+strings.Join(metric.labels, ",")+"} "+metric.value)
+	}
+}
+
+func TestNewGitHubMetricsClient(t *testing.T) {
+	// Test cases
+	testCases := []struct {
+		name       string
+		metricsCtx *MetricsContext
+	}{
+		{
+			name: "with metrics context",
+			metricsCtx: &MetricsContext{
+				AppSetNamespace: appsetNamespace,
+				AppSetName:      appsetName,
+			},
+		},
+		{
+			name:       "with nil metrics context",
+			metricsCtx: nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create client
+			client := NewGitHubMetricsClient(tc.metricsCtx)
+
+			// Assert client is not nil
+			assert.NotNil(t, client)
+
+			// Assert transport is properly configured
+			transport, ok := client.Transport.(*GitHubMetricsTransport)
+			assert.True(t, ok, "Transport should be GitHubMetricsTransport")
+
+			// Verify transport configuration
+			assert.Equal(t, tc.metricsCtx, transport.metricsContext)
+			assert.NotNil(t, transport.metrics, "Metrics should not be nil")
+			assert.Equal(t, http.DefaultTransport, transport.transport, "Base transport should be http.DefaultTransport")
+
+			// Verify metrics are global metrics
+			assert.Equal(t, globalGitHubMetrics, transport.metrics, "Should use global metrics")
+		})
+	}
+}
--- a/applicationset/services/internal/github_app/client.go
+++ b/applicationset/services/internal/github_app/client.go
@@ -1,35 +1,74 @@
 package github_app

 import (
+	"context"
+	"errors"
 	"fmt"
 	"net/http"

 	"github.com/bradleyfalzon/ghinstallation/v2"
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v69/github"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/github_app_auth"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/github_app_auth"
+	"github.com/argoproj/argo-cd/v3/util/git"
 )

-// Client builds a github client for the given app authentication.
-func Client(g github_app_auth.Authentication, url string) (*github.Client, error) {
-	rt, err := ghinstallation.New(http.DefaultTransport, g.Id, g.InstallationId, []byte(g.PrivateKey))
-	if err != nil {
-		return nil, fmt.Errorf("failed to create github app install: %w", err)
+// getInstallationClient creates a new GitHub client with the specified installation ID.
+// It also returns a ghinstallation.Transport, which can be used for git requests.
+func getInstallationClient(g github_app_auth.Authentication, url string, httpClient ...*http.Client) (*github.Client, error) {
+	if g.InstallationId <= 0 {
+		return nil, errors.New("installation ID is required for github")
 	}
+
+	// Use provided HTTP client's transport or default
+	var transport http.RoundTripper
+	if len(httpClient) > 0 && httpClient[0] != nil && httpClient[0].Transport != nil {
+		transport = httpClient[0].Transport
+	} else {
+		transport = http.DefaultTransport
+	}
+
+	itr, err := ghinstallation.New(transport, g.Id, g.InstallationId, []byte(g.PrivateKey))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GitHub installation transport: %w", err)
+	}
+
 	if url == "" {
 		url = g.EnterpriseBaseURL
 	}
+
 	var client *github.Client
 	if url == "" {
-		httpClient := http.Client{Transport: rt}
-		client = github.NewClient(&httpClient)
-	} else {
-		rt.BaseURL = url
-		httpClient := http.Client{Transport: rt}
-		client, err = github.NewEnterpriseClient(url, url, &httpClient)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create github enterprise client: %w", err)
-		}
+		client = github.NewClient(&http.Client{Transport: itr})
+		return client, nil
+	}
+
+	itr.BaseURL = url
+	client, err = github.NewClient(&http.Client{Transport: itr}).WithEnterpriseURLs(url, url)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GitHub enterprise client: %w", err)
 	}
 	return client, nil
 }
+
+// Client builds a github client for the given app authentication.
+func Client(ctx context.Context, g github_app_auth.Authentication, url, org string, optionalHTTPClient ...*http.Client) (*github.Client, error) {
+	if url == "" {
+		url = g.EnterpriseBaseURL
+	}
+
+	// If an installation ID is already provided, use it directly.
+	if g.InstallationId != 0 {
+		return getInstallationClient(g, url, optionalHTTPClient...)
+	}
+
+	// Auto-discover installation ID using shared utility
+	// Pass optional HTTP client for metrics tracking
+	installationId, err := git.DiscoverGitHubAppInstallationID(ctx, g.Id, g.PrivateKey, url, org, optionalHTTPClient...)
+	if err != nil {
+		return nil, err
+	}
+
+	g.InstallationId = installationId
+	return getInstallationClient(g, url, optionalHTTPClient...)
+}
--- a/applicationset/services/internal/http/client.go
+++ b/applicationset/services/internal/http/client.go
@@ -65,8 +65,7 @@ func newClient(baseURL string, options ...ClientOptionFunc) (*Client, error) {
 	return c, nil
 }

-func (c *Client) NewRequest(method, path string, body interface{}, options []ClientOptionFunc) (*http.Request, error) {
-
+func (c *Client) NewRequestWithContext(ctx context.Context, method, path string, body any) (*http.Request, error) {
 	// Make sure the given URL end with a slash
 	if !strings.HasSuffix(c.baseURL, "/") {
 		c.baseURL += "/"
@@ -83,7 +82,7 @@ func (c *Client) NewRequest(method, path string, body interface{}, options []Cli
 		}
 	}

-	req, err := http.NewRequest(method, c.baseURL+path, buf)
+	req, err := http.NewRequestWithContext(ctx, method, c.baseURL+path, buf)
 	if err != nil {
 		return nil, err
 	}
@@ -92,7 +91,7 @@ func (c *Client) NewRequest(method, path string, body interface{}, options []Cli
 		req.Header.Set("Content-Type", "application/json")
 	}

-	if len(c.token) != 0 {
+	if c.token != "" {
 		req.Header.Set("Authorization", "Bearer "+c.token)
 	}

@@ -103,7 +102,7 @@ func (c *Client) NewRequest(method, path string, body interface{}, options []Cli
 	return req, nil
 }

-func (c *Client) Do(ctx context.Context, req *http.Request, v interface{}) (*http.Response, error) {
+func (c *Client) Do(req *http.Request, v any) (*http.Response, error) {
 	resp, err := c.client.Do(req)
 	if err != nil {
 		return nil, err
@@ -135,17 +134,16 @@ func (c *Client) Do(ctx context.Context, req *http.Request, v interface{}) (*htt

 // CheckResponse checks the API response for errors, and returns them if present.
 func CheckResponse(resp *http.Response) error {
-
-	if c := resp.StatusCode; 200 <= c && c <= 299 {
+	if c := resp.StatusCode; http.StatusOK <= c && c < http.StatusMultipleChoices {
 		return nil
 	}

 	data, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return fmt.Errorf("API error with status code %d: %v", resp.StatusCode, err)
+		return fmt.Errorf("API error with status code %d: %w", resp.StatusCode, err)
 	}

-	var raw map[string]interface{}
+	var raw map[string]any
 	if err := json.Unmarshal(data, &raw); err != nil {
 		return fmt.Errorf("API error with status code %d: %s", resp.StatusCode, string(data))
 	}
--- a/applicationset/services/internal/http/client_test.go
+++ b/applicationset/services/internal/http/client_test.go
@@ -2,7 +2,7 @@ package http

 import (
 	"bytes"
-	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -10,36 +10,32 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestClient(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		_, err := w.Write([]byte("Hello, World!"))
 		if err != nil {
-			assert.NoError(t, fmt.Errorf("Error Write %v", err))
+			assert.NoError(t, fmt.Errorf("Error Write %w", err))
 		}
 	}))
 	defer server.Close()

 	var clientOptionFns []ClientOptionFunc
 	_, err := NewClient(server.URL, clientOptionFns...)
-
-	if err != nil {
-		t.Fatalf("Failed to create client: %v", err)
-	}
+	require.NoError(t, err, "Failed to create client")
 }

 func TestClientDo(t *testing.T) {
-	ctx := context.Background()
-
 	for _, c := range []struct {
 		name            string
 		params          map[string]string
 		content         []byte
 		fakeServer      *httptest.Server
 		clientOptionFns []ClientOptionFunc
-		expected        []map[string]interface{}
+		expected        []map[string]any
 		expectedCode    int
 		expectedError   error
 	}{
@@ -49,7 +45,7 @@ func TestClientDo(t *testing.T) {
 				"pkey1": "val1",
 				"pkey2": "val2",
 			},
-			fakeServer: httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			fakeServer: httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 				w.WriteHeader(http.StatusOK)
 				_, err := w.Write([]byte(`[{
 					"key1": "val1",
@@ -62,23 +58,23 @@ func TestClientDo(t *testing.T) {
 					"key3": 123
 				 }]`))
 				if err != nil {
-					assert.NoError(t, fmt.Errorf("Error Write %v", err))
+					assert.NoError(t, fmt.Errorf("Error Write %w", err))
 				}
 			})),
 			clientOptionFns: nil,
-			expected: []map[string]interface{}{
+			expected: []map[string]any{
 				{
 					"key1": "val1",
-					"key2": map[string]interface{}{
+					"key2": map[string]any{
 						"key2_1": "val2_1",
-						"key2_2": map[string]interface{}{
+						"key2_2": map[string]any{
 							"key2_2_1": "val2_2_1",
 						},
 					},
 					"key3": float64(123),
 				},
 			},
-			expectedCode:  200,
+			expectedCode:  http.StatusOK,
 			expectedError: nil,
 		},
 		{
@@ -105,13 +101,13 @@ func TestClientDo(t *testing.T) {
 					"key3": 123
 				 }]`))
 				if err != nil {
-					assert.NoError(t, fmt.Errorf("Error Write %v", err))
+					assert.NoError(t, fmt.Errorf("Error Write %w", err))
 				}
 			})),
 			clientOptionFns: nil,
-			expected:        []map[string]interface{}(nil),
-			expectedCode:    401,
-			expectedError:   fmt.Errorf("API error with status code 401: "),
+			expected:        []map[string]any(nil),
+			expectedCode:    http.StatusUnauthorized,
+			expectedError:   errors.New("API error with status code 401: "),
 		},
 	} {
 		cc := c
@@ -119,26 +115,20 @@ func TestClientDo(t *testing.T) {
 			defer cc.fakeServer.Close()

 			client, err := NewClient(cc.fakeServer.URL, cc.clientOptionFns...)
+			require.NoError(t, err, "NewClient returned unexpected error")

-			if err != nil {
-				t.Fatalf("NewClient returned unexpected error: %v", err)
-			}
+			req, err := client.NewRequestWithContext(t.Context(), http.MethodPost, "", cc.params)
+			require.NoError(t, err, "NewRequest returned unexpected error")

-			req, err := client.NewRequest("POST", "", cc.params, nil)
+			var data []map[string]any

-			if err != nil {
-				t.Fatalf("NewRequest returned unexpected error: %v", err)
-			}
-
-			var data []map[string]interface{}
-
-			resp, err := client.Do(ctx, req, &data)
+			resp, err := client.Do(req, &data)

 			if cc.expectedError != nil {
 				assert.EqualError(t, err, cc.expectedError.Error())
 			} else {
-				assert.Equal(t, resp.StatusCode, cc.expectedCode)
-				assert.Equal(t, data, cc.expected)
+				assert.Equal(t, cc.expectedCode, resp.StatusCode)
+				assert.Equal(t, cc.expected, data)
 				assert.NoError(t, err)
 			}
 		})
@@ -152,12 +142,5 @@ func TestCheckResponse(t *testing.T) {
 	}

 	err := CheckResponse(resp)
-	if err == nil {
-		t.Error("Expected an error, got nil")
-	}
-
-	expected := "API error with status code 400: invalid_request"
-	if err.Error() != expected {
-		t.Errorf("Expected error '%s', got '%s'", expected, err.Error())
-	}
+	require.EqualError(t, err, "API error with status code 400: invalid_request")
 }
--- a/applicationset/services/mocks/Repos.go
+++ b/applicationset/services/mocks/Repos.go
@@ -1,77 +1,21 @@
-// Code generated by mockery v2.25.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

 package mocks

 import (
-	context "context"
+	"context"

 	mock "github.com/stretchr/testify/mock"
 )

-// Repos is an autogenerated mock type for the Repos type
-type Repos struct {
-	mock.Mock
-}
-
-// GetDirectories provides a mock function with given fields: ctx, repoURL, revision, noRevisionCache
-func (_m *Repos) GetDirectories(ctx context.Context, repoURL string, revision string, noRevisionCache bool) ([]string, error) {
-	ret := _m.Called(ctx, repoURL, revision, noRevisionCache)
-
-	var r0 []string
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, bool) ([]string, error)); ok {
-		return rf(ctx, repoURL, revision, noRevisionCache)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, bool) []string); ok {
-		r0 = rf(ctx, repoURL, revision, noRevisionCache)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]string)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, string, string, bool) error); ok {
-		r1 = rf(ctx, repoURL, revision, noRevisionCache)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// GetFiles provides a mock function with given fields: ctx, repoURL, revision, pattern, noRevisionCache
-func (_m *Repos) GetFiles(ctx context.Context, repoURL string, revision string, pattern string, noRevisionCache bool) (map[string][]byte, error) {
-	ret := _m.Called(ctx, repoURL, revision, pattern, noRevisionCache)
-
-	var r0 map[string][]byte
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, string, bool) (map[string][]byte, error)); ok {
-		return rf(ctx, repoURL, revision, pattern, noRevisionCache)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, string, bool) map[string][]byte); ok {
-		r0 = rf(ctx, repoURL, revision, pattern, noRevisionCache)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[string][]byte)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, string, string, string, bool) error); ok {
-		r1 = rf(ctx, repoURL, revision, pattern, noRevisionCache)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-type mockConstructorTestingTNewRepos interface {
+// NewRepos creates a new instance of Repos. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewRepos(t interface {
 	mock.TestingT
 	Cleanup(func())
-}
-
-// NewRepos creates a new instance of Repos. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewRepos(t mockConstructorTestingTNewRepos) *Repos {
+}) *Repos {
 	mock := &Repos{}
 	mock.Mock.Test(t)

@@ -79,3 +23,206 @@ func NewRepos(t mockConstructorTestingTNewRepos) *Repos {

 	return mock
 }
+
+// Repos is an autogenerated mock type for the Repos type
+type Repos struct {
+	mock.Mock
+}
+
+type Repos_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *Repos) EXPECT() *Repos_Expecter {
+	return &Repos_Expecter{mock: &_m.Mock}
+}
+
+// GetDirectories provides a mock function for the type Repos
+func (_mock *Repos) GetDirectories(ctx context.Context, repoURL string, revision string, project string, noRevisionCache bool, verifyCommit bool) ([]string, error) {
+	ret := _mock.Called(ctx, repoURL, revision, project, noRevisionCache, verifyCommit)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDirectories")
+	}
+
+	var r0 []string
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string, string, bool, bool) ([]string, error)); ok {
+		return returnFunc(ctx, repoURL, revision, project, noRevisionCache, verifyCommit)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string, string, bool, bool) []string); ok {
+		r0 = returnFunc(ctx, repoURL, revision, project, noRevisionCache, verifyCommit)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]string)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string, string, string, bool, bool) error); ok {
+		r1 = returnFunc(ctx, repoURL, revision, project, noRevisionCache, verifyCommit)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repos_GetDirectories_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDirectories'
+type Repos_GetDirectories_Call struct {
+	*mock.Call
+}
+
+// GetDirectories is a helper method to define mock.On call
+//   - ctx context.Context
+//   - repoURL string
+//   - revision string
+//   - project string
+//   - noRevisionCache bool
+//   - verifyCommit bool
+func (_e *Repos_Expecter) GetDirectories(ctx interface{}, repoURL interface{}, revision interface{}, project interface{}, noRevisionCache interface{}, verifyCommit interface{}) *Repos_GetDirectories_Call {
+	return &Repos_GetDirectories_Call{Call: _e.mock.On("GetDirectories", ctx, repoURL, revision, project, noRevisionCache, verifyCommit)}
+}
+
+func (_c *Repos_GetDirectories_Call) Run(run func(ctx context.Context, repoURL string, revision string, project string, noRevisionCache bool, verifyCommit bool)) *Repos_GetDirectories_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		var arg3 string
+		if args[3] != nil {
+			arg3 = args[3].(string)
+		}
+		var arg4 bool
+		if args[4] != nil {
+			arg4 = args[4].(bool)
+		}
+		var arg5 bool
+		if args[5] != nil {
+			arg5 = args[5].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+			arg4,
+			arg5,
+		)
+	})
+	return _c
+}
+
+func (_c *Repos_GetDirectories_Call) Return(strings []string, err error) *Repos_GetDirectories_Call {
+	_c.Call.Return(strings, err)
+	return _c
+}
+
+func (_c *Repos_GetDirectories_Call) RunAndReturn(run func(ctx context.Context, repoURL string, revision string, project string, noRevisionCache bool, verifyCommit bool) ([]string, error)) *Repos_GetDirectories_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetFiles provides a mock function for the type Repos
+func (_mock *Repos) GetFiles(ctx context.Context, repoURL string, revision string, project string, pattern string, noRevisionCache bool, verifyCommit bool) (map[string][]byte, error) {
+	ret := _mock.Called(ctx, repoURL, revision, project, pattern, noRevisionCache, verifyCommit)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetFiles")
+	}
+
+	var r0 map[string][]byte
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string, string, string, bool, bool) (map[string][]byte, error)); ok {
+		return returnFunc(ctx, repoURL, revision, project, pattern, noRevisionCache, verifyCommit)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string, string, string, bool, bool) map[string][]byte); ok {
+		r0 = returnFunc(ctx, repoURL, revision, project, pattern, noRevisionCache, verifyCommit)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[string][]byte)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string, string, string, string, bool, bool) error); ok {
+		r1 = returnFunc(ctx, repoURL, revision, project, pattern, noRevisionCache, verifyCommit)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repos_GetFiles_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetFiles'
+type Repos_GetFiles_Call struct {
+	*mock.Call
+}
+
+// GetFiles is a helper method to define mock.On call
+//   - ctx context.Context
+//   - repoURL string
+//   - revision string
+//   - project string
+//   - pattern string
+//   - noRevisionCache bool
+//   - verifyCommit bool
+func (_e *Repos_Expecter) GetFiles(ctx interface{}, repoURL interface{}, revision interface{}, project interface{}, pattern interface{}, noRevisionCache interface{}, verifyCommit interface{}) *Repos_GetFiles_Call {
+	return &Repos_GetFiles_Call{Call: _e.mock.On("GetFiles", ctx, repoURL, revision, project, pattern, noRevisionCache, verifyCommit)}
+}
+
+func (_c *Repos_GetFiles_Call) Run(run func(ctx context.Context, repoURL string, revision string, project string, pattern string, noRevisionCache bool, verifyCommit bool)) *Repos_GetFiles_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		var arg3 string
+		if args[3] != nil {
+			arg3 = args[3].(string)
+		}
+		var arg4 string
+		if args[4] != nil {
+			arg4 = args[4].(string)
+		}
+		var arg5 bool
+		if args[5] != nil {
+			arg5 = args[5].(bool)
+		}
+		var arg6 bool
+		if args[6] != nil {
+			arg6 = args[6].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+			arg4,
+			arg5,
+			arg6,
+		)
+	})
+	return _c
+}
+
+func (_c *Repos_GetFiles_Call) Return(stringToBytes map[string][]byte, err error) *Repos_GetFiles_Call {
+	_c.Call.Return(stringToBytes, err)
+	return _c
+}
+
+func (_c *Repos_GetFiles_Call) RunAndReturn(run func(ctx context.Context, repoURL string, revision string, project string, pattern string, noRevisionCache bool, verifyCommit bool) (map[string][]byte, error)) *Repos_GetFiles_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/applicationset/services/mocks/RepositoryDB.go
+++ b/applicationset/services/mocks/RepositoryDB.go
@@ -1,57 +0,0 @@
-// Code generated by mockery v2.21.1. DO NOT EDIT.
-
-package mocks
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-
-	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-)
-
-// RepositoryDB is an autogenerated mock type for the RepositoryDB type
-type RepositoryDB struct {
-	mock.Mock
-}
-
-// GetRepository provides a mock function with given fields: ctx, url
-func (_m *RepositoryDB) GetRepository(ctx context.Context, url string) (*v1alpha1.Repository, error) {
-	ret := _m.Called(ctx, url)
-
-	var r0 *v1alpha1.Repository
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, string) (*v1alpha1.Repository, error)); ok {
-		return rf(ctx, url)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, string) *v1alpha1.Repository); ok {
-		r0 = rf(ctx, url)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.Repository)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, url)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-type mockConstructorTestingTNewRepositoryDB interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewRepositoryDB creates a new instance of RepositoryDB. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewRepositoryDB(t mockConstructorTestingTNewRepositoryDB) *RepositoryDB {
-	mock := &RepositoryDB{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .11.14
 .3.1