Bump version to 2.13.9 on release-2.13 branch (#24404 )

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: crenshaw-dev <350466+crenshaw-dev@users.noreply.github.com>
fix(security): repository.GetDetailedProject exposes repo secrets (#24388 )
2026-02-21 01:58:46 +01:00 · 2025-09-04 13:30:39 -04:00 · 2025-09-04 13:30:14 -04:00 · 2025-07-09 17:07:56 -04:00 · 2025-06-16 13:48:07 -04:00 · 2025-05-28 08:45:24 -06:00
1093 changed files with 53388 additions and 37478 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,13 @@
+**/*.pb.go linguist-generated=true
+**/mocks/*.go linguist-generated=true
+assets/swagger.json linguist-generated=true
+docs/operator-manual/resource_actions_builtin.md linguist-generated=true
+docs/operator-manual/server-commands/argocd-*.md linguist-generated=true
+docs/user-guide/commands/argocd_*.md linguist-generated=true
+manifests/core-install.yaml linguist-generated=true
+manifests/crds/*-crd.yaml linguist-generated=true
+manifests/ha/install.yaml linguist-generated=true
+manifests/ha/namespace-install.yaml linguist-generated=true
+manifests/install.yaml linguist-generated=true
+manifests/namespace-install.yaml linguist-generated=true
+pkg/apis/api-rules/violation_exceptions.list linguist-generated=true
--- a/.github/ISSUE_TEMPLATE/new_dev_tool.md
+++ b/.github/ISSUE_TEMPLATE/new_dev_tool.md
@@ -0,0 +1,43 @@
+---
+name: New Dev Tool Request
+about: This is a request for adding a new tool for setting up a dev environment.
+title: ''
+labels: ''
+assignees: ''
+---
+
+Checklist:
+
+* [ ] I am willing to maintain this tool, or have another Argo CD maintainer who is. 
+* [ ] I have another Argo CD maintainer who is willing to help maintain this tool (there needs to be at least two maintainers willing to maintain this tool)
+* [ ] I have a lead sponsor who is a core Argo CD maintainer
+* [ ] There is a PR which adds said tool - this is so that the maintainers can assess the impact of having this in the tree
+* [ ] I have given a motivation why this should be added
+
+### The proposer
+
+<-- The username(s) of the person(s) proposing the tool -->
+
+### The proposed tool
+
+<!-- The tool itself, with a link to the tool’s website -->
+
+### Motivation
+
+<!-- Why this tool would be useful to have in the tree. --> 
+
+### Link to PR (Optional)
+
+<!-- A PR adding the tool to the tree -->
+
+### Lead Sponsor(s)
+
+Final approval requires sponsorship from at least one core maintainer.
+
+- @<sponsor-1>
+
+### Co-sponsors
+
+These will be the co-maintainers of the specified tool.
+
+- @<sponsor-1>
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,8 +4,13 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+    open-pull-requests-limit: 20
    ignore:
    - dependency-name: k8s.io/*
+    groups:
+      otel:
+        patterns:
+          - "^go.opentelemetry.io/.*"

  - package-ecosystem: "github-actions"
    directory: "/"
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -31,7 +31,7 @@ jobs:
      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
-      - uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78 # v44.5.2
+      - uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
@@ -56,7 +56,7 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@@ -77,11 +77,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -104,11 +104,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
        with:
          version: v1.58.2
          args: --verbose
@@ -131,7 +131,7 @@ jobs:
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -151,7 +151,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -172,7 +172,7 @@ jobs:
      - name: Run all unit tests
        run: make test-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: test-results
          path: test-results
@@ -195,7 +195,7 @@ jobs:
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -215,7 +215,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -236,7 +236,7 @@ jobs:
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: race-results
          path: test-results/
@@ -251,7 +251,7 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
@@ -303,12 +303,12 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup NodeJS
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: '21.6.1'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -323,6 +323,8 @@ jobs:
          NODE_ENV: production
          NODE_ONLINE_ENV: online
          HOST_ARCH: amd64
+          # If we're on the master branch, set the codecov token so that we upload bundle analysis
+          CODECOV_TOKEN: ${{ github.ref == 'refs/heads/master' && secrets.CODECOV_TOKEN || '' }}
        working-directory: ui/
      - name: Run ESLint
        run: yarn lint
@@ -346,7 +348,7 @@ jobs:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -354,21 +356,22 @@ jobs:
        run: |
          rm -rf ui/node_modules/argo-ui/node_modules
      - name: Get e2e code coverage
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: e2e-code-coverage
          path: e2e-code-coverage
      - name: Get unit test code coverage
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: test-results
          path: test-results
      - name: combine-go-coverage
-        # We generate coverage reports for all Argo CD components, but only the applicationset-controller report
-        # contains coverage data. The other components currently don't shut down gracefully, so no coverage data is
-        # produced. Once those components are fixed, we can add references to their coverage output directories.
+        # We generate coverage reports for all Argo CD components, but only the applicationset-controller,
+        # app-controller, and repo-server report contain coverage data. The other components currently don't shut down
+        # gracefully, so no coverage data is produced. Once those components are fixed, we can add references to their
+        # coverage output directories.
        run: |
-          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller -o test-results/full-coverage.out
+          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller -o test-results/full-coverage.out
      - name: Upload code coverage information to codecov.io
        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
        with:
@@ -376,11 +379,18 @@ jobs:
          fail_ci_if_error: true
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload test results to Codecov
+        if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'argoproj/argo-cd'
+        uses: codecov/test-results-action@1b5b448b98e58ba90d1a1a1d9fcb72ca2263be46 # v1.0.0
+        with:
+          file: test-results/junit.xml
+          fail_ci_if_error: true
+          token: ${{ secrets.CODECOV_TOKEN }}
      - name: Perform static code analysis using SonarCloud
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        uses: SonarSource/sonarqube-scan-action@540792c588b5c2740ad2bb4667db5cd46ae678f2 # v2.2
+        uses: SonarSource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # v2.2
        if: env.sonar_secret != ''
  test-e2e:
    name: Run end-to-end tests
@@ -390,14 +400,14 @@ jobs:
      fail-fast: false
      matrix:
        k3s:
-          - version: v1.29.1
+          - version: v1.30.2
            # We designate the latest version because we only collect code coverage for that version.
            latest: true
-          - version: v1.28.6
+          - version: v1.29.6
            latest: false
-          - version: v1.27.10
+          - version: v1.28.11
            latest: false
-          - version: v1.26.13
+          - version: v1.27.15
            latest: false
    needs:
      - build-go
@@ -419,7 +429,7 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: GH actions workaround - Kill XSP4 process
@@ -438,7 +448,7 @@ jobs:
          sudo chmod go-r $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -464,7 +474,7 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.38.0
+          docker pull ghcr.io/dexidp/dex:v2.41.1
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
          docker pull redis:7.0.15-alpine
      - name: Create target directory for binaries in the build-process
@@ -496,13 +506,13 @@ jobs:
          goreman run stop-all || echo "goreman trouble"
          sleep 30
      - name: Upload e2e coverage report
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: e2e-code-coverage
          path: /tmp/coverage
        if: ${{ matrix.k3s.latest }}
      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: e2e-server-k8s${{ matrix.k3s.version }}.log
          path: /tmp/e2e-server.log
@@ -529,4 +539,4 @@ jobs:
            exit 0
          else
            exit 1
-          fi
+          fi
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -33,7 +33,7 @@ jobs:

    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
    - name: Setup Golang
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version-file: go.mod
      
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -69,15 +69,15 @@ jobs:
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ inputs.go-version }}

      - name: Install cosign
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0

-      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+      - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

      - name: Setup tags for container image as a CSV type
        run: |
@@ -104,7 +104,7 @@ jobs:
            echo 'EOF' >> $GITHUB_ENV

      - name: Login to Quay.io
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
@@ -112,7 +112,7 @@ jobs:
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
@@ -120,7 +120,7 @@ jobs:
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      - name: Login to dockerhub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
@@ -143,7 +143,7 @@ jobs:

      - name: Build and push container image
        id: image
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 #v5.4.0
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 #v6.7.0
        with:
          context: .
          platforms: ${{ inputs.platforms }}
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -64,7 +64,7 @@ jobs:
          git stash pop

      - name: Create pull request
-        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e  # v6.0.5
+        uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4  # v7.0.2
        with:
          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -77,7 +77,7 @@ jobs:
          fi

      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}

@@ -153,7 +153,7 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Golang
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GOLANG_VERSION }}

@@ -197,7 +197,7 @@ jobs:
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
      
      - name: Upload SBOM
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -291,11 +291,11 @@ jobs:
          # Replace the 'project-release: vX.X.X-rcX' line in SECURITY-INSIGHTS.yml
          sed -i "s/project-release: v.*$/project-release: v${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml
          # Update the 'commit-hash: XXXXXXX' line in SECURITY-INSIGHTS.yml
-          sed -i "s/commit-hash: .*/commit-hash: ${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml
+          sed -i "s/commit-hash: .*/commit-hash: ${{ env.COMMIT_HASH }}/" SECURITY-INSIGHTS.yml
        if: ${{ env.UPDATE_VERSION == 'true' }}

      - name: Create PR to update VERSION on master branch
-        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
+        uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2
        with:
          commit-message: Bump version in master
          title: "chore: Bump version in master"
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -35,7 +35,7 @@ jobs:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
@@ -54,7 +54,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: SARIF file
          path: results.sarif
--- a/.gitpod.Dockerfile
+++ b/.gitpod.Dockerfile
@@ -1,4 +1,4 @@
-FROM gitpod/workspace-full@sha256:8dd34e72ae5b9e6f60d267dd6287befc2cf5ad1a11c64e9d93daa60c952a2154
+FROM gitpod/workspace-full@sha256:230285e0b949e6d728d384b2029a4111db7b9c87c182f22f32a0be9e36b225df

 USER root

--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,9 +1,12 @@
 issues:
  exclude:
-    - SA1019
    - SA5011
  max-issues-per-linter: 0
  max-same-issues: 0
+  exclude-rules:
+    - path: '(.+)_test\.go'
+      linters:
+        - unparam
 linters:
  enable:
    - errcheck
@@ -17,6 +20,7 @@ linters:
    - misspell
    - staticcheck
    - testifylint
+    - unparam
    - unused
    - whitespace 
 linters-settings:
@@ -36,8 +40,6 @@ linters-settings:
  testifylint:
    enable-all: true
    disable:
-      - error-is-as
-      - float-compare
      - go-require
 run:
  timeout: 50m
--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -0,0 +1,69 @@
+# global config
+filename: "{{.InterfaceName}}.go"
+dir: "{{.InterfaceDir}}/mocks"
+outpkg: "mocks"
+mockname: "{{.InterfaceName}}"
+with-expecter: false
+# individual interface config
+packages:
+  github.com/argoproj/argo-cd/v2/applicationset/generators:
+    interfaces:
+      Generator:
+  github.com/argoproj/argo-cd/v2/applicationset/services:
+    interfaces:
+      Repos:
+  github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider:
+    config:
+      dir: "applicationset/services/scm_provider/aws_codecommit/mocks"
+    interfaces:
+      AWSCodeCommitClient:
+      AWSTaggingClient:
+  github.com/microsoft/azure-devops-go-api/azuredevops/git:
+    config:
+      dir: "applicationset/services/scm_provider/azure_devops/git/mocks"
+    interfaces:
+      Client:
+  github.com/argoproj/argo-cd/v2/applicationset/utils:
+    interfaces:
+      Renderer:
+  github.com/argoproj/argo-cd/v2/controller/cache:
+    interfaces:
+      LiveStateCache:
+  github.com/argoproj/argo-cd/v2/reposerver/apiclient:
+    interfaces:
+      RepoServerServiceClient:
+      RepoServerService_GenerateManifestWithFilesClient:
+  github.com/argoproj/argo-cd/v2/server/application:
+    interfaces:
+      Broadcaster:
+  github.com/argoproj/argo-cd/v2/server/extension:
+    interfaces:
+      ApplicationGetter:
+      ExtensionMetricsRegistry:
+      ProjectGetter:
+      RbacEnforcer:
+      SettingsGetter:
+      UserGetter:
+  github.com/argoproj/argo-cd/v2/util/db:
+    interfaces:
+      ArgoDB:
+  github.com/argoproj/argo-cd/v2/util/git:
+    interfaces:
+      Client:
+  github.com/argoproj/argo-cd/v2/util/helm:
+    interfaces:
+      Client:
+  github.com/argoproj/argo-cd/v2/util/io:
+    interfaces:
+      TempPaths:
+  github.com/argoproj/argo-cd/v2/util/notification/argocd:
+    interfaces:
+      Service:
+  # These mocks are not currently used, but they are part of the public API of this package.      
+  github.com/argoproj/argo-cd/v2/pkg/apiclient/session:
+    interfaces:
+      SessionServiceServer:
+      SessionServiceClient:
+  github.com/argoproj/argo-cd/v2/pkg/apiclient/cluster:
+    interfaces:
+      ClusterServiceServer:
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -2,6 +2,7 @@ version: 2
 formats: all
 mkdocs:
  fail_on_warning: false
+  configuration: mkdocs.yml
 python:
  install:
    - requirements: docs/requirements.txt
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog

+## v2.13.6 (2025-03-21)
+
+### Bug fixes
+- fix: handle annotated git tags correctly in repo server cache (#21548) (#21771)
+
 ## v2.4.8 (2022-07-29)

 ### Bug fixes
--- a/6
+++ b/6
@@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.22.4@sha256:c2010b9c2342431a24a2e64e33d9eb2e484af49e72c820e200d332d214d5e61f AS builder
+FROM docker.io/library/golang:1.23.1@sha256:2fe82a3f3e006b4f2a316c6a21f62b66e1330ae211d039bb8d1128e12ed57bf1 AS builder

 RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list

@@ -83,7 +83,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:22.3.0@sha256:5e4044ff6001d06e7748e35bfa4f80c73cf5f5a7360a1b782995e038a01b0585 AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:22.8.0@sha256:bd00c03095f7586432805dbf7989be10361d27987f93de904b1fc003949a4794 AS argocd-ui

 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]
@@ -101,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.22.4@sha256:c2010b9c2342431a24a2e64e33d9eb2e484af49e72c820e200d332d214d5e61f AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23.1@sha256:2fe82a3f3e006b4f2a316c6a21f62b66e1330ae211d039bb8d1128e12ed57bf1 AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

--- a/17
+++ b/17
@@ -192,6 +192,10 @@ endif
 .PHONY: all
 all: cli image

+.PHONY: mockgen
+mockgen:
+	./hack/generate-mock.sh
+
 .PHONY: gogen
 gogen:
 	export GO111MODULE=off
@@ -229,13 +233,16 @@ clientgen:
 clidocsgen:
 	go run tools/cmd-docs/main.go

+.PHONY: actionsdocsgen
+actionsdocsgen:
+	hack/generate-actions-list.sh

 .PHONY: codegen-local
-codegen-local: mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
+codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen manifests-local notification-docs notification-catalog
 	rm -rf vendor/

 .PHONY: codegen-local-fast
-codegen-local-fast: gogen protogen-fast clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
+codegen-local-fast: mockgen gogen protogen-fast clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog

 .PHONY: codegen
 codegen: test-tools-image
@@ -247,7 +254,7 @@ cli: test-tools-image

 .PHONY: cli-local
 cli-local: clean-debug
-	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build $(COVERAGE_FLAG) -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
+	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -gcflags="all=-N -l" $(COVERAGE_FLAG) -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd

 .PHONY: gen-resources-cli-local
 gen-resources-cli-local: clean-debug
@@ -546,7 +553,7 @@ build-docs-local:

 .PHONY: build-docs
 build-docs:
-	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'
+	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install mkdocs; pip install $$(mkdocs get-deps); mkdocs build'

 .PHONY: serve-docs-local
 serve-docs-local:
@@ -554,7 +561,7 @@ serve-docs-local:

 .PHONY: serve-docs
 serve-docs:
-	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs serve -a $$(ip route get 1 | awk '\''{print $$7}'\''):8000'
+	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install mkdocs; pip install $$(mkdocs get-deps); mkdocs serve -a $$(ip route get 1 | awk '\''{print $$7}'\''):8000'

 # Verify that kubectl can connect to your K8s cluster from Docker
 .PHONY: verify-kube-connect
--- a/1
+++ b/1
@@ -1,5 +1,6 @@
 owners:
 - alexmt
+- crenshaw-dev
 - jessesuen

 approvers:
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@
 [![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22)
 [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd/badge)](https://scorecard.dev/viewer/?uri=github.com/argoproj/argo-cd)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd?ref=badge_shield)

 **Social:**
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -3,9 +3,9 @@ header:
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
-  commit-hash: b71277c6beb949d0199d647a582bc25822b88838
+  commit-hash: fe606708859574b9b6102a505e260fac5d3fb14e
  project-url: https://github.com/argoproj/argo-cd
-  project-release: v2.9.0-rc3
+  project-release: v2.13.0
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
 project-lifecycle:
--- a/USERS.md
+++ b/USERS.md
@@ -11,6 +11,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [7shifts](https://www.7shifts.com/)
 1. [Adevinta](https://www.adevinta.com/)
 1. [Adfinis](https://adfinis.com)
+1. [Adobe](https://www.adobe.com/)
 1. [Adventure](https://jp.adventurekk.com/)
 1. [Adyen](https://www.adyen.com)
 1. [AirQo](https://airqo.net/)
@@ -29,6 +30,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Arctiq Inc.](https://www.arctiq.ca)
 2. [Arturia](https://www.arturia.com)
 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
+1. [Augury](https://www.augury.com/)
 1. [Autodesk](https://www.autodesk.com)
 1. [Axians ACSP](https://www.axians.fr)
 1. [Axual B.V.](https://axual.com)
@@ -39,13 +41,16 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Beez Innovation Labs](https://www.beezlabs.com/)
 1. [Bedag Informatik AG](https://www.bedag.ch/)
 1. [Beleza Na Web](https://www.belezanaweb.com.br/)
+1. [Believable Bots](https://believablebots.io)
 1. [BigPanda](https://bigpanda.io)
 1. [BioBox Analytics](https://biobox.io)
 1. [BMW Group](https://www.bmwgroup.com/)
 1. [Boozt](https://www.booztgroup.com/)
+1. [Bosch](https://www.bosch.com/)
 1. [Boticario](https://www.boticario.com.br/)
 1. [Broker Consulting, a.s.](https://www.bcas.cz/en/)
 1. [Bulder Bank](https://bulderbank.no)
+1. [Cabify](https://cabify.com/en)
 1. [CAM](https://cam-inc.co.jp)
 1. [Camptocamp](https://camptocamp.com)
 1. [Candis](https://www.candis.io)
@@ -62,12 +67,14 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Cisco ET&I](https://eti.cisco.com/)
 1. [Cloud Posse](https://www.cloudposse.com/)
 1. [Cloud Scale](https://cloudscaleinc.com/)
+1. [CloudScript](https://www.cloudscript.com.br/)
 1. [CloudGeometry](https://www.cloudgeometry.io/)
 1. [Cloudmate](https://cloudmt.co.kr/)
 1. [Cloudogu](https://cloudogu.com/)
 1. [Cobalt](https://www.cobalt.io/)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
+1. [Cognizant](https://www.cognizant.com/)
 1. [Commonbond](https://commonbond.co/)
 1. [Contlo](https://contlo.com/)
 1. [Coralogix](https://coralogix.com/)
@@ -109,9 +116,11 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Freshop, Inc](https://www.freshop.com/)
 1. [Future PLC](https://www.futureplc.com/)
 1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
+1. [G-Research](https://www.gresearch.com/teams/open-source-software/)
 1. [Garner](https://www.garnercorp.com)
 1. [Generali Deutschland AG](https://www.generali.de/)
 1. [Gepardec](https://gepardec.com/)
+1. [Getir](https://getir.com)
 1. [GetYourGuide](https://www.getyourguide.com/)
 1. [Gitpod](https://www.gitpod.io)
 1. [Gllue](https://gllue.com)
@@ -128,6 +137,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Groww](https://groww.in)
 1. [Grupo MasMovil](https://grupomasmovil.com/en/)
 1. [Handelsbanken](https://www.handelsbanken.se)
+1. [Hazelcast](https://hazelcast.com/)
 1. [Healy](https://www.healyworld.net)
 1. [Helio](https://helio.exchange)
 1. [Hetki](https://hetki.ai)
@@ -146,6 +156,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Index Exchange](https://www.indexexchange.com/)
 1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
+1. [Instruqt](https://www.instruqt.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Jellysmack](https://www.jellysmack.com)
 1. [Joblift](https://joblift.com/)
@@ -155,6 +166,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Karrot](https://www.daangn.com/)
 1. [KarrotPay](https://www.daangnpay.com/)
 1. [Kasa](https://kasa.co.kr/)
+1. [Kave Home](https://kavehome.com)
 1. [Keeeb](https://www.keeeb.com/)
 1. [KelkooGroup](https://www.kelkoogroup.com)
 1. [Keptn](https://keptn.sh)
@@ -167,6 +179,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Kurly](https://www.kurly.com/)
 1. [Kvist](https://kvistsolutions.com)
 1. [Kyriba](https://www.kyriba.com/)
+1. [LeFigaro](https://www.lefigaro.fr/)
+1. [Lely](https://www.lely.com/)
 1. [LexisNexis](https://www.lexisnexis.com/)
 1. [Lian Chu Securities](https://lczq.com)
 1. [Liatrio](https://www.liatrio.com)
@@ -196,12 +210,16 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Moengage](https://www.moengage.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
 1. [MOO Print](https://www.moo.com/)
+1. [Mozilla](https://www.mozilla.org)
 1. [MTN Group](https://www.mtn.com/)
+1. [Municipality of The Hague](https://www.denhaag.nl/)
+1. [My Job Glasses](https://myjobglasses.com)
 1. [Natura &Co](https://naturaeco.com/)
 1. [Nethopper](https://nethopper.io)
 1. [New Relic](https://newrelic.com/)
 1. [Nextbasket](https://nextbasket.com)
 1. [Nextdoor](https://nextdoor.com/)
+1. [Next Fit Sistemas](https://nextfit.com.br/)
 1. [Nikkei](https://www.nikkei.co.jp/nikkeiinfo/en/)
 1. [Nitro](https://gonitro.com)
 1. [NYCU, CS IT Center](https://it.cs.nycu.edu.tw)
@@ -213,6 +231,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [omegaUp](https://omegaUp.com)
 1. [Omni](https://omni.se/)
 1. [Oncourse Home Solutions](https://oncoursehome.com/)
+1. [Open Analytics](https://openanalytics.eu)
 1. [openEuler](https://openeuler.org)
 1. [openGauss](https://opengauss.org/)
 1. [OpenGov](https://opengov.com)
@@ -245,6 +264,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Previder BV](https://previder.nl)
+1. [Priceline](https://priceline.com)
 1. [Procore](https://www.procore.com)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)
@@ -260,6 +280,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Redpill Linpro](https://www.redpill-linpro.com/)
 1. [Reenigne Cloud](https://reenigne.ca)
 1. [reev.com](https://www.reev.com/)
+1. [Relex Solutions](https://www.relexsolutions.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rijkswaterstaat](https://www.rijkswaterstaat.nl/en)
 1. [Rise](https://www.risecard.eu/)
@@ -276,10 +297,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
 1. [SCRM Lidl International Hub](https://scrm.lidl)
 1. [SEEK](https://seek.com.au)
+1. [SEKAI](https://www.sekai.io/)
 1. [Semgrep](https://semgrep.com)
 1. [Shield](https://shield.com)
 1. [SI Analytics](https://si-analytics.ai)
+1. [Sidewalk Entertainment](https://sidewalkplay.com/)
 1. [Skit](https://skit.ai/)
+1. [Skribble](https://skribble.com) 
 1. [Skyscanner](https://www.skyscanner.net/)
 1. [Smart Pension](https://www.smartpension.co.uk/)
 1. [Smilee.io](https://smilee.io)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.12.0
+2.13.9
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"sort"
 	"strings"
 	"time"

@@ -31,11 +32,10 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
-	k8scache "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/retry"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -43,11 +43,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"

+	"github.com/argoproj/argo-cd/v2/applicationset/controllers/template"
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
+	"github.com/argoproj/argo-cd/v2/applicationset/metrics"
+	"github.com/argoproj/argo-cd/v2/applicationset/status"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/util/db"
-	"github.com/argoproj/argo-cd/v2/util/glob"

 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
@@ -88,7 +90,7 @@ type ApplicationSetReconciler struct {
 	SCMRootCAPath              string
 	GlobalPreservedAnnotations []string
 	GlobalPreservedLabels      []string
-	Cache                      cache.Cache
+	Metrics                    *metrics.ApplicationsetMetrics
 }

 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=get;list;watch;create;update;patch;delete
@@ -99,7 +101,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque

 	var applicationSetInfo argov1alpha1.ApplicationSet
 	parametersGenerated := false
-
+	startTime := time.Now()
 	if err := r.Get(ctx, req.NamespacedName, &applicationSetInfo); err != nil {
 		if client.IgnoreNotFound(err) != nil {
 			logCtx.WithError(err).Infof("unable to get ApplicationSet: '%v' ", err)
@@ -107,6 +109,10 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}

+	defer func() {
+		r.Metrics.ObserveReconcile(&applicationSetInfo, time.Since(startTime))
+	}()
+
 	// Do not attempt to further reconcile the ApplicationSet if it is being deleted.
 	if applicationSetInfo.ObjectMeta.DeletionTimestamp != nil {
 		appsetName := applicationSetInfo.ObjectMeta.Name
@@ -126,23 +132,28 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{}, nil
 	}

+	if err := r.migrateStatus(ctx, &applicationSetInfo); err != nil {
+		logCtx.Errorf("failed to migrate status subresource %v", err)
+		return ctrl.Result{}, err
+	}
+
 	// Log a warning if there are unrecognized generators
 	_ = utils.CheckInvalidGenerators(&applicationSetInfo)
 	// desiredApplications is the main list of all expected Applications from all generators in this appset.
-	desiredApplications, applicationSetReason, generatorsErr := r.generateApplications(logCtx, applicationSetInfo)
-	if generatorsErr != nil {
+	desiredApplications, applicationSetReason, err := template.GenerateApplications(logCtx, applicationSetInfo, r.Generators, r.Renderer, r.Client)
+	if err != nil {
+		logCtx.Errorf("unable to generate applications: %v", err)
 		_ = r.setApplicationSetStatusCondition(ctx,
 			&applicationSetInfo,
 			argov1alpha1.ApplicationSetCondition{
 				Type:    argov1alpha1.ApplicationSetConditionErrorOccurred,
-				Message: generatorsErr.Error(),
+				Message: err.Error(),
 				Reason:  string(applicationSetReason),
 				Status:  argov1alpha1.ApplicationSetConditionStatusTrue,
 			}, parametersGenerated,
 		)
-		if len(desiredApplications) < 1 {
-			return ctrl.Result{}, generatorsErr
-		}
+		// In order for the controller SDK to respect RequeueAfter, the error must be nil
+		return ctrl.Result{RequeueAfter: ReconcileRequeueOnValidationError}, nil
 	}

 	parametersGenerated = true
@@ -237,20 +248,8 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque

 	if r.EnableProgressiveSyncs {
 		// trigger appropriate application syncs if RollingSync strategy is enabled
-		if progressiveSyncsStrategyEnabled(&applicationSetInfo, "RollingSync") {
-			validApps, err = r.syncValidApplications(logCtx, &applicationSetInfo, appSyncMap, appMap, validApps)
-			if err != nil {
-				_ = r.setApplicationSetStatusCondition(ctx,
-					&applicationSetInfo,
-					argov1alpha1.ApplicationSetCondition{
-						Type:    argov1alpha1.ApplicationSetConditionErrorOccurred,
-						Message: err.Error(),
-						Reason:  argov1alpha1.ApplicationSetReasonSyncApplicationError,
-						Status:  argov1alpha1.ApplicationSetConditionStatusTrue,
-					}, parametersGenerated,
-				)
-				return ctrl.Result{}, err
-			}
+		if progressiveSyncsRollingSyncStrategyEnabled(&applicationSetInfo) {
+			validApps = r.syncValidApplications(logCtx, &applicationSetInfo, appSyncMap, appMap, validApps)
 		}
 	}

@@ -320,7 +319,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque

 	requeueAfter := r.getMinRequeueAfter(&applicationSetInfo)

-	if len(validateErrors) == 0 && generatorsErr == nil {
+	if len(validateErrors) == 0 {
 		if err := r.setApplicationSetStatusCondition(ctx,
 			&applicationSetInfo,
 			argov1alpha1.ApplicationSetCondition{
@@ -404,8 +403,21 @@ func (r *ApplicationSetReconciler) setApplicationSetStatusCondition(ctx context.
 	paramtersGeneratedCondition := getParametersGeneratedCondition(paramtersGenerated, condition.Message)
 	resourceUpToDateCondition := getResourceUpToDateCondition(errOccurred, condition.Message, condition.Reason)

+	evaluatedTypes := map[argov1alpha1.ApplicationSetConditionType]bool{
+		argov1alpha1.ApplicationSetConditionErrorOccurred:       true,
+		argov1alpha1.ApplicationSetConditionParametersGenerated: true,
+		argov1alpha1.ApplicationSetConditionResourcesUpToDate:   true,
+	}
 	newConditions := []argov1alpha1.ApplicationSetCondition{errOccurredCondition, paramtersGeneratedCondition, resourceUpToDateCondition}

+	if progressiveSyncsRollingSyncStrategyEnabled(applicationSet) {
+		evaluatedTypes[argov1alpha1.ApplicationSetConditionRolloutProgressing] = true
+
+		if condition.Type == argov1alpha1.ApplicationSetConditionRolloutProgressing {
+			newConditions = append(newConditions, condition)
+		}
+	}
+
 	needToUpdateConditions := false
 	for _, condition := range newConditions {
 		// do nothing if appset already has same condition
@@ -416,28 +428,32 @@ func (r *ApplicationSetReconciler) setApplicationSetStatusCondition(ctx context.
 			}
 		}
 	}
-	evaluatedTypes := map[argov1alpha1.ApplicationSetConditionType]bool{
-		argov1alpha1.ApplicationSetConditionErrorOccurred:       true,
-		argov1alpha1.ApplicationSetConditionParametersGenerated: true,
-		argov1alpha1.ApplicationSetConditionResourcesUpToDate:   true,
-	}

-	if needToUpdateConditions || len(applicationSet.Status.Conditions) < 3 {
+	if needToUpdateConditions || len(applicationSet.Status.Conditions) < len(newConditions) {
 		// fetch updated Application Set object before updating it
-		namespacedName := types.NamespacedName{Namespace: applicationSet.Namespace, Name: applicationSet.Name}
-		if err := r.Get(ctx, namespacedName, applicationSet); err != nil {
-			if client.IgnoreNotFound(err) != nil {
-				return nil
+		// DefaultRetry will retry 5 times with a backoff factor of 1, jitter of 0.1 and a duration of 10ms
+		err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			namespacedName := types.NamespacedName{Namespace: applicationSet.Namespace, Name: applicationSet.Name}
+			updatedAppset := &argov1alpha1.ApplicationSet{}
+			if err := r.Get(ctx, namespacedName, updatedAppset); err != nil {
+				if client.IgnoreNotFound(err) != nil {
+					return nil
+				}
+				return fmt.Errorf("error fetching updated application set: %w", err)
 			}
-			return fmt.Errorf("error fetching updated application set: %w", err)
-		}

-		applicationSet.Status.SetConditions(
-			newConditions, evaluatedTypes,
-		)
+			updatedAppset.Status.SetConditions(
+				newConditions, evaluatedTypes,
+			)

-		// Update the newly fetched object with new set of conditions
-		err := r.Client.Status().Update(ctx, applicationSet)
+			// Update the newly fetched object with new set of conditions
+			err := r.Client.Status().Update(ctx, updatedAppset)
+			if err != nil {
+				return err
+			}
+			updatedAppset.DeepCopyInto(applicationSet)
+			return nil
+		})
 		if err != nil && !apierr.IsNotFound(err) {
 			return fmt.Errorf("unable to set application set condition: %w", err)
 		}
@@ -495,94 +511,10 @@ func (r *ApplicationSetReconciler) getMinRequeueAfter(applicationSetInfo *argov1
 	return res
 }

-func getTempApplication(applicationSetTemplate argov1alpha1.ApplicationSetTemplate) *argov1alpha1.Application {
-	var tmplApplication argov1alpha1.Application
-	tmplApplication.Annotations = applicationSetTemplate.Annotations
-	tmplApplication.Labels = applicationSetTemplate.Labels
-	tmplApplication.Namespace = applicationSetTemplate.Namespace
-	tmplApplication.Name = applicationSetTemplate.Name
-	tmplApplication.Spec = applicationSetTemplate.Spec
-	tmplApplication.Finalizers = applicationSetTemplate.Finalizers
-
-	return &tmplApplication
-}
-
-func (r *ApplicationSetReconciler) generateApplications(logCtx *log.Entry, applicationSetInfo argov1alpha1.ApplicationSet) ([]argov1alpha1.Application, argov1alpha1.ApplicationSetReasonType, error) {
-	var res []argov1alpha1.Application
-
-	var firstError error
-	var applicationSetReason argov1alpha1.ApplicationSetReasonType
-
-	for _, requestedGenerator := range applicationSetInfo.Spec.Generators {
-		t, err := generators.Transform(requestedGenerator, r.Generators, applicationSetInfo.Spec.Template, &applicationSetInfo, map[string]interface{}{}, r.Client)
-		if err != nil {
-			logCtx.WithError(err).WithField("generator", requestedGenerator).
-				Error("error generating application from params")
-			if firstError == nil {
-				firstError = err
-				applicationSetReason = argov1alpha1.ApplicationSetReasonApplicationParamsGenerationError
-			}
-			continue
-		}
-
-		for _, a := range t {
-			tmplApplication := getTempApplication(a.Template)
-
-			for _, p := range a.Params {
-				app, err := r.Renderer.RenderTemplateParams(tmplApplication, applicationSetInfo.Spec.SyncPolicy, p, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
-				if err != nil {
-					logCtx.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
-						Error("error generating application from params")
-
-					if firstError == nil {
-						firstError = err
-						applicationSetReason = argov1alpha1.ApplicationSetReasonRenderTemplateParamsError
-					}
-					continue
-				}
-
-				if applicationSetInfo.Spec.TemplatePatch != nil {
-					patchedApplication, err := r.applyTemplatePatch(app, applicationSetInfo, p)
-					if err != nil {
-						log.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
-							Error("error generating application from params")
-
-						if firstError == nil {
-							firstError = err
-							applicationSetReason = argov1alpha1.ApplicationSetReasonRenderTemplateParamsError
-						}
-						continue
-					}
-
-					app = patchedApplication
-				}
-
-				res = append(res, *app)
-			}
-		}
-
-		logCtx.WithField("generator", requestedGenerator).Infof("generated %d applications", len(res))
-		logCtx.WithField("generator", requestedGenerator).Debugf("apps from generator: %+v", res)
-	}
-
-	return res, applicationSetReason, firstError
-}
-
-func (r *ApplicationSetReconciler) applyTemplatePatch(app *argov1alpha1.Application, applicationSetInfo argov1alpha1.ApplicationSet, params map[string]interface{}) (*argov1alpha1.Application, error) {
-	replacedTemplate, err := r.Renderer.Replace(*applicationSetInfo.Spec.TemplatePatch, params, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
-	if err != nil {
-		return nil, fmt.Errorf("error replacing values in templatePatch: %w", err)
-	}
-
-	return applyTemplatePatch(app, replacedTemplate)
-}
-
 func ignoreNotAllowedNamespaces(namespaces []string) predicate.Predicate {
-	return predicate.Funcs{
-		CreateFunc: func(e event.CreateEvent) bool {
-			return glob.MatchStringInList(namespaces, e.Object.GetNamespace(), false)
-		},
-	}
+	return predicate.NewPredicateFuncs(func(object client.Object) bool {
+		return utils.IsNamespaceAllowed(namespaces, object.GetNamespace())
+	})
 }

 func appControllerIndexer(rawObj client.Object) []string {
@@ -623,25 +555,6 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager, enableProg
 		Complete(r)
 }

-func (r *ApplicationSetReconciler) updateCache(ctx context.Context, obj client.Object, logger *log.Entry) {
-	informer, err := r.Cache.GetInformer(ctx, obj)
-	if err != nil {
-		logger.Errorf("failed to get informer: %v", err)
-		return
-	}
-	// The controller runtime abstract away informers creation
-	// so unfortunately could not find any other way to access informer store.
-	k8sInformer, ok := informer.(k8scache.SharedInformer)
-	if !ok {
-		logger.Error("informer is not a kubernetes informer")
-		return
-	}
-	if err := k8sInformer.GetStore().Update(obj); err != nil {
-		logger.Errorf("failed to update cache: %v", err)
-		return
-	}
-}
-
 // createOrUpdateInCluster will create / update application resources in the cluster.
 // - For new applications, it will call create
 // - For existing application, it will call update
@@ -650,10 +563,6 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 	var firstError error
 	// Creates or updates the application in appList
 	for _, generatedApp := range desiredApplications {
-		// The app's namespace must be the same as the AppSet's namespace to preserve the appsets-in-any-namespace
-		// security boundary.
-		generatedApp.Namespace = applicationSet.Namespace
-
 		appLog := logCtx.WithFields(log.Fields{"app": generatedApp.QualifiedName()})

 		// Normalize to avoid fighting with the application controller.
@@ -743,7 +652,6 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 			}
 			continue
 		}
-		r.updateCache(ctx, found, appLog)

 		if action != controllerutil.OperationResultNone {
 			// Don't pollute etcd with "unchanged Application" events
@@ -910,7 +818,6 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 			if err := r.Client.Patch(ctx, updated, patch); err != nil {
 				return fmt.Errorf("error updating finalizers: %w", err)
 			}
-			r.updateCache(ctx, updated, appLog)
 			// Application must have updated list of finalizers
 			updated.DeepCopyInto(app)

@@ -925,14 +832,14 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 func (r *ApplicationSetReconciler) removeOwnerReferencesOnDeleteAppSet(ctx context.Context, applicationSet argov1alpha1.ApplicationSet) error {
 	applications, err := r.getCurrentApplications(ctx, applicationSet)
 	if err != nil {
-		return err
+		return fmt.Errorf("error getting current applications for ApplicationSet: %w", err)
 	}

 	for _, app := range applications {
 		app.SetOwnerReferences([]metav1.OwnerReference{})
 		err := r.Client.Update(ctx, &app)
 		if err != nil {
-			return err
+			return fmt.Errorf("error updating application: %w", err)
 		}
 	}

@@ -940,12 +847,9 @@ func (r *ApplicationSetReconciler) removeOwnerReferencesOnDeleteAppSet(ctx conte
 }

 func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context, logCtx *log.Entry, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application, appMap map[string]argov1alpha1.Application) (map[string]bool, error) {
-	appDependencyList, appStepMap, err := r.buildAppDependencyList(logCtx, appset, desiredApplications)
-	if err != nil {
-		return nil, fmt.Errorf("failed to build app dependency list: %w", err)
-	}
+	appDependencyList, appStepMap := r.buildAppDependencyList(logCtx, appset, desiredApplications)

-	_, err = r.updateApplicationSetApplicationStatus(ctx, logCtx, &appset, applications, appStepMap)
+	_, err := r.updateApplicationSetApplicationStatus(ctx, logCtx, &appset, applications, appStepMap)
 	if err != nil {
 		return nil, fmt.Errorf("failed to update applicationset app status: %w", err)
 	}
@@ -955,34 +859,27 @@ func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context,
 		logCtx.Infof("step %v: %+v", i+1, step)
 	}

-	appSyncMap, err := r.buildAppSyncMap(ctx, appset, appDependencyList, appMap)
-	if err != nil {
-		return nil, fmt.Errorf("failed to build app sync map: %w", err)
-	}
-
+	appSyncMap := r.buildAppSyncMap(appset, appDependencyList, appMap)
 	logCtx.Infof("Application allowed to sync before maxUpdate?: %+v", appSyncMap)

-	_, err = r.updateApplicationSetApplicationStatusProgress(ctx, logCtx, &appset, appSyncMap, appStepMap, appMap)
+	_, err = r.updateApplicationSetApplicationStatusProgress(ctx, logCtx, &appset, appSyncMap, appStepMap)
 	if err != nil {
 		return nil, fmt.Errorf("failed to update applicationset application status progress: %w", err)
 	}

-	_, err = r.updateApplicationSetApplicationStatusConditions(ctx, &appset)
-	if err != nil {
-		return nil, fmt.Errorf("failed to update applicationset application status conditions: %w", err)
-	}
+	_ = r.updateApplicationSetApplicationStatusConditions(ctx, &appset)

 	return appSyncMap, nil
 }

 // this list tracks which Applications belong to each RollingUpdate step
-func (r *ApplicationSetReconciler) buildAppDependencyList(logCtx *log.Entry, applicationSet argov1alpha1.ApplicationSet, applications []argov1alpha1.Application) ([][]string, map[string]int, error) {
+func (r *ApplicationSetReconciler) buildAppDependencyList(logCtx *log.Entry, applicationSet argov1alpha1.ApplicationSet, applications []argov1alpha1.Application) ([][]string, map[string]int) {
 	if applicationSet.Spec.Strategy == nil || applicationSet.Spec.Strategy.Type == "" || applicationSet.Spec.Strategy.Type == "AllAtOnce" {
-		return [][]string{}, map[string]int{}, nil
+		return [][]string{}, map[string]int{}
 	}

 	steps := []argov1alpha1.ApplicationSetRolloutStep{}
-	if progressiveSyncsStrategyEnabled(&applicationSet, "RollingSync") {
+	if progressiveSyncsRollingSyncStrategyEnabled(&applicationSet) {
 		steps = applicationSet.Spec.Strategy.RollingSync.Steps
 	}

@@ -1023,7 +920,7 @@ func (r *ApplicationSetReconciler) buildAppDependencyList(logCtx *log.Entry, app
 		}
 	}

-	return appDependencyList, appStepMap, nil
+	return appDependencyList, appStepMap
 }

 func labelMatchedExpression(logCtx *log.Entry, val string, matchExpression argov1alpha1.ApplicationMatchExpression) bool {
@@ -1047,7 +944,7 @@ func labelMatchedExpression(logCtx *log.Entry, val string, matchExpression argov
 }

 // this map is used to determine which stage of Applications are ready to be updated in the reconciler loop
-func (r *ApplicationSetReconciler) buildAppSyncMap(ctx context.Context, applicationSet argov1alpha1.ApplicationSet, appDependencyList [][]string, appMap map[string]argov1alpha1.Application) (map[string]bool, error) {
+func (r *ApplicationSetReconciler) buildAppSyncMap(applicationSet argov1alpha1.ApplicationSet, appDependencyList [][]string, appMap map[string]argov1alpha1.Application) map[string]bool {
 	appSyncMap := map[string]bool{}
 	syncEnabled := true

@@ -1084,11 +981,11 @@ func (r *ApplicationSetReconciler) buildAppSyncMap(ctx context.Context, applicat
 		}
 	}

-	return appSyncMap, nil
+	return appSyncMap
 }

 func appSyncEnabledForNextStep(appset *argov1alpha1.ApplicationSet, app argov1alpha1.Application, appStatus argov1alpha1.ApplicationSetApplicationStatus) bool {
-	if progressiveSyncsStrategyEnabled(appset, "RollingSync") {
+	if progressiveSyncsRollingSyncStrategyEnabled(appset) {
 		// we still need to complete the current step if the Application is not yet Healthy or there are still pending Application changes
 		return isApplicationHealthy(app) && appStatus.Status == "Healthy"
 	}
@@ -1096,16 +993,8 @@ func appSyncEnabledForNextStep(appset *argov1alpha1.ApplicationSet, app argov1al
 	return true
 }

-func progressiveSyncsStrategyEnabled(appset *argov1alpha1.ApplicationSet, strategyType string) bool {
-	if appset.Spec.Strategy == nil || appset.Spec.Strategy.Type != strategyType {
-		return false
-	}
-
-	if strategyType == "RollingSync" && appset.Spec.Strategy.RollingSync == nil {
-		return false
-	}
-
-	return true
+func progressiveSyncsRollingSyncStrategyEnabled(appset *argov1alpha1.ApplicationSet) bool {
+	return appset.Spec.Strategy != nil && appset.Spec.Strategy.RollingSync != nil && appset.Spec.Strategy.Type == "RollingSync" && len(appset.Spec.Strategy.RollingSync.Steps) > 0
 }

 func isApplicationHealthy(app argov1alpha1.Application) bool {
@@ -1128,6 +1017,16 @@ func statusStrings(app argov1alpha1.Application) (string, string, string) {
 	return healthStatusString, syncStatusString, operationPhaseString
 }

+func getAppStep(appName string, appStepMap map[string]int) int {
+	// if an application is not selected by any match expression, it defaults to step -1
+	step := -1
+	if appStep, ok := appStepMap[appName]; ok {
+		// 1-based indexing
+		step = appStep + 1
+	}
+	return step
+}
+
 // check the status of each Application's status and promote Applications to the next status if needed
 func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
 	now := metav1.Now()
@@ -1147,16 +1046,23 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 				LastTransitionTime: &now,
 				Message:            "No Application status found, defaulting status to Waiting.",
 				Status:             "Waiting",
-				Step:               fmt.Sprint(appStepMap[app.Name] + 1),
+				Step:               fmt.Sprint(getAppStep(app.Name, appStepMap)),
 				TargetRevisions:    app.Status.GetRevisions(),
 			}
 		} else {
 			// we have an existing AppStatus
 			currentAppStatus = applicationSet.Status.ApplicationStatus[idx]
+
+			// upgrade any existing AppStatus that might have been set by an older argo-cd version
+			// note: currentAppStatus.TargetRevisions may be set to empty list earlier during migrations,
+			// to prevent other usage of r.Client.Status().Update to fail before reaching here.
+			if len(currentAppStatus.TargetRevisions) == 0 {
+				currentAppStatus.TargetRevisions = app.Status.GetRevisions()
+			}
 		}

 		appOutdated := false
-		if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
+		if progressiveSyncsRollingSyncStrategyEnabled(applicationSet) {
 			appOutdated = syncStatusString == "OutOfSync"
 		}

@@ -1165,7 +1071,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 			currentAppStatus.LastTransitionTime = &now
 			currentAppStatus.Status = "Waiting"
 			currentAppStatus.Message = "Application has pending changes, setting status to Waiting."
-			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+			currentAppStatus.Step = fmt.Sprint(getAppStep(currentAppStatus.Application, appStepMap))
 			currentAppStatus.TargetRevisions = app.Status.GetRevisions()
 		}

@@ -1183,14 +1089,14 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 					currentAppStatus.LastTransitionTime = &now
 					currentAppStatus.Status = "Progressing"
 					currentAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing."
-					currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+					currentAppStatus.Step = fmt.Sprint(getAppStep(currentAppStatus.Application, appStepMap))
 				}
 			} else if operationPhaseString == "Running" || healthStatusString == "Progressing" {
 				logCtx.Infof("Application %v has entered Progressing status, updating its ApplicationSet status to Progressing", app.Name)
 				currentAppStatus.LastTransitionTime = &now
 				currentAppStatus.Status = "Progressing"
 				currentAppStatus.Message = "Application resource became Progressing, updating status from Pending to Progressing."
-				currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+				currentAppStatus.Step = fmt.Sprint(getAppStep(currentAppStatus.Application, appStepMap))
 			}
 		}

@@ -1199,7 +1105,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 			currentAppStatus.LastTransitionTime = &now
 			currentAppStatus.Status = healthStatusString
 			currentAppStatus.Message = "Application resource is already Healthy, updating status from Waiting to Healthy."
-			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+			currentAppStatus.Step = fmt.Sprint(getAppStep(currentAppStatus.Application, appStepMap))
 		}

 		if currentAppStatus.Status == "Progressing" && isApplicationHealthy(app) {
@@ -1207,7 +1113,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 			currentAppStatus.LastTransitionTime = &now
 			currentAppStatus.Status = healthStatusString
 			currentAppStatus.Message = "Application resource became Healthy, updating status from Progressing to Healthy."
-			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+			currentAppStatus.Step = fmt.Sprint(getAppStep(currentAppStatus.Application, appStepMap))
 		}

 		appStatuses = append(appStatuses, currentAppStatus)
@@ -1222,20 +1128,18 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 }

 // check Applications that are in Waiting status and promote them to Pending if needed
-func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, appSyncMap map[string]bool, appStepMap map[string]int, appMap map[string]argov1alpha1.Application) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, appSyncMap map[string]bool, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
 	now := metav1.Now()

 	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applicationSet.Status.ApplicationStatus))

 	// if we have no RollingUpdate steps, clear out the existing ApplicationStatus entries
-	if applicationSet.Spec.Strategy != nil && applicationSet.Spec.Strategy.Type != "" && applicationSet.Spec.Strategy.Type != "AllAtOnce" {
+	if progressiveSyncsRollingSyncStrategyEnabled(applicationSet) {
 		updateCountMap := []int{}
 		totalCountMap := []int{}

-		length := 0
-		if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
-			length = len(applicationSet.Spec.Strategy.RollingSync.Steps)
-		}
+		length := len(applicationSet.Spec.Strategy.RollingSync.Steps)
+
 		for s := 0; s < length; s++ {
 			updateCountMap = append(updateCountMap, 0)
 			totalCountMap = append(totalCountMap, 0)
@@ -1245,17 +1149,15 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 		for _, appStatus := range applicationSet.Status.ApplicationStatus {
 			totalCountMap[appStepMap[appStatus.Application]] += 1

-			if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
-				if appStatus.Status == "Pending" || appStatus.Status == "Progressing" {
-					updateCountMap[appStepMap[appStatus.Application]] += 1
-				}
+			if appStatus.Status == "Pending" || appStatus.Status == "Progressing" {
+				updateCountMap[appStepMap[appStatus.Application]] += 1
 			}
 		}

 		for _, appStatus := range applicationSet.Status.ApplicationStatus {
 			maxUpdateAllowed := true
 			maxUpdate := &intstr.IntOrString{}
-			if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
+			if progressiveSyncsRollingSyncStrategyEnabled(applicationSet) {
 				maxUpdate = applicationSet.Spec.Strategy.RollingSync.Steps[appStepMap[appStatus.Application]].MaxUpdate
 			}

@@ -1273,7 +1175,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress

 				if updateCountMap[appStepMap[appStatus.Application]] >= maxUpdateVal {
 					maxUpdateAllowed = false
-					logCtx.Infof("Application %v is not allowed to update yet, %v/%v Applications already updating in step %v in AppSet %v", appStatus.Application, updateCountMap[appStepMap[appStatus.Application]], maxUpdateVal, appStepMap[appStatus.Application]+1, applicationSet.Name)
+					logCtx.Infof("Application %v is not allowed to update yet, %v/%v Applications already updating in step %v in AppSet %v", appStatus.Application, updateCountMap[appStepMap[appStatus.Application]], maxUpdateVal, getAppStep(appStatus.Application, appStepMap), applicationSet.Name)
 				}
 			}

@@ -1282,7 +1184,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 				appStatus.LastTransitionTime = &now
 				appStatus.Status = "Pending"
 				appStatus.Message = "Application moved to Pending status, watching for the Application resource to start Progressing."
-				appStatus.Step = fmt.Sprint(appStepMap[appStatus.Application] + 1)
+				appStatus.Step = fmt.Sprint(getAppStep(appStatus.Application, appStepMap))

 				updateCountMap[appStepMap[appStatus.Application]] += 1
 			}
@@ -1299,7 +1201,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 	return appStatuses, nil
 }

-func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusConditions(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet) ([]argov1alpha1.ApplicationSetCondition, error) {
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusConditions(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet) []argov1alpha1.ApplicationSetCondition {
 	appSetProgressing := false
 	for _, appStatus := range applicationSet.Status.ApplicationStatus {
 		if appStatus.Status != "Healthy" {
@@ -1324,7 +1226,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusConditio
 				Message: "ApplicationSet Rollout Rollout started",
 				Reason:  argov1alpha1.ApplicationSetReasonApplicationSetModified,
 				Status:  argov1alpha1.ApplicationSetConditionStatusTrue,
-			}, false,
+			}, true,
 		)
 	} else if !appSetProgressing && appSetConditionProgressing {
 		_ = r.setApplicationSetStatusCondition(ctx,
@@ -1334,11 +1236,11 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusConditio
 				Message: "ApplicationSet Rollout Rollout complete",
 				Reason:  argov1alpha1.ApplicationSetReasonApplicationSetRolloutComplete,
 				Status:  argov1alpha1.ApplicationSetConditionStatusFalse,
-			}, false,
+			}, true,
 		)
 	}

-	return applicationSet.Status.Conditions, nil
+	return applicationSet.Status.Conditions
 }

 func findApplicationStatusIndex(appStatuses []argov1alpha1.ApplicationSetApplicationStatus, application string) int {
@@ -1350,86 +1252,89 @@ func findApplicationStatusIndex(appStatuses []argov1alpha1.ApplicationSetApplica
 	return -1
 }

+// migrateStatus run migrations on the status subresource of ApplicationSet early during the run of ApplicationSetReconciler.Reconcile
+// this handles any defaulting of values - which would otherwise cause the references to r.Client.Status().Update to fail given missing required fields.
+func (r *ApplicationSetReconciler) migrateStatus(ctx context.Context, appset *argov1alpha1.ApplicationSet) error {
+	update := false
+	if statusList := appset.Status.ApplicationStatus; statusList != nil {
+		for idx := range statusList {
+			if statusList[idx].TargetRevisions == nil {
+				statusList[idx].TargetRevisions = []string{}
+				update = true
+			}
+		}
+	}
+
+	if update {
+		// DefaultRetry will retry 5 times with a backoff factor of 1, jitter of 0.1 and a duration of 10ms
+		err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			namespacedName := types.NamespacedName{Namespace: appset.Namespace, Name: appset.Name}
+			updatedAppset := &argov1alpha1.ApplicationSet{}
+			if err := r.Get(ctx, namespacedName, updatedAppset); err != nil {
+				if client.IgnoreNotFound(err) != nil {
+					return nil
+				}
+				return fmt.Errorf("error fetching updated application set: %w", err)
+			}
+
+			updatedAppset.Status.ApplicationStatus = appset.Status.ApplicationStatus
+
+			// Update the newly fetched object with new set of ApplicationStatus
+			err := r.Client.Status().Update(ctx, updatedAppset)
+			if err != nil {
+				return err
+			}
+			updatedAppset.DeepCopyInto(appset)
+			return nil
+		})
+		if err != nil && !apierr.IsNotFound(err) {
+			return fmt.Errorf("unable to set application set condition: %w", err)
+		}
+	}
+	return nil
+}
+
 func (r *ApplicationSetReconciler) updateResourcesStatus(ctx context.Context, logCtx *log.Entry, appset *argov1alpha1.ApplicationSet, apps []argov1alpha1.Application) error {
-	statusMap := getResourceStatusMap(appset)
-	statusMap = buildResourceStatus(statusMap, apps)
+	statusMap := status.GetResourceStatusMap(appset)
+	statusMap = status.BuildResourceStatus(statusMap, apps)

 	statuses := []argov1alpha1.ResourceStatus{}
 	for _, status := range statusMap {
 		statuses = append(statuses, status)
 	}
+	sort.Slice(statuses, func(i, j int) bool {
+		return statuses[i].Name < statuses[j].Name
+	})
 	appset.Status.Resources = statuses
+	// DefaultRetry will retry 5 times with a backoff factor of 1, jitter of 0.1 and a duration of 10ms
+	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		namespacedName := types.NamespacedName{Namespace: appset.Namespace, Name: appset.Name}
+		updatedAppset := &argov1alpha1.ApplicationSet{}
+		if err := r.Get(ctx, namespacedName, updatedAppset); err != nil {
+			if client.IgnoreNotFound(err) != nil {
+				return nil
+			}
+			return fmt.Errorf("error fetching updated application set: %w", err)
+		}

-	namespacedName := types.NamespacedName{Namespace: appset.Namespace, Name: appset.Name}
-	err := r.Client.Status().Update(ctx, appset)
+		updatedAppset.Status.Resources = appset.Status.Resources
+
+		// Update the newly fetched object with new status resources
+		err := r.Client.Status().Update(ctx, updatedAppset)
+		if err != nil {
+			return err
+		}
+		updatedAppset.DeepCopyInto(appset)
+		return nil
+	})
 	if err != nil {
 		logCtx.Errorf("unable to set application set status: %v", err)
 		return fmt.Errorf("unable to set application set status: %w", err)
 	}
-
-	if err := r.Get(ctx, namespacedName, appset); err != nil {
-		if client.IgnoreNotFound(err) != nil {
-			return nil
-		}
-		return fmt.Errorf("error fetching updated application set: %w", err)
-	}
-
 	return nil
 }

-func buildResourceStatus(statusMap map[string]argov1alpha1.ResourceStatus, apps []argov1alpha1.Application) map[string]argov1alpha1.ResourceStatus {
-	appMap := map[string]argov1alpha1.Application{}
-	for _, app := range apps {
-		appCopy := app
-		appMap[app.Name] = app
-
-		gvk := app.GroupVersionKind()
-		// Create status if it does not exist
-		status, ok := statusMap[app.Name]
-		if !ok {
-			status = argov1alpha1.ResourceStatus{
-				Group:     gvk.Group,
-				Version:   gvk.Version,
-				Kind:      gvk.Kind,
-				Name:      app.Name,
-				Namespace: app.Namespace,
-				Status:    app.Status.Sync.Status,
-				Health:    &appCopy.Status.Health,
-			}
-		}
-
-		status.Group = gvk.Group
-		status.Version = gvk.Version
-		status.Kind = gvk.Kind
-		status.Name = app.Name
-		status.Namespace = app.Namespace
-		status.Status = app.Status.Sync.Status
-		status.Health = &appCopy.Status.Health
-
-		statusMap[app.Name] = status
-	}
-	cleanupDeletedApplicationStatuses(statusMap, appMap)
-
-	return statusMap
-}
-
-func getResourceStatusMap(appset *argov1alpha1.ApplicationSet) map[string]argov1alpha1.ResourceStatus {
-	statusMap := map[string]argov1alpha1.ResourceStatus{}
-	for _, status := range appset.Status.Resources {
-		statusMap[status.Name] = status
-	}
-	return statusMap
-}
-
-func cleanupDeletedApplicationStatuses(statusMap map[string]argov1alpha1.ResourceStatus, apps map[string]argov1alpha1.Application) {
-	for name := range statusMap {
-		if _, ok := apps[name]; !ok {
-			delete(statusMap, name)
-		}
-	}
-}
-
-// setApplicationSetApplicationStatus updates the ApplicationSet's status field
+// setAppSetApplicationStatus updates the ApplicationSet's status field
 // with any new/changed Application statuses.
 func (r *ApplicationSetReconciler) setAppSetApplicationStatus(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, applicationStatuses []argov1alpha1.ApplicationSetApplicationStatus) error {
 	needToUpdateStatus := false
@@ -1460,26 +1365,36 @@ func (r *ApplicationSetReconciler) setAppSetApplicationStatus(ctx context.Contex
 		for i := range applicationStatuses {
 			applicationSet.Status.SetApplicationStatus(applicationStatuses[i])
 		}
+		// DefaultRetry will retry 5 times with a backoff factor of 1, jitter of 0.1 and a duration of 10ms
+		err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			updatedAppset := &argov1alpha1.ApplicationSet{}
+			if err := r.Get(ctx, namespacedName, updatedAppset); err != nil {
+				if client.IgnoreNotFound(err) != nil {
+					return nil
+				}
+				return fmt.Errorf("error fetching updated application set: %w", err)
+			}

-		// Update the newly fetched object with new set of ApplicationStatus
-		err := r.Client.Status().Update(ctx, applicationSet)
+			updatedAppset.Status.ApplicationStatus = applicationSet.Status.ApplicationStatus
+
+			// Update the newly fetched object with new set of ApplicationStatus
+			err := r.Client.Status().Update(ctx, updatedAppset)
+			if err != nil {
+				return err
+			}
+			updatedAppset.DeepCopyInto(applicationSet)
+			return nil
+		})
 		if err != nil {
 			logCtx.Errorf("unable to set application set status: %v", err)
 			return fmt.Errorf("unable to set application set status: %w", err)
 		}
-
-		if err := r.Get(ctx, namespacedName, applicationSet); err != nil {
-			if client.IgnoreNotFound(err) != nil {
-				return nil
-			}
-			return fmt.Errorf("error fetching updated application set: %w", err)
-		}
 	}

 	return nil
 }

-func (r *ApplicationSetReconciler) syncValidApplications(logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, appSyncMap map[string]bool, appMap map[string]argov1alpha1.Application, validApps []argov1alpha1.Application) ([]argov1alpha1.Application, error) {
+func (r *ApplicationSetReconciler) syncValidApplications(logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, appSyncMap map[string]bool, appMap map[string]argov1alpha1.Application, validApps []argov1alpha1.Application) []argov1alpha1.Application {
 	rolloutApps := []argov1alpha1.Application{}
 	for i := range validApps {
 		pruneEnabled := false
@@ -1500,15 +1415,15 @@ func (r *ApplicationSetReconciler) syncValidApplications(logCtx *log.Entry, appl
 		// check appSyncMap to determine which Applications are ready to be updated and which should be skipped
 		if appSyncMap[validApps[i].Name] && appMap[validApps[i].Name].Status.Sync.Status == "OutOfSync" && appSetStatusPending {
 			logCtx.Infof("triggering sync for application: %v, prune enabled: %v", validApps[i].Name, pruneEnabled)
-			validApps[i], _ = syncApplication(validApps[i], pruneEnabled)
+			validApps[i] = syncApplication(validApps[i], pruneEnabled)
 		}
 		rolloutApps = append(rolloutApps, validApps[i])
 	}
-	return rolloutApps, nil
+	return rolloutApps
 }

 // used by the RollingSync Progressive Sync strategy to trigger a sync of a particular Application resource
-func syncApplication(application argov1alpha1.Application, prune bool) (argov1alpha1.Application, error) {
+func syncApplication(application argov1alpha1.Application, prune bool) argov1alpha1.Application {
 	operation := argov1alpha1.Operation{
 		InitiatedBy: argov1alpha1.OperationInitiator{
 			Username:  "applicationset-controller",
@@ -1534,7 +1449,7 @@ func syncApplication(application argov1alpha1.Application, prune bool) (argov1al
 	}
 	application.Operation = &operation

-	return application, nil
+	return application
 }

 func getOwnsHandlerPredicates(enableProgressiveSyncs bool) predicate.Funcs {
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/clustereventhandler.go
+++ b/applicationset/controllers/clustereventhandler.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"

+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
 	log "github.com/sirupsen/logrus"

 	"k8s.io/apimachinery/pkg/types"
@@ -24,29 +26,29 @@ type clusterSecretEventHandler struct {
 	Client client.Client
 }

-func (h *clusterSecretEventHandler) Create(ctx context.Context, e event.CreateEvent, q workqueue.RateLimitingInterface) {
+func (h *clusterSecretEventHandler) Create(ctx context.Context, e event.CreateEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

-func (h *clusterSecretEventHandler) Update(ctx context.Context, e event.UpdateEvent, q workqueue.RateLimitingInterface) {
+func (h *clusterSecretEventHandler) Update(ctx context.Context, e event.UpdateEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	h.queueRelatedAppGenerators(ctx, q, e.ObjectNew)
 }

-func (h *clusterSecretEventHandler) Delete(ctx context.Context, e event.DeleteEvent, q workqueue.RateLimitingInterface) {
+func (h *clusterSecretEventHandler) Delete(ctx context.Context, e event.DeleteEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

-func (h *clusterSecretEventHandler) Generic(ctx context.Context, e event.GenericEvent, q workqueue.RateLimitingInterface) {
+func (h *clusterSecretEventHandler) Generic(ctx context.Context, e event.GenericEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

 // addRateLimitingInterface defines the Add method of workqueue.RateLimitingInterface, allow us to easily mock
 // it for testing purposes.
-type addRateLimitingInterface interface {
-	Add(item interface{})
+type addRateLimitingInterface[T comparable] interface {
+	Add(item T)
 }

-func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Context, q addRateLimitingInterface, object client.Object) {
+func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Context, q addRateLimitingInterface[reconcile.Request], object client.Object) {
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
 	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
 		return
--- a/applicationset/controllers/clustereventhandler_test.go
+++ b/applicationset/controllers/clustereventhandler_test.go
@@ -551,24 +551,18 @@ func TestClusterEventHandler(t *testing.T) {

 			handler.queueRelatedAppGenerators(context.Background(), &mockAddRateLimitingInterface, &test.secret)

-			assert.False(t, mockAddRateLimitingInterface.errorOccurred)
 			assert.ElementsMatch(t, mockAddRateLimitingInterface.addedItems, test.expectedRequests)
 		})
 	}
 }

 // Add checks the type, and adds it to the internal list of received additions
-func (obj *mockAddRateLimitingInterface) Add(item interface{}) {
-	if req, ok := item.(ctrl.Request); ok {
-		obj.addedItems = append(obj.addedItems, req)
-	} else {
-		obj.errorOccurred = true
-	}
+func (obj *mockAddRateLimitingInterface) Add(item reconcile.Request) {
+	obj.addedItems = append(obj.addedItems, item)
 }

 type mockAddRateLimitingInterface struct {
-	errorOccurred bool
-	addedItems    []ctrl.Request
+	addedItems []reconcile.Request
 }

 func TestNestedGeneratorHasClusterGenerator_NestedClusterGenerator(t *testing.T) {
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@@ -17,6 +17,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
+	appsetmetrics "github.com/argoproj/argo-cd/v2/applicationset/metrics"
 	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
@@ -56,14 +57,14 @@ func TestRequeueAfter(t *testing.T) {
 		},
 	}
 	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
-
+	scmConfig := generators.NewSCMConfig("", []string{""}, true, nil)
 	terminalGenerators := map[string]generators.Generator{
 		"List":                    generators.NewListGenerator(),
 		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
-		"Git":                     generators.NewGitGenerator(mockServer),
-		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}, "", []string{""}, true),
+		"Git":                     generators.NewGitGenerator(mockServer, "namespace"),
+		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), scmConfig),
 		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
-		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}, "", []string{""}, true),
+		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, scmConfig),
 	}

 	nestedGenerators := map[string]generators.Generator{
@@ -89,11 +90,13 @@ func TestRequeueAfter(t *testing.T) {
 	}

 	client := fake.NewClientBuilder().WithScheme(scheme).Build()
+	metrics := appsetmetrics.NewFakeAppsetMetrics(client)
 	r := ApplicationSetReconciler{
 		Client:     client,
 		Scheme:     scheme,
 		Recorder:   record.NewFakeRecorder(0),
 		Generators: topLevelGenerators,
+		Metrics:    metrics,
 	}

 	type args struct {
--- a/applicationset/controllers/template/patch.go
+++ b/applicationset/controllers/template/patch.go
@@ -1,4 +1,4 @@
-package controllers
+package template

 import (
 	"encoding/json"
--- a/applicationset/controllers/template/patch_test.go
+++ b/applicationset/controllers/template/patch_test.go
@@ -1,4 +1,4 @@
-package controllers
+package template

 import (
 	"testing"
--- a/applicationset/controllers/template/template.go
+++ b/applicationset/controllers/template/template.go
@@ -0,0 +1,99 @@
+package template
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/generators"
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+
+	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func GenerateApplications(logCtx *log.Entry, applicationSetInfo argov1alpha1.ApplicationSet, g map[string]generators.Generator, renderer utils.Renderer, client client.Client) ([]argov1alpha1.Application, argov1alpha1.ApplicationSetReasonType, error) {
+	var res []argov1alpha1.Application
+
+	var firstError error
+	var applicationSetReason argov1alpha1.ApplicationSetReasonType
+
+	for _, requestedGenerator := range applicationSetInfo.Spec.Generators {
+		t, err := generators.Transform(requestedGenerator, g, applicationSetInfo.Spec.Template, &applicationSetInfo, map[string]interface{}{}, client)
+		if err != nil {
+			logCtx.WithError(err).WithField("generator", requestedGenerator).
+				Error("error generating application from params")
+			if firstError == nil {
+				firstError = err
+				applicationSetReason = argov1alpha1.ApplicationSetReasonApplicationParamsGenerationError
+			}
+			continue
+		}
+
+		for _, a := range t {
+			tmplApplication := GetTempApplication(a.Template)
+
+			for _, p := range a.Params {
+				app, err := renderer.RenderTemplateParams(tmplApplication, applicationSetInfo.Spec.SyncPolicy, p, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
+				if err != nil {
+					logCtx.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
+						Error("error generating application from params")
+
+					if firstError == nil {
+						firstError = err
+						applicationSetReason = argov1alpha1.ApplicationSetReasonRenderTemplateParamsError
+					}
+					continue
+				}
+
+				if applicationSetInfo.Spec.TemplatePatch != nil {
+					patchedApplication, err := renderTemplatePatch(renderer, app, applicationSetInfo, p)
+					if err != nil {
+						log.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
+							Error("error generating application from params")
+
+						if firstError == nil {
+							firstError = err
+							applicationSetReason = argov1alpha1.ApplicationSetReasonRenderTemplateParamsError
+						}
+						continue
+					}
+
+					app = patchedApplication
+				}
+
+				// The app's namespace must be the same as the AppSet's namespace to preserve the appsets-in-any-namespace
+				// security boundary.
+				app.Namespace = applicationSetInfo.Namespace
+				res = append(res, *app)
+			}
+		}
+
+		logCtx.WithField("generator", requestedGenerator).Infof("generated %d applications", len(res))
+		logCtx.WithField("generator", requestedGenerator).Debugf("apps from generator: %+v", res)
+	}
+
+	return res, applicationSetReason, firstError
+}
+
+func renderTemplatePatch(r utils.Renderer, app *argov1alpha1.Application, applicationSetInfo argov1alpha1.ApplicationSet, params map[string]interface{}) (*argov1alpha1.Application, error) {
+	replacedTemplate, err := r.Replace(*applicationSetInfo.Spec.TemplatePatch, params, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
+	if err != nil {
+		return nil, fmt.Errorf("error replacing values in templatePatch: %w", err)
+	}
+
+	return applyTemplatePatch(app, replacedTemplate)
+}
+
+func GetTempApplication(applicationSetTemplate argov1alpha1.ApplicationSetTemplate) *argov1alpha1.Application {
+	var tmplApplication argov1alpha1.Application
+	tmplApplication.Annotations = applicationSetTemplate.Annotations
+	tmplApplication.Labels = applicationSetTemplate.Labels
+	tmplApplication.Namespace = applicationSetTemplate.Namespace
+	tmplApplication.Name = applicationSetTemplate.Name
+	tmplApplication.Spec = applicationSetTemplate.Spec
+	tmplApplication.Finalizers = applicationSetTemplate.Finalizers
+
+	return &tmplApplication
+}
--- a/applicationset/controllers/template/template_test.go
+++ b/applicationset/controllers/template/template_test.go
@@ -0,0 +1,350 @@
+package template
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/generators"
+	genmock "github.com/argoproj/argo-cd/v2/applicationset/generators/mocks"
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+	rendmock "github.com/argoproj/argo-cd/v2/applicationset/utils/mocks"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/collections"
+)
+
+func TestGenerateApplications(t *testing.T) {
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+
+	err = v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+
+	for _, c := range []struct {
+		name                string
+		params              []map[string]interface{}
+		template            v1alpha1.ApplicationSetTemplate
+		generateParamsError error
+		rendererError       error
+		expectErr           bool
+		expectedReason      v1alpha1.ApplicationSetReasonType
+	}{
+		{
+			name:   "Generate two applications",
+			params: []map[string]interface{}{{"name": "app1"}, {"name": "app2"}},
+			template: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:      "name",
+					Namespace: "namespace",
+					Labels:    map[string]string{"label_name": "label_value"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			expectedReason: "",
+		},
+		{
+			name:                "Handles error from the generator",
+			generateParamsError: fmt.Errorf("error"),
+			expectErr:           true,
+			expectedReason:      v1alpha1.ApplicationSetReasonApplicationParamsGenerationError,
+		},
+		{
+			name:   "Handles error from the render",
+			params: []map[string]interface{}{{"name": "app1"}, {"name": "app2"}},
+			template: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:      "name",
+					Namespace: "namespace",
+					Labels:    map[string]string{"label_name": "label_value"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			rendererError:  fmt.Errorf("error"),
+			expectErr:      true,
+			expectedReason: v1alpha1.ApplicationSetReasonRenderTemplateParamsError,
+		},
+	} {
+		cc := c
+		app := v1alpha1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test",
+				Namespace: "namespace",
+			},
+			TypeMeta: metav1.TypeMeta{
+				Kind:       application.ApplicationKind,
+				APIVersion: "argoproj.io/v1alpha1",
+			},
+		}
+
+		t.Run(cc.name, func(t *testing.T) {
+			generatorMock := genmock.Generator{}
+			generator := v1alpha1.ApplicationSetGenerator{
+				List: &v1alpha1.ListGenerator{},
+			}
+
+			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+				Return(cc.params, cc.generateParamsError)
+
+			generatorMock.On("GetTemplate", &generator).
+				Return(&v1alpha1.ApplicationSetTemplate{})
+
+			rendererMock := rendmock.Renderer{}
+
+			var expectedApps []v1alpha1.Application
+
+			if cc.generateParamsError == nil {
+				for _, p := range cc.params {
+					if cc.rendererError != nil {
+						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+							Return(nil, cc.rendererError)
+					} else {
+						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+							Return(&app, nil)
+						expectedApps = append(expectedApps, app)
+					}
+				}
+			}
+
+			generators := map[string]generators.Generator{
+				"List": &generatorMock,
+			}
+			renderer := &rendererMock
+
+			got, reason, err := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "namespace",
+				},
+				Spec: v1alpha1.ApplicationSetSpec{
+					Generators: []v1alpha1.ApplicationSetGenerator{generator},
+					Template:   cc.template,
+				},
+			},
+				generators,
+				renderer,
+				nil,
+			)
+
+			if cc.expectErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			assert.Equal(t, expectedApps, got)
+			assert.Equal(t, cc.expectedReason, reason)
+			generatorMock.AssertNumberOfCalls(t, "GenerateParams", 1)
+
+			if cc.generateParamsError == nil {
+				rendererMock.AssertNumberOfCalls(t, "RenderTemplateParams", len(cc.params))
+			}
+		})
+	}
+}
+
+func TestMergeTemplateApplications(t *testing.T) {
+	for _, c := range []struct {
+		name             string
+		params           []map[string]interface{}
+		template         v1alpha1.ApplicationSetTemplate
+		overrideTemplate v1alpha1.ApplicationSetTemplate
+		expectedMerged   v1alpha1.ApplicationSetTemplate
+		expectedApps     []v1alpha1.Application
+	}{
+		{
+			name:   "Generate app",
+			params: []map[string]interface{}{{"name": "app1"}},
+			template: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:      "name",
+					Namespace: "namespace",
+					Labels:    map[string]string{"label_name": "label_value"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			overrideTemplate: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:   "test",
+					Labels: map[string]string{"foo": "bar"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			expectedMerged: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name:      "test",
+					Namespace: "namespace",
+					Labels:    map[string]string{"label_name": "label_value", "foo": "bar"},
+				},
+				Spec: v1alpha1.ApplicationSpec{},
+			},
+			expectedApps: []v1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "test",
+						Namespace: "test",
+						Labels:    map[string]string{"foo": "bar"},
+					},
+					Spec: v1alpha1.ApplicationSpec{},
+				},
+			},
+		},
+	} {
+		cc := c
+
+		t.Run(cc.name, func(t *testing.T) {
+			generatorMock := genmock.Generator{}
+			generator := v1alpha1.ApplicationSetGenerator{
+				List: &v1alpha1.ListGenerator{},
+			}
+
+			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+				Return(cc.params, nil)
+
+			generatorMock.On("GetTemplate", &generator).
+				Return(&cc.overrideTemplate)
+
+			rendererMock := rendmock.Renderer{}
+
+			rendererMock.On("RenderTemplateParams", GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
+				Return(&cc.expectedApps[0], nil)
+
+			generators := map[string]generators.Generator{
+				"List": &generatorMock,
+			}
+			renderer := &rendererMock
+
+			got, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "namespace",
+				},
+				Spec: v1alpha1.ApplicationSetSpec{
+					Generators: []v1alpha1.ApplicationSetGenerator{generator},
+					Template:   cc.template,
+				},
+			},
+				generators,
+				renderer,
+				nil,
+			)
+
+			assert.Equal(t, cc.expectedApps, got)
+		})
+	}
+}
+
+// Test app generation from a go template application set using a pull request generator
+func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
+	for _, cases := range []struct {
+		name        string
+		params      []map[string]interface{}
+		template    v1alpha1.ApplicationSetTemplate
+		expectedApp []v1alpha1.Application
+	}{
+		{
+			name: "Generate an application from a go template application set manifest using a pull request generator",
+			params: []map[string]interface{}{
+				{
+					"number":                                "1",
+					"title":                                 "title1",
+					"branch":                                "branch1",
+					"branch_slug":                           "branchSlug1",
+					"head_sha":                              "089d92cbf9ff857a39e6feccd32798ca700fb958",
+					"head_short_sha":                        "089d92cb",
+					"branch_slugify_default":                "feat/a_really+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
+					"branch_slugify_smarttruncate_disabled": "feat/areallylongpullrequestnametotestargoslugificationandbranchnameshorteningfeature",
+					"branch_slugify_smarttruncate_enabled":  "feat/testwithsmarttruncateenabledramdomlonglistofcharacters",
+					"labels":                                []string{"label1"},
+				},
+			},
+			template: v1alpha1.ApplicationSetTemplate{
+				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+					Name: "AppSet-{{.branch}}-{{.number}}",
+					Labels: map[string]string{
+						"app1":         "{{index .labels 0}}",
+						"branch-test1": "AppSet-{{.branch_slugify_default | slugify }}",
+						"branch-test2": "AppSet-{{.branch_slugify_smarttruncate_disabled | slugify 49 false }}",
+						"branch-test3": "AppSet-{{.branch_slugify_smarttruncate_enabled | slugify 50 true }}",
+					},
+				},
+				Spec: v1alpha1.ApplicationSpec{
+					Source: &v1alpha1.ApplicationSource{
+						RepoURL:        "https://testurl/testRepo",
+						TargetRevision: "{{.head_short_sha}}",
+					},
+					Destination: v1alpha1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Namespace: "AppSet-{{.branch_slug}}-{{.head_sha}}",
+					},
+				},
+			},
+			expectedApp: []v1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "AppSet-branch1-1",
+						Labels: map[string]string{
+							"app1":         "label1",
+							"branch-test1": "AppSet-feat-a-really-long-pull-request-name-to-test-argo",
+							"branch-test2": "AppSet-feat-areallylongpullrequestnametotestargoslugific",
+							"branch-test3": "AppSet-feat",
+						},
+					},
+					Spec: v1alpha1.ApplicationSpec{
+						Source: &v1alpha1.ApplicationSource{
+							RepoURL:        "https://testurl/testRepo",
+							TargetRevision: "089d92cb",
+						},
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "https://kubernetes.default.svc",
+							Namespace: "AppSet-branchSlug1-089d92cbf9ff857a39e6feccd32798ca700fb958",
+						},
+					},
+				},
+			},
+		},
+	} {
+		t.Run(cases.name, func(t *testing.T) {
+			generatorMock := genmock.Generator{}
+			generator := v1alpha1.ApplicationSetGenerator{
+				PullRequest: &v1alpha1.PullRequestGenerator{},
+			}
+
+			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+				Return(cases.params, nil)
+
+			generatorMock.On("GetTemplate", &generator).
+				Return(&cases.template, nil)
+
+			generators := map[string]generators.Generator{
+				"PullRequest": &generatorMock,
+			}
+			renderer := &utils.Render{}
+
+			gotApp, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
+				Spec: v1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+					Generators: []v1alpha1.ApplicationSetGenerator{{
+						PullRequest: &v1alpha1.PullRequestGenerator{},
+					}},
+					Template: cases.template,
+				},
+			},
+				generators,
+				renderer,
+				nil,
+			)
+			assert.EqualValues(t, cases.expectedApp[0].ObjectMeta.Name, gotApp[0].ObjectMeta.Name)
+			assert.EqualValues(t, cases.expectedApp[0].Spec.Source.TargetRevision, gotApp[0].Spec.Source.TargetRevision)
+			assert.EqualValues(t, cases.expectedApp[0].Spec.Destination.Namespace, gotApp[0].Spec.Destination.Namespace)
+			assert.True(t, collections.StringMapsEqual(cases.expectedApp[0].ObjectMeta.Labels, gotApp[0].ObjectMeta.Labels))
+		})
+	}
+}
--- a/applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook/values.yaml
+++ b/applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook/values.yaml
@@ -5,7 +5,7 @@
 replicaCount: 1

 image:
-  repository: gcr.io/heptio-images/ks-guestbook-demo
+  repository: quay.io/argoprojlabs/argocd-e2e-container
  tag: 0.1
  pullPolicy: IfNotPresent

--- a/applicationset/examples/git-generator-files-discovery/apps/guestbook/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/git-generator-files-discovery/apps/guestbook/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/list-generator/guestbook/engineering-dev/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/list-generator/guestbook/engineering-dev/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/list-generator/guestbook/engineering-prod/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/list-generator/guestbook/engineering-prod/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/template-override/default/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/template-override/default/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/examples/template-override/engineering-dev-override/guestbook-ui-deployment.yaml
+++ b/applicationset/examples/template-override/engineering-dev-override/guestbook-ui-deployment.yaml
@@ -14,7 +14,7 @@ spec:
        app: guestbook-ui
    spec:
      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - image: quay.io/argoprojlabs/argocd-e2e-container:0.2
        name: guestbook-ui
        ports:
        - containerPort: 80
--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@@ -85,7 +85,7 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap

 	clusterSecrets, err := g.getSecretsByClusterName(appSetGenerator)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting cluster secrets: %w", err)
 	}

 	res := []map[string]interface{}{}
@@ -106,7 +106,7 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap

 			err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("error appending templated values for local cluster: %w", err)
 			}

 			res = append(res, params)
@@ -146,7 +146,7 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap

 		err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error appending templated values for cluster: %w", err)
 		}

 		res = append(res, params)
@@ -164,7 +164,7 @@ func (g *ClusterGenerator) getSecretsByClusterName(appSetGenerator *argoappsetv1
 	selector := metav1.AddLabelToSelector(&appSetGenerator.Clusters.Selector, ArgoCDSecretTypeLabel, ArgoCDSecretTypeCluster)
 	secretSelector, err := metav1.LabelSelectorAsSelector(selector)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error converting label selector: %w", err)
 	}

 	if err := g.Client.List(context.Background(), clusterSecretList, client.MatchingLabelsSelector{Selector: secretSelector}); err != nil {
--- a/applicationset/generators/cluster_test.go
+++ b/applicationset/generators/cluster_test.go
@@ -226,7 +226,7 @@ func TestGenerateParams(t *testing.T) {
 			values:        nil,
 			expected:      nil,
 			clientError:   true,
-			expectedError: fmt.Errorf("could not list Secrets"),
+			expectedError: fmt.Errorf("error getting cluster secrets: could not list Secrets"),
 		},
 	}

@@ -597,7 +597,7 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 			values:        nil,
 			expected:      nil,
 			clientError:   true,
-			expectedError: fmt.Errorf("could not list Secrets"),
+			expectedError: fmt.Errorf("error getting cluster secrets: could not list Secrets"),
 		},
 	}

--- a/applicationset/generators/duck_type.go
+++ b/applicationset/generators/duck_type.go
@@ -125,7 +125,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 	duckResources, err := g.dynClient.Resource(duckGVR).Namespace(g.namespace).List(g.ctx, listOptions)
 	if err != nil {
 		log.WithField("GVK", duckGVR).Warning("resources were not found")
-		return nil, err
+		return nil, fmt.Errorf("failed to get dynamic resources: %w", err)
 	}

 	if len(duckResources.Items) == 0 {
@@ -218,7 +218,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 			res = append(res, params)
 		}
 	} else {
-		log.Warningf("clusterDecisionResource status." + statusListKey + " missing")
+		log.Warningf("clusterDecisionResource status.%s missing", statusListKey)
 		return nil, nil
 	}

--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@@ -346,7 +346,7 @@ func getMockClusterGenerator() Generator {
 func getMockGitGenerator() Generator {
 	argoCDServiceMock := mocks.Repos{}
 	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
-	gitGenerator := NewGitGenerator(&argoCDServiceMock)
+	gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
 	return gitGenerator
 }

--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -24,13 +24,16 @@ import (
 var _ Generator = (*GitGenerator)(nil)

 type GitGenerator struct {
-	repos services.Repos
+	repos     services.Repos
+	namespace string
 }

-func NewGitGenerator(repos services.Repos) Generator {
+func NewGitGenerator(repos services.Repos, namespace string) Generator {
 	g := &GitGenerator{
-		repos: repos,
+		repos:     repos,
+		namespace: namespace,
 	}
+
 	return g
 }

@@ -59,21 +62,25 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic

 	noRevisionCache := appSet.RefreshRequired()

-	var project string
-	if strings.Contains(appSet.Spec.Template.Spec.Project, "{{") {
-		project = appSetGenerator.Git.Template.Spec.Project
-	} else {
-		project = appSet.Spec.Template.Spec.Project
-	}
+	verifyCommit := false

-	appProject := &argoprojiov1alpha1.AppProject{}
-	if err := client.Get(context.TODO(), types.NamespacedName{Name: appSet.Spec.Template.Spec.Project, Namespace: appSet.Namespace}, appProject); err != nil {
-		return nil, fmt.Errorf("error getting project %s: %w", project, err)
+	// When the project field is templated, the contents of the git repo are required to run the git generator and get the templated value,
+	// but git generator cannot be called without verifying the commit signature.
+	// In this case, we skip the signature verification.
+	if !strings.Contains(appSet.Spec.Template.Spec.Project, "{{") {
+		project := appSet.Spec.Template.Spec.Project
+		appProject := &argoprojiov1alpha1.AppProject{}
+		namespace := g.namespace
+		if namespace == "" {
+			namespace = appSet.Namespace
+		}
+		if err := client.Get(context.TODO(), types.NamespacedName{Name: project, Namespace: namespace}, appProject); err != nil {
+			return nil, fmt.Errorf("error getting project %s: %w", project, err)
+		}
+		// we need to verify the signature on the Git revision if GPG is enabled
+		verifyCommit = len(appProject.Spec.SignatureKeys) > 0 && gpg.IsGPGEnabled()
 	}

-	// we need to verify the signature on the Git revision if GPG is enabled
-	verifyCommit := appProject.Spec.SignatureKeys != nil && len(appProject.Spec.SignatureKeys) > 0 && gpg.IsGPGEnabled()
-
 	var err error
 	var res []map[string]interface{}
 	if len(appSetGenerator.Git.Directories) != 0 {
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@@ -323,7 +323,7 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {

 			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -624,7 +624,7 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {

 			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -989,7 +989,7 @@ cluster:
 			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1345,7 +1345,7 @@ cluster:
 			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1383,3 +1383,114 @@ cluster:
 		})
 	}
 }
+
+func TestGitGenerator_GenerateParams(t *testing.T) {
+	cases := []struct {
+		name               string
+		directories        []argoprojiov1alpha1.GitDirectoryGeneratorItem
+		pathParamPrefix    string
+		repoApps           []string
+		repoPathsError     error
+		repoFileContents   map[string][]byte
+		values             map[string]string
+		expected           []map[string]interface{}
+		expectedError      error
+		appset             argoprojiov1alpha1.ApplicationSet
+		callGetDirectories bool
+	}{
+		{
+			name: "Signature Verification - ignores templated project field",
+			repoApps: []string{
+				"app1",
+			},
+			repoPathsError: nil,
+			appset: argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "set",
+					Namespace: "namespace",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{
+						Git: &argoprojiov1alpha1.GitGenerator{
+							RepoURL:         "RepoURL",
+							Revision:        "Revision",
+							Directories:     []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "*"}},
+							PathParamPrefix: "",
+							Values: map[string]string{
+								"foo": "bar",
+							},
+						},
+					}},
+					Template: argoprojiov1alpha1.ApplicationSetTemplate{
+						Spec: argoprojiov1alpha1.ApplicationSpec{
+							Project: "{{.project}}",
+						},
+					},
+				},
+			},
+			callGetDirectories: true,
+			expected:           []map[string]interface{}{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
+			expectedError:      nil,
+		},
+		{
+			name: "Signature Verification - Checks for non-templated project field",
+			repoApps: []string{
+				"app1",
+			},
+			repoPathsError: nil,
+			appset: argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "set",
+					Namespace: "namespace",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{
+						Git: &argoprojiov1alpha1.GitGenerator{
+							RepoURL:         "RepoURL",
+							Revision:        "Revision",
+							Directories:     []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "*"}},
+							PathParamPrefix: "",
+							Values: map[string]string{
+								"foo": "bar",
+							},
+						},
+					}},
+					Template: argoprojiov1alpha1.ApplicationSetTemplate{
+						Spec: argoprojiov1alpha1.ApplicationSpec{
+							Project: "project",
+						},
+					},
+				},
+			},
+			callGetDirectories: false,
+			expected:           []map[string]interface{}{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
+			expectedError:      fmt.Errorf("error getting project project: appprojects.argoproj.io \"project\" not found"),
+		},
+	}
+	for _, testCase := range cases {
+		argoCDServiceMock := mocks.Repos{}
+
+		if testCase.callGetDirectories {
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
+		}
+		gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
+
+		scheme := runtime.NewScheme()
+		err := v1alpha1.AddToScheme(scheme)
+		require.NoError(t, err)
+		appProject := argoprojiov1alpha1.AppProject{}
+
+		client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+		got, err := gitGenerator.GenerateParams(&testCase.appset.Spec.Generators[0], &testCase.appset, client)
+
+		if testCase.expectedError != nil {
+			require.EqualError(t, err, testCase.expectedError.Error())
+		} else {
+			require.NoError(t, err)
+			assert.Equal(t, testCase.expected, got)
+		}
+
+		argoCDServiceMock.AssertExpectations(t)
+	}
+}
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@@ -1073,7 +1073,7 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	// of that bug.

 	listGeneratorMock := &generatorMock{}
-	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet")).Return([]map[string]interface{}{
+	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]interface{}{
 		{"some": "value"},
 	}, nil)
 	listGeneratorMock.On("GetTemplate", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
@@ -1089,7 +1089,7 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	repoServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
 		"some/path.json": []byte("test: content"),
 	}, nil)
-	gitGenerator := NewGitGenerator(repoServiceMock)
+	gitGenerator := NewGitGenerator(repoServiceMock, "")

 	matrixGenerator := NewMatrixGenerator(map[string]Generator{
 		"List": listGeneratorMock,
--- a/applicationset/generators/mocks/Generator.go
+++ b/applicationset/generators/mocks/Generator.go
@@ -0,0 +1,100 @@
+// Code generated by mockery v2.43.2. DO NOT EDIT.
+
+package mocks
+
+import (
+	client "sigs.k8s.io/controller-runtime/pkg/client"
+
+	mock "github.com/stretchr/testify/mock"
+
+	time "time"
+
+	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+// Generator is an autogenerated mock type for the Generator type
+type Generator struct {
+	mock.Mock
+}
+
+// GenerateParams provides a mock function with given fields: appSetGenerator, applicationSetInfo, _a2
+func (_m *Generator) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, applicationSetInfo *v1alpha1.ApplicationSet, _a2 client.Client) ([]map[string]interface{}, error) {
+	ret := _m.Called(appSetGenerator, applicationSetInfo, _a2)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GenerateParams")
+	}
+
+	var r0 []map[string]interface{}
+	var r1 error
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) ([]map[string]interface{}, error)); ok {
+		return rf(appSetGenerator, applicationSetInfo, _a2)
+	}
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) []map[string]interface{}); ok {
+		r0 = rf(appSetGenerator, applicationSetInfo, _a2)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]map[string]interface{})
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) error); ok {
+		r1 = rf(appSetGenerator, applicationSetInfo, _a2)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GetRequeueAfter provides a mock function with given fields: appSetGenerator
+func (_m *Generator) GetRequeueAfter(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration {
+	ret := _m.Called(appSetGenerator)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetRequeueAfter")
+	}
+
+	var r0 time.Duration
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) time.Duration); ok {
+		r0 = rf(appSetGenerator)
+	} else {
+		r0 = ret.Get(0).(time.Duration)
+	}
+
+	return r0
+}
+
+// GetTemplate provides a mock function with given fields: appSetGenerator
+func (_m *Generator) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate {
+	ret := _m.Called(appSetGenerator)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTemplate")
+	}
+
+	var r0 *v1alpha1.ApplicationSetTemplate
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate); ok {
+		r0 = rf(appSetGenerator)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.ApplicationSetTemplate)
+		}
+	}
+
+	return r0
+}
+
+// NewGenerator creates a new instance of Generator. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewGenerator(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *Generator {
+	mock := &Generator{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/applicationset/generators/plugin_test.go
+++ b/applicationset/generators/plugin_test.go
@@ -694,7 +694,7 @@ func TestPluginGenerateParams(t *testing.T) {
 				require.NoError(t, err)
 				gotJson, err := json.Marshal(got)
 				require.NoError(t, err)
-				assert.Equal(t, string(expectedJson), string(gotJson))
+				assert.JSONEq(t, string(expectedJson), string(gotJson))
 			}
 		})
 	}
--- a/applicationset/generators/pull_request.go
+++ b/applicationset/generators/pull_request.go
@@ -6,12 +6,12 @@ import (
 	"strconv"
 	"time"

-	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/gosimple/slug"

 	pullrequest "github.com/argoproj/argo-cd/v2/applicationset/services/pull_request"
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

@@ -24,19 +24,13 @@ const (
 type PullRequestGenerator struct {
 	client                    client.Client
 	selectServiceProviderFunc func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error)
-	auth                      SCMAuthProviders
-	scmRootCAPath             string
-	allowedSCMProviders       []string
-	enableSCMProviders        bool
+	SCMConfig
 }

-func NewPullRequestGenerator(client client.Client, auth SCMAuthProviders, scmRootCAPath string, allowedScmProviders []string, enableSCMProviders bool) Generator {
+func NewPullRequestGenerator(client client.Client, scmConfig SCMConfig) Generator {
 	g := &PullRequestGenerator{
-		client:              client,
-		auth:                auth,
-		scmRootCAPath:       scmRootCAPath,
-		allowedSCMProviders: allowedScmProviders,
-		enableSCMProviders:  enableSCMProviders,
+		client:    client,
+		SCMConfig: scmConfig,
 	}
 	g.selectServiceProviderFunc = g.selectServiceProvider
 	return g
@@ -103,6 +97,7 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha

 		paramMap := map[string]interface{}{
 			"number":             strconv.Itoa(pull.Number),
+			"title":              pull.Title,
 			"branch":             pull.Branch,
 			"branch_slug":        slug.Make(pull.Branch),
 			"target_branch":      pull.TargetBranch,
@@ -110,6 +105,7 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			"head_sha":           pull.HeadSHA,
 			"head_short_sha":     pull.HeadSHA[:shortSHALength],
 			"head_short_sha_7":   pull.HeadSHA[:shortSHALength7],
+			"author":             pull.Author,
 		}

 		// PR lables will only be supported for Go Template appsets, since fasttemplate will be deprecated.
@@ -135,15 +131,23 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 	}
 	if generatorConfig.GitLab != nil {
 		providerConfig := generatorConfig.GitLab
-		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
+		var caCerts []byte
+		var prErr error
+		if providerConfig.CARef != nil {
+			caCerts, prErr = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if prErr != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", prErr)
+			}
+		}
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
-		return pullrequest.NewGitLabService(ctx, token, providerConfig.API, providerConfig.Project, providerConfig.Labels, providerConfig.PullRequestState, g.scmRootCAPath, providerConfig.Insecure)
+		return pullrequest.NewGitLabService(ctx, token, providerConfig.API, providerConfig.Project, providerConfig.Labels, providerConfig.PullRequestState, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 	}
 	if generatorConfig.Gitea != nil {
 		providerConfig := generatorConfig.Gitea
-		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
@@ -151,26 +155,40 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 	}
 	if generatorConfig.BitbucketServer != nil {
 		providerConfig := generatorConfig.BitbucketServer
-		if providerConfig.BasicAuth != nil {
-			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
+		var caCerts []byte
+		var prErr error
+		if providerConfig.CARef != nil {
+			caCerts, prErr = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if prErr != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", prErr)
+			}
+		}
+		if providerConfig.BearerToken != nil {
+			appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace)
+			if err != nil {
+				return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
+			}
+			return pullrequest.NewBitbucketServiceBearerToken(ctx, appToken, providerConfig.API, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts)
+		} else if providerConfig.BasicAuth != nil {
+			password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
 			if err != nil {
 				return nil, fmt.Errorf("error fetching Secret token: %w", err)
 			}
-			return pullrequest.NewBitbucketServiceBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.Repo)
+			return pullrequest.NewBitbucketServiceBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 		} else {
-			return pullrequest.NewBitbucketServiceNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.Repo)
+			return pullrequest.NewBitbucketServiceNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 		}
 	}
 	if generatorConfig.Bitbucket != nil {
 		providerConfig := generatorConfig.Bitbucket
 		if providerConfig.BearerToken != nil {
-			appToken, err := g.getSecretRef(ctx, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace)
+			appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace)
 			if err != nil {
 				return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
 			}
 			return pullrequest.NewBitbucketCloudServiceBearerToken(providerConfig.API, appToken, providerConfig.Owner, providerConfig.Repo)
 		} else if providerConfig.BasicAuth != nil {
-			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
+			password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
 			if err != nil {
 				return nil, fmt.Errorf("error fetching Secret token: %w", err)
 			}
@@ -181,7 +199,7 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 	}
 	if generatorConfig.AzureDevOps != nil {
 		providerConfig := generatorConfig.AzureDevOps
-		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
@@ -193,7 +211,7 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 func (g *PullRequestGenerator) github(ctx context.Context, cfg *argoprojiov1alpha1.PullRequestGeneratorGithub, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
 	// use an app if it was configured
 	if cfg.AppSecretName != "" {
-		auth, err := g.auth.GitHubApps.GetAuthSecret(ctx, cfg.AppSecretName)
+		auth, err := g.GitHubApps.GetAuthSecret(ctx, cfg.AppSecretName)
 		if err != nil {
 			return nil, fmt.Errorf("error getting GitHub App secret: %w", err)
 		}
@@ -201,33 +219,9 @@ func (g *PullRequestGenerator) github(ctx context.Context, cfg *argoprojiov1alph
 	}

 	// always default to token, even if not set (public access)
-	token, err := g.getSecretRef(ctx, cfg.TokenRef, applicationSetInfo.Namespace)
+	token, err := utils.GetSecretRef(ctx, g.client, cfg.TokenRef, applicationSetInfo.Namespace)
 	if err != nil {
 		return nil, fmt.Errorf("error fetching Secret token: %w", err)
 	}
 	return pullrequest.NewGithubService(ctx, token, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
 }
-
-// getSecretRef gets the value of the key for the specified Secret resource.
-func (g *PullRequestGenerator) getSecretRef(ctx context.Context, ref *argoprojiov1alpha1.SecretRef, namespace string) (string, error) {
-	if ref == nil {
-		return "", nil
-	}
-
-	secret := &corev1.Secret{}
-	err := g.client.Get(
-		ctx,
-		client.ObjectKey{
-			Name:      ref.SecretName,
-			Namespace: namespace,
-		},
-		secret)
-	if err != nil {
-		return "", fmt.Errorf("error fetching secret %s/%s: %w", namespace, ref.SecretName, err)
-	}
-	tokenBytes, ok := secret.Data[ref.Key]
-	if !ok {
-		return "", fmt.Errorf("key %q in secret %s/%s not found", ref.Key, namespace, ref.SecretName)
-	}
-	return string(tokenBytes), nil
-}
--- a/applicationset/generators/pull_request_test.go
+++ b/applicationset/generators/pull_request_test.go
@@ -7,9 +7,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"

 	pullrequest "github.com/argoproj/argo-cd/v2/applicationset/services/pull_request"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -30,9 +28,11 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       1,
+							Title:        "title1",
 							Branch:       "branch1",
 							TargetBranch: "master",
 							HeadSHA:      "089d92cbf9ff857a39e6feccd32798ca700fb958",
+							Author:       "testName",
 						},
 					},
 					nil,
@@ -41,6 +41,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			expected: []map[string]interface{}{
 				{
 					"number":             "1",
+					"title":              "title1",
 					"branch":             "branch1",
 					"branch_slug":        "branch1",
 					"target_branch":      "master",
@@ -48,6 +49,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_sha":           "089d92cbf9ff857a39e6feccd32798ca700fb958",
 					"head_short_sha":     "089d92cb",
 					"head_short_sha_7":   "089d92c",
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -59,9 +61,11 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       2,
+							Title:        "title2",
 							Branch:       "feat/areally+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
 							TargetBranch: "feat/anotherreally+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
 							HeadSHA:      "9b34ff5bd418e57d58891eb0aa0728043ca1e8be",
+							Author:       "testName",
 						},
 					},
 					nil,
@@ -70,6 +74,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			expected: []map[string]interface{}{
 				{
 					"number":             "2",
+					"title":              "title2",
 					"branch":             "feat/areally+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
 					"branch_slug":        "feat-areally-long-pull-request-name-to-test-argo",
 					"target_branch":      "feat/anotherreally+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
@@ -77,6 +82,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_sha":           "9b34ff5bd418e57d58891eb0aa0728043ca1e8be",
 					"head_short_sha":     "9b34ff5b",
 					"head_short_sha_7":   "9b34ff5",
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -88,9 +94,11 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       1,
+							Title:        "title1",
 							Branch:       "a-very-short-sha",
 							TargetBranch: "master",
 							HeadSHA:      "abcd",
+							Author:       "testName",
 						},
 					},
 					nil,
@@ -99,6 +107,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			expected: []map[string]interface{}{
 				{
 					"number":             "1",
+					"title":              "title1",
 					"branch":             "a-very-short-sha",
 					"branch_slug":        "a-very-short-sha",
 					"target_branch":      "master",
@@ -106,6 +115,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_sha":           "abcd",
 					"head_short_sha":     "abcd",
 					"head_short_sha_7":   "abcd",
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -128,10 +138,12 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       1,
+							Title:        "title1",
 							Branch:       "branch1",
 							TargetBranch: "master",
 							HeadSHA:      "089d92cbf9ff857a39e6feccd32798ca700fb958",
 							Labels:       []string{"preview"},
+							Author:       "testName",
 						},
 					},
 					nil,
@@ -140,6 +152,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			expected: []map[string]interface{}{
 				{
 					"number":             "1",
+					"title":              "title1",
 					"branch":             "branch1",
 					"branch_slug":        "branch1",
 					"target_branch":      "master",
@@ -148,6 +161,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_short_sha":     "089d92cb",
 					"head_short_sha_7":   "089d92c",
 					"labels":             []string{"preview"},
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -165,10 +179,12 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					[]*pullrequest.PullRequest{
 						{
 							Number:       1,
+							Title:        "title1",
 							Branch:       "branch1",
 							TargetBranch: "master",
 							HeadSHA:      "089d92cbf9ff857a39e6feccd32798ca700fb958",
 							Labels:       []string{"preview"},
+							Author:       "testName",
 						},
 					},
 					nil,
@@ -177,6 +193,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			expected: []map[string]interface{}{
 				{
 					"number":             "1",
+					"title":              "title1",
 					"branch":             "branch1",
 					"branch_slug":        "branch1",
 					"target_branch":      "master",
@@ -184,6 +201,7 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 					"head_sha":           "089d92cbf9ff857a39e6feccd32798ca700fb958",
 					"head_short_sha":     "089d92cb",
 					"head_short_sha_7":   "089d92c",
+					"author":             "testName",
 				},
 			},
 			expectedErr: nil,
@@ -214,76 +232,10 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 	}
 }

-func TestPullRequestGetSecretRef(t *testing.T) {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{Name: "test-secret", Namespace: "test"},
-		Data: map[string][]byte{
-			"my-token": []byte("secret"),
-		},
-	}
-	gen := &PullRequestGenerator{client: fake.NewClientBuilder().WithObjects(secret).Build()}
-	ctx := context.Background()
-
-	cases := []struct {
-		name, namespace, token string
-		ref                    *argoprojiov1alpha1.SecretRef
-		hasError               bool
-	}{
-		{
-			name:      "valid ref",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
-			namespace: "test",
-			token:     "secret",
-			hasError:  false,
-		},
-		{
-			name:      "nil ref",
-			ref:       nil,
-			namespace: "test",
-			token:     "",
-			hasError:  false,
-		},
-		{
-			name:      "wrong name",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "other", Key: "my-token"},
-			namespace: "test",
-			token:     "",
-			hasError:  true,
-		},
-		{
-			name:      "wrong key",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "other-token"},
-			namespace: "test",
-			token:     "",
-			hasError:  true,
-		},
-		{
-			name:      "wrong namespace",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
-			namespace: "other",
-			token:     "",
-			hasError:  true,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			token, err := gen.getSecretRef(ctx, c.ref, c.namespace)
-			if c.hasError {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-			assert.Equal(t, c.token, token)
-		})
-	}
-}
-
 func TestAllowedSCMProviderPullRequest(t *testing.T) {
 	cases := []struct {
 		name           string
 		providerConfig *argoprojiov1alpha1.PullRequestGenerator
-		expectedError  error
 	}{
 		{
 			name: "Error Github",
@@ -292,7 +244,6 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Gitlab",
@@ -301,7 +252,6 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Gitea",
@@ -310,7 +260,6 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Bitbucket",
@@ -319,7 +268,6 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 	}

@@ -329,13 +277,13 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			pullRequestGenerator := NewPullRequestGenerator(nil, SCMAuthProviders{}, "", []string{
+			pullRequestGenerator := NewPullRequestGenerator(nil, NewSCMConfig("", []string{
 				"github.myorg.com",
 				"gitlab.myorg.com",
 				"gitea.myorg.com",
 				"bitbucket.myorg.com",
 				"azuredevops.myorg.com",
-			}, true)
+			}, true, nil))

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -351,13 +299,14 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 			_, err := pullRequestGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)

 			require.Error(t, err, "Must return an error")
-			assert.ErrorAs(t, err, testCaseCopy.expectedError)
+			var expectedError ErrDisallowedSCMProvider
+			assert.ErrorAs(t, err, &expectedError)
 		})
 	}
 }

 func TestSCMProviderDisabled_PRGenerator(t *testing.T) {
-	generator := NewPullRequestGenerator(nil, SCMAuthProviders{}, "", []string{}, false)
+	generator := NewPullRequestGenerator(nil, NewSCMConfig("", []string{}, false, nil))

 	applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 		ObjectMeta: metav1.ObjectMeta{
--- a/applicationset/generators/scm_provider.go
+++ b/applicationset/generators/scm_provider.go
@@ -7,7 +7,6 @@ import (
 	"strings"
 	"time"

-	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	log "github.com/sirupsen/logrus"
@@ -29,29 +28,36 @@ type SCMProviderGenerator struct {
 	client client.Client
 	// Testing hooks.
 	overrideProvider scm_provider.SCMProviderService
-	SCMAuthProviders
+	SCMConfig
+}
+type SCMConfig struct {
 	scmRootCAPath       string
 	allowedSCMProviders []string
 	enableSCMProviders  bool
+	GitHubApps          github_app_auth.Credentials
 }

-type SCMAuthProviders struct {
-	GitHubApps github_app_auth.Credentials
-}
-
-func NewSCMProviderGenerator(client client.Client, providers SCMAuthProviders, scmRootCAPath string, allowedSCMProviders []string, enableSCMProviders bool) Generator {
-	return &SCMProviderGenerator{
-		client:              client,
-		SCMAuthProviders:    providers,
+func NewSCMConfig(scmRootCAPath string, allowedSCMProviders []string, enableSCMProviders bool, gitHubApps github_app_auth.Credentials) SCMConfig {
+	return SCMConfig{
 		scmRootCAPath:       scmRootCAPath,
 		allowedSCMProviders: allowedSCMProviders,
 		enableSCMProviders:  enableSCMProviders,
+		GitHubApps:          gitHubApps,
+	}
+}
+
+func NewSCMProviderGenerator(client client.Client, scmConfig SCMConfig) Generator {
+	return &SCMProviderGenerator{
+		client:    client,
+		SCMConfig: scmConfig,
 	}
 }

 // Testing generator
 func NewTestSCMProviderGenerator(overrideProvider scm_provider.SCMProviderService) Generator {
-	return &SCMProviderGenerator{overrideProvider: overrideProvider, enableSCMProviders: true}
+	return &SCMProviderGenerator{overrideProvider: overrideProvider, SCMConfig: SCMConfig{
+		enableSCMProviders: true,
+	}}
 }

 func (g *SCMProviderGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) time.Duration {
@@ -139,16 +145,25 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			return nil, fmt.Errorf("scm provider: %w", err)
 		}
 	} else if providerConfig.Gitlab != nil {
-		token, err := g.getSecretRef(ctx, providerConfig.Gitlab.TokenRef, applicationSetInfo.Namespace)
+		providerConfig := providerConfig.Gitlab
+		var caCerts []byte
+		var scmError error
+		if providerConfig.CARef != nil {
+			caCerts, scmError = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if scmError != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", scmError)
+			}
+		}
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Gitlab token: %w", err)
 		}
-		provider, err = scm_provider.NewGitlabProvider(ctx, providerConfig.Gitlab.Group, token, providerConfig.Gitlab.API, providerConfig.Gitlab.AllBranches, providerConfig.Gitlab.IncludeSubgroups, providerConfig.Gitlab.WillIncludeSharedProjects(), providerConfig.Gitlab.Insecure, g.scmRootCAPath, providerConfig.Gitlab.Topic)
+		provider, err = scm_provider.NewGitlabProvider(ctx, providerConfig.Group, token, providerConfig.API, providerConfig.AllBranches, providerConfig.IncludeSubgroups, providerConfig.WillIncludeSharedProjects(), providerConfig.Insecure, g.scmRootCAPath, providerConfig.Topic, caCerts)
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Gitlab service: %w", err)
 		}
 	} else if providerConfig.Gitea != nil {
-		token, err := g.getSecretRef(ctx, providerConfig.Gitea.TokenRef, applicationSetInfo.Namespace)
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.Gitea.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Gitea token: %w", err)
 		}
@@ -158,21 +173,34 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		}
 	} else if providerConfig.BitbucketServer != nil {
 		providerConfig := providerConfig.BitbucketServer
+		var caCerts []byte
 		var scmError error
-		if providerConfig.BasicAuth != nil {
-			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
+		if providerConfig.CARef != nil {
+			caCerts, scmError = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if scmError != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", scmError)
+			}
+		}
+		if providerConfig.BearerToken != nil {
+			appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace)
+			if err != nil {
+				return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
+			}
+			provider, scmError = scm_provider.NewBitbucketServerProviderBearerToken(ctx, appToken, providerConfig.API, providerConfig.Project, providerConfig.AllBranches, g.scmRootCAPath, providerConfig.Insecure, caCerts)
+		} else if providerConfig.BasicAuth != nil {
+			password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
 			if err != nil {
 				return nil, fmt.Errorf("error fetching Secret token: %w", err)
 			}
-			provider, scmError = scm_provider.NewBitbucketServerProviderBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.AllBranches)
+			provider, scmError = scm_provider.NewBitbucketServerProviderBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.AllBranches, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 		} else {
-			provider, scmError = scm_provider.NewBitbucketServerProviderNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.AllBranches)
+			provider, scmError = scm_provider.NewBitbucketServerProviderNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.AllBranches, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 		}
 		if scmError != nil {
 			return nil, fmt.Errorf("error initializing Bitbucket Server service: %w", scmError)
 		}
 	} else if providerConfig.AzureDevOps != nil {
-		token, err := g.getSecretRef(ctx, providerConfig.AzureDevOps.AccessTokenRef, applicationSetInfo.Namespace)
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.AzureDevOps.AccessTokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Azure Devops access token: %w", err)
 		}
@@ -181,7 +209,7 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			return nil, fmt.Errorf("error initializing Azure Devops service: %w", err)
 		}
 	} else if providerConfig.Bitbucket != nil {
-		appPassword, err := g.getSecretRef(ctx, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
+		appPassword, err := utils.GetSecretRef(ctx, g.client, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %w", err)
 		}
@@ -240,29 +268,6 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	return paramsArray, nil
 }

-func (g *SCMProviderGenerator) getSecretRef(ctx context.Context, ref *argoprojiov1alpha1.SecretRef, namespace string) (string, error) {
-	if ref == nil {
-		return "", nil
-	}
-
-	secret := &corev1.Secret{}
-	err := g.client.Get(
-		ctx,
-		client.ObjectKey{
-			Name:      ref.SecretName,
-			Namespace: namespace,
-		},
-		secret)
-	if err != nil {
-		return "", fmt.Errorf("error fetching secret %s/%s: %w", namespace, ref.SecretName, err)
-	}
-	tokenBytes, ok := secret.Data[ref.Key]
-	if !ok {
-		return "", fmt.Errorf("key %q in secret %s/%s not found", ref.Key, namespace, ref.SecretName)
-	}
-	return string(tokenBytes), nil
-}
-
 func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argoprojiov1alpha1.SCMProviderGeneratorGithub, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) (scm_provider.SCMProviderService, error) {
 	if github.AppSecretName != "" {
 		auth, err := g.GitHubApps.GetAuthSecret(ctx, github.AppSecretName)
@@ -278,7 +283,7 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 		)
 	}

-	token, err := g.getSecretRef(ctx, github.TokenRef, applicationSetInfo.Namespace)
+	token, err := utils.GetSecretRef(ctx, g.client, github.TokenRef, applicationSetInfo.Namespace)
 	if err != nil {
 		return nil, fmt.Errorf("error fetching Github token: %w", err)
 	}
--- a/applicationset/generators/scm_provider_test.go
+++ b/applicationset/generators/scm_provider_test.go
@@ -1,84 +1,16 @@
 package generators

 import (
-	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"

 	"github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

-func TestSCMProviderGetSecretRef(t *testing.T) {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{Name: "test-secret", Namespace: "test"},
-		Data: map[string][]byte{
-			"my-token": []byte("secret"),
-		},
-	}
-	gen := &SCMProviderGenerator{client: fake.NewClientBuilder().WithObjects(secret).Build()}
-	ctx := context.Background()
-
-	cases := []struct {
-		name, namespace, token string
-		ref                    *argoprojiov1alpha1.SecretRef
-		hasError               bool
-	}{
-		{
-			name:      "valid ref",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
-			namespace: "test",
-			token:     "secret",
-			hasError:  false,
-		},
-		{
-			name:      "nil ref",
-			ref:       nil,
-			namespace: "test",
-			token:     "",
-			hasError:  false,
-		},
-		{
-			name:      "wrong name",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "other", Key: "my-token"},
-			namespace: "test",
-			token:     "",
-			hasError:  true,
-		},
-		{
-			name:      "wrong key",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "other-token"},
-			namespace: "test",
-			token:     "",
-			hasError:  true,
-		},
-		{
-			name:      "wrong namespace",
-			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
-			namespace: "other",
-			token:     "",
-			hasError:  true,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			token, err := gen.getSecretRef(ctx, c.ref, c.namespace)
-			if c.hasError {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-			assert.Equal(t, c.token, token)
-		})
-	}
-}
-
 func TestSCMProviderGenerateParams(t *testing.T) {
 	cases := []struct {
 		name          string
@@ -174,7 +106,7 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 			mockProvider := &scm_provider.MockProvider{
 				Repos: testCaseCopy.repos,
 			}
-			scmGenerator := &SCMProviderGenerator{overrideProvider: mockProvider, enableSCMProviders: true}
+			scmGenerator := &SCMProviderGenerator{overrideProvider: mockProvider, SCMConfig: SCMConfig{enableSCMProviders: true}}
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -204,7 +136,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 	cases := []struct {
 		name           string
 		providerConfig *argoprojiov1alpha1.SCMProviderGenerator
-		expectedError  error
 	}{
 		{
 			name: "Error Github",
@@ -213,7 +144,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Gitlab",
@@ -222,7 +152,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Gitea",
@@ -231,7 +160,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error Bitbucket",
@@ -240,7 +168,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 		{
 			name: "Error AzureDevops",
@@ -249,7 +176,6 @@ func TestAllowedSCMProvider(t *testing.T) {
 					API: "https://myservice.mynamespace.svc.cluster.local",
 				},
 			},
-			expectedError: &ErrDisallowedSCMProvider{},
 		},
 	}

@@ -260,14 +186,16 @@ func TestAllowedSCMProvider(t *testing.T) {
 			t.Parallel()

 			scmGenerator := &SCMProviderGenerator{
-				allowedSCMProviders: []string{
-					"github.myorg.com",
-					"gitlab.myorg.com",
-					"gitea.myorg.com",
-					"bitbucket.myorg.com",
-					"azuredevops.myorg.com",
+				SCMConfig: SCMConfig{
+					allowedSCMProviders: []string{
+						"github.myorg.com",
+						"gitlab.myorg.com",
+						"gitea.myorg.com",
+						"bitbucket.myorg.com",
+						"azuredevops.myorg.com",
+					},
+					enableSCMProviders: true,
 				},
-				enableSCMProviders: true,
 			}

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
@@ -284,13 +212,14 @@ func TestAllowedSCMProvider(t *testing.T) {
 			_, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)

 			require.Error(t, err, "Must return an error")
-			assert.ErrorAs(t, err, testCaseCopy.expectedError)
+			var expectedError ErrDisallowedSCMProvider
+			assert.ErrorAs(t, err, &expectedError)
 		})
 	}
 }

 func TestSCMProviderDisabled_SCMGenerator(t *testing.T) {
-	generator := &SCMProviderGenerator{enableSCMProviders: false}
+	generator := &SCMProviderGenerator{SCMConfig: SCMConfig{enableSCMProviders: false}}

 	applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 		ObjectMeta: metav1.ObjectMeta{
--- a/applicationset/generators/utils.go
+++ b/applicationset/generators/utils.go
@@ -0,0 +1,49 @@
+package generators
+
+import (
+	"context"
+
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/services"
+)
+
+func GetGenerators(ctx context.Context, c client.Client, k8sClient kubernetes.Interface, namespace string, argoCDService services.Repos, dynamicClient dynamic.Interface, scmConfig SCMConfig) map[string]Generator {
+	terminalGenerators := map[string]Generator{
+		"List":                    NewListGenerator(),
+		"Clusters":                NewClusterGenerator(c, ctx, k8sClient, namespace),
+		"Git":                     NewGitGenerator(argoCDService, namespace),
+		"SCMProvider":             NewSCMProviderGenerator(c, scmConfig),
+		"ClusterDecisionResource": NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, namespace),
+		"PullRequest":             NewPullRequestGenerator(c, scmConfig),
+		"Plugin":                  NewPluginGenerator(c, ctx, k8sClient, namespace),
+	}
+
+	nestedGenerators := map[string]Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Plugin":                  terminalGenerators["Plugin"],
+		"Matrix":                  NewMatrixGenerator(terminalGenerators),
+		"Merge":                   NewMergeGenerator(terminalGenerators),
+	}
+
+	topLevelGenerators := map[string]Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Plugin":                  terminalGenerators["Plugin"],
+		"Matrix":                  NewMatrixGenerator(nestedGenerators),
+		"Merge":                   NewMergeGenerator(nestedGenerators),
+	}
+
+	return topLevelGenerators
+}
--- a/applicationset/metrics/fake.go
+++ b/applicationset/metrics/fake.go
@@ -0,0 +1,22 @@
+package metrics
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// Fake implementation for testing
+func NewFakeAppsetMetrics(client ctrlclient.WithWatch) *ApplicationsetMetrics {
+	reconcileHistogram := prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name: "argocd_appset_reconcile",
+			Help: "Application reconciliation performance in seconds.",
+			// Buckets can be set later on after observing median time
+		},
+		[]string{"name", "namespace"},
+	)
+
+	return &ApplicationsetMetrics{
+		reconcileHistogram: reconcileHistogram,
+	}
+}
--- a/applicationset/metrics/metrics.go
+++ b/applicationset/metrics/metrics.go
@@ -0,0 +1,131 @@
+package metrics
+
+import (
+	"time"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
+
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	applisters "github.com/argoproj/argo-cd/v2/pkg/client/listers/application/v1alpha1"
+	metricsutil "github.com/argoproj/argo-cd/v2/util/metrics"
+)
+
+var (
+	descAppsetLabels        *prometheus.Desc
+	descAppsetDefaultLabels = []string{"namespace", "name"}
+	descAppsetInfo          = prometheus.NewDesc(
+		"argocd_appset_info",
+		"Information about applicationset",
+		append(descAppsetDefaultLabels, "resource_update_status"),
+		nil,
+	)
+
+	descAppsetGeneratedApps = prometheus.NewDesc(
+		"argocd_appset_owned_applications",
+		"Number of applications owned by the applicationset",
+		descAppsetDefaultLabels,
+		nil,
+	)
+)
+
+type ApplicationsetMetrics struct {
+	reconcileHistogram *prometheus.HistogramVec
+}
+
+type appsetCollector struct {
+	lister applisters.ApplicationSetLister
+	// appsClientSet appclientset.Interface
+	labels []string
+	filter func(appset *argoappv1.ApplicationSet) bool
+}
+
+func NewApplicationsetMetrics(appsetLister applisters.ApplicationSetLister, appsetLabels []string, appsetFilter func(appset *argoappv1.ApplicationSet) bool) ApplicationsetMetrics {
+	reconcileHistogram := prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name: "argocd_appset_reconcile",
+			Help: "Application reconciliation performance in seconds.",
+			// Buckets can be set later on after observing median time
+		},
+		descAppsetDefaultLabels,
+	)
+
+	appsetCollector := newAppsetCollector(appsetLister, appsetLabels, appsetFilter)
+
+	// Register collectors and metrics
+	metrics.Registry.MustRegister(reconcileHistogram)
+	metrics.Registry.MustRegister(appsetCollector)
+
+	return ApplicationsetMetrics{
+		reconcileHistogram: reconcileHistogram,
+	}
+}
+
+func (m *ApplicationsetMetrics) ObserveReconcile(appset *argoappv1.ApplicationSet, duration time.Duration) {
+	m.reconcileHistogram.WithLabelValues(appset.Namespace, appset.Name).Observe(duration.Seconds())
+}
+
+func newAppsetCollector(lister applisters.ApplicationSetLister, labels []string, filter func(appset *argoappv1.ApplicationSet) bool) *appsetCollector {
+	descAppsetDefaultLabels = []string{"namespace", "name"}
+
+	if len(labels) > 0 {
+		descAppsetLabels = prometheus.NewDesc(
+			"argocd_appset_labels",
+			"Applicationset labels translated to Prometheus labels",
+			append(descAppsetDefaultLabels, metricsutil.NormalizeLabels("label", labels)...),
+			nil,
+		)
+	}
+
+	return &appsetCollector{
+		lister: lister,
+		labels: labels,
+		filter: filter,
+	}
+}
+
+// Describe implements the prometheus.Collector interface
+func (c *appsetCollector) Describe(ch chan<- *prometheus.Desc) {
+	ch <- descAppsetInfo
+	ch <- descAppsetGeneratedApps
+
+	if len(c.labels) > 0 {
+		ch <- descAppsetLabels
+	}
+}
+
+// Collect implements the prometheus.Collector interface
+func (c *appsetCollector) Collect(ch chan<- prometheus.Metric) {
+	appsets, _ := c.lister.List(labels.NewSelector())
+
+	for _, appset := range appsets {
+		if c.filter(appset) {
+			collectAppset(appset, c.labels, ch)
+		}
+	}
+}
+
+func collectAppset(appset *argoappv1.ApplicationSet, labelsToCollect []string, ch chan<- prometheus.Metric) {
+	labelValues := make([]string, 0)
+	commonLabelValues := []string{appset.Namespace, appset.Name}
+
+	for _, label := range labelsToCollect {
+		labelValues = append(labelValues, appset.GetLabels()[label])
+	}
+
+	resourceUpdateStatus := "Unknown"
+
+	for _, condition := range appset.Status.Conditions {
+		if condition.Type == argoappv1.ApplicationSetConditionResourcesUpToDate {
+			resourceUpdateStatus = condition.Reason
+		}
+	}
+
+	if len(labelsToCollect) > 0 {
+		ch <- prometheus.MustNewConstMetric(descAppsetLabels, prometheus.GaugeValue, 1, append(commonLabelValues, labelValues...)...)
+	}
+
+	ch <- prometheus.MustNewConstMetric(descAppsetInfo, prometheus.GaugeValue, 1, appset.Namespace, appset.Name, resourceUpdateStatus)
+	ch <- prometheus.MustNewConstMetric(descAppsetGeneratedApps, prometheus.GaugeValue, float64(len(appset.Status.Resources)), appset.Namespace, appset.Name)
+}
--- a/applicationset/metrics/metrics_test.go
+++ b/applicationset/metrics/metrics_test.go
@@ -0,0 +1,256 @@
+package metrics
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+	fake "sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	prometheus "github.com/prometheus/client_golang/prometheus"
+
+	metricsutil "github.com/argoproj/argo-cd/v2/util/metrics"
+
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
+
+	"sigs.k8s.io/yaml"
+)
+
+var (
+	applicationsetNamespaces = []string{"argocd", "test-namespace1"}
+
+	filter = func(appset *argoappv1.ApplicationSet) bool {
+		return utils.IsNamespaceAllowed(applicationsetNamespaces, appset.Namespace)
+	}
+
+	collectedLabels = []string{"included/test"}
+)
+
+const fakeAppsetList = `
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: test1
+  namespace: argocd
+  labels:
+    included/test: test
+    not-included.label/test: test
+spec:
+  generators:
+  - git:
+      directories:
+      - path: test/*
+      repoURL: https://github.com/test/test.git
+      revision: HEAD
+  template:
+    metadata:
+      name: '{{.path.basename}}'
+    spec:
+      destination:
+        namespace: '{{.path.basename}}'
+        server: https://kubernetes.default.svc
+      project: default
+      source:
+        path: '{{.path.path}}'
+        repoURL: https://github.com/test/test.git
+        targetRevision: HEAD
+status:
+  resources:
+  - group: argoproj.io
+    health:
+      status: Missing
+    kind: Application
+    name: test-app1
+    namespace: argocd
+    status: OutOfSync
+    version: v1alpha1
+  - group: argoproj.io
+    health:
+      status: Missing
+    kind: Application
+    name: test-app2
+    namespace: argocd
+    status: OutOfSync
+    version: v1alpha1
+  conditions:
+  - lastTransitionTime: "2024-01-01T00:00:00Z"
+    message: Successfully generated parameters for all Applications
+    reason: ApplicationSetUpToDate
+    status: "False"
+    type: ErrorOccurred
+  - lastTransitionTime: "2024-01-01T00:00:00Z"
+    message: Successfully generated parameters for all Applications
+    reason: ParametersGenerated
+    status: "True"
+    type: ParametersGenerated
+  - lastTransitionTime: "2024-01-01T00:00:00Z"
+    message: ApplicationSet up to date
+    reason: ApplicationSetUpToDate
+    status: "True"
+    type: ResourcesUpToDate
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: test2
+  namespace: argocd
+  labels:
+    not-included.label/test: test
+spec:
+  generators:
+  - git:
+      directories:
+      - path: test/*
+      repoURL: https://github.com/test/test.git
+      revision: HEAD
+  template:
+    metadata:
+      name: '{{.path.basename}}'
+    spec:
+      destination:
+        namespace: '{{.path.basename}}'
+        server: https://kubernetes.default.svc
+      project: default
+      source:
+        path: '{{.path.path}}'
+        repoURL: https://github.com/test/test.git
+        targetRevision: HEAD
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: should-be-filtered-out
+  namespace: not-allowed
+spec:
+  generators:
+  - git:
+      directories:
+      - path: test/*
+      repoURL: https://github.com/test/test.git
+      revision: HEAD
+  template:
+    metadata:
+      name: '{{.path.basename}}'
+    spec:
+      destination:
+        namespace: '{{.path.basename}}'
+        server: https://kubernetes.default.svc
+      project: default
+      source:
+        path: '{{.path.path}}'
+        repoURL: https://github.com/test/test.git
+        targetRevision: HEAD
+`
+
+func newFakeAppsets(fakeAppsetYAML string) []argoappv1.ApplicationSet {
+	var results []argoappv1.ApplicationSet
+
+	appsetRawYamls := strings.Split(fakeAppsetYAML, "---")
+
+	for _, appsetRawYaml := range appsetRawYamls {
+		var appset argoappv1.ApplicationSet
+		err := yaml.Unmarshal([]byte(appsetRawYaml), &appset)
+		if err != nil {
+			panic(err)
+		}
+
+		results = append(results, appset)
+	}
+
+	return results
+}
+
+func TestApplicationsetCollector(t *testing.T) {
+	appsetList := newFakeAppsets(fakeAppsetList)
+	client := initializeClient(appsetList)
+	metrics.Registry = prometheus.NewRegistry()
+
+	appsetCollector := newAppsetCollector(utils.NewAppsetLister(client), collectedLabels, filter)
+
+	metrics.Registry.MustRegister(appsetCollector)
+	req, err := http.NewRequest("GET", "/metrics", nil)
+	require.NoError(t, err)
+	rr := httptest.NewRecorder()
+	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
+	handler.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+	// Test correct appset_info and owned applications
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_info{name="test1",namespace="argocd",resource_update_status="ApplicationSetUpToDate"} 1
+`)
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_owned_applications{name="test1",namespace="argocd"} 2
+`)
+	// Test labels collection - should not include labels not included in the list of collected labels and include the ones that do.
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_labels{label_included_test="test",name="test1",namespace="argocd"} 1
+`)
+	assert.NotContains(t, rr.Body.String(), normalizeLabel("not-included.label/test"))
+	// If collected label is not present on the applicationset the value should be empty
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_labels{label_included_test="",name="test2",namespace="argocd"} 1
+`)
+	// If ResourcesUpToDate condition is not present on the applicationset the status should be reported as 'Unknown'
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_info{name="test2",namespace="argocd",resource_update_status="Unknown"} 1
+`)
+	// If there are no resources on the applicationset the owned application gague should return 0
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_owned_applications{name="test2",namespace="argocd"} 0
+`)
+	// Test that filter is working
+	assert.NotContains(t, rr.Body.String(), `name="should-be-filtered-out"`)
+}
+
+func TestObserveReconcile(t *testing.T) {
+	appsetList := newFakeAppsets(fakeAppsetList)
+	client := initializeClient(appsetList)
+	metrics.Registry = prometheus.NewRegistry()
+
+	appsetMetrics := NewApplicationsetMetrics(utils.NewAppsetLister(client), collectedLabels, filter)
+
+	req, err := http.NewRequest("GET", "/metrics", nil)
+	require.NoError(t, err)
+	rr := httptest.NewRecorder()
+	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
+	appsetMetrics.ObserveReconcile(&appsetList[0], 5*time.Second)
+	handler.ServeHTTP(rr, req)
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_reconcile_sum{name="test1",namespace="argocd"} 5
+`)
+	// If there are no resources on the applicationset the owned application gague should return 0
+	assert.Contains(t, rr.Body.String(), `
+argocd_appset_reconcile_count{name="test1",namespace="argocd"} 1
+`)
+}
+
+func initializeClient(appsets []argoappv1.ApplicationSet) ctrlclient.WithWatch {
+	scheme := runtime.NewScheme()
+	err := argoappv1.AddToScheme(scheme)
+	if err != nil {
+		panic(err)
+	}
+
+	var clientObjects []ctrlclient.Object
+
+	for _, appset := range appsets {
+		clientObjects = append(clientObjects, appset.DeepCopy())
+	}
+
+	return fake.NewClientBuilder().WithScheme(scheme).WithObjects(clientObjects...).Build()
+}
+
+func normalizeLabel(label string) string {
+	return metricsutil.NormalizeLabels("label", []string{label})[0]
+}
--- a/applicationset/services/internal/github_app/client.go
+++ b/applicationset/services/internal/github_app/client.go
@@ -5,7 +5,7 @@ import (
 	"net/http"

 	"github.com/bradleyfalzon/ghinstallation/v2"
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v63/github"

 	"github.com/argoproj/argo-cd/v2/applicationset/services/github_app_auth"
 )
@@ -26,7 +26,7 @@ func Client(g github_app_auth.Authentication, url string) (*github.Client, error
 	} else {
 		rt.BaseURL = url
 		httpClient := http.Client{Transport: rt}
-		client, err = github.NewEnterpriseClient(url, url, &httpClient)
+		client, err = github.NewClient(&httpClient).WithEnterpriseURLs(url, url)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create github enterprise client: %w", err)
 		}
--- a/applicationset/services/mocks/Repos.go
+++ b/applicationset/services/mocks/Repos.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.40.2. DO NOT EDIT.
+// Code generated by mockery v2.43.2. DO NOT EDIT.

 package mocks

--- a/applicationset/services/pull_request/azure_devops.go
+++ b/applicationset/services/pull_request/azure_devops.go
@@ -95,9 +95,11 @@ func (a *AzureDevOpsService) List(ctx context.Context) ([]*PullRequest, error) {
 		if *pr.Repository.Name == a.repo {
 			pullRequests = append(pullRequests, &PullRequest{
 				Number:  *pr.PullRequestId,
+				Title:   *pr.Title,
 				Branch:  strings.Replace(*pr.SourceRefName, "refs/heads/", "", 1),
 				HeadSHA: *pr.LastMergeSourceCommit.CommitId,
 				Labels:  azureDevOpsLabels,
+				Author:  strings.Split(*pr.CreatedBy.UniqueName, "@")[0], // Get the part before the @ in the email-address
 			})
 		}
 	}
--- a/applicationset/services/pull_request/azure_devops_test.go
+++ b/applicationset/services/pull_request/azure_devops_test.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"testing"

+	"github.com/microsoft/azure-devops-go-api/azuredevops/webapi"
+
 	"github.com/microsoft/azure-devops-go-api/azuredevops/core"
 	git "github.com/microsoft/azure-devops-go-api/azuredevops/git"
 	"github.com/stretchr/testify/assert"
@@ -29,6 +31,10 @@ func createLabelsPtr(x []core.WebApiTagDefinition) *[]core.WebApiTagDefinition {
 	return &x
 }

+func createUniqueNamePtr(x string) *string {
+	return &x
+}
+
 type AzureClientFactoryMock struct {
 	mock *mock.Mock
 }
@@ -56,12 +62,15 @@ func TestListPullRequest(t *testing.T) {
 	teamProject := "myorg_project"
 	repoName := "myorg_project_repo"
 	pr_id := 123
+	pr_title := "feat(123)"
 	pr_head_sha := "cd4973d9d14a08ffe6b641a89a68891d6aac8056"
 	ctx := context.Background()
+	uniqueName := "testName"

 	pullRequestMock := []git.GitPullRequest{
 		{
 			PullRequestId: createIntPtr(pr_id),
+			Title:         createStringPtr(pr_title),
 			SourceRefName: createStringPtr("refs/heads/feature-branch"),
 			LastMergeSourceCommit: &git.GitCommitRef{
 				CommitId: createStringPtr(pr_head_sha),
@@ -70,6 +79,9 @@ func TestListPullRequest(t *testing.T) {
 			Repository: &git.GitRepository{
 				Name: createStringPtr(repoName),
 			},
+			CreatedBy: &webapi.IdentityRef{
+				UniqueName: createUniqueNamePtr(uniqueName + "@example.com"),
+			},
 		},
 	}

@@ -95,7 +107,9 @@ func TestListPullRequest(t *testing.T) {
 	assert.Len(t, list, 1)
 	assert.Equal(t, "feature-branch", list[0].Branch)
 	assert.Equal(t, pr_head_sha, list[0].HeadSHA)
+	assert.Equal(t, "feat(123)", list[0].Title)
 	assert.Equal(t, pr_id, list[0].Number)
+	assert.Equal(t, uniqueName, list[0].Author)
 }

 func TestConvertLabes(t *testing.T) {
--- a/applicationset/services/pull_request/bitbucket_cloud.go
+++ b/applicationset/services/pull_request/bitbucket_cloud.go
@@ -17,7 +17,9 @@ type BitbucketCloudService struct {

 type BitbucketCloudPullRequest struct {
 	ID     int                             `json:"id"`
+	Title  string                          `json:"title"`
 	Source BitbucketCloudPullRequestSource `json:"source"`
+	Author BitbucketCloudPullRequestAuthor `json:"author"`
 }

 type BitbucketCloudPullRequestSource struct {
@@ -33,6 +35,11 @@ type BitbucketCloudPullRequestSourceCommit struct {
 	Hash string `json:"hash"`
 }

+// Also have display_name and uuid, but don't plan to use them.
+type BitbucketCloudPullRequestAuthor struct {
+	Nickname string `json:"nickname"`
+}
+
 type PullRequestResponse struct {
 	Page     int32         `json:"page"`
 	Size     int32         `json:"size"`
@@ -129,8 +136,10 @@ func (b *BitbucketCloudService) List(_ context.Context) ([]*PullRequest, error)
 	for _, pull := range pulls {
 		pullRequests = append(pullRequests, &PullRequest{
 			Number:  pull.ID,
+			Title:   pull.Title,
 			Branch:  pull.Source.Branch.Name,
 			HeadSHA: pull.Source.Commit.Hash,
+			Author:  pull.Author.Nickname,
 		})
 	}

--- a/applicationset/services/pull_request/bitbucket_cloud_test.go
+++ b/applicationset/services/pull_request/bitbucket_cloud_test.go
@@ -27,6 +27,7 @@ func defaultHandlerCloud(t *testing.T) func(http.ResponseWriter, *http.Request)
 					"values": [
 						{
 							"id": 101,
+							"title": "feat(foo-bar)",
 							"source": {
 								"branch": {
 									"name": "feature/foo-bar"
@@ -35,6 +36,9 @@ func defaultHandlerCloud(t *testing.T) func(http.ResponseWriter, *http.Request)
 									"type": "commit",
 									"hash": "1a8dd249c04a"
 								}
+							},
+							"author": {
+								"nickname": "testName"
 							}
 						}
 					]
@@ -86,8 +90,10 @@ func TestListPullRequestBearerTokenCloud(t *testing.T) {
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
+	assert.Equal(t, "testName", pullRequests[0].Author)
 }

 func TestListPullRequestNoAuthCloud(t *testing.T) {
@@ -102,8 +108,10 @@ func TestListPullRequestNoAuthCloud(t *testing.T) {
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
+	assert.Equal(t, "testName", pullRequests[0].Author)
 }

 func TestListPullRequestBasicAuthCloud(t *testing.T) {
@@ -118,8 +126,10 @@ func TestListPullRequestBasicAuthCloud(t *testing.T) {
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
+	assert.Equal(t, "testName", pullRequests[0].Author)
 }

 func TestListPullRequestPaginationCloud(t *testing.T) {
@@ -136,6 +146,7 @@ func TestListPullRequestPaginationCloud(t *testing.T) {
 				"values": [
 					{
 						"id": 101,
+						"title": "feat(101)",
 						"source": {
 							"branch": {
 								"name": "feature-101"
@@ -144,10 +155,14 @@ func TestListPullRequestPaginationCloud(t *testing.T) {
 								"type": "commit",
 								"hash": "1a8dd249c04a"
 							}
+						},
+						"author": {
+							"nickname": "testName"
 						}
 					},
 					{
 						"id": 102,
+						"title": "feat(102)",
 						"source": {
 							"branch": {
 								"name": "feature-102"
@@ -156,6 +171,9 @@ func TestListPullRequestPaginationCloud(t *testing.T) {
 								"type": "commit",
 								"hash": "4cf807e67a6d"
 							}
+						},
+						"author": {
+							"nickname": "testName"
 						}
 					}
 				]
@@ -169,6 +187,7 @@ func TestListPullRequestPaginationCloud(t *testing.T) {
 				"values": [
 					{
 						"id": 103,
+						"title": "feat(103)",
 						"source": {
 							"branch": {
 								"name": "feature-103"
@@ -177,6 +196,9 @@ func TestListPullRequestPaginationCloud(t *testing.T) {
 								"type": "commit",
 								"hash": "6344d9623e3b"
 							}
+						},
+						"author": {
+							"nickname": "testName"
 						}
 					}
 				]
@@ -196,18 +218,24 @@ func TestListPullRequestPaginationCloud(t *testing.T) {
 	assert.Len(t, pullRequests, 3)
 	assert.Equal(t, PullRequest{
 		Number:  101,
+		Title:   "feat(101)",
 		Branch:  "feature-101",
 		HeadSHA: "1a8dd249c04a",
+		Author:  "testName",
 	}, *pullRequests[0])
 	assert.Equal(t, PullRequest{
 		Number:  102,
+		Title:   "feat(102)",
 		Branch:  "feature-102",
 		HeadSHA: "4cf807e67a6d",
+		Author:  "testName",
 	}, *pullRequests[1])
 	assert.Equal(t, PullRequest{
 		Number:  103,
+		Title:   "feat(103)",
 		Branch:  "feature-103",
 		HeadSHA: "6344d9623e3b",
+		Author:  "testName",
 	}, *pullRequests[2])
 }

@@ -309,6 +337,7 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 				"values": [
 					{
 						"id": 101,
+						"title": "feat(101)",
 						"source": {
 							"branch": {
 								"name": "feature-101"
@@ -317,10 +346,14 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 								"type": "commit",
 								"hash": "1a8dd249c04a"
 							}
+						},
+						"author": {
+							"nickname": "testName"
 						}
 					},
 					{
 						"id": 200,
+						"title": "feat(200)",
 						"source": {
 							"branch": {
 								"name": "feature-200"
@@ -329,6 +362,9 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 								"type": "commit",
 								"hash": "4cf807e67a6d"
 							}
+						},
+						"author": {
+							"nickname": "testName"
 						}
 					}
 				]
@@ -342,6 +378,7 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 				"values": [
 					{
 						"id": 102,
+						"title": "feat(102)",
 						"source": {
 							"branch": {
 								"name": "feature-102"
@@ -350,6 +387,9 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 								"type": "commit",
 								"hash": "6344d9623e3b"
 							}
+						},
+						"author": {
+							"nickname": "testName"
 						}
 					}
 				]
@@ -374,13 +414,17 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 	assert.Len(t, pullRequests, 2)
 	assert.Equal(t, PullRequest{
 		Number:  101,
+		Title:   "feat(101)",
 		Branch:  "feature-101",
 		HeadSHA: "1a8dd249c04a",
+		Author:  "testName",
 	}, *pullRequests[0])
 	assert.Equal(t, PullRequest{
 		Number:  102,
+		Title:   "feat(102)",
 		Branch:  "feature-102",
 		HeadSHA: "6344d9623e3b",
+		Author:  "testName",
 	}, *pullRequests[1])

 	regexp = `.*2$`
@@ -395,8 +439,10 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, PullRequest{
 		Number:  102,
+		Title:   "feat(102)",
 		Branch:  "feature-102",
 		HeadSHA: "6344d9623e3b",
+		Author:  "testName",
 	}, *pullRequests[0])

 	regexp = `[\d{2}`
--- a/applicationset/services/pull_request/bitbucket_server.go
+++ b/applicationset/services/pull_request/bitbucket_server.go
@@ -3,6 +3,7 @@ package pull_request
 import (
 	"context"
 	"fmt"
+	"net/http"

 	bitbucketv1 "github.com/gfleury/go-bitbucket-v1"
 	log "github.com/sirupsen/logrus"
@@ -20,7 +21,7 @@ type BitbucketService struct {

 var _ PullRequestService = (*BitbucketService)(nil)

-func NewBitbucketServiceBasicAuth(ctx context.Context, username, password, url, projectKey, repositorySlug string) (PullRequestService, error) {
+func NewBitbucketServiceBasicAuth(ctx context.Context, username, password, url, projectKey, repositorySlug string, scmRootCAPath string, insecure bool, caCerts []byte) (PullRequestService, error) {
 	bitbucketConfig := bitbucketv1.NewConfiguration(url)
 	// Avoid the XSRF check
 	bitbucketConfig.AddDefaultHeader("x-atlassian-token", "no-check")
@@ -30,15 +31,29 @@ func NewBitbucketServiceBasicAuth(ctx context.Context, username, password, url,
 		UserName: username,
 		Password: password,
 	})
-	return newBitbucketService(ctx, bitbucketConfig, projectKey, repositorySlug)
+	return newBitbucketService(ctx, bitbucketConfig, projectKey, repositorySlug, scmRootCAPath, insecure, caCerts)
 }

-func NewBitbucketServiceNoAuth(ctx context.Context, url, projectKey, repositorySlug string) (PullRequestService, error) {
-	return newBitbucketService(ctx, bitbucketv1.NewConfiguration(url), projectKey, repositorySlug)
+func NewBitbucketServiceBearerToken(ctx context.Context, bearerToken, url, projectKey, repositorySlug string, scmRootCAPath string, insecure bool, caCerts []byte) (PullRequestService, error) {
+	bitbucketConfig := bitbucketv1.NewConfiguration(url)
+	// Avoid the XSRF check
+	bitbucketConfig.AddDefaultHeader("x-atlassian-token", "no-check")
+	bitbucketConfig.AddDefaultHeader("x-requested-with", "XMLHttpRequest")
+
+	ctx = context.WithValue(ctx, bitbucketv1.ContextAccessToken, bearerToken)
+	return newBitbucketService(ctx, bitbucketConfig, projectKey, repositorySlug, scmRootCAPath, insecure, caCerts)
 }

-func newBitbucketService(ctx context.Context, bitbucketConfig *bitbucketv1.Configuration, projectKey, repositorySlug string) (PullRequestService, error) {
+func NewBitbucketServiceNoAuth(ctx context.Context, url, projectKey, repositorySlug string, scmRootCAPath string, insecure bool, caCerts []byte) (PullRequestService, error) {
+	return newBitbucketService(ctx, bitbucketv1.NewConfiguration(url), projectKey, repositorySlug, scmRootCAPath, insecure, caCerts)
+}
+
+func newBitbucketService(ctx context.Context, bitbucketConfig *bitbucketv1.Configuration, projectKey, repositorySlug string, scmRootCAPath string, insecure bool, caCerts []byte) (PullRequestService, error) {
 	bitbucketConfig.BasePath = utils.NormalizeBitbucketBasePath(bitbucketConfig.BasePath)
+	tlsConfig := utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
+	bitbucketConfig.HTTPClient = &http.Client{Transport: &http.Transport{
+		TLSClientConfig: tlsConfig,
+	}}
 	bitbucketClient := bitbucketv1.NewAPIClient(ctx, bitbucketConfig)

 	return &BitbucketService{
@@ -68,10 +83,12 @@ func (b *BitbucketService) List(_ context.Context) ([]*PullRequest, error) {
 		for _, pull := range pulls {
 			pullRequests = append(pullRequests, &PullRequest{
 				Number:       pull.ID,
+				Title:        pull.Title,
 				Branch:       pull.FromRef.DisplayID, // ID: refs/heads/main DisplayID: main
 				TargetBranch: pull.ToRef.DisplayID,
 				HeadSHA:      pull.FromRef.LatestCommit, // This is not defined in the official docs, but works in practice
 				Labels:       []string{},                // Not supported by library
+				Author:       pull.Author.User.Name,
 			})
 		}

--- a/applicationset/services/pull_request/bitbucket_server_test.go
+++ b/applicationset/services/pull_request/bitbucket_server_test.go
@@ -2,6 +2,8 @@ package pull_request

 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -26,6 +28,7 @@ func defaultHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 					"values": [
 						{
 							"id": 101,
+							"title": "feat(ABC) : 123",
 							"toRef": {
 								"latestCommit": "5b766e3564a3453808f3cd3dd3f2e5fad8ef0e7a",
 								"displayId": "master",
@@ -35,6 +38,11 @@ func defaultHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 								"id": "refs/heads/feature-ABC-123",
 								"displayId": "feature-ABC-123",
 								"latestCommit": "cb3cf2e4d1517c83e720d2585b9402dbef71f992"
+							},
+							"author": {
+								"user": {
+									"name": "testName"
+								}
 							}
 						}
 					],
@@ -55,15 +63,17 @@ func TestListPullRequestNoAuth(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
+	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO", "", false, nil)
 	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, "feat(ABC) : 123", pullRequests[0].Title)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "master", pullRequests[0].TargetBranch)
 	assert.Equal(t, "cb3cf2e4d1517c83e720d2585b9402dbef71f992", pullRequests[0].HeadSHA)
+	assert.Equal(t, "testName", pullRequests[0].Author)
 }

 func TestListPullRequestPagination(t *testing.T) {
@@ -79,6 +89,7 @@ func TestListPullRequestPagination(t *testing.T) {
 					"values": [
 						{
 							"id": 101,
+							"title": "feat(101)",
 							"toRef": {
 								"latestCommit": "5b766e3564a3453808f3cd3dd3f2e5fad8ef0e7a",
 								"displayId": "master",
@@ -88,10 +99,16 @@ func TestListPullRequestPagination(t *testing.T) {
 								"id": "refs/heads/feature-101",
 								"displayId": "feature-101",
 								"latestCommit": "ab3cf2e4d1517c83e720d2585b9402dbef71f992"
+							},
+							"author": {
+								"user": {
+									"name": "testName"
+								}
 							}
 						},
 						{
 							"id": 102,
+							"title": "feat(102)",
 							"toRef": {
 								"latestCommit": "5b766e3564a3453808f3cd3dd3f2e5fad8ef0e7a",
 								"displayId": "branch",
@@ -101,6 +118,11 @@ func TestListPullRequestPagination(t *testing.T) {
 								"id": "refs/heads/feature-102",
 								"displayId": "feature-102",
 								"latestCommit": "bb3cf2e4d1517c83e720d2585b9402dbef71f992"
+							},
+							"author": {
+								"user": {
+									"name": "testName"
+								}
 							}
 						}
 					],
@@ -114,6 +136,7 @@ func TestListPullRequestPagination(t *testing.T) {
 				"values": [
 					{
 						"id": 200,
+						"title": "feat(200)",
 						"toRef": {
 							"latestCommit": "5b766e3564a3453808f3cd3dd3f2e5fad8ef0e7a",
 							"displayId": "master",
@@ -123,6 +146,11 @@ func TestListPullRequestPagination(t *testing.T) {
 							"id": "refs/heads/feature-200",
 							"displayId": "feature-200",
 							"latestCommit": "cb3cf2e4d1517c83e720d2585b9402dbef71f992"
+						},
+						"author": {
+							"user": {
+								"name": "testName"
+							}
 						}
 					}
 				],
@@ -136,31 +164,37 @@ func TestListPullRequestPagination(t *testing.T) {
 		}
 	}))
 	defer ts.Close()
-	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
+	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO", "", false, nil)
 	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 3)
 	assert.Equal(t, PullRequest{
 		Number:       101,
+		Title:        "feat(101)",
 		Branch:       "feature-101",
 		TargetBranch: "master",
 		HeadSHA:      "ab3cf2e4d1517c83e720d2585b9402dbef71f992",
 		Labels:       []string{},
+		Author:       "testName",
 	}, *pullRequests[0])
 	assert.Equal(t, PullRequest{
 		Number:       102,
+		Title:        "feat(102)",
 		Branch:       "feature-102",
 		TargetBranch: "branch",
 		HeadSHA:      "bb3cf2e4d1517c83e720d2585b9402dbef71f992",
 		Labels:       []string{},
+		Author:       "testName",
 	}, *pullRequests[1])
 	assert.Equal(t, PullRequest{
 		Number:       200,
+		Title:        "feat(200)",
 		Branch:       "feature-200",
 		TargetBranch: "master",
 		HeadSHA:      "cb3cf2e4d1517c83e720d2585b9402dbef71f992",
 		Labels:       []string{},
+		Author:       "testName",
 	}, *pullRequests[2])
 }

@@ -172,7 +206,7 @@ func TestListPullRequestBasicAuth(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	svc, err := NewBitbucketServiceBasicAuth(context.Background(), "user", "password", ts.URL, "PROJECT", "REPO")
+	svc, err := NewBitbucketServiceBasicAuth(context.Background(), "user", "password", ts.URL, "PROJECT", "REPO", "", false, nil)
 	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
@@ -182,12 +216,97 @@ func TestListPullRequestBasicAuth(t *testing.T) {
 	assert.Equal(t, "cb3cf2e4d1517c83e720d2585b9402dbef71f992", pullRequests[0].HeadSHA)
 }

+func TestListPullRequestBearerAuth(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, "Bearer tolkien", r.Header.Get("Authorization"))
+		assert.Equal(t, "no-check", r.Header.Get("X-Atlassian-Token"))
+		defaultHandler(t)(w, r)
+	}))
+	defer ts.Close()
+	svc, err := NewBitbucketServiceBearerToken(context.Background(), "tolkien", ts.URL, "PROJECT", "REPO", "", false, nil)
+	require.NoError(t, err)
+	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
+	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, "feat(ABC) : 123", pullRequests[0].Title)
+	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
+	assert.Equal(t, "cb3cf2e4d1517c83e720d2585b9402dbef71f992", pullRequests[0].HeadSHA)
+}
+
+func TestListPullRequestTLS(t *testing.T) {
+	tests := []struct {
+		name        string
+		tlsInsecure bool
+		passCerts   bool
+		requireErr  bool
+	}{
+		{
+			name:        "TLS Insecure: true, No Certs",
+			tlsInsecure: true,
+			passCerts:   false,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: true, With Certs",
+			tlsInsecure: true,
+			passCerts:   true,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: false, With Certs",
+			tlsInsecure: false,
+			passCerts:   true,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: false, No Certs",
+			tlsInsecure: false,
+			passCerts:   false,
+			requireErr:  true,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				defaultHandler(t)(w, r)
+			}))
+			defer ts.Close()
+
+			var certs []byte
+			if test.passCerts == true {
+				for _, cert := range ts.TLS.Certificates {
+					for _, c := range cert.Certificate {
+						parsedCert, err := x509.ParseCertificate(c)
+						require.NoError(t, err, "Failed to parse certificate")
+						certs = append(certs, pem.EncodeToMemory(&pem.Block{
+							Type:  "CERTIFICATE",
+							Bytes: parsedCert.Raw,
+						})...)
+					}
+				}
+			}
+
+			svc, err := NewBitbucketServiceBasicAuth(context.Background(), "user", "password", ts.URL, "PROJECT", "REPO", "", test.tlsInsecure, certs)
+			require.NoError(t, err)
+			_, err = ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
+			if test.requireErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
 func TestListResponseError(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusInternalServerError)
 	}))
 	defer ts.Close()
-	svc, _ := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
+	svc, _ := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO", "", false, nil)
 	_, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.Error(t, err)
 }
@@ -212,7 +331,7 @@ func TestListResponseMalformed(t *testing.T) {
 		}
 	}))
 	defer ts.Close()
-	svc, _ := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
+	svc, _ := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO", "", false, nil)
 	_, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.Error(t, err)
 }
@@ -237,7 +356,7 @@ func TestListResponseEmpty(t *testing.T) {
 		}
 	}))
 	defer ts.Close()
-	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
+	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO", "", false, nil)
 	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
@@ -257,6 +376,7 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 					"values": [
 						{
 							"id": 101,
+							"title": "feat(101)",
 							"toRef": {
 								"latestCommit": "5b766e3564a3453808f3cd3dd3f2e5fad8ef0e7a",
 								"displayId": "master",
@@ -266,10 +386,16 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 								"id": "refs/heads/feature-101",
 								"displayId": "feature-101",
 								"latestCommit": "ab3cf2e4d1517c83e720d2585b9402dbef71f992"
+							},
+							"author": {
+								"user": {
+									"name": "testName"
+								}
 							}
 						},
 						{
 							"id": 102,
+							"title": "feat(102)",
 							"toRef": {
 								"latestCommit": "5b766e3564a3453808f3cd3dd3f2e5fad8ef0e7a",
 								"displayId": "branch",
@@ -279,6 +405,11 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 								"id": "refs/heads/feature-102",
 								"displayId": "feature-102",
 								"latestCommit": "bb3cf2e4d1517c83e720d2585b9402dbef71f992"
+							},
+							"author": {
+								"user": {
+									"name": "testName"
+								}
 							}
 						}
 					],
@@ -292,6 +423,7 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 				"values": [
 					{
 						"id": 200,
+						"title": "feat(200)",
 						"toRef": {
 							"latestCommit": "5b766e3564a3453808f3cd3dd3f2e5fad8ef0e7a",
 							"displayId": "master",
@@ -301,6 +433,11 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 							"id": "refs/heads/feature-200",
 							"displayId": "feature-200",
 							"latestCommit": "cb3cf2e4d1517c83e720d2585b9402dbef71f992"
+						},
+						"author": {
+							"user": {
+								"name": "testName"
+							}
 						}
 					}
 				],
@@ -315,7 +452,7 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 	}))
 	defer ts.Close()
 	regexp := `feature-1[\d]{2}`
-	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
+	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO", "", false, nil)
 	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
@@ -326,21 +463,25 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 	assert.Len(t, pullRequests, 2)
 	assert.Equal(t, PullRequest{
 		Number:       101,
+		Title:        "feat(101)",
 		Branch:       "feature-101",
 		TargetBranch: "master",
 		HeadSHA:      "ab3cf2e4d1517c83e720d2585b9402dbef71f992",
 		Labels:       []string{},
+		Author:       "testName",
 	}, *pullRequests[0])
 	assert.Equal(t, PullRequest{
 		Number:       102,
+		Title:        "feat(102)",
 		Branch:       "feature-102",
 		TargetBranch: "branch",
 		HeadSHA:      "bb3cf2e4d1517c83e720d2585b9402dbef71f992",
 		Labels:       []string{},
+		Author:       "testName",
 	}, *pullRequests[1])

 	regexp = `.*2$`
-	svc, err = NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
+	svc, err = NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO", "", false, nil)
 	require.NoError(t, err)
 	pullRequests, err = ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
@@ -351,14 +492,16 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, PullRequest{
 		Number:       102,
+		Title:        "feat(102)",
 		Branch:       "feature-102",
 		TargetBranch: "branch",
 		HeadSHA:      "bb3cf2e4d1517c83e720d2585b9402dbef71f992",
 		Labels:       []string{},
+		Author:       "testName",
 	}, *pullRequests[0])

 	regexp = `[\d{2}`
-	svc, err = NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
+	svc, err = NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO", "", false, nil)
 	require.NoError(t, err)
 	_, err = ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
--- a/applicationset/services/pull_request/gitea.go
+++ b/applicationset/services/pull_request/gitea.go
@@ -57,10 +57,12 @@ func (g *GiteaService) List(ctx context.Context) ([]*PullRequest, error) {
 	for _, pr := range prs {
 		list = append(list, &PullRequest{
 			Number:       int(pr.Index),
+			Title:        pr.Title,
 			Branch:       pr.Head.Ref,
 			TargetBranch: pr.Base.Ref,
 			HeadSHA:      pr.Head.Sha,
 			Labels:       getGiteaPRLabelNames(pr.Labels),
+			Author:       pr.Poster.UserName,
 		})
 	}
 	return list, nil
--- a/applicationset/services/pull_request/gitea_test.go
+++ b/applicationset/services/pull_request/gitea_test.go
@@ -256,9 +256,11 @@ func TestGiteaList(t *testing.T) {
 	require.NoError(t, err)
 	assert.Len(t, prs, 1)
 	assert.Equal(t, 1, prs[0].Number)
+	assert.Equal(t, "add an empty file", prs[0].Title)
 	assert.Equal(t, "test", prs[0].Branch)
 	assert.Equal(t, "main", prs[0].TargetBranch)
 	assert.Equal(t, "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f", prs[0].HeadSHA)
+	assert.Equal(t, "graytshirt", prs[0].Author)
 }

 func TestGetGiteaPRLabelNames(t *testing.T) {
--- a/applicationset/services/pull_request/github.go
+++ b/applicationset/services/pull_request/github.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"

-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v63/github"
 	"golang.org/x/oauth2"
 )

@@ -35,7 +35,7 @@ func NewGithubService(ctx context.Context, token, url, owner, repo string, label
 		client = github.NewClient(httpClient)
 	} else {
 		var err error
-		client, err = github.NewEnterpriseClient(url, url, httpClient)
+		client, err = github.NewClient(httpClient).WithEnterpriseURLs(url, url)
 		if err != nil {
 			return nil, err
 		}
@@ -66,10 +66,12 @@ func (g *GithubService) List(ctx context.Context) ([]*PullRequest, error) {
 			}
 			pullRequests = append(pullRequests, &PullRequest{
 				Number:       *pull.Number,
+				Title:        *pull.Title,
 				Branch:       *pull.Head.Ref,
 				TargetBranch: *pull.Base.Ref,
 				HeadSHA:      *pull.Head.SHA,
 				Labels:       getGithubPRLabelNames(pull.Labels),
+				Author:       *pull.User.Login,
 			})
 		}
 		if resp.NextPage == 0 {
--- a/applicationset/services/pull_request/github_test.go
+++ b/applicationset/services/pull_request/github_test.go
@@ -3,7 +3,7 @@ package pull_request
 import (
 	"testing"

-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v63/github"
 	"github.com/stretchr/testify/assert"
 )

--- a/applicationset/services/pull_request/gitlab.go
+++ b/applicationset/services/pull_request/gitlab.go
@@ -21,7 +21,7 @@ type GitLabService struct {

 var _ PullRequestService = (*GitLabService)(nil)

-func NewGitLabService(ctx context.Context, token, url, project string, labels []string, pullRequestState string, scmRootCAPath string, insecure bool) (PullRequestService, error) {
+func NewGitLabService(ctx context.Context, token, url, project string, labels []string, pullRequestState string, scmRootCAPath string, insecure bool, caCerts []byte) (PullRequestService, error) {
 	var clientOptionFns []gitlab.ClientOptionFunc

 	// Set a custom Gitlab base URL if one is provided
@@ -34,7 +34,7 @@ func NewGitLabService(ctx context.Context, token, url, project string, labels []
 	}

 	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.TLSClientConfig = utils.GetTlsConfig(scmRootCAPath, insecure)
+	tr.TLSClientConfig = utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)

 	retryClient := retryablehttp.NewClient()
 	retryClient.HTTPClient.Transport = tr
@@ -56,11 +56,11 @@ func NewGitLabService(ctx context.Context, token, url, project string, labels []

 func (g *GitLabService) List(ctx context.Context) ([]*PullRequest, error) {
 	// Filter the merge requests on labels, if they are specified.
-	var labels *gitlab.Labels
+	var labels *gitlab.LabelOptions
 	if len(g.labels) > 0 {
-		labels = (*gitlab.Labels)(&g.labels)
+		var labelsList gitlab.LabelOptions = g.labels
+		labels = &labelsList
 	}
-
 	opts := &gitlab.ListProjectMergeRequestsOptions{
 		ListOptions: gitlab.ListOptions{
 			PerPage: 100,
@@ -81,10 +81,12 @@ func (g *GitLabService) List(ctx context.Context) ([]*PullRequest, error) {
 		for _, mr := range mrs {
 			pullRequests = append(pullRequests, &PullRequest{
 				Number:       mr.IID,
+				Title:        mr.Title,
 				Branch:       mr.SourceBranch,
 				TargetBranch: mr.TargetBranch,
 				HeadSHA:      mr.SHA,
 				Labels:       mr.Labels,
+				Author:       mr.Author.Username,
 			})
 		}
 		if resp.NextPage == 0 {
--- a/applicationset/services/pull_request/gitlab_test.go
+++ b/applicationset/services/pull_request/gitlab_test.go
@@ -2,6 +2,8 @@ package pull_request

 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -35,7 +37,7 @@ func TestGitLabServiceCustomBaseURL(t *testing.T) {
 		writeMRListResponse(t, w)
 	})

-	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", nil, "", "", false)
+	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", nil, "", "", false, nil)
 	require.NoError(t, err)

 	_, err = svc.List(context.Background())
@@ -54,7 +56,7 @@ func TestGitLabServiceToken(t *testing.T) {
 		writeMRListResponse(t, w)
 	})

-	svc, err := NewGitLabService(context.Background(), "token-123", server.URL, "278964", nil, "", "", false)
+	svc, err := NewGitLabService(context.Background(), "token-123", server.URL, "278964", nil, "", "", false, nil)
 	require.NoError(t, err)

 	_, err = svc.List(context.Background())
@@ -73,16 +75,18 @@ func TestList(t *testing.T) {
 		writeMRListResponse(t, w)
 	})

-	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{}, "", "", false)
+	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{}, "", "", false, nil)
 	require.NoError(t, err)

 	prs, err := svc.List(context.Background())
 	require.NoError(t, err)
 	assert.Len(t, prs, 1)
 	assert.Equal(t, 15442, prs[0].Number)
+	assert.Equal(t, "Draft: Use structured logging for DB load balancer", prs[0].Title)
 	assert.Equal(t, "use-structured-logging-for-db-load-balancer", prs[0].Branch)
 	assert.Equal(t, "master", prs[0].TargetBranch)
 	assert.Equal(t, "2fc4e8b972ff3208ec63b6143e34ad67ff343ad7", prs[0].HeadSHA)
+	assert.Equal(t, "hfyngvason", prs[0].Author)
 }

 func TestListWithLabels(t *testing.T) {
@@ -97,7 +101,7 @@ func TestListWithLabels(t *testing.T) {
 		writeMRListResponse(t, w)
 	})

-	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{"feature", "ready"}, "", "", false)
+	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{"feature", "ready"}, "", "", false, nil)
 	require.NoError(t, err)

 	_, err = svc.List(context.Background())
@@ -116,9 +120,77 @@ func TestListWithState(t *testing.T) {
 		writeMRListResponse(t, w)
 	})

-	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{}, "opened", "", false)
+	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{}, "opened", "", false, nil)
 	require.NoError(t, err)

 	_, err = svc.List(context.Background())
 	require.NoError(t, err)
 }
+
+func TestListWithStateTLS(t *testing.T) {
+	tests := []struct {
+		name        string
+		tlsInsecure bool
+		passCerts   bool
+		requireErr  bool
+	}{
+		{
+			name:        "TLS Insecure: true, No Certs",
+			tlsInsecure: true,
+			passCerts:   false,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: true, With Certs",
+			tlsInsecure: true,
+			passCerts:   true,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: false, With Certs",
+			tlsInsecure: false,
+			passCerts:   true,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: false, No Certs",
+			tlsInsecure: false,
+			passCerts:   false,
+			requireErr:  true,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				writeMRListResponse(t, w)
+			}))
+			defer ts.Close()
+
+			var certs []byte
+			if test.passCerts == true {
+				for _, cert := range ts.TLS.Certificates {
+					for _, c := range cert.Certificate {
+						parsedCert, err := x509.ParseCertificate(c)
+						require.NoError(t, err, "Failed to parse certificate")
+						certs = append(certs, pem.EncodeToMemory(&pem.Block{
+							Type:  "CERTIFICATE",
+							Bytes: parsedCert.Raw,
+						})...)
+					}
+				}
+			}
+
+			svc, err := NewGitLabService(context.Background(), "", ts.URL, "278964", []string{}, "opened", "", test.tlsInsecure, certs)
+			require.NoError(t, err)
+
+			_, err = svc.List(context.Background())
+			if test.requireErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
--- a/applicationset/services/pull_request/interface.go
+++ b/applicationset/services/pull_request/interface.go
@@ -8,6 +8,8 @@ import (
 type PullRequest struct {
 	// Number is a number that will be the ID of the pull request.
 	Number int
+	// Title of the pull request.
+	Title string
 	// Branch is the name of the branch from which the pull request originated.
 	Branch string
 	// TargetBranch is the name of the target branch of the pull request.
@@ -16,6 +18,8 @@ type PullRequest struct {
 	HeadSHA string
 	// Labels of the pull request.
 	Labels []string
+	// Author is the author of the pull request.
+	Author string
 }

 type PullRequestService interface {
--- a/applicationset/services/pull_request/utils_test.go
+++ b/applicationset/services/pull_request/utils_test.go
@@ -20,9 +20,11 @@ func TestFilterBranchMatchBadRegexp(t *testing.T) {
 		[]*PullRequest{
 			{
 				Number:       1,
+				Title:        "PR branch1",
 				Branch:       "branch1",
 				TargetBranch: "master",
 				HeadSHA:      "089d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name1",
 			},
 		},
 		nil,
@@ -42,27 +44,35 @@ func TestFilterBranchMatch(t *testing.T) {
 		[]*PullRequest{
 			{
 				Number:       1,
+				Title:        "PR one",
 				Branch:       "one",
 				TargetBranch: "master",
 				HeadSHA:      "189d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name1",
 			},
 			{
 				Number:       2,
+				Title:        "PR two",
 				Branch:       "two",
 				TargetBranch: "master",
 				HeadSHA:      "289d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name2",
 			},
 			{
 				Number:       3,
+				Title:        "PR three",
 				Branch:       "three",
 				TargetBranch: "master",
 				HeadSHA:      "389d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name3",
 			},
 			{
 				Number:       4,
+				Title:        "PR four",
 				Branch:       "four",
 				TargetBranch: "master",
 				HeadSHA:      "489d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name4",
 			},
 		},
 		nil,
@@ -84,27 +94,35 @@ func TestFilterTargetBranchMatch(t *testing.T) {
 		[]*PullRequest{
 			{
 				Number:       1,
+				Title:        "PR one",
 				Branch:       "one",
 				TargetBranch: "master",
 				HeadSHA:      "189d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name1",
 			},
 			{
 				Number:       2,
+				Title:        "PR two",
 				Branch:       "two",
 				TargetBranch: "branch1",
 				HeadSHA:      "289d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name2",
 			},
 			{
 				Number:       3,
+				Title:        "PR three",
 				Branch:       "three",
 				TargetBranch: "branch2",
 				HeadSHA:      "389d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name3",
 			},
 			{
 				Number:       4,
+				Title:        "PR four",
 				Branch:       "four",
 				TargetBranch: "branch3",
 				HeadSHA:      "489d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name4",
 			},
 		},
 		nil,
@@ -126,27 +144,35 @@ func TestMultiFilterOr(t *testing.T) {
 		[]*PullRequest{
 			{
 				Number:       1,
+				Title:        "PR one",
 				Branch:       "one",
 				TargetBranch: "master",
 				HeadSHA:      "189d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name1",
 			},
 			{
 				Number:       2,
+				Title:        "PR two",
 				Branch:       "two",
 				TargetBranch: "master",
 				HeadSHA:      "289d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name2",
 			},
 			{
 				Number:       3,
+				Title:        "PR three",
 				Branch:       "three",
 				TargetBranch: "master",
 				HeadSHA:      "389d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name3",
 			},
 			{
 				Number:       4,
+				Title:        "PR four",
 				Branch:       "four",
 				TargetBranch: "master",
 				HeadSHA:      "489d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name4",
 			},
 		},
 		nil,
@@ -173,27 +199,35 @@ func TestMultiFilterOrWithTargetBranchFilter(t *testing.T) {
 		[]*PullRequest{
 			{
 				Number:       1,
+				Title:        "PR one",
 				Branch:       "one",
 				TargetBranch: "master",
 				HeadSHA:      "189d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name1",
 			},
 			{
 				Number:       2,
+				Title:        "PR two",
 				Branch:       "two",
 				TargetBranch: "branch1",
 				HeadSHA:      "289d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name2",
 			},
 			{
 				Number:       3,
+				Title:        "PR three",
 				Branch:       "three",
 				TargetBranch: "branch2",
 				HeadSHA:      "389d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name3",
 			},
 			{
 				Number:       4,
+				Title:        "PR four",
 				Branch:       "four",
 				TargetBranch: "branch3",
 				HeadSHA:      "489d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name4",
 			},
 		},
 		nil,
@@ -221,15 +255,19 @@ func TestNoFilters(t *testing.T) {
 		[]*PullRequest{
 			{
 				Number:       1,
+				Title:        "PR one",
 				Branch:       "one",
 				TargetBranch: "master",
 				HeadSHA:      "189d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name1",
 			},
 			{
 				Number:       2,
+				Title:        "PR two",
 				Branch:       "two",
 				TargetBranch: "master",
 				HeadSHA:      "289d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name2",
 			},
 		},
 		nil,
--- a/applicationset/services/repo_service.go
+++ b/applicationset/services/repo_service.go
@@ -18,8 +18,6 @@ type argoCDService struct {
 	newFileGlobbingEnabled bool
 }

-//go:generate go run github.com/vektra/mockery/v2@v2.40.2 --name=Repos
-
 type Repos interface {
 	// GetFiles returns content of files (not directories) within the target repo
 	GetFiles(ctx context.Context, repoURL string, revision string, pattern string, noRevisionCache, verifyCommit bool) (map[string][]byte, error)
--- a/applicationset/services/repo_service_test.go
+++ b/applicationset/services/repo_service_test.go
@@ -191,6 +191,6 @@ func TestNewArgoCDService(t *testing.T) {
 	service, err := NewArgoCDService(func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
 		return &v1alpha1.Repository{}, nil
 	}, false, &repo_mocks.Clientset{}, false)
-	require.NoError(t, err, err)
+	require.NoError(t, err)
 	assert.NotNil(t, service)
 }
--- a/applicationset/services/scm_provider/aws_codecommit/mocks/AWSCodeCommitClient.go
+++ b/applicationset/services/scm_provider/aws_codecommit/mocks/AWSCodeCommitClient.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.26.1. DO NOT EDIT.
+// Code generated by mockery v2.43.2. DO NOT EDIT.

 package mocks

@@ -17,14 +17,6 @@ type AWSCodeCommitClient struct {
 	mock.Mock
 }

-type AWSCodeCommitClient_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *AWSCodeCommitClient) EXPECT() *AWSCodeCommitClient_Expecter {
-	return &AWSCodeCommitClient_Expecter{mock: &_m.Mock}
-}
-
 // GetFolderWithContext provides a mock function with given fields: _a0, _a1, _a2
 func (_m *AWSCodeCommitClient) GetFolderWithContext(_a0 context.Context, _a1 *codecommit.GetFolderInput, _a2 ...request.Option) (*codecommit.GetFolderOutput, error) {
 	_va := make([]interface{}, len(_a2))
@@ -36,6 +28,10 @@ func (_m *AWSCodeCommitClient) GetFolderWithContext(_a0 context.Context, _a1 *co
 	_ca = append(_ca, _va...)
 	ret := _m.Called(_ca...)

+	if len(ret) == 0 {
+		panic("no return value specified for GetFolderWithContext")
+	}
+
 	var r0 *codecommit.GetFolderOutput
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *codecommit.GetFolderInput, ...request.Option) (*codecommit.GetFolderOutput, error)); ok {
@@ -58,43 +54,6 @@ func (_m *AWSCodeCommitClient) GetFolderWithContext(_a0 context.Context, _a1 *co
 	return r0, r1
 }

-// AWSCodeCommitClient_GetFolderWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetFolderWithContext'
-type AWSCodeCommitClient_GetFolderWithContext_Call struct {
-	*mock.Call
-}
-
-// GetFolderWithContext is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *codecommit.GetFolderInput
-//   - _a2 ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) GetFolderWithContext(_a0 interface{}, _a1 interface{}, _a2 ...interface{}) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	return &AWSCodeCommitClient_GetFolderWithContext_Call{Call: _e.mock.On("GetFolderWithContext",
-		append([]interface{}{_a0, _a1}, _a2...)...)}
-}
-
-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) Run(run func(_a0 context.Context, _a1 *codecommit.GetFolderInput, _a2 ...request.Option)) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		run(args[0].(context.Context), args[1].(*codecommit.GetFolderInput), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) Return(_a0 *codecommit.GetFolderOutput, _a1 error) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) RunAndReturn(run func(context.Context, *codecommit.GetFolderInput, ...request.Option) (*codecommit.GetFolderOutput, error)) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
 // GetRepositoryWithContext provides a mock function with given fields: _a0, _a1, _a2
 func (_m *AWSCodeCommitClient) GetRepositoryWithContext(_a0 context.Context, _a1 *codecommit.GetRepositoryInput, _a2 ...request.Option) (*codecommit.GetRepositoryOutput, error) {
 	_va := make([]interface{}, len(_a2))
@@ -106,6 +65,10 @@ func (_m *AWSCodeCommitClient) GetRepositoryWithContext(_a0 context.Context, _a1
 	_ca = append(_ca, _va...)
 	ret := _m.Called(_ca...)

+	if len(ret) == 0 {
+		panic("no return value specified for GetRepositoryWithContext")
+	}
+
 	var r0 *codecommit.GetRepositoryOutput
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *codecommit.GetRepositoryInput, ...request.Option) (*codecommit.GetRepositoryOutput, error)); ok {
@@ -128,43 +91,6 @@ func (_m *AWSCodeCommitClient) GetRepositoryWithContext(_a0 context.Context, _a1
 	return r0, r1
 }

-// AWSCodeCommitClient_GetRepositoryWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRepositoryWithContext'
-type AWSCodeCommitClient_GetRepositoryWithContext_Call struct {
-	*mock.Call
-}
-
-// GetRepositoryWithContext is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *codecommit.GetRepositoryInput
-//   - _a2 ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) GetRepositoryWithContext(_a0 interface{}, _a1 interface{}, _a2 ...interface{}) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	return &AWSCodeCommitClient_GetRepositoryWithContext_Call{Call: _e.mock.On("GetRepositoryWithContext",
-		append([]interface{}{_a0, _a1}, _a2...)...)}
-}
-
-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) Run(run func(_a0 context.Context, _a1 *codecommit.GetRepositoryInput, _a2 ...request.Option)) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		run(args[0].(context.Context), args[1].(*codecommit.GetRepositoryInput), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) Return(_a0 *codecommit.GetRepositoryOutput, _a1 error) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) RunAndReturn(run func(context.Context, *codecommit.GetRepositoryInput, ...request.Option) (*codecommit.GetRepositoryOutput, error)) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
 // ListBranchesWithContext provides a mock function with given fields: _a0, _a1, _a2
 func (_m *AWSCodeCommitClient) ListBranchesWithContext(_a0 context.Context, _a1 *codecommit.ListBranchesInput, _a2 ...request.Option) (*codecommit.ListBranchesOutput, error) {
 	_va := make([]interface{}, len(_a2))
@@ -176,6 +102,10 @@ func (_m *AWSCodeCommitClient) ListBranchesWithContext(_a0 context.Context, _a1
 	_ca = append(_ca, _va...)
 	ret := _m.Called(_ca...)

+	if len(ret) == 0 {
+		panic("no return value specified for ListBranchesWithContext")
+	}
+
 	var r0 *codecommit.ListBranchesOutput
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *codecommit.ListBranchesInput, ...request.Option) (*codecommit.ListBranchesOutput, error)); ok {
@@ -198,43 +128,6 @@ func (_m *AWSCodeCommitClient) ListBranchesWithContext(_a0 context.Context, _a1
 	return r0, r1
 }

-// AWSCodeCommitClient_ListBranchesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListBranchesWithContext'
-type AWSCodeCommitClient_ListBranchesWithContext_Call struct {
-	*mock.Call
-}
-
-// ListBranchesWithContext is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *codecommit.ListBranchesInput
-//   - _a2 ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) ListBranchesWithContext(_a0 interface{}, _a1 interface{}, _a2 ...interface{}) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	return &AWSCodeCommitClient_ListBranchesWithContext_Call{Call: _e.mock.On("ListBranchesWithContext",
-		append([]interface{}{_a0, _a1}, _a2...)...)}
-}
-
-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) Run(run func(_a0 context.Context, _a1 *codecommit.ListBranchesInput, _a2 ...request.Option)) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		run(args[0].(context.Context), args[1].(*codecommit.ListBranchesInput), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) Return(_a0 *codecommit.ListBranchesOutput, _a1 error) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) RunAndReturn(run func(context.Context, *codecommit.ListBranchesInput, ...request.Option) (*codecommit.ListBranchesOutput, error)) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
 // ListRepositoriesWithContext provides a mock function with given fields: _a0, _a1, _a2
 func (_m *AWSCodeCommitClient) ListRepositoriesWithContext(_a0 context.Context, _a1 *codecommit.ListRepositoriesInput, _a2 ...request.Option) (*codecommit.ListRepositoriesOutput, error) {
 	_va := make([]interface{}, len(_a2))
@@ -246,6 +139,10 @@ func (_m *AWSCodeCommitClient) ListRepositoriesWithContext(_a0 context.Context,
 	_ca = append(_ca, _va...)
 	ret := _m.Called(_ca...)

+	if len(ret) == 0 {
+		panic("no return value specified for ListRepositoriesWithContext")
+	}
+
 	var r0 *codecommit.ListRepositoriesOutput
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *codecommit.ListRepositoriesInput, ...request.Option) (*codecommit.ListRepositoriesOutput, error)); ok {
@@ -268,50 +165,12 @@ func (_m *AWSCodeCommitClient) ListRepositoriesWithContext(_a0 context.Context,
 	return r0, r1
 }

-// AWSCodeCommitClient_ListRepositoriesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListRepositoriesWithContext'
-type AWSCodeCommitClient_ListRepositoriesWithContext_Call struct {
-	*mock.Call
-}
-
-// ListRepositoriesWithContext is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *codecommit.ListRepositoriesInput
-//   - _a2 ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) ListRepositoriesWithContext(_a0 interface{}, _a1 interface{}, _a2 ...interface{}) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	return &AWSCodeCommitClient_ListRepositoriesWithContext_Call{Call: _e.mock.On("ListRepositoriesWithContext",
-		append([]interface{}{_a0, _a1}, _a2...)...)}
-}
-
-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) Run(run func(_a0 context.Context, _a1 *codecommit.ListRepositoriesInput, _a2 ...request.Option)) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		run(args[0].(context.Context), args[1].(*codecommit.ListRepositoriesInput), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) Return(_a0 *codecommit.ListRepositoriesOutput, _a1 error) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) RunAndReturn(run func(context.Context, *codecommit.ListRepositoriesInput, ...request.Option) (*codecommit.ListRepositoriesOutput, error)) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-type mockConstructorTestingTNewAWSCodeCommitClient interface {
+// NewAWSCodeCommitClient creates a new instance of AWSCodeCommitClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewAWSCodeCommitClient(t interface {
 	mock.TestingT
 	Cleanup(func())
-}
-
-// NewAWSCodeCommitClient creates a new instance of AWSCodeCommitClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewAWSCodeCommitClient(t mockConstructorTestingTNewAWSCodeCommitClient) *AWSCodeCommitClient {
+}) *AWSCodeCommitClient {
 	mock := &AWSCodeCommitClient{}
 	mock.Mock.Test(t)

--- a/applicationset/services/scm_provider/aws_codecommit/mocks/AWSTaggingClient.go
+++ b/applicationset/services/scm_provider/aws_codecommit/mocks/AWSTaggingClient.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.26.1. DO NOT EDIT.
+// Code generated by mockery v2.43.2. DO NOT EDIT.

 package mocks

@@ -16,14 +16,6 @@ type AWSTaggingClient struct {
 	mock.Mock
 }

-type AWSTaggingClient_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *AWSTaggingClient) EXPECT() *AWSTaggingClient_Expecter {
-	return &AWSTaggingClient_Expecter{mock: &_m.Mock}
-}
-
 // GetResourcesWithContext provides a mock function with given fields: _a0, _a1, _a2
 func (_m *AWSTaggingClient) GetResourcesWithContext(_a0 context.Context, _a1 *resourcegroupstaggingapi.GetResourcesInput, _a2 ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error) {
 	_va := make([]interface{}, len(_a2))
@@ -35,6 +27,10 @@ func (_m *AWSTaggingClient) GetResourcesWithContext(_a0 context.Context, _a1 *re
 	_ca = append(_ca, _va...)
 	ret := _m.Called(_ca...)

+	if len(ret) == 0 {
+		panic("no return value specified for GetResourcesWithContext")
+	}
+
 	var r0 *resourcegroupstaggingapi.GetResourcesOutput
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error)); ok {
@@ -57,50 +53,12 @@ func (_m *AWSTaggingClient) GetResourcesWithContext(_a0 context.Context, _a1 *re
 	return r0, r1
 }

-// AWSTaggingClient_GetResourcesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetResourcesWithContext'
-type AWSTaggingClient_GetResourcesWithContext_Call struct {
-	*mock.Call
-}
-
-// GetResourcesWithContext is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *resourcegroupstaggingapi.GetResourcesInput
-//   - _a2 ...request.Option
-func (_e *AWSTaggingClient_Expecter) GetResourcesWithContext(_a0 interface{}, _a1 interface{}, _a2 ...interface{}) *AWSTaggingClient_GetResourcesWithContext_Call {
-	return &AWSTaggingClient_GetResourcesWithContext_Call{Call: _e.mock.On("GetResourcesWithContext",
-		append([]interface{}{_a0, _a1}, _a2...)...)}
-}
-
-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) Run(run func(_a0 context.Context, _a1 *resourcegroupstaggingapi.GetResourcesInput, _a2 ...request.Option)) *AWSTaggingClient_GetResourcesWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		run(args[0].(context.Context), args[1].(*resourcegroupstaggingapi.GetResourcesInput), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) Return(_a0 *resourcegroupstaggingapi.GetResourcesOutput, _a1 error) *AWSTaggingClient_GetResourcesWithContext_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) RunAndReturn(run func(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error)) *AWSTaggingClient_GetResourcesWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-type mockConstructorTestingTNewAWSTaggingClient interface {
+// NewAWSTaggingClient creates a new instance of AWSTaggingClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewAWSTaggingClient(t interface {
 	mock.TestingT
 	Cleanup(func())
-}
-
-// NewAWSTaggingClient creates a new instance of AWSTaggingClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewAWSTaggingClient(t mockConstructorTestingTNewAWSTaggingClient) *AWSTaggingClient {
+}) *AWSTaggingClient {
 	mock := &AWSTaggingClient{}
 	mock.Mock.Test(t)

--- a/applicationset/services/scm_provider/aws_codecommit_test.go
+++ b/applicationset/services/scm_provider/aws_codecommit_test.go
@@ -178,8 +178,8 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 				if repo.getRepositoryNilMetadata {
 					repoMetadata = nil
 				}
-				codeCommitClient.EXPECT().
-					GetRepositoryWithContext(ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
+				codeCommitClient.
+					On("GetRepositoryWithContext", ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
 					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: repoMetadata}, repo.getRepositoryError)
 				codecommitRepoNameIdPairs = append(codecommitRepoNameIdPairs, &codecommit.RepositoryNameIdPair{
 					RepositoryId:   aws.String(repo.id),
@@ -194,14 +194,14 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			}

 			if testCase.expectListAtCodeCommit {
-				codeCommitClient.EXPECT().
-					ListRepositoriesWithContext(ctx, &codecommit.ListRepositoriesInput{}).
+				codeCommitClient.
+					On("ListRepositoriesWithContext", ctx, &codecommit.ListRepositoriesInput{}).
 					Return(&codecommit.ListRepositoriesOutput{
 						Repositories: codecommitRepoNameIdPairs,
 					}, testCase.listRepositoryError)
 			} else {
-				taggingClient.EXPECT().
-					GetResourcesWithContext(ctx, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
+				taggingClient.
+					On("GetResourcesWithContext", ctx, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
 						TagFilters:          testCase.expectTagFilters,
 						ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
 					}))).
@@ -351,8 +351,8 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := context.Background()
 			if testCase.expectedGetFolderPath != "" {
-				codeCommitClient.EXPECT().
-					GetFolderWithContext(ctx, &codecommit.GetFolderInput{
+				codeCommitClient.
+					On("GetFolderWithContext", ctx, &codecommit.GetFolderInput{
 						CommitSpecifier: aws.String(branch),
 						FolderPath:      aws.String(testCase.expectedGetFolderPath),
 						RepositoryName:  aws.String(repoName),
@@ -424,14 +424,14 @@ func TestAWSCodeCommitGetBranches(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := context.Background()
 			if testCase.allBranches {
-				codeCommitClient.EXPECT().
-					ListBranchesWithContext(ctx, &codecommit.ListBranchesInput{
+				codeCommitClient.
+					On("ListBranchesWithContext", ctx, &codecommit.ListBranchesInput{
 						RepositoryName: aws.String(name),
 					}).
 					Return(&codecommit.ListBranchesOutput{Branches: aws.StringSlice(testCase.branches)}, testCase.apiError)
 			} else {
-				codeCommitClient.EXPECT().
-					GetRepositoryWithContext(ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
+				codeCommitClient.
+					On("GetRepositoryWithContext", ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
 					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: &codecommit.RepositoryMetadata{
 						AccountId:     aws.String(organization),
 						DefaultBranch: aws.String(defaultBranch),
--- a/applicationset/services/scm_provider/azure_devops/git/mocks/Client.go
+++ b/applicationset/services/scm_provider/azure_devops/git/mocks/Client.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.40.2. DO NOT EDIT.
+// Code generated by mockery v2.43.2. DO NOT EDIT.

 package mocks

--- a/applicationset/services/scm_provider/azure_devops_test.go
+++ b/applicationset/services/scm_provider/azure_devops_test.go
@@ -17,8 +17,6 @@ import (
 	azureMock "github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider/azure_devops/git/mocks"
 )

-//go:generate go run github.com/vektra/mockery/v2@v2.40.2 --srcpkg=github.com/microsoft/azure-devops-go-api/azuredevops/git --name=Client --output=azure_devops/git/mocks --outpkg=mocks
-
 func s(input string) *string {
 	return ptr.To(input)
 }
--- a/applicationset/services/scm_provider/bitbucket_cloud.go
+++ b/applicationset/services/scm_provider/bitbucket_cloud.go
@@ -46,7 +46,7 @@ func (c *ExtendedClient) GetContents(repo *Repository, path string) (bool, error
 		return true, nil
 	}

-	return false, fmt.Errorf(resp.Status)
+	return false, fmt.Errorf("%s", resp.Status)
 }

 var _ SCMProviderService = &BitBucketCloudProvider{}
--- a/applicationset/services/scm_provider/bitbucket_server.go
+++ b/applicationset/services/scm_provider/bitbucket_server.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net/http"

 	bitbucketv1 "github.com/gfleury/go-bitbucket-v1"
 	log "github.com/sirupsen/logrus"
@@ -20,7 +21,7 @@ type BitbucketServerProvider struct {

 var _ SCMProviderService = &BitbucketServerProvider{}

-func NewBitbucketServerProviderBasicAuth(ctx context.Context, username, password, url, projectKey string, allBranches bool) (*BitbucketServerProvider, error) {
+func NewBitbucketServerProviderBasicAuth(ctx context.Context, username, password, url, projectKey string, allBranches bool, scmRootCAPath string, insecure bool, caCerts []byte) (*BitbucketServerProvider, error) {
 	bitbucketConfig := bitbucketv1.NewConfiguration(url)
 	// Avoid the XSRF check
 	bitbucketConfig.AddDefaultHeader("x-atlassian-token", "no-check")
@@ -30,15 +31,29 @@ func NewBitbucketServerProviderBasicAuth(ctx context.Context, username, password
 		UserName: username,
 		Password: password,
 	})
-	return newBitbucketServerProvider(ctx, bitbucketConfig, projectKey, allBranches)
+	return newBitbucketServerProvider(ctx, bitbucketConfig, projectKey, allBranches, scmRootCAPath, insecure, caCerts)
 }

-func NewBitbucketServerProviderNoAuth(ctx context.Context, url, projectKey string, allBranches bool) (*BitbucketServerProvider, error) {
-	return newBitbucketServerProvider(ctx, bitbucketv1.NewConfiguration(url), projectKey, allBranches)
+func NewBitbucketServerProviderBearerToken(ctx context.Context, bearerToken, url, projectKey string, allBranches bool, scmRootCAPath string, insecure bool, caCerts []byte) (*BitbucketServerProvider, error) {
+	bitbucketConfig := bitbucketv1.NewConfiguration(url)
+	// Avoid the XSRF check
+	bitbucketConfig.AddDefaultHeader("x-atlassian-token", "no-check")
+	bitbucketConfig.AddDefaultHeader("x-requested-with", "XMLHttpRequest")
+
+	ctx = context.WithValue(ctx, bitbucketv1.ContextAccessToken, bearerToken)
+	return newBitbucketServerProvider(ctx, bitbucketConfig, projectKey, allBranches, scmRootCAPath, insecure, caCerts)
 }

-func newBitbucketServerProvider(ctx context.Context, bitbucketConfig *bitbucketv1.Configuration, projectKey string, allBranches bool) (*BitbucketServerProvider, error) {
+func NewBitbucketServerProviderNoAuth(ctx context.Context, url, projectKey string, allBranches bool, scmRootCAPath string, insecure bool, caCerts []byte) (*BitbucketServerProvider, error) {
+	return newBitbucketServerProvider(ctx, bitbucketv1.NewConfiguration(url), projectKey, allBranches, scmRootCAPath, insecure, caCerts)
+}
+
+func newBitbucketServerProvider(ctx context.Context, bitbucketConfig *bitbucketv1.Configuration, projectKey string, allBranches bool, scmRootCAPath string, insecure bool, caCerts []byte) (*BitbucketServerProvider, error) {
 	bitbucketConfig.BasePath = utils.NormalizeBitbucketBasePath(bitbucketConfig.BasePath)
+	tlsConfig := utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
+	bitbucketConfig.HTTPClient = &http.Client{Transport: &http.Transport{
+		TLSClientConfig: tlsConfig,
+	}}
 	bitbucketClient := bitbucketv1.NewAPIClient(ctx, bitbucketConfig)

 	return &BitbucketServerProvider{
--- a/applicationset/services/scm_provider/bitbucket_server_test.go
+++ b/applicationset/services/scm_provider/bitbucket_server_test.go
@@ -2,6 +2,8 @@ package scm_provider

 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -99,7 +101,7 @@ func TestListReposNoAuth(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
 	verifyDefaultRepo(t, err, repos)
@@ -191,7 +193,7 @@ func TestListReposPagination(t *testing.T) {
 		}
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
 	require.NoError(t, err)
@@ -268,7 +270,7 @@ func TestGetBranchesBranchPagination(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
@@ -321,7 +323,7 @@ func TestGetBranchesDefaultOnly(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
@@ -353,7 +355,7 @@ func TestGetBranchesMissingDefault(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
@@ -375,7 +377,7 @@ func TestGetBranchesEmptyRepo(t *testing.T) {
 		}
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
@@ -398,7 +400,7 @@ func TestGetBranchesErrorDefaultBranch(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false, "", false, nil)
 	require.NoError(t, err)
 	_, err = provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
@@ -410,6 +412,73 @@ func TestGetBranchesErrorDefaultBranch(t *testing.T) {
 	require.Error(t, err)
 }

+func TestListReposTLS(t *testing.T) {
+	tests := []struct {
+		name        string
+		tlsInsecure bool
+		passCerts   bool
+		requireErr  bool
+	}{
+		{
+			name:        "TLS Insecure: true, No Certs",
+			tlsInsecure: true,
+			passCerts:   false,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: true, With Certs",
+			tlsInsecure: true,
+			passCerts:   true,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: false, With Certs",
+			tlsInsecure: false,
+			passCerts:   true,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: false, No Certs",
+			tlsInsecure: false,
+			passCerts:   false,
+			requireErr:  true,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				defaultHandler(t)(w, r)
+			}))
+			defer ts.Close()
+
+			var certs []byte
+			if test.passCerts == true {
+				for _, cert := range ts.TLS.Certificates {
+					for _, c := range cert.Certificate {
+						parsedCert, err := x509.ParseCertificate(c)
+						require.NoError(t, err, "Failed to parse certificate")
+						certs = append(certs, pem.EncodeToMemory(&pem.Block{
+							Type:  "CERTIFICATE",
+							Bytes: parsedCert.Raw,
+						})...)
+					}
+				}
+			}
+
+			provider, err := NewBitbucketServerProviderBasicAuth(context.Background(), "user", "password", ts.URL, "PROJECT", true, "", test.tlsInsecure, certs)
+			require.NoError(t, err)
+			_, err = provider.ListRepos(context.Background(), "ssh")
+			if test.requireErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
 func TestListReposBasicAuth(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		assert.Equal(t, "Basic dXNlcjpwYXNzd29yZA==", r.Header.Get("Authorization"))
@@ -417,7 +486,20 @@ func TestListReposBasicAuth(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderBasicAuth(context.Background(), "user", "password", ts.URL, "PROJECT", true)
+	provider, err := NewBitbucketServerProviderBasicAuth(context.Background(), "user", "password", ts.URL, "PROJECT", true, "", false, nil)
+	require.NoError(t, err)
+	repos, err := provider.ListRepos(context.Background(), "ssh")
+	verifyDefaultRepo(t, err, repos)
+}
+
+func TestListReposBearerAuth(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, "Bearer tolkien", r.Header.Get("Authorization"))
+		assert.Equal(t, "no-check", r.Header.Get("X-Atlassian-Token"))
+		defaultHandler(t)(w, r)
+	}))
+	defer ts.Close()
+	provider, err := NewBitbucketServerProviderBearerToken(context.Background(), "tolkien", ts.URL, "PROJECT", true, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
 	verifyDefaultRepo(t, err, repos)
@@ -444,7 +526,7 @@ func TestListReposDefaultBranch(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
 	require.NoError(t, err)
@@ -470,7 +552,7 @@ func TestListReposMissingDefaultBranch(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
 	require.NoError(t, err)
@@ -487,7 +569,7 @@ func TestListReposErrorDefaultBranch(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false, "", false, nil)
 	require.NoError(t, err)
 	_, err = provider.ListRepos(context.Background(), "ssh")
 	require.Error(t, err)
@@ -499,7 +581,7 @@ func TestListReposCloneProtocol(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true, "", false, nil)
 	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "https")
 	require.NoError(t, err)
@@ -521,7 +603,7 @@ func TestListReposUnknownProtocol(t *testing.T) {
 		defaultHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true, "", false, nil)
 	require.NoError(t, err)
 	_, errProtocol := provider.ListRepos(context.Background(), "http")
 	require.Error(t, errProtocol)
@@ -559,7 +641,7 @@ func TestBitbucketServerHasPath(t *testing.T) {
 		}
 	}))
 	defer ts.Close()
-	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
+	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true, "", false, nil)
 	require.NoError(t, err)
 	repo := &Repository{
 		Organization: "PROJECT",
--- a/applicationset/services/scm_provider/github.go
+++ b/applicationset/services/scm_provider/github.go
@@ -2,12 +2,11 @@ package scm_provider

 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 	"os"

-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v63/github"
 	"golang.org/x/oauth2"
 )

@@ -36,7 +35,7 @@ func NewGithubProvider(ctx context.Context, organization string, token string, u
 		client = github.NewClient(httpClient)
 	} else {
 		var err error
-		client, err = github.NewEnterpriseClient(url, url, httpClient)
+		client, err = github.NewClient(httpClient).WithEnterpriseURLs(url, url)
 		if err != nil {
 			return nil, err
 		}
@@ -120,14 +119,11 @@ func (g *GithubProvider) RepoHasPath(ctx context.Context, repo *Repository, path
 func (g *GithubProvider) listBranches(ctx context.Context, repo *Repository) ([]github.Branch, error) {
 	// If we don't specifically want to query for all branches, just use the default branch and call it a day.
 	if !g.allBranches {
-		defaultBranch, _, err := g.client.Repositories.GetBranch(ctx, repo.Organization, repo.Repository, repo.Branch)
+		defaultBranch, resp, err := g.client.Repositories.GetBranch(ctx, repo.Organization, repo.Repository, repo.Branch, 0)
 		if err != nil {
-			var githubErrorResponse *github.ErrorResponse
-			if errors.As(err, &githubErrorResponse) {
-				if githubErrorResponse.Response.StatusCode == http.StatusNotFound {
-					// Default branch doesn't exist, so the repo is empty.
-					return []github.Branch{}, nil
-				}
+			if resp.StatusCode == http.StatusNotFound {
+				// Default branch doesn't exist, so the repo is empty.
+				return []github.Branch{}, nil
 			}
 			return nil, err
 		}
--- a/applicationset/services/scm_provider/gitlab.go
+++ b/applicationset/services/scm_provider/gitlab.go
@@ -24,7 +24,7 @@ type GitlabProvider struct {

 var _ SCMProviderService = &GitlabProvider{}

-func NewGitlabProvider(ctx context.Context, organization string, token string, url string, allBranches, includeSubgroups, includeSharedProjects, insecure bool, scmRootCAPath, topic string) (*GitlabProvider, error) {
+func NewGitlabProvider(ctx context.Context, organization string, token string, url string, allBranches, includeSubgroups, includeSharedProjects, insecure bool, scmRootCAPath, topic string, caCerts []byte) (*GitlabProvider, error) {
 	// Undocumented environment variable to set a default token, to be used in testing to dodge anonymous rate limits.
 	if token == "" {
 		token = os.Getenv("GITLAB_TOKEN")
@@ -32,7 +32,7 @@ func NewGitlabProvider(ctx context.Context, organization string, token string, u
 	var client *gitlab.Client

 	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.TLSClientConfig = utils.GetTlsConfig(scmRootCAPath, insecure)
+	tr.TLSClientConfig = utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)

 	retryClient := retryablehttp.NewClient()
 	retryClient.HTTPClient.Transport = tr
--- a/applicationset/services/scm_provider/gitlab_test.go
+++ b/applicationset/services/scm_provider/gitlab_test.go
@@ -2,6 +2,8 @@ package scm_provider

 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"net/http"
@@ -1121,7 +1123,7 @@ func TestGitlabListRepos(t *testing.T) {
 	}))
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.includeSharedProjects, c.insecure, "", c.topic)
+			provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.includeSharedProjects, c.insecure, "", c.topic, nil)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
 				require.Error(t, err)
@@ -1160,7 +1162,7 @@ func TestGitlabHasPath(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		gitlabMockHandler(t)(w, r)
 	}))
-	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, true, false, "", "")
+	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, true, false, "", "", nil)
 	repo := &Repository{
 		Organization: "test-argocd-proton",
 		Repository:   "argocd",
@@ -1206,7 +1208,7 @@ func TestGitlabGetBranches(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		gitlabMockHandler(t)(w, r)
 	}))
-	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, true, false, "", "")
+	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, true, false, "", "", nil)

 	repo := &Repository{
 		RepositoryId: 27084533,
@@ -1227,3 +1229,74 @@ func TestGitlabGetBranches(t *testing.T) {
 		require.NoError(t, err)
 	})
 }
+
+func TestGetBranchesTLS(t *testing.T) {
+	tests := []struct {
+		name        string
+		tlsInsecure bool
+		passCerts   bool
+		requireErr  bool
+	}{
+		{
+			name:        "TLS Insecure: true, No Certs",
+			tlsInsecure: true,
+			passCerts:   false,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: true, With Certs",
+			tlsInsecure: true,
+			passCerts:   true,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: false, With Certs",
+			tlsInsecure: false,
+			passCerts:   true,
+			requireErr:  false,
+		},
+		{
+			name:        "TLS Insecure: false, No Certs",
+			tlsInsecure: false,
+			passCerts:   false,
+			requireErr:  true,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				gitlabMockHandler(t)(w, r)
+			}))
+			defer ts.Close()
+
+			var certs []byte
+			if test.passCerts == true {
+				for _, cert := range ts.TLS.Certificates {
+					for _, c := range cert.Certificate {
+						parsedCert, err := x509.ParseCertificate(c)
+						require.NoError(t, err, "Failed to parse certificate")
+						certs = append(certs, pem.EncodeToMemory(&pem.Block{
+							Type:  "CERTIFICATE",
+							Bytes: parsedCert.Raw,
+						})...)
+					}
+				}
+			}
+
+			host, err := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true, true, test.tlsInsecure, "", "", certs)
+			require.NoError(t, err)
+			repo := &Repository{
+				RepositoryId: 27084533,
+				Branch:       "master",
+			}
+			_, err = host.GetBranches(context.Background(), repo)
+			if test.requireErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
--- a/applicationset/status/resource_status.go
+++ b/applicationset/status/resource_status.go
@@ -0,0 +1,57 @@
+package status
+
+import (
+	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func BuildResourceStatus(statusMap map[string]argov1alpha1.ResourceStatus, apps []argov1alpha1.Application) map[string]argov1alpha1.ResourceStatus {
+	appMap := map[string]argov1alpha1.Application{}
+	for _, app := range apps {
+		appCopy := app
+		appMap[app.Name] = app
+
+		gvk := app.GroupVersionKind()
+		// Create status if it does not exist
+		status, ok := statusMap[app.Name]
+		if !ok {
+			status = argov1alpha1.ResourceStatus{
+				Group:     gvk.Group,
+				Version:   gvk.Version,
+				Kind:      gvk.Kind,
+				Name:      app.Name,
+				Namespace: app.Namespace,
+				Status:    app.Status.Sync.Status,
+				Health:    &appCopy.Status.Health,
+			}
+		}
+
+		status.Group = gvk.Group
+		status.Version = gvk.Version
+		status.Kind = gvk.Kind
+		status.Name = app.Name
+		status.Namespace = app.Namespace
+		status.Status = app.Status.Sync.Status
+		status.Health = &appCopy.Status.Health
+
+		statusMap[app.Name] = status
+	}
+	cleanupDeletedApplicationStatuses(statusMap, appMap)
+
+	return statusMap
+}
+
+func GetResourceStatusMap(appset *argov1alpha1.ApplicationSet) map[string]argov1alpha1.ResourceStatus {
+	statusMap := map[string]argov1alpha1.ResourceStatus{}
+	for _, status := range appset.Status.Resources {
+		statusMap[status.Name] = status
+	}
+	return statusMap
+}
+
+func cleanupDeletedApplicationStatuses(statusMap map[string]argov1alpha1.ResourceStatus, apps map[string]argov1alpha1.Application) {
+	for name := range statusMap {
+		if _, ok := apps[name]; !ok {
+			delete(statusMap, name)
+		}
+	}
+}
--- a/applicationset/utils/applicationset_lister.go
+++ b/applicationset/utils/applicationset_lister.go
@@ -0,0 +1,63 @@
+package utils
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/labels"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	. "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	. "github.com/argoproj/argo-cd/v2/pkg/client/listers/application/v1alpha1"
+)
+
+// Implements AppsetLister interface with controller-runtime client
+type AppsetLister struct {
+	Client ctrlclient.Client
+}
+
+func NewAppsetLister(client ctrlclient.Client) ApplicationSetLister {
+	return &AppsetLister{Client: client}
+}
+
+func (l *AppsetLister) List(selector labels.Selector) (ret []*ApplicationSet, err error) {
+	return clientListAppsets(l.Client, ctrlclient.ListOptions{})
+}
+
+// ApplicationSets returns an object that can list and get ApplicationSets.
+func (l *AppsetLister) ApplicationSets(namespace string) ApplicationSetNamespaceLister {
+	return &appsetNamespaceLister{
+		Client:    l.Client,
+		Namespace: namespace,
+	}
+}
+
+// Implements ApplicationSetNamespaceLister
+type appsetNamespaceLister struct {
+	Client    ctrlclient.Client
+	Namespace string
+}
+
+func (n *appsetNamespaceLister) List(selector labels.Selector) (ret []*ApplicationSet, err error) {
+	return clientListAppsets(n.Client, ctrlclient.ListOptions{Namespace: n.Namespace})
+}
+
+func (n *appsetNamespaceLister) Get(name string) (*ApplicationSet, error) {
+	appset := ApplicationSet{}
+	err := n.Client.Get(context.TODO(), ctrlclient.ObjectKeyFromObject(&appset), &appset)
+	return &appset, err
+}
+
+func clientListAppsets(client ctrlclient.Client, listOptions ctrlclient.ListOptions) (ret []*ApplicationSet, err error) {
+	var appsetlist ApplicationSetList
+	var results []*ApplicationSet
+
+	err = client.List(context.TODO(), &appsetlist, &listOptions)
+
+	if err == nil {
+		for _, appset := range appsetlist.Items {
+			results = append(results, appset.DeepCopy())
+		}
+	}
+
+	return results, err
+}
--- a/applicationset/utils/clusterUtils.go
+++ b/applicationset/utils/clusterUtils.go
@@ -51,9 +51,12 @@ const (
 // if we used destination name we infer the server url
 // if we used both name and server then we return an invalid spec error
 func ValidateDestination(ctx context.Context, dest *appv1.ApplicationDestination, clientset kubernetes.Interface, argoCDNamespace string) error {
+	if dest.IsServerInferred() && dest.IsNameInferred() {
+		return fmt.Errorf("application destination can't have both name and server inferred: %s %s", dest.Name, dest.Server)
+	}
 	if dest.Name != "" {
 		if dest.Server == "" {
-			server, err := getDestinationServer(ctx, dest.Name, clientset, argoCDNamespace)
+			server, err := getDestinationBy(ctx, dest.Name, clientset, argoCDNamespace, true)
 			if err != nil {
 				return fmt.Errorf("unable to find destination server: %w", err)
 			}
@@ -61,14 +64,25 @@ func ValidateDestination(ctx context.Context, dest *appv1.ApplicationDestination
 				return fmt.Errorf("application references destination cluster %s which does not exist", dest.Name)
 			}
 			dest.SetInferredServer(server)
-		} else if !dest.IsServerInferred() {
+		} else if !dest.IsServerInferred() && !dest.IsNameInferred() {
 			return fmt.Errorf("application destination can't have both name and server defined: %s %s", dest.Name, dest.Server)
 		}
+	} else if dest.Server != "" {
+		if dest.Name == "" {
+			serverName, err := getDestinationBy(ctx, dest.Server, clientset, argoCDNamespace, false)
+			if err != nil {
+				return fmt.Errorf("unable to find destination server: %w", err)
+			}
+			if serverName == "" {
+				return fmt.Errorf("application references destination cluster %s which does not exist", dest.Server)
+			}
+			dest.SetInferredName(serverName)
+		}
 	}
 	return nil
 }

-func getDestinationServer(ctx context.Context, clusterName string, clientset kubernetes.Interface, argoCDNamespace string) (string, error) {
+func getDestinationBy(ctx context.Context, cluster string, clientset kubernetes.Interface, argoCDNamespace string, byName bool) (string, error) {
 	// settingsMgr := settings.NewSettingsManager(context.TODO(), clientset, namespace)
 	// argoDB := db.NewDB(namespace, settingsMgr, clientset)
 	// clusterList, err := argoDB.ListClusters(ctx)
@@ -78,14 +92,17 @@ func getDestinationServer(ctx context.Context, clusterName string, clientset kub
 	}
 	var servers []string
 	for _, c := range clusterList.Items {
-		if c.Name == clusterName {
+		if byName && c.Name == cluster {
 			servers = append(servers, c.Server)
 		}
+		if !byName && c.Server == cluster {
+			servers = append(servers, c.Name)
+		}
 	}
 	if len(servers) > 1 {
 		return "", fmt.Errorf("there are %d clusters with the same name: %v", len(servers), servers)
 	} else if len(servers) == 0 {
-		return "", fmt.Errorf("there are no clusters with this name: %s", clusterName)
+		return "", fmt.Errorf("there are no clusters with this name: %s", cluster)
 	}
 	return servers[0], nil
 }
@@ -132,9 +149,12 @@ func getLocalCluster(clientset kubernetes.Interface) *appv1.Cluster {
 	initLocalCluster.Do(func() {
 		info, err := clientset.Discovery().ServerVersion()
 		if err == nil {
+			// nolint:staticcheck
 			localCluster.ServerVersion = fmt.Sprintf("%s.%s", info.Major, info.Minor)
+			// nolint:staticcheck
 			localCluster.ConnectionState = appv1.ConnectionState{Status: appv1.ConnectionStatusSuccessful}
 		} else {
+			// nolint:staticcheck
 			localCluster.ConnectionState = appv1.ConnectionState{
 				Status:  appv1.ConnectionStatusFailed,
 				Message: err.Error(),
@@ -143,6 +163,7 @@ func getLocalCluster(clientset kubernetes.Interface) *appv1.Cluster {
 	})
 	cluster := localCluster.DeepCopy()
 	now := metav1.Now()
+	// nolint:staticcheck
 	cluster.ConnectionState.ModifiedAt = &now
 	return cluster
 }
--- a/applicationset/utils/clusterUtils_test.go
+++ b/applicationset/utils/clusterUtils_test.go
@@ -92,7 +92,12 @@ func TestValidateDestination(t *testing.T) {
 			Namespace: "default",
 		}

-		appCond := ValidateDestination(context.Background(), &dest, nil, fakeNamespace)
+		secret := createClusterSecret("my-secret", "minikube", "https://127.0.0.1:6443")
+		objects := []runtime.Object{}
+		objects = append(objects, secret)
+		kubeclientset := fake.NewSimpleClientset(objects...)
+
+		appCond := ValidateDestination(context.Background(), &dest, kubeclientset, fakeNamespace)
 		require.NoError(t, appCond)
 		assert.False(t, dest.IsServerInferred())
 	})
--- a/applicationset/utils/createOrUpdate_test.go
+++ b/applicationset/utils/createOrUpdate_test.go
@@ -229,7 +229,7 @@ spec:
 			require.NoError(t, err)
 			yamlExpected, err := yaml.Marshal(tc.expectedApp)
 			require.NoError(t, err)
-			assert.Equal(t, string(yamlExpected), string(yamlFound))
+			assert.YAMLEq(t, string(yamlExpected), string(yamlFound))
 		})
 	}
 }
--- a/applicationset/utils/kubernetes.go
+++ b/applicationset/utils/kubernetes.go
@@ -0,0 +1,54 @@
+package utils
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+// getSecretRef gets the value of the key for the specified Secret resource.
+func GetSecretRef(ctx context.Context, k8sClient client.Client, ref *argoprojiov1alpha1.SecretRef, namespace string) (string, error) {
+	if ref == nil {
+		return "", nil
+	}
+
+	secret := &corev1.Secret{}
+	err := k8sClient.Get(
+		ctx,
+		client.ObjectKey{
+			Name:      ref.SecretName,
+			Namespace: namespace,
+		},
+		secret)
+	if err != nil {
+		return "", fmt.Errorf("error fetching secret %s/%s: %w", namespace, ref.SecretName, err)
+	}
+	tokenBytes, ok := secret.Data[ref.Key]
+	if !ok {
+		return "", fmt.Errorf("key %q in secret %s/%s not found", ref.Key, namespace, ref.SecretName)
+	}
+	return string(tokenBytes), nil
+}
+
+func GetConfigMapData(ctx context.Context, k8sClient client.Client, ref *argoprojiov1alpha1.ConfigMapKeyRef, namespace string) ([]byte, error) {
+	if ref == nil {
+		return nil, nil
+	}
+
+	configMap := &corev1.ConfigMap{}
+	err := k8sClient.Get(ctx, client.ObjectKey{Name: ref.ConfigMapName, Namespace: namespace}, configMap)
+	if err != nil {
+		return nil, err
+	}
+
+	data, ok := configMap.Data[ref.Key]
+	if !ok {
+		return nil, fmt.Errorf("key %s not found in ConfigMap %s", ref.Key, configMap.Name)
+	}
+
+	return []byte(data), nil
+}
--- a/applicationset/utils/kubernetes_test.go
+++ b/applicationset/utils/kubernetes_test.go
@@ -0,0 +1,146 @@
+package utils
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func TestGetSecretRef(t *testing.T) {
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-secret", Namespace: "test"},
+		Data: map[string][]byte{
+			"my-token": []byte("secret"),
+		},
+	}
+	client := fake.NewClientBuilder().WithObjects(secret).Build()
+	ctx := context.Background()
+
+	cases := []struct {
+		name, namespace, token string
+		ref                    *argoprojiov1alpha1.SecretRef
+		hasError               bool
+	}{
+		{
+			name:      "valid ref",
+			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
+			namespace: "test",
+			token:     "secret",
+			hasError:  false,
+		},
+		{
+			name:      "nil ref",
+			ref:       nil,
+			namespace: "test",
+			token:     "",
+			hasError:  false,
+		},
+		{
+			name:      "wrong name",
+			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "other", Key: "my-token"},
+			namespace: "test",
+			token:     "",
+			hasError:  true,
+		},
+		{
+			name:      "wrong key",
+			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "other-token"},
+			namespace: "test",
+			token:     "",
+			hasError:  true,
+		},
+		{
+			name:      "wrong namespace",
+			ref:       &argoprojiov1alpha1.SecretRef{SecretName: "test-secret", Key: "my-token"},
+			namespace: "other",
+			token:     "",
+			hasError:  true,
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			token, err := GetSecretRef(ctx, client, c.ref, c.namespace)
+			if c.hasError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			assert.Equal(t, c.token, token)
+		})
+	}
+}
+
+func TestGetConfigMapData(t *testing.T) {
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-configmap", Namespace: "test"},
+		Data: map[string]string{
+			"my-data": "configmap-data",
+		},
+	}
+	client := fake.NewClientBuilder().WithObjects(configMap).Build()
+	ctx := context.Background()
+
+	cases := []struct {
+		name, namespace, data string
+		ref                   *argoprojiov1alpha1.ConfigMapKeyRef
+		hasError              bool
+	}{
+		{
+			name:      "valid ref",
+			ref:       &argoprojiov1alpha1.ConfigMapKeyRef{ConfigMapName: "test-configmap", Key: "my-data"},
+			namespace: "test",
+			data:      "configmap-data",
+			hasError:  false,
+		},
+		{
+			name:      "nil ref",
+			ref:       nil,
+			namespace: "test",
+			data:      "",
+			hasError:  false,
+		},
+		{
+			name:      "wrong name",
+			ref:       &argoprojiov1alpha1.ConfigMapKeyRef{ConfigMapName: "other", Key: "my-data"},
+			namespace: "test",
+			data:      "",
+			hasError:  true,
+		},
+		{
+			name:      "wrong key",
+			ref:       &argoprojiov1alpha1.ConfigMapKeyRef{ConfigMapName: "test-configmap", Key: "other-data"},
+			namespace: "test",
+			data:      "",
+			hasError:  true,
+		},
+		{
+			name:      "wrong namespace",
+			ref:       &argoprojiov1alpha1.ConfigMapKeyRef{ConfigMapName: "test-configmap", Key: "my-data"},
+			namespace: "other",
+			data:      "",
+			hasError:  true,
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			data, err := GetConfigMapData(ctx, client, c.ref, c.namespace)
+			if c.hasError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			if !c.hasError {
+				assert.Equal(t, c.data, string(data))
+			}
+		})
+	}
+}
--- a/applicationset/utils/mocks/Renderer.go
+++ b/applicationset/utils/mocks/Renderer.go
@@ -0,0 +1,86 @@
+// Code generated by mockery v2.43.2. DO NOT EDIT.
+
+package mocks
+
+import (
+	mock "github.com/stretchr/testify/mock"
+
+	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+// Renderer is an autogenerated mock type for the Renderer type
+type Renderer struct {
+	mock.Mock
+}
+
+// RenderTemplateParams provides a mock function with given fields: tmpl, syncPolicy, params, useGoTemplate, goTemplateOptions
+func (_m *Renderer) RenderTemplateParams(tmpl *v1alpha1.Application, syncPolicy *v1alpha1.ApplicationSetSyncPolicy, params map[string]interface{}, useGoTemplate bool, goTemplateOptions []string) (*v1alpha1.Application, error) {
+	ret := _m.Called(tmpl, syncPolicy, params, useGoTemplate, goTemplateOptions)
+
+	if len(ret) == 0 {
+		panic("no return value specified for RenderTemplateParams")
+	}
+
+	var r0 *v1alpha1.Application
+	var r1 error
+	if rf, ok := ret.Get(0).(func(*v1alpha1.Application, *v1alpha1.ApplicationSetSyncPolicy, map[string]interface{}, bool, []string) (*v1alpha1.Application, error)); ok {
+		return rf(tmpl, syncPolicy, params, useGoTemplate, goTemplateOptions)
+	}
+	if rf, ok := ret.Get(0).(func(*v1alpha1.Application, *v1alpha1.ApplicationSetSyncPolicy, map[string]interface{}, bool, []string) *v1alpha1.Application); ok {
+		r0 = rf(tmpl, syncPolicy, params, useGoTemplate, goTemplateOptions)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.Application)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(*v1alpha1.Application, *v1alpha1.ApplicationSetSyncPolicy, map[string]interface{}, bool, []string) error); ok {
+		r1 = rf(tmpl, syncPolicy, params, useGoTemplate, goTemplateOptions)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// Replace provides a mock function with given fields: tmpl, replaceMap, useGoTemplate, goTemplateOptions
+func (_m *Renderer) Replace(tmpl string, replaceMap map[string]interface{}, useGoTemplate bool, goTemplateOptions []string) (string, error) {
+	ret := _m.Called(tmpl, replaceMap, useGoTemplate, goTemplateOptions)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Replace")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, map[string]interface{}, bool, []string) (string, error)); ok {
+		return rf(tmpl, replaceMap, useGoTemplate, goTemplateOptions)
+	}
+	if rf, ok := ret.Get(0).(func(string, map[string]interface{}, bool, []string) string); ok {
+		r0 = rf(tmpl, replaceMap, useGoTemplate, goTemplateOptions)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(string, map[string]interface{}, bool, []string) error); ok {
+		r1 = rf(tmpl, replaceMap, useGoTemplate, goTemplateOptions)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// NewRenderer creates a new instance of Renderer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewRenderer(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *Renderer {
+	mock := &Renderer{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/applicationset/utils/utils.go
+++ b/applicationset/utils/utils.go
@@ -23,6 +23,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	argoappsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/glob"
 )

 var sprigFuncMap = sprig.GenericFuncMap() // a singleton for better performance
@@ -46,6 +47,10 @@ type Renderer interface {

 type Render struct{}

+func IsNamespaceAllowed(namespaces []string, namespace string) bool {
+	return glob.MatchStringInList(namespaces, namespace, glob.REGEXP)
+}
+
 func copyValueIntoUnexported(destination, value reflect.Value) {
 	reflect.NewAt(destination.Type(), unsafe.Pointer(destination.UnsafeAddr())).
 		Elem().
@@ -268,7 +273,7 @@ func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *
 	// b) there IS a syncPolicy, but preserveResourcesOnDeletion is set to false
 	// See TestRenderTemplateParamsFinalizers in util_test.go for test-based definition of behaviour
 	if (syncPolicy == nil || !syncPolicy.PreserveResourcesOnDeletion) &&
-		(replacedTmpl.ObjectMeta.Finalizers == nil || len(replacedTmpl.ObjectMeta.Finalizers) == 0) {
+		len(replacedTmpl.ObjectMeta.Finalizers) == 0 {
 		replacedTmpl.ObjectMeta.Finalizers = []string{"resources-finalizer.argocd.argoproj.io"}
 	}

@@ -483,7 +488,7 @@ func SlugifyName(args ...interface{}) string {
 	return urlSlug
 }

-func getTlsConfigWithCACert(scmRootCAPath string) *tls.Config {
+func getTlsConfigWithCACert(scmRootCAPath string, caCerts []byte) *tls.Config {
 	tlsConfig := &tls.Config{}

 	if scmRootCAPath != "" {
@@ -497,8 +502,12 @@ func getTlsConfigWithCACert(scmRootCAPath string) *tls.Config {
 			log.Errorf("error reading certificate from file '%s', proceeding without custom rootCA : %s", scmRootCAPath, err)
 			return tlsConfig
 		}
+		caCerts = append(caCerts, rootCA...)
+	}
+
+	if len(caCerts) > 0 {
 		certPool := x509.NewCertPool()
-		ok := certPool.AppendCertsFromPEM([]byte(rootCA))
+		ok := certPool.AppendCertsFromPEM(caCerts)
 		if !ok {
 			log.Errorf("failed to append certificates from PEM: proceeding without custom rootCA")
 		} else {
@@ -508,8 +517,8 @@ func getTlsConfigWithCACert(scmRootCAPath string) *tls.Config {
 	return tlsConfig
 }

-func GetTlsConfig(scmRootCAPath string, insecure bool) *tls.Config {
-	tlsConfig := getTlsConfigWithCACert(scmRootCAPath)
+func GetTlsConfig(scmRootCAPath string, insecure bool, caCerts []byte) *tls.Config {
+	tlsConfig := getTlsConfigWithCACert(scmRootCAPath, caCerts)

 	if insecure {
 		tlsConfig.InsecureSkipVerify = true
--- a/applicationset/utils/utils_test.go
+++ b/applicationset/utils/utils_test.go
@@ -1260,11 +1260,8 @@ func TestSlugify(t *testing.T) {
 }

 func TestGetTLSConfig(t *testing.T) {
-	// certParsed, err := tls.X509KeyPair(test.Cert, test.PrivateKey)
-	// require.NoError(t, err)
-
 	temppath := t.TempDir()
-	cert := `
+	certFromFile := `
 -----BEGIN CERTIFICATE-----
 MIIFvTCCA6WgAwIBAgIUGrTmW3qc39zqnE08e3qNDhUkeWswDQYJKoZIhvcNAQEL
 BQAwbjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAklMMRAwDgYDVQQHDAdDaGljYWdv
@@ -1298,50 +1295,96 @@ NoB2rjufaB0GQi1azdboMvdGSOxhSCAR8otWT5yDrywCqVnEvjw0oxKmuRduNe2/
 r2AaraPFgrprnxUibP4L7jxdr+iiw5bWN9/B81PodrS7n5TNtnfnpZD6X6rThqOP
 xO7Tr5lAo74vNUkF2EHNaI28/RGnJPm2TIxZqy4rNH6L
 -----END CERTIFICATE-----
+`
+
+	certFromCM := `
+-----BEGIN CERTIFICATE-----
+MIIDOTCCAiGgAwIBAgIQSRJrEpBGFc7tNb1fb5pKFzANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA6Gba5tHV1dAKouAaXO3/ebDUU4rvwCUg/CNaJ2PT5xLD4N1Vcb8r
+bFSW2HXKq+MPfVdwIKR/1DczEoAGf/JWQTW7EgzlXrCd3rlajEX2D73faWJekD0U
+aUgz5vtrTXZ90BQL7WvRICd7FlEZ6FPOcPlumiyNmzUqtwGhO+9ad1W5BqJaRI6P
+YfouNkwR6Na4TzSj5BrqUfP0FwDizKSJ0XXmh8g8G9mtwxOSN3Ru1QFc61Xyeluk
+POGKBV/q6RBNklTNe0gI8usUMlYyoC7ytppNMW7X2vodAelSu25jgx2anj9fDVZu
+h7AXF5+4nJS4AAt0n1lNY7nGSsdZas8PbQIDAQABo4GIMIGFMA4GA1UdDwEB/wQE
+AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+DgQWBBStsdjh3/JCXXYlQryOrL4Sh7BW5TAuBgNVHREEJzAlggtleGFtcGxlLmNv
+bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAxWGI
+5NhpF3nwwy/4yB4i/CwwSpLrWUa70NyhvprUBC50PxiXav1TeDzwzLx/o5HyNwsv
+cxv3HdkLW59i/0SlJSrNnWdfZ19oTcS+6PtLoVyISgtyN6DpkKpdG1cOkW3Cy2P2
+tK/tKHRP1Y/Ra0RiDpOAmqn0gCOFGz8+lqDIor/T7MTpibL3IxqWfPrvfVRHL3B
+grw/ZQTTIVjjh4JBSW3WyWgNo/ikC1lrVxzl4iPUGptxT36Cr7Zk2Bsg0XqwbOvK
+5d+NTDREkSnUbie4GeutujmX3Dsx88UiV6UY/4lHJa6I5leHUNOHahRbpbWeOfs/
+WkBKOclmOV2xlTVuPw==
+-----END CERTIFICATE-----
 `

 	rootCAPath := path.Join(temppath, "foo.example.com")
-	err := os.WriteFile(rootCAPath, []byte(cert), 0o666)
+	err := os.WriteFile(rootCAPath, []byte(certFromFile), 0o666)
 	if err != nil {
 		panic(err)
 	}

-	certPool := x509.NewCertPool()
-	ok := certPool.AppendCertsFromPEM([]byte(cert))
-	assert.True(t, ok)
-
 	testCases := []struct {
 		name                    string
 		scmRootCAPath           string
 		insecure                bool
+		caCerts                 []byte
 		validateCertInTlsConfig bool
 	}{
 		{
 			name:                    "Insecure mode configured, SCM Root CA Path not set",
 			scmRootCAPath:           "",
 			insecure:                true,
+			caCerts:                 nil,
 			validateCertInTlsConfig: false,
 		},
 		{
 			name:                    "SCM Root CA Path set, Insecure mode set to false",
 			scmRootCAPath:           rootCAPath,
 			insecure:                false,
+			caCerts:                 nil,
 			validateCertInTlsConfig: true,
 		},
 		{
 			name:                    "SCM Root CA Path set, Insecure mode set to true",
 			scmRootCAPath:           rootCAPath,
 			insecure:                true,
+			caCerts:                 nil,
+			validateCertInTlsConfig: true,
+		},
+		{
+			name:                    "Cert passed, Insecure mode set to false",
+			scmRootCAPath:           "",
+			insecure:                false,
+			caCerts:                 []byte(certFromCM),
+			validateCertInTlsConfig: true,
+		},
+		{
+			name:                    "SCM Root CA Path set, cert passed, Insecure mode set to false",
+			scmRootCAPath:           rootCAPath,
+			insecure:                false,
+			caCerts:                 []byte(certFromCM),
 			validateCertInTlsConfig: true,
 		},
 	}

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			tlsConfig := GetTlsConfig(testCase.scmRootCAPath, testCase.insecure)
+			certPool := x509.NewCertPool()
+			tlsConfig := GetTlsConfig(testCase.scmRootCAPath, testCase.insecure, testCase.caCerts)
 			assert.Equal(t, testCase.insecure, tlsConfig.InsecureSkipVerify)
+			if testCase.caCerts != nil {
+				ok := certPool.AppendCertsFromPEM([]byte(certFromCM))
+				assert.True(t, ok)
+			}
+			if testCase.scmRootCAPath != "" {
+				ok := certPool.AppendCertsFromPEM([]byte(certFromFile))
+				assert.True(t, ok)
+			}
+			assert.NotNil(t, tlsConfig)
 			if testCase.validateCertInTlsConfig {
-				assert.NotNil(t, tlsConfig)
 				assert.True(t, tlsConfig.RootCAs.Equal(certPool))
 			}
 		})
--- a/applicationset/webhook/testdata/github-commit-event-feature-branch.json
+++ b/applicationset/webhook/testdata/github-commit-event-feature-branch.json
@@ -0,0 +1,186 @@
+{
+    "ref": "refs/heads/env/dev",
+    "before": "d5c1ffa8e294bc18c639bfb4e0df499251034414",
+    "after": "63738bb582c8b540af7bcfc18f87c575c3ed66e0",
+    "created": false,
+    "deleted": false,
+    "forced": true,
+    "base_ref": null,
+    "compare": "https://github.com/org/repo/compare/d5c1ffa8e294...63738bb582c8",
+    "commits": [
+      {
+        "id": "63738bb582c8b540af7bcfc18f87c575c3ed66e0",
+        "tree_id": "64897da445207e409ad05af93b1f349ad0a4ee19",
+        "distinct": true,
+        "message": "Add staging-argocd-demo environment",
+        "timestamp": "2018-05-04T15:40:02-07:00",
+        "url": "https://github.com/org/repo/commit/63738bb582c8b540af7bcfc18f87c575c3ed66e0",
+        "author": {
+          "name": "Jesse Suen",
+          "email": "Jesse_Suen@example.com",
+          "username": "org"
+        },
+        "committer": {
+          "name": "Jesse Suen",
+          "email": "Jesse_Suen@example.com",
+          "username": "org"
+        },
+        "added": [
+          "ksapps/test-app/environments/staging-argocd-demo/main.jsonnet",
+          "ksapps/test-app/environments/staging-argocd-demo/params.libsonnet"
+        ],
+        "removed": [
+  
+        ],
+        "modified": [
+          "ksapps/test-app/app.yaml"
+        ]
+      }
+    ],
+    "head_commit": {
+      "id": "63738bb582c8b540af7bcfc18f87c575c3ed66e0",
+      "tree_id": "64897da445207e409ad05af93b1f349ad0a4ee19",
+      "distinct": true,
+      "message": "Add staging-argocd-demo environment",
+      "timestamp": "2018-05-04T15:40:02-07:00",
+      "url": "https://github.com/org/repo/commit/63738bb582c8b540af7bcfc18f87c575c3ed66e0",
+      "author": {
+        "name": "Jesse Suen",
+        "email": "Jesse_Suen@example.com",
+        "username": "org"
+      },
+      "committer": {
+        "name": "Jesse Suen",
+        "email": "Jesse_Suen@example.com",
+        "username": "org"
+      },
+      "added": [
+        "ksapps/test-app/environments/staging-argocd-demo/main.jsonnet",
+        "ksapps/test-app/environments/staging-argocd-demo/params.libsonnet"
+      ],
+      "removed": [
+  
+      ],
+      "modified": [
+        "ksapps/test-app/app.yaml"
+      ]
+    },
+    "repository": {
+      "id": 123060978,
+      "name": "repo",
+      "full_name": "org/repo",
+      "owner": {
+        "name": "org",
+        "email": "org@users.noreply.github.com",
+        "login": "org",
+        "id": 12677113,
+        "avatar_url": "https://avatars0.githubusercontent.com/u/12677113?v=4",
+        "gravatar_id": "",
+        "url": "https://api.github.com/users/org",
+        "html_url": "https://github.com/org",
+        "followers_url": "https://api.github.com/users/org/followers",
+        "following_url": "https://api.github.com/users/org/following{/other_user}",
+        "gists_url": "https://api.github.com/users/org/gists{/gist_id}",
+        "starred_url": "https://api.github.com/users/org/starred{/owner}{/repo}",
+        "subscriptions_url": "https://api.github.com/users/org/subscriptions",
+        "organizations_url": "https://api.github.com/users/org/orgs",
+        "repos_url": "https://api.github.com/users/org/repos",
+        "events_url": "https://api.github.com/users/org/events{/privacy}",
+        "received_events_url": "https://api.github.com/users/org/received_events",
+        "type": "User",
+        "site_admin": false
+      },
+      "private": false,
+      "html_url": "https://github.com/org/repo",
+      "description": "Test Repository",
+      "fork": false,
+      "url": "https://github.com/org/repo",
+      "forks_url": "https://api.github.com/repos/org/repo/forks",
+      "keys_url": "https://api.github.com/repos/org/repo/keys{/key_id}",
+      "collaborators_url": "https://api.github.com/repos/org/repo/collaborators{/collaborator}",
+      "teams_url": "https://api.github.com/repos/org/repo/teams",
+      "hooks_url": "https://api.github.com/repos/org/repo/hooks",
+      "issue_events_url": "https://api.github.com/repos/org/repo/issues/events{/number}",
+      "events_url": "https://api.github.com/repos/org/repo/events",
+      "assignees_url": "https://api.github.com/repos/org/repo/assignees{/user}",
+      "branches_url": "https://api.github.com/repos/org/repo/branches{/branch}",
+      "tags_url": "https://api.github.com/repos/org/repo/tags",
+      "blobs_url": "https://api.github.com/repos/org/repo/git/blobs{/sha}",
+      "git_tags_url": "https://api.github.com/repos/org/repo/git/tags{/sha}",
+      "git_refs_url": "https://api.github.com/repos/org/repo/git/refs{/sha}",
+      "trees_url": "https://api.github.com/repos/org/repo/git/trees{/sha}",
+      "statuses_url": "https://api.github.com/repos/org/repo/statuses/{sha}",
+      "languages_url": "https://api.github.com/repos/org/repo/languages",
+      "stargazers_url": "https://api.github.com/repos/org/repo/stargazers",
+      "contributors_url": "https://api.github.com/repos/org/repo/contributors",
+      "subscribers_url": "https://api.github.com/repos/org/repo/subscribers",
+      "subscription_url": "https://api.github.com/repos/org/repo/subscription",
+      "commits_url": "https://api.github.com/repos/org/repo/commits{/sha}",
+      "git_commits_url": "https://api.github.com/repos/org/repo/git/commits{/sha}",
+      "comments_url": "https://api.github.com/repos/org/repo/comments{/number}",
+      "issue_comment_url": "https://api.github.com/repos/org/repo/issues/comments{/number}",
+      "contents_url": "https://api.github.com/repos/org/repo/contents/{+path}",
+      "compare_url": "https://api.github.com/repos/org/repo/compare/{base}...{head}",
+      "merges_url": "https://api.github.com/repos/org/repo/merges",
+      "archive_url": "https://api.github.com/repos/org/repo/{archive_format}{/ref}",
+      "downloads_url": "https://api.github.com/repos/org/repo/downloads",
+      "issues_url": "https://api.github.com/repos/org/repo/issues{/number}",
+      "pulls_url": "https://api.github.com/repos/org/repo/pulls{/number}",
+      "milestones_url": "https://api.github.com/repos/org/repo/milestones{/number}",
+      "notifications_url": "https://api.github.com/repos/org/repo/notifications{?since,all,participating}",
+      "labels_url": "https://api.github.com/repos/org/repo/labels{/name}",
+      "releases_url": "https://api.github.com/repos/org/repo/releases{/id}",
+      "deployments_url": "https://api.github.com/repos/org/repo/deployments",
+      "created_at": 1519698615,
+      "updated_at": "2018-05-04T22:37:55Z",
+      "pushed_at": 1525473610,
+      "git_url": "git://github.com/org/repo.git",
+      "ssh_url": "git@github.com:org/repo.git",
+      "clone_url": "https://github.com/org/repo.git",
+      "svn_url": "https://github.com/org/repo",
+      "homepage": null,
+      "size": 538,
+      "stargazers_count": 0,
+      "watchers_count": 0,
+      "language": null,
+      "has_issues": true,
+      "has_projects": true,
+      "has_downloads": true,
+      "has_wiki": true,
+      "has_pages": false,
+      "forks_count": 1,
+      "mirror_url": null,
+      "archived": false,
+      "open_issues_count": 0,
+      "license": null,
+      "forks": 1,
+      "open_issues": 0,
+      "watchers": 0,
+      "default_branch": "master",
+      "stargazers": 0,
+      "master_branch": "master"
+    },
+    "pusher": {
+      "name": "org",
+      "email": "org@users.noreply.github.com"
+    },
+    "sender": {
+      "login": "org",
+      "id": 12677113,
+      "avatar_url": "https://avatars0.githubusercontent.com/u/12677113?v=4",
+      "gravatar_id": "",
+      "url": "https://api.github.com/users/org",
+      "html_url": "https://github.com/org",
+      "followers_url": "https://api.github.com/users/org/followers",
+      "following_url": "https://api.github.com/users/org/following{/other_user}",
+      "gists_url": "https://api.github.com/users/org/gists{/gist_id}",
+      "starred_url": "https://api.github.com/users/org/starred{/owner}{/repo}",
+      "subscriptions_url": "https://api.github.com/users/org/subscriptions",
+      "organizations_url": "https://api.github.com/users/org/orgs",
+      "repos_url": "https://api.github.com/users/org/repos",
+      "events_url": "https://api.github.com/users/org/events{/privacy}",
+      "received_events_url": "https://api.github.com/users/org/received_events",
+      "type": "User",
+      "site_admin": false
+    }
+  }
--- a/applicationset/webhook/webhook.go
+++ b/applicationset/webhook/webhook.go
@@ -2,7 +2,6 @@ package webhook

 import (
 	"context"
-	"errors"
 	"fmt"
 	"html"
 	"net/http"
@@ -10,6 +9,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"

 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/util/retry"
@@ -19,6 +19,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argosettings "github.com/argoproj/argo-cd/v2/util/settings"
+	"github.com/argoproj/argo-cd/v2/util/webhook"

 	"github.com/go-playground/webhooks/v6/azuredevops"
 	"github.com/go-playground/webhooks/v6/github"
@@ -26,16 +27,17 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-var errBasicAuthVerificationFailed = errors.New("basic auth verification failed")
+const payloadQueueSize = 50000

 type WebhookHandler struct {
-	namespace              string
-	github                 *github.Webhook
-	gitlab                 *gitlab.Webhook
-	azuredevops            *azuredevops.Webhook
-	azuredevopsAuthHandler func(r *http.Request) error
-	client                 client.Client
-	generators             map[string]generators.Generator
+	sync.WaitGroup // for testing
+	namespace      string
+	github         *github.Webhook
+	gitlab         *gitlab.Webhook
+	azuredevops    *azuredevops.Webhook
+	client         client.Client
+	generators     map[string]generators.Generator
+	queue          chan interface{}
 }

 type gitGeneratorInfo struct {
@@ -66,7 +68,7 @@ type prGeneratorGitlabInfo struct {
 	APIHostname string
 }

-func NewWebhookHandler(namespace string, argocdSettingsMgr *argosettings.SettingsManager, client client.Client, generators map[string]generators.Generator) (*WebhookHandler, error) {
+func NewWebhookHandler(namespace string, webhookParallelism int, argocdSettingsMgr *argosettings.SettingsManager, client client.Client, generators map[string]generators.Generator) (*WebhookHandler, error) {
 	// register the webhook secrets stored under "argocd-secret" for verifying incoming payloads
 	argocdSettings, err := argocdSettingsMgr.GetSettings()
 	if err != nil {
@@ -80,29 +82,40 @@ func NewWebhookHandler(namespace string, argocdSettingsMgr *argosettings.Setting
 	if err != nil {
 		return nil, fmt.Errorf("Unable to init GitLab webhook: %w", err)
 	}
-	azuredevopsHandler, err := azuredevops.New()
+	azuredevopsHandler, err := azuredevops.New(azuredevops.Options.BasicAuth(argocdSettings.WebhookAzureDevOpsUsername, argocdSettings.WebhookAzureDevOpsPassword))
 	if err != nil {
 		return nil, fmt.Errorf("Unable to init Azure DevOps webhook: %w", err)
 	}
-	azuredevopsAuthHandler := func(r *http.Request) error {
-		if argocdSettings.WebhookAzureDevOpsUsername != "" && argocdSettings.WebhookAzureDevOpsPassword != "" {
-			username, password, ok := r.BasicAuth()
-			if !ok || username != argocdSettings.WebhookAzureDevOpsUsername || password != argocdSettings.WebhookAzureDevOpsPassword {
-				return errBasicAuthVerificationFailed
-			}
-		}
-		return nil
+
+	webhookHandler := &WebhookHandler{
+		namespace:   namespace,
+		github:      githubHandler,
+		gitlab:      gitlabHandler,
+		azuredevops: azuredevopsHandler,
+		client:      client,
+		generators:  generators,
+		queue:       make(chan interface{}, payloadQueueSize),
 	}

-	return &WebhookHandler{
-		namespace:              namespace,
-		github:                 githubHandler,
-		gitlab:                 gitlabHandler,
-		azuredevops:            azuredevopsHandler,
-		azuredevopsAuthHandler: azuredevopsAuthHandler,
-		client:                 client,
-		generators:             generators,
-	}, nil
+	webhookHandler.startWorkerPool(webhookParallelism)
+
+	return webhookHandler, nil
+}
+
+func (h *WebhookHandler) startWorkerPool(webhookParallelism int) {
+	for i := 0; i < webhookParallelism; i++ {
+		h.Add(1)
+		go func() {
+			defer h.Done()
+			for {
+				payload, ok := <-h.queue
+				if !ok {
+					return
+				}
+				h.HandleEvent(payload)
+			}
+		}()
+	}
 }

 func (h *WebhookHandler) HandleEvent(payload interface{}) {
@@ -153,13 +166,7 @@ func (h *WebhookHandler) Handler(w http.ResponseWriter, r *http.Request) {
 	case r.Header.Get("X-Gitlab-Event") != "":
 		payload, err = h.gitlab.Parse(r, gitlab.PushEvents, gitlab.TagEvents, gitlab.MergeRequestEvents)
 	case r.Header.Get("X-Vss-Activityid") != "":
-		if err = h.azuredevopsAuthHandler(r); err != nil {
-			if errors.Is(err, errBasicAuthVerificationFailed) {
-				log.WithField(common.SecurityField, common.SecurityHigh).Infof("Azure DevOps webhook basic auth verification failed")
-			}
-		} else {
-			payload, err = h.azuredevops.Parse(r, azuredevops.GitPushEventType, azuredevops.GitPullRequestCreatedEventType, azuredevops.GitPullRequestUpdatedEventType, azuredevops.GitPullRequestMergedEventType)
-		}
+		payload, err = h.azuredevops.Parse(r, azuredevops.GitPushEventType, azuredevops.GitPullRequestCreatedEventType, azuredevops.GitPullRequestUpdatedEventType, azuredevops.GitPullRequestMergedEventType)
 	default:
 		log.Debug("Ignoring unknown webhook event")
 		http.Error(w, "Unknown webhook event", http.StatusBadRequest)
@@ -176,12 +183,12 @@ func (h *WebhookHandler) Handler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	h.HandleEvent(payload)
-}
-
-func parseRevision(ref string) string {
-	refParts := strings.SplitN(ref, "/", 3)
-	return refParts[len(refParts)-1]
+	select {
+	case h.queue <- payload:
+	default:
+		log.Info("Queue is full, discarding webhook payload")
+		http.Error(w, "Queue is full, discarding webhook payload", http.StatusServiceUnavailable)
+	}
 }

 func getGitGeneratorInfo(payload interface{}) *gitGeneratorInfo {
@@ -193,16 +200,16 @@ func getGitGeneratorInfo(payload interface{}) *gitGeneratorInfo {
 	switch payload := payload.(type) {
 	case github.PushPayload:
 		webURL = payload.Repository.HTMLURL
-		revision = parseRevision(payload.Ref)
+		revision = webhook.ParseRevision(payload.Ref)
 		touchedHead = payload.Repository.DefaultBranch == revision
 	case gitlab.PushEventPayload:
 		webURL = payload.Project.WebURL
-		revision = parseRevision(payload.Ref)
+		revision = webhook.ParseRevision(payload.Ref)
 		touchedHead = payload.Project.DefaultBranch == revision
 	case azuredevops.GitPushEvent:
 		// See: https://learn.microsoft.com/en-us/azure/devops/service-hooks/events?view=azure-devops#git.push
 		webURL = payload.Resource.Repository.RemoteURL
-		revision = parseRevision(payload.Resource.RefUpdates[0].Name)
+		revision = webhook.ParseRevision(payload.Resource.RefUpdates[0].Name)
 		touchedHead = payload.Resource.RefUpdates[0].Name == payload.Resource.Repository.DefaultBranch
 		// unfortunately, Azure DevOps doesn't provide a list of changed files
 	default:
@@ -362,12 +369,12 @@ func shouldRefreshPluginGenerator(gen *v1alpha1.PluginGenerator) bool {
 }

 func genRevisionHasChanged(gen *v1alpha1.GitGenerator, revision string, touchedHead bool) bool {
-	targetRev := parseRevision(gen.Revision)
+	targetRev := webhook.ParseRevision(gen.Revision)
 	if targetRev == "HEAD" || targetRev == "" { // revision is head
 		return touchedHead
 	}

-	return targetRev == revision
+	return targetRev == revision || gen.Revision == revision
 }

 func gitGeneratorUsesURL(gen *v1alpha1.GitGenerator, webURL string, repoRegexp *regexp.Regexp) bool {
--- a/applicationset/webhook/webhook_test.go
+++ b/applicationset/webhook/webhook_test.go
@@ -67,6 +67,15 @@ func TestWebhookHandler(t *testing.T) {
 			expectedStatusCode: http.StatusOK,
 			expectedRefresh:    true,
 		},
+		{
+			desc:               "WebHook from a GitHub repository via Commit shorthand",
+			headerKey:          "X-GitHub-Event",
+			headerValue:        "push",
+			payloadFile:        "github-commit-event-feature-branch.json",
+			effectedAppSets:    []string{"github-shorthand", "matrix-pull-request-github-plugin", "plugin"},
+			expectedStatusCode: http.StatusOK,
+			expectedRefresh:    true,
+		},
 		{
 			desc:               "WebHook from a GitHub repository via Commit to branch",
 			headerKey:          "X-GitHub-Event",
@@ -178,6 +187,7 @@ func TestWebhookHandler(t *testing.T) {
 	}

 	namespace := "test"
+	webhookParallelism := 10
 	fakeClient := newFakeClient(namespace)
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
@@ -191,6 +201,7 @@ func TestWebhookHandler(t *testing.T) {
 				fakeAppWithGitGenerator("git-github", namespace, "https://github.com/org/repo"),
 				fakeAppWithGitGenerator("git-gitlab", namespace, "https://gitlab/group/name"),
 				fakeAppWithGitGenerator("git-azure-devops", namespace, "https://dev.azure.com/fabrikam-fiber-inc/DefaultCollection/_git/Fabrikam-Fiber-Git"),
+				fakeAppWithGitGeneratorWithRevision("github-shorthand", namespace, "https://github.com/org/repo", "env/dev"),
 				fakeAppWithGithubPullRequestGenerator("pull-request-github", namespace, "CodErTOcat", "Hello-World"),
 				fakeAppWithGitlabPullRequestGenerator("pull-request-gitlab", namespace, "100500"),
 				fakeAppWithAzureDevOpsPullRequestGenerator("pull-request-azure-devops", namespace, "DefaultCollection", "Fabrikam"),
@@ -206,7 +217,7 @@ func TestWebhookHandler(t *testing.T) {
 				fakeAppWithMergeAndNestedGitGenerator("merge-nested-git-github", namespace, "https://github.com/org/repo"),
 			).Build()
 			set := argosettings.NewSettingsManager(context.TODO(), fakeClient, namespace)
-			h, err := NewWebhookHandler(namespace, set, fc, mockGenerators())
+			h, err := NewWebhookHandler(namespace, webhookParallelism, set, fc, mockGenerators())
 			require.NoError(t, err)

 			req := httptest.NewRequest(http.MethodPost, "/api/webhook", nil)
@@ -217,6 +228,8 @@ func TestWebhookHandler(t *testing.T) {
 			w := httptest.NewRecorder()

 			h.Handler(w, req)
+			close(h.queue)
+			h.Wait()
 			assert.Equal(t, test.expectedStatusCode, w.Code)

 			list := &v1alpha1.ApplicationSetList{}
@@ -299,14 +312,62 @@ func mockGenerators() map[string]generators.Generator {
 }

 func TestGenRevisionHasChanged(t *testing.T) {
-	assert.True(t, genRevisionHasChanged(&v1alpha1.GitGenerator{}, "master", true))
-	assert.False(t, genRevisionHasChanged(&v1alpha1.GitGenerator{}, "master", false))
-
-	assert.True(t, genRevisionHasChanged(&v1alpha1.GitGenerator{Revision: "dev"}, "dev", true))
-	assert.False(t, genRevisionHasChanged(&v1alpha1.GitGenerator{Revision: "dev"}, "master", false))
-
-	assert.True(t, genRevisionHasChanged(&v1alpha1.GitGenerator{Revision: "refs/heads/dev"}, "dev", true))
-	assert.False(t, genRevisionHasChanged(&v1alpha1.GitGenerator{Revision: "refs/heads/dev"}, "master", false))
+	type args struct {
+		gen         *v1alpha1.GitGenerator
+		revision    string
+		touchedHead bool
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{name: "touchedHead", args: args{
+			gen:         &v1alpha1.GitGenerator{},
+			revision:    "main",
+			touchedHead: true,
+		}, want: true},
+		{name: "didntTouchHead", args: args{
+			gen:         &v1alpha1.GitGenerator{},
+			revision:    "main",
+			touchedHead: false,
+		}, want: false},
+		{name: "foundEqualShort", args: args{
+			gen:         &v1alpha1.GitGenerator{Revision: "dev"},
+			revision:    "dev",
+			touchedHead: true,
+		}, want: true},
+		{name: "foundEqualLongGen", args: args{
+			gen:         &v1alpha1.GitGenerator{Revision: "refs/heads/dev"},
+			revision:    "dev",
+			touchedHead: true,
+		}, want: true},
+		{name: "foundNotEqualLongGen", args: args{
+			gen:         &v1alpha1.GitGenerator{Revision: "refs/heads/dev"},
+			revision:    "main",
+			touchedHead: true,
+		}, want: false},
+		{name: "foundNotEqualShort", args: args{
+			gen:         &v1alpha1.GitGenerator{Revision: "dev"},
+			revision:    "main",
+			touchedHead: false,
+		}, want: false},
+		{name: "foundEqualTag", args: args{
+			gen:         &v1alpha1.GitGenerator{Revision: "v3.14.1"},
+			revision:    "v3.14.1",
+			touchedHead: false,
+		}, want: true},
+		{name: "foundEqualTagLongGen", args: args{
+			gen:         &v1alpha1.GitGenerator{Revision: "refs/tags/v3.14.1"},
+			revision:    "v3.14.1",
+			touchedHead: false,
+		}, want: true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, genRevisionHasChanged(tt.args.gen, tt.args.revision, tt.args.touchedHead), "genRevisionHasChanged(%v, %v, %v)", tt.args.gen, tt.args.revision, tt.args.touchedHead)
+		})
+	}
 }

 func fakeAppWithGitGenerator(name, namespace, repo string) *v1alpha1.ApplicationSet {
@@ -328,6 +389,12 @@ func fakeAppWithGitGenerator(name, namespace, repo string) *v1alpha1.Application
 	}
 }

+func fakeAppWithGitGeneratorWithRevision(name, namespace, repo, revision string) *v1alpha1.ApplicationSet {
+	appSet := fakeAppWithGitGenerator(name, namespace, repo)
+	appSet.Spec.Generators[0].Git.Revision = revision
+	return appSet
+}
+
 func fakeAppWithGitlabPullRequestGenerator(name, namespace, projectId string) *v1alpha1.ApplicationSet {
 	return &v1alpha1.ApplicationSet{
 		ObjectMeta: metav1.ObjectMeta{
@@ -708,7 +775,7 @@ func fakeAppWithMatrixAndPullRequestGeneratorWithPluginGenerator(name, namespace
 func newFakeClient(ns string) *kubefake.Clientset {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(v1alpha1.SchemeGroupVersion, &v1alpha1.ApplicationSet{})
-	return kubefake.NewSimpleClientset(&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "argocd-cm", Namespace: ns, Labels: map[string]string{
+	return kubefake.NewClientset(&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "argocd-cm", Namespace: ns, Labels: map[string]string{
 		"app.kubernetes.io/part-of": "argocd",
 	}}}, &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
--- a/assets/builtin-policy.csv
+++ b/assets/builtin-policy.csv
@@ -1,10 +1,10 @@
 # Built-in policy which defines two roles: role:readonly and role:admin,
 # and additionally assigns the admin user to the role:admin role.
 # There are two policy formats:
-# 1. Applications, logs, and exec (which belong to a project):
-# p, <user/group>, <resource>, <action>, <project>/<object>
+# 1. Applications, applicationsets, logs, and exec (which belong to a project):
+# p, <role/user/group>, <resource>, <action>, <project>/<object>, <allow/deny>
 # 2. All other resources:
-# p, <user/group>, <resource>, <action>, <object>
+# p, <role/user/group>, <resource>, <action>, <object>, <allow/deny>

 p, role:readonly, applications, get, */*, allow
 p, role:readonly, certificates, get, *, allow
--- a/assets/swagger.json
+++ b/assets/swagger.json
@@ -1967,6 +1967,11 @@
            "type": "boolean",
            "name": "upsert",
            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "name": "dryRun",
+            "in": "query"
          }
        ],
        "responses": {
@@ -1985,6 +1990,39 @@
        }
      }
    },
+    "/api/v1/applicationsets/generate": {
+      "post": {
+        "tags": [
+          "ApplicationSetService"
+        ],
+        "summary": "Generate generates",
+        "operationId": "ApplicationSetService_Generate",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/applicationsetApplicationSetGenerateRequest"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/applicationsetApplicationSetGenerateResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/applicationsets/{name}": {
      "get": {
        "tags": [
@@ -4484,6 +4522,27 @@
        }
      }
    },
+    "applicationsetApplicationSetGenerateRequest": {
+      "type": "object",
+      "title": "ApplicationSetGetQuery is a query for applicationset resources",
+      "properties": {
+        "applicationSet": {
+          "$ref": "#/definitions/v1alpha1ApplicationSet"
+        }
+      }
+    },
+    "applicationsetApplicationSetGenerateResponse": {
+      "type": "object",
+      "title": "ApplicationSetGenerateResponse is a response for applicationset generate request",
+      "properties": {
+        "applications": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1Application"
+          }
+        }
+      }
+    },
    "applicationsetApplicationSetResponse": {
      "type": "object",
      "properties": {
@@ -4509,6 +4568,43 @@
        }
      }
    },
+    "applicationv1alpha1ResourceStatus": {
+      "type": "object",
+      "title": "ResourceStatus holds the current sync and health status of a resource\nTODO: describe members of this type",
+      "properties": {
+        "group": {
+          "type": "string"
+        },
+        "health": {
+          "$ref": "#/definitions/v1alpha1HealthStatus"
+        },
+        "hook": {
+          "type": "boolean"
+        },
+        "kind": {
+          "type": "string"
+        },
+        "name": {
+          "type": "string"
+        },
+        "namespace": {
+          "type": "string"
+        },
+        "requiresPruning": {
+          "type": "boolean"
+        },
+        "status": {
+          "type": "string"
+        },
+        "syncWave": {
+          "type": "integer",
+          "format": "int64"
+        },
+        "version": {
+          "type": "string"
+        }
+      }
+    },
    "clusterClusterID": {
      "type": "object",
      "title": "ClusterID holds a cluster server URL or cluster name",
@@ -4653,6 +4749,12 @@
        "help": {
          "$ref": "#/definitions/clusterHelp"
        },
+        "impersonationEnabled": {
+          "type": "boolean"
+        },
+        "installationID": {
+          "type": "string"
+        },
        "kustomizeOptions": {
          "$ref": "#/definitions/v1alpha1KustomizeOptions"
        },
@@ -5044,6 +5146,13 @@
    "repositoryManifestResponse": {
      "type": "object",
      "properties": {
+        "commands": {
+          "type": "array",
+          "title": "Commands is the list of commands used to hydrate the manifests",
+          "items": {
+            "type": "string"
+          }
+        },
        "manifests": {
          "type": "array",
          "items": {
@@ -5452,7 +5561,7 @@
      "properties": {
        "matchExpressions": {
          "type": "array",
-          "title": "matchExpressions is a list of label selector requirements. The requirements are ANDed.\n+optional",
+          "title": "matchExpressions is a list of label selector requirements. The requirements are ANDed.\n+optional\n+listType=atomic",
          "items": {
            "$ref": "#/definitions/v1LabelSelectorRequirement"
          }
@@ -5480,7 +5589,7 @@
        },
        "values": {
          "type": "array",
-          "title": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.\n+optional",
+          "title": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.\n+optional\n+listType=atomic",
          "items": {
            "type": "string"
          }
@@ -5604,7 +5713,7 @@
          "type": "string"
        },
        "kubeProxyVersion": {
-          "description": "KubeProxy Version reported by the node.",
+          "description": "Deprecated: KubeProxy Version reported by the node.",
          "type": "string"
        },
        "kubeletVersion": {
@@ -5653,7 +5762,7 @@
        },
        "finalizers": {
          "type": "array",
-          "title": "Must be empty before the object is deleted from the registry. Each entry\nis an identifier for the responsible component that will remove the entry\nfrom the list. If the deletionTimestamp of the object is non-nil, entries\nin this list can only be removed.\nFinalizers may be processed and removed in any order.  Order is NOT enforced\nbecause it introduces significant risk of stuck finalizers.\nfinalizers is a shared field, any actor with permission can reorder it.\nIf the finalizer list is processed in order, then this can lead to a situation\nin which the component responsible for the first finalizer in the list is\nwaiting for a signal (field value, external system, or other) produced by a\ncomponent responsible for a finalizer later in the list, resulting in a deadlock.\nWithout enforced ordering finalizers are free to order amongst themselves and\nare not vulnerable to ordering changes in the list.\n+optional\n+patchStrategy=merge",
+          "title": "Must be empty before the object is deleted from the registry. Each entry\nis an identifier for the responsible component that will remove the entry\nfrom the list. If the deletionTimestamp of the object is non-nil, entries\nin this list can only be removed.\nFinalizers may be processed and removed in any order.  Order is NOT enforced\nbecause it introduces significant risk of stuck finalizers.\nfinalizers is a shared field, any actor with permission can reorder it.\nIf the finalizer list is processed in order, then this can lead to a situation\nin which the component responsible for the first finalizer in the list is\nwaiting for a signal (field value, external system, or other) produced by a\ncomponent responsible for a finalizer later in the list, resulting in a deadlock.\nWithout enforced ordering finalizers are free to order amongst themselves and\nare not vulnerable to ordering changes in the list.\n+optional\n+patchStrategy=merge\n+listType=set",
          "items": {
            "type": "string"
          }
@@ -5675,7 +5784,7 @@
          }
        },
        "managedFields": {
-          "description": "ManagedFields maps workflow-id and version to the set of fields\nthat are managed by that workflow. This is mostly for internal\nhousekeeping, and users typically shouldn't need to set or\nunderstand this field. A workflow can be the user's name, a\ncontroller's name, or the name of a specific apply path like\n\"ci-cd\". The set of fields is always in the version that the\nworkflow used when modifying the object.\n\n+optional",
+          "description": "ManagedFields maps workflow-id and version to the set of fields\nthat are managed by that workflow. This is mostly for internal\nhousekeeping, and users typically shouldn't need to set or\nunderstand this field. A workflow can be the user's name, a\ncontroller's name, or the name of a specific apply path like\n\"ci-cd\". The set of fields is always in the version that the\nworkflow used when modifying the object.\n\n+optional\n+listType=atomic",
          "type": "array",
          "items": {
            "$ref": "#/definitions/v1ManagedFieldsEntry"
@@ -5691,7 +5800,7 @@
        },
        "ownerReferences": {
          "type": "array",
-          "title": "List of objects depended by this object. If ALL objects in the list have\nbeen deleted, this object will be garbage collected. If this object is managed by a controller,\nthen an entry in this list will point to this controller, with the controller field set to true.\nThere cannot be more than one managing controller.\n+optional\n+patchMergeKey=uid\n+patchStrategy=merge",
+          "title": "List of objects depended by this object. If ALL objects in the list have\nbeen deleted, this object will be garbage collected. If this object is managed by a controller,\nthen an entry in this list will point to this controller, with the controller field set to true.\nThere cannot be more than one managing controller.\n+optional\n+patchMergeKey=uid\n+patchStrategy=merge\n+listType=map\n+listMapKey=uid",
          "items": {
            "$ref": "#/definitions/v1OwnerReference"
          }
@@ -5867,6 +5976,13 @@
          "type": "string",
          "title": "Description contains optional project description"
        },
+        "destinationServiceAccounts": {
+          "description": "DestinationServiceAccounts holds information about the service accounts to be impersonated for the application sync operation for each destination.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ApplicationDestinationServiceAccount"
+          }
+        },
        "destinations": {
          "type": "array",
          "title": "Destinations contains list of destinations available for deployment",
@@ -5998,6 +6114,24 @@
        }
      }
    },
+    "v1alpha1ApplicationDestinationServiceAccount": {
+      "description": "ApplicationDestinationServiceAccount holds information about the service account to be impersonated for the application sync operation.",
+      "type": "object",
+      "properties": {
+        "defaultServiceAccount": {
+          "type": "string",
+          "title": "DefaultServiceAccount to be used for impersonation during the sync operation"
+        },
+        "namespace": {
+          "description": "Namespace specifies the target namespace for the application's resources.",
+          "type": "string"
+        },
+        "server": {
+          "description": "Server specifies the URL of the target cluster's Kubernetes control plane API.",
+          "type": "string"
+        }
+      }
+    },
    "v1alpha1ApplicationList": {
      "type": "object",
      "title": "ApplicationList is list of Application resources\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object",
@@ -6322,7 +6456,7 @@
          "description": "Resources is a list of Applications resources managed by this application set.",
          "type": "array",
          "items": {
-            "$ref": "#/definitions/v1alpha1ResourceStatus"
+            "$ref": "#/definitions/applicationv1alpha1ResourceStatus"
          }
        }
      }
@@ -6471,6 +6605,13 @@
      "type": "object",
      "title": "ApplicationSourceHelm holds helm specific options",
      "properties": {
+        "apiVersions": {
+          "description": "APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
        "fileParameters": {
          "type": "array",
          "title": "FileParameters are file parameters to the helm template",
@@ -6482,6 +6623,14 @@
          "type": "boolean",
          "title": "IgnoreMissingValueFiles prevents helm template from failing when valueFiles do not exist locally by not appending them to helm template --values"
        },
+        "kubeVersion": {
+          "description": "KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.",
+          "type": "string"
+        },
+        "namespace": {
+          "description": "Namespace is an optional namespace to template with. If left empty, defaults to the app's destination namespace.",
+          "type": "string"
+        },
        "parameters": {
          "type": "array",
          "title": "Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation",
@@ -6552,6 +6701,13 @@
      "type": "object",
      "title": "ApplicationSourceKustomize holds options specific to an Application source specific to Kustomize",
      "properties": {
+        "apiVersions": {
+          "description": "APIVersions specifies the Kubernetes resource API versions to pass to Helm when templating manifests. By default,\nArgo CD uses the API versions of the target cluster. The format is [group/]version/kind.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
        "commonAnnotations": {
          "type": "object",
          "title": "CommonAnnotations is a list of additional annotations to add to rendered manifests",
@@ -6592,6 +6748,10 @@
            "type": "string"
          }
        },
+        "kubeVersion": {
+          "description": "KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD\nuses the Kubernetes version of the target cluster.",
+          "type": "string"
+        },
        "labelWithoutSelector": {
          "type": "boolean",
          "title": "LabelWithoutSelector specifies whether to apply common labels to resource selectors or not"
@@ -6763,7 +6923,7 @@
          "type": "array",
          "title": "Resources is a list of Kubernetes resources managed by this application",
          "items": {
-            "$ref": "#/definitions/v1alpha1ResourceStatus"
+            "$ref": "#/definitions/applicationv1alpha1ResourceStatus"
          }
        },
        "sourceType": {
@@ -6829,6 +6989,11 @@
          "items": {
            "$ref": "#/definitions/v1alpha1ResourceNode"
          }
+        },
+        "shardsCount": {
+          "type": "integer",
+          "format": "int64",
+          "title": "ShardsCount contains total number of shards the application tree is split into"
        }
      }
    },
@@ -6876,6 +7041,15 @@
        }
      }
    },
+    "v1alpha1BearerTokenBitbucket": {
+      "description": "BearerTokenBitbucket defines the Bearer token for BitBucket AppToken auth.",
+      "type": "object",
+      "properties": {
+        "tokenRef": {
+          "$ref": "#/definitions/v1alpha1SecretRef"
+        }
+      }
+    },
    "v1alpha1BearerTokenBitbucketCloud": {
      "description": "BearerTokenBitbucketCloud defines the Bearer token for BitBucket AppToken auth.",
      "type": "object",
@@ -6960,7 +7134,7 @@
        },
        "serverVersion": {
          "type": "string",
-          "title": "DEPRECATED: use Info.ServerVersion field instead.\nThe server version"
+          "title": "Deprecated: use Info.ServerVersion field instead.\nThe server version"
        },
        "shard": {
          "description": "Shard contains optional shard number. Calculated on the fly by the application controller if not specified.",
@@ -7138,6 +7312,18 @@
        }
      }
    },
+    "v1alpha1ConfigMapKeyRef": {
+      "description": "Utility struct for a reference to a configmap key.",
+      "type": "object",
+      "properties": {
+        "configMapName": {
+          "type": "string"
+        },
+        "key": {
+          "type": "string"
+        }
+      }
+    },
    "v1alpha1ConnectionState": {
      "type": "object",
      "title": "ConnectionState contains information about remote resource connection state, currently used for clusters and repositories",
@@ -7962,6 +8148,16 @@
        "basicAuth": {
          "$ref": "#/definitions/v1alpha1BasicAuthBitbucketServer"
        },
+        "bearerToken": {
+          "$ref": "#/definitions/v1alpha1BearerTokenBitbucket"
+        },
+        "caRef": {
+          "$ref": "#/definitions/v1alpha1ConfigMapKeyRef"
+        },
+        "insecure": {
+          "type": "boolean",
+          "title": "Allow self-signed TLS / Certificates; default: false"
+        },
        "project": {
          "description": "Project to scan. Required.",
          "type": "string"
@@ -7992,6 +8188,9 @@
          "description": "The GitLab API URL to talk to. If blank, uses https://gitlab.com/.",
          "type": "string"
        },
+        "caRef": {
+          "$ref": "#/definitions/v1alpha1ConfigMapKeyRef"
+        },
        "insecure": {
          "type": "boolean",
          "title": "Skips validating the SCM provider's TLS certificate - useful for self-signed certificates.; default: false"
@@ -8107,6 +8306,10 @@
          "type": "string",
          "title": "GithubAppPrivateKey specifies the private key PEM data for authentication via GitHub app"
        },
+        "noProxy": {
+          "type": "string",
+          "title": "NoProxy specifies a list of targets where the proxy isn't used, applies only in cases where the proxy is applied"
+        },
        "password": {
          "type": "string",
          "title": "Password for authenticating at the repo server"
@@ -8213,6 +8416,10 @@
          "type": "string",
          "title": "Name specifies a name to be used for this repo. Only used with Helm repos"
        },
+        "noProxy": {
+          "type": "string",
+          "title": "NoProxy specifies a list of targets where the proxy isn't used, applies only in cases where the proxy is applied"
+        },
        "password": {
          "type": "string",
          "title": "Password contains the password or PAT used for authenticating at the remote repository"
@@ -8610,43 +8817,6 @@
        }
      }
    },
-    "v1alpha1ResourceStatus": {
-      "type": "object",
-      "title": "ResourceStatus holds the current sync and health status of a resource\nTODO: describe members of this type",
-      "properties": {
-        "group": {
-          "type": "string"
-        },
-        "health": {
-          "$ref": "#/definitions/v1alpha1HealthStatus"
-        },
-        "hook": {
-          "type": "boolean"
-        },
-        "kind": {
-          "type": "string"
-        },
-        "name": {
-          "type": "string"
-        },
-        "namespace": {
-          "type": "string"
-        },
-        "requiresPruning": {
-          "type": "boolean"
-        },
-        "status": {
-          "type": "string"
-        },
-        "syncWave": {
-          "type": "integer",
-          "format": "int64"
-        },
-        "version": {
-          "type": "string"
-        }
-      }
-    },
    "v1alpha1RetryStrategy": {
      "type": "object",
      "title": "RetryStrategy contains information about the strategy to apply when a sync failed",
@@ -8869,6 +9039,16 @@
        "basicAuth": {
          "$ref": "#/definitions/v1alpha1BasicAuthBitbucketServer"
        },
+        "bearerToken": {
+          "$ref": "#/definitions/v1alpha1BearerTokenBitbucket"
+        },
+        "caRef": {
+          "$ref": "#/definitions/v1alpha1ConfigMapKeyRef"
+        },
+        "insecure": {
+          "type": "boolean",
+          "title": "Allow self-signed TLS / Certificates; default: false"
+        },
        "project": {
          "description": "Project to scan. Required.",
          "type": "string"
@@ -8969,6 +9149,9 @@
          "description": "The Gitlab API URL to talk to.",
          "type": "string"
        },
+        "caRef": {
+          "$ref": "#/definitions/v1alpha1ConfigMapKeyRef"
+        },
        "group": {
          "description": "Gitlab group to scan. Required.  You can use either the project id (recommended) or the full namespaced path.",
          "type": "string"
@@ -9020,6 +9203,11 @@
      "description": "SyncOperation contains details about a sync operation.",
      "type": "object",
      "properties": {
+        "autoHealAttemptsCount": {
+          "type": "integer",
+          "format": "int64",
+          "title": "SelfHealAttemptsCount contains the number of auto-heal attempts"
+        },
        "dryRun": {
          "type": "boolean",
          "title": "DryRun specifies to perform a `kubectl apply --dry-run` without actually performing the sync"
--- a/cmd/argocd-application-controller/commands/argocd_application_controller.go
+++ b/cmd/argocd-application-controller/commands/argocd_application_controller.go
@@ -4,12 +4,16 @@ import (
 	"context"
 	"fmt"
 	"math"
+	"os"
+	"os/signal"
+	"syscall"
 	"time"

 	"github.com/argoproj/pkg/stats"
 	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"

@@ -21,6 +25,7 @@ import (
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/v2/pkg/ratelimiter"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/argo"
 	"github.com/argoproj/argo-cd/v2/util/argo/normalizers"
 	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
 	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
@@ -53,12 +58,16 @@ func NewCommand() *cobra.Command {
 		repoServerAddress                string
 		repoServerTimeoutSeconds         int
 		selfHealTimeoutSeconds           int
+		selfHealBackoffTimeoutSeconds    int
+		selfHealBackoffFactor            int
+		selfHealBackoffCapSeconds        int
 		statusProcessors                 int
 		operationProcessors              int
 		glogLevel                        int
 		metricsPort                      int
 		metricsCacheExpiration           time.Duration
 		metricsAplicationLabels          []string
+		metricsAplicationConditions      []string
 		kubectlParallelismLimit          int64
 		cacheSource                      func() (*appstatecache.Cache, error)
 		redisClient                      *redis.Client
@@ -74,6 +83,9 @@ func NewCommand() *cobra.Command {
 		enableDynamicClusterDistribution bool
 		serverSideDiff                   bool
 		ignoreNormalizerOpts             normalizers.IgnoreNormalizerOpts
+
+		// argocd k8s event logging flag
+		enableK8sEvent []string
 	)
 	command := cobra.Command{
 		Use:               cliName,
@@ -148,6 +160,14 @@ func NewCommand() *cobra.Command {
 			kubectl := kubeutil.NewKubectl()
 			clusterSharding, err := sharding.GetClusterSharding(kubeClient, settingsMgr, shardingAlgorithm, enableDynamicClusterDistribution)
 			errors.CheckError(err)
+			var selfHealBackoff *wait.Backoff
+			if selfHealBackoffTimeoutSeconds != 0 {
+				selfHealBackoff = &wait.Backoff{
+					Duration: time.Duration(selfHealBackoffTimeoutSeconds) * time.Second,
+					Factor:   float64(selfHealBackoffFactor),
+					Cap:      time.Duration(selfHealBackoffCapSeconds) * time.Second,
+				}
+			}
 			appController, err = controller.NewApplicationController(
 				namespace,
 				settingsMgr,
@@ -160,10 +180,12 @@ func NewCommand() *cobra.Command {
 				hardResyncDuration,
 				time.Duration(appResyncJitter)*time.Second,
 				time.Duration(selfHealTimeoutSeconds)*time.Second,
+				selfHealBackoff,
 				time.Duration(repoErrorGracePeriod)*time.Second,
 				metricsPort,
 				metricsCacheExpiration,
 				metricsAplicationLabels,
+				metricsAplicationConditions,
 				kubectlParallelismLimit,
 				persistResourceHealth,
 				clusterSharding,
@@ -172,6 +194,7 @@ func NewCommand() *cobra.Command {
 				serverSideDiff,
 				enableDynamicClusterDistribution,
 				ignoreNormalizerOpts,
+				enableK8sEvent,
 			)
 			errors.CheckError(err)
 			cacheutil.CollectMetrics(redisClient, appController.GetMetricsServer())
@@ -188,10 +211,22 @@ func NewCommand() *cobra.Command {
 				defer closeTracer()
 			}

+			// Graceful shutdown code
+			sigCh := make(chan os.Signal, 1)
+			signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM)
+			go func() {
+				s := <-sigCh
+				log.Printf("got signal %v, attempting graceful shutdown", s)
+				cancel()
+			}()
+
 			go appController.Run(ctx, statusProcessors, operationProcessors)

-			// Wait forever
-			select {}
+			<-ctx.Done()
+
+			log.Println("clean shutdown")
+
+			return nil
 		},
 	}

@@ -209,11 +244,15 @@ func NewCommand() *cobra.Command {
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
 	command.Flags().DurationVar(&metricsCacheExpiration, "metrics-cache-expiration", env.ParseDurationFromEnv("ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION", 0*time.Second, 0, math.MaxInt64), "Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)")
-	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS", 5, 0, math.MaxInt32), "Specifies timeout between application self heal attempts")
+	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS", 0, 0, math.MaxInt32), "Specifies timeout between application self heal attempts")
+	command.Flags().IntVar(&selfHealBackoffTimeoutSeconds, "self-heal-backoff-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS", 2, 0, math.MaxInt32), "Specifies initial timeout of exponential backoff between self heal attempts")
+	command.Flags().IntVar(&selfHealBackoffFactor, "self-heal-backoff-factor", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR", 3, 0, math.MaxInt32), "Specifies factor of exponential timeout between application self heal attempts")
+	command.Flags().IntVar(&selfHealBackoffCapSeconds, "self-heal-backoff-cap-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS", 300, 0, math.MaxInt32), "Specifies max timeout of exponential backoff between application self heal attempts")
 	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", env.ParseInt64FromEnv("ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT", 20, 0, math.MaxInt64), "Number of allowed concurrent kubectl fork/execs. Any value less than 1 means no limit.")
 	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
 	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS", false), "Whether to use strict validation of the TLS cert presented by the repo server")
 	command.Flags().StringSliceVar(&metricsAplicationLabels, "metrics-application-labels", []string{}, "List of Application labels that will be added to the argocd_application_labels metric")
+	command.Flags().StringSliceVar(&metricsAplicationConditions, "metrics-application-conditions", []string{}, "List of Application conditions that will be added to the argocd_application_conditions metric")
 	command.Flags().StringVar(&otlpAddress, "otlp-address", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS", ""), "OpenTelemetry collector address to send traces to")
 	command.Flags().BoolVar(&otlpInsecure, "otlp-insecure", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE", true), "OpenTelemetry collector insecure mode")
 	command.Flags().StringToStringVar(&otlpHeaders, "otlp-headers", env.ParseStringToStringFromEnv("ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS", map[string]string{}, ","), "List of OpenTelemetry collector extra headers sent with traces, headers are comma-separated key-value pairs(e.g. key1=value1,key2=value2)")
@@ -233,6 +272,9 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&enableDynamicClusterDistribution, "dynamic-cluster-distribution-enabled", env.ParseBoolFromEnv(common.EnvEnableDynamicClusterDistribution, false), "Enables dynamic cluster distribution.")
 	command.Flags().BoolVar(&serverSideDiff, "server-side-diff-enabled", env.ParseBoolFromEnv(common.EnvServerSideDiff, false), "Feature flag to enable ServerSide diff. Default (\"false\")")
 	command.Flags().DurationVar(&ignoreNormalizerOpts.JQExecutionTimeout, "ignore-normalizer-jq-execution-timeout-seconds", env.ParseDurationFromEnv("ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT", 0*time.Second, 0, math.MaxInt64), "Set ignore normalizer JQ execution timeout")
+	// argocd k8s event logging flag
+	command.Flags().StringSliceVar(&enableK8sEvent, "enable-k8s-event", env.StringsFromEnv("ARGOCD_ENABLE_K8S_EVENT", argo.DefaultEnableEventList(), ","), "Enable ArgoCD to use k8s event. For disabling all events, set the value as `none`. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated)")
+
 	cacheSource = appstatecache.AddCacheFlagsToCmd(&command, cacheutil.Options{
 		OnClientCreated: func(client *redis.Client) {
 			redisClient = client
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .12.0
 .13.9