Bump version to 3.2.6 on release-3.2 branch (#26120 )

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: crenshaw-dev <350466+crenshaw-dev@users.noreply.github.com>
fix: cherry pick #25516 to release-3.2 (#26115 )
2026-02-21 01:58:46 +01:00 · 2026-01-22 14:34:29 -05:00 · 2026-01-22 13:34:06 -05:00 · 2026-01-21 09:21:20 +02:00 · 2026-01-20 17:34:00 +02:00 · 2026-01-15 16:26:37 -05:00
1080 changed files with 25508 additions and 206446 deletions
--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@@ -9,78 +9,18 @@ assignees: ''
 Target RC1 date: ___. __, ____
 Target GA date: ___. __, ____

-## RC1 Release Checklist
-
- - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can't merge
+ - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can’t merge
 - [ ] At least two days before RC1 date, draft RC blog post and submit it for review (or delegate this task)
- - [ ] Create new release branch (or delegate this task to an Approver)
-    - [ ] Add the release branch to ReadTheDocs
 - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
-    - [ ] Run the [Init ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/init-release.yaml) from the release branch
-    - [ ] Review and merge the generated version bump PR
-    - [ ] Run `./hack/trigger-release.sh` to push the release tag
-    - [ ] Monitor the [Publish ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/release.yaml)
-    - [ ] Verify the release on [GitHub releases](https://github.com/argoproj/argo-cd/releases)
-    - [ ] Verify the container image on [Quay.io](https://quay.io/repository/argoproj/argocd?tab=tags)
-    - [ ] Confirm the new version appears in [Read the Docs](https://argo-cd.readthedocs.io/)
-    - [ ] Verify the docs release build in https://app.readthedocs.org/projects/argo-cd/ succeeded and retry if failed (requires an Approver with admin creds to readthedocs)
- - [ ] Announce RC1 release
-   - [ ] Confirm that tweet and blog post are ready
-   - [ ] Publish tweet and blog post
-   - [ ] Post in #argo-cd and #argo-announcements requesting help testing:
-     ```
-     :mega: Argo CD v{MAJOR}.{MINOR}.{PATCH}-rc{RC_NUMBER} is OUT NOW! :argocd::tada:
-     
-     Please go through the following resources to know more about the release:
-     
-     Release notes: https://github.com/argoproj/argo-cd/releases/tag/v{VERSION}
-     Blog: {BLOG_POST_URL}
-     
-     We'd love your help testing this release candidate! Please try it out in your environments and report any issues you find. This helps us ensure a stable GA release.
-     
-     Thanks to all the folks who spent their time contributing to this release in any way possible!
-     ```
- - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate during the RC period (or delegate this task to an Approver and coordinate timing)
-
-## GA Release Checklist
-
- - [ ] At GA release date, evaluate if any bugs justify delaying the release
- - [ ] Prepare for EOL version (version that is 3 releases old)
-    - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
-    - [ ] Edit the final patch release on GitHub and add the following notice at the top:
-     ```markdown
-     > [!IMPORTANT]
-     > **END OF LIFE NOTICE**
-     > 
-     > This is the final release of the {EOL_SERIES} release series. As of {GA_DATE}, this version has reached end of life and will no longer receive bug fixes or security updates.
-     > 
-     > **Action Required**: Please upgrade to a [supported version](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) (v{SUPPORTED_VERSION_1}, v{SUPPORTED_VERSION_2}, or v{NEW_VERSION}).
-     ```
- - [ ] Cut GA release (or delegate this task to an Approver and coordinate timing)
-    - [ ] Run the [Init ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/init-release.yaml) from the release branch
-    - [ ] Review and merge the generated version bump PR
-    - [ ] Run `./hack/trigger-release.sh` to push the release tag
-    - [ ] Monitor the [Publish ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/release.yaml)
-    - [ ] Verify the release on [GitHub releases](https://github.com/argoproj/argo-cd/releases)
-    - [ ] Verify the container image on [Quay.io](https://quay.io/repository/argoproj/argocd?tab=tags)
-    - [ ] Verify the `stable` tag has been updated
-    - [ ] Confirm the new version appears in [Read the Docs](https://argo-cd.readthedocs.io/)
-    - [ ] Verify the docs release build in https://app.readthedocs.org/projects/argo-cd/ succeeded and retry if failed (requires an Approver with admin creds to readthedocs)
- - [ ] Announce GA release with EOL notice
-   - [ ] Confirm that tweet and blog post are ready
-   - [ ] Publish tweet and blog post
-   - [ ] Post in #argo-cd and #argo-announcements announcing the release and EOL:
-     ```
-     :mega: Argo CD v{MAJOR}.{MINOR} is OUT NOW! :argocd::tada:
-     
-     Please go through the following resources to know more about the release:
-     
-     Upgrade instructions: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/{PREV_MINOR}-{MAJOR}.{MINOR}/
-     Blog: {BLOG_POST_URL}
-     
-     :warning: IMPORTANT: With the release of Argo CD v{MAJOR}.{MINOR}, support for Argo CD v{EOL_VERSION} has officially reached End of Life (EOL).
-     
-     Thanks to all the folks who spent their time contributing to this release in any way possible!
-     ```
+ - [ ] Create new release branch
+    - [ ] Add the release branch to ReadTheDocs
+    - [ ] Confirm that tweet and blog post are ready
+    - [ ] Trigger the release
+    - [ ] After the release is finished, publish tweet and blog post
+    - [ ] Post in #argo-cd and #argo-announcements with lots of emojis announcing the release and requesting help testing
+ - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate (or delegate this task to an Approver and coordinate timing)
+ - [ ] At release date, evaluate if any bugs justify delaying the release. If not, cut the release (or delegate this task to an Approver and coordinate timing)
+ - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
+ - [ ] After the release, post in #argo-cd that the {current minor version minus 3} has reached EOL (example: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1667336234059729)
 - [ ] (For the next release champion) Review the [items scheduled for the next release](https://github.com/orgs/argoproj/projects/25). If any item does not have an assignee who can commit to finish the feature, move it to the next release.
- - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
+ - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
--- a/.github/workflows/bump-major-version.yaml
+++ b/.github/workflows/bump-major-version.yaml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -37,7 +37,7 @@ jobs:
        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd

      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Add ~/go/bin to PATH
@@ -74,7 +74,7 @@ jobs:
          rsync -a --exclude=.git /home/runner/go/src/github.com/argoproj/argo-cd/ ../argo-cd

      - name: Create pull request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725  # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e  # v7.0.8
        with:
          commit-message: "Bump major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}"
          title: "Bump major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}"
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@@ -38,7 +38,7 @@ jobs:
          private-key: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}

      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ steps.generate-token.outputs.token }}
@@ -91,17 +91,11 @@ jobs:
      - name: Create Pull Request
        run: |
          # Create cherry-pick PR
-          TITLE="${PR_TITLE} (cherry-pick #${{ inputs.pr_number }} for ${{ inputs.version_number }})"
-          BODY=$(cat <<EOF
-          Cherry-picked ${PR_TITLE} (#${{ inputs.pr_number }})
-
-          ${{ steps.cherry-pick.outputs.signoff }}
-          EOF
-          )
-
          gh pr create \
-            --title "$TITLE" \
-            --body "$BODY" \
+            --title "${{ inputs.pr_title }} (cherry-pick #${{ inputs.pr_number }} for ${{ inputs.version_number }})" \
+            --body "Cherry-picked ${{ inputs.pr_title }} (#${{ inputs.pr_number }})
+
+          ${{ steps.cherry-pick.outputs.signoff }}" \
            --base "${{ steps.cherry-pick.outputs.target_branch }}" \
            --head "${{ steps.cherry-pick.outputs.branch_name }}"

@@ -109,13 +103,12 @@ jobs:
          gh pr comment ${{ inputs.pr_number }} \
            --body "🍒 Cherry-pick PR created for ${{ inputs.version_number }}: #$(gh pr list --head ${{ steps.cherry-pick.outputs.branch_name }} --json number --jq '.[0].number')"
        env:
-          PR_TITLE: ${{ inputs.pr_title }}
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}

      - name: Comment on failure
        if: failure()
        run: |
          gh pr comment ${{ inputs.pr_number }} \
-            --body "❌ Cherry-pick failed for ${{ inputs.version_number }}. Please check the [workflow logs](https://github.com/argoproj/argo-cd/actions/runs/${{ github.run_id }}) for details."
+            --body "❌ Cherry-pick failed for ${{ inputs.version_number }}. Please check the workflow logs for details."
        env:
-          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -31,8 +31,8 @@ jobs:
      frontend: ${{ steps.filter.outputs.frontend_any_changed }}
      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
@@ -55,9 +55,9 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@@ -67,6 +67,7 @@ jobs:
        run: |
          go mod tidy
          git diff --exit-code -- .
+
  build-go:
    name: Build & cache Go code
    if: ${{ needs.changes.outputs.backend == 'true' }}
@@ -75,13 +76,13 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -102,16 +103,16 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          # renovate: datasource=go packageName=github.com/golangci/golangci-lint versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
-          version: v2.5.0
+          version: v2.4.0
          args: --verbose

  test-go:
@@ -128,11 +129,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -152,7 +153,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -173,7 +174,7 @@ jobs:
      - name: Run all unit tests
        run: make test-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: test-results
          path: test-results
@@ -192,11 +193,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -216,7 +217,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -237,7 +238,7 @@ jobs:
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: race-results
          path: test-results/
@@ -250,16 +251,15 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
-        # generalizing repo name for forks:  ${{ github.event.repository.name }}
        run: |
          mkdir -p ~/go/src/github.com/argoproj
-          cp -a ../${{ github.event.repository.name }} ~/go/src/github.com/argoproj
+          cp -a ../argo-cd ~/go/src/github.com/argoproj
      - name: Add ~/go/bin to PATH
        run: |
          echo "/home/runner/go/bin" >> $GITHUB_PATH
@@ -271,14 +271,12 @@ jobs:
          # We need to vendor go modules for codegen yet
          go mod download
          go mod vendor -v
-        # generalizing repo name for forks:  ${{ github.event.repository.name }}
-        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
      - name: Install toolchain for codegen
        run: |
          make install-codegen-tools-local
          make install-go-tools-local
-        # generalizing repo name for forks:  ${{ github.event.repository.name }}
-        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
        # We install kustomize in the dist directory
      - name: Add dist to PATH
        run: |
@@ -289,14 +287,12 @@ jobs:
          export GOPATH=$(go env GOPATH)
          git checkout -- go.mod go.sum
          make codegen-local
-        # generalizing repo name for forks:  ${{ github.event.repository.name }}
-        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
      - name: Check nothing has changed
        run: |
          set -xo pipefail
          git diff --exit-code -- . ':!go.sum' ':!go.mod' ':!assets/swagger.json' | tee codegen.patch
-        # generalizing repo name for forks:  ${{ github.event.repository.name }}
-        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd

  build-ui:
    name: Build, test & lint UI code
@@ -307,15 +303,15 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup NodeJS
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          # renovate: datasource=node-version packageName=node versioning=node
          node-version: '22.9.0'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -340,7 +336,7 @@ jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - run: |
          sudo apt-get install shellcheck
          shellcheck -e SC2059 -e SC2154 -e SC2034 -e SC2016 -e SC1091 $(find . -type f -name '*.sh' | grep -v './ui/node_modules') | tee sc.log
@@ -359,12 +355,12 @@ jobs:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -372,12 +368,12 @@ jobs:
        run: |
          rm -rf ui/node_modules/argo-ui/node_modules
      - name: Get e2e code coverage
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: e2e-code-coverage
          path: e2e-code-coverage
      - name: Get unit test code coverage
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: test-results
          path: test-results
@@ -389,7 +385,7 @@ jobs:
        run: |
          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller,e2e-code-coverage/commit-server -o test-results/full-coverage.out
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        with:
          files: test-results/full-coverage.out
          fail_ci_if_error: true
@@ -406,12 +402,12 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
+        uses: SonarSource/sonarqube-scan-action@1a6d90ebcb0e6a6b1d87e37ba693fe453195ae25 # v5.3.1
        if: env.sonar_secret != ''
  test-e2e:
    name: Run end-to-end tests
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ${{ github.repository == 'argoproj/argo-cd' && 'oracle-vm-16cpu-64gb-x86-64' || 'ubuntu-22.04' }}
+    runs-on: oracle-vm-16cpu-64gb-x86-64
    strategy:
      fail-fast: false
      matrix:
@@ -430,7 +426,11 @@ jobs:
      - build-go
      - changes
    env:
+      GOPATH: /home/ubuntu/go
      ARGOCD_FAKE_IN_CLUSTER: 'true'
+      ARGOCD_SSH_DATA_PATH: '/tmp/argo-e2e/app/config/ssh'
+      ARGOCD_TLS_DATA_PATH: '/tmp/argo-e2e/app/config/tls'
+      ARGOCD_E2E_SSH_KNOWN_HOSTS: '../fixture/certs/ssh_known_hosts'
      ARGOCD_E2E_K3S: 'true'
      ARGOCD_IN_CI: 'true'
      ARGOCD_E2E_APISERVER_PORT: '8088'
@@ -447,14 +447,11 @@ jobs:
          swap-storage: false
          tool-cache: false
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
-      - name: Set GOPATH
-        run: |
-          echo "GOPATH=$HOME/go" >> $GITHUB_ENV
      - name: GH actions workaround - Kill XSP4 process
        run: |
          sudo pkill mono || true
@@ -465,19 +462,19 @@ jobs:
          set -x
          curl -sfL https://get.k3s.io | sh -
          sudo chmod -R a+rw /etc/rancher/k3s
-          sudo mkdir -p $HOME/.kube && sudo chown -R $(whoami) $HOME/.kube
+          sudo mkdir -p $HOME/.kube && sudo chown -R ubuntu $HOME/.kube
          sudo k3s kubectl config view --raw > $HOME/.kube/config
-          sudo chown $(whoami) $HOME/.kube/config
+          sudo chown ubuntu $HOME/.kube/config
          sudo chmod go-r $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Add ~/go/bin to PATH
        run: |
-          echo "$HOME/go/bin" >> $GITHUB_PATH
+          echo "/home/ubuntu/go/bin" >> $GITHUB_PATH
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
@@ -499,11 +496,11 @@ jobs:
        run: |
          docker pull ghcr.io/dexidp/dex:v2.43.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:8.2.3-alpine
+          docker pull redis:8.2.2-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
-          chown $(whoami) dist
+          chown ubuntu dist
      - name: Run E2E server and wait for it being available
        timeout-minutes: 30
        run: |
@@ -529,13 +526,13 @@ jobs:
          goreman run stop-all || echo "goreman trouble"
          sleep 30
      - name: Upload e2e coverage report
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: e2e-code-coverage
          path: /tmp/coverage
        if: ${{ matrix.k3s.latest }}
      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: e2e-server-k8s${{ matrix.k3s.version }}.log
          path: /tmp/e2e-server.log
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,11 +29,11 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0

    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
    - name: Setup Golang
-      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
      with:
        go-version-file: go.mod
      
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -56,24 +56,24 @@ jobs:
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.ref_type == 'tag'}}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ inputs.go-version }}
          cache: false

      - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0

      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -103,7 +103,7 @@ jobs:
            echo 'EOF' >> $GITHUB_ENV

      - name: Login to Quay.io
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
@@ -111,7 +111,7 @@ jobs:
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
@@ -119,7 +119,7 @@ jobs:
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      - name: Login to dockerhub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -19,49 +19,16 @@ jobs:
  set-vars:
    permissions:
      contents: read
-    # Always run to calculate variables - other jobs check outputs
+    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    outputs:
      image-tag: ${{ steps.image.outputs.tag}}
      platforms: ${{ steps.platforms.outputs.platforms }}
-      image_namespace: ${{ steps.image.outputs.image_namespace }}
-      image_repository: ${{ steps.image.outputs.image_repository }}
-      quay_image_name: ${{ steps.image.outputs.quay_image_name }}
-      ghcr_image_name: ${{ steps.image.outputs.ghcr_image_name }}
-      ghcr_provenance_image: ${{ steps.image.outputs.ghcr_provenance_image }}
-      allow_ghcr_publish: ${{ steps.image.outputs.allow_ghcr_publish }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0

-      - name: Set image tag and names
-        run: |
-          # Calculate image tag
-          TAG="$(cat ./VERSION)-${GITHUB_SHA::8}"
-          echo "tag=$TAG" >> $GITHUB_OUTPUT
-          
-          # Calculate image names with defaults
-          IMAGE_NAMESPACE="${{ vars.IMAGE_NAMESPACE || 'argoproj' }}"
-          IMAGE_REPOSITORY="${{ vars.IMAGE_REPOSITORY || 'argocd' }}"
-          GHCR_NAMESPACE="${{ vars.GHCR_NAMESPACE || github.repository }}"
-          GHCR_REPOSITORY="${{ vars.GHCR_REPOSITORY || 'argocd' }}"
-          
-          echo "image_namespace=$IMAGE_NAMESPACE" >> $GITHUB_OUTPUT
-          echo "image_repository=$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
-          
-          # Construct image name
-          echo "quay_image_name=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY:latest" >> $GITHUB_OUTPUT
-          
-          ALLOW_GHCR_PUBLISH=false
-          if [[ "${{ github.repository }}" == "argoproj/argo-cd" || "$GHCR_NAMESPACE" != argoproj/* ]]; then
-            ALLOW_GHCR_PUBLISH=true
-            echo "ghcr_image_name=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY:$TAG" >> $GITHUB_OUTPUT
-            echo "ghcr_provenance_image=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY" >> $GITHUB_OUTPUT
-          else
-            echo "GhCR publish skipped: refusing to push to namespace '$GHCR_NAMESPACE'. Please override GHCR_* for forks." >&2
-            echo "ghcr_image_name=" >> $GITHUB_OUTPUT
-            echo "ghcr_provenance_image=" >> $GITHUB_OUTPUT
-          fi
-          echo "allow_ghcr_publish=$ALLOW_GHCR_PUBLISH" >> $GITHUB_OUTPUT
+      - name: Set image tag for ghcr
+        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
        id: image

      - name: Determine image platforms to use
@@ -81,7 +48,7 @@ jobs:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
-    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name != 'push' }}
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
    uses: ./.github/workflows/image-reuse.yaml
    with:
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
@@ -96,11 +63,11 @@ jobs:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
-    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' }}
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    uses: ./.github/workflows/image-reuse.yaml
    with:
-      quay_image_name: ${{ needs.set-vars.outputs.quay_image_name }}
-      ghcr_image_name: ${{ needs.set-vars.outputs.ghcr_image_name }}
+      quay_image_name: quay.io/argoproj/argocd:latest
+      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
      go-version: 1.25.5
@@ -114,17 +81,16 @@ jobs:

  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
    needs:
-      - set-vars
      - build-and-publish
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
-    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' && needs.set-vars.outputs.allow_ghcr_publish == 'true'}}
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
-      image: ${{ needs.set-vars.outputs.ghcr_provenance_image }}
+      image: ghcr.io/argoproj/argo-cd/argocd
      digest: ${{ needs.build-and-publish.outputs.image-digest }}
      registry-username: ${{ github.actor }}
    secrets:
@@ -140,7 +106,7 @@ jobs:
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
        env:
          TOKEN: ${{ secrets.TOKEN }}
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -21,15 +21,9 @@ jobs:
      pull-requests: write  # for peter-evans/create-pull-request to create a PR
    name: Automatically generate version and manifests on ${{ inputs.TARGET_BRANCH }}
    runs-on: ubuntu-22.04
-    env:
-      # Calculate image names with defaults, this will be used in the make manifests-local command
-      # to generate the correct image name in the manifests
-      IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'quay.io' }}
-      IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE || 'argoproj' }}
-      IMAGE_REPOSITORY: ${{ vars.IMAGE_REPOSITORY || 'argocd' }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -70,7 +64,7 @@ jobs:
          git stash pop

      - name: Create pull request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725  # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e  # v7.0.8
        with:
          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,15 +15,14 @@ env:

 jobs:
  argocd-image:
-    needs: [setup-variables]
    permissions:
      contents: read
      id-token: write # for creating OIDC tokens for signing.
      packages: write # used to push images to `ghcr.io` if used.
-    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    if: github.repository == 'argoproj/argo-cd'
    uses: ./.github/workflows/image-reuse.yaml
    with:
-      quay_image_name: ${{ needs.setup-variables.outputs.quay_image_name }}
+      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
      go-version: 1.25.5
@@ -35,20 +34,14 @@ jobs:

  setup-variables:
    name: Setup Release Variables
-    if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES == 'true' && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    outputs:
      is_pre_release: ${{ steps.var.outputs.is_pre_release }}
      is_latest_release: ${{ steps.var.outputs.is_latest_release }}
-      enable_fork_releases: ${{ steps.var.outputs.enable_fork_releases }}
-      image_namespace: ${{ steps.var.outputs.image_namespace }}
-      image_repository: ${{ steps.var.outputs.image_repository }}
-      quay_image_name: ${{ steps.var.outputs.quay_image_name }}
-      provenance_image: ${{ steps.var.outputs.provenance_image }}
-      allow_fork_release: ${{ steps.var.outputs.allow_fork_release }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -74,36 +67,18 @@ jobs:
          fi
          echo "is_pre_release=$PRE_RELEASE" >> $GITHUB_OUTPUT
          echo "is_latest_release=$IS_LATEST" >> $GITHUB_OUTPUT
-          
-          # Calculate configuration with defaults
-          ENABLE_FORK_RELEASES="${{ vars.ENABLE_FORK_RELEASES || 'false' }}"
-          IMAGE_NAMESPACE="${{ vars.IMAGE_NAMESPACE || 'argoproj' }}"
-          IMAGE_REPOSITORY="${{ vars.IMAGE_REPOSITORY || 'argocd' }}"
-          
-          echo "enable_fork_releases=$ENABLE_FORK_RELEASES" >> $GITHUB_OUTPUT
-          
-          echo "image_namespace=$IMAGE_NAMESPACE" >> $GITHUB_OUTPUT
-          echo "image_repository=$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
-          echo "quay_image_name=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY:${{ github.ref_name }}" >> $GITHUB_OUTPUT
-          echo "provenance_image=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
-          
-          ALLOW_FORK_RELEASE=false
-          if [[ "${{ github.repository_owner }}" != "argoproj" && "$ENABLE_FORK_RELEASES" == "true" && "$IMAGE_NAMESPACE" != "argoproj" && "${{ github.ref }}" == refs/tags/* ]]; then
-            ALLOW_FORK_RELEASE=true
-          fi
-          echo "allow_fork_release=$ALLOW_FORK_RELEASE" >> $GITHUB_OUTPUT

  argocd-image-provenance:
-    needs: [setup-variables, argocd-image]
+    needs: [argocd-image]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    if: github.repository == 'argoproj/argo-cd'
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
-      image: ${{ needs.setup-variables.outputs.provenance_image }}
+      image: quay.io/argoproj/argocd
      digest: ${{ needs.argocd-image.outputs.image-digest }}
    secrets:
      registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
@@ -116,7 +91,7 @@ jobs:
      - argocd-image-provenance
    permissions:
      contents: write # used for uploading assets
-    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    env:
      GORELEASER_MAKE_LATEST: ${{ needs.setup-variables.outputs.is_latest_release }}
@@ -124,7 +99,7 @@ jobs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -133,7 +108,7 @@ jobs:
        run: git fetch --force --tags

      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false
@@ -168,8 +143,6 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }}
          GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}
-          # Used to determine the current repository in the goreleaser config to display correct manifest links
-          GORELEASER_CURRENT_REPOSITORY: ${{ github.repository }}

      - name: Generate subject for provenance
        id: hash
@@ -186,12 +159,12 @@ jobs:
          echo "hashes=$hashes" >> $GITHUB_OUTPUT

  goreleaser-provenance:
-    needs: [goreleaser, setup-variables]
+    needs: [goreleaser]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
-    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    if: github.repository == 'argoproj/argo-cd'
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
@@ -204,22 +177,21 @@ jobs:
    needs:
      - argocd-image
      - goreleaser
-      - setup-variables
    permissions:
      contents: write # Needed for release uploads
    outputs:
      hashes: ${{ steps.sbom-hash.outputs.hashes }}
-    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false
@@ -235,7 +207,7 @@ jobs:
          # managers (gomod, yarn, npm).
          PROJECT_FOLDERS: '.,./ui'
          # full qualified name of the docker image to be inspected
-          DOCKER_IMAGE: ${{ needs.setup-variables.outputs.quay_image_name }}
+          DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
        run: |
          yarn install --cwd ./ui
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
@@ -264,7 +236,7 @@ jobs:
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload SBOM
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -272,12 +244,12 @@ jobs:
            /tmp/sbom.tar.gz

  sbom-provenance:
-    needs: [generate-sbom, setup-variables]
+    needs: [generate-sbom]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
-    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    if: github.repository == 'argoproj/argo-cd'
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
@@ -294,13 +266,13 @@ jobs:
    permissions:
      contents: write # Needed to push commit to update stable tag
      pull-requests: write # Needed to create PR for VERSION update.
-    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    env:
      TAG_STABLE: ${{ needs.setup-variables.outputs.is_latest_release }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -344,7 +316,7 @@ jobs:
        if: ${{ env.UPDATE_VERSION == 'true' }}

      - name: Create PR to update VERSION on master branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          commit-message: Bump version in master
          title: 'chore: Bump version in master'
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -10,7 +10,6 @@ permissions:
 jobs:
  renovate:
    runs-on: ubuntu-latest
-    if: github.repository == 'argoproj/argo-cd'
    steps:
      - name: Get token
        id: get_token
@@ -20,17 +19,10 @@ jobs:
          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
-
-      # Some codegen commands require Go to be setup
-      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
-        with:
-          # renovate: datasource=golang-version packageName=golang
-          go-version: 1.25.5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2

      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@5712c6a41dea6cdf32c72d92a763bd417e6606aa #44.0.5
+        uses: renovatebot/github-action@f8af9272cd94a4637c29f60dea8731afd3134473 #43.0.12
        with:
          configurationFile: .github/configs/renovate-config.js
          token: '${{ steps.get_token.outputs.token }}'
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -30,12 +30,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
        with:
          results_file: results.sarif
          results_format: sarif
@@ -54,7 +54,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: SARIF file
          path: results.sarif
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -22,7 +22,6 @@ linters:
    - govet
    - importas
    - misspell
-    - noctx
    - perfsprint
    - revive
    - staticcheck
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -66,14 +66,14 @@ release:

    ```shell
    kubectl create namespace argocd
-    kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/{{.Tag}}/manifests/install.yaml
+    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/install.yaml
    ```

    ### HA:

    ```shell
    kubectl create namespace argocd
-    kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/{{.Tag}}/manifests/ha/install.yaml
+    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/ha/install.yaml
    ```

    ## Release Signatures and Provenance
@@ -87,7 +87,7 @@ release:

    If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.
  footer: |
-    **Full Changelog**: https://github.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/compare/{{ .PreviousTag }}...{{ .Tag }}
+    **Full Changelog**: https://github.com/argoproj/argo-cd/compare/{{ .PreviousTag }}...{{ .Tag }}

    <a href="https://argoproj.github.io/cd/"><img src="https://raw.githubusercontent.com/argoproj/argo-site/master/content/pages/cd/gitops-cd.png" width="25%" ></a>

--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -1,6 +1,11 @@
 dir: '{{.InterfaceDir}}/mocks'
+structname: '{{.InterfaceName}}'
 filename: '{{.InterfaceName}}.go'
-include-auto-generated: true # Needed since mockery 3.6.1
+pkgname: mocks
+
+template-data:
+  unroll-variadic: true
+
 packages:
  github.com/argoproj/argo-cd/v3/applicationset/generators:
    interfaces:
@@ -9,10 +14,11 @@ packages:
    interfaces:
      Repos: {}
  github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider:
+    config:
+      dir: applicationset/services/scm_provider/aws_codecommit/mocks
    interfaces:
      AWSCodeCommitClient: {}
      AWSTaggingClient: {}
-      AzureDevOpsClientFactory: {}
  github.com/argoproj/argo-cd/v3/applicationset/utils:
    interfaces:
      Renderer: {}
@@ -32,9 +38,6 @@ packages:
  github.com/argoproj/argo-cd/v3/pkg/apiclient/cluster:
    interfaces:
      ClusterServiceServer: {}
-  github.com/argoproj/argo-cd/v3/pkg/apiclient/project:
-    interfaces:
-      ProjectServiceClient: {}
  github.com/argoproj/argo-cd/v3/pkg/apiclient/session:
    interfaces:
      SessionServiceClient: {}
@@ -44,8 +47,8 @@ packages:
      AppProjectInterface: {}
  github.com/argoproj/argo-cd/v3/reposerver/apiclient:
    interfaces:
-      RepoServerServiceClient: {}
      RepoServerService_GenerateManifestWithFilesClient: {}
+      RepoServerServiceClient: {}
  github.com/argoproj/argo-cd/v3/server/application:
    interfaces:
      Broadcaster: {}
@@ -60,37 +63,26 @@ packages:
  github.com/argoproj/argo-cd/v3/util/db:
    interfaces:
      ArgoDB: {}
-      RepoCredsDB: {}
  github.com/argoproj/argo-cd/v3/util/git:
    interfaces:
      Client: {}
  github.com/argoproj/argo-cd/v3/util/helm:
    interfaces:
      Client: {}
+  github.com/argoproj/argo-cd/v3/util/oci:
+    interfaces:
+      Client: {}
  github.com/argoproj/argo-cd/v3/util/io:
    interfaces:
      TempPaths: {}
  github.com/argoproj/argo-cd/v3/util/notification/argocd:
    interfaces:
      Service: {}
-  github.com/argoproj/argo-cd/v3/util/oci:
-    interfaces:
-      Client: {}
  github.com/argoproj/argo-cd/v3/util/workloadidentity:
    interfaces:
      TokenProvider: {}
-  github.com/argoproj/gitops-engine/pkg/cache:
-    interfaces:
-      ClusterCache: {}
-  github.com/argoproj/gitops-engine/pkg/diff:
-    interfaces:
-      ServerSideDryRunner: {}
  github.com/microsoft/azure-devops-go-api/azuredevops/v7/git:
    config:
      dir: applicationset/services/scm_provider/azure_devops/git/mocks
    interfaces:
      Client: {}
-pkgname: mocks
-structname: '{{.InterfaceName}}'
-template-data:
-  unroll-variadic: true
--- a/3
+++ b/3
@@ -16,5 +16,4 @@
 # CLI
 /cmd/argocd/** @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
 /cmd/main.go @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
-# Also include @argoproj/argocd-approvers-docs to avoid requiring CLI approvers for docs-only PRs.
-/docs/operator-manual/ @argoproj/argocd-approvers @argoproj/argocd-approvers-docs @argoproj/argocd-approvers-cli
+/docs/operator-manual/ @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
--- a/11
+++ b/11
@@ -1,10 +1,10 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:25.10@sha256:5922638447b1e3ba114332c896a2c7288c876bb94adec923d70d58a17d2fec5e
+ARG BASE_IMAGE=docker.io/library/ubuntu:25.04@sha256:10bb10bb062de665d4dc3e0ea36715270ead632cfcb74d08ca2273712a0dfb42
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.25.5@sha256:31c1e53dfc1cc2d269deec9c83f58729fa3c53dc9a576f6426109d1e319e9e9a AS builder
+FROM docker.io/library/golang:1.25.5@sha256:36b4f45d2874905b9e8573b783292629bcb346d0a70d8d7150b6df545234818f AS builder

 WORKDIR /tmp

@@ -85,7 +85,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:23.0.0@sha256:9d09fa506f5b8465c5221cbd6f980e29ae0ce9a3119e2b9bc0842e6a3f37bb59 AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:23.0.0@sha256:e643c0b70dca9704dff42e12b17f5b719dbe4f95e6392fc2dfa0c5f02ea8044d AS argocd-ui

 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]
@@ -103,13 +103,10 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25.5@sha256:31c1e53dfc1cc2d269deec9c83f58729fa3c53dc9a576f6426109d1e319e9e9a AS argocd-build
-
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25.5@sha256:36b4f45d2874905b9e8573b783292629bcb346d0a70d8d7150b6df545234818f AS argocd-build
 WORKDIR /go/src/github.com/argoproj/argo-cd

 COPY go.* ./
-RUN mkdir -p gitops-engine
-COPY gitops-engine/go.* ./gitops-engine
 RUN go mod download

 # Perform the build
--- a/Dockerfile.tilt
+++ b/Dockerfile.tilt
@@ -1,4 +1,4 @@
-FROM docker.io/library/golang:1.25.5@sha256:31c1e53dfc1cc2d269deec9c83f58729fa3c53dc9a576f6426109d1e319e9e9a
+FROM docker.io/library/golang:1.25.5@sha256:36b4f45d2874905b9e8573b783292629bcb346d0a70d8d7150b6df545234818f

 ENV DEBIAN_FRONTEND=noninteractive

--- a/53
+++ b/53
@@ -56,8 +56,8 @@ endif

 ARGOCD_PROCFILE?=Procfile

-# pointing to python 3.12 to match https://github.com/argoproj/argo-cd/blob/master/.readthedocs.yaml
-MKDOCS_DOCKER_IMAGE?=python:3.12-alpine
+# pointing to python 3.7 to match https://github.com/argoproj/argo-cd/blob/master/.readthedocs.yml
+MKDOCS_DOCKER_IMAGE?=python:3.7-alpine
 MKDOCS_RUN_ARGS?=

 # Configuration for building argocd-test-tools image
@@ -76,10 +76,8 @@ ARGOCD_E2E_REDIS_PORT?=6379
 ARGOCD_E2E_DEX_PORT?=5556
 ARGOCD_E2E_YARN_HOST?=localhost
 ARGOCD_E2E_DISABLE_AUTH?=
-ARGOCD_E2E_DIR?=/tmp/argo-e2e

 ARGOCD_E2E_TEST_TIMEOUT?=90m
-ARGOCD_E2E_RERUN_FAILS?=5

 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
@@ -200,7 +198,7 @@ endif

 ifneq (${GIT_TAG},)
 IMAGE_TAG=${GIT_TAG}
-override LDFLAGS += -X ${PACKAGE}.gitTag=${GIT_TAG}
+LDFLAGS += -X ${PACKAGE}.gitTag=${GIT_TAG}
 else
 IMAGE_TAG?=latest
 endif
@@ -215,10 +213,6 @@ ifdef IMAGE_NAMESPACE
 IMAGE_PREFIX=${IMAGE_NAMESPACE}/
 endif

-ifndef IMAGE_REGISTRY
-IMAGE_REGISTRY="quay.io"
-endif
-
 .PHONY: all
 all: cli image

@@ -267,12 +261,8 @@ clidocsgen:
 actionsdocsgen:
 	hack/generate-actions-list.sh

-.PHONY: resourceiconsgen
-resourceiconsgen:
-	hack/generate-icons-typescript.sh
-
 .PHONY: codegen-local
-codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen resourceiconsgen manifests-local notification-docs notification-catalog
+codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen manifests-local notification-docs notification-catalog
 	rm -rf vendor/

 .PHONY: codegen-local-fast
@@ -314,11 +304,12 @@ endif
 .PHONY: manifests-local
 manifests-local:
 	./hack/update-manifests.sh
+
 .PHONY: manifests
 manifests: test-tools-image
-	$(call run-in-test-client,make manifests-local IMAGE_REGISTRY='${IMAGE_REGISTRY}' IMAGE_NAMESPACE='${IMAGE_NAMESPACE}' IMAGE_REPOSITORY='${IMAGE_REPOSITORY}' IMAGE_TAG='${IMAGE_TAG}')
-# consolidated binary for cli, util, server, repo-server, controller
+	$(call run-in-test-client,make manifests-local IMAGE_NAMESPACE='${IMAGE_NAMESPACE}' IMAGE_TAG='${IMAGE_TAG}')

+# consolidated binary for cli, util, server, repo-server, controller
 .PHONY: argocd-all
 argocd-all: clean-debug
 	CGO_ENABLED=${CGO_FLAG} GOOS=${GOOS} GOARCH=${GOARCH} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
@@ -463,7 +454,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	DIST_DIR=${DIST_DIR} RERUN_FAILS=$(ARGOCD_E2E_RERUN_FAILS) PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"
+	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"

 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@@ -487,13 +478,13 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	kubectl create ns argocd-e2e-external || true
 	kubectl create ns argocd-e2e-external-2 || true
 	kubectl config set-context --current --namespace=argocd-e2e
-	kustomize build test/manifests/base | kubectl apply --server-side --force-conflicts -f -
+	kustomize build test/manifests/base | kubectl apply -f -
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management/api/a6845f2ebcb186ec26b832f60c988537a58f3859/cluster/v1alpha1/0000_04_clusters.open-cluster-management.io_placementdecisions.crd.yaml
 	# Create GPG keys and source directories
-	if test -d $(ARGOCD_E2E_DIR)/app/config/gpg; then rm -rf $(ARGOCD_E2E_DIR)/app/config/gpg/*; fi
-	mkdir -p $(ARGOCD_E2E_DIR)/app/config/gpg/keys && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/gpg/keys
-	mkdir -p $(ARGOCD_E2E_DIR)/app/config/gpg/source && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/gpg/source
-	mkdir -p $(ARGOCD_E2E_DIR)/app/config/plugin && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/plugin
+	if test -d /tmp/argo-e2e/app/config/gpg; then rm -rf /tmp/argo-e2e/app/config/gpg/*; fi
+	mkdir -p /tmp/argo-e2e/app/config/gpg/keys && chmod 0700 /tmp/argo-e2e/app/config/gpg/keys
+	mkdir -p /tmp/argo-e2e/app/config/gpg/source && chmod 0700 /tmp/argo-e2e/app/config/gpg/source
+	mkdir -p /tmp/argo-e2e/app/config/plugin && chmod 0700 /tmp/argo-e2e/app/config/plugin
 	# create folders to hold go coverage results for each component
 	mkdir -p /tmp/coverage/app-controller
 	mkdir -p /tmp/coverage/api-server
@@ -502,15 +493,13 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	mkdir -p /tmp/coverage/notification
 	mkdir -p /tmp/coverage/commit-server
 	# set paths for locally managed ssh known hosts and tls certs data
-	ARGOCD_E2E_DIR=$(ARGOCD_E2E_DIR) \
-	ARGOCD_SSH_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/ssh \
-	ARGOCD_TLS_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/tls \
-	ARGOCD_GPG_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/gpg/source \
-	ARGOCD_GNUPGHOME=$(ARGOCD_E2E_DIR)/app/config/gpg/keys \
+	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
+	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
+	ARGOCD_GPG_DATA_PATH=/tmp/argo-e2e/app/config/gpg/source \
+	ARGOCD_GNUPGHOME=/tmp/argo-e2e/app/config/gpg/keys \
 	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
-	ARGOCD_PLUGINCONFIGFILEPATH=$(ARGOCD_E2E_DIR)/app/config/plugin \
-	ARGOCD_PLUGINSOCKFILEPATH=$(ARGOCD_E2E_DIR)/app/config/plugin \
-	ARGOCD_GIT_CONFIG=$(PWD)/test/e2e/fixture/gitconfig \
+	ARGOCD_PLUGINCONFIGFILEPATH=/tmp/argo-e2e/app/config/plugin \
+	ARGOCD_PLUGINSOCKFILEPATH=/tmp/argo-e2e/app/config/plugin \
 	ARGOCD_E2E_DISABLE_AUTH=false \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
@@ -587,7 +576,7 @@ build-docs-local:

 .PHONY: build-docs
 build-docs:
-	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'
+	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install mkdocs; pip install $$(mkdocs get-deps); mkdocs build'

 .PHONY: serve-docs-local
 serve-docs-local:
@@ -595,7 +584,7 @@ serve-docs-local:

 .PHONY: serve-docs
 serve-docs:
-	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs serve -a $$(ip route get 1 | awk '\''{print $$7}'\''):8000'
+	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install mkdocs; pip install $$(mkdocs get-deps); mkdocs serve -a $$(ip route get 1 | awk '\''{print $$7}'\''):8000'

 # Verify that kubectl can connect to your K8s cluster from Docker
 .PHONY: verify-kube-connect
--- a/6
+++ b/6
@@ -2,13 +2,13 @@ controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run
 api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v3/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
 redis: hack/start-redis-with-password.sh
-repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "export PATH=./dist:\$PATH && [ -n \"\$ARGOCD_GIT_CONFIG\" ] && export GIT_CONFIG_GLOBAL=\$ARGOCD_GIT_CONFIG && export GIT_CONFIG_NOSYSTEM=1; GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 commit-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/commit-server} FORCE_LOG_COLORS=1 ARGOCD_BINARY_NAME=argocd-commit-server $COMMAND --loglevel debug --port ${ARGOCD_E2E_COMMITSERVER_PORT:-8086}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 oci-registry: test/fixture/testrepos/start-authenticated-helm-registry.sh
-dev-mounter: [ "$ARGOCD_E2E_TEST" != "true" ] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
+dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
 applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
+notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -3,9 +3,9 @@ header:
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
-  commit-hash: 06ef059f9fc7cf9da2dfaef2a505ee1e3c693485
+  commit-hash: 320f46f06beaf75f9c406e3a47e2e09d36e2047a
  project-url: https://github.com/argoproj/argo-cd
-  project-release: v3.3.0
+  project-release: v3.2.0
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
 project-lifecycle:
--- a/23
+++ b/23
@@ -123,7 +123,6 @@ k8s_resource(
        '9345:2345',
        '8083:8083'
    ],
-    resource_deps=['build']
 )

 # track crds
@@ -149,7 +148,6 @@ k8s_resource(
        '9346:2345',
        '8084:8084'
    ],
-    resource_deps=['build']
 )

 # track argocd-redis resources and port forward
@@ -164,7 +162,6 @@ k8s_resource(
    port_forwards=[
        '6379:6379',
    ],
-    resource_deps=['build']
 )

 # track argocd-applicationset-controller resources
@@ -183,7 +180,6 @@ k8s_resource(
        '8085:8080',
        '7000:7000'
    ],
-    resource_deps=['build']
 )

 # track argocd-application-controller resources
@@ -201,7 +197,6 @@ k8s_resource(
        '9348:2345',
        '8086:8082',
    ],
-    resource_deps=['build']
 )

 # track argocd-notifications-controller resources
@@ -219,7 +214,6 @@ k8s_resource(
        '9349:2345',
        '8087:9001',
    ],
-    resource_deps=['build']
 )

 # track argocd-dex-server resources
@@ -231,7 +225,6 @@ k8s_resource(
        'argocd-dex-server:role',
        'argocd-dex-server:rolebinding',
    ],
-    resource_deps=['build']
 )

 # track argocd-commit-server resources
@@ -246,19 +239,6 @@ k8s_resource(
        '8088:8087',
        '8089:8086',
    ],
-    resource_deps=['build']
-)
-
-# ui dependencies
-local_resource(
-    'node-modules',
-    'yarn',
-    dir='ui',
-    deps = [
-        'ui/package.json',
-        'ui/yarn.lock',
-    ],
-    allow_parallel=True,
 )

 # docker for ui
@@ -280,7 +260,6 @@ k8s_resource(
    port_forwards=[
        '4000:4000',
    ],
-    resource_deps=['node-modules'],
 )

 # linting
@@ -299,7 +278,6 @@ local_resource(
        'ui',
    ],
    allow_parallel=True,
-    resource_deps=['node-modules'],
 )

 local_resource(
@@ -309,6 +287,5 @@ local_resource(
        'go.mod',
        'go.sum',
    ],
-    allow_parallel=True,
 )

--- a/USERS.md
+++ b/USERS.md
@@ -31,7 +31,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Ant Group](https://www.antgroup.com/)
 1. [AppDirect](https://www.appdirect.com)
-1. [Arcadia](https://www.arcadia.io)
 1. [Arctiq Inc.](https://www.arctiq.ca)
 1. [Artemis Health by Nomi Health](https://www.artemishealth.com/)
 1. [Arturia](https://www.arturia.com)
@@ -64,7 +63,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Camptocamp](https://camptocamp.com)
 1. [Candis](https://www.candis.io)
 1. [Capital One](https://www.capitalone.com)
-1. [Capptain LTD](https://capptain.co/)
 1. [CARFAX Europe](https://www.carfax.eu)
 1. [CARFAX](https://www.carfax.com)
 1. [Carrefour Group](https://www.carrefour.com)
@@ -87,7 +85,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Cognizant](https://www.cognizant.com/)
-1. [Collins Aerospace](https://www.collinsaerospace.com/)
 1. [Commonbond](https://commonbond.co/)
 1. [Compatio.AI](https://compatio.ai/)
 1. [Contlo](https://contlo.com/)
@@ -101,7 +98,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Datarisk](https://www.datarisk.io/)
 1. [Daydream](https://daydream.ing)
 1. [Deloitte](https://www.deloitte.com/)
-1. [Dematic](https://www.dematic.com)
 1. [Deutsche Telekom AG](https://telekom.com)
 1. [Deutsche Bank AG](https://www.deutsche-bank.de/)
 1. [Devopsi - Poland Software/DevOps Consulting](https://devopsi.pl/)
@@ -110,7 +106,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [DigitalOcean](https://www.digitalocean.com)
 1. [Divar](https://divar.ir)
 1. [Divistant](https://divistant.com)
-2. [DocNetwork](https://docnetwork.org/)
 1. [Dott](https://ridedott.com)
 1. [Doubble](https://www.doubble.app)
 1. [Doximity](https://www.doximity.com/)
@@ -125,7 +120,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [enigmo](https://enigmo.co.jp/)
 1. [Envoy](https://envoy.com/)
 1. [eSave](https://esave.es/)
-1. [Expedia](https://www.expedia.com)
 1. [Factorial](https://factorialhr.com/)
 1. [Farfetch](https://www.farfetch.com)
 1. [Faro](https://www.faro.com/)
@@ -186,7 +180,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Instruqt](https://www.instruqt.com)
 1. [Intel](https://www.intel.com)
 1. [Intuit](https://www.intuit.com/)
-1. [IQVIA](https://www.iqvia.com/)
 1. [Jellysmack](https://www.jellysmack.com)
 1. [Joblift](https://joblift.com/)
 1. [JovianX](https://www.jovianx.com/)
@@ -238,7 +231,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [mixi Group](https://mixi.co.jp/)
 1. [Moengage](https://www.moengage.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
-1. [MongoDB](https://www.mongodb.com/)
 1. [MOO Print](https://www.moo.com/)
 1. [Mozilla](https://www.mozilla.org)
 1. [MTN Group](https://www.mtn.com/)
@@ -317,8 +309,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Relex Solutions](https://www.relexsolutions.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rijkswaterstaat](https://www.rijkswaterstaat.nl/en)
-1. Rise
-1. [RISK IDENT](https://riskident.com/)
+1. [Rise](https://www.risecard.eu/)
 1. [Riskified](https://www.riskified.com/)
 1. [Robotinfra](https://www.robotinfra.com)
 1. [Rocket.Chat](https://rocket.chat)
@@ -385,7 +376,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Ticketmaster](https://ticketmaster.com)
 1. [Tiger Analytics](https://www.tigeranalytics.com/)
 1. [Tigera](https://www.tigera.io/)
-1. [Topicus.Education](https://topicus.nl/en/sectors/education)
 1. [Toss](https://toss.im/en)
 1. [Trendyol](https://www.trendyol.com/)
 1. [tru.ID](https://tru.id)
--- a/2
+++ b/2
@@ -1 +1 @@
-3.3.1
+3.2.6
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -37,7 +37,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/retry"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -47,8 +46,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"

-	"github.com/argoproj/gitops-engine/pkg/health"
-
 	"github.com/argoproj/argo-cd/v3/applicationset/controllers/template"
 	"github.com/argoproj/argo-cd/v3/applicationset/generators"
 	"github.com/argoproj/argo-cd/v3/applicationset/metrics"
@@ -75,11 +72,6 @@ const (
 	AllAtOnceDeletionOrder            = "AllAtOnce"
 )

-var defaultPreservedFinalizers = []string{
-	argov1alpha1.PreDeleteFinalizerName,
-	argov1alpha1.PostDeleteFinalizerName,
-}
-
 var defaultPreservedAnnotations = []string{
 	NotifiedAnnotationKey,
 	argov1alpha1.AnnotationKeyRefresh,
@@ -182,16 +174,6 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{}, err
 	}

-	// ensure finalizer exists if deletionOrder is set as Reverse
-	if r.EnableProgressiveSyncs && isProgressiveSyncDeletionOrderReversed(&applicationSetInfo) {
-		if !controllerutil.ContainsFinalizer(&applicationSetInfo, argov1alpha1.ResourcesFinalizerName) {
-			controllerutil.AddFinalizer(&applicationSetInfo, argov1alpha1.ResourcesFinalizerName)
-			if err := r.Update(ctx, &applicationSetInfo); err != nil {
-				return ctrl.Result{}, err
-			}
-		}
-	}
-
 	// Log a warning if there are unrecognized generators
 	_ = utils.CheckInvalidGenerators(&applicationSetInfo)
 	// desiredApplications is the main list of all expected Applications from all generators in this appset.
@@ -246,6 +228,8 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{}, fmt.Errorf("failed to get update resources status for application set: %w", err)
 	}

+	// appMap is a name->app collection of Applications in this ApplicationSet.
+	appMap := map[string]argov1alpha1.Application{}
 	// appSyncMap tracks which apps will be synced during this reconciliation.
 	appSyncMap := map[string]bool{}

@@ -259,7 +243,12 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 				return ctrl.Result{}, fmt.Errorf("failed to clear previous AppSet application statuses for %v: %w", applicationSetInfo.Name, err)
 			}
 		} else if isRollingSyncStrategy(&applicationSetInfo) {
-			appSyncMap, err = r.performProgressiveSyncs(ctx, logCtx, applicationSetInfo, currentApplications, generatedApplications)
+			// The appset uses progressive sync with `RollingSync` strategy
+			for _, app := range currentApplications {
+				appMap[app.Name] = app
+			}
+
+			appSyncMap, err = r.performProgressiveSyncs(ctx, logCtx, applicationSetInfo, currentApplications, generatedApplications, appMap)
 			if err != nil {
 				return ctrl.Result{}, fmt.Errorf("failed to perform progressive sync reconciliation for application set: %w", err)
 			}
@@ -276,6 +265,13 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		}
 	}

+	var validApps []argov1alpha1.Application
+	for i := range generatedApplications {
+		if validateErrors[generatedApplications[i].QualifiedName()] == nil {
+			validApps = append(validApps, generatedApplications[i])
+		}
+	}
+
 	if len(validateErrors) > 0 {
 		errorApps := make([]string, 0, len(validateErrors))
 		for key := range validateErrors {
@@ -303,25 +299,13 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		)
 	}

-	var validApps []argov1alpha1.Application
-	for i := range generatedApplications {
-		if validateErrors[generatedApplications[i].QualifiedName()] == nil {
-			validApps = append(validApps, generatedApplications[i])
-		}
-	}
-
 	if r.EnableProgressiveSyncs {
 		// trigger appropriate application syncs if RollingSync strategy is enabled
 		if progressiveSyncsRollingSyncStrategyEnabled(&applicationSetInfo) {
-			validApps = r.syncDesiredApplications(logCtx, &applicationSetInfo, appSyncMap, validApps)
+			validApps = r.syncValidApplications(logCtx, &applicationSetInfo, appSyncMap, appMap, validApps)
 		}
 	}

-	// Sort apps by name so they are updated/created in the same order, and condition errors are the same
-	sort.Slice(validApps, func(i, j int) bool {
-		return validApps[i].Name < validApps[j].Name
-	})
-
 	if utils.DefaultPolicy(applicationSetInfo.Spec.SyncPolicy, r.Policy, r.EnablePolicyOverride).AllowUpdate() {
 		err = r.createOrUpdateInCluster(ctx, logCtx, applicationSetInfo, validApps)
 		if err != nil {
@@ -353,7 +337,6 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	}

 	if utils.DefaultPolicy(applicationSetInfo.Spec.SyncPolicy, r.Policy, r.EnablePolicyOverride).AllowDelete() {
-		// Delete the generatedApplications instead of the validApps because we want to be able to delete applications in error/invalid state
 		err = r.deleteInCluster(ctx, logCtx, applicationSetInfo, generatedApplications)
 		if err != nil {
 			_ = r.setApplicationSetStatusCondition(ctx,
@@ -748,19 +731,21 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 				}
 			}

-			// Preserve deleting finalizers and avoid diff conflicts
-			for _, finalizer := range defaultPreservedFinalizers {
-				for _, f := range found.Finalizers {
-					// For finalizers, use prefix matching in case it contains "/" stages
-					if strings.HasPrefix(f, finalizer) {
-						generatedApp.Finalizers = append(generatedApp.Finalizers, f)
+			// Preserve post-delete finalizers:
+			//   https://github.com/argoproj/argo-cd/issues/17181
+			for _, finalizer := range found.Finalizers {
+				if strings.HasPrefix(finalizer, argov1alpha1.PostDeleteFinalizerName) {
+					if generatedApp.Finalizers == nil {
+						generatedApp.Finalizers = []string{}
 					}
+					generatedApp.Finalizers = append(generatedApp.Finalizers, finalizer)
 				}
 			}

 			found.Annotations = generatedApp.Annotations
-			found.Labels = generatedApp.Labels
+
 			found.Finalizers = generatedApp.Finalizers
+			found.Labels = generatedApp.Labels

 			return controllerutil.SetControllerReference(&applicationSet, found, r.Scheme)
 		})
@@ -891,14 +876,16 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 		// Detect if the destination's server field does not match an existing cluster
 		matchingCluster := false
 		for _, cluster := range clusterList {
-			// A cluster matches if either the server matches OR the name matches
-			// This handles cases where:
-			// 1. The cluster is the in-cluster (server=https://kubernetes.default.svc, name=in-cluster)
-			// 2. A custom cluster has the same server as in-cluster but a different name
-			if destCluster.Server == cluster.Server || (destCluster.Name != "" && cluster.Name != "" && destCluster.Name == cluster.Name) {
-				matchingCluster = true
-				break
+			if destCluster.Server != cluster.Server {
+				continue
 			}
+
+			if destCluster.Name != cluster.Name {
+				continue
+			}
+
+			matchingCluster = true
+			break
 		}

 		if !matchingCluster {
@@ -957,7 +944,7 @@ func (r *ApplicationSetReconciler) removeOwnerReferencesOnDeleteAppSet(ctx conte
 	return nil
 }

-func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context, logCtx *log.Entry, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application) (map[string]bool, error) {
+func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context, logCtx *log.Entry, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application, appMap map[string]argov1alpha1.Application) (map[string]bool, error) {
 	appDependencyList, appStepMap := r.buildAppDependencyList(logCtx, appset, desiredApplications)

 	_, err := r.updateApplicationSetApplicationStatus(ctx, logCtx, &appset, applications, appStepMap)
@@ -966,21 +953,21 @@ func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context,
 	}

 	logCtx.Infof("ApplicationSet %v step list:", appset.Name)
-	for stepIndex, applicationNames := range appDependencyList {
-		logCtx.Infof("step %v: %+v", stepIndex+1, applicationNames)
+	for i, step := range appDependencyList {
+		logCtx.Infof("step %v: %+v", i+1, step)
 	}

-	appsToSync := r.getAppsToSync(appset, appDependencyList, applications)
-	logCtx.Infof("Application allowed to sync before maxUpdate?: %+v", appsToSync)
+	appSyncMap := r.buildAppSyncMap(appset, appDependencyList, appMap)
+	logCtx.Infof("Application allowed to sync before maxUpdate?: %+v", appSyncMap)

-	_, err = r.updateApplicationSetApplicationStatusProgress(ctx, logCtx, &appset, appsToSync, appStepMap)
+	_, err = r.updateApplicationSetApplicationStatusProgress(ctx, logCtx, &appset, appSyncMap, appStepMap)
 	if err != nil {
 		return nil, fmt.Errorf("failed to update applicationset application status progress: %w", err)
 	}

 	_ = r.updateApplicationSetApplicationStatusConditions(ctx, &appset)

-	return appsToSync, nil
+	return appSyncMap, nil
 }

 // this list tracks which Applications belong to each RollingUpdate step
@@ -1054,53 +1041,55 @@ func labelMatchedExpression(logCtx *log.Entry, val string, matchExpression argov
 	return valueMatched
 }

-// getAppsToSync returns a Map of Applications that should be synced in this progressive sync wave
-func (r *ApplicationSetReconciler) getAppsToSync(applicationSet argov1alpha1.ApplicationSet, appDependencyList [][]string, currentApplications []argov1alpha1.Application) map[string]bool {
+// this map is used to determine which stage of Applications are ready to be updated in the reconciler loop
+func (r *ApplicationSetReconciler) buildAppSyncMap(applicationSet argov1alpha1.ApplicationSet, appDependencyList [][]string, appMap map[string]argov1alpha1.Application) map[string]bool {
 	appSyncMap := map[string]bool{}
-	currentAppsMap := map[string]bool{}
+	syncEnabled := true

-	for _, app := range currentApplications {
-		currentAppsMap[app.Name] = true
-	}
+	// healthy stages and the first non-healthy stage should have sync enabled
+	// every stage after should have sync disabled

-	for stepIndex := range appDependencyList {
+	for i := range appDependencyList {
 		// set the syncEnabled boolean for every Application in the current step
-		for _, appName := range appDependencyList[stepIndex] {
-			appSyncMap[appName] = true
+		for _, appName := range appDependencyList[i] {
+			appSyncMap[appName] = syncEnabled
 		}

-		// evaluate if we need to sync next waves
-		syncNextWave := true
-		for _, appName := range appDependencyList[stepIndex] {
-			// Check if application is created and managed by this AppSet, if it is not created yet, we cannot progress
-			if _, ok := currentAppsMap[appName]; !ok {
-				syncNextWave = false
-				break
-			}
-
+		// detect if we need to halt before progressing to the next step
+		for _, appName := range appDependencyList[i] {
 			idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, appName)
 			if idx == -1 {
-				// No Application status found, likely because the Application is being newly created
-				// This mean this wave is not yet completed
-				syncNextWave = false
+				// no Application status found, likely because the Application is being newly created
+				syncEnabled = false
 				break
 			}

 			appStatus := applicationSet.Status.ApplicationStatus[idx]
-			if appStatus.Status != argov1alpha1.ProgressiveSyncHealthy {
-				// At least one application in this wave is not yet healthy. We cannot proceed to the next wave
-				syncNextWave = false
+			app, ok := appMap[appName]
+			if !ok {
+				// application name not found in the list of applications managed by this ApplicationSet, maybe because it's being deleted
+				syncEnabled = false
+				break
+			}
+			syncEnabled = appSyncEnabledForNextStep(&applicationSet, app, appStatus)
+			if !syncEnabled {
 				break
 			}
-		}
-		if !syncNextWave {
-			break
 		}
 	}

 	return appSyncMap
 }

+func appSyncEnabledForNextStep(appset *argov1alpha1.ApplicationSet, app argov1alpha1.Application, appStatus argov1alpha1.ApplicationSetApplicationStatus) bool {
+	if progressiveSyncsRollingSyncStrategyEnabled(appset) {
+		// we still need to complete the current step if the Application is not yet Healthy or there are still pending Application changes
+		return isApplicationHealthy(app) && appStatus.Status == "Healthy"
+	}
+
+	return true
+}
+
 func isRollingSyncStrategy(appset *argov1alpha1.ApplicationSet) bool {
 	// It's only RollingSync if the type specifically sets it
 	return appset.Spec.Strategy != nil && appset.Spec.Strategy.Type == "RollingSync" && appset.Spec.Strategy.RollingSync != nil
@@ -1111,21 +1100,29 @@ func progressiveSyncsRollingSyncStrategyEnabled(appset *argov1alpha1.Application
 	return isRollingSyncStrategy(appset) && len(appset.Spec.Strategy.RollingSync.Steps) > 0
 }

-func isApplicationWithError(app argov1alpha1.Application) bool {
-	for _, condition := range app.Status.Conditions {
-		if condition.Type == argov1alpha1.ApplicationConditionInvalidSpecError {
-			return true
-		}
-		if condition.Type == argov1alpha1.ApplicationConditionUnknownError {
-			return true
-		}
+func isProgressiveSyncDeletionOrderReversed(appset *argov1alpha1.ApplicationSet) bool {
+	// When progressive sync is enabled + deletionOrder is set to Reverse (case-insensitive)
+	return progressiveSyncsRollingSyncStrategyEnabled(appset) && strings.EqualFold(appset.Spec.Strategy.DeletionOrder, ReverseDeletionOrder)
+}
+
+func isApplicationHealthy(app argov1alpha1.Application) bool {
+	healthStatusString, syncStatusString, operationPhaseString := statusStrings(app)
+
+	if healthStatusString == "Healthy" && syncStatusString != "OutOfSync" && (operationPhaseString == "Succeeded" || operationPhaseString == "") {
+		return true
 	}
 	return false
 }

-func isProgressiveSyncDeletionOrderReversed(appset *argov1alpha1.ApplicationSet) bool {
-	// When progressive sync is enabled + deletionOrder is set to Reverse (case-insensitive)
-	return progressiveSyncsRollingSyncStrategyEnabled(appset) && strings.EqualFold(appset.Spec.Strategy.DeletionOrder, ReverseDeletionOrder)
+func statusStrings(app argov1alpha1.Application) (string, string, string) {
+	healthStatusString := string(app.Status.Health.Status)
+	syncStatusString := string(app.Status.Sync.Status)
+	operationPhaseString := ""
+	if app.Status.OperationState != nil {
+		operationPhaseString = string(app.Status.OperationState.Phase)
+	}
+
+	return healthStatusString, syncStatusString, operationPhaseString
 }

 func getAppStep(appName string, appStepMap map[string]int) int {
@@ -1144,112 +1141,81 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applications))

 	for _, app := range applications {
-		appHealthStatus := app.Status.Health.Status
-		appSyncStatus := app.Status.Sync.Status
+		healthStatusString, syncStatusString, operationPhaseString := statusStrings(app)
+
+		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, app.Name)

 		currentAppStatus := argov1alpha1.ApplicationSetApplicationStatus{}
-		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, app.Name)
+
 		if idx == -1 {
 			// AppStatus not found, set default status of "Waiting"
 			currentAppStatus = argov1alpha1.ApplicationSetApplicationStatus{
 				Application:        app.Name,
-				TargetRevisions:    app.Status.GetRevisions(),
 				LastTransitionTime: &now,
-				Message:            "No Application status found, defaulting status to Waiting",
-				Status:             argov1alpha1.ProgressiveSyncWaiting,
+				Message:            "No Application status found, defaulting status to Waiting.",
+				Status:             "Waiting",
 				Step:               strconv.Itoa(getAppStep(app.Name, appStepMap)),
 			}
 		} else {
 			// we have an existing AppStatus
 			currentAppStatus = applicationSet.Status.ApplicationStatus[idx]
+			if !reflect.DeepEqual(currentAppStatus.TargetRevisions, app.Status.GetRevisions()) {
+				currentAppStatus.Message = "Application has pending changes, setting status to Waiting."
+			}
 		}
-
-		statusLogCtx := logCtx.WithFields(log.Fields{
-			"app.name":               currentAppStatus.Application,
-			"app.health":             appHealthStatus,
-			"app.sync":               appSyncStatus,
-			"status.status":          currentAppStatus.Status,
-			"status.message":         currentAppStatus.Message,
-			"status.step":            currentAppStatus.Step,
-			"status.targetRevisions": strings.Join(currentAppStatus.TargetRevisions, ","),
-		})
-
-		newAppStatus := currentAppStatus.DeepCopy()
-		newAppStatus.Step = strconv.Itoa(getAppStep(newAppStatus.Application, appStepMap))
-
 		if !reflect.DeepEqual(currentAppStatus.TargetRevisions, app.Status.GetRevisions()) {
-			// A new version is available in the application and we need to re-sync the application
-			newAppStatus.TargetRevisions = app.Status.GetRevisions()
-			newAppStatus.Message = "Application has pending changes, setting status to Waiting"
-			newAppStatus.Status = argov1alpha1.ProgressiveSyncWaiting
-			newAppStatus.LastTransitionTime = &now
+			currentAppStatus.TargetRevisions = app.Status.GetRevisions()
+			currentAppStatus.Status = "Waiting"
+			currentAppStatus.LastTransitionTime = &now
+			currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
 		}

-		if newAppStatus.Status == argov1alpha1.ProgressiveSyncWaiting {
-			// App has changed to waiting because the TargetRevisions changed or it is a new selected app
-			// This does not mean we should always sync the app. The app may not be OutOfSync
-			// and may not require a sync if it does not have differences.
-			if appSyncStatus == argov1alpha1.SyncStatusCodeSynced {
-				if app.Status.Health.Status == health.HealthStatusHealthy {
-					newAppStatus.LastTransitionTime = &now
-					newAppStatus.Status = argov1alpha1.ProgressiveSyncHealthy
-					newAppStatus.Message = "Application resource has synced, updating status to Healthy"
-				} else {
-					newAppStatus.LastTransitionTime = &now
-					newAppStatus.Status = argov1alpha1.ProgressiveSyncProgressing
-					newAppStatus.Message = "Application resource has synced, updating status to Progressing"
-				}
-			}
-		} else {
-			// The target revision is the same, so we need to evaluate the current revision progress
-			if currentAppStatus.Status == argov1alpha1.ProgressiveSyncPending {
-				// No need to evaluate status health further if the application did not change since our last transition
-				if app.Status.ReconciledAt == nil || (newAppStatus.LastTransitionTime != nil && app.Status.ReconciledAt.After(newAppStatus.LastTransitionTime.Time)) {
-					// Validate that at least one sync was trigerred after the pending transition time
-					if app.Status.OperationState != nil && app.Status.OperationState.StartedAt.After(currentAppStatus.LastTransitionTime.Time) {
-						statusLogCtx = statusLogCtx.WithField("app.operation", app.Status.OperationState.Phase)
-						newAppStatus.LastTransitionTime = &now
-						newAppStatus.Status = argov1alpha1.ProgressiveSyncProgressing
+		appOutdated := false
+		if progressiveSyncsRollingSyncStrategyEnabled(applicationSet) {
+			appOutdated = syncStatusString == "OutOfSync"
+		}

-						switch {
-						case app.Status.OperationState.Phase.Successful():
-							newAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing"
-						case app.Status.OperationState.Phase.Completed():
-							newAppStatus.Message = "Application resource completed a sync, updating status from Pending to Progressing"
-						default:
-							// If a sync fails or has errors, the Application should be configured with retry. It is not the appset's job to retry failed syncs
-							newAppStatus.Message = "Application resource became Progressing, updating status from Pending to Progressing"
-						}
-					} else if isApplicationWithError(app) {
-						// Validate if the application has errors preventing it to be reconciled and perform syncs
-						// If it does, we move it to progressing.
-						newAppStatus.LastTransitionTime = &now
-						newAppStatus.Status = argov1alpha1.ProgressiveSyncProgressing
-						newAppStatus.Message = "Application resource has error and cannot sync, updating status to Progressing"
-					}
-				}
-			}
+		if appOutdated && currentAppStatus.Status != "Waiting" && currentAppStatus.Status != "Pending" {
+			logCtx.Infof("Application %v is outdated, updating its ApplicationSet status to Waiting", app.Name)
+			currentAppStatus.LastTransitionTime = &now
+			currentAppStatus.Status = "Waiting"
+			currentAppStatus.Message = "Application has pending changes, setting status to Waiting."
+			currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
+		}

-			if currentAppStatus.Status == argov1alpha1.ProgressiveSyncProgressing {
-				// If the status has reached progressing, we know a sync has been triggered. No matter the result of that operation,
-				// we want an the app to reach the Healthy state for the current revision.
-				if appHealthStatus == health.HealthStatusHealthy && appSyncStatus == argov1alpha1.SyncStatusCodeSynced {
-					newAppStatus.LastTransitionTime = &now
-					newAppStatus.Status = argov1alpha1.ProgressiveSyncHealthy
-					newAppStatus.Message = "Application resource became Healthy, updating status from Progressing to Healthy"
-				}
+		if currentAppStatus.Status == "Pending" {
+			if !appOutdated && operationPhaseString == "Succeeded" {
+				logCtx.Infof("Application %v has completed a sync successfully, updating its ApplicationSet status to Progressing", app.Name)
+				currentAppStatus.LastTransitionTime = &now
+				currentAppStatus.Status = "Progressing"
+				currentAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing."
+				currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
+			} else if operationPhaseString == "Running" || healthStatusString == "Progressing" {
+				logCtx.Infof("Application %v has entered Progressing status, updating its ApplicationSet status to Progressing", app.Name)
+				currentAppStatus.LastTransitionTime = &now
+				currentAppStatus.Status = "Progressing"
+				currentAppStatus.Message = "Application resource became Progressing, updating status from Pending to Progressing."
+				currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
 			}
 		}

-		if newAppStatus.LastTransitionTime == &now {
-			statusLogCtx.WithFields(log.Fields{
-				"new_status.status":          newAppStatus.Status,
-				"new_status.message":         newAppStatus.Message,
-				"new_status.step":            newAppStatus.Step,
-				"new_status.targetRevisions": strings.Join(newAppStatus.TargetRevisions, ","),
-			}).Info("Progressive sync application changed status")
+		if currentAppStatus.Status == "Waiting" && isApplicationHealthy(app) {
+			logCtx.Infof("Application %v is already synced and healthy, updating its ApplicationSet status to Healthy", app.Name)
+			currentAppStatus.LastTransitionTime = &now
+			currentAppStatus.Status = healthStatusString
+			currentAppStatus.Message = "Application resource is already Healthy, updating status from Waiting to Healthy."
+			currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
 		}
-		appStatuses = append(appStatuses, *newAppStatus)
+
+		if currentAppStatus.Status == "Progressing" && isApplicationHealthy(app) {
+			logCtx.Infof("Application %v has completed Progressing status, updating its ApplicationSet status to Healthy", app.Name)
+			currentAppStatus.LastTransitionTime = &now
+			currentAppStatus.Status = healthStatusString
+			currentAppStatus.Message = "Application resource became Healthy, updating status from Progressing to Healthy."
+			currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
+		}
+
+		appStatuses = append(appStatuses, currentAppStatus)
 	}

 	err := r.setAppSetApplicationStatus(ctx, logCtx, applicationSet, appStatuses)
@@ -1261,7 +1227,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 }

 // check Applications that are in Waiting status and promote them to Pending if needed
-func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, appsToSync map[string]bool, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, appSyncMap map[string]bool, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
 	now := metav1.Now()

 	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applicationSet.Status.ApplicationStatus))
@@ -1277,20 +1243,12 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 		for _, appStatus := range applicationSet.Status.ApplicationStatus {
 			totalCountMap[appStepMap[appStatus.Application]]++

-			if appStatus.Status == argov1alpha1.ProgressiveSyncPending || appStatus.Status == argov1alpha1.ProgressiveSyncProgressing {
+			if appStatus.Status == "Pending" || appStatus.Status == "Progressing" {
 				updateCountMap[appStepMap[appStatus.Application]]++
 			}
 		}

 		for _, appStatus := range applicationSet.Status.ApplicationStatus {
-			statusLogCtx := logCtx.WithFields(log.Fields{
-				"app.name":               appStatus.Application,
-				"status.status":          appStatus.Status,
-				"status.message":         appStatus.Message,
-				"status.step":            appStatus.Step,
-				"status.targetRevisions": strings.Join(appStatus.TargetRevisions, ","),
-			})
-
 			maxUpdateAllowed := true
 			maxUpdate := &intstr.IntOrString{}
 			if progressiveSyncsRollingSyncStrategyEnabled(applicationSet) {
@@ -1301,7 +1259,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 			if maxUpdate != nil {
 				maxUpdateVal, err := intstr.GetScaledValueFromIntOrPercent(maxUpdate, totalCountMap[appStepMap[appStatus.Application]], false)
 				if err != nil {
-					statusLogCtx.Warnf("AppSet has a invalid maxUpdate value '%+v', ignoring maxUpdate logic for this step: %v", maxUpdate, err)
+					logCtx.Warnf("AppSet '%v' has a invalid maxUpdate value '%+v', ignoring maxUpdate logic for this step: %v", applicationSet.Name, maxUpdate, err)
 				}

 				// ensure that percentage values greater than 0% always result in at least 1 Application being selected
@@ -1311,21 +1269,16 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress

 				if updateCountMap[appStepMap[appStatus.Application]] >= maxUpdateVal {
 					maxUpdateAllowed = false
-					statusLogCtx.Infof("Application is not allowed to update yet, %v/%v Applications already updating in step %v", updateCountMap[appStepMap[appStatus.Application]], maxUpdateVal, getAppStep(appStatus.Application, appStepMap))
+					logCtx.Infof("Application %v is not allowed to update yet, %v/%v Applications already updating in step %v in AppSet %v", appStatus.Application, updateCountMap[appStepMap[appStatus.Application]], maxUpdateVal, getAppStep(appStatus.Application, appStepMap), applicationSet.Name)
 				}
 			}

-			if appStatus.Status == argov1alpha1.ProgressiveSyncWaiting && appsToSync[appStatus.Application] && maxUpdateAllowed {
+			if appStatus.Status == "Waiting" && appSyncMap[appStatus.Application] && maxUpdateAllowed {
+				logCtx.Infof("Application %v moved to Pending status, watching for the Application to start Progressing", appStatus.Application)
 				appStatus.LastTransitionTime = &now
-				appStatus.Status = argov1alpha1.ProgressiveSyncPending
-				appStatus.Message = "Application moved to Pending status, watching for the Application resource to start Progressing"
-
-				statusLogCtx.WithFields(log.Fields{
-					"new_status.status":          appStatus.Status,
-					"new_status.message":         appStatus.Message,
-					"new_status.step":            appStatus.Step,
-					"new_status.targetRevisions": strings.Join(appStatus.TargetRevisions, ","),
-				}).Info("Progressive sync application changed status")
+				appStatus.Status = "Pending"
+				appStatus.Message = "Application moved to Pending status, watching for the Application resource to start Progressing."
+				appStatus.Step = strconv.Itoa(getAppStep(appStatus.Application, appStepMap))

 				updateCountMap[appStepMap[appStatus.Application]]++
 			}
@@ -1350,9 +1303,9 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusConditio
 	completedWaves := map[string]bool{}
 	for _, appStatus := range applicationSet.Status.ApplicationStatus {
 		if v, ok := completedWaves[appStatus.Step]; !ok {
-			completedWaves[appStatus.Step] = appStatus.Status == argov1alpha1.ProgressiveSyncHealthy
+			completedWaves[appStatus.Step] = appStatus.Status == "Healthy"
 		} else {
-			completedWaves[appStatus.Step] = v && appStatus.Status == argov1alpha1.ProgressiveSyncHealthy
+			completedWaves[appStatus.Step] = v && appStatus.Status == "Healthy"
 		}
 	}

@@ -1574,31 +1527,30 @@ func (r *ApplicationSetReconciler) setAppSetApplicationStatus(ctx context.Contex
 	return nil
 }

-func (r *ApplicationSetReconciler) syncDesiredApplications(logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, appsToSync map[string]bool, desiredApplications []argov1alpha1.Application) []argov1alpha1.Application {
+func (r *ApplicationSetReconciler) syncValidApplications(logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, appSyncMap map[string]bool, appMap map[string]argov1alpha1.Application, validApps []argov1alpha1.Application) []argov1alpha1.Application {
 	rolloutApps := []argov1alpha1.Application{}
-	for i := range desiredApplications {
+	for i := range validApps {
 		pruneEnabled := false

 		// ensure that Applications generated with RollingSync do not have an automated sync policy, since the AppSet controller will handle triggering the sync operation instead
-		if desiredApplications[i].Spec.SyncPolicy != nil && desiredApplications[i].Spec.SyncPolicy.IsAutomatedSyncEnabled() {
-			pruneEnabled = desiredApplications[i].Spec.SyncPolicy.Automated.Prune
-			desiredApplications[i].Spec.SyncPolicy.Automated.Enabled = ptr.To(false)
+		if validApps[i].Spec.SyncPolicy != nil && validApps[i].Spec.SyncPolicy.IsAutomatedSyncEnabled() {
+			pruneEnabled = validApps[i].Spec.SyncPolicy.Automated.Prune
+			validApps[i].Spec.SyncPolicy.Automated = nil
 		}

 		appSetStatusPending := false
-		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, desiredApplications[i].Name)
-		if idx > -1 && applicationSet.Status.ApplicationStatus[idx].Status == argov1alpha1.ProgressiveSyncPending {
+		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, validApps[i].Name)
+		if idx > -1 && applicationSet.Status.ApplicationStatus[idx].Status == "Pending" {
 			// only trigger a sync for Applications that are in Pending status, since this is governed by maxUpdate
 			appSetStatusPending = true
 		}

-		// check appsToSync to determine which Applications are ready to be updated and which should be skipped
-		if appsToSync[desiredApplications[i].Name] && appSetStatusPending {
-			logCtx.Infof("triggering sync for application: %v, prune enabled: %v", desiredApplications[i].Name, pruneEnabled)
-			desiredApplications[i] = syncApplication(desiredApplications[i], pruneEnabled)
+		// check appSyncMap to determine which Applications are ready to be updated and which should be skipped
+		if appSyncMap[validApps[i].Name] && appMap[validApps[i].Name].Status.Sync.Status == "OutOfSync" && appSetStatusPending {
+			logCtx.Infof("triggering sync for application: %v, prune enabled: %v", validApps[i].Name, pruneEnabled)
+			validApps[i] = syncApplication(validApps[i], pruneEnabled)
 		}
-
-		rolloutApps = append(rolloutApps, desiredApplications[i])
+		rolloutApps = append(rolloutApps, validApps[i])
 	}
 	return rolloutApps
 }
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/template/template_test.go
+++ b/applicationset/controllers/template/template_test.go
@@ -86,28 +86,28 @@ func TestGenerateApplications(t *testing.T) {
 		}

 		t.Run(cc.name, func(t *testing.T) {
-			generatorMock := &genmock.Generator{}
+			generatorMock := genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
 			}

-			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cc.params, cc.generateParamsError)

-			generatorMock.EXPECT().GetTemplate(&generator).
+			generatorMock.On("GetTemplate", &generator).
 				Return(&v1alpha1.ApplicationSetTemplate{})

-			rendererMock := &rendmock.Renderer{}
+			rendererMock := rendmock.Renderer{}

 			var expectedApps []v1alpha1.Application

 			if cc.generateParamsError == nil {
 				for _, p := range cc.params {
 					if cc.rendererError != nil {
-						rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
 							Return(nil, cc.rendererError)
 					} else {
-						rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
 							Return(&app, nil)
 						expectedApps = append(expectedApps, app)
 					}
@@ -115,9 +115,9 @@ func TestGenerateApplications(t *testing.T) {
 			}

 			generators := map[string]generators.Generator{
-				"List": generatorMock,
+				"List": &generatorMock,
 			}
-			renderer := rendererMock
+			renderer := &rendererMock

 			got, reason, err := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -200,26 +200,26 @@ func TestMergeTemplateApplications(t *testing.T) {
 		cc := c

 		t.Run(cc.name, func(t *testing.T) {
-			generatorMock := &genmock.Generator{}
+			generatorMock := genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
 			}

-			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cc.params, nil)

-			generatorMock.EXPECT().GetTemplate(&generator).
+			generatorMock.On("GetTemplate", &generator).
 				Return(&cc.overrideTemplate)

-			rendererMock := &rendmock.Renderer{}
+			rendererMock := rendmock.Renderer{}

-			rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
+			rendererMock.On("RenderTemplateParams", GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
 				Return(&cc.expectedApps[0], nil)

 			generators := map[string]generators.Generator{
-				"List": generatorMock,
+				"List": &generatorMock,
 			}
-			renderer := rendererMock
+			renderer := &rendererMock

 			got, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -312,19 +312,19 @@ func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
 		},
 	} {
 		t.Run(cases.name, func(t *testing.T) {
-			generatorMock := &genmock.Generator{}
+			generatorMock := genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				PullRequest: &v1alpha1.PullRequestGenerator{},
 			}

-			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cases.params, nil)

-			generatorMock.EXPECT().GetTemplate(&generator).
-				Return(&cases.template)
+			generatorMock.On("GetTemplate", &generator).
+				Return(&cases.template, nil)

 			generators := map[string]generators.Generator{
-				"PullRequest": generatorMock,
+				"PullRequest": &generatorMock,
 			}
 			renderer := &utils.Render{}

--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@@ -223,7 +223,7 @@ func TestTransForm(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			testGenerators := map[string]Generator{
-				"Clusters": getMockClusterGenerator(t.Context()),
+				"Clusters": getMockClusterGenerator(),
 			}

 			applicationSetInfo := argov1alpha1.ApplicationSet{
@@ -260,7 +260,7 @@ func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
 	}
 }

-func getMockClusterGenerator(ctx context.Context) Generator {
+func getMockClusterGenerator() Generator {
 	clusters := []crtclient.Object{
 		&corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
@@ -342,19 +342,19 @@ func getMockClusterGenerator(ctx context.Context) Generator {
 	appClientset := kubefake.NewSimpleClientset(runtimeClusters...)

 	fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
-	return NewClusterGenerator(ctx, fakeClient, appClientset, "namespace")
+	return NewClusterGenerator(context.Background(), fakeClient, appClientset, "namespace")
 }

 func getMockGitGenerator() Generator {
-	argoCDServiceMock := &mocks.Repos{}
-	argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
-	gitGenerator := NewGitGenerator(argoCDServiceMock, "namespace")
+	argoCDServiceMock := mocks.Repos{}
+	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
 	return gitGenerator
 }

 func TestGetRelevantGenerators(t *testing.T) {
 	testGenerators := map[string]Generator{
-		"Clusters": getMockClusterGenerator(t.Context()),
+		"Clusters": getMockClusterGenerator(),
 		"Git":      getMockGitGenerator(),
 	}

@@ -551,7 +551,7 @@ func TestInterpolateGeneratorError(t *testing.T) {
 			},
 			useGoTemplate:     true,
 			goTemplateOptions: []string{},
-		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template {{ index .rmap (default .override .test) }}: template: base:1:3: executing \"base\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
+		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template {{ index .rmap (default .override .test) }}: template: :1:3: executing \"\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@@ -320,11 +320,11 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock := mocks.Repos{}

-			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -357,6 +357,8 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
+
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -621,11 +623,11 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock := mocks.Repos{}

-			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -658,6 +660,8 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
+
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -996,11 +1000,11 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.NewRepos(t)
-			argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1032,6 +1036,8 @@ cluster:
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
+
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -1325,7 +1331,7 @@ env: testing
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock := mocks.Repos{}

 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
@@ -1333,16 +1339,18 @@ env: testing
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.
+					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.
+					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1374,6 +1382,8 @@ env: testing
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
+
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -1662,7 +1672,7 @@ env: testing
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock := mocks.Repos{}

 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
@@ -1670,16 +1680,18 @@ env: testing
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.
+					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.
+					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1711,6 +1723,8 @@ env: testing
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
+
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -1894,23 +1908,25 @@ func TestGitGeneratorParamsFromFilesWithExcludeOptionGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock := mocks.Repos{}
 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
 			// This is generally done by the g.repos.GetFiles() function.
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.
+					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.
+					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1942,6 +1958,8 @@ func TestGitGeneratorParamsFromFilesWithExcludeOptionGoTemplate(t *testing.T) {
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
+
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -2261,11 +2279,11 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.NewRepos(t)
-			argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -2297,6 +2315,8 @@ cluster:
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
+
+			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -2462,7 +2482,7 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 		},
 	}
 	for _, testCase := range cases {
-		argoCDServiceMock := mocks.NewRepos(t)
+		argoCDServiceMock := mocks.Repos{}

 		if testCase.callGetDirectories {
 			var project any
@@ -2472,9 +2492,9 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 				project = mock.Anything
 			}

-			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, project, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, project, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
 		}
-		gitGenerator := NewGitGenerator(argoCDServiceMock, "argocd")
+		gitGenerator := NewGitGenerator(&argoCDServiceMock, "argocd")

 		scheme := runtime.NewScheme()
 		err := v1alpha1.AddToScheme(scheme)
@@ -2490,5 +2510,7 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 			require.NoError(t, err)
 			assert.Equal(t, testCase.expected, got)
 		}
+
+		argoCDServiceMock.AssertExpectations(t)
 	}
 }
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@@ -12,12 +12,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

+	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

-	generatorsMock "github.com/argoproj/argo-cd/v3/applicationset/generators/mocks"
-	servicesMocks "github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

@@ -136,7 +136,7 @@ func TestMatrixGenerate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorsMock.Generator{}
+			genMock := &generatorMock{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -149,7 +149,7 @@ func TestMatrixGenerate(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
+				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path":                    "app1",
 						"path.basename":           "app1",
@@ -162,7 +162,7 @@ func TestMatrixGenerate(t *testing.T) {
 					},
 				}, nil)

-				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
+				genMock.On("GetTemplate", &gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@@ -343,7 +343,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorsMock.Generator{}
+			genMock := &generatorMock{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -358,7 +358,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
+				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path": map[string]string{
 							"path":               "app1",
@@ -375,7 +375,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 					},
 				}, nil)

-				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
+				genMock.On("GetTemplate", &gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@@ -507,7 +507,7 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			mock := &generatorsMock.Generator{}
+			mock := &generatorMock{}

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := v1alpha1.ApplicationSetGenerator{
@@ -517,7 +517,7 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 					SCMProvider:             g.SCMProvider,
 					ClusterDecisionResource: g.ClusterDecisionResource,
 				}
-				mock.EXPECT().GetRequeueAfter(&gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter)
+				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
 			}

 			matrixGenerator := NewMatrixGenerator(
@@ -634,7 +634,7 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorsMock.Generator{}
+			genMock := &generatorMock{}
 			appSet := &v1alpha1.ApplicationSet{}

 			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
@@ -650,7 +650,7 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 					Git:      g.Git,
 					Clusters: g.Clusters,
 				}
-				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
+				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{
 					{
 						"path":                    "examples/git-generator-files-discovery/cluster-config/dev/config.json",
 						"path.basename":           "dev",
@@ -662,7 +662,7 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 						"path.basenameNormalized": "prod",
 					},
 				}, nil)
-				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
+				genMock.On("GetTemplate", &gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}
 			matrixGenerator := NewMatrixGenerator(
@@ -813,7 +813,7 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorsMock.Generator{}
+			genMock := &generatorMock{}
 			appSet := &v1alpha1.ApplicationSet{
 				Spec: v1alpha1.ApplicationSetSpec{
 					GoTemplate: true,
@@ -833,7 +833,7 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 					Git:      g.Git,
 					Clusters: g.Clusters,
 				}
-				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
+				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{
 					{
 						"path": map[string]string{
 							"path":               "examples/git-generator-files-discovery/cluster-config/dev/config.json",
@@ -849,7 +849,7 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 						},
 					},
 				}, nil)
-				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
+				genMock.On("GetTemplate", &gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}
 			matrixGenerator := NewMatrixGenerator(
@@ -969,7 +969,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorsMock.Generator{}
+			genMock := &generatorMock{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -984,7 +984,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{{
+				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{{
 					"foo": map[string]any{
 						"bar": []any{
 							map[string]any{
@@ -1009,7 +1009,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 						},
 					},
 				}}, nil)
-				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
+				genMock.On("GetTemplate", &gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@@ -1037,6 +1037,28 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 	}
 }

+type generatorMock struct {
+	mock.Mock
+}
+
+func (g *generatorMock) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate {
+	args := g.Called(appSetGenerator)
+
+	return args.Get(0).(*v1alpha1.ApplicationSetTemplate)
+}
+
+func (g *generatorMock) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, appSet *v1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
+	args := g.Called(appSetGenerator, appSet)
+
+	return args.Get(0).([]map[string]any), args.Error(1)
+}
+
+func (g *generatorMock) GetRequeueAfter(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration {
+	args := g.Called(appSetGenerator)
+
+	return args.Get(0).(time.Duration)
+}
+
 func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	// Given a matrix generator over a list generator and a git files generator, the nested git files generator should
 	// be treated as a files generator, and it should produce parameters.
@@ -1050,11 +1072,11 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	// Now instead of checking for nil, we check whether the field is a non-empty slice. This test prevents a regression
 	// of that bug.

-	listGeneratorMock := &generatorsMock.Generator{}
-	listGeneratorMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]any{
+	listGeneratorMock := &generatorMock{}
+	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]any{
 		{"some": "value"},
 	}, nil)
-	listGeneratorMock.EXPECT().GetTemplate(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&v1alpha1.ApplicationSetTemplate{})
+	listGeneratorMock.On("GetTemplate", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&v1alpha1.ApplicationSetTemplate{})

 	gitGeneratorSpec := &v1alpha1.GitGenerator{
 		RepoURL: "https://git.example.com",
@@ -1063,10 +1085,10 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 		},
 	}

-	repoServiceMock := &servicesMocks.Repos{}
-	repoServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
+	repoServiceMock := &mocks.Repos{}
+	repoServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
 		"some/path.json": []byte("test: content"),
-	}, nil).Maybe()
+	}, nil)
 	gitGenerator := NewGitGenerator(repoServiceMock, "")

 	matrixGenerator := NewMatrixGenerator(map[string]Generator{
--- a/applicationset/generators/pull_request.go
+++ b/applicationset/generators/pull_request.go
@@ -107,7 +107,7 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		}

 		paramMap := map[string]any{
-			"number":             strconv.FormatInt(pull.Number, 10),
+			"number":             strconv.Itoa(pull.Number),
 			"title":              pull.Title,
 			"branch":             pull.Branch,
 			"branch_slug":        slug.Make(pull.Branch),
@@ -243,9 +243,9 @@ func (g *PullRequestGenerator) github(ctx context.Context, cfg *argoprojiov1alph
 		}

 		if g.enableGitHubAPIMetrics {
-			return pullrequest.NewGithubAppService(ctx, *auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels, httpClient)
+			return pullrequest.NewGithubAppService(*auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels, httpClient)
 		}
-		return pullrequest.NewGithubAppService(ctx, *auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
+		return pullrequest.NewGithubAppService(*auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
 	}

 	// always default to token, even if not set (public access)
--- a/applicationset/generators/scm_provider.go
+++ b/applicationset/generators/scm_provider.go
@@ -296,9 +296,9 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 		}

 		if g.enableGitHubAPIMetrics {
-			return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches, httpClient)
+			return scm_provider.NewGithubAppProviderFor(*auth, github.Organization, github.API, github.AllBranches, httpClient)
 		}
-		return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches)
+		return scm_provider.NewGithubAppProviderFor(*auth, github.Organization, github.API, github.AllBranches)
 	}

 	token, err := utils.GetSecretRef(ctx, g.client, github.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
--- a/applicationset/metrics/metrics_test.go
+++ b/applicationset/metrics/metrics_test.go
@@ -174,7 +174,7 @@ func TestApplicationsetCollector(t *testing.T) {
 	appsetCollector := newAppsetCollector(utils.NewAppsetLister(client), collectedLabels, filter)

 	metrics.Registry.MustRegister(appsetCollector)
-	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/metrics", http.NoBody)
+	req, err := http.NewRequest(http.MethodGet, "/metrics", http.NoBody)
 	require.NoError(t, err)
 	rr := httptest.NewRecorder()
 	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
@@ -216,7 +216,7 @@ func TestObserveReconcile(t *testing.T) {

 	appsetMetrics := NewApplicationsetMetrics(utils.NewAppsetLister(client), collectedLabels, filter)

-	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/metrics", http.NoBody)
+	req, err := http.NewRequest(http.MethodGet, "/metrics", http.NoBody)
 	require.NoError(t, err)
 	rr := httptest.NewRecorder()
 	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
--- a/applicationset/services/github_metrics_test.go
+++ b/applicationset/services/github_metrics_test.go
@@ -97,9 +97,7 @@ func TestGitHubMetrics_CollectorApproach_Success(t *testing.T) {
 		),
 	}

-	ctx := t.Context()
-
-	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, ts.URL+URL, http.NoBody)
+	req, _ := http.NewRequest(http.MethodGet, ts.URL+URL, http.NoBody)
 	resp, err := client.Do(req)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -111,11 +109,7 @@ func TestGitHubMetrics_CollectorApproach_Success(t *testing.T) {
 	server := httptest.NewServer(handler)
 	defer server.Close()

-	req, err = http.NewRequestWithContext(ctx, http.MethodGet, server.URL, http.NoBody)
-	if err != nil {
-		t.Fatalf("failed to create request: %v", err)
-	}
-	resp, err = http.DefaultClient.Do(req)
+	resp, err = http.Get(server.URL)
 	if err != nil {
 		t.Fatalf("failed to scrape metrics: %v", err)
 	}
@@ -157,23 +151,15 @@ func TestGitHubMetrics_CollectorApproach_NoRateLimitMetricsOnNilResponse(t *test
 			metrics:        metrics,
 		},
 	}
-	ctx := t.Context()

-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, URL, http.NoBody)
-	if err != nil {
-		t.Fatalf("failed to create request: %v", err)
-	}
+	req, _ := http.NewRequest(http.MethodGet, URL, http.NoBody)
 	_, _ = client.Do(req)

 	handler := promhttp.HandlerFor(reg, promhttp.HandlerOpts{})
 	server := httptest.NewServer(handler)
 	defer server.Close()

-	req, err = http.NewRequestWithContext(ctx, http.MethodGet, server.URL, http.NoBody)
-	if err != nil {
-		t.Fatalf("failed to create request: %v", err)
-	}
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := http.Get(server.URL)
 	if err != nil {
 		t.Fatalf("failed to scrape metrics: %v", err)
 	}
--- a/applicationset/services/internal/github_app/client.go
+++ b/applicationset/services/internal/github_app/client.go
@@ -1,8 +1,6 @@
 package github_app

 import (
-	"context"
-	"errors"
 	"fmt"
 	"net/http"

@@ -10,65 +8,40 @@ import (
 	"github.com/google/go-github/v69/github"

 	"github.com/argoproj/argo-cd/v3/applicationset/services/github_app_auth"
-	"github.com/argoproj/argo-cd/v3/util/git"
+	appsetutils "github.com/argoproj/argo-cd/v3/applicationset/utils"
 )

-// getInstallationClient creates a new GitHub client with the specified installation ID.
-// It also returns a ghinstallation.Transport, which can be used for git requests.
-func getInstallationClient(g github_app_auth.Authentication, url string, httpClient ...*http.Client) (*github.Client, error) {
-	if g.InstallationId <= 0 {
-		return nil, errors.New("installation ID is required for github")
+func getOptionalHTTPClientAndTransport(optionalHTTPClient ...*http.Client) (*http.Client, http.RoundTripper) {
+	httpClient := appsetutils.GetOptionalHTTPClient(optionalHTTPClient...)
+	if len(optionalHTTPClient) > 0 && optionalHTTPClient[0] != nil && optionalHTTPClient[0].Transport != nil {
+		// will either use the provided custom httpClient and it's transport
+		return httpClient, optionalHTTPClient[0].Transport
 	}
-
-	// Use provided HTTP client's transport or default
-	var transport http.RoundTripper
-	if len(httpClient) > 0 && httpClient[0] != nil && httpClient[0].Transport != nil {
-		transport = httpClient[0].Transport
-	} else {
-		transport = http.DefaultTransport
-	}
-
-	itr, err := ghinstallation.New(transport, g.Id, g.InstallationId, []byte(g.PrivateKey))
-	if err != nil {
-		return nil, fmt.Errorf("failed to create GitHub installation transport: %w", err)
-	}
-
-	if url == "" {
-		url = g.EnterpriseBaseURL
-	}
-
-	var client *github.Client
-	if url == "" {
-		client = github.NewClient(&http.Client{Transport: itr})
-		return client, nil
-	}
-
-	itr.BaseURL = url
-	client, err = github.NewClient(&http.Client{Transport: itr}).WithEnterpriseURLs(url, url)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create GitHub enterprise client: %w", err)
-	}
-	return client, nil
+	// or the default httpClient and transport
+	return httpClient, http.DefaultTransport
 }

 // Client builds a github client for the given app authentication.
-func Client(ctx context.Context, g github_app_auth.Authentication, url, org string, optionalHTTPClient ...*http.Client) (*github.Client, error) {
+func Client(g github_app_auth.Authentication, url string, optionalHTTPClient ...*http.Client) (*github.Client, error) {
+	httpClient, transport := getOptionalHTTPClientAndTransport(optionalHTTPClient...)
+
+	rt, err := ghinstallation.New(transport, g.Id, g.InstallationId, []byte(g.PrivateKey))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create github app install: %w", err)
+	}
 	if url == "" {
 		url = g.EnterpriseBaseURL
 	}
-
-	// If an installation ID is already provided, use it directly.
-	if g.InstallationId != 0 {
-		return getInstallationClient(g, url, optionalHTTPClient...)
+	var client *github.Client
+	httpClient.Transport = rt
+	if url == "" {
+		client = github.NewClient(httpClient)
+	} else {
+		rt.BaseURL = url
+		client, err = github.NewClient(httpClient).WithEnterpriseURLs(url, url)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create github enterprise client: %w", err)
+		}
 	}
-
-	// Auto-discover installation ID using shared utility
-	// Pass optional HTTP client for metrics tracking
-	installationId, err := git.DiscoverGitHubAppInstallationID(ctx, g.Id, g.PrivateKey, url, org, optionalHTTPClient...)
-	if err != nil {
-		return nil, err
-	}
-
-	g.InstallationId = installationId
-	return getInstallationClient(g, url, optionalHTTPClient...)
+	return client, nil
 }
--- a/applicationset/services/pull_request/azure_devops.go
+++ b/applicationset/services/pull_request/azure_devops.go
@@ -107,7 +107,7 @@ func (a *AzureDevOpsService) List(ctx context.Context) ([]*PullRequest, error) {

 		if *pr.Repository.Name == a.repo {
 			pullRequests = append(pullRequests, &PullRequest{
-				Number:       int64(*pr.PullRequestId),
+				Number:       *pr.PullRequestId,
 				Title:        *pr.Title,
 				Branch:       strings.Replace(*pr.SourceRefName, "refs/heads/", "", 1),
 				TargetBranch: strings.Replace(*pr.TargetRefName, "refs/heads/", "", 1),
--- a/applicationset/services/pull_request/azure_devops_test.go
+++ b/applicationset/services/pull_request/azure_devops_test.go
@@ -1,6 +1,7 @@
 package pull_request

 import (
+	"context"
 	"errors"
 	"testing"

@@ -12,7 +13,6 @@ import (
 	"github.com/stretchr/testify/require"

 	azureMock "github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/azure_devops/git/mocks"
-	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 )

 func createBoolPtr(x bool) *bool {
@@ -35,6 +35,29 @@ func createUniqueNamePtr(x string) *string {
 	return &x
 }

+type AzureClientFactoryMock struct {
+	mock *mock.Mock
+}
+
+func (m *AzureClientFactoryMock) GetClient(ctx context.Context) (git.Client, error) {
+	args := m.mock.Called(ctx)
+
+	var client git.Client
+	c := args.Get(0)
+	if c != nil {
+		client = c.(git.Client)
+	}
+
+	var err error
+	if len(args) > 1 {
+		if e, ok := args.Get(1).(error); ok {
+			err = e
+		}
+	}
+
+	return client, err
+}
+
 func TestListPullRequest(t *testing.T) {
 	teamProject := "myorg_project"
 	repoName := "myorg_project_repo"
@@ -68,10 +91,10 @@ func TestListPullRequest(t *testing.T) {
 		SearchCriteria: &git.GitPullRequestSearchCriteria{},
 	}

-	gitClientMock := &azureMock.Client{}
-	clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-	clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
-	gitClientMock.EXPECT().GetPullRequestsByProject(mock.Anything, args).Return(&pullRequestMock, nil)
+	gitClientMock := azureMock.Client{}
+	clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+	clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
+	gitClientMock.On("GetPullRequestsByProject", ctx, args).Return(&pullRequestMock, nil)

 	provider := AzureDevOpsService{
 		clientFactory: clientFactoryMock,
@@ -87,7 +110,7 @@ func TestListPullRequest(t *testing.T) {
 	assert.Equal(t, "main", list[0].TargetBranch)
 	assert.Equal(t, prHeadSha, list[0].HeadSHA)
 	assert.Equal(t, "feat(123)", list[0].Title)
-	assert.Equal(t, int64(prID), list[0].Number)
+	assert.Equal(t, prID, list[0].Number)
 	assert.Equal(t, uniqueName, list[0].Author)
 }

@@ -222,12 +245,12 @@ func TestAzureDevOpsListReturnsRepositoryNotFoundError(t *testing.T) {

 	pullRequestMock := []git.GitPullRequest{}

-	gitClientMock := &azureMock.Client{}
-	clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-	clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
+	gitClientMock := azureMock.Client{}
+	clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+	clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)

 	// Mock the GetPullRequestsByProject to return an error containing "404"
-	gitClientMock.EXPECT().GetPullRequestsByProject(mock.Anything, args).Return(&pullRequestMock,
+	gitClientMock.On("GetPullRequestsByProject", t.Context(), args).Return(&pullRequestMock,
 		errors.New("The following project does not exist:"))

 	provider := AzureDevOpsService{
--- a/applicationset/services/pull_request/bitbucket_cloud.go
+++ b/applicationset/services/pull_request/bitbucket_cloud.go
@@ -81,10 +81,7 @@ func NewBitbucketCloudServiceBasicAuth(baseURL, username, password, owner, repos
 		return nil, fmt.Errorf("error parsing base url of %s for %s/%s: %w", baseURL, owner, repositorySlug, err)
 	}

-	bitbucketClient, err := bitbucket.NewBasicAuth(username, password)
-	if err != nil {
-		return nil, fmt.Errorf("error creating BitBucket Cloud client with basic auth: %w", err)
-	}
+	bitbucketClient := bitbucket.NewBasicAuth(username, password)
 	bitbucketClient.SetApiBaseURL(*url)

 	return &BitbucketCloudService{
@@ -100,13 +97,14 @@ func NewBitbucketCloudServiceBearerToken(baseURL, bearerToken, owner, repository
 		return nil, fmt.Errorf("error parsing base url of %s for %s/%s: %w", baseURL, owner, repositorySlug, err)
 	}

-	bitbucketClient, err := bitbucket.NewOAuthbearerToken(bearerToken)
-	if err != nil {
-		return nil, fmt.Errorf("error creating BitBucket Cloud client with oauth bearer token: %w", err)
-	}
+	bitbucketClient := bitbucket.NewOAuthbearerToken(bearerToken)
 	bitbucketClient.SetApiBaseURL(*url)

-	return &BitbucketCloudService{client: bitbucketClient, owner: owner, repositorySlug: repositorySlug}, nil
+	return &BitbucketCloudService{
+		client:         bitbucketClient,
+		owner:          owner,
+		repositorySlug: repositorySlug,
+	}, nil
 }

 func NewBitbucketCloudServiceNoAuth(baseURL, owner, repositorySlug string) (PullRequestService, error) {
@@ -156,7 +154,7 @@ func (b *BitbucketCloudService) List(_ context.Context) ([]*PullRequest, error)

 	for _, pull := range pulls {
 		pullRequests = append(pullRequests, &PullRequest{
-			Number:       int64(pull.ID),
+			Number:       pull.ID,
 			Title:        pull.Title,
 			Branch:       pull.Source.Branch.Name,
 			TargetBranch: pull.Destination.Branch.Name,
--- a/applicationset/services/pull_request/bitbucket_cloud_test.go
+++ b/applicationset/services/pull_request/bitbucket_cloud_test.go
@@ -89,7 +89,7 @@ func TestListPullRequestBearerTokenCloud(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, int64(101), pullRequests[0].Number)
+	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
@@ -107,7 +107,7 @@ func TestListPullRequestNoAuthCloud(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, int64(101), pullRequests[0].Number)
+	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
@@ -125,7 +125,7 @@ func TestListPullRequestBasicAuthCloud(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, int64(101), pullRequests[0].Number)
+	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
--- a/applicationset/services/pull_request/bitbucket_server.go
+++ b/applicationset/services/pull_request/bitbucket_server.go
@@ -82,7 +82,7 @@ func (b *BitbucketService) List(_ context.Context) ([]*PullRequest, error) {

 		for _, pull := range pulls {
 			pullRequests = append(pullRequests, &PullRequest{
-				Number:       int64(pull.ID),
+				Number:       pull.ID,
 				Title:        pull.Title,
 				Branch:       pull.FromRef.DisplayID, // ID: refs/heads/main DisplayID: main
 				TargetBranch: pull.ToRef.DisplayID,
--- a/applicationset/services/pull_request/bitbucket_server_test.go
+++ b/applicationset/services/pull_request/bitbucket_server_test.go
@@ -68,7 +68,7 @@ func TestListPullRequestNoAuth(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, int64(101), pullRequests[0].Number)
+	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feat(ABC) : 123", pullRequests[0].Title)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "master", pullRequests[0].TargetBranch)
@@ -211,7 +211,7 @@ func TestListPullRequestBasicAuth(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, int64(101), pullRequests[0].Number)
+	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "cb3cf2e4d1517c83e720d2585b9402dbef71f992", pullRequests[0].HeadSHA)
 }
@@ -228,7 +228,7 @@ func TestListPullRequestBearerAuth(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, int64(101), pullRequests[0].Number)
+	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feat(ABC) : 123", pullRequests[0].Title)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "cb3cf2e4d1517c83e720d2585b9402dbef71f992", pullRequests[0].HeadSHA)
--- a/applicationset/services/pull_request/gitea.go
+++ b/applicationset/services/pull_request/gitea.go
@@ -68,7 +68,7 @@ func (g *GiteaService) List(ctx context.Context) ([]*PullRequest, error) {
 			continue
 		}
 		list = append(list, &PullRequest{
-			Number:       int64(pr.Index),
+			Number:       int(pr.Index),
 			Title:        pr.Title,
 			Branch:       pr.Head.Ref,
 			TargetBranch: pr.Base.Ref,
--- a/applicationset/services/pull_request/gitea_test.go
+++ b/applicationset/services/pull_request/gitea_test.go
@@ -303,7 +303,7 @@ func TestGiteaList(t *testing.T) {
 	prs, err := host.List(t.Context())
 	require.NoError(t, err)
 	assert.Len(t, prs, 1)
-	assert.Equal(t, int64(1), prs[0].Number)
+	assert.Equal(t, 1, prs[0].Number)
 	assert.Equal(t, "add an empty file", prs[0].Title)
 	assert.Equal(t, "test", prs[0].Branch)
 	assert.Equal(t, "main", prs[0].TargetBranch)
--- a/applicationset/services/pull_request/github.go
+++ b/applicationset/services/pull_request/github.go
@@ -76,7 +76,7 @@ func (g *GithubService) List(ctx context.Context) ([]*PullRequest, error) {
 				continue
 			}
 			pullRequests = append(pullRequests, &PullRequest{
-				Number:       int64(*pull.Number),
+				Number:       *pull.Number,
 				Title:        *pull.Title,
 				Branch:       *pull.Head.Ref,
 				TargetBranch: *pull.Base.Ref,
--- a/applicationset/services/pull_request/github_app.go
+++ b/applicationset/services/pull_request/github_app.go
@@ -1,7 +1,6 @@
 package pull_request

 import (
-	"context"
 	"net/http"

 	"github.com/argoproj/argo-cd/v3/applicationset/services/github_app_auth"
@@ -9,9 +8,9 @@ import (
 	appsetutils "github.com/argoproj/argo-cd/v3/applicationset/utils"
 )

-func NewGithubAppService(ctx context.Context, g github_app_auth.Authentication, url, owner, repo string, labels []string, optionalHTTPClient ...*http.Client) (PullRequestService, error) {
+func NewGithubAppService(g github_app_auth.Authentication, url, owner, repo string, labels []string, optionalHTTPClient ...*http.Client) (PullRequestService, error) {
 	httpClient := appsetutils.GetOptionalHTTPClient(optionalHTTPClient...)
-	client, err := github_app.Client(ctx, g, url, owner, httpClient)
+	client, err := github_app.Client(g, url, httpClient)
 	if err != nil {
 		return nil, err
 	}
--- a/applicationset/services/pull_request/gitlab.go
+++ b/applicationset/services/pull_request/gitlab.go
@@ -61,15 +61,11 @@ func (g *GitLabService) List(ctx context.Context) ([]*PullRequest, error) {
 		var labelsList gitlab.LabelOptions = g.labels
 		labels = &labelsList
 	}
-
-	snippetsListOptions := gitlab.ExploreSnippetsOptions{
+	opts := &gitlab.ListProjectMergeRequestsOptions{
 		ListOptions: gitlab.ListOptions{
 			PerPage: 100,
 		},
-	}
-	opts := &gitlab.ListProjectMergeRequestsOptions{
-		ListOptions: snippetsListOptions.ListOptions,
-		Labels:      labels,
+		Labels: labels,
 	}

 	if g.pullRequestState != "" {
--- a/applicationset/services/pull_request/gitlab_test.go
+++ b/applicationset/services/pull_request/gitlab_test.go
@@ -78,7 +78,7 @@ func TestList(t *testing.T) {
 	prs, err := svc.List(t.Context())
 	require.NoError(t, err)
 	assert.Len(t, prs, 1)
-	assert.Equal(t, int64(15442), prs[0].Number)
+	assert.Equal(t, 15442, prs[0].Number)
 	assert.Equal(t, "Draft: Use structured logging for DB load balancer", prs[0].Title)
 	assert.Equal(t, "use-structured-logging-for-db-load-balancer", prs[0].Branch)
 	assert.Equal(t, "master", prs[0].TargetBranch)
--- a/applicationset/services/pull_request/interface.go
+++ b/applicationset/services/pull_request/interface.go
@@ -7,8 +7,7 @@ import (

 type PullRequest struct {
 	// Number is a number that will be the ID of the pull request.
-	// Gitlab uses int64 for the pull request number.
-	Number int64
+	Number int
 	// Title of the pull request.
 	Title string
 	// Branch is the name of the branch from which the pull request originated.
--- a/applicationset/services/scm_provider/aws_codecommit/mocks/AWSCodeCommitClient.go
+++ b/applicationset/services/scm_provider/aws_codecommit/mocks/AWSCodeCommitClient.go
--- a/applicationset/services/scm_provider/aws_codecommit/mocks/AWSTaggingClient.go
+++ b/applicationset/services/scm_provider/aws_codecommit/mocks/AWSTaggingClient.go
--- a/applicationset/services/scm_provider/aws_codecommit_test.go
+++ b/applicationset/services/scm_provider/aws_codecommit_test.go
@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

-	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/aws_codecommit/mocks"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

@@ -177,8 +177,9 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 				if repo.getRepositoryNilMetadata {
 					repoMetadata = nil
 				}
-				codeCommitClient.EXPECT().GetRepositoryWithContext(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
-					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: repoMetadata}, repo.getRepositoryError).Maybe()
+				codeCommitClient.
+					On("GetRepositoryWithContext", ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
+					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: repoMetadata}, repo.getRepositoryError)
 				codecommitRepoNameIdPairs = append(codecommitRepoNameIdPairs, &codecommit.RepositoryNameIdPair{
 					RepositoryId:   aws.String(repo.id),
 					RepositoryName: aws.String(repo.name),
@@ -192,18 +193,20 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			}

 			if testCase.expectListAtCodeCommit {
-				codeCommitClient.EXPECT().ListRepositoriesWithContext(mock.Anything, &codecommit.ListRepositoriesInput{}).
+				codeCommitClient.
+					On("ListRepositoriesWithContext", ctx, &codecommit.ListRepositoriesInput{}).
 					Return(&codecommit.ListRepositoriesOutput{
 						Repositories: codecommitRepoNameIdPairs,
-					}, testCase.listRepositoryError).Maybe()
+					}, testCase.listRepositoryError)
 			} else {
-				taggingClient.EXPECT().GetResourcesWithContext(mock.Anything, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
-					TagFilters:          testCase.expectTagFilters,
-					ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
-				}))).
+				taggingClient.
+					On("GetResourcesWithContext", ctx, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
+						TagFilters:          testCase.expectTagFilters,
+						ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
+					}))).
 					Return(&resourcegroupstaggingapi.GetResourcesOutput{
 						ResourceTagMappingList: resourceTaggings,
-					}, testCase.listRepositoryError).Maybe()
+					}, testCase.listRepositoryError)
 			}

 			provider := &AWSCodeCommitProvider{
@@ -347,12 +350,13 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
 			if testCase.expectedGetFolderPath != "" {
-				codeCommitClient.EXPECT().GetFolderWithContext(mock.Anything, &codecommit.GetFolderInput{
-					CommitSpecifier: aws.String(branch),
-					FolderPath:      aws.String(testCase.expectedGetFolderPath),
-					RepositoryName:  aws.String(repoName),
-				}).
-					Return(testCase.getFolderOutput, testCase.getFolderError).Maybe()
+				codeCommitClient.
+					On("GetFolderWithContext", ctx, &codecommit.GetFolderInput{
+						CommitSpecifier: aws.String(branch),
+						FolderPath:      aws.String(testCase.expectedGetFolderPath),
+						RepositoryName:  aws.String(repoName),
+					}).
+					Return(testCase.getFolderOutput, testCase.getFolderError)
 			}
 			provider := &AWSCodeCommitProvider{
 				codeCommitClient: codeCommitClient,
@@ -419,16 +423,18 @@ func TestAWSCodeCommitGetBranches(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
 			if testCase.allBranches {
-				codeCommitClient.EXPECT().ListBranchesWithContext(mock.Anything, &codecommit.ListBranchesInput{
-					RepositoryName: aws.String(name),
-				}).
-					Return(&codecommit.ListBranchesOutput{Branches: aws.StringSlice(testCase.branches)}, testCase.apiError).Maybe()
+				codeCommitClient.
+					On("ListBranchesWithContext", ctx, &codecommit.ListBranchesInput{
+						RepositoryName: aws.String(name),
+					}).
+					Return(&codecommit.ListBranchesOutput{Branches: aws.StringSlice(testCase.branches)}, testCase.apiError)
 			} else {
-				codeCommitClient.EXPECT().GetRepositoryWithContext(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
+				codeCommitClient.
+					On("GetRepositoryWithContext", ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
 					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: &codecommit.RepositoryMetadata{
 						AccountId:     aws.String(organization),
 						DefaultBranch: aws.String(defaultBranch),
-					}}, testCase.apiError).Maybe()
+					}}, testCase.apiError)
 			}
 			provider := &AWSCodeCommitProvider{
 				codeCommitClient: codeCommitClient,
--- a/applicationset/services/scm_provider/azure_devops_test.go
+++ b/applicationset/services/scm_provider/azure_devops_test.go
@@ -1,6 +1,7 @@
 package scm_provider

 import (
+	"context"
 	"errors"
 	"fmt"
 	"testing"
@@ -15,7 +16,6 @@ import (
 	azureGit "github.com/microsoft/azure-devops-go-api/azuredevops/v7/git"

 	azureMock "github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/azure_devops/git/mocks"
-	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 )

 func s(input string) *string {
@@ -78,13 +78,13 @@ func TestAzureDevopsRepoHasPath(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := &azureMock.Client{}
+			gitClientMock := azureMock.Client{}

-			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)
+			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)

 			repoId := &uuid
-			gitClientMock.EXPECT().GetItem(mock.Anything, azureGit.GetItemArgs{Project: &teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}, RepositoryId: repoId}).Return(nil, testCase.azureDevopsError)
+			gitClientMock.On("GetItem", ctx, azureGit.GetItemArgs{Project: &teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}, RepositoryId: repoId}).Return(nil, testCase.azureDevopsError)

 			provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock}

@@ -143,12 +143,12 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			uuid := uuid.New().String()

-			gitClientMock := azureMock.NewClient(t)
+			gitClientMock := azureMock.Client{}

-			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
+			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)

-			gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(nil, testCase.azureDevOpsError)
+			gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(nil, testCase.azureDevOpsError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@@ -162,6 +162,8 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 			}

 			assert.Empty(t, branches)
+
+			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
@@ -200,12 +202,12 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			uuid := uuid.New().String()

-			gitClientMock := azureMock.NewClient(t)
+			gitClientMock := azureMock.Client{}

-			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
+			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)

-			gitClientMock.EXPECT().GetBranches(mock.Anything, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(nil, testCase.azureDevOpsError)
+			gitClientMock.On("GetBranches", ctx, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(nil, testCase.azureDevOpsError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@@ -219,6 +221,8 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 			}

 			assert.Empty(t, branches)
+
+			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
@@ -237,12 +241,12 @@ func TestAzureDevOpsGetDefaultBranchStripsRefsName(t *testing.T) {
 		branchReturn := &azureGit.GitBranchStats{Name: &strippedBranchName, Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}}
 		repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

-		gitClientMock := &azureMock.Client{}
+		gitClientMock := azureMock.Client{}

-		clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-		clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
+		clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+		clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)

-		gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &strippedBranchName}).Return(branchReturn, nil).Maybe()
+		gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &strippedBranchName}).Return(branchReturn, nil)

 		provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock, allBranches: false}
 		branches, err := provider.GetBranches(ctx, repo)
@@ -291,12 +295,12 @@ func TestAzureDevOpsGetBranchesDefultBranchOnly(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := &azureMock.Client{}
+			gitClientMock := azureMock.Client{}

-			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)
+			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)

-			gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(testCase.expectedBranch, testCase.getBranchesAPIError)
+			gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(testCase.expectedBranch, testCase.getBranchesAPIError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@@ -375,12 +379,12 @@ func TestAzureDevopsGetBranches(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := &azureMock.Client{}
+			gitClientMock := azureMock.Client{}

-			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)
+			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)

-			gitClientMock.EXPECT().GetBranches(mock.Anything, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(testCase.expectedBranches, testCase.getBranchesAPIError)
+			gitClientMock.On("GetBranches", ctx, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(testCase.expectedBranches, testCase.getBranchesAPIError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid}

@@ -423,6 +427,7 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 	teamProject := "myorg_project"

 	uuid := uuid.New()
+	ctx := t.Context()

 	repoId := &uuid

@@ -472,15 +477,15 @@ func TestGetAzureDevopsRepositories(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.NewClient(t)
-			gitClientMock.EXPECT().GetRepositories(mock.Anything, azureGit.GetRepositoriesArgs{Project: s(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)
+			gitClientMock := azureMock.Client{}
+			gitClientMock.On("GetRepositories", ctx, azureGit.GetRepositoriesArgs{Project: s(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)

-			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
-			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
+			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
+			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock)

 			provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock}

-			repositories, err := provider.ListRepos(t.Context(), "https")
+			repositories, err := provider.ListRepos(ctx, "https")

 			if testCase.getRepositoriesError != nil {
 				require.Error(t, err, "Expected an error from test case %v", testCase.name)
@@ -492,6 +497,31 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 				assert.NotEmpty(t, repositories)
 				assert.Len(t, repositories, testCase.expectedNumberOfRepos)
 			}
+
+			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
+
+type AzureClientFactoryMock struct {
+	mock *mock.Mock
+}
+
+func (m *AzureClientFactoryMock) GetClient(ctx context.Context) (azureGit.Client, error) {
+	args := m.mock.Called(ctx)
+
+	var client azureGit.Client
+	c := args.Get(0)
+	if c != nil {
+		client = c.(azureGit.Client)
+	}
+
+	var err error
+	if len(args) > 1 {
+		if e, ok := args.Get(1).(error); ok {
+			err = e
+		}
+	}
+
+	return client, err
+}
--- a/applicationset/services/scm_provider/bitbucket_cloud.go
+++ b/applicationset/services/scm_provider/bitbucket_cloud.go
@@ -30,7 +30,7 @@ func (c *ExtendedClient) GetContents(repo *Repository, path string) (bool, error
 	urlStr += fmt.Sprintf("/repositories/%s/%s/src/%s/%s?format=meta", c.owner, repo.Repository, repo.SHA, path)
 	body := strings.NewReader("")

-	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, urlStr, body)
+	req, err := http.NewRequest(http.MethodGet, urlStr, body)
 	if err != nil {
 		return false, err
 	}
@@ -53,12 +53,8 @@ func (c *ExtendedClient) GetContents(repo *Repository, path string) (bool, error
 var _ SCMProviderService = &BitBucketCloudProvider{}

 func NewBitBucketCloudProvider(owner string, user string, password string, allBranches bool) (*BitBucketCloudProvider, error) {
-	bitbucketClient, err := bitbucket.NewBasicAuth(user, password)
-	if err != nil {
-		return nil, fmt.Errorf("error creating BitBucket Cloud client with basic auth: %w", err)
-	}
 	client := &ExtendedClient{
-		bitbucketClient,
+		bitbucket.NewBasicAuth(user, password),
 		user,
 		password,
 		owner,
--- a/applicationset/services/scm_provider/github_app.go
+++ b/applicationset/services/scm_provider/github_app.go
@@ -1,7 +1,6 @@
 package scm_provider

 import (
-	"context"
 	"net/http"

 	"github.com/argoproj/argo-cd/v3/applicationset/services/github_app_auth"
@@ -9,9 +8,9 @@ import (
 	appsetutils "github.com/argoproj/argo-cd/v3/applicationset/utils"
 )

-func NewGithubAppProviderFor(ctx context.Context, g github_app_auth.Authentication, organization string, url string, allBranches bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
+func NewGithubAppProviderFor(g github_app_auth.Authentication, organization string, url string, allBranches bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
 	httpClient := appsetutils.GetOptionalHTTPClient(optionalHTTPClient...)
-	client, err := github_app.Client(ctx, g, url, organization, httpClient)
+	client, err := github_app.Client(g, url, httpClient)
 	if err != nil {
 		return nil, err
 	}
--- a/applicationset/services/scm_provider/gitlab.go
+++ b/applicationset/services/scm_provider/gitlab.go
@@ -76,13 +76,8 @@ func (g *GitlabProvider) GetBranches(ctx context.Context, repo *Repository) ([]*
 }

 func (g *GitlabProvider) ListRepos(_ context.Context, cloneProtocol string) ([]*Repository, error) {
-	snippetsListOptions := gitlab.ExploreSnippetsOptions{
-		ListOptions: gitlab.ListOptions{
-			PerPage: 100,
-		},
-	}
 	opt := &gitlab.ListGroupProjectsOptions{
-		ListOptions:      snippetsListOptions.ListOptions,
+		ListOptions:      gitlab.ListOptions{PerPage: 100},
 		IncludeSubGroups: &g.includeSubgroups,
 		WithShared:       &g.includeSharedProjects,
 		Topic:            &g.topic,
@@ -178,13 +173,8 @@ func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gi
 		return branches, nil
 	}
 	// Otherwise, scrape the ListBranches API.
-	snippetsListOptions := gitlab.ExploreSnippetsOptions{
-		ListOptions: gitlab.ListOptions{
-			PerPage: 100,
-		},
-	}
 	opt := &gitlab.ListBranchesOptions{
-		ListOptions: snippetsListOptions.ListOptions,
+		ListOptions: gitlab.ListOptions{PerPage: 100},
 	}
 	for {
 		gitlabBranches, resp, err := g.client.Branches.ListBranches(repo.RepositoryId, opt)
--- a/applicationset/services/scm_provider/mocks/AzureDevOpsClientFactory.go
+++ b/applicationset/services/scm_provider/mocks/AzureDevOpsClientFactory.go
@@ -1,101 +0,0 @@
-// Code generated by mockery; DO NOT EDIT.
-// github.com/vektra/mockery
-// template: testify
-
-package mocks
-
-import (
-	"context"
-
-	"github.com/microsoft/azure-devops-go-api/azuredevops/v7/git"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// NewAzureDevOpsClientFactory creates a new instance of AzureDevOpsClientFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewAzureDevOpsClientFactory(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *AzureDevOpsClientFactory {
-	mock := &AzureDevOpsClientFactory{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
-
-// AzureDevOpsClientFactory is an autogenerated mock type for the AzureDevOpsClientFactory type
-type AzureDevOpsClientFactory struct {
-	mock.Mock
-}
-
-type AzureDevOpsClientFactory_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *AzureDevOpsClientFactory) EXPECT() *AzureDevOpsClientFactory_Expecter {
-	return &AzureDevOpsClientFactory_Expecter{mock: &_m.Mock}
-}
-
-// GetClient provides a mock function for the type AzureDevOpsClientFactory
-func (_mock *AzureDevOpsClientFactory) GetClient(ctx context.Context) (git.Client, error) {
-	ret := _mock.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetClient")
-	}
-
-	var r0 git.Client
-	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(context.Context) (git.Client, error)); ok {
-		return returnFunc(ctx)
-	}
-	if returnFunc, ok := ret.Get(0).(func(context.Context) git.Client); ok {
-		r0 = returnFunc(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(git.Client)
-		}
-	}
-	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = returnFunc(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-	return r0, r1
-}
-
-// AzureDevOpsClientFactory_GetClient_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetClient'
-type AzureDevOpsClientFactory_GetClient_Call struct {
-	*mock.Call
-}
-
-// GetClient is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *AzureDevOpsClientFactory_Expecter) GetClient(ctx interface{}) *AzureDevOpsClientFactory_GetClient_Call {
-	return &AzureDevOpsClientFactory_GetClient_Call{Call: _e.mock.On("GetClient", ctx)}
-}
-
-func (_c *AzureDevOpsClientFactory_GetClient_Call) Run(run func(ctx context.Context)) *AzureDevOpsClientFactory_GetClient_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 context.Context
-		if args[0] != nil {
-			arg0 = args[0].(context.Context)
-		}
-		run(
-			arg0,
-		)
-	})
-	return _c
-}
-
-func (_c *AzureDevOpsClientFactory_GetClient_Call) Return(client git.Client, err error) *AzureDevOpsClientFactory_GetClient_Call {
-	_c.Call.Return(client, err)
-	return _c
-}
-
-func (_c *AzureDevOpsClientFactory_GetClient_Call) RunAndReturn(run func(ctx context.Context) (git.Client, error)) *AzureDevOpsClientFactory_GetClient_Call {
-	_c.Call.Return(run)
-	return _c
-}
--- a/applicationset/services/util_test.go
+++ b/applicationset/services/util_test.go
@@ -1,6 +1,7 @@
 package services

 import (
+	"context"
 	"crypto/tls"
 	"net/http"
 	"testing"
@@ -11,7 +12,7 @@ import (
 )

 func TestSetupBitbucketClient(t *testing.T) {
-	ctx := t.Context()
+	ctx := context.Background()
 	cfg := &bitbucketv1.Configuration{}

 	// Act
--- a/applicationset/utils/utils.go
+++ b/applicationset/utils/utils.go
@@ -30,10 +30,6 @@ import (

 var sprigFuncMap = sprig.GenericFuncMap() // a singleton for better performance

-// baseTemplate is a pre-initialized template with all sprig functions loaded.
-// Cloning this is much faster than calling Funcs() on a new template each time.
-var baseTemplate *template.Template
-
 func init() {
 	// Avoid allowing the user to learn things about the environment.
 	delete(sprigFuncMap, "env")
@@ -44,10 +40,6 @@ func init() {
 	sprigFuncMap["toYaml"] = toYAML
 	sprigFuncMap["fromYaml"] = fromYAML
 	sprigFuncMap["fromYamlArray"] = fromYAMLArray
-
-	// Initialize the base template with sprig functions once at startup.
-	// This must be done after modifying sprigFuncMap above.
-	baseTemplate = template.New("base").Funcs(sprigFuncMap)
 }

 type Renderer interface {
@@ -317,21 +309,16 @@ var isTemplatedRegex = regexp.MustCompile(".*{{.*}}.*")
 // remaining in the substituted template.
 func (r *Render) Replace(tmpl string, replaceMap map[string]any, useGoTemplate bool, goTemplateOptions []string) (string, error) {
 	if useGoTemplate {
-		// Clone the base template which has sprig funcs pre-loaded
-		cloned, err := baseTemplate.Clone()
-		if err != nil {
-			return "", fmt.Errorf("failed to clone base template: %w", err)
-		}
-		for _, option := range goTemplateOptions {
-			cloned = cloned.Option(option)
-		}
-		parsed, err := cloned.Parse(tmpl)
+		template, err := template.New("").Funcs(sprigFuncMap).Parse(tmpl)
 		if err != nil {
 			return "", fmt.Errorf("failed to parse template %s: %w", tmpl, err)
 		}
+		for _, option := range goTemplateOptions {
+			template = template.Option(option)
+		}

 		var replacedTmplBuffer bytes.Buffer
-		if err = parsed.Execute(&replacedTmplBuffer, replaceMap); err != nil {
+		if err = template.Execute(&replacedTmplBuffer, replaceMap); err != nil {
 			return "", fmt.Errorf("failed to execute go template %s: %w", tmpl, err)
 		}

--- a/applicationset/utils/utils_test.go
+++ b/applicationset/utils/utils_test.go
@@ -514,7 +514,7 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			params: map[string]any{
 				"data": `a data string`,
 			},
-			errorMessage: `failed to parse template {{functiondoesnotexist}}: template: base:1: function "functiondoesnotexist" not defined`,
+			errorMessage: `failed to parse template {{functiondoesnotexist}}: template: :1: function "functiondoesnotexist" not defined`,
 		},
 		{
 			name:        "Test template error",
@@ -523,7 +523,7 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			params: map[string]any{
 				"data": `a data string`,
 			},
-			errorMessage: `failed to execute go template {{.data.test}}: template: base:1:7: executing "base" at <.data.test>: can't evaluate field test in type interface {}`,
+			errorMessage: `failed to execute go template {{.data.test}}: template: :1:7: executing "" at <.data.test>: can't evaluate field test in type interface {}`,
 		},
 		{
 			name:        "lookup missing value with missingkey=default",
@@ -543,7 +543,7 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 				"unused": "this is not used",
 			},
 			templateOptions: []string{"missingkey=error"},
-			errorMessage:    `failed to execute go template --> {{.doesnotexist}} <--: template: base:1:6: executing "base" at <.doesnotexist>: map has no entry for key "doesnotexist"`,
+			errorMessage:    `failed to execute go template --> {{.doesnotexist}} <--: template: :1:6: executing "" at <.doesnotexist>: map has no entry for key "doesnotexist"`,
 		},
 		{
 			name:        "toYaml",
@@ -563,7 +563,7 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			name:         "toYaml Error",
 			fieldVal:     `{{ toYaml . | indent 2 }}`,
 			expectedVal:  "  foo:\n    bar:\n      bool: true\n      number: 2\n      str: Hello world",
-			errorMessage: "failed to execute go template {{ toYaml . | indent 2 }}: template: base:1:3: executing \"base\" at <toYaml .>: error calling toYaml: error marshaling into JSON: json: unsupported type: func(*string)",
+			errorMessage: "failed to execute go template {{ toYaml . | indent 2 }}: template: :1:3: executing \"\" at <toYaml .>: error calling toYaml: error marshaling into JSON: json: unsupported type: func(*string)",
 			params: map[string]any{
 				"foo": func(_ *string) {
 				},
@@ -581,7 +581,7 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			name:         "fromYaml error",
 			fieldVal:     `{{ get (fromYaml .value) "hello" }}`,
 			expectedVal:  "world",
-			errorMessage: "failed to execute go template {{ get (fromYaml .value) \"hello\" }}: template: base:1:8: executing \"base\" at <fromYaml .value>: error calling fromYaml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type map[string]interface {}",
+			errorMessage: "failed to execute go template {{ get (fromYaml .value) \"hello\" }}: template: :1:8: executing \"\" at <fromYaml .value>: error calling fromYaml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type map[string]interface {}",
 			params: map[string]any{
 				"value": "non\n compliant\n yaml",
 			},
@@ -598,7 +598,7 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			name:         "fromYamlArray error",
 			fieldVal:     `{{ fromYamlArray .value | last }}`,
 			expectedVal:  "bonjour tout le monde",
-			errorMessage: "failed to execute go template {{ fromYamlArray .value | last }}: template: base:1:3: executing \"base\" at <fromYamlArray .value>: error calling fromYamlArray: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type []interface {}",
+			errorMessage: "failed to execute go template {{ fromYamlArray .value | last }}: template: :1:3: executing \"\" at <fromYamlArray .value>: error calling fromYamlArray: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type []interface {}",
 			params: map[string]any{
 				"value": "non\n compliant\n yaml",
 			},
--- a/assets/swagger.json
+++ b/assets/swagger.json
@@ -5619,9 +5619,6 @@
        "statusBadgeRootUrl": {
          "type": "string"
        },
-        "syncWithReplaceAllowed": {
-          "type": "boolean"
-        },
        "trackingMethod": {
          "type": "string"
        },
@@ -6829,14 +6826,14 @@
          "type": "array",
          "title": "ClusterResourceBlacklist contains list of blacklisted cluster level resources",
          "items": {
-            "$ref": "#/definitions/v1alpha1ClusterResourceRestrictionItem"
+            "$ref": "#/definitions/v1GroupKind"
          }
        },
        "clusterResourceWhitelist": {
          "type": "array",
          "title": "ClusterResourceWhitelist contains list of whitelisted cluster level resources",
          "items": {
-            "$ref": "#/definitions/v1alpha1ClusterResourceRestrictionItem"
+            "$ref": "#/definitions/v1GroupKind"
          }
        },
        "description": {
@@ -7050,7 +7047,7 @@
    },
    "v1alpha1ApplicationSet": {
      "type": "object",
-      "title": "ApplicationSet is a set of Application resources.\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n+kubebuilder:resource:path=applicationsets,shortName=appset;appsets\n+kubebuilder:subresource:status",
+      "title": "ApplicationSet is a set of Application resources\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n+kubebuilder:resource:path=applicationsets,shortName=appset;appsets\n+kubebuilder:subresource:status",
      "properties": {
        "metadata": {
          "$ref": "#/definitions/v1ObjectMeta"
@@ -7080,7 +7077,7 @@
        },
        "status": {
          "type": "string",
-          "title": "Status contains the AppSet's perceived status of the managed Application resource"
+          "title": "Status contains the AppSet's perceived status of the managed Application resource: (Waiting, Pending, Progressing, Healthy)"
        },
        "step": {
          "type": "string",
@@ -8164,22 +8161,6 @@
        }
      }
    },
-    "v1alpha1ClusterResourceRestrictionItem": {
-      "type": "object",
-      "title": "ClusterResourceRestrictionItem is a cluster resource that is restricted by the project's whitelist or blacklist",
-      "properties": {
-        "group": {
-          "type": "string"
-        },
-        "kind": {
-          "type": "string"
-        },
-        "name": {
-          "description": "Name is the name of the restricted resource. Glob patterns using Go's filepath.Match syntax are supported.\nUnlike the group and kind fields, if no name is specified, all resources of the specified group/kind are matched.",
-          "type": "string"
-        }
-      }
-    },
    "v1alpha1Command": {
      "type": "object",
      "title": "Command holds binary path and arguments list",
@@ -8273,7 +8254,7 @@
      }
    },
    "v1alpha1ConfigMapKeyRef": {
-      "description": "ConfigMapKeyRef struct for a reference to a configmap key.",
+      "description": "Utility struct for a reference to a configmap key.",
      "type": "object",
      "properties": {
        "configMapName": {
@@ -8305,22 +8286,10 @@
      "description": "DrySource specifies a location for dry \"don't repeat yourself\" manifest source information.",
      "type": "object",
      "properties": {
-        "directory": {
-          "$ref": "#/definitions/v1alpha1ApplicationSourceDirectory"
-        },
-        "helm": {
-          "$ref": "#/definitions/v1alpha1ApplicationSourceHelm"
-        },
-        "kustomize": {
-          "$ref": "#/definitions/v1alpha1ApplicationSourceKustomize"
-        },
        "path": {
          "type": "string",
          "title": "Path is a directory path within the Git repository where the manifests are located"
        },
-        "plugin": {
-          "$ref": "#/definitions/v1alpha1ApplicationSourcePlugin"
-        },
        "repoURL": {
          "type": "string",
          "title": "RepoURL is the URL to the git repository that contains the application manifests"
@@ -9367,7 +9336,7 @@
      }
    },
    "v1alpha1PullRequestGeneratorGithub": {
-      "description": "PullRequestGeneratorGithub defines connection info specific to GitHub.",
+      "description": "PullRequestGenerator defines connection info specific to GitHub.",
      "type": "object",
      "properties": {
        "api": {
@@ -9465,7 +9434,7 @@
          "title": "TLSClientCertKey specifies the TLS client cert key for authenticating at the repo server"
        },
        "type": {
-          "description": "Type specifies the type of the repoCreds. Can be either \"git\", \"helm\" or \"oci\". \"git\" is assumed if empty or absent.",
+          "description": "Type specifies the type of the repoCreds. Can be either \"git\" or \"helm. \"git\" is assumed if empty or absent.",
          "type": "string"
        },
        "url": {
@@ -9508,11 +9477,6 @@
        "connectionState": {
          "$ref": "#/definitions/v1alpha1ConnectionState"
        },
-        "depth": {
-          "description": "Depth specifies the depth for shallow clones. A value of 0 or omitting the field indicates a full clone.",
-          "type": "integer",
-          "format": "int64"
-        },
        "enableLfs": {
          "description": "EnableLFS specifies whether git-lfs support should be enabled for this repo. Only valid for Git repositories.",
          "type": "boolean"
@@ -10376,7 +10340,7 @@
      }
    },
    "v1alpha1SecretRef": {
-      "description": "SecretRef struct for a reference to a secret key.",
+      "description": "Utility struct for a reference to a secret key.",
      "type": "object",
      "properties": {
        "key": {
--- a/cmd/argocd-application-controller/commands/argocd_application_controller.go
+++ b/cmd/argocd-application-controller/commands/argocd_application_controller.go
@@ -202,6 +202,7 @@ func NewCommand() *cobra.Command {
 				time.Duration(appResyncJitter)*time.Second,
 				time.Duration(selfHealTimeoutSeconds)*time.Second,
 				selfHealBackoff,
+				time.Duration(selfHealBackoffCooldownSeconds)*time.Second,
 				time.Duration(syncTimeout)*time.Second,
 				time.Duration(repoErrorGracePeriod)*time.Second,
 				metricsPort,
@@ -274,7 +275,6 @@ func NewCommand() *cobra.Command {
 	command.Flags().IntVar(&selfHealBackoffFactor, "self-heal-backoff-factor", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR", 3, 0, math.MaxInt32), "Specifies factor of exponential timeout between application self heal attempts")
 	command.Flags().IntVar(&selfHealBackoffCapSeconds, "self-heal-backoff-cap-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS", 300, 0, math.MaxInt32), "Specifies max timeout of exponential backoff between application self heal attempts")
 	command.Flags().IntVar(&selfHealBackoffCooldownSeconds, "self-heal-backoff-cooldown-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_COOLDOWN_SECONDS", 330, 0, math.MaxInt32), "Specifies period of time the app needs to stay synced before the self heal backoff can reset")
-	errors.CheckError(command.Flags().MarkDeprecated("self-heal-backoff-cooldown-seconds", "This flag is deprecated and has no effect."))
 	command.Flags().IntVar(&syncTimeout, "sync-timeout", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT", 0, 0, math.MaxInt32), "Specifies the timeout after which a sync would be terminated. 0 means no timeout (default 0).")
 	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", env.ParseInt64FromEnv("ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT", 20, 0, math.MaxInt64), "Number of allowed concurrent kubectl fork/execs. Any value less than 1 means no limit.")
 	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
@@ -105,12 +105,7 @@ func NewCommand() *cobra.Command {
 			)

 			cli.SetLogFormat(cmdutil.LogFormat)
-
-			if debugLog {
-				cli.SetLogLevel("debug")
-			} else {
-				cli.SetLogLevel(cmdutil.LogLevel)
-			}
+			cli.SetLogLevel(cmdutil.LogLevel)

 			ctrl.SetLogger(logutils.NewLogrusLogger(logutils.NewWithCurrentConfig()))

--- a/cmd/argocd-commit-server/commands/argocd_commit_server.go
+++ b/cmd/argocd-commit-server/commands/argocd_commit_server.go
@@ -38,7 +38,7 @@ func NewCommand() *cobra.Command {
 		Use:   "argocd-commit-server",
 		Short: "Run Argo CD Commit Server",
 		Long:  "Argo CD Commit Server is an internal service which commits and pushes hydrated manifests to git. This command runs Commit Server in the foreground.",
-		RunE: func(cmd *cobra.Command, _ []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			vers := common.GetVersion()
 			vers.LogStartupInfo(
 				"Argo CD Commit Server",
@@ -59,10 +59,8 @@ func NewCommand() *cobra.Command {

 			server := commitserver.NewServer(askPassServer, metricsServer)
 			grpc := server.CreateGRPC()
-			ctx := cmd.Context()

-			lc := &net.ListenConfig{}
-			listener, err := lc.Listen(ctx, "tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
+			listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
 			errors.CheckError(err)

 			healthz.ServeHealthCheck(http.DefaultServeMux, func(r *http.Request) error {
--- a/cmd/argocd-dex/commands/argocd_dex.go
+++ b/cmd/argocd-dex/commands/argocd_dex.go
@@ -115,7 +115,7 @@ func NewRunDexCommand() *cobra.Command {
 					err = os.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0o644)
 					errors.CheckError(err)
 					log.Debug(redactor(string(dexCfgBytes)))
-					cmd = exec.CommandContext(ctx, "dex", "serve", "/tmp/dex.yaml")
+					cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
 					cmd.Stdout = os.Stdout
 					cmd.Stderr = os.Stderr
 					err = cmd.Start()
--- a/cmd/argocd-repo-server/commands/argocd_repo_server.go
+++ b/cmd/argocd-repo-server/commands/argocd_repo_server.go
@@ -171,8 +171,7 @@ func NewCommand() *cobra.Command {
 			}

 			grpc := server.CreateGRPC()
-			lc := &net.ListenConfig{}
-			listener, err := lc.Listen(ctx, "tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
+			listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
 			errors.CheckError(err)

 			healthz.ServeHealthCheck(http.DefaultServeMux, func(r *http.Request) error {
--- a/cmd/argocd/commands/admin/app_test.go
+++ b/cmd/argocd/commands/admin/app_test.go
@@ -105,26 +105,26 @@ func TestGetReconcileResults_Refresh(t *testing.T) {
 	appClientset := appfake.NewSimpleClientset(app, proj)
 	deployment := test.NewDeployment()
 	kubeClientset := kubefake.NewClientset(deployment, argoCM, argoCDSecret)
-	clusterCache := &clustermocks.ClusterCache{}
-	clusterCache.EXPECT().IsNamespaced(mock.Anything).Return(true, nil)
-	clusterCache.EXPECT().GetGVKParser().Return(nil)
-	repoServerClient := &mocks.RepoServerServiceClient{}
-	repoServerClient.EXPECT().GenerateManifest(mock.Anything, mock.Anything).Return(&argocdclient.ManifestResponse{
+	clusterCache := clustermocks.ClusterCache{}
+	clusterCache.On("IsNamespaced", mock.Anything).Return(true, nil)
+	clusterCache.On("GetGVKParser", mock.Anything).Return(nil)
+	repoServerClient := mocks.RepoServerServiceClient{}
+	repoServerClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(&argocdclient.ManifestResponse{
 		Manifests: []string{test.DeploymentManifest},
 	}, nil)
-	repoServerClientset := &mocks.Clientset{RepoServerServiceClient: repoServerClient}
-	liveStateCache := &cachemocks.LiveStateCache{}
-	liveStateCache.EXPECT().GetManagedLiveObjs(mock.Anything, mock.Anything, mock.Anything).Return(map[kube.ResourceKey]*unstructured.Unstructured{
+	repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
+	liveStateCache := cachemocks.LiveStateCache{}
+	liveStateCache.On("GetManagedLiveObjs", mock.Anything, mock.Anything, mock.Anything).Return(map[kube.ResourceKey]*unstructured.Unstructured{
 		kube.GetResourceKey(deployment): deployment,
 	}, nil)
-	liveStateCache.EXPECT().GetVersionsInfo(mock.Anything).Return("v1.2.3", nil, nil)
-	liveStateCache.EXPECT().Init().Return(nil)
-	liveStateCache.EXPECT().GetClusterCache(mock.Anything).Return(clusterCache, nil)
-	liveStateCache.EXPECT().IsNamespaced(mock.Anything, mock.Anything).Return(true, nil)
+	liveStateCache.On("GetVersionsInfo", mock.Anything).Return("v1.2.3", nil, nil)
+	liveStateCache.On("Init").Return(nil, nil)
+	liveStateCache.On("GetClusterCache", mock.Anything).Return(&clusterCache, nil)
+	liveStateCache.On("IsNamespaced", mock.Anything, mock.Anything).Return(true, nil)

-	result, err := reconcileApplications(ctx, kubeClientset, appClientset, "default", repoServerClientset, "",
+	result, err := reconcileApplications(ctx, kubeClientset, appClientset, "default", &repoServerClientset, "",
 		func(_ db.ArgoDB, _ cache.SharedIndexInformer, _ *settings.SettingsManager, _ *metrics.MetricsServer) statecache.LiveStateCache {
-			return liveStateCache
+			return &liveStateCache
 		},
 		false,
 		normalizers.IgnoreNormalizerOpts{},
--- a/cmd/argocd/commands/admin/backup_test.go
+++ b/cmd/argocd/commands/admin/backup_test.go
@@ -84,7 +84,7 @@ func newAppProject() *unstructured.Unstructured {
 					Server:    "*",
 				},
 			},
-			ClusterResourceWhitelist: []v1alpha1.ClusterResourceRestrictionItem{
+			ClusterResourceWhitelist: []metav1.GroupKind{
 				{
 					Group: "*",
 					Kind:  "*",
--- a/cmd/argocd/commands/admin/repo.go
+++ b/cmd/argocd/commands/admin/repo.go
@@ -77,15 +77,6 @@ func NewGenRepoSpecCommand() *cobra.Command {
  
  # Add a private HTTP OCI repository named 'stable'
  argocd admin repo generate-spec oci://helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type oci --name stable --username test --password test --insecure-oci-force-http
-
-  # Add a private Git repository on GitHub.com via GitHub App. github-app-installation-id is optional, if not provided, the installation id will be fetched from the GitHub API.
-  argocd admin repo generate-spec https://git.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem
-
-  # Add a private Git repository on GitHub Enterprise via GitHub App. github-app-installation-id is optional, if not provided, the installation id will be fetched from the GitHub API.
-  argocd admin repo generate-spec https://ghe.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3
-
-  # Add a private Git repository on Google Cloud Sources via GCP service account credentials
-  argocd admin repo generate-spec https://source.developers.google.com/p/my-google-cloud-project/r/my-repo --gcp-service-account-key-path service-account-key.json
 `

 	command := &cobra.Command{
--- a/cmd/argocd/commands/admin/settings_test.go
+++ b/cmd/argocd/commands/admin/settings_test.go
@@ -40,7 +40,9 @@ func captureStdout(callback func()) (string, error) {
 	return string(data), err
 }

-func newSettingsManager(ctx context.Context, data map[string]string) *settings.SettingsManager {
+func newSettingsManager(data map[string]string) *settings.SettingsManager {
+	ctx := context.Background()
+
 	clientset := fake.NewClientset(&corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "default",
@@ -67,8 +69,8 @@ type fakeCmdContext struct {
 	mgr *settings.SettingsManager
 }

-func newCmdContext(ctx context.Context, data map[string]string) *fakeCmdContext {
-	return &fakeCmdContext{mgr: newSettingsManager(ctx, data)}
+func newCmdContext(data map[string]string) *fakeCmdContext {
+	return &fakeCmdContext{mgr: newSettingsManager(data)}
 }

 func (ctx *fakeCmdContext) createSettingsManager(context.Context) (*settings.SettingsManager, error) {
@@ -180,7 +182,7 @@ admissionregistration.k8s.io/MutatingWebhookConfiguration:
 			if !assert.True(t, ok) {
 				return
 			}
-			summary, err := validator(newSettingsManager(t.Context(), tc.data))
+			summary, err := validator(newSettingsManager(tc.data))
 			if tc.containsSummary != "" {
 				require.NoError(t, err)
 				assert.Contains(t, summary, tc.containsSummary)
@@ -247,7 +249,7 @@ func tempFile(content string) (string, io.Closer, error) {
 }

 func TestValidateSettingsCommand_NoErrors(t *testing.T) {
-	cmd := NewValidateSettingsCommand(newCmdContext(t.Context(), map[string]string{}))
+	cmd := NewValidateSettingsCommand(newCmdContext(map[string]string{}))
 	out, err := captureStdout(func() {
 		err := cmd.Execute()
 		require.NoError(t, err)
@@ -265,7 +267,7 @@ func TestResourceOverrideIgnoreDifferences(t *testing.T) {
 	defer utilio.Close(closer)

 	t.Run("NoOverridesConfigured", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{}))
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{}))
 		out, err := captureStdout(func() {
 			cmd.SetArgs([]string{"ignore-differences", f})
 			err := cmd.Execute()
@@ -276,7 +278,7 @@ func TestResourceOverrideIgnoreDifferences(t *testing.T) {
 	})

 	t.Run("DataIgnored", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `apps/Deployment:
  ignoreDifferences: |
    jsonPointers:
@@ -298,7 +300,7 @@ func TestResourceOverrideHealth(t *testing.T) {
 	defer utilio.Close(closer)

 	t.Run("NoHealthAssessment", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `example.com/ExampleResource: {}`,
 		}))
 		out, err := captureStdout(func() {
@@ -311,7 +313,7 @@ func TestResourceOverrideHealth(t *testing.T) {
 	})

 	t.Run("HealthAssessmentConfigured", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `example.com/ExampleResource:
  health.lua: |
    return { status = "Progressing" }
@@ -327,7 +329,7 @@ func TestResourceOverrideHealth(t *testing.T) {
 	})

 	t.Run("HealthAssessmentConfiguredWildcard", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `example.com/*:
  health.lua: |
    return { status = "Progressing" }
@@ -353,7 +355,7 @@ func TestResourceOverrideAction(t *testing.T) {
 	defer utilio.Close(closer)

 	t.Run("NoActions", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `apps/Deployment: {}`,
 		}))
 		out, err := captureStdout(func() {
@@ -366,7 +368,7 @@ func TestResourceOverrideAction(t *testing.T) {
 	})

 	t.Run("OldStyleActionConfigured", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `apps/Deployment:
  actions: |
    discovery.lua: |
@@ -402,7 +404,7 @@ resume   false
 	})

 	t.Run("NewStyleActionConfigured", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `batch/CronJob:
  actions: |
    discovery.lua: |
--- a/cmd/argocd/commands/app.go
+++ b/cmd/argocd/commands/app.go
@@ -1794,7 +1794,6 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		repo         string
 		appNamespace string
 		cluster      string
-		path         string
 	)
 	command := &cobra.Command{
 		Use:   "list",
@@ -1830,9 +1829,6 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			if cluster != "" {
 				appList = argo.FilterByCluster(appList, cluster)
 			}
-			if path != "" {
-				appList = argo.FilterByPath(appList, path)
-			}

 			switch output {
 			case "yaml", "json":
@@ -1853,7 +1849,6 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().StringVarP(&repo, "repo", "r", "", "List apps by source repo URL")
 	command.Flags().StringVarP(&appNamespace, "app-namespace", "N", "", "Only list applications in namespace")
 	command.Flags().StringVarP(&cluster, "cluster", "c", "", "List apps by cluster name or url")
-	command.Flags().StringVarP(&path, "path", "P", "", "List apps by path")
 	return command
 }

--- a/cmd/argocd/commands/app_resources.go
+++ b/cmd/argocd/commands/app_resources.go
@@ -33,7 +33,6 @@ func NewApplicationGetResourceCommand(clientOpts *argocdclient.ClientOptions) *c
 	var (
 		resourceName      string
 		kind              string
-		group             string
 		project           string
 		filteredFields    []string
 		showManagedFields bool
@@ -58,7 +57,7 @@ func NewApplicationGetResourceCommand(clientOpts *argocdclient.ClientOptions) *c
  # Get a specific resource with managed fields, Pod my-app-pod, in 'my-app' by name in wide format
    argocd app get-resource my-app --kind Pod --resource-name my-app-pod --show-managed-fields

-  # Get the details of a specific field in a resource in 'my-app' in the wide format
+  # Get the the details of a specific field in a resource in 'my-app' in the wide format
    argocd app get-resource my-app --kind Pod --filter-fields status.podIP

  # Get the details of multiple specific fields in a specific resource in 'my-app' in the wide format
@@ -89,7 +88,7 @@ func NewApplicationGetResourceCommand(clientOpts *argocdclient.ClientOptions) *c
 		var resources []unstructured.Unstructured
 		var fetchedStr string
 		for _, r := range tree.Nodes {
-			if (resourceName != "" && r.Name != resourceName) || (group != "" && r.Group != group) || r.Kind != kind {
+			if (resourceName != "" && r.Name != resourceName) || r.Kind != kind {
 				continue
 			}
 			resource, err := appIf.GetResource(ctx, &applicationpkg.ApplicationResourceRequest{
@@ -132,7 +131,6 @@ func NewApplicationGetResourceCommand(clientOpts *argocdclient.ClientOptions) *c
 	command.Flags().StringVar(&kind, "kind", "", "Kind of resource [REQUIRED]")
 	err := command.MarkFlagRequired("kind")
 	errors.CheckError(err)
-	command.Flags().StringVar(&group, "group", "", "Group")
 	command.Flags().StringVar(&project, "project", "", "Project of resource")
 	command.Flags().StringSliceVar(&filteredFields, "filter-fields", nil, "A comma separated list of fields to display, if not provided will output the entire manifest")
 	command.Flags().BoolVar(&showManagedFields, "show-managed-fields", false, "Show managed fields in the output manifest")
--- a/cmd/argocd/commands/completion.go
+++ b/cmd/argocd/commands/completion.go
@@ -223,19 +223,6 @@ $ source _argocd
 $ argocd completion fish > ~/.config/fish/completions/argocd.fish
 $ source ~/.config/fish/completions/argocd.fish

-# For powershell
-$ mkdir -Force "$HOME\Documents\PowerShell" | Out-Null
-$ argocd completion powershell > $HOME\Documents\PowerShell\argocd_completion.ps1
-
-Add the following lines to your powershell profile
-
-$ # ArgoCD tab completion
-if (Test-Path "$HOME\Documents\PowerShell\argocd_completion.ps1") {
-    . "$HOME\Documents\PowerShell\argocd_completion.ps1"
-}
-
-Then reload your profile
-$ . $PROFILE
 `,
 		Run: func(cmd *cobra.Command, args []string) {
 			if len(args) != 1 {
@@ -246,10 +233,9 @@ $ . $PROFILE
 			rootCommand := NewCommand()
 			rootCommand.BashCompletionFunction = bashCompletionFunc
 			availableCompletions := map[string]func(out io.Writer, cmd *cobra.Command) error{
-				"bash":       runCompletionBash,
-				"zsh":        runCompletionZsh,
-				"fish":       runCompletionFish,
-				"powershell": runCompletionPowershell,
+				"bash": runCompletionBash,
+				"zsh":  runCompletionZsh,
+				"fish": runCompletionFish,
 			}
 			completion, ok := availableCompletions[shell]
 			if !ok {
@@ -276,7 +262,3 @@ func runCompletionZsh(out io.Writer, cmd *cobra.Command) error {
 func runCompletionFish(out io.Writer, cmd *cobra.Command) error {
 	return cmd.GenFishCompletion(out, true)
 }
-
-func runCompletionPowershell(out io.Writer, cmd *cobra.Command) error {
-	return cmd.GenPowerShellCompletionWithDesc(out)
-}
--- a/cmd/argocd/commands/context.go
+++ b/cmd/argocd/commands/context.go
@@ -34,10 +34,6 @@ argocd context cd.argoproj.io --delete`,
 		Run: func(c *cobra.Command, args []string) {
 			localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
 			errors.CheckError(err)
-			if localCfg == nil {
-				fmt.Println("No local configuration found")
-				os.Exit(1)
-			}

 			if deletion {
 				if len(args) == 0 {
--- a/cmd/argocd/commands/gpg_test.go
+++ b/cmd/argocd/commands/gpg_test.go
@@ -1,103 +0,0 @@
-package commands
-
-import (
-	"regexp"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	appsv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
-)
-
-// splitColumns splits a line produced by tabwriter using runs of 2 or more spaces
-// as delimiters to obtain logical columns regardless of alignment padding.
-func splitColumns(line string) []string {
-	re := regexp.MustCompile(`\s{2,}`)
-	return re.Split(strings.TrimSpace(line), -1)
-}
-
-func Test_printKeyTable_Empty(t *testing.T) {
-	out, err := captureOutput(func() error {
-		printKeyTable([]appsv1.GnuPGPublicKey{})
-		return nil
-	})
-	require.NoError(t, err)
-
-	lines := strings.Split(strings.TrimRight(out, "\n"), "\n")
-	require.Len(t, lines, 1)
-
-	headerCols := splitColumns(lines[0])
-	assert.Equal(t, []string{"KEYID", "TYPE", "IDENTITY"}, headerCols)
-}
-
-func Test_printKeyTable_Single(t *testing.T) {
-	keys := []appsv1.GnuPGPublicKey{
-		{
-			KeyID:   "ABCDEF1234567890",
-			SubType: "rsa4096",
-			Owner:   "Alice <alice@example.com>",
-		},
-	}
-
-	out, err := captureOutput(func() error {
-		printKeyTable(keys)
-		return nil
-	})
-	require.NoError(t, err)
-
-	lines := strings.Split(strings.TrimRight(out, "\n"), "\n")
-	require.Len(t, lines, 2)
-
-	// Header
-	assert.Equal(t, []string{"KEYID", "TYPE", "IDENTITY"}, splitColumns(lines[0]))
-
-	// Row
-	row := splitColumns(lines[1])
-	require.Len(t, row, 3)
-	assert.Equal(t, "ABCDEF1234567890", row[0])
-	assert.Equal(t, "RSA4096", row[1]) // subtype upper-cased
-	assert.Equal(t, "Alice <alice@example.com>", row[2])
-}
-
-func Test_printKeyTable_Multiple(t *testing.T) {
-	keys := []appsv1.GnuPGPublicKey{
-		{
-			KeyID:   "ABCD",
-			SubType: "ed25519",
-			Owner:   "User One <one@example.com>",
-		},
-		{
-			KeyID:   "0123456789ABCDEF",
-			SubType: "rsa2048",
-			Owner:   "Second User <second@example.com>",
-		},
-	}
-
-	out, err := captureOutput(func() error {
-		printKeyTable(keys)
-		return nil
-	})
-	require.NoError(t, err)
-
-	lines := strings.Split(strings.TrimRight(out, "\n"), "\n")
-	require.Len(t, lines, 3)
-
-	// Header
-	assert.Equal(t, []string{"KEYID", "TYPE", "IDENTITY"}, splitColumns(lines[0]))
-
-	// First row
-	row1 := splitColumns(lines[1])
-	require.Len(t, row1, 3)
-	assert.Equal(t, "ABCD", row1[0])
-	assert.Equal(t, "ED25519", row1[1])
-	assert.Equal(t, "User One <one@example.com>", row1[2])
-
-	// Second row
-	row2 := splitColumns(lines[2])
-	require.Len(t, row2, 3)
-	assert.Equal(t, "0123456789ABCDEF", row2[0])
-	assert.Equal(t, "RSA2048", row2[1])
-	assert.Equal(t, "Second User <second@example.com>", row2[2])
-}
--- a/cmd/argocd/commands/headless/headless.go
+++ b/cmd/argocd/commands/headless/headless.go
@@ -213,8 +213,7 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti
 	}
 	if port == nil || *port == 0 {
 		addr := *address + ":0"
-		lc := &net.ListenConfig{}
-		ln, err := lc.Listen(ctx, "tcp", addr)
+		ln, err := net.Listen("tcp", addr)
 		if err != nil {
 			return nil, fmt.Errorf("failed to listen on %q: %w", addr, err)
 		}
--- a/cmd/argocd/commands/plugin.go
+++ b/cmd/argocd/commands/plugin.go
@@ -3,11 +3,9 @@ package commands
 import (
 	"errors"
 	"fmt"
-	"maps"
 	"os"
 	"os/exec"
 	"path/filepath"
-	"slices"
 	"strings"

 	"github.com/argoproj/argo-cd/v3/util/cli"
@@ -15,17 +13,18 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-const prefix = "argocd"
-
+// DefaultPluginHandler implements the PluginHandler interface
 type DefaultPluginHandler struct {
-	lookPath func(file string) (string, error)
-	run      func(cmd *exec.Cmd) error
+	ValidPrefixes []string
+	lookPath      func(file string) (string, error)
+	run           func(cmd *exec.Cmd) error
 }

-// NewDefaultPluginHandler instantiates a DefaultPluginHandler
-func NewDefaultPluginHandler() *DefaultPluginHandler {
+// NewDefaultPluginHandler instantiates the DefaultPluginHandler
+func NewDefaultPluginHandler(validPrefixes []string) *DefaultPluginHandler {
 	return &DefaultPluginHandler{
-		lookPath: exec.LookPath,
+		ValidPrefixes: validPrefixes,
+		lookPath:      exec.LookPath,
 		run: func(cmd *exec.Cmd) error {
 			return cmd.Run()
 		},
@@ -33,8 +32,8 @@ func NewDefaultPluginHandler() *DefaultPluginHandler {
 }

 // HandleCommandExecutionError processes the error returned from executing the command.
-// It handles both standard Argo CD commands and plugin commands. We don't require returning
-// an error, but we are doing it to cover various test scenarios.
+// It handles both standard Argo CD commands and plugin commands. We don't require to return
+// error but we are doing it to cover various test scenarios.
 func (h *DefaultPluginHandler) HandleCommandExecutionError(err error, isArgocdCLI bool, args []string) error {
 	// the log level needs to be setup manually here since the initConfig()
 	// set by the cobra.OnInitialize() was never executed because cmd.Execute()
@@ -86,24 +85,27 @@ func (h *DefaultPluginHandler) handlePluginCommand(cmdArgs []string) (string, er

 // lookForPlugin looks for a plugin in the PATH that starts with argocd prefix
 func (h *DefaultPluginHandler) lookForPlugin(filename string) (string, bool) {
-	pluginName := fmt.Sprintf("%s-%s", prefix, filename)
-	path, err := h.lookPath(pluginName)
-	if err != nil {
-		//  error if a plugin is found in a relative path
-		if errors.Is(err, exec.ErrDot) {
-			log.Errorf("Plugin '%s' found in relative path: %v", pluginName, err)
-		} else {
-			log.Warnf("error looking for plugin '%s': %v", pluginName, err)
+	for _, prefix := range h.ValidPrefixes {
+		pluginName := fmt.Sprintf("%s-%s", prefix, filename)
+		path, err := h.lookPath(pluginName)
+		if err != nil {
+			//  error if a plugin is found in a relative path
+			if errors.Is(err, exec.ErrDot) {
+				log.Errorf("Plugin '%s' found in relative path: %v", pluginName, err)
+			} else {
+				log.Warnf("error looking for plugin '%s': %v", pluginName, err)
+			}
+			continue
 		}

-		return "", false
+		if path == "" {
+			return "", false
+		}
+
+		return path, true
 	}

-	if path == "" {
-		return "", false
-	}
-
-	return path, true
+	return "", false
 }

 // executePlugin implements PluginHandler and executes a plugin found
@@ -139,56 +141,3 @@ func (h *DefaultPluginHandler) command(name string, arg ...string) *exec.Cmd {
 	}
 	return cmd
 }
-
-// ListAvailablePlugins returns a list of plugin names that are available in the user's PATH
-// for tab completion. It searches for executables matching the ValidPrefixes pattern.
-func (h *DefaultPluginHandler) ListAvailablePlugins() []string {
-	// Track seen plugin names to avoid duplicates
-	seenPlugins := make(map[string]bool)
-
-	// Search through each directory in PATH
-	for _, dir := range filepath.SplitList(os.Getenv("PATH")) {
-		// Skip empty directories
-		if dir == "" {
-			continue
-		}
-
-		// Read directory contents
-		entries, err := os.ReadDir(dir)
-		if err != nil {
-			continue
-		}
-
-		// Check each file in the directory
-		for _, entry := range entries {
-			// Skip directories and non-executable files
-			if entry.IsDir() {
-				continue
-			}
-
-			name := entry.Name()
-
-			// Check if the file is a valid argocd plugin
-			pluginPrefix := prefix + "-"
-			if strings.HasPrefix(name, pluginPrefix) {
-				// Extract the plugin command name (everything after the prefix)
-				pluginName := strings.TrimPrefix(name, pluginPrefix)
-
-				// Skip empty plugin names or names with path separators
-				if pluginName == "" || strings.Contains(pluginName, "/") || strings.Contains(pluginName, "\\") {
-					continue
-				}
-
-				// Check if the file is executable
-				if info, err := entry.Info(); err == nil {
-					// On Unix-like systems, check executable bit
-					if info.Mode()&0o111 != 0 {
-						seenPlugins[pluginName] = true
-					}
-				}
-			}
-		}
-	}
-
-	return slices.Sorted(maps.Keys(seenPlugins))
-}
--- a/cmd/argocd/commands/plugin_test.go
+++ b/cmd/argocd/commands/plugin_test.go
@@ -28,7 +28,7 @@ func setupPluginPath(t *testing.T) {
 func TestNormalCommandWithPlugin(t *testing.T) {
 	setupPluginPath(t)

-	_ = NewDefaultPluginHandler()
+	_ = NewDefaultPluginHandler([]string{"argocd"})
 	args := []string{"argocd", "version", "--short", "--client"}
 	buf := new(bytes.Buffer)
 	cmd := NewVersionCmd(&argocdclient.ClientOptions{}, nil)
@@ -47,7 +47,7 @@ func TestNormalCommandWithPlugin(t *testing.T) {
 func TestPluginExecution(t *testing.T) {
 	setupPluginPath(t)

-	pluginHandler := NewDefaultPluginHandler()
+	pluginHandler := NewDefaultPluginHandler([]string{"argocd"})
 	cmd := NewCommand()
 	cmd.SilenceErrors = true
 	cmd.SilenceUsage = true
@@ -101,7 +101,7 @@ func TestPluginExecution(t *testing.T) {
 func TestNormalCommandError(t *testing.T) {
 	setupPluginPath(t)

-	pluginHandler := NewDefaultPluginHandler()
+	pluginHandler := NewDefaultPluginHandler([]string{"argocd"})
 	args := []string{"argocd", "version", "--non-existent-flag"}
 	cmd := NewVersionCmd(&argocdclient.ClientOptions{}, nil)
 	cmd.SetArgs(args[1:])
@@ -118,7 +118,7 @@ func TestNormalCommandError(t *testing.T) {
 // TestUnknownCommandNoPlugin tests the scenario when the command is neither a normal ArgoCD command
 // nor exists as a plugin
 func TestUnknownCommandNoPlugin(t *testing.T) {
-	pluginHandler := NewDefaultPluginHandler()
+	pluginHandler := NewDefaultPluginHandler([]string{"argocd"})
 	cmd := NewCommand()
 	cmd.SilenceErrors = true
 	cmd.SilenceUsage = true
@@ -137,7 +137,7 @@ func TestUnknownCommandNoPlugin(t *testing.T) {
 func TestPluginNoExecutePermission(t *testing.T) {
 	setupPluginPath(t)

-	pluginHandler := NewDefaultPluginHandler()
+	pluginHandler := NewDefaultPluginHandler([]string{"argocd"})
 	cmd := NewCommand()
 	cmd.SilenceErrors = true
 	cmd.SilenceUsage = true
@@ -156,7 +156,7 @@ func TestPluginNoExecutePermission(t *testing.T) {
 func TestPluginExecutionError(t *testing.T) {
 	setupPluginPath(t)

-	pluginHandler := NewDefaultPluginHandler()
+	pluginHandler := NewDefaultPluginHandler([]string{"argocd"})
 	cmd := NewCommand()
 	cmd.SilenceErrors = true
 	cmd.SilenceUsage = true
@@ -187,7 +187,7 @@ func TestPluginInRelativePathIgnored(t *testing.T) {

 	t.Setenv("PATH", os.Getenv("PATH")+string(os.PathListSeparator)+relativePath)

-	pluginHandler := NewDefaultPluginHandler()
+	pluginHandler := NewDefaultPluginHandler([]string{"argocd"})
 	cmd := NewCommand()
 	cmd.SilenceErrors = true
 	cmd.SilenceUsage = true
@@ -206,7 +206,7 @@ func TestPluginInRelativePathIgnored(t *testing.T) {
 func TestPluginFlagParsing(t *testing.T) {
 	setupPluginPath(t)

-	pluginHandler := NewDefaultPluginHandler()
+	pluginHandler := NewDefaultPluginHandler([]string{"argocd"})

 	tests := []struct {
 		name           string
@@ -255,7 +255,7 @@ func TestPluginFlagParsing(t *testing.T) {
 func TestPluginStatusCode(t *testing.T) {
 	setupPluginPath(t)

-	pluginHandler := NewDefaultPluginHandler()
+	pluginHandler := NewDefaultPluginHandler([]string{"argocd"})

 	tests := []struct {
 		name       string
@@ -309,76 +309,3 @@ func TestPluginStatusCode(t *testing.T) {
 		})
 	}
 }
-
-// TestListAvailablePlugins tests the plugin discovery functionality for tab completion
-func TestListAvailablePlugins(t *testing.T) {
-	setupPluginPath(t)
-
-	tests := []struct {
-		name        string
-		validPrefix []string
-		expected    []string
-	}{
-		{
-			name:     "Standard argocd prefix finds plugins",
-			expected: []string{"demo_plugin", "error", "foo", "status-code-plugin", "test-plugin", "version"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			pluginHandler := NewDefaultPluginHandler()
-			plugins := pluginHandler.ListAvailablePlugins()
-
-			assert.Equal(t, tt.expected, plugins)
-		})
-	}
-}
-
-// TestListAvailablePluginsEmptyPath tests plugin discovery when PATH is empty
-func TestListAvailablePluginsEmptyPath(t *testing.T) {
-	// Set empty PATH
-	t.Setenv("PATH", "")
-
-	pluginHandler := NewDefaultPluginHandler()
-	plugins := pluginHandler.ListAvailablePlugins()
-
-	assert.Empty(t, plugins, "Should return empty list when PATH is empty")
-}
-
-// TestListAvailablePluginsNonExecutableFiles tests that non-executable files are ignored
-func TestListAvailablePluginsNonExecutableFiles(t *testing.T) {
-	setupPluginPath(t)
-
-	pluginHandler := NewDefaultPluginHandler()
-	plugins := pluginHandler.ListAvailablePlugins()
-
-	// Should not include 'no-permission' since it's not executable
-	assert.NotContains(t, plugins, "no-permission")
-}
-
-// TestListAvailablePluginsDeduplication tests that duplicate plugins from different PATH dirs are handled
-func TestListAvailablePluginsDeduplication(t *testing.T) {
-	// Create two temporary directories with the same plugin
-	dir1 := t.TempDir()
-	dir2 := t.TempDir()
-
-	// Create the same plugin in both directories
-	plugin1 := filepath.Join(dir1, "argocd-duplicate")
-	plugin2 := filepath.Join(dir2, "argocd-duplicate")
-
-	err := os.WriteFile(plugin1, []byte("#!/bin/bash\necho 'plugin1'\n"), 0o755)
-	require.NoError(t, err)
-
-	err = os.WriteFile(plugin2, []byte("#!/bin/bash\necho 'plugin2'\n"), 0o755)
-	require.NoError(t, err)
-
-	// Set PATH to include both directories
-	testPath := dir1 + string(os.PathListSeparator) + dir2
-	t.Setenv("PATH", testPath)
-
-	pluginHandler := NewDefaultPluginHandler()
-	plugins := pluginHandler.ListAvailablePlugins()
-
-	assert.Equal(t, []string{"duplicate"}, plugins)
-}
--- a/cmd/argocd/commands/project.go
+++ b/cmd/argocd/commands/project.go
@@ -41,9 +41,8 @@ type policyOpts struct {
 // NewProjectCommand returns a new instance of an `argocd proj` command
 func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command := &cobra.Command{
-		Use:     "proj",
-		Short:   "Manage projects",
-		Aliases: []string{"project"},
+		Use:   "proj",
+		Short: "Manage projects",
 		Example: templates.Examples(`
 			# List all available projects
 			argocd proj list
@@ -591,15 +590,17 @@ func NewProjectRemoveSourceNamespace(clientOpts *argocdclient.ClientOptions) *co
 	return command
 }

-func modifyNamespacedResourcesList(list *[]metav1.GroupKind, add bool, listAction string, group string, kind string) (bool, string) {
+func modifyResourcesList(list *[]metav1.GroupKind, add bool, listDesc string, group string, kind string) bool {
 	if add {
 		for _, item := range *list {
 			if item.Group == group && item.Kind == kind {
-				return false, fmt.Sprintf("Group '%s' and kind '%s' already present in %s namespaced resources", group, kind, listAction)
+				fmt.Printf("Group '%s' and kind '%s' already present in %s resources\n", group, kind, listDesc)
+				return false
 			}
 		}
+		fmt.Printf("Group '%s' and kind '%s' is added to %s resources\n", group, kind, listDesc)
 		*list = append(*list, metav1.GroupKind{Group: group, Kind: kind})
-		return true, fmt.Sprintf("Group '%s' and kind '%s' is added to %s namespaced resources", group, kind, listAction)
+		return true
 	}
 	index := -1
 	for i, item := range *list {
@@ -609,37 +610,15 @@ func modifyNamespacedResourcesList(list *[]metav1.GroupKind, add bool, listActio
 		}
 	}
 	if index == -1 {
-		return false, fmt.Sprintf("Group '%s' and kind '%s' not in %s namespaced resources", group, kind, listAction)
+		fmt.Printf("Group '%s' and kind '%s' not in %s resources\n", group, kind, listDesc)
+		return false
 	}
 	*list = append((*list)[:index], (*list)[index+1:]...)
-	return true, fmt.Sprintf("Group '%s' and kind '%s' is removed from %s namespaced resources", group, kind, listAction)
+	fmt.Printf("Group '%s' and kind '%s' is removed from %s resources\n", group, kind, listDesc)
+	return true
 }

-func modifyClusterResourcesList(list *[]v1alpha1.ClusterResourceRestrictionItem, add bool, listAction string, group string, kind string, name string) (bool, string) {
-	if add {
-		for _, item := range *list {
-			if item.Group == group && item.Kind == kind && item.Name == name {
-				return false, fmt.Sprintf("Group '%s', kind '%s', and name '%s' is already present in %s cluster resources", group, kind, name, listAction)
-			}
-		}
-		*list = append(*list, v1alpha1.ClusterResourceRestrictionItem{Group: group, Kind: kind, Name: name})
-		return true, fmt.Sprintf("Group '%s', kind '%s', and name '%s' is added to %s cluster resources", group, kind, name, listAction)
-	}
-	index := -1
-	for i, item := range *list {
-		if item.Group == group && item.Kind == kind && item.Name == name {
-			index = i
-			break
-		}
-	}
-	if index == -1 {
-		return false, fmt.Sprintf("Group '%s', kind '%s', and name '%s' not in %s cluster resources", group, kind, name, listAction)
-	}
-	*list = append((*list)[:index], (*list)[index+1:]...)
-	return true, fmt.Sprintf("Group '%s', kind '%s', and name '%s' is removed from %s cluster resources", group, kind, name, listAction)
-}
-
-func modifyResourceListCmd(getProjIf func(*cobra.Command) (io.Closer, projectpkg.ProjectServiceClient), cmdUse, cmdDesc, examples string, allow bool, namespacedList bool) *cobra.Command {
+func modifyResourceListCmd(cmdUse, cmdDesc, examples string, clientOpts *argocdclient.ClientOptions, allow bool, namespacedList bool) *cobra.Command {
 	var (
 		listType    string
 		defaultList string
@@ -656,61 +635,38 @@ func modifyResourceListCmd(getProjIf func(*cobra.Command) (io.Closer, projectpkg
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()

-			if namespacedList && len(args) != 3 {
+			if len(args) != 3 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
-
-			if !namespacedList && (len(args) < 3 || len(args) > 4) {
-				// Cluster-scoped resource command can have an optional NAME argument.
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-
 			projName, group, kind := args[0], args[1], args[2]
-			var name string
-			if !namespacedList && len(args) > 3 {
-				name = args[3]
-			}
-			conn, projIf := getProjIf(c)
+			conn, projIf := headless.NewClientOrDie(clientOpts, c).NewProjectClientOrDie()
 			defer utilio.Close(conn)

 			proj, err := projIf.Get(ctx, &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 			var list, allowList, denyList *[]metav1.GroupKind
-			var clusterList *[]v1alpha1.ClusterResourceRestrictionItem
-			var clusterAllowList, clusterDenyList *[]v1alpha1.ClusterResourceRestrictionItem
-			var listAction string
+			var listAction, listDesc string
 			var add bool
 			if namespacedList {
 				allowList, denyList = &proj.Spec.NamespaceResourceWhitelist, &proj.Spec.NamespaceResourceBlacklist
+				listDesc = "namespaced"
 			} else {
-				clusterAllowList, clusterDenyList = &proj.Spec.ClusterResourceWhitelist, &proj.Spec.ClusterResourceBlacklist
+				allowList, denyList = &proj.Spec.ClusterResourceWhitelist, &proj.Spec.ClusterResourceBlacklist
+				listDesc = "cluster"
 			}

 			if (listType == "allow") || (listType == "white") {
 				list = allowList
-				clusterList = clusterAllowList
 				listAction = "allowed"
 				add = allow
 			} else {
 				list = denyList
-				clusterList = clusterDenyList
 				listAction = "denied"
 				add = !allow
 			}

-			if !namespacedList {
-				if ok, msg := modifyClusterResourcesList(clusterList, add, listAction, group, kind, name); ok {
-					c.Println(msg)
-					_, err = projIf.Update(ctx, &projectpkg.ProjectUpdateRequest{Project: proj})
-					errors.CheckError(err)
-				}
-				return
-			}
-
-			if ok, msg := modifyNamespacedResourcesList(list, add, listAction, group, kind); ok {
-				c.Println(msg)
+			if modifyResourcesList(list, add, listAction+" "+listDesc, group, kind) {
 				_, err = projIf.Update(ctx, &projectpkg.ProjectUpdateRequest{Project: proj})
 				errors.CheckError(err)
 			}
@@ -728,10 +684,7 @@ func NewProjectAllowNamespaceResourceCommand(clientOpts *argocdclient.ClientOpti
 	# Removes a namespaced API resource with specified GROUP and KIND from the deny list or add a namespaced API resource to the allow list for project PROJECT
 	argocd proj allow-namespace-resource PROJECT GROUP KIND
 	`
-	getProjIf := func(cmd *cobra.Command) (io.Closer, projectpkg.ProjectServiceClient) {
-		return headless.NewClientOrDie(clientOpts, cmd).NewProjectClientOrDie()
-	}
-	return modifyResourceListCmd(getProjIf, use, desc, examples, true, true)
+	return modifyResourceListCmd(use, desc, examples, clientOpts, true, true)
 }

 // NewProjectDenyNamespaceResourceCommand returns a new instance of an `argocd proj deny-namespace-resource` command
@@ -742,10 +695,7 @@ func NewProjectDenyNamespaceResourceCommand(clientOpts *argocdclient.ClientOptio
 	# Adds a namespaced API resource with specified GROUP and KIND from the deny list or removes a namespaced API resource from the allow list for project PROJECT
 	argocd proj deny-namespace-resource PROJECT GROUP KIND
 	`
-	getProjIf := func(cmd *cobra.Command) (io.Closer, projectpkg.ProjectServiceClient) {
-		return headless.NewClientOrDie(clientOpts, cmd).NewProjectClientOrDie()
-	}
-	return modifyResourceListCmd(getProjIf, use, desc, examples, false, true)
+	return modifyResourceListCmd(use, desc, examples, clientOpts, false, true)
 }

 // NewProjectDenyClusterResourceCommand returns a new instance of an `deny-cluster-resource` command
@@ -756,27 +706,18 @@ func NewProjectDenyClusterResourceCommand(clientOpts *argocdclient.ClientOptions
 	# Removes a cluster-scoped API resource with specified GROUP and KIND from the allow list and adds it to deny list for project PROJECT
 	argocd proj deny-cluster-resource PROJECT GROUP KIND
 	`
-	getProjIf := func(cmd *cobra.Command) (io.Closer, projectpkg.ProjectServiceClient) {
-		return headless.NewClientOrDie(clientOpts, cmd).NewProjectClientOrDie()
-	}
-	return modifyResourceListCmd(getProjIf, use, desc, examples, false, false)
+	return modifyResourceListCmd(use, desc, examples, clientOpts, false, false)
 }

 // NewProjectAllowClusterResourceCommand returns a new instance of an `argocd proj allow-cluster-resource` command
 func NewProjectAllowClusterResourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	use := "allow-cluster-resource PROJECT GROUP KIND [NAME]"
+	use := "allow-cluster-resource PROJECT GROUP KIND"
 	desc := "Adds a cluster-scoped API resource to the allow list and removes it from deny list"
 	examples := `
 	# Adds a cluster-scoped API resource with specified GROUP and KIND to the allow list and removes it from deny list for project PROJECT
 	argocd proj allow-cluster-resource PROJECT GROUP KIND
-
-	# Adds a cluster-scoped API resource with specified GROUP, KIND and NAME pattern to the allow list and removes it from deny list for project PROJECT
-	argocd proj allow-cluster-resource PROJECT GROUP KIND NAME
 	`
-	getProjIf := func(cmd *cobra.Command) (io.Closer, projectpkg.ProjectServiceClient) {
-		return headless.NewClientOrDie(clientOpts, cmd).NewProjectClientOrDie()
-	}
-	return modifyResourceListCmd(getProjIf, use, desc, examples, true, false)
+	return modifyResourceListCmd(use, desc, examples, clientOpts, true, false)
 }

 // NewProjectRemoveSourceCommand returns a new instance of an `argocd proj remove-src` command
@@ -885,7 +826,7 @@ func NewProjectListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 			# List all available projects
 			argocd proj list

-			# List all available projects in yaml format (other options are "json" and "name")
+			# List all available projects in yaml format
 			argocd proj list -o yaml
 		`),
 		Run: func(c *cobra.Command, _ []string) {
--- a/cmd/argocd/commands/project_test.go
+++ b/cmd/argocd/commands/project_test.go
@@ -1,256 +0,0 @@
-package commands
-
-import (
-	"bytes"
-	"io"
-	"testing"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-
-	projectpkg "github.com/argoproj/argo-cd/v3/pkg/apiclient/project"
-	projectmocks "github.com/argoproj/argo-cd/v3/pkg/apiclient/project/mocks"
-	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
-)
-
-func TestModifyResourceListCmd_AddClusterAllowItemWithName(t *testing.T) {
-	// Create a mock project client
-	mockProjClient := projectmocks.NewProjectServiceClient(t)
-
-	// Mock project data
-	projectName := "test-project"
-	mockProject := &v1alpha1.AppProject{
-		Spec: v1alpha1.AppProjectSpec{
-			ClusterResourceWhitelist: []v1alpha1.ClusterResourceRestrictionItem{},
-		},
-	}
-
-	// Mock Get and Update calls
-	mockProjClient.On("Get", mock.Anything, mock.Anything).Return(mockProject, nil)
-	mockProjClient.On("Update", mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
-		req := args.Get(1).(*projectpkg.ProjectUpdateRequest)
-		mockProject.Spec.ClusterResourceWhitelist = req.Project.Spec.ClusterResourceWhitelist
-	}).Return(mockProject, nil)
-
-	getProjIf := func(_ *cobra.Command) (io.Closer, projectpkg.ProjectServiceClient) {
-		return io.NopCloser(bytes.NewBufferString("")), mockProjClient
-	}
-	// Create the command
-	cmd := modifyResourceListCmd(
-		getProjIf,
-		"allow-cluster-resource",
-		"Test command",
-		"Example usage",
-		true,
-		false,
-	)
-
-	// Set up the command arguments
-	args := []string{projectName, "apps", "Deployment", "example-deployment"}
-	cmd.SetArgs(args)
-
-	// Capture the output
-	var output bytes.Buffer
-	cmd.SetOut(&output)
-
-	// Execute the command
-	err := cmd.ExecuteContext(t.Context())
-	require.NoError(t, err)
-
-	// Verify the project was updated correctly
-	expected := []v1alpha1.ClusterResourceRestrictionItem{
-		{Group: "apps", Kind: "Deployment", Name: "example-deployment"},
-	}
-	assert.Equal(t, expected, mockProject.Spec.ClusterResourceWhitelist)
-
-	// Verify the output
-	assert.Contains(t, output.String(), "Group 'apps', kind 'Deployment', and name 'example-deployment' is added to allowed cluster resources")
-}
-
-func Test_modifyNamespacedResourceList(t *testing.T) {
-	tests := []struct {
-		name           string
-		initialList    []metav1.GroupKind
-		add            bool
-		group          string
-		kind           string
-		expectedList   []metav1.GroupKind
-		expectedResult bool
-	}{
-		{
-			name:        "Add new item to empty list",
-			initialList: []metav1.GroupKind{},
-			add:         true,
-			group:       "apps",
-			kind:        "Deployment",
-			expectedList: []metav1.GroupKind{
-				{Group: "apps", Kind: "Deployment"},
-			},
-			expectedResult: true,
-		},
-		{
-			name: "Add duplicate item",
-			initialList: []metav1.GroupKind{
-				{Group: "apps", Kind: "Deployment"},
-			},
-			add:   true,
-			group: "apps",
-			kind:  "Deployment",
-			expectedList: []metav1.GroupKind{
-				{Group: "apps", Kind: "Deployment"},
-			},
-			expectedResult: false,
-		},
-		{
-			name: "Remove existing item",
-			initialList: []metav1.GroupKind{
-				{Group: "apps", Kind: "Deployment"},
-			},
-			add:            false,
-			group:          "apps",
-			kind:           "Deployment",
-			expectedList:   []metav1.GroupKind{},
-			expectedResult: true,
-		},
-		{
-			name: "Remove non-existent item",
-			initialList: []metav1.GroupKind{
-				{Group: "apps", Kind: "Deployment"},
-			},
-			add:   false,
-			group: "apps",
-			kind:  "StatefulSet",
-			expectedList: []metav1.GroupKind{
-				{Group: "apps", Kind: "Deployment"},
-			},
-			expectedResult: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			list := tt.initialList
-			result, _ := modifyNamespacedResourcesList(&list, tt.add, "", tt.group, tt.kind)
-			assert.Equal(t, tt.expectedResult, result)
-			assert.Equal(t, tt.expectedList, list)
-		})
-	}
-}
-
-func Test_modifyAllowClusterResourceList(t *testing.T) {
-	tests := []struct {
-		name           string
-		initialList    []v1alpha1.ClusterResourceRestrictionItem
-		add            bool
-		group          string
-		kind           string
-		resourceName   string
-		expectedList   []v1alpha1.ClusterResourceRestrictionItem
-		expectedResult bool
-	}{
-		{
-			name:         "Add new item to empty list",
-			initialList:  []v1alpha1.ClusterResourceRestrictionItem{},
-			add:          true,
-			group:        "apps",
-			kind:         "Deployment",
-			resourceName: "",
-			expectedList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: ""},
-			},
-			expectedResult: true,
-		},
-		{
-			name: "Add duplicate item",
-			initialList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: ""},
-			},
-			add:          true,
-			group:        "apps",
-			kind:         "Deployment",
-			resourceName: "",
-			expectedList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: ""},
-			},
-			expectedResult: false,
-		},
-		{
-			name: "Remove existing item",
-			initialList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: ""},
-			},
-			add:            false,
-			group:          "apps",
-			kind:           "Deployment",
-			resourceName:   "",
-			expectedList:   []v1alpha1.ClusterResourceRestrictionItem{},
-			expectedResult: true,
-		},
-		{
-			name: "Remove non-existent item",
-			initialList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: ""},
-			},
-			add:          false,
-			group:        "apps",
-			kind:         "StatefulSet",
-			resourceName: "",
-			expectedList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: ""},
-			},
-			expectedResult: false,
-		},
-		{
-			name:         "Add item with name",
-			initialList:  []v1alpha1.ClusterResourceRestrictionItem{},
-			add:          true,
-			group:        "apps",
-			kind:         "Deployment",
-			resourceName: "example-deployment",
-			expectedList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: "example-deployment"},
-			},
-			expectedResult: true,
-		},
-		{
-			name: "Remove item with name",
-			initialList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: "example-deployment"},
-			},
-			add:            false,
-			group:          "apps",
-			kind:           "Deployment",
-			resourceName:   "example-deployment",
-			expectedList:   []v1alpha1.ClusterResourceRestrictionItem{},
-			expectedResult: true,
-		},
-		{
-			name: "Attempt to remove item with name but only group and kind exist",
-			initialList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: ""},
-			},
-			add:          false,
-			group:        "apps",
-			kind:         "Deployment",
-			resourceName: "example-deployment",
-			expectedList: []v1alpha1.ClusterResourceRestrictionItem{
-				{Group: "apps", Kind: "Deployment", Name: ""},
-			},
-			expectedResult: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			list := tt.initialList
-
-			result, _ := modifyClusterResourcesList(&list, tt.add, "", tt.group, tt.kind, tt.resourceName)
-			assert.Equal(t, tt.expectedResult, result)
-			assert.Equal(t, tt.expectedList, list)
-		})
-	}
-}
--- a/cmd/argocd/commands/repo.go
+++ b/cmd/argocd/commands/repo.go
@@ -94,10 +94,10 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
  # Add a private HTTP OCI repository named 'stable'
  argocd repo add oci://helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type oci --name stable --username test --password test --insecure-oci-force-http

-  # Add a private Git repository on GitHub.com via GitHub App. github-app-installation-id is optional, if not provided, the installation id will be fetched from the GitHub API.
+  # Add a private Git repository on GitHub.com via GitHub App
  argocd repo add https://git.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem

-  # Add a private Git repository on GitHub Enterprise via GitHub App. github-app-installation-id is optional, if not provided, the installation id will be fetched from the GitHub API.
+  # Add a private Git repository on GitHub Enterprise via GitHub App
  argocd repo add https://ghe.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3

  # Add a private Git repository on Google Cloud Sources via GCP service account credentials
@@ -191,7 +191,6 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			repoOpts.Repo.NoProxy = repoOpts.NoProxy
 			repoOpts.Repo.ForceHttpBasicAuth = repoOpts.ForceHttpBasicAuth
 			repoOpts.Repo.UseAzureWorkloadIdentity = repoOpts.UseAzureWorkloadIdentity
-			repoOpts.Repo.Depth = repoOpts.Depth

 			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
 				errors.Fatal(errors.ErrorGeneric, "Must specify --name for repos of type 'helm'")
--- a/cmd/argocd/commands/repocreds.go
+++ b/cmd/argocd/commands/repocreds.go
@@ -72,10 +72,10 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
  # Add credentials with SSH private key authentication to use for all repositories under ssh://git@git.example.com/repos
  argocd repocreds add ssh://git@git.example.com/repos/ --ssh-private-key-path ~/.ssh/id_rsa

-  # Add credentials with GitHub App authentication to use for all repositories under https://github.com/repos. github-app-installation-id is optional, if not provided, the installation id will be fetched from the GitHub API.
+  # Add credentials with GitHub App authentication to use for all repositories under https://github.com/repos
  argocd repocreds add https://github.com/repos/ --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem

-  # Add credentials with GitHub App authentication to use for all repositories under https://ghe.example.com/repos. github-app-installation-id is optional, if not provided, the installation id will be fetched from the GitHub API.
+  # Add credentials with GitHub App authentication to use for all repositories under https://ghe.example.com/repos
  argocd repocreds add https://ghe.example.com/repos/ --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3

  # Add credentials with helm oci registry so that these oci registry urls do not need to be added as repos individually.
@@ -191,7 +191,7 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 	command.Flags().StringVar(&tlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
 	command.Flags().StringVar(&tlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key (must be PEM format)")
 	command.Flags().Int64Var(&repo.GithubAppId, "github-app-id", 0, "id of the GitHub Application")
-	command.Flags().Int64Var(&repo.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application (optional, will be auto-discovered if not provided)")
+	command.Flags().Int64Var(&repo.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application")
 	command.Flags().StringVar(&githubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
 	command.Flags().StringVar(&repo.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
 	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
--- a/cmd/argocd/commands/root.go
+++ b/cmd/argocd/commands/root.go
@@ -44,11 +44,6 @@ func NewCommand() *cobra.Command {
 		},
 		DisableAutoGenTag: true,
 		SilenceUsage:      true,
-		ValidArgsFunction: func(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
-			// Return available plugin commands for tab completion
-			plugins := NewDefaultPluginHandler().ListAvailablePlugins()
-			return plugins, cobra.ShellCompDirectiveNoFileComp
-		},
 	}

 	command.AddCommand(NewCompletionCommand())
--- a/cmd/argocd/commands/tree.go
+++ b/cmd/argocd/commands/tree.go
@@ -24,7 +24,7 @@ func extractHealthStatusAndReason(node v1alpha1.ResourceNode) (healthStatus heal
 		healthStatus = node.Health.Status
 		reason = node.Health.Message
 	}
-	return healthStatus, reason
+	return
 }

 func treeViewAppGet(prefix string, uidToNodeMap map[string]v1alpha1.ResourceNode, parentToChildMap map[string][]string, parent v1alpha1.ResourceNode, mapNodeNameToResourceState map[string]*resourceState, w *tabwriter.Writer) {
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -83,11 +83,12 @@ func main() {
 	}

 	err := command.Execute()
-	// if an error is present, try to look for various scenarios
+	// if the err is non-nil, try to look for various scenarios
 	// such as if the error is from the execution of a normal argocd command,
 	// unknown command error or any other.
 	if err != nil {
-		pluginErr := cli.NewDefaultPluginHandler().HandleCommandExecutionError(err, isArgocdCLI, os.Args)
+		pluginHandler := cli.NewDefaultPluginHandler([]string{"argocd"})
+		pluginErr := pluginHandler.HandleCommandExecutionError(err, isArgocdCLI, os.Args)
 		if pluginErr != nil {
 			var exitErr *exec.ExitError
 			if errors.As(pluginErr, &exitErr) {
--- a/cmd/util/app.go
+++ b/cmd/util/app.go
@@ -136,9 +136,9 @@ func AddAppFlags(command *cobra.Command, opts *AppOptions) {
 	command.Flags().StringVar(&opts.project, "project", "", "Application project name")
 	command.Flags().StringVar(&opts.syncPolicy, "sync-policy", "", "Set the sync policy (one of: manual (aliases of manual: none), automated (aliases of automated: auto, automatic))")
 	command.Flags().StringArrayVar(&opts.syncOptions, "sync-option", []string{}, "Add or remove a sync option, e.g add `Prune=false`. Remove using `!` prefix, e.g. `!Prune=false`")
-	command.Flags().BoolVar(&opts.autoPrune, "auto-prune", false, "Set automatic pruning for automated sync policy")
-	command.Flags().BoolVar(&opts.selfHeal, "self-heal", false, "Set self healing for automated sync policy")
-	command.Flags().BoolVar(&opts.allowEmpty, "allow-empty", false, "Set allow zero live resources for automated sync policy")
+	command.Flags().BoolVar(&opts.autoPrune, "auto-prune", false, "Set automatic pruning when sync is automated")
+	command.Flags().BoolVar(&opts.selfHeal, "self-heal", false, "Set self healing when sync is automated")
+	command.Flags().BoolVar(&opts.allowEmpty, "allow-empty", false, "Set allow zero live resources when sync is automated")
 	command.Flags().StringVar(&opts.namePrefix, "nameprefix", "", "Kustomize nameprefix")
 	command.Flags().StringVar(&opts.nameSuffix, "namesuffix", "", "Kustomize namesuffix")
 	command.Flags().StringVar(&opts.kustomizeVersion, "kustomize-version", "", "Kustomize version")
@@ -284,26 +284,25 @@ func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, ap
 			spec.SyncPolicy.Retry.Refresh = appOpts.retryRefresh
 		}
 	})
-
-	if flags.Changed("auto-prune") || flags.Changed("self-heal") || flags.Changed("allow-empty") {
-		if spec.SyncPolicy == nil {
-			spec.SyncPolicy = &argoappv1.SyncPolicy{}
-		}
-		if spec.SyncPolicy.Automated == nil {
-			disabled := false
-			spec.SyncPolicy.Automated = &argoappv1.SyncPolicyAutomated{Enabled: &disabled}
-		}
-
-		if flags.Changed("auto-prune") {
-			spec.SyncPolicy.Automated.Prune = appOpts.autoPrune
-		}
-		if flags.Changed("self-heal") {
-			spec.SyncPolicy.Automated.SelfHeal = appOpts.selfHeal
-		}
-		if flags.Changed("allow-empty") {
-			spec.SyncPolicy.Automated.AllowEmpty = appOpts.allowEmpty
+	if flags.Changed("auto-prune") {
+		if spec.SyncPolicy == nil || !spec.SyncPolicy.IsAutomatedSyncEnabled() {
+			log.Fatal("Cannot set --auto-prune: application not configured with automatic sync")
 		}
+		spec.SyncPolicy.Automated.Prune = appOpts.autoPrune
 	}
+	if flags.Changed("self-heal") {
+		if spec.SyncPolicy == nil || !spec.SyncPolicy.IsAutomatedSyncEnabled() {
+			log.Fatal("Cannot set --self-heal: application not configured with automatic sync")
+		}
+		spec.SyncPolicy.Automated.SelfHeal = appOpts.selfHeal
+	}
+	if flags.Changed("allow-empty") {
+		if spec.SyncPolicy == nil || !spec.SyncPolicy.IsAutomatedSyncEnabled() {
+			log.Fatal("Cannot set --allow-empty: application not configured with automatic sync")
+		}
+		spec.SyncPolicy.Automated.AllowEmpty = appOpts.allowEmpty
+	}
+
 	return visited
 }

--- a/cmd/util/app_test.go
+++ b/cmd/util/app_test.go
@@ -267,47 +267,6 @@ func Test_setAppSpecOptions(t *testing.T) {
 		require.NoError(t, f.SetFlag("sync-option", "!a=1"))
 		assert.Nil(t, f.spec.SyncPolicy)
 	})
-	t.Run("AutoPruneFlag", func(t *testing.T) {
-		f := newAppOptionsFixture()
-
-		// syncPolicy is nil (automated.enabled = false)
-		require.NoError(t, f.SetFlag("auto-prune", "true"))
-		require.NotNil(t, f.spec.SyncPolicy.Automated.Enabled)
-		assert.False(t, *f.spec.SyncPolicy.Automated.Enabled)
-		assert.True(t, f.spec.SyncPolicy.Automated.Prune)
-
-		// automated.enabled = true
-		*f.spec.SyncPolicy.Automated.Enabled = true
-		require.NoError(t, f.SetFlag("auto-prune", "false"))
-		assert.True(t, *f.spec.SyncPolicy.Automated.Enabled)
-		assert.False(t, f.spec.SyncPolicy.Automated.Prune)
-	})
-	t.Run("SelfHealFlag", func(t *testing.T) {
-		f := newAppOptionsFixture()
-
-		require.NoError(t, f.SetFlag("self-heal", "true"))
-		require.NotNil(t, f.spec.SyncPolicy.Automated.Enabled)
-		assert.False(t, *f.spec.SyncPolicy.Automated.Enabled)
-		assert.True(t, f.spec.SyncPolicy.Automated.SelfHeal)
-
-		*f.spec.SyncPolicy.Automated.Enabled = true
-		require.NoError(t, f.SetFlag("self-heal", "false"))
-		assert.True(t, *f.spec.SyncPolicy.Automated.Enabled)
-		assert.False(t, f.spec.SyncPolicy.Automated.SelfHeal)
-	})
-	t.Run("AllowEmptyFlag", func(t *testing.T) {
-		f := newAppOptionsFixture()
-
-		require.NoError(t, f.SetFlag("allow-empty", "true"))
-		require.NotNil(t, f.spec.SyncPolicy.Automated.Enabled)
-		assert.False(t, *f.spec.SyncPolicy.Automated.Enabled)
-		assert.True(t, f.spec.SyncPolicy.Automated.AllowEmpty)
-
-		*f.spec.SyncPolicy.Automated.Enabled = true
-		require.NoError(t, f.SetFlag("allow-empty", "false"))
-		assert.True(t, *f.spec.SyncPolicy.Automated.Enabled)
-		assert.False(t, f.spec.SyncPolicy.Automated.AllowEmpty)
-	})
 	t.Run("RetryLimit", func(t *testing.T) {
 		require.NoError(t, f.SetFlag("sync-retry-limit", "5"))
 		assert.Equal(t, int64(5), f.spec.SyncPolicy.Retry.Limit)
--- a/cmd/util/project.go
+++ b/cmd/util/project.go
@@ -43,8 +43,8 @@ func AddProjFlags(command *cobra.Command, opts *ProjectOpts) {
 	command.Flags().StringSliceVar(&opts.SignatureKeys, "signature-keys", []string{}, "GnuPG public key IDs for commit signature verification")
 	command.Flags().BoolVar(&opts.orphanedResourcesEnabled, "orphaned-resources", false, "Enables orphaned resources monitoring")
 	command.Flags().BoolVar(&opts.orphanedResourcesWarn, "orphaned-resources-warn", false, "Specifies if applications should have a warning condition when orphaned resources detected")
-	command.Flags().StringArrayVar(&opts.allowedClusterResources, "allow-cluster-resource", []string{}, "List of allowed cluster level resources, optionally with group and name (e.g. ClusterRole, apiextensions.k8s.io/CustomResourceDefinition, /Namespace/team1-*)")
-	command.Flags().StringArrayVar(&opts.deniedClusterResources, "deny-cluster-resource", []string{}, "List of denied cluster level resources, optionally with group and name (e.g. ClusterRole, apiextensions.k8s.io/CustomResourceDefinition, /Namespace/kube-*)")
+	command.Flags().StringArrayVar(&opts.allowedClusterResources, "allow-cluster-resource", []string{}, "List of allowed cluster level resources")
+	command.Flags().StringArrayVar(&opts.deniedClusterResources, "deny-cluster-resource", []string{}, "List of denied cluster level resources")
 	command.Flags().StringArrayVar(&opts.allowedNamespacedResources, "allow-namespaced-resource", []string{}, "List of allowed namespaced resources")
 	command.Flags().StringArrayVar(&opts.deniedNamespacedResources, "deny-namespaced-resource", []string{}, "List of denied namespaced resources")
 	command.Flags().StringSliceVar(&opts.SourceNamespaces, "source-namespaces", []string{}, "List of source namespaces for applications")
@@ -64,26 +64,12 @@ func getGroupKindList(values []string) []metav1.GroupKind {
 	return res
 }

-func getClusterResourceRestrictionItemList(values []string) []v1alpha1.ClusterResourceRestrictionItem {
-	var res []v1alpha1.ClusterResourceRestrictionItem
-	for _, val := range values {
-		if parts := strings.Split(val, "/"); len(parts) == 3 {
-			res = append(res, v1alpha1.ClusterResourceRestrictionItem{Group: parts[0], Kind: parts[1], Name: parts[2]})
-		} else if parts = strings.Split(val, "/"); len(parts) == 2 {
-			res = append(res, v1alpha1.ClusterResourceRestrictionItem{Group: parts[0], Kind: parts[1]})
-		} else if len(parts) == 1 {
-			res = append(res, v1alpha1.ClusterResourceRestrictionItem{Kind: parts[0]})
-		}
-	}
-	return res
+func (opts *ProjectOpts) GetAllowedClusterResources() []metav1.GroupKind {
+	return getGroupKindList(opts.allowedClusterResources)
 }

-func (opts *ProjectOpts) GetAllowedClusterResources() []v1alpha1.ClusterResourceRestrictionItem {
-	return getClusterResourceRestrictionItemList(opts.allowedClusterResources)
-}
-
-func (opts *ProjectOpts) GetDeniedClusterResources() []v1alpha1.ClusterResourceRestrictionItem {
-	return getClusterResourceRestrictionItemList(opts.deniedClusterResources)
+func (opts *ProjectOpts) GetDeniedClusterResources() []metav1.GroupKind {
+	return getGroupKindList(opts.deniedClusterResources)
 }

 func (opts *ProjectOpts) GetAllowedNamespacedResources() []metav1.GroupKind {
--- a/cmd/util/project_test.go
+++ b/cmd/util/project_test.go
@@ -19,8 +19,8 @@ func TestProjectOpts_ResourceLists(t *testing.T) {

 	assert.ElementsMatch(t, []metav1.GroupKind{{Kind: "ConfigMap"}}, opts.GetAllowedNamespacedResources())
 	assert.ElementsMatch(t, []metav1.GroupKind{{Group: "apps", Kind: "DaemonSet"}}, opts.GetDeniedNamespacedResources())
-	assert.ElementsMatch(t, []v1alpha1.ClusterResourceRestrictionItem{{Group: "apiextensions.k8s.io", Kind: "CustomResourceDefinition"}}, opts.GetAllowedClusterResources())
-	assert.ElementsMatch(t, []v1alpha1.ClusterResourceRestrictionItem{{Group: "rbac.authorization.k8s.io", Kind: "ClusterRole"}}, opts.GetDeniedClusterResources())
+	assert.ElementsMatch(t, []metav1.GroupKind{{Group: "apiextensions.k8s.io", Kind: "CustomResourceDefinition"}}, opts.GetAllowedClusterResources())
+	assert.ElementsMatch(t, []metav1.GroupKind{{Group: "rbac.authorization.k8s.io", Kind: "ClusterRole"}}, opts.GetDeniedClusterResources())
 }

 func TestProjectOpts_GetDestinationServiceAccounts(t *testing.T) {
--- a/cmd/util/repo.go
+++ b/cmd/util/repo.go
@@ -27,7 +27,6 @@ type RepoOptions struct {
 	GCPServiceAccountKeyPath       string
 	ForceHttpBasicAuth             bool //nolint:revive //FIXME(var-naming)
 	UseAzureWorkloadIdentity       bool
-	Depth                          int64
 }

 func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
@@ -45,7 +44,7 @@ func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
 	command.Flags().BoolVar(&opts.EnableLfs, "enable-lfs", false, "enable git-lfs (Large File Support) on this repository")
 	command.Flags().BoolVar(&opts.EnableOci, "enable-oci", false, "enable helm-oci (Helm OCI-Based Repository) (only valid for helm type repositories)")
 	command.Flags().Int64Var(&opts.GithubAppId, "github-app-id", 0, "id of the GitHub Application")
-	command.Flags().Int64Var(&opts.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application (optional, will be auto-discovered if not provided)")
+	command.Flags().Int64Var(&opts.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application")
 	command.Flags().StringVar(&opts.GithubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
 	command.Flags().StringVar(&opts.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
 	command.Flags().StringVar(&opts.Proxy, "proxy", "", "use proxy to access repository")
@@ -54,5 +53,4 @@ func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
 	command.Flags().BoolVar(&opts.ForceHttpBasicAuth, "force-http-basic-auth", false, "whether to force use of basic auth when connecting repository via HTTP")
 	command.Flags().BoolVar(&opts.UseAzureWorkloadIdentity, "use-azure-workload-identity", false, "whether to use azure workload identity for authentication")
 	command.Flags().BoolVar(&opts.InsecureOCIForceHTTP, "insecure-oci-force-http", false, "Use http when accessing an OCI repository")
-	command.Flags().Int64Var(&opts.Depth, "depth", 0, "Specify a custom depth for git clone operations. Unless specified, a full clone is performed using the depth of 0")
 }
--- a/cmpserver/server.go
+++ b/cmpserver/server.go
@@ -1,7 +1,6 @@
 package cmpserver

 import (
-	"context"
 	"fmt"
 	"net"
 	"os"
@@ -86,8 +85,7 @@ func (a *ArgoCDCMPServer) Run() {

 	// Listen on the socket address
 	_ = os.Remove(config.Address())
-	lc := &net.ListenConfig{}
-	listener, err := lc.Listen(context.Background(), "unix", config.Address())
+	listener, err := net.Listen("unix", config.Address())
 	errors.CheckError(err)
 	log.Infof("argocd-cmp-server %s serving on %s", common.GetVersion(), listener.Addr())

--- a/commitserver/commit/addnote_race_test.go
+++ b/commitserver/commit/addnote_race_test.go
@@ -1,209 +0,0 @@
-package commit
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/argoproj/argo-cd/v3/util/git"
-)
-
-// TestAddNoteConcurrentStaggered tests that when multiple AddNote operations run
-// with slightly staggered timing, all notes persist correctly.
-// Each operation gets its own git clone, simulating multiple concurrent hydration requests.
-func TestAddNoteConcurrentStaggered(t *testing.T) {
-	t.Parallel()
-
-	remotePath, localPath := setupRepoWithRemote(t)
-
-	// Create 3 branches with commits (simulating different hydration targets)
-	branches := []string{"env/dev", "env/staging", "env/prod"}
-	commitSHAs := make([]string, 3)
-
-	for i, branch := range branches {
-		commitSHAs[i] = commitAndPushBranch(t, localPath, branch)
-	}
-
-	// Create separate clones for concurrent operations
-	cloneClients := make([]git.Client, 3)
-	for i := 0; i < 3; i++ {
-		cloneClients[i] = getClientForClone(t, remotePath)
-	}
-
-	// Add notes concurrently with slight stagger
-	var wg sync.WaitGroup
-	errors := make([]error, 3)
-
-	for i := 0; i < 3; i++ {
-		wg.Add(1)
-		go func(idx int) {
-			defer wg.Done()
-			time.Sleep(time.Duration(idx*50) * time.Millisecond)
-			errors[idx] = AddNote(cloneClients[idx], fmt.Sprintf("dry-sha-%d", idx), commitSHAs[idx])
-		}(i)
-	}
-	wg.Wait()
-
-	// Verify all notes persisted
-	verifyClient := getClientForClone(t, remotePath)
-
-	for i, commitSHA := range commitSHAs {
-		note, err := verifyClient.GetCommitNote(commitSHA, NoteNamespace)
-		require.NoError(t, err, "Note should exist for commit %d", i)
-		assert.Contains(t, note, fmt.Sprintf("dry-sha-%d", i))
-	}
-}
-
-// TestAddNoteConcurrentSimultaneous tests that when multiple AddNote operations run
-// simultaneously (without delays), all notes persist correctly.
-// Each operation gets its own git clone, simulating multiple concurrent hydration requests.
-func TestAddNoteConcurrentSimultaneous(t *testing.T) {
-	t.Parallel()
-
-	remotePath, localPath := setupRepoWithRemote(t)
-
-	// Create 3 branches with commits (simulating different hydration targets)
-	branches := []string{"env/dev", "env/staging", "env/prod"}
-	commitSHAs := make([]string, 3)
-
-	for i, branch := range branches {
-		commitSHAs[i] = commitAndPushBranch(t, localPath, branch)
-	}
-
-	// Create separate clones for concurrent operations
-	cloneClients := make([]git.Client, 3)
-	for i := 0; i < 3; i++ {
-		cloneClients[i] = getClientForClone(t, remotePath)
-	}
-
-	// Add notes concurrently without delays
-	var wg sync.WaitGroup
-	startChan := make(chan struct{})
-
-	for i := 0; i < 3; i++ {
-		wg.Add(1)
-		go func(idx int) {
-			defer wg.Done()
-			<-startChan
-			_ = AddNote(cloneClients[idx], fmt.Sprintf("dry-sha-%d", idx), commitSHAs[idx])
-		}(i)
-	}
-
-	close(startChan)
-	wg.Wait()
-
-	// Verify all notes persisted
-	verifyClient := getClientForClone(t, remotePath)
-
-	for i, commitSHA := range commitSHAs {
-		note, err := verifyClient.GetCommitNote(commitSHA, NoteNamespace)
-		require.NoError(t, err, "Note should exist for commit %d", i)
-		assert.Contains(t, note, fmt.Sprintf("dry-sha-%d", i))
-	}
-}
-
-// setupRepoWithRemote creates a bare remote repo and a local repo configured to push to it.
-// Returns the remote path and local path.
-func setupRepoWithRemote(t *testing.T) (remotePath, localPath string) {
-	t.Helper()
-	ctx := t.Context()
-
-	// Create bare remote repository
-	remoteDir := t.TempDir()
-	remotePath = filepath.Join(remoteDir, "remote.git")
-	err := os.MkdirAll(remotePath, 0o755)
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, remotePath, "init", "--bare")
-	require.NoError(t, err)
-
-	// Create local repository
-	localDir := t.TempDir()
-	localPath = filepath.Join(localDir, "local")
-	err = os.MkdirAll(localPath, 0o755)
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, localPath, "init")
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, localPath, "config", "user.name", "Test User")
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, localPath, "config", "user.email", "test@example.com")
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, localPath, "remote", "add", "origin", remotePath)
-	require.NoError(t, err)
-
-	return remotePath, localPath
-}
-
-// commitAndPushBranch writes a file, commits it, creates a branch, and pushes to remote.
-// Returns the commit SHA.
-func commitAndPushBranch(t *testing.T, localPath, branch string) string {
-	t.Helper()
-	ctx := t.Context()
-
-	testFile := filepath.Join(localPath, "test.txt")
-	err := os.WriteFile(testFile, []byte("content for "+branch), 0o644)
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, localPath, "add", ".")
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, localPath, "commit", "-m", "commit "+branch)
-	require.NoError(t, err)
-
-	sha, err := runGitCmd(ctx, localPath, "rev-parse", "HEAD")
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, localPath, "branch", branch)
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, localPath, "push", "origin", branch)
-	require.NoError(t, err)
-
-	return sha
-}
-
-// getClientForClone creates a git client with a fresh clone of the remote repo.
-func getClientForClone(t *testing.T, remotePath string) git.Client {
-	t.Helper()
-	ctx := t.Context()
-
-	workDir := t.TempDir()
-
-	client, err := git.NewClientExt(remotePath, workDir, &git.NopCreds{}, false, false, "", "")
-	require.NoError(t, err)
-
-	err = client.Init()
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, workDir, "config", "user.name", "Test User")
-	require.NoError(t, err)
-
-	_, err = runGitCmd(ctx, workDir, "config", "user.email", "test@example.com")
-	require.NoError(t, err)
-
-	err = client.Fetch("", 0)
-	require.NoError(t, err)
-
-	return client
-}
-
-// runGitCmd is a helper function to run git commands
-func runGitCmd(ctx context.Context, dir string, args ...string) (string, error) {
-	cmd := exec.CommandContext(ctx, "git", args...)
-	cmd.Dir = dir
-	output, err := cmd.CombinedOutput()
-	return strings.TrimSpace(string(output)), err
-}
--- a/commitserver/commit/commit.go
+++ b/commitserver/commit/commit.go
@@ -7,6 +7,8 @@ import (
 	"os"
 	"time"

+	"github.com/argoproj/argo-cd/v3/controller/hydrator"
+
 	log "github.com/sirupsen/logrus"

 	"github.com/argoproj/argo-cd/v3/commitserver/apiclient"
@@ -17,11 +19,6 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/io/files"
 )

-const (
-	NoteNamespace = "hydrator.metadata" // NoteNamespace is the custom git notes namespace used by the hydrator to store and retrieve commit-related metadata.
-	ManifestYaml  = "manifest.yaml"     // ManifestYaml constant for the manifest yaml
-)
-
 // Service is the service that handles commit requests.
 type Service struct {
 	metricsServer     *metrics.Server
@@ -50,13 +47,6 @@ type hydratorMetadataFile struct {
 	References []v1alpha1.RevisionReference `json:"references,omitempty"`
 }

-// CommitNote represents the structure of the git note associated with a hydrated commit.
-// This struct is used to serialize/deserialize commit metadata (such as the dry run SHA)
-// stored in the custom note namespace by the hydrator.
-type CommitNote struct {
-	DrySHA string `json:"drySha"` // SHA of original commit that triggerd the hydrator
-}
-
 // TODO: make this configurable via ConfigMap.
 var manifestHydrationReadmeTemplate = `# Manifest Hydration

@@ -167,45 +157,33 @@ func (s *Service) handleCommitRequest(logCtx *log.Entry, r *apiclient.CommitHydr
 		return out, "", fmt.Errorf("failed to checkout target branch: %w", err)
 	}

-	hydratedSha, err := gitClient.CommitSHA()
-	if err != nil {
-		return "", "", fmt.Errorf("failed to get commit SHA: %w", err)
+	logCtx.Debug("Clearing and preparing paths")
+	var pathsToClear []string
+	// range over the paths configured and skip those application
+	// paths that are referencing to root path
+	for _, p := range r.Paths {
+		if hydrator.IsRootPath(p.Path) {
+			// skip adding paths that are referencing root directory
+			logCtx.Debugf("Path %s is referencing root directory, ignoring the path", p.Path)
+			continue
+		}
+		pathsToClear = append(pathsToClear, p.Path)
 	}

-	/* git note changes
-	1. Get the git note
-	2. If found, short-circuit, log a warn and return
-	3. If not, get the last manifest from git  for every path, compare it with the hydrated manifest
-	3a. If manifest has no changes, continue.. no need to commit it
-	3b. Else, hydrate the manifest.
-	3c. Push the updated note
-	*/
-	isHydrated, err := IsHydrated(gitClient, r.DrySha, hydratedSha)
-	if err != nil {
-		return "", "", fmt.Errorf("failed to get notes from git %w", err)
-	}
-	// short-circuit if already hydrated
-	if isHydrated {
-		logCtx.Debugf("this dry sha %s is already hydrated", r.DrySha)
-		return "", hydratedSha, nil
+	if len(pathsToClear) > 0 {
+		logCtx.Debugf("Clearing paths: %v", pathsToClear)
+		out, err := gitClient.RemoveContents(pathsToClear)
+		if err != nil {
+			return out, "", fmt.Errorf("failed to clear paths %v: %w", pathsToClear, err)
+		}
 	}

 	logCtx.Debug("Writing manifests")
-	shouldCommit, err := WriteForPaths(root, r.Repo.Repo, r.DrySha, r.DryCommitMetadata, r.Paths, gitClient)
-	// When there are no new manifests to commit, err will be nil and success will be false as nothing to commit. Else or every other error err will not be nil
+	err = WriteForPaths(root, r.Repo.Repo, r.DrySha, r.DryCommitMetadata, r.Paths)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to write manifests: %w", err)
 	}
-	if !shouldCommit {
-		// Manifests did not change, so we don't need to create a new commit.
-		// Add a git note to track that this dry SHA has been processed, and return the existing hydrated SHA.
-		logCtx.Debug("Adding commit note")
-		err = AddNote(gitClient, r.DrySha, hydratedSha)
-		if err != nil {
-			return "", "", fmt.Errorf("failed to add commit note: %w", err)
-		}
-		return "", hydratedSha, nil
-	}
+
 	logCtx.Debug("Committing and pushing changes")
 	out, err = gitClient.CommitAndPush(r.TargetBranch, r.CommitMessage)
 	if err != nil {
@@ -217,12 +195,7 @@ func (s *Service) handleCommitRequest(logCtx *log.Entry, r *apiclient.CommitHydr
 	if err != nil {
 		return "", "", fmt.Errorf("failed to get commit SHA: %w", err)
 	}
-	// add the commit note
-	logCtx.Debug("Adding commit note")
-	err = AddNote(gitClient, r.DrySha, sha)
-	if err != nil {
-		return "", "", fmt.Errorf("failed to add commit note: %w", err)
-	}
+
 	return "", sha, nil
 }

@@ -256,7 +229,7 @@ func (s *Service) initGitClient(logCtx *log.Entry, r *apiclient.CommitHydratedMa
 	}

 	logCtx.Debugf("Fetching repo %s", r.Repo.Repo)
-	err = gitClient.Fetch("", 0)
+	err = gitClient.Fetch("")
 	if err != nil {
 		cleanupOrLog()
 		return nil, "", nil, fmt.Errorf("failed to clone repo: %w", err)
--- a/commitserver/commit/commit_test.go
+++ b/commitserver/commit/commit_test.go
@@ -1,7 +1,6 @@
 package commit

 import (
-	"fmt"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -83,7 +82,7 @@ func Test_CommitHydratedManifests(t *testing.T) {
 		t.Parallel()

 		service, mockRepoClientFactory := newServiceWithMocks(t)
-		mockRepoClientFactory.EXPECT().NewClient(mock.Anything, mock.Anything).Return(nil, assert.AnError).Once()
+		mockRepoClientFactory.On("NewClient", mock.Anything, mock.Anything).Return(nil, assert.AnError).Once()

 		_, err := service.CommitHydratedManifests(t.Context(), validRequest)
 		require.Error(t, err)
@@ -95,20 +94,19 @@ func Test_CommitHydratedManifests(t *testing.T) {

 		service, mockRepoClientFactory := newServiceWithMocks(t)
 		mockGitClient := gitmocks.NewClient(t)
-		mockGitClient.EXPECT().Init().Return(nil).Once()
-		mockGitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().SetAuthor("Argo CD", "argo-cd@example.com").Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrOrphan("env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrNew("main", "env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().GetCommitNote(mock.Anything, mock.Anything).Return("", fmt.Errorf("test %w", git.ErrNoNoteFound)).Once()
-		mockGitClient.EXPECT().AddAndPushNote(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().CommitSHA().Return("it-worked!", nil).Once()
-		mockRepoClientFactory.EXPECT().NewClient(mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()
+		mockGitClient.On("Init").Return(nil).Once()
+		mockGitClient.On("Fetch", mock.Anything).Return(nil).Once()
+		mockGitClient.On("SetAuthor", "Argo CD", "argo-cd@example.com").Return("", nil).Once()
+		mockGitClient.On("CheckoutOrOrphan", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("CheckoutOrNew", "main", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("CommitAndPush", "main", "test commit message").Return("", nil).Once()
+		mockGitClient.On("CommitSHA").Return("it-worked!", nil).Once()
+		mockRepoClientFactory.On("NewClient", mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()

 		resp, err := service.CommitHydratedManifests(t.Context(), validRequest)
 		require.NoError(t, err)
 		require.NotNil(t, resp)
-		assert.Equal(t, "it-worked!", resp.HydratedSha, "Should return existing hydrated SHA for no-op")
+		assert.Equal(t, "it-worked!", resp.HydratedSha)
 	})

 	t.Run("root path with dot and blank - no directory removal", func(t *testing.T) {
@@ -116,17 +114,14 @@ func Test_CommitHydratedManifests(t *testing.T) {

 		service, mockRepoClientFactory := newServiceWithMocks(t)
 		mockGitClient := gitmocks.NewClient(t)
-		mockGitClient.EXPECT().Init().Return(nil).Once()
-		mockGitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().SetAuthor("Argo CD", "argo-cd@example.com").Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrOrphan("env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrNew("main", "env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().GetCommitNote(mock.Anything, mock.Anything).Return("", fmt.Errorf("test %w", git.ErrNoNoteFound)).Once()
-		mockGitClient.EXPECT().HasFileChanged(mock.Anything).Return(true, nil).Twice()
-		mockGitClient.EXPECT().CommitAndPush("main", "test commit message").Return("", nil).Once()
-		mockGitClient.EXPECT().AddAndPushNote(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().CommitSHA().Return("root-and-blank-sha", nil).Twice()
-		mockRepoClientFactory.EXPECT().NewClient(mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()
+		mockGitClient.On("Init").Return(nil).Once()
+		mockGitClient.On("Fetch", mock.Anything).Return(nil).Once()
+		mockGitClient.On("SetAuthor", "Argo CD", "argo-cd@example.com").Return("", nil).Once()
+		mockGitClient.On("CheckoutOrOrphan", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("CheckoutOrNew", "main", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("CommitAndPush", "main", "test commit message").Return("", nil).Once()
+		mockGitClient.On("CommitSHA").Return("root-and-blank-sha", nil).Once()
+		mockRepoClientFactory.On("NewClient", mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()

 		requestWithRootAndBlank := &apiclient.CommitHydratedManifestsRequest{
 			Repo: &v1alpha1.Repository{
@@ -163,27 +158,25 @@ func Test_CommitHydratedManifests(t *testing.T) {

 	t.Run("subdirectory path - triggers directory removal", func(t *testing.T) {
 		t.Parallel()
+
 		service, mockRepoClientFactory := newServiceWithMocks(t)
 		mockGitClient := gitmocks.NewClient(t)
-		mockGitClient.EXPECT().Init().Return(nil).Once()
-		mockGitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().SetAuthor("Argo CD", "argo-cd@example.com").Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrOrphan("env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrNew("main", "env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().GetCommitNote(mock.Anything, mock.Anything).Return("", fmt.Errorf("test %w", git.ErrNoNoteFound)).Once()
-		mockGitClient.EXPECT().HasFileChanged(mock.Anything).Return(true, nil).Once()
-		mockGitClient.EXPECT().CommitAndPush("main", "test commit message").Return("", nil).Once()
-		mockGitClient.EXPECT().AddAndPushNote(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().CommitSHA().Return("subdir-path-sha", nil).Twice()
-		mockRepoClientFactory.EXPECT().NewClient(mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()
+		mockGitClient.On("Init").Return(nil).Once()
+		mockGitClient.On("Fetch", mock.Anything).Return(nil).Once()
+		mockGitClient.On("SetAuthor", "Argo CD", "argo-cd@example.com").Return("", nil).Once()
+		mockGitClient.On("CheckoutOrOrphan", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("CheckoutOrNew", "main", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("RemoveContents", []string{"apps/staging"}).Return("", nil).Once()
+		mockGitClient.On("CommitAndPush", "main", "test commit message").Return("", nil).Once()
+		mockGitClient.On("CommitSHA").Return("subdir-path-sha", nil).Once()
+		mockRepoClientFactory.On("NewClient", mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()

 		requestWithSubdirPath := &apiclient.CommitHydratedManifestsRequest{
 			Repo: &v1alpha1.Repository{
 				Repo: "https://github.com/argoproj/argocd-example-apps.git",
 			},
-			TargetBranch: "main",
-			SyncBranch:   "env/test",
-
+			TargetBranch:  "main",
+			SyncBranch:    "env/test",
 			CommitMessage: "test commit message",
 			Paths: []*apiclient.PathDetails{
 				{
@@ -208,17 +201,15 @@ func Test_CommitHydratedManifests(t *testing.T) {

 		service, mockRepoClientFactory := newServiceWithMocks(t)
 		mockGitClient := gitmocks.NewClient(t)
-		mockGitClient.EXPECT().Init().Return(nil).Once()
-		mockGitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().SetAuthor("Argo CD", "argo-cd@example.com").Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrOrphan("env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrNew("main", "env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().GetCommitNote(mock.Anything, mock.Anything).Return("", fmt.Errorf("test %w", git.ErrNoNoteFound)).Once()
-		mockGitClient.EXPECT().HasFileChanged(mock.Anything).Return(true, nil).Times(3)
-		mockGitClient.EXPECT().CommitAndPush("main", "test commit message").Return("", nil).Once()
-		mockGitClient.EXPECT().AddAndPushNote(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().CommitSHA().Return("mixed-paths-sha", nil).Twice()
-		mockRepoClientFactory.EXPECT().NewClient(mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()
+		mockGitClient.On("Init").Return(nil).Once()
+		mockGitClient.On("Fetch", mock.Anything).Return(nil).Once()
+		mockGitClient.On("SetAuthor", "Argo CD", "argo-cd@example.com").Return("", nil).Once()
+		mockGitClient.On("CheckoutOrOrphan", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("CheckoutOrNew", "main", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("RemoveContents", []string{"apps/production", "apps/staging"}).Return("", nil).Once()
+		mockGitClient.On("CommitAndPush", "main", "test commit message").Return("", nil).Once()
+		mockGitClient.On("CommitSHA").Return("mixed-paths-sha", nil).Once()
+		mockRepoClientFactory.On("NewClient", mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()

 		requestWithMixedPaths := &apiclient.CommitHydratedManifestsRequest{
 			Repo: &v1alpha1.Repository{
@@ -266,15 +257,14 @@ func Test_CommitHydratedManifests(t *testing.T) {

 		service, mockRepoClientFactory := newServiceWithMocks(t)
 		mockGitClient := gitmocks.NewClient(t)
-		mockGitClient.EXPECT().Init().Return(nil).Once()
-		mockGitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().SetAuthor("Argo CD", "argo-cd@example.com").Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrOrphan("env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrNew("main", "env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().GetCommitNote(mock.Anything, mock.Anything).Return("", fmt.Errorf("test %w", git.ErrNoNoteFound)).Once()
-		mockGitClient.EXPECT().AddAndPushNote(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().CommitSHA().Return("empty-paths-sha", nil).Once()
-		mockRepoClientFactory.EXPECT().NewClient(mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()
+		mockGitClient.On("Init").Return(nil).Once()
+		mockGitClient.On("Fetch", mock.Anything).Return(nil).Once()
+		mockGitClient.On("SetAuthor", "Argo CD", "argo-cd@example.com").Return("", nil).Once()
+		mockGitClient.On("CheckoutOrOrphan", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("CheckoutOrNew", "main", "env/test", false).Return("", nil).Once()
+		mockGitClient.On("CommitAndPush", "main", "test commit message").Return("", nil).Once()
+		mockGitClient.On("CommitSHA").Return("it-worked!", nil).Once()
+		mockRepoClientFactory.On("NewClient", mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()

 		requestWithEmptyPaths := &apiclient.CommitHydratedManifestsRequest{
 			Repo: &v1alpha1.Repository{
@@ -283,97 +273,12 @@ func Test_CommitHydratedManifests(t *testing.T) {
 			TargetBranch:  "main",
 			SyncBranch:    "env/test",
 			CommitMessage: "test commit message",
-			DrySha:        "dry-sha-456",
 		}

 		resp, err := service.CommitHydratedManifests(t.Context(), requestWithEmptyPaths)
 		require.NoError(t, err)
 		require.NotNil(t, resp)
-		assert.Equal(t, "empty-paths-sha", resp.HydratedSha, "Should return existing hydrated SHA for no-op")
-	})
-
-	t.Run("duplicate request already hydrated", func(t *testing.T) {
-		t.Parallel()
-
-		strnote := "{\"drySha\":\"abc123\"}"
-		service, mockRepoClientFactory := newServiceWithMocks(t)
-		mockGitClient := gitmocks.NewClient(t)
-		mockGitClient.EXPECT().Init().Return(nil).Once()
-		mockGitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().SetAuthor("Argo CD", "argo-cd@example.com").Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrOrphan("env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrNew("main", "env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().GetCommitNote(mock.Anything, mock.Anything).Return(strnote, nil).Once()
-		mockGitClient.EXPECT().CommitSHA().Return("dupe-test-sha", nil).Once()
-		mockRepoClientFactory.EXPECT().NewClient(mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()
-
-		request := &apiclient.CommitHydratedManifestsRequest{
-			Repo: &v1alpha1.Repository{
-				Repo: "https://github.com/argoproj/argocd-example-apps.git",
-			},
-			TargetBranch:  "main",
-			SyncBranch:    "env/test",
-			DrySha:        "abc123",
-			CommitMessage: "test commit message",
-			Paths: []*apiclient.PathDetails{
-				{
-					Path: ".",
-					Manifests: []*apiclient.HydratedManifestDetails{
-						{
-							ManifestJSON: `{"apiVersion":"v1","kind":"Deployment","metadata":{"name":"test-app"}}`,
-						},
-					},
-				},
-			},
-		}
-
-		resp, err := service.CommitHydratedManifests(t.Context(), request)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		assert.Equal(t, "dupe-test-sha", resp.HydratedSha, "Should return existing hydrated SHA when already hydrated")
-	})
-
-	t.Run("root path with dot - no changes to manifest - should commit note only", func(t *testing.T) {
-		t.Parallel()
-
-		service, mockRepoClientFactory := newServiceWithMocks(t)
-		mockGitClient := gitmocks.NewClient(t)
-		mockGitClient.EXPECT().Init().Return(nil).Once()
-		mockGitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().SetAuthor("Argo CD", "argo-cd@example.com").Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrOrphan("env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().CheckoutOrNew("main", "env/test", false).Return("", nil).Once()
-		mockGitClient.EXPECT().GetCommitNote(mock.Anything, mock.Anything).Return("", fmt.Errorf("test %w", git.ErrNoNoteFound)).Once()
-		mockGitClient.EXPECT().HasFileChanged(mock.Anything).Return(false, nil).Once()
-		mockGitClient.EXPECT().AddAndPushNote(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
-		mockGitClient.EXPECT().CommitSHA().Return("root-and-blank-sha", nil).Once()
-		mockRepoClientFactory.EXPECT().NewClient(mock.Anything, mock.Anything).Return(mockGitClient, nil).Once()
-
-		requestWithRootAndBlank := &apiclient.CommitHydratedManifestsRequest{
-			Repo: &v1alpha1.Repository{
-				Repo: "https://github.com/argoproj/argocd-example-apps.git",
-			},
-			TargetBranch:  "main",
-			SyncBranch:    "env/test",
-			CommitMessage: "test commit message",
-			DrySha:        "dry-sha-123",
-			Paths: []*apiclient.PathDetails{
-				{
-					Path: ".",
-					Manifests: []*apiclient.HydratedManifestDetails{
-						{
-							ManifestJSON: `{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"test-dot"}}`,
-						},
-					},
-				},
-			},
-		}
-
-		resp, err := service.CommitHydratedManifests(t.Context(), requestWithRootAndBlank)
-		require.NoError(t, err)
-		require.NotNil(t, resp)
-		// BUG FIX: When manifests don't change (no-op), the existing hydrated SHA should be returned.
-		assert.Equal(t, "root-and-blank-sha", resp.HydratedSha, "Should return existing hydrated SHA for no-op")
+		assert.Equal(t, "it-worked!", resp.HydratedSha)
 	})
 }

--- a/commitserver/commit/credentialtypehelper.go
+++ b/commitserver/commit/credentialtypehelper.go
@@ -13,7 +13,7 @@ func getCredentialType(repo *v1alpha1.Repository) string {
 	if repo.SSHPrivateKey != "" {
 		return "ssh"
 	}
-	if repo.GithubAppPrivateKey != "" && repo.GithubAppId != 0 { // Promoter MVP: remove github-app-installation-id check since it is no longer a required field
+	if repo.GithubAppPrivateKey != "" && repo.GithubAppId != 0 && repo.GithubAppInstallationId != 0 {
 		return "github-app"
 	}
 	if repo.GCPServiceAccountKey != "" {
--- a/commitserver/commit/hydratorhelper.go
+++ b/commitserver/commit/hydratorhelper.go
@@ -2,7 +2,6 @@ package commit

 import (
 	"encoding/json"
-	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -16,7 +15,6 @@ import (
 	"github.com/argoproj/argo-cd/v3/commitserver/apiclient"
 	"github.com/argoproj/argo-cd/v3/common"
 	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v3/util/git"
 	"github.com/argoproj/argo-cd/v3/util/hydrator"
 	"github.com/argoproj/argo-cd/v3/util/io"
 )
@@ -35,24 +33,24 @@ func init() {

 // WriteForPaths writes the manifests, hydrator.metadata, and README.md files for each path in the provided paths. It
 // also writes a root-level hydrator.metadata file containing the repo URL and dry SHA.
-func WriteForPaths(root *os.Root, repoUrl, drySha string, dryCommitMetadata *appv1.RevisionMetadata, paths []*apiclient.PathDetails, gitClient git.Client) (bool, error) { //nolint:revive //FIXME(var-naming)
+func WriteForPaths(root *os.Root, repoUrl, drySha string, dryCommitMetadata *appv1.RevisionMetadata, paths []*apiclient.PathDetails) error { //nolint:revive //FIXME(var-naming)
 	hydratorMetadata, err := hydrator.GetCommitMetadata(repoUrl, drySha, dryCommitMetadata)
 	if err != nil {
-		return false, fmt.Errorf("failed to retrieve hydrator metadata: %w", err)
+		return fmt.Errorf("failed to retrieve hydrator metadata: %w", err)
 	}

 	// Write the top-level readme.
 	err = writeMetadata(root, "", hydratorMetadata)
 	if err != nil {
-		return false, fmt.Errorf("failed to write top-level hydrator metadata: %w", err)
+		return fmt.Errorf("failed to write top-level hydrator metadata: %w", err)
 	}

 	// Write .gitattributes
 	err = writeGitAttributes(root)
 	if err != nil {
-		return false, fmt.Errorf("failed to write git attributes: %w", err)
+		return fmt.Errorf("failed to write git attributes: %w", err)
 	}
-	var atleastOneManifestChanged bool
+
 	for _, p := range paths {
 		hydratePath := p.Path
 		if hydratePath == "." {
@@ -63,26 +61,15 @@ func WriteForPaths(root *os.Root, repoUrl, drySha string, dryCommitMetadata *app
 		if hydratePath != "" {
 			err = root.MkdirAll(hydratePath, 0o755)
 			if err != nil {
-				return false, fmt.Errorf("failed to create path: %w", err)
+				return fmt.Errorf("failed to create path: %w", err)
 			}
 		}

 		// Write the manifests
-		err := writeManifests(root, hydratePath, p.Manifests)
+		err = writeManifests(root, hydratePath, p.Manifests)
 		if err != nil {
-			return false, fmt.Errorf("failed to write manifests: %w", err)
+			return fmt.Errorf("failed to write manifests: %w", err)
 		}
-		// Check if the manifest file has been modified compared to the git index
-		changed, err := gitClient.HasFileChanged(filepath.Join(hydratePath, ManifestYaml))
-		if err != nil {
-			return false, fmt.Errorf("failed to check if anything changed on the manifest: %w", err)
-		}
-
-		if !changed {
-			continue
-		}
-		//  If any manifest has changed, signal that a commit should occur. If none have changed, skip committing.
-		atleastOneManifestChanged = changed

 		// Write hydrator.metadata containing information about the hydration process.
 		hydratorMetadata := hydrator.HydratorCommitMetadata{
@@ -92,20 +79,16 @@ func WriteForPaths(root *os.Root, repoUrl, drySha string, dryCommitMetadata *app
 		}
 		err = writeMetadata(root, hydratePath, hydratorMetadata)
 		if err != nil {
-			return false, fmt.Errorf("failed to write hydrator metadata: %w", err)
+			return fmt.Errorf("failed to write hydrator metadata: %w", err)
 		}

 		// Write README
 		err = writeReadme(root, hydratePath, hydratorMetadata)
 		if err != nil {
-			return false, fmt.Errorf("failed to write readme: %w", err)
+			return fmt.Errorf("failed to write readme: %w", err)
 		}
 	}
-	// if no manifest changes then skip commit
-	if !atleastOneManifestChanged {
-		return false, nil
-	}
-	return atleastOneManifestChanged, nil
+	return nil
 }

 // writeMetadata writes the metadata to the hydrator.metadata file.
@@ -180,7 +163,7 @@ func writeGitAttributes(root *os.Root) error {
 func writeManifests(root *os.Root, dirPath string, manifests []*apiclient.HydratedManifestDetails) error {
 	// If the file exists, truncate it.
 	// No need to use SecureJoin here, as the path is already sanitized.
-	manifestPath := filepath.Join(dirPath, ManifestYaml)
+	manifestPath := filepath.Join(dirPath, "manifest.yaml")

 	file, err := root.OpenFile(manifestPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.ModePerm)
 	if err != nil {
@@ -213,43 +196,6 @@ func writeManifests(root *os.Root, dirPath string, manifests []*apiclient.Hydrat
 			return fmt.Errorf("failed to encode manifest: %w", err)
 		}
 	}
-	return nil
-}
-
-// IsHydrated checks whether the given commit (commitSha) has already been hydrated with the specified Dry SHA (drySha).
-// It does this by retrieving the commit note in the NoteNamespace and examining the DrySHA value.
-// Returns true if the stored DrySHA matches the provided drySha, false if not or if no note exists.
-// Gracefully handles missing notes as a normal outcome (not an error), but returns an error on retrieval or parse failures.
-func IsHydrated(gitClient git.Client, drySha, commitSha string) (bool, error) {
-	note, err := gitClient.GetCommitNote(commitSha, NoteNamespace)
-	if err != nil {
-		// note not found is a valid and acceptable outcome in this context so returning false and nil to let the hydration continue
-		unwrappedError := errors.Unwrap(err)
-		if unwrappedError != nil && errors.Is(unwrappedError, git.ErrNoNoteFound) {
-			return false, nil
-		}
-		return false, err
-	}
-	var commitNote CommitNote
-	err = json.Unmarshal([]byte(note), &commitNote)
-	if err != nil {
-		return false, fmt.Errorf("json unmarshal failed %w", err)
-	}
-	return commitNote.DrySHA == drySha, nil
-}
-
-// AddNote attaches a commit note containing the specified dry SHA (`drySha`) to the given commit (`commitSha`)
-// in the configured note namespace. The note is marshaled as JSON and pushed to the remote repository using
-// the provided gitClient. Returns an error if marshalling or note addition fails.
-func AddNote(gitClient git.Client, drySha, commitSha string) error {
-	note := CommitNote{DrySHA: drySha}
-	jsonBytes, err := json.Marshal(note)
-	if err != nil {
-		return fmt.Errorf("failed to marshal commit note: %w", err)
-	}
-	err = gitClient.AddAndPushNote(commitSha, NoteNamespace, string(jsonBytes))
-	if err != nil {
-		return fmt.Errorf("failed to add commit note: %w", err)
-	}
+
 	return nil
 }
--- a/commitserver/commit/hydratorhelper_test.go
+++ b/commitserver/commit/hydratorhelper_test.go
@@ -5,7 +5,6 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@@ -16,14 +15,11 @@ import (
 	"time"

 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/argoproj/argo-cd/v3/commitserver/apiclient"
 	appsv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v3/util/git"
-	gitmocks "github.com/argoproj/argo-cd/v3/util/git/mocks"
 	"github.com/argoproj/argo-cd/v3/util/hydrator"
 )

@@ -98,12 +94,9 @@ Argocd-reference-commit-sha: abc123
 			},
 		},
 	}
-	mockGitClient := gitmocks.NewClient(t)
-	mockGitClient.On("HasFileChanged", mock.Anything).Return(true, nil).Times(len(paths))

-	shouldCommit, err := WriteForPaths(root, repoURL, drySha, metadata, paths, mockGitClient)
+	err := WriteForPaths(root, repoURL, drySha, metadata, paths)
 	require.NoError(t, err)
-	require.True(t, shouldCommit)

 	// Check if the top-level hydrator.metadata exists and contains the repo URL and dry SHA
 	topMetadataPath := filepath.Join(root.Name(), "hydrator.metadata")
@@ -151,117 +144,6 @@ Argocd-reference-commit-sha: abc123
 	}
 }

-func TestWriteForPaths_WithOneManifestMatchesExisting(t *testing.T) {
-	root := tempRoot(t)
-
-	repoURL := "https://github.com/example/repo"
-	drySha := "abc123"
-	paths := []*apiclient.PathDetails{
-		{
-			Path: "path1",
-			Manifests: []*apiclient.HydratedManifestDetails{
-				{ManifestJSON: `{"kind":"Pod","apiVersion":"v1"}`},
-			},
-			Commands: []string{"command1", "command2"},
-		},
-		{
-			Path: "path2",
-			Manifests: []*apiclient.HydratedManifestDetails{
-				{ManifestJSON: `{"kind":"Service","apiVersion":"v1"}`},
-			},
-			Commands: []string{"command3"},
-		},
-		{
-			Path: "path3/nested",
-			Manifests: []*apiclient.HydratedManifestDetails{
-				{ManifestJSON: `{"kind":"Deployment","apiVersion":"apps/v1"}`},
-			},
-			Commands: []string{"command4"},
-		},
-	}
-
-	now := metav1.NewTime(time.Now())
-	metadata := &appsv1.RevisionMetadata{
-		Author: "test-author",
-		Date:   &now,
-		Message: `test-message
-
-Signed-off-by: Test User <test@example.com>
-Argocd-reference-commit-sha: abc123
-`,
-		References: []appsv1.RevisionReference{
-			{
-				Commit: &appsv1.CommitMetadata{
-					Author:  "test-code-author <test-email-author@example.com>",
-					Date:    now.Format(time.RFC3339),
-					Subject: "test-code-subject",
-					SHA:     "test-code-sha",
-					RepoURL: "https://example.com/test/repo.git",
-				},
-			},
-		},
-	}
-	mockGitClient := gitmocks.NewClient(t)
-	mockGitClient.On("HasFileChanged", "path1/manifest.yaml").Return(true, nil).Once()
-	mockGitClient.On("HasFileChanged", "path2/manifest.yaml").Return(true, nil).Once()
-	mockGitClient.On("HasFileChanged", "path3/nested/manifest.yaml").Return(false, nil).Once()
-
-	shouldCommit, err := WriteForPaths(root, repoURL, drySha, metadata, paths, mockGitClient)
-	require.NoError(t, err)
-	require.True(t, shouldCommit)
-
-	// Check if the top-level hydrator.metadata exists and contains the repo URL and dry SHA
-	topMetadataPath := filepath.Join(root.Name(), "hydrator.metadata")
-	topMetadataBytes, err := os.ReadFile(topMetadataPath)
-	require.NoError(t, err)
-
-	var topMetadata hydratorMetadataFile
-	err = json.Unmarshal(topMetadataBytes, &topMetadata)
-	require.NoError(t, err)
-	assert.Equal(t, repoURL, topMetadata.RepoURL)
-	assert.Equal(t, drySha, topMetadata.DrySHA)
-	assert.Equal(t, metadata.Author, topMetadata.Author)
-	assert.Equal(t, "test-message", topMetadata.Subject)
-	// The body should exclude the Argocd- trailers.
-	assert.Equal(t, "Signed-off-by: Test User <test@example.com>\n", topMetadata.Body)
-	assert.Equal(t, metadata.Date.Format(time.RFC3339), topMetadata.Date)
-	assert.Equal(t, metadata.References, topMetadata.References)
-
-	for _, p := range paths {
-		fullHydratePath := filepath.Join(root.Name(), p.Path)
-		if p.Path == "path3/nested" {
-			assert.DirExists(t, fullHydratePath)
-			manifestPath := path.Join(fullHydratePath, "manifest.yaml")
-			_, err := os.ReadFile(manifestPath)
-			require.NoError(t, err)
-			continue
-		}
-		// Check if each path directory exists
-		assert.DirExists(t, fullHydratePath)
-
-		// Check if each path contains a hydrator.metadata file and contains the repo URL
-		metadataPath := path.Join(fullHydratePath, "hydrator.metadata")
-		metadataBytes, err := os.ReadFile(metadataPath)
-		require.NoError(t, err)
-
-		var readMetadata hydratorMetadataFile
-		err = json.Unmarshal(metadataBytes, &readMetadata)
-		require.NoError(t, err)
-		assert.Equal(t, repoURL, readMetadata.RepoURL)
-		// Check if each path contains a README.md file and contains the repo URL
-		readmePath := path.Join(fullHydratePath, "README.md")
-		readmeBytes, err := os.ReadFile(readmePath)
-		require.NoError(t, err)
-		assert.Contains(t, string(readmeBytes), repoURL)
-
-		// Check if each path contains a manifest.yaml file and contains the word kind
-		manifestPath := path.Join(fullHydratePath, "manifest.yaml")
-		manifestBytes, err := os.ReadFile(manifestPath)
-		require.NoError(t, err)
-		assert.Contains(t, string(manifestBytes), "kind")
-	}
-}
-
 func TestWriteMetadata(t *testing.T) {
 	root := tempRoot(t)

@@ -425,115 +307,3 @@ func TestWriteGitAttributes_MatchesAllDepths(t *testing.T) {
 		})
 	}
 }
-
-func TestIsHydrated(t *testing.T) {
-	mockGitClient := gitmocks.NewClient(t)
-	drySha := "abc123"
-	commitSha := "fff456"
-	commitShaNoNoteFoundErr := "abc456"
-	commitShaErr := "abc999"
-	strnote := "{\"drySha\":\"abc123\"}"
-	mockGitClient.On("GetCommitNote", commitSha, mock.Anything).Return(strnote, nil).Once()
-	mockGitClient.On("GetCommitNote", commitShaNoNoteFoundErr, mock.Anything).Return("", fmt.Errorf("wrapped error %w", git.ErrNoNoteFound)).Once()
-	// an existing note
-	isHydrated, err := IsHydrated(mockGitClient, drySha, commitSha)
-	require.NoError(t, err)
-	assert.True(t, isHydrated)
-
-	// no note found treated as success.. no error returned
-	isHydrated, err = IsHydrated(mockGitClient, drySha, commitShaNoNoteFoundErr)
-	require.NoError(t, err)
-	assert.False(t, isHydrated)
-
-	// Test that non-ErrNoNoteFound errors are propagated: when GetCommitNote fails with
-	// an error other than "no note found", IsHydrated should return that error to the caller
-	err = errors.New("some other error")
-	mockGitClient.On("GetCommitNote", commitShaErr, mock.Anything).Return("", fmt.Errorf("wrapped error %w", err)).Once()
-	isHydrated, err = IsHydrated(mockGitClient, drySha, commitShaErr)
-	require.Error(t, err)
-	assert.False(t, isHydrated)
-}
-
-func TestAddNote(t *testing.T) {
-	mockGitClient := gitmocks.NewClient(t)
-	drySha := "abc123"
-	commitSha := "fff456"
-	commitShaErr := "abc456"
-	err := errors.New("test error")
-	mockGitClient.On("AddAndPushNote", commitSha, mock.Anything, mock.Anything).Return(nil).Once()
-	mockGitClient.On("AddAndPushNote", commitShaErr, mock.Anything, mock.Anything).Return(err).Once()
-
-	// success
-	err = AddNote(mockGitClient, drySha, commitSha)
-	require.NoError(t, err)
-
-	// failure
-	err = AddNote(mockGitClient, drySha, commitShaErr)
-	require.Error(t, err)
-}
-
-// TestWriteForPaths_NoOpScenario tests that when manifests don't change between two hydrations,
-// shouldCommit returns false. This reproduces the bug where a new DRY commit that doesn't affect
-// manifests should not create a new hydrated commit.
-func TestWriteForPaths_NoOpScenario(t *testing.T) {
-	root := tempRoot(t)
-
-	repoURL := "https://github.com/example/repo"
-	drySha1 := "abc123"
-	drySha2 := "def456" // Different dry SHA
-	paths := []*apiclient.PathDetails{
-		{
-			Path: "guestbook",
-			Manifests: []*apiclient.HydratedManifestDetails{
-				{ManifestJSON: `{"apiVersion":"v1","kind":"Service","metadata":{"name":"guestbook-ui"}}`},
-				{ManifestJSON: `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"guestbook-ui"}}`},
-			},
-			Commands: []string{"kustomize build ."},
-		},
-	}
-
-	now1 := metav1.NewTime(time.Now())
-	metadata1 := &appsv1.RevisionMetadata{
-		Author:  "test-author",
-		Date:    &now1,
-		Message: "Initial commit",
-	}
-
-	// First hydration - manifests are new, so HasFileChanged should return true
-	mockGitClient1 := gitmocks.NewClient(t)
-	mockGitClient1.On("HasFileChanged", "guestbook/manifest.yaml").Return(true, nil).Once()
-
-	shouldCommit1, err := WriteForPaths(root, repoURL, drySha1, metadata1, paths, mockGitClient1)
-	require.NoError(t, err)
-	require.True(t, shouldCommit1, "First hydration should commit because manifests are new")
-
-	// Second hydration - same manifest content but different dry SHA and metadata
-	// Simulate adding a README.md to the dry source (which doesn't affect manifests)
-	now2 := metav1.NewTime(time.Now().Add(1 * time.Hour)) // Different timestamp
-	metadata2 := &appsv1.RevisionMetadata{
-		Author:  "test-author",
-		Date:    &now2,
-		Message: "Add README.md", // Different commit message
-	}
-
-	// The manifests are identical, so HasFileChanged should return false
-	mockGitClient2 := gitmocks.NewClient(t)
-	mockGitClient2.On("HasFileChanged", "guestbook/manifest.yaml").Return(false, nil).Once()
-
-	shouldCommit2, err := WriteForPaths(root, repoURL, drySha2, metadata2, paths, mockGitClient2)
-	require.NoError(t, err)
-	require.False(t, shouldCommit2, "Second hydration should NOT commit because manifests didn't change")
-
-	// Verify that the root-level metadata WAS updated (even though we're not committing)
-	// The files get written to the working directory, but since shouldCommit is false, they won't be committed
-	topMetadataPath := filepath.Join(root.Name(), "hydrator.metadata")
-	topMetadataBytes, err := os.ReadFile(topMetadataPath)
-	require.NoError(t, err)
-
-	var topMetadata hydratorMetadataFile
-	err = json.Unmarshal(topMetadataBytes, &topMetadata)
-	require.NoError(t, err)
-	// The top-level metadata should have the NEW dry SHA (files are written, just not committed)
-	assert.Equal(t, drySha2, topMetadata.DrySHA)
-	assert.Equal(t, metadata2.Date.Format(time.RFC3339), topMetadata.Date)
-}
--- a/common/common.go
+++ b/common/common.go
@@ -225,15 +225,10 @@ const (
 	// Ex: "http://grafana.example.com/d/yu5UH4MMz/deployments"
 	// Ex: "Go to Dashboard|http://grafana.example.com/d/yu5UH4MMz/deployments"
 	AnnotationKeyLinkPrefix = "link.argocd.argoproj.io/"
-	// AnnotationKeyIgnoreDefaultLinks tells the Application to not add autogenerated links from this object into its externalURLs
-	// This applies to ingress objects and takes effect if set to "true"
-	// This only disables the default behavior of generating links based on the ingress spec, and does not disable AnnotationKeyLinkPrefix
-	AnnotationKeyIgnoreDefaultLinks = "argocd.argoproj.io/ignore-default-links"

 	// AnnotationKeyAppSkipReconcile tells the Application to skip the Application controller reconcile.
 	// Skip reconcile when the value is "true" or any other string values that can be strconv.ParseBool() to be true.
 	AnnotationKeyAppSkipReconcile = "argocd.argoproj.io/skip-reconcile"
-
 	// LabelKeyComponentRepoServer is the label key to identify the component as repo-server
 	LabelKeyComponentRepoServer = "app.kubernetes.io/component"
 	// LabelValueComponentRepoServer is the label value for the repo-server component
--- a/controller/appcontroller.go
+++ b/controller/appcontroller.go
@@ -39,7 +39,6 @@ import (
 	"k8s.io/client-go/informers"
 	informerv1 "k8s.io/client-go/informers/apps/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/utils/ptr"
@@ -128,6 +127,7 @@ type ApplicationController struct {
 	statusRefreshJitter           time.Duration
 	selfHealTimeout               time.Duration
 	selfHealBackoff               *wait.Backoff
+	selfHealBackoffCooldown       time.Duration
 	syncTimeout                   time.Duration
 	db                            db.ArgoDB
 	settingsMgr                   *settings_util.SettingsManager
@@ -163,6 +163,7 @@ func NewApplicationController(
 	appResyncJitter time.Duration,
 	selfHealTimeout time.Duration,
 	selfHealBackoff *wait.Backoff,
+	selfHealBackoffCooldown time.Duration,
 	syncTimeout time.Duration,
 	repoErrorGracePeriod time.Duration,
 	metricsPort int,
@@ -209,6 +210,7 @@ func NewApplicationController(
 		settingsMgr:                       settingsMgr,
 		selfHealTimeout:                   selfHealTimeout,
 		selfHealBackoff:                   selfHealBackoff,
+		selfHealBackoffCooldown:           selfHealBackoffCooldown,
 		syncTimeout:                       syncTimeout,
 		clusterSharding:                   clusterSharding,
 		projByNameCache:                   sync.Map{},
@@ -464,7 +466,7 @@ func (ctrl *ApplicationController) handleObjectUpdated(managedByApp map[string]b
 		// Enforce application's permission for the source namespace
 		_, err = ctrl.getAppProj(app)
 		if err != nil {
-			logCtx.WithError(err).Errorf("Unable to determine project for app")
+			logCtx.Errorf("Unable to determine project for app '%s': %v", app.QualifiedName(), err)
 			continue
 		}

@@ -609,10 +611,8 @@ func (ctrl *ApplicationController) getResourceTree(destCluster *appv1.Cluster, a
 			managedResourcesKeys = append(managedResourcesKeys, kube.GetResourceKey(live))
 		}
 	}
-	// Process managed resources and their children, including cross-namespace relationships
-	// from cluster-scoped parents (e.g., Crossplane CompositeResourceDefinitions)
 	err = ctrl.stateCache.IterateHierarchyV2(destCluster, managedResourcesKeys, func(child appv1.ResourceNode, _ string) bool {
-		permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.Group, Kind: child.Kind}, child.Name, child.Namespace, destCluster, func(project string) ([]*appv1.Cluster, error) {
+		permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.Group, Kind: child.Kind}, child.Namespace, destCluster, func(project string) ([]*appv1.Cluster, error) {
 			clusters, err := ctrl.db.GetProjectClusters(context.TODO(), project)
 			if err != nil {
 				return nil, fmt.Errorf("failed to get project clusters: %w", err)
@@ -632,11 +632,10 @@ func (ctrl *ApplicationController) getResourceTree(destCluster *appv1.Cluster, a
 	orphanedNodes := make([]appv1.ResourceNode, 0)
 	orphanedNodesKeys := make([]kube.ResourceKey, 0)
 	for k := range orphanedNodesMap {
-		if k.Namespace != "" && proj.IsGroupKindNamePermitted(k.GroupKind(), k.Name, true) && !isKnownOrphanedResourceExclusion(k, proj) {
+		if k.Namespace != "" && proj.IsGroupKindPermitted(k.GroupKind(), true) && !isKnownOrphanedResourceExclusion(k, proj) {
 			orphanedNodesKeys = append(orphanedNodesKeys, k)
 		}
 	}
-	// Process orphaned resources
 	err = ctrl.stateCache.IterateHierarchyV2(destCluster, orphanedNodesKeys, func(child appv1.ResourceNode, appName string) bool {
 		belongToAnotherApp := false
 		if appName != "" {
@@ -650,7 +649,7 @@ func (ctrl *ApplicationController) getResourceTree(destCluster *appv1.Cluster, a
 			return false
 		}

-		permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.Group, Kind: child.Kind}, child.Name, child.Namespace, destCluster, func(project string) ([]*appv1.Cluster, error) {
+		permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.Group, Kind: child.Kind}, child.Namespace, destCluster, func(project string) ([]*appv1.Cluster, error) {
 			return ctrl.db.GetProjectClusters(context.TODO(), project)
 		})

@@ -903,12 +902,12 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int

 	clusters, err := ctrl.db.ListClusters(ctx)
 	if err != nil {
-		log.WithError(err).Warn("Cannot init sharding. Error while querying clusters list from database")
+		log.Warnf("Cannot init sharding. Error while querying clusters list from database: %v", err)
 	} else {
 		appItems, err := ctrl.getAppList(metav1.ListOptions{})

 		if err != nil {
-			log.WithError(err).Warn("Cannot init sharding. Error while querying application list from database")
+			log.Warnf("Cannot init sharding. Error while querying application list from database: %v", err)
 		} else {
 			ctrl.clusterSharding.Init(clusters, appItems)
 		}
@@ -1001,29 +1000,29 @@ func (ctrl *ApplicationController) processAppOperationQueueItem() (processNext b
 	appKey, shutdown := ctrl.appOperationQueue.Get()
 	if shutdown {
 		processNext = false
-		return processNext
+		return
 	}
 	processNext = true
 	defer func() {
 		if r := recover(); r != nil {
-			log.WithField("appkey", appKey).Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
 		}
 		ctrl.appOperationQueue.Done(appKey)
 	}()

 	obj, exists, err := ctrl.appInformer.GetIndexer().GetByKey(appKey)
 	if err != nil {
-		log.WithField("appkey", appKey).WithError(err).Error("Failed to get application from informer index")
-		return processNext
+		log.Errorf("Failed to get application '%s' from informer index: %+v", appKey, err)
+		return
 	}
 	if !exists {
 		// This happens after app was deleted, but the work queue still had an entry for it.
-		return processNext
+		return
 	}
 	origApp, ok := obj.(*appv1.Application)
 	if !ok {
-		log.WithField("appkey", appKey).Warn("Key in index is not an application")
-		return processNext
+		log.Warnf("Key '%s' in index is not an application", appKey)
+		return
 	}
 	app := origApp.DeepCopy()
 	logCtx := log.WithFields(applog.GetAppLogFields(app))
@@ -1042,8 +1041,8 @@ func (ctrl *ApplicationController) processAppOperationQueueItem() (processNext b
 		// We cannot rely on informer since applications might be updated by both application controller and api server.
 		freshApp, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.ObjectMeta.Namespace).Get(context.Background(), app.Name, metav1.GetOptions{})
 		if err != nil {
-			logCtx.WithError(err).Error("Failed to retrieve latest application state")
-			return processNext
+			logCtx.Errorf("Failed to retrieve latest application state: %v", err)
+			return
 		}
 		app = freshApp
 	}
@@ -1062,13 +1061,10 @@ func (ctrl *ApplicationController) processAppOperationQueueItem() (processNext b
 			})
 			message := fmt.Sprintf("Unable to delete application resources: %v", err.Error())
 			ctrl.logAppEvent(context.TODO(), app, argo.EventInfo{Reason: argo.EventReasonStatusRefreshed, Type: corev1.EventTypeWarning}, message)
-		} else {
-			// Clear DeletionError condition if deletion is progressing successfully
-			app.Status.SetConditions([]appv1.ApplicationCondition{}, map[appv1.ApplicationConditionType]bool{appv1.ApplicationConditionDeletionError: true})
 		}
 		ts.AddCheckpoint("finalize_application_deletion_ms")
 	}
-	return processNext
+	return
 }

 func (ctrl *ApplicationController) processAppComparisonTypeQueueItem() (processNext bool) {
@@ -1077,26 +1073,26 @@ func (ctrl *ApplicationController) processAppComparisonTypeQueueItem() (processN

 	defer func() {
 		if r := recover(); r != nil {
-			log.WithField("appkey", key).Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
 		}
 		ctrl.appComparisonTypeRefreshQueue.Done(key)
 	}()
 	if shutdown {
 		processNext = false
-		return processNext
+		return
 	}

 	if parts := strings.Split(key, "/"); len(parts) != 3 {
-		log.WithField("appkey", key).Warn("Unexpected key format in appComparisonTypeRefreshTypeQueue. Key should consist of namespace/name/comparisonType")
+		log.Warnf("Unexpected key format in appComparisonTypeRefreshTypeQueue. Key should consists of namespace/name/comparisonType but got: %s", key)
 	} else {
 		compareWith, err := strconv.Atoi(parts[2])
 		if err != nil {
-			log.WithField("appkey", key).WithError(err).Warn("Unable to parse comparison type")
-			return processNext
+			log.Warnf("Unable to parse comparison type: %v", err)
+			return
 		}
 		ctrl.requestAppRefresh(ctrl.toAppQualifiedName(parts[1], parts[0]), CompareWith(compareWith).Pointer(), nil)
 	}
-	return processNext
+	return
 }

 func (ctrl *ApplicationController) processProjectQueueItem() (processNext bool) {
@@ -1105,45 +1101,45 @@ func (ctrl *ApplicationController) processProjectQueueItem() (processNext bool)

 	defer func() {
 		if r := recover(); r != nil {
-			log.WithField("key", key).Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
 		}
 		ctrl.projectRefreshQueue.Done(key)
 	}()
 	if shutdown {
 		processNext = false
-		return processNext
+		return
 	}
 	obj, exists, err := ctrl.projInformer.GetIndexer().GetByKey(key)
 	if err != nil {
-		log.WithField("key", key).WithError(err).Error("Failed to get project from informer index")
-		return processNext
+		log.Errorf("Failed to get project '%s' from informer index: %+v", key, err)
+		return
 	}
 	if !exists {
 		// This happens after appproj was deleted, but the work queue still had an entry for it.
-		return processNext
+		return
 	}
 	origProj, ok := obj.(*appv1.AppProject)
 	if !ok {
-		log.WithField("key", key).Warnf("Key in index is not an appproject")
-		return processNext
+		log.Warnf("Key '%s' in index is not an appproject", key)
+		return
 	}

 	if origProj.DeletionTimestamp != nil && origProj.HasFinalizer() {
 		if err := ctrl.finalizeProjectDeletion(origProj.DeepCopy()); err != nil {
-			log.WithError(err).Warn("Failed to finalize project deletion")
+			log.Warnf("Failed to finalize project deletion: %v", err)
 		}
 	}
-	return processNext
+	return
 }

 func (ctrl *ApplicationController) finalizeProjectDeletion(proj *appv1.AppProject) error {
-	apps, err := ctrl.appLister.List(labels.Everything())
+	apps, err := ctrl.appLister.Applications(ctrl.namespace).List(labels.Everything())
 	if err != nil {
 		return fmt.Errorf("error listing applications: %w", err)
 	}
 	appsCount := 0
 	for i := range apps {
-		if apps[i].Spec.GetProject() == proj.Name && ctrl.isAppNamespaceAllowed(apps[i]) && proj.IsAppNamespacePermitted(apps[i], ctrl.namespace) {
+		if apps[i].Spec.GetProject() == proj.Name {
 			appsCount++
 		}
 	}
@@ -1198,7 +1194,7 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace).Get(context.Background(), app.Name, metav1.GetOptions{})
 	if err != nil {
 		if !apierrors.IsNotFound(err) {
-			logCtx.WithError(err).Error("Unable to get refreshed application info prior deleting resources")
+			logCtx.Errorf("Unable to get refreshed application info prior deleting resources: %v", err)
 		}
 		return nil
 	}
@@ -1206,56 +1202,26 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 	if err != nil {
 		return err
 	}
-
-	// Get destination cluster
 	destCluster, err := argo.GetDestinationCluster(context.Background(), app.Spec.Destination, ctrl.db)
 	if err != nil {
-		logCtx.WithError(err).Warn("Unable to get destination cluster")
+		logCtx.Warnf("Unable to get destination cluster: %v", err)
 		app.UnSetCascadedDeletion()
 		app.UnSetPostDeleteFinalizerAll()
-		app.UnSetPreDeleteFinalizerAll()
 		if err := ctrl.updateFinalizers(app); err != nil {
 			return err
 		}
 		logCtx.Infof("Resource entries removed from undefined cluster")
 		return nil
 	}
-
 	clusterRESTConfig, err := destCluster.RESTConfig()
 	if err != nil {
 		return err
 	}
 	config := metrics.AddMetricsTransportWrapper(ctrl.metricsServer, app, clusterRESTConfig)

-	// Apply impersonation config if necessary
-	if err := ctrl.applyImpersonationConfig(config, proj, app, destCluster); err != nil {
-		return fmt.Errorf("cannot apply impersonation: %w", err)
-	}
-
-	// Handle PreDelete hooks - run them before any deletion occurs
-	if app.HasPreDeleteFinalizer() {
-		objsMap, err := ctrl.getPermittedAppLiveObjects(destCluster, app, proj, projectClusters)
-		if err != nil {
-			return fmt.Errorf("error getting permitted app live objects: %w", err)
-		}
-
-		done, err := ctrl.executePreDeleteHooks(app, proj, objsMap, config, logCtx)
-		if err != nil {
-			return fmt.Errorf("error executing pre-delete hooks: %w", err)
-		}
-		if !done {
-			// PreDelete hooks are still running - wait for them to complete
-			return nil
-		}
-		// PreDelete hooks are done - remove the finalizer so we can continue with deletion
-		app.UnSetPreDeleteFinalizer()
-		if err := ctrl.updateFinalizers(app); err != nil {
-			return fmt.Errorf("error updating pre-delete finalizers: %w", err)
-		}
-	}
-
 	if app.CascadedDeletion() {
 		deletionApproved := app.IsDeletionConfirmed(app.DeletionTimestamp.Time)
+
 		logCtx.Infof("Deleting resources")
 		// ApplicationDestination points to a valid cluster, so we may clean up the live objects
 		objs := make([]*unstructured.Unstructured, 0)
@@ -1332,23 +1298,6 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 		return ctrl.updateFinalizers(app)
 	}

-	if app.HasPreDeleteFinalizer("cleanup") {
-		objsMap, err := ctrl.getPermittedAppLiveObjects(destCluster, app, proj, projectClusters)
-		if err != nil {
-			return fmt.Errorf("error getting permitted app live objects for pre-delete cleanup: %w", err)
-		}
-
-		done, err := ctrl.cleanupPreDeleteHooks(objsMap, config, logCtx)
-		if err != nil {
-			return fmt.Errorf("error cleaning up pre-delete hooks: %w", err)
-		}
-		if !done {
-			return nil
-		}
-		app.UnSetPreDeleteFinalizer("cleanup")
-		return ctrl.updateFinalizers(app)
-	}
-
 	if app.HasPostDeleteFinalizer("cleanup") {
 		objsMap, err := ctrl.getPermittedAppLiveObjects(destCluster, app, proj, projectClusters)
 		if err != nil {
@@ -1366,7 +1315,7 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 		return ctrl.updateFinalizers(app)
 	}

-	if !app.CascadedDeletion() && !app.HasPostDeleteFinalizer() && !app.HasPreDeleteFinalizer() {
+	if !app.CascadedDeletion() && !app.HasPostDeleteFinalizer() {
 		if err := ctrl.cache.SetAppManagedResources(app.Name, nil); err != nil {
 			return err
 		}
@@ -1418,7 +1367,7 @@ func (ctrl *ApplicationController) setAppCondition(app *appv1.Application, condi
 		_, err = ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace).Patch(context.Background(), app.Name, types.MergePatchType, patch, metav1.PatchOptions{})
 	}
 	if err != nil {
-		logCtx.WithError(err).Error("Unable to set application condition")
+		logCtx.Errorf("Unable to set application condition: %v", err)
 	}
 }

@@ -1559,20 +1508,10 @@ func (ctrl *ApplicationController) processRequestedAppOperation(app *appv1.Appli
 		// if we just completed an operation, force a refresh so that UI will report up-to-date
 		// sync/health information
 		if _, err := cache.MetaNamespaceKeyFunc(app); err == nil {
-			var compareWith CompareWith
-			if state.Operation.InitiatedBy.Automated {
-				// Do not force revision resolution on automated operations because
-				// this would cause excessive Ls-Remote requests on monorepo commits
-				compareWith = CompareWithLatest
-			} else {
-				// Force app refresh with using most recent resolved revision after sync,
-				// so UI won't show a just synced application being out of sync if it was
-				// synced after commit but before app. refresh (see #18153)
-				compareWith = CompareWithLatestForceResolve
-			}
-			ctrl.requestAppRefresh(app.QualifiedName(), compareWith.Pointer(), nil)
+			// force app refresh with using CompareWithLatest comparison type and trigger app reconciliation loop
+			ctrl.requestAppRefresh(app.QualifiedName(), CompareWithLatestForceResolve.Pointer(), nil)
 		} else {
-			logCtx.WithError(err).Warn("Fails to requeue application")
+			logCtx.Warnf("Fails to requeue application: %v", err)
 		}
 	}
 	ts.AddCheckpoint("request_app_refresh_ms")
@@ -1604,13 +1543,13 @@ func (ctrl *ApplicationController) setOperationState(app *appv1.Application, sta
 	}
 	patchJSON, err := json.Marshal(patch)
 	if err != nil {
-		logCtx.WithError(err).Error("error marshaling json")
+		logCtx.Errorf("error marshaling json: %v", err)
 		return
 	}
 	if app.Status.OperationState != nil && app.Status.OperationState.FinishedAt != nil && state.FinishedAt == nil {
 		patchJSON, err = jsonpatch.MergeMergePatches(patchJSON, []byte(`{"status": {"operationState": {"finishedAt": null}}}`))
 		if err != nil {
-			logCtx.WithError(err).Error("error merging operation state patch")
+			logCtx.Errorf("error merging operation state patch: %v", err)
 			return
 		}
 	}
@@ -1624,7 +1563,7 @@ func (ctrl *ApplicationController) setOperationState(app *appv1.Application, sta
 			}
 			// kube.RetryUntilSucceed logs failed attempts at "debug" level, but we want to know if this fails. Log a
 			// warning.
-			logCtx.WithError(err).Warn("error patching application with operation state")
+			logCtx.Warnf("error patching application with operation state: %v", err)
 			return fmt.Errorf("error patching application with operation state: %w", err)
 		}
 		return nil
@@ -1653,7 +1592,7 @@ func (ctrl *ApplicationController) setOperationState(app *appv1.Application, sta

 		destCluster, err := argo.GetDestinationCluster(context.Background(), app.Spec.Destination, ctrl.db)
 		if err != nil {
-			logCtx.WithError(err).Warn("Unable to get destination cluster, setting dest_server label to empty string in sync metric")
+			logCtx.Warnf("Unable to get destination cluster, setting dest_server label to empty string in sync metric: %v", err)
 		}
 		destServer := ""
 		if destCluster != nil {
@@ -1670,7 +1609,7 @@ func (ctrl *ApplicationController) writeBackToInformer(app *appv1.Application) {
 	logCtx := log.WithFields(applog.GetAppLogFields(app)).WithField("informer-writeBack", true)
 	err := ctrl.appInformer.GetStore().Update(app)
 	if err != nil {
-		logCtx.WithError(err).Error("failed to update informer store")
+		logCtx.Errorf("failed to update informer store: %v", err)
 		return
 	}
 }
@@ -1691,12 +1630,12 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	appKey, shutdown := ctrl.appRefreshQueue.Get()
 	if shutdown {
 		processNext = false
-		return processNext
+		return
 	}
 	processNext = true
 	defer func() {
 		if r := recover(); r != nil {
-			log.WithField("appkey", appKey).Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
 		}
 		// We want to have app operation update happen after the sync, so there's no race condition
 		// and app updates not proceeding. See https://github.com/argoproj/argo-cd/issues/18500.
@@ -1705,23 +1644,23 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	}()
 	obj, exists, err := ctrl.appInformer.GetIndexer().GetByKey(appKey)
 	if err != nil {
-		log.WithField("appkey", appKey).WithError(err).Error("Failed to get application from informer index")
-		return processNext
+		log.Errorf("Failed to get application '%s' from informer index: %+v", appKey, err)
+		return
 	}
 	if !exists {
 		// This happens after app was deleted, but the work queue still had an entry for it.
-		return processNext
+		return
 	}
 	origApp, ok := obj.(*appv1.Application)
 	if !ok {
-		log.WithField("appkey", appKey).Warn("Key in index is not an application")
-		return processNext
+		log.Warnf("Key '%s' in index is not an application", appKey)
+		return
 	}
 	origApp = origApp.DeepCopy()
 	needRefresh, refreshType, comparisonLevel := ctrl.needRefreshAppStatus(origApp, ctrl.statusRefreshTimeout, ctrl.statusHardRefreshTimeout)

 	if !needRefresh {
-		return processNext
+		return
 	}
 	app := origApp.DeepCopy()
 	logCtx := log.WithFields(applog.GetAppLogFields(app)).WithFields(log.Fields{
@@ -1763,13 +1702,13 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 				if tree, err = ctrl.getResourceTree(destCluster, app, managedResources); err == nil {
 					app.Status.Summary = tree.GetSummary(app)
 					if err := ctrl.cache.SetAppResourcesTree(app.InstanceName(ctrl.namespace), tree); err != nil {
-						logCtx.WithError(err).Error("Failed to cache resources tree")
-						return processNext
+						logCtx.Errorf("Failed to cache resources tree: %v", err)
+						return
 					}
 				}

 				patchDuration = ctrl.persistAppStatus(origApp, &app.Status)
-				return processNext
+				return
 			}
 			logCtx.Warnf("Failed to get cached managed resources for tree reconciliation, fall back to full reconciliation")
 		}
@@ -1785,20 +1724,20 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		patchDuration = ctrl.persistAppStatus(origApp, &app.Status)

 		if err := ctrl.cache.SetAppResourcesTree(app.InstanceName(ctrl.namespace), &appv1.ApplicationTree{}); err != nil {
-			logCtx.WithError(err).Warn("failed to set app resource tree")
+			logCtx.Warnf("failed to set app resource tree: %v", err)
 		}
 		if err := ctrl.cache.SetAppManagedResources(app.InstanceName(ctrl.namespace), nil); err != nil {
-			logCtx.WithError(err).Warn("failed to set app managed resources tree")
+			logCtx.Warnf("failed to set app managed resources tree: %v", err)
 		}
 		ts.AddCheckpoint("process_refresh_app_conditions_errors_ms")
-		return processNext
+		return
 	}

 	destCluster, err = argo.GetDestinationCluster(context.Background(), app.Spec.Destination, ctrl.db)
 	if err != nil {
-		logCtx.WithError(err).Error("Failed to get destination cluster")
+		logCtx.Errorf("Failed to get destination cluster: %v", err)
 		// exit the reconciliation. ctrl.refreshAppConditions should have caught the error
-		return processNext
+		return
 	}

 	var localManifests []string
@@ -1838,8 +1777,8 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	ts.AddCheckpoint("compare_app_state_ms")

 	if stderrors.Is(err, ErrCompareStateRepo) {
-		logCtx.WithError(err).Warn("Ignoring temporary failed attempt to compare app state against repo")
-		return processNext // short circuit if git error is encountered
+		logCtx.Warnf("Ignoring temporary failed attempt to compare app state against repo: %v", err)
+		return // short circuit if git error is encountered
 	}

 	for k, v := range compareResult.timings {
@@ -1852,7 +1791,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	tree, err := ctrl.setAppManagedResources(destCluster, app, compareResult)
 	ts.AddCheckpoint("set_app_managed_resources_ms")
 	if err != nil {
-		logCtx.WithError(err).Error("Failed to cache app resources")
+		logCtx.Errorf("Failed to cache app resources: %v", err)
 	} else {
 		app.Status.Summary = tree.GetSummary(app)
 	}
@@ -1890,25 +1829,10 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	app.Status.SourceTypes = compareResult.appSourceTypes
 	app.Status.ControllerNamespace = ctrl.namespace
 	ts.AddCheckpoint("app_status_update_ms")
-	// Update finalizers BEFORE persisting status to avoid race condition where app shows "Synced"
-	// but doesn't have finalizers yet, which would allow deletion without running pre-delete hooks
-	if (compareResult.hasPreDeleteHooks != app.HasPreDeleteFinalizer() ||
-		compareResult.hasPreDeleteHooks != app.HasPreDeleteFinalizer("cleanup")) &&
-		app.GetDeletionTimestamp() == nil {
-		if compareResult.hasPreDeleteHooks {
-			app.SetPreDeleteFinalizer()
-			app.SetPreDeleteFinalizer("cleanup")
-		} else {
-			app.UnSetPreDeleteFinalizer()
-			app.UnSetPreDeleteFinalizer("cleanup")
-		}
-
-		if err := ctrl.updateFinalizers(app); err != nil {
-			logCtx.Errorf("Failed to update pre-delete finalizers: %v", err)
-		}
-	}
-	if (compareResult.hasPostDeleteHooks != app.HasPostDeleteFinalizer() ||
-		compareResult.hasPostDeleteHooks != app.HasPostDeleteFinalizer("cleanup")) &&
+	patchDuration = ctrl.persistAppStatus(origApp, &app.Status)
+	// This is a partly a duplicate of patch_ms, but more descriptive and allows to have measurement for the next step.
+	ts.AddCheckpoint("persist_app_status_ms")
+	if (compareResult.hasPostDeleteHooks != app.HasPostDeleteFinalizer() || compareResult.hasPostDeleteHooks != app.HasPostDeleteFinalizer("cleanup")) &&
 		app.GetDeletionTimestamp() == nil {
 		if compareResult.hasPostDeleteHooks {
 			app.SetPostDeleteFinalizer()
@@ -1919,57 +1843,60 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		}

 		if err := ctrl.updateFinalizers(app); err != nil {
-			logCtx.WithError(err).Error("Failed to update post-delete finalizers")
+			logCtx.Errorf("Failed to update finalizers: %v", err)
 		}
 	}
 	ts.AddCheckpoint("process_finalizers_ms")
-	patchDuration = ctrl.persistAppStatus(origApp, &app.Status)
-	// This is a partly a duplicate of patch_ms, but more descriptive and allows to have measurement for the next step.
-	ts.AddCheckpoint("persist_app_status_ms")
-	return processNext
+	return
 }

 func (ctrl *ApplicationController) processAppHydrateQueueItem() (processNext bool) {
 	appKey, shutdown := ctrl.appHydrateQueue.Get()
 	if shutdown {
 		processNext = false
-		return processNext
+		return
 	}
 	processNext = true
 	defer func() {
 		if r := recover(); r != nil {
-			log.WithField("appkey", appKey).Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
 		}
 		ctrl.appHydrateQueue.Done(appKey)
 	}()
 	obj, exists, err := ctrl.appInformer.GetIndexer().GetByKey(appKey)
 	if err != nil {
-		log.WithField("appkey", appKey).WithError(err).Error("Failed to get application from informer index")
-		return processNext
+		log.Errorf("Failed to get application '%s' from informer index: %+v", appKey, err)
+		return
 	}
 	if !exists {
 		// This happens after app was deleted, but the work queue still had an entry for it.
-		return processNext
+		return
 	}
 	origApp, ok := obj.(*appv1.Application)
 	if !ok {
-		log.WithField("appkey", appKey).Warn("Key in index is not an application")
-		return processNext
+		log.Warnf("Key '%s' in index is not an application", appKey)
+		return
 	}

 	ctrl.hydrator.ProcessAppHydrateQueueItem(origApp.DeepCopy())

 	log.WithFields(applog.GetAppLogFields(origApp)).Debug("Successfully processed app hydrate queue item")
-	return processNext
+	return
 }

 func (ctrl *ApplicationController) processHydrationQueueItem() (processNext bool) {
 	hydrationKey, shutdown := ctrl.hydrationQueue.Get()
 	if shutdown {
 		processNext = false
-		return processNext
+		return
 	}
 	processNext = true
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+		}
+		ctrl.hydrationQueue.Done(hydrationKey)
+	}()

 	logCtx := log.WithFields(log.Fields{
 		"sourceRepoURL":        hydrationKey.SourceRepoURL,
@@ -1977,19 +1904,12 @@ func (ctrl *ApplicationController) processHydrationQueueItem() (processNext bool
 		"destinationBranch":    hydrationKey.DestinationBranch,
 	})

-	defer func() {
-		if r := recover(); r != nil {
-			logCtx.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
-		}
-		ctrl.hydrationQueue.Done(hydrationKey)
-	}()
-
 	logCtx.Debug("Processing hydration queue item")

 	ctrl.hydrator.ProcessHydrationQueueItem(hydrationKey)

 	logCtx.Debug("Successfully processed hydration queue item")
-	return processNext
+	return
 }

 func resourceStatusKey(res appv1.ResourceStatus) string {
@@ -2092,11 +2012,11 @@ func (ctrl *ApplicationController) normalizeApplication(orig, app *appv1.Applica
 	patch, modified, err := diff.CreateTwoWayMergePatch(orig, app, appv1.Application{})

 	if err != nil {
-		logCtx.WithError(err).Error("error constructing app spec patch")
+		logCtx.Errorf("error constructing app spec patch: %v", err)
 	} else if modified {
 		_, err := ctrl.PatchAppWithWriteBack(context.Background(), app.Name, app.Namespace, types.MergePatchType, patch, metav1.PatchOptions{})
 		if err != nil {
-			logCtx.WithError(err).Error("Error persisting normalized application spec")
+			logCtx.Errorf("Error persisting normalized application spec: %v", err)
 		} else {
 			logCtx.Infof("Normalized app spec: %s", string(patch))
 		}
@@ -2151,12 +2071,12 @@ func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, new
 		&appv1.Application{ObjectMeta: metav1.ObjectMeta{Annotations: orig.GetAnnotations()}, Status: orig.Status},
 		&appv1.Application{ObjectMeta: metav1.ObjectMeta{Annotations: newAnnotations}, Status: *newStatus})
 	if err != nil {
-		logCtx.WithError(err).Error("Error constructing app status patch")
-		return patchDuration
+		logCtx.Errorf("Error constructing app status patch: %v", err)
+		return
 	}
 	if !modified {
 		logCtx.Infof("No status changes. Skipping patch")
-		return patchDuration
+		return
 	}
 	// calculate time for path call
 	start := time.Now()
@@ -2165,7 +2085,7 @@ func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, new
 	}()
 	_, err = ctrl.PatchAppWithWriteBack(context.Background(), orig.Name, orig.Namespace, types.MergePatchType, patch, metav1.PatchOptions{})
 	if err != nil {
-		logCtx.WithError(err).Warn("Error updating application")
+		logCtx.Warnf("Error updating application: %v", err)
 	} else {
 		logCtx.Infof("Update successful")
 	}
@@ -2259,8 +2179,12 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 		// Self heal will trigger a new sync operation when the desired state changes and cause the application to
 		// be OutOfSync when it was previously synced Successfully. This means SelfHeal should only ever be attempted
 		// when the revisions have not changed, and where the previous sync to these revision was successful
-		if app.Status.OperationState != nil && app.Status.OperationState.Operation.Sync != nil {
-			op.Sync.SelfHealAttemptsCount = app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount
+
+		// Only carry SelfHealAttemptsCount to be increased when the selfHealBackoffCooldown has not elapsed yet
+		if !ctrl.selfHealBackoffCooldownElapsed(app) {
+			if app.Status.OperationState != nil && app.Status.OperationState.Operation.Sync != nil {
+				op.Sync.SelfHealAttemptsCount = app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount
+			}
 		}

 		if remainingTime := ctrl.selfHealRemainingBackoff(app, int(op.Sync.SelfHealAttemptsCount)); remainingTime > 0 {
@@ -2306,11 +2230,11 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 		if stderrors.Is(err, argo.ErrAnotherOperationInProgress) {
 			// skipping auto-sync because another operation is in progress and was not noticed due to stale data in informer
 			// it is safe to skip auto-sync because it is already running
-			logCtx.WithError(err).Warnf("Failed to initiate auto-sync to %s", desiredRevisions)
+			logCtx.Warnf("Failed to initiate auto-sync to %s: %v", desiredRevisions, err)
 			return nil, 0
 		}

-		logCtx.WithError(err).Errorf("Failed to initiate auto-sync to %s", desiredRevisions)
+		logCtx.Errorf("Failed to initiate auto-sync to %s: %v", desiredRevisions, err)
 		return &appv1.ApplicationCondition{Type: appv1.ApplicationConditionSyncError, Message: err.Error()}, setOpTime
 	}
 	ctrl.writeBackToInformer(updatedApp)
@@ -2396,6 +2320,19 @@ func (ctrl *ApplicationController) selfHealRemainingBackoff(app *appv1.Applicati
 	return retryAfter
 }

+// selfHealBackoffCooldownElapsed returns true when the last successful sync has occurred since longer
+// than then self heal cooldown. This means that the application has been in sync for long enough to
+// reset the self healing backoff to its initial state
+func (ctrl *ApplicationController) selfHealBackoffCooldownElapsed(app *appv1.Application) bool {
+	if app.Status.OperationState == nil || app.Status.OperationState.FinishedAt == nil {
+		// Something is in progress, or about to be. In that case, selfHeal attempt should be zero anyway
+		return true
+	}
+
+	timeSinceLastOperation := time.Since(app.Status.OperationState.FinishedAt.Time)
+	return timeSinceLastOperation >= ctrl.selfHealBackoffCooldown && app.Status.OperationState.Phase.Successful()
+}
+
 // isAppNamespaceAllowed returns whether the application is allowed in the
 // namespace it's residing in.
 func (ctrl *ApplicationController) isAppNamespaceAllowed(app *appv1.Application) bool {
@@ -2423,7 +2360,7 @@ func (ctrl *ApplicationController) canProcessApp(obj any) bool {
 					return false
 				}
 			} else {
-				logCtx.WithError(err).Debugf("Unable to determine if Application should skip reconcile based on annotation %s", common.AnnotationKeyAppSkipReconcile)
+				logCtx.Debugf("Unable to determine if Application should skip reconcile based on annotation %s: %v", common.AnnotationKeyAppSkipReconcile, err)
 			}
 		}
 	}
@@ -2678,22 +2615,4 @@ func (ctrl *ApplicationController) logAppEvent(ctx context.Context, a *appv1.App
 	ctrl.auditLogger.LogAppEvent(a, eventInfo, message, "", eventLabels)
 }

-func (ctrl *ApplicationController) applyImpersonationConfig(config *rest.Config, proj *appv1.AppProject, app *appv1.Application, destCluster *appv1.Cluster) error {
-	impersonationEnabled, err := ctrl.settingsMgr.IsImpersonationEnabled()
-	if err != nil {
-		return fmt.Errorf("error getting impersonation setting: %w", err)
-	}
-	if !impersonationEnabled {
-		return nil
-	}
-	user, err := deriveServiceAccountToImpersonate(proj, app, destCluster)
-	if err != nil {
-		return fmt.Errorf("error deriving service account to impersonate: %w", err)
-	}
-	config.Impersonate = rest.ImpersonationConfig{
-		UserName: user,
-	}
-	return nil
-}
-
 type ClusterFilterFunction func(c *appv1.Cluster, distributionFunction sharding.DistributionFunction) bool
--- a/controller/appcontroller_test.go
+++ b/controller/appcontroller_test.go
--- a/controller/cache/cache.go
+++ b/controller/cache/cache.go
@@ -270,7 +270,7 @@ func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
 	return &cacheSettings{clusterSettings, appInstanceLabelKey, appv1.TrackingMethod(trackingMethod), installationID, resourceUpdatesOverrides, ignoreResourceUpdatesEnabled}, nil
 }

-func asResourceNode(r *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) appv1.ResourceNode {
+func asResourceNode(r *clustercache.Resource) appv1.ResourceNode {
 	gv, err := schema.ParseGroupVersion(r.Ref.APIVersion)
 	if err != nil {
 		gv = schema.GroupVersion{}
@@ -278,30 +278,14 @@ func asResourceNode(r *clustercache.Resource, namespaceResources map[kube.Resour
 	parentRefs := make([]appv1.ResourceRef, len(r.OwnerRefs))
 	for i, ownerRef := range r.OwnerRefs {
 		ownerGvk := schema.FromAPIVersionAndKind(ownerRef.APIVersion, ownerRef.Kind)
-		parentRef := appv1.ResourceRef{
-			Group:   ownerGvk.Group,
-			Kind:    ownerGvk.Kind,
-			Version: ownerGvk.Version,
-			Name:    ownerRef.Name,
-			UID:     string(ownerRef.UID),
+		parentRefs[i] = appv1.ResourceRef{
+			Group:     ownerGvk.Group,
+			Kind:      ownerGvk.Kind,
+			Version:   ownerGvk.Version,
+			Namespace: r.Ref.Namespace,
+			Name:      ownerRef.Name,
+			UID:       string(ownerRef.UID),
 		}
-
-		// Look up the parent in namespace resources
-		// If found, it's namespaced and we use its namespace
-		// If not found, it must be cluster-scoped (namespace = "")
-		parentKey := kube.NewResourceKey(ownerGvk.Group, ownerGvk.Kind, r.Ref.Namespace, ownerRef.Name)
-		if parent, ok := namespaceResources[parentKey]; ok {
-			parentRef.Namespace = parent.Ref.Namespace
-		} else {
-			// Not in namespace => must be cluster-scoped
-			parentRef.Namespace = ""
-			// Debug logging for cross-namespace relationships
-			if r.Ref.Namespace != "" {
-				log.Debugf("Cross-namespace ref: %s/%s in namespace %s has parent %s/%s (cluster-scoped)",
-					r.Ref.Kind, r.Ref.Name, r.Ref.Namespace, ownerGvk.Kind, ownerRef.Name)
-			}
-		}
-		parentRefs[i] = parentRef
 	}
 	var resHealth *appv1.HealthStatus
 	resourceInfo := resInfo(r)
@@ -689,7 +673,7 @@ func (c *liveStateCache) IterateHierarchyV2(server *appv1.Cluster, keys []kube.R
 		return err
 	}
 	clusterInfo.IterateHierarchyV2(keys, func(resource *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) bool {
-		return action(asResourceNode(resource, namespaceResources), getApp(resource, namespaceResources))
+		return action(asResourceNode(resource), getApp(resource, namespaceResources))
 	})
 	return nil
 }
@@ -714,15 +698,9 @@ func (c *liveStateCache) GetNamespaceTopLevelResources(server *appv1.Cluster, na
 		return nil, err
 	}
 	resources := clusterInfo.FindResources(namespace, clustercache.TopLevelResource)
-
-	// Get all namespace resources for parent lookups
-	namespaceResources := clusterInfo.FindResources(namespace, func(_ *clustercache.Resource) bool {
-		return true
-	})
-
 	res := make(map[kube.ResourceKey]appv1.ResourceNode)
 	for k, r := range resources {
-		res[k] = asResourceNode(r, namespaceResources)
+		res[k] = asResourceNode(r)
 	}
 	return res, nil
 }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .3.1
 .2.6