Bump version to 2.12.2 (#19657 )

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: crenshaw-dev <350466+crenshaw-dev@users.noreply.github.com>
fix(appset): remove cache references (#19652 )
2026-02-28 21:48:46 +01:00 · 2024-08-22 23:29:03 -04:00 · 2024-08-22 18:09:56 -04:00 · 2024-08-21 20:17:21 -08:00 · 2024-08-21 19:31:48 -04:00 · 2024-08-21 00:48:58 -04:00
914 changed files with 66234 additions and 46111 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -8,6 +8,7 @@ ignore:
 - "pkg/client/.*"
 - "vendor/.*"
 - "test/.*"
+- "**/mocks/*"
 coverage:
  status:
    # we've found this not to be useful
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,6 +17,11 @@ updates:
    schedule:
      interval: "daily"

+  - package-ecosystem: "npm"
+    directory: "/ui-test/"
+    schedule:
+      interval: "daily"
+
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -6,9 +6,10 @@
 | codeql.yaml        | CodeQL analysis                                                |
 | image-reuse.yaml   | Build, push, and Sign container images                         |
 | image.yaml         | Build container image for PR's & publish for push events       |
-| pr-title-check.yaml| Lint PR for semantic information                               |
 | init-release.yaml  | Build manifests and version then create a PR for release branch|
+| pr-title-check.yaml| Lint PR for semantic information                               |
 | release.yaml       | Build images, cli-binaries, provenances, and post actions      |
+| scorecard.yaml     | Generate scorecard for supply-chain security                   |
 | update-snyk.yaml   | Scheduled snyk reports                                         |

 # Reusable workflows
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -13,7 +13,7 @@ on:

 env:
  # Golang version to use across CI steps
-  GOLANG_VERSION: '1.21'
+  GOLANG_VERSION: '1.22'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -28,9 +28,10 @@ jobs:
    outputs:
      backend: ${{ steps.filter.outputs.backend_any_changed }}
      frontend: ${{ steps.filter.outputs.frontend_any_changed }}
+      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
-      - uses: tj-actions/changed-files@90a06d6ba9543371ab4df8eeca0be07ca6054959 # v42.0.2
+      - uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78 # v44.5.2
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
@@ -43,6 +44,8 @@ jobs:
            frontend:
              - 'ui/**'
              - Dockerfile
+            docs:
+              - 'docs/**'
  check-go:
    name: Ensure Go modules synchronicity
    if: ${{ needs.changes.outputs.backend == 'true' }}
@@ -53,7 +56,7 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@@ -74,11 +77,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -101,14 +104,14 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
        with:
-          version: v1.54.0
-          args: --enable gofmt --timeout 10m --exclude SA5011 --verbose --max-issues-per-linter 0 --max-same-issues 0
+          version: v1.58.2
+          args: --verbose

  test-go:
    name: Run unit tests for Go packages
@@ -128,7 +131,7 @@ jobs:
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -148,7 +151,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -168,16 +171,11 @@ jobs:
          go mod download
      - name: Run all unit tests
        run: make test-local
-      - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: code-coverage
-          path: coverage.out
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: test-results
-          path: test-results/
+          path: test-results

  test-go-race:
    name: Run unit tests with -race for Go packages
@@ -197,7 +195,7 @@ jobs:
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -217,7 +215,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -238,14 +236,14 @@ jobs:
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: race-results
          path: test-results/

  codegen:
    name: Check changes to generated code
-    if: ${{ needs.changes.outputs.backend == 'true' }}
+    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.docs == 'true'}}
    runs-on: ubuntu-22.04
    needs:
      - changes
@@ -253,7 +251,7 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
@@ -296,7 +294,8 @@ jobs:

  build-ui:
    name: Build, test & lint UI code
-    if: ${{ needs.changes.outputs.frontend == 'true' }}
+    # We run UI logic for backend changes so that we have a complete set of coverage documents to send to codecov.
+    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
    runs-on: ubuntu-22.04
    needs:
      - changes
@@ -304,12 +303,12 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup NodeJS
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          node-version: '21.6.1'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -337,6 +336,7 @@ jobs:
      - test-go
      - build-ui
      - changes
+      - test-e2e
    env:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
    steps:
@@ -346,57 +346,42 @@ jobs:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
      - name: Remove other node_modules directory
        run: |
          rm -rf ui/node_modules/argo-ui/node_modules
-      - name: Create test-results directory
-        run: |
-          mkdir -p test-results
-      - name: Get code coverage artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - name: Get e2e code coverage
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
-          name: code-coverage
-      - name: Get test result artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+          name: e2e-code-coverage
+          path: e2e-code-coverage
+      - name: Get unit test code coverage
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: test-results
          path: test-results
+      - name: combine-go-coverage
+        # We generate coverage reports for all Argo CD components, but only the applicationset-controller report
+        # contains coverage data. The other components currently don't shut down gracefully, so no coverage data is
+        # produced. Once those components are fixed, we can add references to their coverage output directories.
+        run: |
+          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller -o test-results/full-coverage.out
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
        with:
-          file: coverage.out
+          file: test-results/full-coverage.out
+          fail_ci_if_error: true
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      - name: Perform static code analysis using SonarCloud
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SCANNER_VERSION: 4.2.0.1873
-          SCANNER_PATH: /tmp/cache/scanner
-          OS: linux
-        run: |
-          # We do not use the provided action, because it does contain an old
-          # version of the scanner, and also takes time to build.
-          set -e
-          mkdir -p ${SCANNER_PATH}
-          export SONAR_USER_HOME=${SCANNER_PATH}/.sonar
-          if [[ ! -x "${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner" ]]; then
-            curl -Ol https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip
-            unzip -qq -o sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip -d ${SCANNER_PATH}
-          fi
-          
-          chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
-          chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/jre/bin/java
-          
-          # Explicitly set NODE_MODULES
-          export NODE_MODULES=${PWD}/ui/node_modules
-          export NODE_PATH=${PWD}/ui/node_modules
-          
-          ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
+        uses: SonarSource/sonarqube-scan-action@540792c588b5c2740ad2bb4667db5cd46ae678f2 # v2.2
        if: env.sonar_secret != ''
-
  test-e2e:
    name: Run end-to-end tests
    if: ${{ needs.changes.outputs.backend == 'true' }}
@@ -404,7 +389,16 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        k3s-version: [v1.29.1, v1.28.6, v1.27.10, v1.26.13, v1.25.16]
+        k3s:
+          - version: v1.29.1
+            # We designate the latest version because we only collect code coverage for that version.
+            latest: true
+          - version: v1.28.6
+            latest: false
+          - version: v1.27.10
+            latest: false
+          - version: v1.26.13
+            latest: false
    needs:
      - build-go
      - changes
@@ -425,7 +419,7 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: GH actions workaround - Kill XSP4 process
@@ -433,7 +427,7 @@ jobs:
          sudo pkill mono || true
      - name: Install K3S
        env:
-          INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
+          INSTALL_K3S_VERSION: ${{ matrix.k3s.version }}+k3s1
        run: |
          set -x
          curl -sfL https://get.k3s.io | sh -
@@ -444,7 +438,7 @@ jobs:
          sudo chmod go-r $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -472,7 +466,7 @@ jobs:
        run: |
          docker pull ghcr.io/dexidp/dex:v2.38.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.14-alpine
+          docker pull redis:7.0.15-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
@@ -485,7 +479,7 @@ jobs:
          # port 8080 which is not visible in netstat -tulpen, but still there
          # with a HTTP listener. We have API server listening on port 8088
          # instead.
-          make start-e2e-local 2>&1 | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g" > /tmp/e2e-server.log &
+          make start-e2e-local COVERAGE_ENABLED=true 2>&1 | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g" > /tmp/e2e-server.log &
          count=1
          until curl -f http://127.0.0.1:8088/healthz; do
            sleep 10;
@@ -499,10 +493,18 @@ jobs:
        run: |
          set -x
          make test-e2e-local
-      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+          goreman run stop-all || echo "goreman trouble"
+          sleep 30
+      - name: Upload e2e coverage report
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
-          name: e2e-server-k8s${{ matrix.k3s-version }}.log
+          name: e2e-code-coverage
+          path: /tmp/coverage
+        if: ${{ matrix.k3s.latest }}
+      - name: Upload e2e-server logs
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: e2e-server-k8s${{ matrix.k3s.version }}.log
          path: /tmp/e2e-server.log
        if: ${{ failure() }}

--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -33,13 +33,13 @@ jobs:

    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
    - name: Setup Golang
-      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
      with:
        go-version-file: go.mod
      
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
@@ -47,7 +47,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/autobuild@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -61,4 +61,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -69,14 +69,14 @@ jobs:
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ inputs.go-version }}

      - name: Install cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

-      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Setup tags for container image as a CSV type
@@ -104,7 +104,7 @@ jobs:
            echo 'EOF' >> $GITHUB_ENV

      - name: Login to Quay.io
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
@@ -112,7 +112,7 @@ jobs:
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
@@ -120,7 +120,7 @@ jobs:
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      - name: Login to dockerhub Container Registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
@@ -134,7 +134,7 @@ jobs:
            echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV

      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
          large-packages: false
          docker-images: false
@@ -143,7 +143,7 @@ jobs:

      - name: Build and push container image
        id: image
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 #v5.3.0
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 #v5.4.0
        with:
          context: .
          platforms: ${{ inputs.platforms }}
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -52,7 +52,7 @@ jobs:
    uses: ./.github/workflows/image-reuse.yaml
    with:
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
-      go-version: 1.21
+      go-version: 1.22
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: false

@@ -68,7 +68,7 @@ jobs:
      quay_image_name: quay.io/argoproj/argocd:latest
      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
-      go-version: 1.21
+      go-version: 1.22
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: true
    secrets:
@@ -86,7 +86,7 @@ jobs:
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/argoproj/argo-cd/argocd
      digest: ${{ needs.build-and-publish.outputs.image-digest }}
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -64,7 +64,7 @@ jobs:
          git stash pop

      - name: Create pull request
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38  # v5.0.2
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e  # v6.0.5
        with:
          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -23,7 +23,7 @@ jobs:
    name: Validate PR Title
    runs-on: ubuntu-latest
    steps:
-      - uses: thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f # v1.4.0
+      - uses: thehanimo/pr-title-checker@1d8cd483a2b73118406a187f54dca8a9415f1375 # v1.4.2
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          configuration_path: ".github/pr-title-checker-config.json"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ on:
 permissions: {}

 env:
-  GOLANG_VERSION: '1.21' # Note: go-version must also be set in job argocd-image.with.go-version
+  GOLANG_VERSION: '1.22' # Note: go-version must also be set in job argocd-image.with.go-version

 jobs:
  argocd-image:
@@ -23,7 +23,7 @@ jobs:
    with:
      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
-      go-version: 1.21
+      go-version: 1.22
      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
      push: true
    secrets:
@@ -38,7 +38,7 @@ jobs:
        packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
      # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
      if: github.repository == 'argoproj/argo-cd'
-      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
+      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
      with:
        image: quay.io/argoproj/argocd
        digest: ${{ needs.argocd-image.outputs.image-digest }}
@@ -77,7 +77,7 @@ jobs:
          fi

      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}

@@ -88,7 +88,7 @@ jobs:
          echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV

      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
          large-packages: false
          docker-images: false
@@ -96,7 +96,7 @@ jobs:
          tool-cache: false

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
        id: run-goreleaser
        with:
          version: latest
@@ -128,7 +128,7 @@ jobs:
      contents: write #  Needed for release uploads
    if: github.repository == 'argoproj/argo-cd'
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      provenance-name: "argocd-cli.intoto.jsonl"
@@ -153,7 +153,7 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Golang
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ env.GOLANG_VERSION }}

@@ -197,7 +197,7 @@ jobs:
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
      
      - name: Upload SBOM
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -212,7 +212,7 @@ jobs:
      contents: write #  Needed for release uploads
    if: github.repository == 'argoproj/argo-cd'
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
      provenance-name: "argocd-sbom.intoto.jsonl"
@@ -295,7 +295,7 @@ jobs:
        if: ${{ env.UPDATE_VERSION == 'true' }}

      - name: Create PR to update VERSION on master branch
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
        with:
          commit-message: Bump version in master
          title: "chore: Bump version in master"
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -35,7 +35,7 @@ jobs:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
        with:
          results_file: results.sarif
          results_format: sarif
@@ -54,7 +54,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: SARIF file
          path: results.sarif
@@ -62,6 +62,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
+        uses: github/codeql-action/upload-sarif@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
        with:
          sarif_file: results.sarif
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,7 @@ node_modules/
 ./test/cmp/*.sock
 .envrc.remote
 .*.swp
+rerunreport.txt

 # ignore built binaries
 cmd/argocd/argocd
--- a/.gitpod.Dockerfile
+++ b/.gitpod.Dockerfile
@@ -1,4 +1,4 @@
-FROM gitpod/workspace-full@sha256:511cecde4dc129ca9eb4cc4c479d61f95e5485ebe320a07f5b902f11899956a3
+FROM gitpod/workspace-full@sha256:8dd34e72ae5b9e6f60d267dd6287befc2cf5ad1a11c64e9d93daa60c952a2154

 USER root

--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -0,0 +1,43 @@
+issues:
+  exclude:
+    - SA1019
+    - SA5011
+  max-issues-per-linter: 0
+  max-same-issues: 0
+linters:
+  enable:
+    - errcheck
+    - errorlint
+    - gocritic
+    - gofumpt
+    - goimports
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - staticcheck
+    - testifylint
+    - unused
+    - whitespace 
+linters-settings:
+  gocritic:
+    disabled-checks:
+      - appendAssign
+      - assignOp  # Keep it disabled for readability
+      - badCond
+      - commentFormatting
+      - exitAfterDefer
+      - ifElseChain
+      - mapKey
+      - singleCaseSwitch
+      - typeSwitchVar
+  goimports:
+    local-prefixes: github.com/argoproj/argo-cd/v2
+  testifylint:
+    enable-all: true
+    disable:
+      - error-is-as
+      - float-compare
+      - go-require
+run:
+  timeout: 50m
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,3 +1,5 @@
+version: 2
+
 project_name: argocd

 before:
@@ -114,7 +116,7 @@ changelog:
    exclude:
      - '^test:'
      - '^.*?Bump(\([[:word:]]+\))?.+$'
-      - '^.*?[Bot](\([[:word:]]+\))?.+$'
+      - '^.*?\[Bot\](\([[:word:]]+\))?.+$'


 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
--- a/6
+++ b/6
@@ -8,5 +8,7 @@
 /mkdocs.yml  @argoproj/argocd-approvers @argoproj/argocd-approvers-docs

 # CI
-/.github/**       @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
-/.goreleaser.yaml @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/.codecov.yml             @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/.github/**               @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/.goreleaser.yaml         @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/sonar-project.properties @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
--- a/10
+++ b/10
@@ -1,12 +1,12 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:22.04@sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
+ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.21.9@sha256:7d0dcbe5807b1ad7272a598fbf9d7af15b5e2bed4fd6c4c2b5b3684df0b317dd AS builder
+FROM docker.io/library/golang:1.22.4@sha256:c2010b9c2342431a24a2e64e33d9eb2e484af49e72c820e200d332d214d5e61f AS builder

-RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
+RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list

 RUN apt-get update && apt-get install --no-install-recommends -y \
    openssh-server \
@@ -83,7 +83,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:21.6.2@sha256:65998e325b06014d4f1417a8a6afb1540d1ac66521cca76f2221a6953947f9ee AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:22.3.0@sha256:5e4044ff6001d06e7748e35bfa4f80c73cf5f5a7360a1b782995e038a01b0585 AS argocd-ui

 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]
@@ -101,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.9@sha256:7d0dcbe5807b1ad7272a598fbf9d7af15b5e2bed4fd6c4c2b5b3684df0b317dd AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.22.4@sha256:c2010b9c2342431a24a2e64e33d9eb2e484af49e72c820e200d332d214d5e61f AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

--- a/31
+++ b/31
@@ -153,6 +153,13 @@ DEV_IMAGE?=false
 ARGOCD_GPG_ENABLED?=true
 ARGOCD_E2E_APISERVER_PORT?=8080

+ifeq (${COVERAGE_ENABLED}, true)
+# We use this in the cli-local target to enable code coverage for e2e tests.
+COVERAGE_FLAG=-cover
+else
+COVERAGE_FLAG=
+endif
+
 override LDFLAGS += \
  -X ${PACKAGE}.version=${VERSION} \
  -X ${PACKAGE}.buildDate=${BUILD_DATE} \
@@ -188,7 +195,7 @@ all: cli image
 .PHONY: gogen
 gogen:
 	export GO111MODULE=off
-	go generate ./util/argo/...
+	go generate ./...

 .PHONY: protogen
 protogen: mod-vendor-local protogen-fast
@@ -240,7 +247,7 @@ cli: test-tools-image

 .PHONY: cli-local
 cli-local: clean-debug
-	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
+	CGO_ENABLED=${CGO_FLAG} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build $(COVERAGE_FLAG) -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd

 .PHONY: gen-resources-cli-local
 gen-resources-cli-local: clean-debug
@@ -357,7 +364,7 @@ lint-local:
 	golangci-lint --version
 	# NOTE: If you get a "Killed" OOM message, try reducing the value of GOGC
 	# See https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
-	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --enable gofmt --fix --verbose --timeout 3000s --max-issues-per-linter 0 --max-same-issues 0
+	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --fix --verbose

 .PHONY: lint-ui
 lint-ui: test-tools-image
@@ -391,9 +398,9 @@ test: test-tools-image
 .PHONY: test-local
 test-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -coverprofile=coverage.out; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results"; \
 	else \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -coverprofile=coverage.out "$(TEST_MODULE)"; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results" "$(TEST_MODULE)"; \
 	fi

 .PHONY: test-race
@@ -405,9 +412,9 @@ test-race: test-tools-image
 .PHONY: test-race-local
 test-race-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -race -coverprofile=coverage.out; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -race -args -test.gocoverdir="$(PWD)/test-results"; \
 	else \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -race -coverprofile=coverage.out; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -race -args -test.gocoverdir="$(PWD)/test-results"; \
 	fi

 # Run the E2E test suite. E2E test servers (see start-e2e target) must be
@@ -421,7 +428,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v
+	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"

 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@@ -452,6 +459,12 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	mkdir -p /tmp/argo-e2e/app/config/gpg/keys && chmod 0700 /tmp/argo-e2e/app/config/gpg/keys
 	mkdir -p /tmp/argo-e2e/app/config/gpg/source && chmod 0700 /tmp/argo-e2e/app/config/gpg/source
 	mkdir -p /tmp/argo-e2e/app/config/plugin && chmod 0700 /tmp/argo-e2e/app/config/plugin
+	# create folders to hold go coverage results for each component
+	mkdir -p /tmp/coverage/app-controller
+	mkdir -p /tmp/coverage/api-server
+	mkdir -p /tmp/coverage/repo-server
+	mkdir -p /tmp/coverage/applicationset-controller
+	mkdir -p /tmp/coverage/notification
 	# set paths for locally managed ssh known hosts and tls certs data
 	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
 	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
@@ -469,6 +482,7 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \
 	ARGOCD_E2E_TEST=true \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
+	ls -lrt /tmp/coverage

 # Cleans VSCode debug.test files from sub-dirs to prevent them from being included in by golang embed
 .PHONY: clean-debug
@@ -494,6 +508,7 @@ start-local: mod-vendor-local dep-ui-local cli-local
 	mkdir -p /tmp/argocd-local
 	mkdir -p /tmp/argocd-local/gpg/keys && chmod 0700 /tmp/argocd-local/gpg/keys
 	mkdir -p /tmp/argocd-local/gpg/source
+	REDIS_PASSWORD=$(shell kubectl get secret argocd-redis -o jsonpath='{.data.auth}' | base64 -d) \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=false \
 	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
--- a/11
+++ b/11
@@ -1,13 +1,12 @@
-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'}"
-api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
 redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" = 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} docker.io/library/redis:$(grep "image: redis" manifests/base/redis/argocd-redis-deployment.yaml | cut -d':' -f3) --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
-repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
-
+applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
--- a/USERS.md
+++ b/USERS.md
@@ -18,9 +18,11 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Albert Heijn](https://ah.nl/)
 1. [Alibaba Group](https://www.alibabagroup.com/)
 1. [Allianz Direct](https://www.allianzdirect.de/)
+1. [AlphaSense](https://www.alpha-sense.com/)
 1. [Amadeus IT Group](https://amadeus.com/)
 1. [Ambassador Labs](https://www.getambassador.io/)
 1. [Ancestry](https://www.ancestry.com/)
+1. [Andgo Systems](https://www.andgosystems.com/)
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Ant Group](https://www.antgroup.com/)
 1. [AppDirect](https://www.appdirect.com)
@@ -35,12 +37,14 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
 1. [Beez Innovation Labs](https://www.beezlabs.com/)
+1. [Bedag Informatik AG](https://www.bedag.ch/)
 1. [Beleza Na Web](https://www.belezanaweb.com.br/)
 1. [BigPanda](https://bigpanda.io)
 1. [BioBox Analytics](https://biobox.io)
 1. [BMW Group](https://www.bmwgroup.com/)
 1. [Boozt](https://www.booztgroup.com/)
 1. [Boticario](https://www.boticario.com.br/)
+1. [Broker Consulting, a.s.](https://www.bcas.cz/en/)
 1. [Bulder Bank](https://bulderbank.no)
 1. [CAM](https://cam-inc.co.jp)
 1. [Camptocamp](https://camptocamp.com)
@@ -58,12 +62,14 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Cisco ET&I](https://eti.cisco.com/)
 1. [Cloud Posse](https://www.cloudposse.com/)
 1. [Cloud Scale](https://cloudscaleinc.com/)
+1. [CloudGeometry](https://www.cloudgeometry.io/)
 1. [Cloudmate](https://cloudmt.co.kr/)
 1. [Cloudogu](https://cloudogu.com/)
 1. [Cobalt](https://www.cobalt.io/)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Commonbond](https://commonbond.co/)
+1. [Contlo](https://contlo.com/)
 1. [Coralogix](https://coralogix.com/)
 1. [Crédit Agricole CIB](https://www.ca-cib.com)
 1. [CROZ d.o.o.](https://croz.net/)
@@ -132,6 +138,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [IABAI](https://www.iab.ai)
 1. [IBM](https://www.ibm.com/)
 1. [Ibotta](https://home.ibotta.com)
+1. [IFS](https://www.ifs.com)
 1. [IITS-Consulting](https://iits-consulting.de)
 1. [IllumiDesk](https://www.illumidesk.com)
 1. [imaware](https://imaware.health)
@@ -159,6 +166,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [KubeSphere](https://github.com/kubesphere)
 1. [Kurly](https://www.kurly.com/)
 1. [Kvist](https://kvistsolutions.com)
+1. [Kyriba](https://www.kyriba.com/)
 1. [LexisNexis](https://www.lexisnexis.com/)
 1. [Lian Chu Securities](https://lczq.com)
 1. [Liatrio](https://www.liatrio.com)
@@ -179,6 +187,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Meilleurs Agents](https://www.meilleursagents.com/)
 1. [Mercedes-Benz Tech Innovation](https://www.mercedes-benz-techinnovation.com/)
 1. [Mercedes-Benz.io](https://www.mercedes-benz.io/)
+1. [Metacore Games](https://metacoregames.com/)
 1. [Metanet](http://www.metanet.co.kr/en/)
 1. [MindSpore](https://mindspore.cn)
 1. [Mirantis](https://mirantis.com/)
@@ -199,6 +208,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Objective](https://www.objective.com.br/)
 1. [OCCMundial](https://occ.com.mx)
 1. [Octadesk](https://octadesk.com)
+1. [Octopus Deploy](https://octopus.com)
 1. [Olfeo](https://www.olfeo.com/)
 1. [omegaUp](https://omegaUp.com)
 1. [Omni](https://omni.se/)
@@ -225,7 +235,9 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Percona](https://percona.com/)
 1. [PGS](https://www.pgs.com)
 1. [Pigment](https://www.gopigment.com/)
+1. [Pipedrive](https://www.pipedrive.com/)
 1. [Pipefy](https://www.pipefy.com/)
+1. [Pipekit](https://pipekit.io/)
 1. [Pismo](https://pismo.io/)
 1. [PITS Globale Datenrettungsdienste](https://www.pitsdatenrettung.de/)
 1. [Platform9 Systems](https://platform9.com/)
@@ -244,7 +256,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Quipper](https://www.quipper.com/)
 1. [RapidAPI](https://www.rapidapi.com/)
 1. [rebuy](https://www.rebuy.de/)
-1. [Recreation.gov](https://www.recreation.gov/)
 1. [Red Hat](https://www.redhat.com/)
 1. [Redpill Linpro](https://www.redpill-linpro.com/)
 1. [Reenigne Cloud](https://reenigne.ca)
@@ -255,6 +266,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Riskified](https://www.riskified.com/)
 1. [Robotinfra](https://www.robotinfra.com)
 1. [Rocket.Chat](https://rocket.chat)
+1. [Rogo](https://rogodata.com)
 1. [Rubin Observatory](https://www.lsst.org)
 1. [Saildrone](https://www.saildrone.com/)
 1. [Salad Technologies](https://salad.com/)
@@ -290,6 +302,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Swisscom](https://www.swisscom.ch)
 1. [Swissquote](https://github.com/swissquote)
 1. [Syncier](https://syncier.com/)
+1. [Syself](https://syself.com)
 1. [TableCheck](https://tablecheck.com/)
 1. [Tailor Brands](https://www.tailorbrands.com)
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
@@ -319,6 +332,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Urbantz](https://urbantz.com/)
 1. [Vectra](https://www.vectra.ai)
 1. [Veepee](https://www.veepee.com)
+1. [Verkada](https://www.verkada.com)
 1. [Viaduct](https://www.viaduct.ai/)
 1. [VietMoney](https://vietmoney.vn/)
 1. [Vinted](https://vinted.com/)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.11.0
+2.12.2
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -18,8 +18,11 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"strings"
 	"time"

+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	log "github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
@@ -28,18 +31,15 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
-	k8scache "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/source"

 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
@@ -50,6 +50,7 @@ import (
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	argoutil "github.com/argoproj/argo-cd/v2/util/argo"
+	"github.com/argoproj/argo-cd/v2/util/argo/normalizers"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 )
@@ -62,12 +63,10 @@ const (
 	ReconcileRequeueOnValidationError = time.Minute * 3
 )

-var (
-	defaultPreservedAnnotations = []string{
-		NotifiedAnnotationKey,
-		argov1alpha1.AnnotationKeyRefresh,
-	}
-)
+var defaultPreservedAnnotations = []string{
+	NotifiedAnnotationKey,
+	argov1alpha1.AnnotationKeyRefresh,
+}

 // ApplicationSetReconciler reconciles a ApplicationSet object
 type ApplicationSetReconciler struct {
@@ -87,7 +86,6 @@ type ApplicationSetReconciler struct {
 	SCMRootCAPath              string
 	GlobalPreservedAnnotations []string
 	GlobalPreservedLabels      []string
-	Cache                      cache.Cache
 }

 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=get;list;watch;create;update;patch;delete
@@ -108,36 +106,43 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque

 	// Do not attempt to further reconcile the ApplicationSet if it is being deleted.
 	if applicationSetInfo.ObjectMeta.DeletionTimestamp != nil {
+		appsetName := applicationSetInfo.ObjectMeta.Name
+		logCtx.Debugf("DeletionTimestamp is set on %s", appsetName)
 		deleteAllowed := utils.DefaultPolicy(applicationSetInfo.Spec.SyncPolicy, r.Policy, r.EnablePolicyOverride).AllowDelete()
 		if !deleteAllowed {
+			logCtx.Debugf("ApplicationSet policy does not allow to delete")
 			if err := r.removeOwnerReferencesOnDeleteAppSet(ctx, applicationSetInfo); err != nil {
 				return ctrl.Result{}, err
 			}
-			controllerutil.RemoveFinalizer(&applicationSetInfo, argov1alpha1.ResourcesFinalizerName)
-			if err := r.Update(ctx, &applicationSetInfo); err != nil {
-				return ctrl.Result{}, err
-			}
+			logCtx.Debugf("ownerReferences referring %s is deleted from generated applications", appsetName)
+		}
+		controllerutil.RemoveFinalizer(&applicationSetInfo, argov1alpha1.ResourcesFinalizerName)
+		if err := r.Update(ctx, &applicationSetInfo); err != nil {
+			return ctrl.Result{}, err
 		}
 		return ctrl.Result{}, nil
 	}

+	if err := r.migrateStatus(ctx, &applicationSetInfo); err != nil {
+		logCtx.Errorf("failed to migrate status subresource %v", err)
+		return ctrl.Result{}, err
+	}
+
 	// Log a warning if there are unrecognized generators
 	_ = utils.CheckInvalidGenerators(&applicationSetInfo)
 	// desiredApplications is the main list of all expected Applications from all generators in this appset.
-	desiredApplications, applicationSetReason, generatorsErr := r.generateApplications(logCtx, applicationSetInfo)
-	if generatorsErr != nil {
+	desiredApplications, applicationSetReason, err := r.generateApplications(logCtx, applicationSetInfo)
+	if err != nil {
 		_ = r.setApplicationSetStatusCondition(ctx,
 			&applicationSetInfo,
 			argov1alpha1.ApplicationSetCondition{
 				Type:    argov1alpha1.ApplicationSetConditionErrorOccurred,
-				Message: generatorsErr.Error(),
+				Message: err.Error(),
 				Reason:  string(applicationSetReason),
 				Status:  argov1alpha1.ApplicationSetConditionStatusTrue,
 			}, parametersGenerated,
 		)
-		if len(desiredApplications) < 1 {
-			return ctrl.Result{}, generatorsErr
-		}
+		return ctrl.Result{RequeueAfter: ReconcileRequeueOnValidationError}, err
 	}

 	parametersGenerated = true
@@ -165,6 +170,16 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{RequeueAfter: ReconcileRequeueOnValidationError}, nil
 	}

+	currentApplications, err := r.getCurrentApplications(ctx, applicationSetInfo)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to get current applications for application set: %w", err)
+	}
+
+	err = r.updateResourcesStatus(ctx, logCtx, &applicationSetInfo, currentApplications)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to get update resources status for application set: %w", err)
+	}
+
 	// appMap is a name->app collection of Applications in this ApplicationSet.
 	appMap := map[string]argov1alpha1.Application{}
 	// appSyncMap tracks which apps will be synced during this reconciliation.
@@ -181,16 +196,11 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 			}
 		} else if applicationSetInfo.Spec.Strategy != nil {
 			// appset uses progressive sync
-			applications, err := r.getCurrentApplications(ctx, applicationSetInfo)
-			if err != nil {
-				return ctrl.Result{}, fmt.Errorf("failed to get current applications for application set: %w", err)
-			}
-
-			for _, app := range applications {
+			for _, app := range currentApplications {
 				appMap[app.Name] = app
 			}

-			appSyncMap, err = r.performProgressiveSyncs(ctx, logCtx, applicationSetInfo, applications, desiredApplications, appMap)
+			appSyncMap, err = r.performProgressiveSyncs(ctx, logCtx, applicationSetInfo, currentApplications, desiredApplications, appMap)
 			if err != nil {
 				return ctrl.Result{}, fmt.Errorf("failed to perform progressive sync reconciliation for application set: %w", err)
 			}
@@ -229,7 +239,6 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		// trigger appropriate application syncs if RollingSync strategy is enabled
 		if progressiveSyncsStrategyEnabled(&applicationSetInfo, "RollingSync") {
 			validApps, err = r.syncValidApplications(logCtx, &applicationSetInfo, appSyncMap, appMap, validApps)
-
 			if err != nil {
 				_ = r.setApplicationSetStatusCondition(ctx,
 					&applicationSetInfo,
@@ -311,7 +320,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque

 	requeueAfter := r.getMinRequeueAfter(&applicationSetInfo)

-	if len(validateErrors) == 0 && generatorsErr == nil {
+	if len(validateErrors) == 0 {
 		if err := r.setApplicationSetStatusCondition(ctx,
 			&applicationSetInfo,
 			argov1alpha1.ApplicationSetCondition{
@@ -420,7 +429,7 @@ func (r *ApplicationSetReconciler) setApplicationSetStatusCondition(ctx context.
 			if client.IgnoreNotFound(err) != nil {
 				return nil
 			}
-			return fmt.Errorf("error fetching updated application set: %v", err)
+			return fmt.Errorf("error fetching updated application set: %w", err)
 		}

 		applicationSet.Status.SetConditions(
@@ -430,7 +439,7 @@ func (r *ApplicationSetReconciler) setApplicationSetStatusCondition(ctx context.
 		// Update the newly fetched object with new set of conditions
 		err := r.Client.Status().Update(ctx, applicationSet)
 		if err != nil && !apierr.IsNotFound(err) {
-			return fmt.Errorf("unable to set application set condition: %v", err)
+			return fmt.Errorf("unable to set application set condition: %w", err)
 		}
 	}

@@ -443,7 +452,6 @@ func (r *ApplicationSetReconciler) validateGeneratedApplications(ctx context.Con
 	errorsByIndex := map[int]error{}
 	namesSet := map[string]bool{}
 	for i, app := range desiredApplications {
-
 		if !namesSet[app.Name] {
 			namesSet[app.Name] = true
 		} else {
@@ -463,7 +471,6 @@ func (r *ApplicationSetReconciler) validateGeneratedApplications(ctx context.Con
 			errorsByIndex[i] = fmt.Errorf("application destination spec is invalid: %s", err.Error())
 			continue
 		}
-
 	}

 	return errorsByIndex, nil
@@ -472,7 +479,6 @@ func (r *ApplicationSetReconciler) validateGeneratedApplications(ctx context.Con
 func (r *ApplicationSetReconciler) getMinRequeueAfter(applicationSetInfo *argov1alpha1.ApplicationSet) time.Duration {
 	var res time.Duration
 	for _, requestedGenerator := range applicationSetInfo.Spec.Generators {
-
 		relevantGenerators := generators.GetRelevantGenerators(&requestedGenerator, r.Generators)

 		for _, g := range relevantGenerators {
@@ -508,7 +514,7 @@ func (r *ApplicationSetReconciler) generateApplications(logCtx *log.Entry, appli
 	var applicationSetReason argov1alpha1.ApplicationSetReasonType

 	for _, requestedGenerator := range applicationSetInfo.Spec.Generators {
-		t, err := generators.Transform(requestedGenerator, r.Generators, applicationSetInfo.Spec.Template, &applicationSetInfo, map[string]interface{}{})
+		t, err := generators.Transform(requestedGenerator, r.Generators, applicationSetInfo.Spec.Template, &applicationSetInfo, map[string]interface{}{}, r.Client)
 		if err != nil {
 			logCtx.WithError(err).WithField("generator", requestedGenerator).
 				Error("error generating application from params")
@@ -524,7 +530,6 @@ func (r *ApplicationSetReconciler) generateApplications(logCtx *log.Entry, appli

 			for _, p := range a.Params {
 				app, err := r.Renderer.RenderTemplateParams(tmplApplication, applicationSetInfo.Spec.SyncPolicy, p, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
-
 				if err != nil {
 					logCtx.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
 						Error("error generating application from params")
@@ -538,7 +543,6 @@ func (r *ApplicationSetReconciler) generateApplications(logCtx *log.Entry, appli

 				if applicationSetInfo.Spec.TemplatePatch != nil {
 					patchedApplication, err := r.applyTemplatePatch(app, applicationSetInfo, p)
-
 					if err != nil {
 						log.WithError(err).WithField("params", a.Params).WithField("generator", requestedGenerator).
 							Error("error generating application from params")
@@ -566,7 +570,6 @@ func (r *ApplicationSetReconciler) generateApplications(logCtx *log.Entry, appli

 func (r *ApplicationSetReconciler) applyTemplatePatch(app *argov1alpha1.Application, applicationSetInfo argov1alpha1.ApplicationSet, params map[string]interface{}) (*argov1alpha1.Application, error) {
 	replacedTemplate, err := r.Renderer.Replace(*applicationSetInfo.Spec.TemplatePatch, params, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
-
 	if err != nil {
 		return nil, fmt.Errorf("error replacing values in templatePatch: %w", err)
 	}
@@ -611,7 +614,7 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager, enableProg
 		Owns(&argov1alpha1.Application{}, builder.WithPredicates(ownsHandler)).
 		WithEventFilter(ignoreNotAllowedNamespaces(r.ApplicationSetNamespaces)).
 		Watches(
-			&source.Kind{Type: &corev1.Secret{}},
+			&corev1.Secret{},
 			&clusterSecretEventHandler{
 				Client: mgr.GetClient(),
 				Log:    log.WithField("type", "createSecretEventHandler"),
@@ -620,31 +623,11 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager, enableProg
 		Complete(r)
 }

-func (r *ApplicationSetReconciler) updateCache(ctx context.Context, obj client.Object, logger *log.Entry) {
-	informer, err := r.Cache.GetInformer(ctx, obj)
-	if err != nil {
-		logger.Errorf("failed to get informer: %v", err)
-		return
-	}
-	// The controller runtime abstract away informers creation
-	// so unfortunately could not find any other way to access informer store.
-	k8sInformer, ok := informer.(k8scache.SharedInformer)
-	if !ok {
-		logger.Error("informer is not a kubernetes informer")
-		return
-	}
-	if err := k8sInformer.GetStore().Update(obj); err != nil {
-		logger.Errorf("failed to update cache: %v", err)
-		return
-	}
-}
-
 // createOrUpdateInCluster will create / update application resources in the cluster.
 // - For new applications, it will call create
 // - For existing application, it will call update
 // The function also adds owner reference to all applications, and uses it to delete them.
 func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context, logCtx *log.Entry, applicationSet argov1alpha1.ApplicationSet, desiredApplications []argov1alpha1.Application) error {
-
 	var firstError error
 	// Creates or updates the application in appList
 	for _, generatedApp := range desiredApplications {
@@ -668,7 +651,7 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 			},
 		}

-		action, err := utils.CreateOrUpdate(ctx, appLog, r.Client, applicationSet.Spec.IgnoreApplicationDifferences, found, func() error {
+		action, err := utils.CreateOrUpdate(ctx, appLog, r.Client, applicationSet.Spec.IgnoreApplicationDifferences, normalizers.IgnoreNormalizerOpts{}, found, func() error {
 			// Copy only the Application/ObjectMeta fields that are significant, from the generatedApp
 			found.Spec = generatedApp.Spec

@@ -716,6 +699,17 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 				}
 			}

+			// Preserve post-delete finalizers:
+			//   https://github.com/argoproj/argo-cd/issues/17181
+			for _, finalizer := range found.ObjectMeta.Finalizers {
+				if strings.HasPrefix(finalizer, argov1alpha1.PostDeleteFinalizerName) {
+					if generatedApp.Finalizers == nil {
+						generatedApp.Finalizers = []string{}
+					}
+					generatedApp.Finalizers = append(generatedApp.Finalizers, finalizer)
+				}
+			}
+
 			found.ObjectMeta.Annotations = generatedApp.Annotations

 			found.ObjectMeta.Finalizers = generatedApp.Finalizers
@@ -723,7 +717,6 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,

 			return controllerutil.SetControllerReference(&applicationSet, found, r.Scheme)
 		})
-
 		if err != nil {
 			appLog.WithError(err).WithField("action", action).Errorf("failed to %s Application", action)
 			if firstError == nil {
@@ -731,7 +724,6 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 			}
 			continue
 		}
-		r.updateCache(ctx, found, appLog)

 		if action != controllerutil.OperationResultNone {
 			// Don't pollute etcd with "unchanged Application" events
@@ -749,7 +741,6 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 // createInCluster will filter from the desiredApplications only the application that needs to be created
 // Then it will call createOrUpdateInCluster to do the actual create
 func (r *ApplicationSetReconciler) createInCluster(ctx context.Context, logCtx *log.Entry, applicationSet argov1alpha1.ApplicationSet, desiredApplications []argov1alpha1.Application) error {
-
 	var createApps []argov1alpha1.Application
 	current, err := r.getCurrentApplications(ctx, applicationSet)
 	if err != nil {
@@ -777,7 +768,6 @@ func (r *ApplicationSetReconciler) createInCluster(ctx context.Context, logCtx *
 func (r *ApplicationSetReconciler) getCurrentApplications(ctx context.Context, applicationSet argov1alpha1.ApplicationSet) ([]argov1alpha1.Application, error) {
 	var current argov1alpha1.ApplicationList
 	err := r.Client.List(ctx, &current, client.MatchingFields{".metadata.controller": applicationSet.Name}, client.InNamespace(applicationSet.Namespace))
-
 	if err != nil {
 		return nil, fmt.Errorf("error retrieving applications: %w", err)
 	}
@@ -815,7 +805,6 @@ func (r *ApplicationSetReconciler) deleteInCluster(ctx context.Context, logCtx *
 		_, exists := m[app.Name]

 		if !exists {
-
 			// Removes the Argo CD resources finalizer if the application contains an invalid target (eg missing cluster)
 			err := r.removeFinalizerOnInvalidDestination(ctx, applicationSet, &app, clusterList, logCtx)
 			if err != nil {
@@ -843,7 +832,6 @@ func (r *ApplicationSetReconciler) deleteInCluster(ctx context.Context, logCtx *

 // removeFinalizerOnInvalidDestination removes the Argo CD resources finalizer if the application contains an invalid target (eg missing cluster)
 func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx context.Context, applicationSet argov1alpha1.ApplicationSet, app *argov1alpha1.Application, clusterList *argov1alpha1.ClusterList, appLog *log.Entry) error {
-
 	// Only check if the finalizers need to be removed IF there are finalizers to remove
 	if len(app.Finalizers) == 0 {
 		return nil
@@ -856,12 +844,10 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 		appLog.Warnf("The destination cluster for %s couldn't be found: %v", app.Name, err)
 		validDestination = false
 	} else {
-
 		// Detect if the destination's server field does not match an existing cluster

 		matchingCluster := false
 		for _, cluster := range clusterList.Items {
-
 			// Server fields must match. Note that ValidateDestination ensures that the server field is set, if applicable.
 			if app.Spec.Destination.Server != cluster.Server {
 				continue
@@ -885,7 +871,6 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 	// If the destination is invalid (for example the cluster is no longer defined), then remove
 	// the application finalizers to avoid triggering Argo CD bug #5817
 	if !validDestination {
-
 		// Filter out the Argo CD finalizer from the finalizer list
 		var newFinalizers []string
 		for _, existingFinalizer := range app.Finalizers {
@@ -905,7 +890,6 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 			if err := r.Client.Patch(ctx, updated, patch); err != nil {
 				return fmt.Errorf("error updating finalizers: %w", err)
 			}
-			r.updateCache(ctx, updated, appLog)
 			// Application must have updated list of finalizers
 			updated.DeepCopyInto(app)

@@ -935,7 +919,6 @@ func (r *ApplicationSetReconciler) removeOwnerReferencesOnDeleteAppSet(ctx conte
 }

 func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context, logCtx *log.Entry, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application, appMap map[string]argov1alpha1.Application) (map[string]bool, error) {
-
 	appDependencyList, appStepMap, err := r.buildAppDependencyList(logCtx, appset, desiredApplications)
 	if err != nil {
 		return nil, fmt.Errorf("failed to build app dependency list: %w", err)
@@ -973,7 +956,6 @@ func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context,

 // this list tracks which Applications belong to each RollingUpdate step
 func (r *ApplicationSetReconciler) buildAppDependencyList(logCtx *log.Entry, applicationSet argov1alpha1.ApplicationSet, applications []argov1alpha1.Application) ([][]string, map[string]int, error) {
-
 	if applicationSet.Spec.Strategy == nil || applicationSet.Spec.Strategy.Type == "" || applicationSet.Spec.Strategy.Type == "AllAtOnce" {
 		return [][]string{}, map[string]int{}, nil
 	}
@@ -993,11 +975,9 @@ func (r *ApplicationSetReconciler) buildAppDependencyList(logCtx *log.Entry, app
 	// use applicationLabelSelectors to filter generated Applications into steps and status by name
 	for _, app := range applications {
 		for i, step := range steps {
-
 			selected := true // default to true, assuming the current Application is a match for the given step matchExpression

 			for _, matchExpression := range step.MatchExpressions {
-
 				if val, ok := app.Labels[matchExpression.Key]; ok {
 					valueMatched := labelMatchedExpression(logCtx, val, matchExpression)

@@ -1061,7 +1041,6 @@ func (r *ApplicationSetReconciler) buildAppSyncMap(ctx context.Context, applicat

 		// detect if we need to halt before progressing to the next step
 		for _, appName := range appDependencyList[i] {
-
 			idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, appName)
 			if idx == -1 {
 				// no Application status found, likely because the Application is being newly created
@@ -1072,7 +1051,6 @@ func (r *ApplicationSetReconciler) buildAppSyncMap(ctx context.Context, applicat
 			appStatus := applicationSet.Status.ApplicationStatus[idx]

 			if app, ok := appMap[appName]; ok {
-
 				syncEnabled = appSyncEnabledForNextStep(&applicationSet, app, appStatus)
 				if !syncEnabled {
 					break
@@ -1089,7 +1067,6 @@ func (r *ApplicationSetReconciler) buildAppSyncMap(ctx context.Context, applicat
 }

 func appSyncEnabledForNextStep(appset *argov1alpha1.ApplicationSet, app argov1alpha1.Application, appStatus argov1alpha1.ApplicationSetApplicationStatus) bool {
-
 	if progressiveSyncsStrategyEnabled(appset, "RollingSync") {
 		// we still need to complete the current step if the Application is not yet Healthy or there are still pending Application changes
 		return isApplicationHealthy(app) && appStatus.Status == "Healthy"
@@ -1132,12 +1109,10 @@ func statusStrings(app argov1alpha1.Application) (string, string, string) {

 // check the status of each Application's status and promote Applications to the next status if needed
 func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
-
 	now := metav1.Now()
 	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applications))

 	for _, app := range applications {
-
 		healthStatusString, syncStatusString, operationPhaseString := statusStrings(app)

 		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, app.Name)
@@ -1152,10 +1127,18 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 				Message:            "No Application status found, defaulting status to Waiting.",
 				Status:             "Waiting",
 				Step:               fmt.Sprint(appStepMap[app.Name] + 1),
+				TargetRevisions:    app.Status.GetRevisions(),
 			}
 		} else {
 			// we have an existing AppStatus
 			currentAppStatus = applicationSet.Status.ApplicationStatus[idx]
+
+			// upgrade any existing AppStatus that might have been set by an older argo-cd version
+			// note: currentAppStatus.TargetRevisions may be set to empty list earlier during migrations,
+			// to prevent other usage of r.Client.Status().Update to fail before reaching here.
+			if currentAppStatus.TargetRevisions == nil || len(currentAppStatus.TargetRevisions) == 0 {
+				currentAppStatus.TargetRevisions = app.Status.GetRevisions()
+			}
 		}

 		appOutdated := false
@@ -1169,20 +1152,25 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 			currentAppStatus.Status = "Waiting"
 			currentAppStatus.Message = "Application has pending changes, setting status to Waiting."
 			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+			currentAppStatus.TargetRevisions = app.Status.GetRevisions()
 		}

 		if currentAppStatus.Status == "Pending" {
-			// check for successful syncs started less than 10s before the Application transitioned to Pending
-			// this covers race conditions where syncs initiated by RollingSync miraculously have a sync time before the transition to Pending state occurred (could be a few seconds)
-			if operationPhaseString == "Succeeded" && app.Status.OperationState.StartedAt.Add(time.Duration(10)*time.Second).After(currentAppStatus.LastTransitionTime.Time) {
-				if !app.Status.OperationState.StartedAt.After(currentAppStatus.LastTransitionTime.Time) {
-					logCtx.Warnf("Application %v was synced less than 10s prior to entering Pending status, we'll assume the AppSet controller triggered this sync and update its status to Progressing", app.Name)
+			if operationPhaseString == "Succeeded" {
+				revisions := []string{}
+				if len(app.Status.OperationState.SyncResult.Revisions) > 0 {
+					revisions = app.Status.OperationState.SyncResult.Revisions
+				} else if app.Status.OperationState.SyncResult.Revision != "" {
+					revisions = append(revisions, app.Status.OperationState.SyncResult.Revision)
+				}
+
+				if reflect.DeepEqual(currentAppStatus.TargetRevisions, revisions) {
+					logCtx.Infof("Application %v has completed a sync successfully, updating its ApplicationSet status to Progressing", app.Name)
+					currentAppStatus.LastTransitionTime = &now
+					currentAppStatus.Status = "Progressing"
+					currentAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing."
+					currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
 				}
-				logCtx.Infof("Application %v has completed a sync successfully, updating its ApplicationSet status to Progressing", app.Name)
-				currentAppStatus.LastTransitionTime = &now
-				currentAppStatus.Status = "Progressing"
-				currentAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing."
-				currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
 			} else if operationPhaseString == "Running" || healthStatusString == "Progressing" {
 				logCtx.Infof("Application %v has entered Progressing status, updating its ApplicationSet status to Progressing", app.Name)
 				currentAppStatus.LastTransitionTime = &now
@@ -1251,7 +1239,6 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 		}

 		for _, appStatus := range applicationSet.Status.ApplicationStatus {
-
 			maxUpdateAllowed := true
 			maxUpdate := &intstr.IntOrString{}
 			if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
@@ -1274,7 +1261,6 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 					maxUpdateAllowed = false
 					logCtx.Infof("Application %v is not allowed to update yet, %v/%v Applications already updating in step %v in AppSet %v", appStatus.Application, updateCountMap[appStepMap[appStatus.Application]], maxUpdateVal, appStepMap[appStatus.Application]+1, applicationSet.Name)
 				}
-
 			}

 			if appStatus.Status == "Waiting" && appSyncMap[appStatus.Application] && maxUpdateAllowed {
@@ -1300,7 +1286,6 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 }

 func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusConditions(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet) ([]argov1alpha1.ApplicationSetCondition, error) {
-
 	appSetProgressing := false
 	for _, appStatus := range applicationSet.Status.ApplicationStatus {
 		if appStatus.Status != "Healthy" {
@@ -1351,7 +1336,107 @@ func findApplicationStatusIndex(appStatuses []argov1alpha1.ApplicationSetApplica
 	return -1
 }

-// setApplicationSetApplicationStatus updates the ApplicatonSet's status field
+// migrateStatus run migrations on the status subresource of ApplicationSet early during the run of ApplicationSetReconciler.Reconcile
+// this handles any defaulting of values - which would otherwise cause the references to r.Client.Status().Update to fail given missing required fields.
+func (r *ApplicationSetReconciler) migrateStatus(ctx context.Context, appset *argov1alpha1.ApplicationSet) error {
+	update := false
+	if statusList := appset.Status.ApplicationStatus; statusList != nil {
+		for idx := range statusList {
+			if statusList[idx].TargetRevisions == nil {
+				statusList[idx].TargetRevisions = []string{}
+				update = true
+			}
+		}
+	}
+
+	if update {
+		if err := r.Client.Status().Update(ctx, appset); err != nil {
+			return fmt.Errorf("unable to set application set status: %w", err)
+		}
+	}
+	return nil
+}
+
+func (r *ApplicationSetReconciler) updateResourcesStatus(ctx context.Context, logCtx *log.Entry, appset *argov1alpha1.ApplicationSet, apps []argov1alpha1.Application) error {
+	statusMap := getResourceStatusMap(appset)
+	statusMap = buildResourceStatus(statusMap, apps)
+
+	statuses := []argov1alpha1.ResourceStatus{}
+	for _, status := range statusMap {
+		statuses = append(statuses, status)
+	}
+	appset.Status.Resources = statuses
+
+	namespacedName := types.NamespacedName{Namespace: appset.Namespace, Name: appset.Name}
+	err := r.Client.Status().Update(ctx, appset)
+	if err != nil {
+		logCtx.Errorf("unable to set application set status: %v", err)
+		return fmt.Errorf("unable to set application set status: %w", err)
+	}
+
+	if err := r.Get(ctx, namespacedName, appset); err != nil {
+		if client.IgnoreNotFound(err) != nil {
+			return nil
+		}
+		return fmt.Errorf("error fetching updated application set: %w", err)
+	}
+
+	return nil
+}
+
+func buildResourceStatus(statusMap map[string]argov1alpha1.ResourceStatus, apps []argov1alpha1.Application) map[string]argov1alpha1.ResourceStatus {
+	appMap := map[string]argov1alpha1.Application{}
+	for _, app := range apps {
+		appCopy := app
+		appMap[app.Name] = app
+
+		gvk := app.GroupVersionKind()
+		// Create status if it does not exist
+		status, ok := statusMap[app.Name]
+		if !ok {
+			status = argov1alpha1.ResourceStatus{
+				Group:     gvk.Group,
+				Version:   gvk.Version,
+				Kind:      gvk.Kind,
+				Name:      app.Name,
+				Namespace: app.Namespace,
+				Status:    app.Status.Sync.Status,
+				Health:    &appCopy.Status.Health,
+			}
+		}
+
+		status.Group = gvk.Group
+		status.Version = gvk.Version
+		status.Kind = gvk.Kind
+		status.Name = app.Name
+		status.Namespace = app.Namespace
+		status.Status = app.Status.Sync.Status
+		status.Health = &appCopy.Status.Health
+
+		statusMap[app.Name] = status
+	}
+	cleanupDeletedApplicationStatuses(statusMap, appMap)
+
+	return statusMap
+}
+
+func getResourceStatusMap(appset *argov1alpha1.ApplicationSet) map[string]argov1alpha1.ResourceStatus {
+	statusMap := map[string]argov1alpha1.ResourceStatus{}
+	for _, status := range appset.Status.Resources {
+		statusMap[status.Name] = status
+	}
+	return statusMap
+}
+
+func cleanupDeletedApplicationStatuses(statusMap map[string]argov1alpha1.ResourceStatus, apps map[string]argov1alpha1.Application) {
+	for name := range statusMap {
+		if _, ok := apps[name]; !ok {
+			delete(statusMap, name)
+		}
+	}
+}
+
+// setApplicationSetApplicationStatus updates the ApplicationSet's status field
 // with any new/changed Application statuses.
 func (r *ApplicationSetReconciler) setAppSetApplicationStatus(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, applicationStatuses []argov1alpha1.ApplicationSetApplicationStatus) error {
 	needToUpdateStatus := false
@@ -1386,16 +1471,15 @@ func (r *ApplicationSetReconciler) setAppSetApplicationStatus(ctx context.Contex
 		// Update the newly fetched object with new set of ApplicationStatus
 		err := r.Client.Status().Update(ctx, applicationSet)
 		if err != nil {
-
 			logCtx.Errorf("unable to set application set status: %v", err)
-			return fmt.Errorf("unable to set application set status: %v", err)
+			return fmt.Errorf("unable to set application set status: %w", err)
 		}

 		if err := r.Get(ctx, namespacedName, applicationSet); err != nil {
 			if client.IgnoreNotFound(err) != nil {
 				return nil
 			}
-			return fmt.Errorf("error fetching updated application set: %v", err)
+			return fmt.Errorf("error fetching updated application set: %w", err)
 		}
 	}

@@ -1432,7 +1516,6 @@ func (r *ApplicationSetReconciler) syncValidApplications(logCtx *log.Entry, appl

 // used by the RollingSync Progressive Sync strategy to trigger a sync of a particular Application resource
 func syncApplication(application argov1alpha1.Application, prune bool) (argov1alpha1.Application, error) {
-
 	operation := argov1alpha1.Operation{
 		InitiatedBy: argov1alpha1.OperationInitiator{
 			Username:  "applicationset-controller",
@@ -1528,10 +1611,13 @@ func shouldRequeueApplicationSet(appOld *argov1alpha1.Application, appNew *argov
 	}

 	// the applicationset controller owns the application spec, labels, annotations, and finalizers on the applications
-	if !reflect.DeepEqual(appOld.Spec, appNew.Spec) ||
-		!reflect.DeepEqual(appOld.ObjectMeta.GetAnnotations(), appNew.ObjectMeta.GetAnnotations()) ||
-		!reflect.DeepEqual(appOld.ObjectMeta.GetLabels(), appNew.ObjectMeta.GetLabels()) ||
-		!reflect.DeepEqual(appOld.ObjectMeta.GetFinalizers(), appNew.ObjectMeta.GetFinalizers()) {
+	// reflect.DeepEqual considers nil slices/maps not equal to empty slices/maps
+	// https://pkg.go.dev/reflect#DeepEqual
+	// ApplicationDestination has an unexported field so we can just use the == for comparison
+	if !cmp.Equal(appOld.Spec, appNew.Spec, cmpopts.EquateEmpty(), cmpopts.EquateComparable(argov1alpha1.ApplicationDestination{})) ||
+		!cmp.Equal(appOld.ObjectMeta.GetAnnotations(), appNew.ObjectMeta.GetAnnotations(), cmpopts.EquateEmpty()) ||
+		!cmp.Equal(appOld.ObjectMeta.GetLabels(), appNew.ObjectMeta.GetLabels(), cmpopts.EquateEmpty()) ||
+		!cmp.Equal(appOld.ObjectMeta.GetFinalizers(), appNew.ObjectMeta.GetFinalizers(), cmpopts.EquateEmpty()) {
 		return true
 	}

--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/clustereventhandler.go
+++ b/applicationset/controllers/clustereventhandler.go
@@ -19,25 +19,25 @@ import (
 // clusterSecretEventHandler is used when watching Secrets to check if they are ArgoCD Cluster Secrets, and if so
 // requeue any related ApplicationSets.
 type clusterSecretEventHandler struct {
-	//handler.EnqueueRequestForOwner
+	// handler.EnqueueRequestForOwner
 	Log    log.FieldLogger
 	Client client.Client
 }

-func (h *clusterSecretEventHandler) Create(e event.CreateEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(q, e.Object)
+func (h *clusterSecretEventHandler) Create(ctx context.Context, e event.CreateEvent, q workqueue.RateLimitingInterface) {
+	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

-func (h *clusterSecretEventHandler) Update(e event.UpdateEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(q, e.ObjectNew)
+func (h *clusterSecretEventHandler) Update(ctx context.Context, e event.UpdateEvent, q workqueue.RateLimitingInterface) {
+	h.queueRelatedAppGenerators(ctx, q, e.ObjectNew)
 }

-func (h *clusterSecretEventHandler) Delete(e event.DeleteEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(q, e.Object)
+func (h *clusterSecretEventHandler) Delete(ctx context.Context, e event.DeleteEvent, q workqueue.RateLimitingInterface) {
+	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

-func (h *clusterSecretEventHandler) Generic(e event.GenericEvent, q workqueue.RateLimitingInterface) {
-	h.queueRelatedAppGenerators(q, e.Object)
+func (h *clusterSecretEventHandler) Generic(ctx context.Context, e event.GenericEvent, q workqueue.RateLimitingInterface) {
+	h.queueRelatedAppGenerators(ctx, q, e.Object)
 }

 // addRateLimitingInterface defines the Add method of workqueue.RateLimitingInterface, allow us to easily mock
@@ -46,7 +46,7 @@ type addRateLimitingInterface interface {
 	Add(item interface{})
 }

-func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingInterface, object client.Object) {
+func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Context, q addRateLimitingInterface, object client.Object) {
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
 	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
 		return
@@ -58,7 +58,7 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 	}).Info("processing event for cluster secret")

 	appSetList := &argoprojiov1alpha1.ApplicationSetList{}
-	err := h.Client.List(context.Background(), appSetList)
+	err := h.Client.List(ctx, appSetList)
 	if err != nil {
 		h.Log.WithError(err).Error("unable to list ApplicationSets")
 		return
@@ -66,7 +66,6 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI

 	h.Log.WithField("count", len(appSetList.Items)).Info("listed ApplicationSets")
 	for _, appSet := range appSetList.Items {
-
 		foundClusterGenerator := false
 		for _, generator := range appSet.Spec.Generators {
 			if generator.Clusters != nil {
@@ -109,7 +108,6 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 			}
 		}
 		if foundClusterGenerator {
-
 			// TODO: only queue the AppGenerator if the labels match this cluster
 			req := ctrl.Request{NamespacedName: types.NamespacedName{Namespace: appSet.Namespace, Name: appSet.Name}}
 			q.Add(req)
--- a/applicationset/controllers/clustereventhandler_test.go
+++ b/applicationset/controllers/clustereventhandler_test.go
@@ -1,10 +1,12 @@
 package controllers

 import (
+	"context"
 	"testing"

 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -19,13 +21,12 @@ import (
 )

 func TestClusterEventHandler(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := argov1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)

 	err = argov1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)

 	tests := []struct {
 		name             string
@@ -534,9 +535,7 @@ func TestClusterEventHandler(t *testing.T) {
 	}

 	for _, test := range tests {
-
 		t.Run(test.name, func(t *testing.T) {
-
 			appSetList := argov1alpha1.ApplicationSetList{
 				Items: test.items,
 			}
@@ -550,14 +549,12 @@ func TestClusterEventHandler(t *testing.T) {

 			mockAddRateLimitingInterface := mockAddRateLimitingInterface{}

-			handler.queueRelatedAppGenerators(&mockAddRateLimitingInterface, &test.secret)
+			handler.queueRelatedAppGenerators(context.Background(), &mockAddRateLimitingInterface, &test.secret)

 			assert.False(t, mockAddRateLimitingInterface.errorOccurred)
 			assert.ElementsMatch(t, mockAddRateLimitingInterface.addedItems, test.expectedRequests)
-
 		})
 	}
-
 }

 // Add checks the type, and adds it to the internal list of received additions
@@ -581,7 +578,7 @@ func TestNestedGeneratorHasClusterGenerator_NestedClusterGenerator(t *testing.T)

 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)

-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.True(t, hasClusterGenerator)
 }

@@ -608,7 +605,7 @@ func TestNestedGeneratorHasClusterGenerator_NestedMergeGenerator(t *testing.T) {

 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)

-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.True(t, hasClusterGenerator)
 }

@@ -635,6 +632,6 @@ func TestNestedGeneratorHasClusterGenerator_NestedMergeGeneratorWithInvalidJSON(

 	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)

-	assert.NotNil(t, err)
+	require.Error(t, err)
 	assert.False(t, hasClusterGenerator)
 }
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -25,7 +26,7 @@ func TestRequeueAfter(t *testing.T) {
 	ctx := context.Background()
 	scheme := runtime.NewScheme()
 	err := argov1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	gvrToListKind := map[schema.GroupVersionResource]string{{
 		Group:    "mallard.io",
 		Version:  "v1",
@@ -59,7 +60,7 @@ func TestRequeueAfter(t *testing.T) {
 	terminalGenerators := map[string]generators.Generator{
 		"List":                    generators.NewListGenerator(),
 		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
-		"Git":                     generators.NewGitGenerator(mockServer),
+		"Git":                     generators.NewGitGenerator(mockServer, "namespace"),
 		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}, "", []string{""}, true),
 		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
 		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}, "", []string{""}, true),
--- a/applicationset/controllers/templatePatch.go
+++ b/applicationset/controllers/templatePatch.go
@@ -11,14 +11,12 @@ import (
 )

 func applyTemplatePatch(app *appv1.Application, templatePatch string) (*appv1.Application, error) {
-
 	appString, err := json.Marshal(app)
 	if err != nil {
 		return nil, fmt.Errorf("error while marhsalling Application %w", err)
 	}

 	convertedTemplatePatch, err := utils.ConvertYAMLToJSON(templatePatch)
-
 	if err != nil {
 		return nil, fmt.Errorf("error while converting template to json %q: %w", convertedTemplatePatch, err)
 	}
@@ -28,7 +26,6 @@ func applyTemplatePatch(app *appv1.Application, templatePatch string) (*appv1.Ap
 	}

 	data, err := strategicpatch.StrategicMergePatch(appString, []byte(convertedTemplatePatch), appv1.Application{})
-
 	if err != nil {
 		return nil, fmt.Errorf("error while applying templatePatch template to json %q: %w", convertedTemplatePatch, err)
 	}
--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@@ -38,7 +38,6 @@ type ClusterGenerator struct {
 var render = &utils.Render{}

 func NewClusterGenerator(c client.Client, ctx context.Context, clientset kubernetes.Interface, namespace string) Generator {
-
 	settingsManager := settings.NewSettingsManager(ctx, clientset, namespace)

 	g := &ClusterGenerator{
@@ -61,8 +60,7 @@ func (g *ClusterGenerator) GetTemplate(appSetGenerator *argoappsetv1alpha1.Appli
 	return &appSetGenerator.Clusters.Template
 }

-func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator, appSet *argoappsetv1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator, appSet *argoappsetv1alpha1.ApplicationSet, _ client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -95,12 +93,10 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 	secretsFound := []corev1.Secret{}

 	for _, cluster := range clustersFromArgoCD.Items {
-
 		// If there is a secret for this cluster, then it's a non-local cluster, so it will be
 		// handled by the next step.
 		if secretForCluster, exists := clusterSecrets[cluster.Name]; exists {
 			secretsFound = append(secretsFound, secretForCluster)
-
 		} else if !ignoreLocalClusters {
 			// If there is no secret for the cluster, it's the local cluster, so handle it here.
 			params := map[string]interface{}{}
@@ -185,5 +181,4 @@ func (g *ClusterGenerator) getSecretsByClusterName(appSetGenerator *argoappsetv1
 	}

 	return res, nil
-
 }
--- a/applicationset/generators/cluster_test.go
+++ b/applicationset/generators/cluster_test.go
@@ -17,6 +17,7 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 type possiblyErroringFakeCtrlRuntimeClient struct {
@@ -104,11 +105,15 @@ func TestGenerateParams(t *testing.T) {
 				"aaa":   "{{ server }}",
 				"no-op": "{{ this-does-not-exist }}",
 			}, expected: []map[string]interface{}{
-				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "production", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "production", "values.aaa": "https://production-01.example.com", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
+				{
+					"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "production", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "production", "values.aaa": "https://production-01.example.com", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production",
+				},

-				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "staging", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "staging", "values.aaa": "https://staging-01.example.com", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
+				{
+					"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "staging", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "staging", "values.aaa": "https://staging-01.example.com", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging",
+				},

 				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "{{ metadata.annotations.foo.argoproj.io }}", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "{{ metadata.labels.environment }}", "values.aaa": "https://kubernetes.default.svc", "nameNormalized": "in-cluster", "name": "in-cluster", "server": "https://kubernetes.default.svc"},
 			},
@@ -124,11 +129,15 @@ func TestGenerateParams(t *testing.T) {
 			},
 			values: nil,
 			expected: []map[string]interface{}{
-				{"name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
+				{
+					"name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production",
+				},

-				{"name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
+				{
+					"name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -144,8 +153,10 @@ func TestGenerateParams(t *testing.T) {
 				"foo": "bar",
 			},
 			expected: []map[string]interface{}{
-				{"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
+				{
+					"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -168,10 +179,14 @@ func TestGenerateParams(t *testing.T) {
 				"foo": "bar",
 			},
 			expected: []map[string]interface{}{
-				{"values.foo": "bar", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
-				{"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
+				{
+					"values.foo": "bar", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging",
+				},
+				{
+					"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -197,8 +212,10 @@ func TestGenerateParams(t *testing.T) {
 				"name": "baz",
 			},
 			expected: []map[string]interface{}{
-				{"values.name": "baz", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
-					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
+				{
+					"values.name": "baz", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging",
+				},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -220,9 +237,7 @@ func TestGenerateParams(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)

 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
@@ -231,7 +246,7 @@ func TestGenerateParams(t *testing.T) {
 				testCase.clientError,
 			}

-			var clusterGenerator = NewClusterGenerator(cl, context.Background(), appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, context.Background(), appClientset, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -245,15 +260,14 @@ func TestGenerateParams(t *testing.T) {
 					Selector: testCase.selector,
 					Values:   testCase.values,
 				},
-			}, &applicationSetInfo)
+			}, &applicationSetInfo, nil)

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCase.expected, got)
 			}
-
 		})
 	}
 }
@@ -594,9 +608,7 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)

 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
@@ -605,7 +617,7 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 				testCase.clientError,
 			}

-			var clusterGenerator = NewClusterGenerator(cl, context.Background(), appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, context.Background(), appClientset, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -621,15 +633,14 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 					Selector: testCase.selector,
 					Values:   testCase.values,
 				},
-			}, &applicationSetInfo)
+			}, &applicationSetInfo, nil)

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCase.expected, got)
 			}
-
 		})
 	}
 }
--- a/applicationset/generators/duck_type.go
+++ b/applicationset/generators/duck_type.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	log "github.com/sirupsen/logrus"
+	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/argoproj/argo-cd/v2/util/settings"

@@ -32,7 +33,6 @@ type DuckTypeGenerator struct {
 }

 func NewDuckTypeGenerator(ctx context.Context, dynClient dynamic.Interface, clientset kubernetes.Interface, namespace string) Generator {
-
 	settingsManager := settings.NewSettingsManager(ctx, clientset, namespace)

 	g := &DuckTypeGenerator{
@@ -46,7 +46,6 @@ func NewDuckTypeGenerator(ctx context.Context, dynClient dynamic.Interface, clie
 }

 func (g *DuckTypeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) time.Duration {
-
 	// Return a requeue default of 3 minutes, if no override is specified.

 	if appSetGenerator.ClusterDecisionResource.RequeueAfterSeconds != nil {
@@ -60,8 +59,7 @@ func (g *DuckTypeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.Appl
 	return &appSetGenerator.ClusterDecisionResource.Template
 }

-func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -83,7 +81,6 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A

 	// Read the configMapRef
 	cm, err := g.clientset.CoreV1().ConfigMaps(g.namespace).Get(g.ctx, appSetGenerator.ClusterDecisionResource.ConfigMapRef, metav1.GetOptions{})
-
 	if err != nil {
 		return nil, fmt.Errorf("error reading configMapRef: %w", err)
 	}
@@ -104,7 +101,6 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A

 	if (resourceName == "" && labelSelector.MatchLabels == nil && labelSelector.MatchExpressions == nil) ||
 		(resourceName != "" && (labelSelector.MatchExpressions != nil || labelSelector.MatchLabels != nil)) {
-
 		log.Warningf("You must choose either resourceName=%v, labelSelector.matchLabels=%v or labelSelect.matchExpressions=%v", resourceName, labelSelector.MatchLabels, labelSelector.MatchExpressions)
 		return nil, fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator")
 	}
@@ -122,12 +118,11 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 		log.WithField("listOptions.LabelSelector", listOptions.LabelSelector).Info("selection type")
 	} else {
 		listOptions.FieldSelector = fields.OneTermEqualSelector("metadata.name", resourceName).String()
-		//metav1.Convert_fields_Selector_To_string(fields.).Sprintf("metadata.name=%s", resourceName)
+		// metav1.Convert_fields_Selector_To_string(fields.).Sprintf("metadata.name=%s", resourceName)
 		log.WithField("listOptions.FieldSelector", listOptions.FieldSelector).Info("selection type")
 	}

 	duckResources, err := g.dynClient.Resource(duckGVR).Namespace(g.namespace).List(g.ctx, listOptions)
-
 	if err != nil {
 		log.WithField("GVK", duckGVR).Warning("resources were not found")
 		return nil, err
@@ -149,7 +144,6 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 	if matchKey == "" {
 		log.WithField("matchKey", matchKey).Warning("matchKey not found in " + cm.Name)
 		return nil, nil
-
 	}

 	res := []map[string]interface{}{}
@@ -167,7 +161,6 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 		log.WithField("duckResourceStatus", duckResource.Object["status"]).Debug("found resource")

 		clusterDecisions = append(clusterDecisions, duckResource.Object["status"].(map[string]interface{})[statusListKey].([]interface{})...)
-
 	}
 	log.Infof("Number of decisions found: %v", len(clusterDecisions))

@@ -176,7 +169,6 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A

 	if len(clusterDecisions) > 0 {
 		for _, cluster := range clusterDecisions {
-
 			// generated instance of cluster params
 			params := map[string]interface{}{}

@@ -194,7 +186,6 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A

 			for _, argoCluster := range argoClusters {
 				if argoCluster.Name == strMatchValue {
-
 					log.WithField(matchKey, argoCluster.Name).Info("matched cluster in ArgoCD")
 					params["name"] = argoCluster.Name
 					params["server"] = argoCluster.Server
@@ -202,7 +193,6 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 					found = true
 					break // Stop looking
 				}
-
 			}

 			if !found {
--- a/applicationset/generators/duck_type_test.go
+++ b/applicationset/generators/duck_type_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -18,9 +19,11 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

-const resourceApiVersion = "mallard.io/v1"
-const resourceKind = "ducks"
-const resourceName = "quak"
+const (
+	resourceApiVersion = "mallard.io/v1"
+	resourceKind       = "ducks"
+	resourceName       = "quak"
+)

 func TestGenerateParamsForDuckType(t *testing.T) {
 	clusters := []client.Object{
@@ -279,9 +282,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			appClientset := kubefake.NewSimpleClientset(append(runtimeClusters, configMap)...)

 			gvrToListKind := map[schema.GroupVersionResource]string{{
@@ -292,7 +293,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {

 			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)

-			var duckTypeGenerator = NewDuckTypeGenerator(context.Background(), fakeDynClient, appClientset, "namespace")
+			duckTypeGenerator := NewDuckTypeGenerator(context.Background(), fakeDynClient, appClientset, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -308,12 +309,12 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 					LabelSelector: testCase.labelSelector,
 					Values:        testCase.values,
 				},
-			}, &applicationSetInfo)
+			}, &applicationSetInfo, nil)

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCase.expected, got)
 			}
 		})
@@ -577,9 +578,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			appClientset := kubefake.NewSimpleClientset(append(runtimeClusters, configMap)...)

 			gvrToListKind := map[schema.GroupVersionResource]string{{
@@ -590,7 +589,7 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {

 			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)

-			var duckTypeGenerator = NewDuckTypeGenerator(context.Background(), fakeDynClient, appClientset, "namespace")
+			duckTypeGenerator := NewDuckTypeGenerator(context.Background(), fakeDynClient, appClientset, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -608,12 +607,12 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 					LabelSelector: testCase.labelSelector,
 					Values:        testCase.values,
 				},
-			}, &applicationSetInfo)
+			}, &applicationSetInfo, nil)

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCase.expected, got)
 			}
 		})
--- a/applicationset/generators/generator_spec_processor.go
+++ b/applicationset/generators/generator_spec_processor.go
@@ -5,6 +5,7 @@ import (
 	"reflect"

 	"github.com/jeremywohl/flatten"
+	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/argoproj/argo-cd/v2/applicationset/utils"

@@ -26,7 +27,7 @@ type TransformResult struct {
 }

 // Transform a spec generator to list of paramSets and a template
-func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}) ([]TransformResult, error) {
+func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}, client client.Client) ([]TransformResult, error) {
 	// This is a custom version of the `LabelSelectorAsSelector` that is in k8s.io/apimachinery. This has been copied
 	// verbatim from that package, with the difference that we do not have any restrictions on label values. This is done
 	// so that, among other things, we can match on cluster urls.
@@ -64,7 +65,7 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 				continue
 			}
 		}
-		params, err = g.GenerateParams(interpolatedGenerator, appSet)
+		params, err = g.GenerateParams(interpolatedGenerator, appSet, client)
 		if err != nil {
 			log.WithError(err).WithField("generator", g).
 				Error("error generating params")
--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@@ -65,8 +65,8 @@ func TestMatchValues(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			var listGenerator = NewListGenerator()
-			var data = map[string]Generator{
+			listGenerator := NewListGenerator()
+			data := map[string]Generator{
 				"List": listGenerator,
 			}

@@ -84,12 +84,13 @@ func TestMatchValues(t *testing.T) {
 				List: &argov1alpha1.ListGenerator{
 					Elements: testCase.elements,
 					Template: emptyTemplate(),
-				}},
+				},
+			},
 				data,
 				emptyTemplate(),
-				&applicationSetInfo, nil)
+				&applicationSetInfo, nil, nil)

-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.ElementsMatch(t, testCase.expected, results[0].Params)
 		})
 	}
@@ -148,8 +149,8 @@ func TestMatchValuesGoTemplate(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			var listGenerator = NewListGenerator()
-			var data = map[string]Generator{
+			listGenerator := NewListGenerator()
+			data := map[string]Generator{
 				"List": listGenerator,
 			}

@@ -167,12 +168,13 @@ func TestMatchValuesGoTemplate(t *testing.T) {
 				List: &argov1alpha1.ListGenerator{
 					Elements: testCase.elements,
 					Template: emptyTemplate(),
-				}},
+				},
+			},
 				data,
 				emptyTemplate(),
-				&applicationSetInfo, nil)
+				&applicationSetInfo, nil, nil)

-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.ElementsMatch(t, testCase.expected, results[0].Params)
 		})
 	}
@@ -236,12 +238,13 @@ func TestTransForm(t *testing.T) {
 						Selector: metav1.LabelSelector{},
 						Template: argov1alpha1.ApplicationSetTemplate{},
 						Values:   nil,
-					}},
+					},
+				},
 				testGenerators,
 				emptyTemplate(),
-				&applicationSetInfo, nil)
+				&applicationSetInfo, nil, nil)

-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.ElementsMatch(t, testCase.expected, results[0].Params)
 		})
 	}
@@ -343,12 +346,11 @@ func getMockClusterGenerator() Generator {
 func getMockGitGenerator() Generator {
 	argoCDServiceMock := mocks.Repos{}
 	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
-	var gitGenerator = NewGitGenerator(&argoCDServiceMock)
+	gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
 	return gitGenerator
 }

 func TestGetRelevantGenerators(t *testing.T) {
-
 	testGenerators := map[string]Generator{
 		"Clusters": getMockClusterGenerator(),
 		"Git":      getMockGitGenerator(),
@@ -361,7 +363,8 @@ func TestGetRelevantGenerators(t *testing.T) {
 	requestedGenerator := &argov1alpha1.ApplicationSetGenerator{
 		List: &argov1alpha1.ListGenerator{
 			Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
-		}}
+		},
+	}

 	relevantGenerators := GetRelevantGenerators(requestedGenerator, testGenerators)
 	assert.Len(t, relevantGenerators, 1)
@@ -404,7 +407,8 @@ func TestInterpolateGenerator(t *testing.T) {
 					"path-basename":                  "{{path.basename}}",
 					"path-zero":                      "{{path[0]}}",
 					"path-full":                      "{{path}}",
-				}},
+				},
+			},
 		},
 	}
 	gitGeneratorParams := map[string]interface{}{
@@ -458,7 +462,8 @@ func TestInterpolateGenerator_go(t *testing.T) {
 					"path-zero":                      "{{index .path.segments 0}}",
 					"path-full":                      "{{.path.path}}",
 					"kubernetes.io/environment":      `{{default "foo" .my_label}}`,
-				}},
+				},
+			},
 		},
 	}
 	gitGeneratorParams := map[string]interface{}{
@@ -550,7 +555,7 @@ func TestInterpolateGeneratorError(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := InterpolateGenerator(tt.args.requestedGenerator, tt.args.params, tt.args.useGoTemplate, tt.args.goTemplateOptions)
 			if tt.expectedErrStr != "" {
-				assert.EqualError(t, err, tt.expectedErrStr)
+				require.EqualError(t, err, tt.expectedErrStr)
 			} else {
 				require.NoError(t, err)
 			}
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -11,23 +11,29 @@ import (

 	"github.com/jeremywohl/flatten"
 	log "github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

 	"github.com/argoproj/argo-cd/v2/applicationset/services"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/gpg"
 )

 var _ Generator = (*GitGenerator)(nil)

 type GitGenerator struct {
-	repos services.Repos
+	repos     services.Repos
+	namespace string
 }

-func NewGitGenerator(repos services.Repos) Generator {
+func NewGitGenerator(repos services.Repos, namespace string) Generator {
 	g := &GitGenerator{
-		repos: repos,
+		repos:     repos,
+		namespace: namespace,
 	}
+
 	return g
 }

@@ -36,7 +42,6 @@ func (g *GitGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.Applicati
 }

 func (g *GitGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) time.Duration {
-
 	// Return a requeue default of 3 minutes, if no default is specified.

 	if appSetGenerator.Git.RequeueAfterSeconds != nil {
@@ -46,8 +51,7 @@ func (g *GitGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Appli
 	return DefaultRequeueAfterSeconds
 }

-func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -58,12 +62,31 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic

 	noRevisionCache := appSet.RefreshRequired()

+	verifyCommit := false
+
+	// When the project field is templated, the contents of the git repo are required to run the git generator and get the templated value,
+	// but git generator cannot be called without verifying the commit signature.
+	// In this case, we skip the signature verification.
+	if !strings.Contains(appSet.Spec.Template.Spec.Project, "{{") {
+		project := appSet.Spec.Template.Spec.Project
+		appProject := &argoprojiov1alpha1.AppProject{}
+		namespace := g.namespace
+		if namespace == "" {
+			namespace = appSet.Namespace
+		}
+		if err := client.Get(context.TODO(), types.NamespacedName{Name: project, Namespace: namespace}, appProject); err != nil {
+			return nil, fmt.Errorf("error getting project %s: %w", project, err)
+		}
+		// we need to verify the signature on the Git revision if GPG is enabled
+		verifyCommit = appProject.Spec.SignatureKeys != nil && len(appProject.Spec.SignatureKeys) > 0 && gpg.IsGPGEnabled()
+	}
+
 	var err error
 	var res []map[string]interface{}
 	if len(appSetGenerator.Git.Directories) != 0 {
-		res, err = g.generateParamsForGitDirectories(appSetGenerator, noRevisionCache, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
+		res, err = g.generateParamsForGitDirectories(appSetGenerator, noRevisionCache, verifyCommit, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 	} else if len(appSetGenerator.Git.Files) != 0 {
-		res, err = g.generateParamsForGitFiles(appSetGenerator, noRevisionCache, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
+		res, err = g.generateParamsForGitFiles(appSetGenerator, noRevisionCache, verifyCommit, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 	} else {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -74,10 +97,9 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic
 	return res, nil
 }

-func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache bool, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
-
+func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache, verifyCommit bool, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
 	// Directories, not files
-	allPaths, err := g.repos.GetDirectories(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, noRevisionCache)
+	allPaths, err := g.repos.GetDirectories(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, noRevisionCache, verifyCommit)
 	if err != nil {
 		return nil, fmt.Errorf("error getting directories from repo: %w", err)
 	}
@@ -100,12 +122,11 @@ func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoproj
 	return res, nil
 }

-func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache bool, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
-
+func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache, verifyCommit bool, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
 	// Get all files that match the requested path string, removing duplicates
 	allFiles := make(map[string][]byte)
 	for _, requestedPath := range appSetGenerator.Git.Files {
-		files, err := g.repos.GetFiles(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, requestedPath.Path, noRevisionCache)
+		files, err := g.repos.GetFiles(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, requestedPath.Path, noRevisionCache, verifyCommit)
 		if err != nil {
 			return nil, err
 		}
@@ -125,11 +146,10 @@ func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1al
 	// Generate params from each path, and return
 	res := []map[string]interface{}{}
 	for _, path := range allPaths {
-
 		// A JSON / YAML file path can contain multiple sets of parameters (ie it is an array)
 		paramsArray, err := g.generateParamsFromGitFile(path, allFiles[path], appSetGenerator.Git.Values, useGoTemplate, goTemplateOptions, appSetGenerator.Git.PathParamPrefix)
 		if err != nil {
-			return nil, fmt.Errorf("unable to process file '%s': %v", path, err)
+			return nil, fmt.Errorf("unable to process file '%s': %w", path, err)
 		}

 		res = append(res, paramsArray...)
@@ -147,7 +167,7 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 		singleObj := make(map[string]interface{})
 		err = yaml.Unmarshal(fileContent, &singleObj)
 		if err != nil {
-			return nil, fmt.Errorf("unable to parse file: %v", err)
+			return nil, fmt.Errorf("unable to parse file: %w", err)
 		}
 		objectsFound = append(objectsFound, singleObj)
 	} else if len(objectsFound) == 0 {
@@ -158,7 +178,6 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 	res := []map[string]interface{}{}

 	for _, objectFound := range objectsFound {
-
 		params := map[string]interface{}{}

 		if useGoTemplate {
@@ -214,13 +233,13 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 	return res, nil
 }

-func (g *GitGenerator) filterApps(Directories []argoprojiov1alpha1.GitDirectoryGeneratorItem, allPaths []string) []string {
+func (g *GitGenerator) filterApps(directories []argoprojiov1alpha1.GitDirectoryGeneratorItem, allPaths []string) []string {
 	res := []string{}
 	for _, appPath := range allPaths {
 		appInclude := false
 		appExclude := false
 		// Iterating over each appPath and check whether directories object has requestedPath that matches the appPath
-		for _, requestedPath := range Directories {
+		for _, requestedPath := range directories {
 			match, err := path.Match(requestedPath.Path, appPath)
 			if err != nil {
 				log.WithError(err).WithField("requestedPath", requestedPath).
@@ -245,7 +264,6 @@ func (g *GitGenerator) filterApps(Directories []argoprojiov1alpha1.GitDirectoryG
 func (g *GitGenerator) generateParamsFromApps(requestedApps []string, appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
 	res := make([]map[string]interface{}, len(requestedApps))
 	for i, a := range requestedApps {
-
 		params := make(map[string]interface{}, 5)

 		if useGoTemplate {
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@@ -4,11 +4,16 @@ import (
 	"fmt"
 	"testing"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 func Test_generateParamsFromGitFile(t *testing.T) {
@@ -174,7 +179,6 @@ foo:
 }

 func TestGitGenerateParamsFromDirectories(t *testing.T) {
-
 	cases := []struct {
 		name            string
 		directories     []argoprojiov1alpha1.GitDirectoryGeneratorItem
@@ -317,9 +321,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {

 			argoCDServiceMock := mocks.Repos{}

-			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			var gitGenerator = NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -337,12 +341,19 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				},
 			}

-			got, err := gitGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			scheme := runtime.NewScheme()
+			err := v1alpha1.AddToScheme(scheme)
+			require.NoError(t, err)
+			appProject := argoprojiov1alpha1.AppProject{}
+
+			client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+			got, err := gitGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, client)

 			if testCaseCopy.expectedError != nil {
-				assert.EqualError(t, err, testCaseCopy.expectedError.Error())
+				require.EqualError(t, err, testCaseCopy.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}

@@ -352,7 +363,6 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 }

 func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
-
 	cases := []struct {
 		name            string
 		directories     []argoprojiov1alpha1.GitDirectoryGeneratorItem
@@ -552,7 +562,6 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]interface{}{
-
 				{
 					"path": map[string]interface{}{
 						"path":               "app1",
@@ -613,9 +622,9 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {

 			argoCDServiceMock := mocks.Repos{}

-			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			var gitGenerator = NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -633,23 +642,28 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 				},
 			}

-			got, err := gitGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			scheme := runtime.NewScheme()
+			err := v1alpha1.AddToScheme(scheme)
+			require.NoError(t, err)
+			appProject := argoprojiov1alpha1.AppProject{}
+
+			client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+			got, err := gitGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, client)

 			if testCaseCopy.expectedError != nil {
-				assert.EqualError(t, err, testCaseCopy.expectedError.Error())
+				require.EqualError(t, err, testCaseCopy.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}

 			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
-
 }

 func TestGitGenerateParamsFromFiles(t *testing.T) {
-
 	cases := []struct {
 		name string
 		// files is the list of paths/globs to match
@@ -972,10 +986,10 @@ cluster:
 			t.Parallel()

 			argoCDServiceMock := mocks.Repos{}
-			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			var gitGenerator = NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -992,13 +1006,20 @@ cluster:
 				},
 			}

-			got, err := gitGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			scheme := runtime.NewScheme()
+			err := v1alpha1.AddToScheme(scheme)
+			require.NoError(t, err)
+			appProject := argoprojiov1alpha1.AppProject{}
+
+			client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+			got, err := gitGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, client)
 			fmt.Println(got, err)

 			if testCaseCopy.expectedError != nil {
-				assert.EqualError(t, err, testCaseCopy.expectedError.Error())
+				require.EqualError(t, err, testCaseCopy.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}

@@ -1008,7 +1029,6 @@ cluster:
 }

 func TestGitGenerateParamsFromFilesGoTemplate(t *testing.T) {
-
 	cases := []struct {
 		name string
 		// files is the list of paths/globs to match
@@ -1322,10 +1342,10 @@ cluster:
 			t.Parallel()

 			argoCDServiceMock := mocks.Repos{}
-			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			var gitGenerator = NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1342,13 +1362,20 @@ cluster:
 				},
 			}

-			got, err := gitGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			scheme := runtime.NewScheme()
+			err := v1alpha1.AddToScheme(scheme)
+			require.NoError(t, err)
+			appProject := argoprojiov1alpha1.AppProject{}
+
+			client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+			got, err := gitGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, client)
 			fmt.Println(got, err)

 			if testCaseCopy.expectedError != nil {
-				assert.EqualError(t, err, testCaseCopy.expectedError.Error())
+				require.EqualError(t, err, testCaseCopy.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}

@@ -1356,3 +1383,114 @@ cluster:
 		})
 	}
 }
+
+func TestGitGenerator_GenerateParams(t *testing.T) {
+	cases := []struct {
+		name               string
+		directories        []argoprojiov1alpha1.GitDirectoryGeneratorItem
+		pathParamPrefix    string
+		repoApps           []string
+		repoPathsError     error
+		repoFileContents   map[string][]byte
+		values             map[string]string
+		expected           []map[string]interface{}
+		expectedError      error
+		appset             argoprojiov1alpha1.ApplicationSet
+		callGetDirectories bool
+	}{
+		{
+			name: "Signature Verification - ignores templated project field",
+			repoApps: []string{
+				"app1",
+			},
+			repoPathsError: nil,
+			appset: argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "set",
+					Namespace: "namespace",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{
+						Git: &argoprojiov1alpha1.GitGenerator{
+							RepoURL:         "RepoURL",
+							Revision:        "Revision",
+							Directories:     []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "*"}},
+							PathParamPrefix: "",
+							Values: map[string]string{
+								"foo": "bar",
+							},
+						},
+					}},
+					Template: argoprojiov1alpha1.ApplicationSetTemplate{
+						Spec: argoprojiov1alpha1.ApplicationSpec{
+							Project: "{{.project}}",
+						},
+					},
+				},
+			},
+			callGetDirectories: true,
+			expected:           []map[string]interface{}{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
+			expectedError:      nil,
+		},
+		{
+			name: "Signature Verification - Checks for non-templated project field",
+			repoApps: []string{
+				"app1",
+			},
+			repoPathsError: nil,
+			appset: argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "set",
+					Namespace: "namespace",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{
+						Git: &argoprojiov1alpha1.GitGenerator{
+							RepoURL:         "RepoURL",
+							Revision:        "Revision",
+							Directories:     []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "*"}},
+							PathParamPrefix: "",
+							Values: map[string]string{
+								"foo": "bar",
+							},
+						},
+					}},
+					Template: argoprojiov1alpha1.ApplicationSetTemplate{
+						Spec: argoprojiov1alpha1.ApplicationSpec{
+							Project: "project",
+						},
+					},
+				},
+			},
+			callGetDirectories: false,
+			expected:           []map[string]interface{}{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
+			expectedError:      fmt.Errorf("error getting project project: appprojects.argoproj.io \"project\" not found"),
+		},
+	}
+	for _, testCase := range cases {
+		argoCDServiceMock := mocks.Repos{}
+
+		if testCase.callGetDirectories {
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
+		}
+		gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
+
+		scheme := runtime.NewScheme()
+		err := v1alpha1.AddToScheme(scheme)
+		require.NoError(t, err)
+		appProject := argoprojiov1alpha1.AppProject{}
+
+		client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+		got, err := gitGenerator.GenerateParams(&testCase.appset.Spec.Generators[0], &testCase.appset, client)
+
+		if testCase.expectedError != nil {
+			require.EqualError(t, err, testCase.expectedError.Error())
+		} else {
+			require.NoError(t, err)
+			assert.Equal(t, testCase.expected, got)
+		}
+
+		argoCDServiceMock.AssertExpectations(t)
+	}
+}
--- a/applicationset/generators/interface.go
+++ b/applicationset/generators/interface.go
@@ -4,15 +4,19 @@ import (
 	"fmt"
 	"time"

+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

+//go:generate go run github.com/vektra/mockery/v2@v2.40.2 --name=Generator
+
 // Generator defines the interface implemented by all ApplicationSet generators.
 type Generator interface {
 	// GenerateParams interprets the ApplicationSet and generates all relevant parameters for the application template.
 	// The expected / desired list of parameters is returned, it then will be render and reconciled
 	// against the current state of the Applications in the cluster.
-	GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error)
+	GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]interface{}, error)

 	// GetRequeueAfter is the generator can controller the next reconciled loop
 	// In case there is more then one generator the time will be the minimum of the times.
@@ -23,8 +27,10 @@ type Generator interface {
 	GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate
 }

-var EmptyAppSetGeneratorError = fmt.Errorf("ApplicationSet is empty")
-var NoRequeueAfter time.Duration
+var (
+	EmptyAppSetGeneratorError = fmt.Errorf("ApplicationSet is empty")
+	NoRequeueAfter            time.Duration
+)

 // DefaultRequeueAfterSeconds is used when GetRequeueAfter is not specified, it is the default time to wait before the next reconcile loop
 const (
--- a/applicationset/generators/list.go
+++ b/applicationset/generators/list.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"time"

+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -12,8 +13,7 @@ import (

 var _ Generator = (*ListGenerator)(nil)

-type ListGenerator struct {
-}
+type ListGenerator struct{}

 func NewListGenerator() Generator {
 	g := &ListGenerator{}
@@ -28,7 +28,7 @@ func (g *ListGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.Applicat
 	return &appSetGenerator.List.Template
 }

-func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -44,7 +44,7 @@ func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appli
 		var element map[string]interface{}
 		err := json.Unmarshal(tmpItem.Raw, &element)
 		if err != nil {
-			return nil, fmt.Errorf("error unmarshling list element %v", err)
+			return nil, fmt.Errorf("error unmarshling list element %w", err)
 		}

 		if appSet.Spec.GoTemplate {
@@ -59,14 +59,14 @@ func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appli
 					for k, v := range values {
 						value, ok := v.(string)
 						if !ok {
-							return nil, fmt.Errorf("error parsing value as string %v", err)
+							return nil, fmt.Errorf("error parsing value as string %w", err)
 						}
 						params[fmt.Sprintf("values.%s", k)] = value
 					}
 				} else {
 					v, ok := value.(string)
 					if !ok {
-						return nil, fmt.Errorf("error parsing value as string %v", err)
+						return nil, fmt.Errorf("error parsing value as string %w", err)
 					}
 					params[key] = v
 				}
@@ -77,11 +77,10 @@ func (g *ListGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appli

 	// Append elements from ElementsYaml to the response
 	if len(appSetGenerator.List.ElementsYaml) > 0 {
-
 		var yamlElements []map[string]interface{}
 		err := yaml.Unmarshal([]byte(appSetGenerator.List.ElementsYaml), &yamlElements)
 		if err != nil {
-			return nil, fmt.Errorf("error unmarshling decoded ElementsYaml %v", err)
+			return nil, fmt.Errorf("error unmarshling decoded ElementsYaml %w", err)
 		}
 		res = append(res, yamlElements...)
 	}
--- a/applicationset/generators/list_test.go
+++ b/applicationset/generators/list_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

@@ -25,8 +26,7 @@ func TestGenerateListParams(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
-		var listGenerator = NewListGenerator()
+		listGenerator := NewListGenerator()

 		applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 			ObjectMeta: metav1.ObjectMeta{
@@ -38,11 +38,11 @@ func TestGenerateListParams(t *testing.T) {
 		got, err := listGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
 			List: &argoprojiov1alpha1.ListGenerator{
 				Elements: testCase.elements,
-			}}, &applicationSetInfo)
+			},
+		}, &applicationSetInfo, nil)

-		assert.NoError(t, err)
+		require.NoError(t, err)
 		assert.ElementsMatch(t, testCase.expected, got)
-
 	}
 }

@@ -61,8 +61,7 @@ func TestGenerateListParamsGoTemplate(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
-		var listGenerator = NewListGenerator()
+		listGenerator := NewListGenerator()

 		applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 			ObjectMeta: metav1.ObjectMeta{
@@ -76,9 +75,10 @@ func TestGenerateListParamsGoTemplate(t *testing.T) {
 		got, err := listGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
 			List: &argoprojiov1alpha1.ListGenerator{
 				Elements: testCase.elements,
-			}}, &applicationSetInfo)
+			},
+		}, &applicationSetInfo, nil)

-		assert.NoError(t, err)
+		require.NoError(t, err)
 		assert.ElementsMatch(t, testCase.expected, got)
 	}
 }
--- a/applicationset/generators/matrix.go
+++ b/applicationset/generators/matrix.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	"github.com/imdario/mergo"
+	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -32,8 +33,7 @@ func NewMatrixGenerator(supportedGenerators map[string]Generator) Generator {
 	return m
 }

-func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator.Matrix == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -48,17 +48,16 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App

 	res := []map[string]interface{}{}

-	g0, err := m.getParams(appSetGenerator.Matrix.Generators[0], appSet, nil)
+	g0, err := m.getParams(appSetGenerator.Matrix.Generators[0], appSet, nil, client)
 	if err != nil {
 		return nil, fmt.Errorf("error failed to get params for first generator in matrix generator: %w", err)
 	}
 	for _, a := range g0 {
-		g1, err := m.getParams(appSetGenerator.Matrix.Generators[1], appSet, a)
+		g1, err := m.getParams(appSetGenerator.Matrix.Generators[1], appSet, a, client)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get params for second generator in the matrix generator: %w", err)
 		}
 		for _, b := range g1 {
-
 			if appSet.Spec.GoTemplate {
 				tmp := map[string]interface{}{}
 				if err := mergo.Merge(&tmp, b, mergo.WithOverride); err != nil {
@@ -81,7 +80,7 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 	return res, nil
 }

-func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]interface{}) ([]map[string]interface{}, error) {
+func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]interface{}, client client.Client) ([]map[string]interface{}, error) {
 	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
 	if err != nil {
 		return nil, err
@@ -119,10 +118,10 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli
 		m.supportedGenerators,
 		argoprojiov1alpha1.ApplicationSetTemplate{},
 		appSet,
-		params)
-
+		params,
+		client)
 	if err != nil {
-		return nil, fmt.Errorf("child generator returned an error on parameter generation: %v", err)
+		return nil, fmt.Errorf("child generator returned an error on parameter generation: %w", err)
 	}

 	if len(t) == 0 {
@@ -172,7 +171,6 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 	} else {
 		return NoRequeueAfter
 	}
-
 }

 func getMatrixGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MatrixGenerator, error) {
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@@ -19,11 +19,11 @@ import (
 	"github.com/stretchr/testify/mock"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 func TestMatrixGenerate(t *testing.T) {
-
 	gitGenerator := &argoprojiov1alpha1.GitGenerator{
 		RepoURL:     "RepoURL",
 		Revision:    "Revision",
@@ -147,12 +147,11 @@ func TestMatrixGenerate(t *testing.T) {
 			}

 			for _, g := range testCaseCopy.baseGenerators {
-
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]interface{}{
+				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]interface{}{
 					{
 						"path":                    "app1",
 						"path.basename":           "app1",
@@ -169,7 +168,7 @@ func TestMatrixGenerate(t *testing.T) {
 					Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
 			}

-			var matrixGenerator = NewMatrixGenerator(
+			matrixGenerator := NewMatrixGenerator(
 				map[string]Generator{
 					"Git":  genMock,
 					"List": &ListGenerator{},
@@ -181,22 +180,19 @@ func TestMatrixGenerate(t *testing.T) {
 					Generators: testCaseCopy.baseGenerators,
 					Template:   argoprojiov1alpha1.ApplicationSetTemplate{},
 				},
-			}, appSet)
+			}, appSet, nil)

 			if testCaseCopy.expectedErr != nil {
-				assert.ErrorIs(t, err, testCaseCopy.expectedErr)
+				require.ErrorIs(t, err, testCaseCopy.expectedErr)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
-
 	}
 }

 func TestMatrixGenerateGoTemplate(t *testing.T) {
-
 	gitGenerator := &argoprojiov1alpha1.GitGenerator{
 		RepoURL:     "RepoURL",
 		Revision:    "Revision",
@@ -360,12 +356,11 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 			}

 			for _, g := range testCaseCopy.baseGenerators {
-
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]interface{}{
+				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]interface{}{
 					{
 						"path": map[string]string{
 							"path":               "app1",
@@ -386,7 +381,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 					Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
 			}

-			var matrixGenerator = NewMatrixGenerator(
+			matrixGenerator := NewMatrixGenerator(
 				map[string]Generator{
 					"Git":  genMock,
 					"List": &ListGenerator{},
@@ -398,22 +393,19 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 					Generators: testCaseCopy.baseGenerators,
 					Template:   argoprojiov1alpha1.ApplicationSetTemplate{},
 				},
-			}, appSet)
+			}, appSet, nil)

 			if testCaseCopy.expectedErr != nil {
-				assert.ErrorIs(t, err, testCaseCopy.expectedErr)
+				require.ErrorIs(t, err, testCaseCopy.expectedErr)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
-
 	}
 }

 func TestMatrixGetRequeueAfter(t *testing.T) {
-
 	gitGenerator := &argoprojiov1alpha1.GitGenerator{
 		RepoURL:     "RepoURL",
 		Revision:    "Revision",
@@ -530,7 +522,7 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
 			}

-			var matrixGenerator = NewMatrixGenerator(
+			matrixGenerator := NewMatrixGenerator(
 				map[string]Generator{
 					"Git":                     mock,
 					"List":                    &ListGenerator{},
@@ -548,9 +540,7 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 			})

 			assert.Equal(t, testCaseCopy.expected, got)
-
 		})
-
 	}
 }

@@ -655,10 +645,9 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 				fakeClient,
 				testCase.clientError,
 			}
-			var clusterGenerator = NewClusterGenerator(cl, context.Background(), appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, context.Background(), appClientset, "namespace")

 			for _, g := range testCaseCopy.baseGenerators {
-
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
 					Git:      g.Git,
 					Clusters: g.Clusters,
@@ -678,7 +667,7 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 				genMock.On("GetTemplate", &gitGeneratorSpec).
 					Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
 			}
-			var matrixGenerator = NewMatrixGenerator(
+			matrixGenerator := NewMatrixGenerator(
 				map[string]Generator{
 					"Git":      genMock,
 					"Clusters": clusterGenerator,
@@ -690,15 +679,14 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 					Generators: testCaseCopy.baseGenerators,
 					Template:   argoprojiov1alpha1.ApplicationSetTemplate{},
 				},
-			}, appSet)
+			}, appSet, nil)

 			if testCaseCopy.expectedErr != nil {
-				assert.ErrorIs(t, err, testCaseCopy.expectedErr)
+				require.ErrorIs(t, err, testCaseCopy.expectedErr)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
 	}
 }
@@ -838,16 +826,14 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 				fakeClient,
 				testCase.clientError,
 			}
-			var clusterGenerator = NewClusterGenerator(cl, context.Background(), appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, context.Background(), appClientset, "namespace")

 			for _, g := range testCaseCopy.baseGenerators {
-
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
 					Git:      g.Git,
 					Clusters: g.Clusters,
 				}
 				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]interface{}{
-
 					{
 						"path": map[string]string{
 							"path":               "examples/git-generator-files-discovery/cluster-config/dev/config.json",
@@ -866,7 +852,7 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 				genMock.On("GetTemplate", &gitGeneratorSpec).
 					Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
 			}
-			var matrixGenerator = NewMatrixGenerator(
+			matrixGenerator := NewMatrixGenerator(
 				map[string]Generator{
 					"Git":      genMock,
 					"Clusters": clusterGenerator,
@@ -878,22 +864,19 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 					Generators: testCaseCopy.baseGenerators,
 					Template:   argoprojiov1alpha1.ApplicationSetTemplate{},
 				},
-			}, appSet)
+			}, appSet, nil)

 			if testCaseCopy.expectedErr != nil {
-				assert.ErrorIs(t, err, testCaseCopy.expectedErr)
+				require.ErrorIs(t, err, testCaseCopy.expectedErr)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
-
 	}
 }

 func TestMatrixGenerateListElementsYaml(t *testing.T) {
-
 	gitGenerator := &argoprojiov1alpha1.GitGenerator{
 		RepoURL:  "RepoURL",
 		Revision: "Revision",
@@ -997,7 +980,6 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 			}

 			for _, g := range testCaseCopy.baseGenerators {
-
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
 					Git:  g.Git,
 					List: g.List,
@@ -1029,10 +1011,9 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 				}}, nil)
 				genMock.On("GetTemplate", &gitGeneratorSpec).
 					Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
-
 			}

-			var matrixGenerator = NewMatrixGenerator(
+			matrixGenerator := NewMatrixGenerator(
 				map[string]Generator{
 					"Git":  genMock,
 					"List": &ListGenerator{},
@@ -1044,17 +1025,15 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 					Generators: testCaseCopy.baseGenerators,
 					Template:   argoprojiov1alpha1.ApplicationSetTemplate{},
 				},
-			}, appSet)
+			}, appSet, nil)

 			if testCaseCopy.expectedErr != nil {
-				assert.ErrorIs(t, err, testCaseCopy.expectedErr)
+				require.ErrorIs(t, err, testCaseCopy.expectedErr)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
-
 	}
 }

@@ -1068,7 +1047,7 @@ func (g *generatorMock) GetTemplate(appSetGenerator *argoprojiov1alpha1.Applicat
 	return args.Get(0).(*argoprojiov1alpha1.ApplicationSetTemplate)
 }

-func (g *generatorMock) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (g *generatorMock) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]interface{}, error) {
 	args := g.Called(appSetGenerator, appSet)

 	return args.Get(0).([]map[string]interface{}), args.Error(1)
@@ -1078,7 +1057,6 @@ func (g *generatorMock) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Appl
 	args := g.Called(appSetGenerator)

 	return args.Get(0).(time.Duration)
-
 }

 func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
@@ -1108,10 +1086,10 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	}

 	repoServiceMock := &mocks.Repos{}
-	repoServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
+	repoServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
 		"some/path.json": []byte("test: content"),
 	}, nil)
-	gitGenerator := NewGitGenerator(repoServiceMock)
+	gitGenerator := NewGitGenerator(repoServiceMock, "")

 	matrixGenerator := NewMatrixGenerator(map[string]Generator{
 		"List": listGeneratorMock,
@@ -1134,9 +1112,17 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 			},
 		},
 	}
+
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+	appProject := argoprojiov1alpha1.AppProject{}
+
+	client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
 	params, err := matrixGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
 		Matrix: matrixGeneratorSpec,
-	}, &argoprojiov1alpha1.ApplicationSet{})
+	}, &argoprojiov1alpha1.ApplicationSet{}, client)
 	require.NoError(t, err)
 	assert.Equal(t, []map[string]interface{}{{
 		"path":                    "some",
--- a/applicationset/generators/merge.go
+++ b/applicationset/generators/merge.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	"github.com/imdario/mergo"
+	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -36,10 +37,10 @@ func NewMergeGenerator(supportedGenerators map[string]Generator) Generator {

 // getParamSetsForAllGenerators generates params for each child generator in a MergeGenerator. Param sets are returned
 // in slices ordered according to the order of the given generators.
-func (m *MergeGenerator) getParamSetsForAllGenerators(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([][]map[string]interface{}, error) {
+func (m *MergeGenerator) getParamSetsForAllGenerators(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([][]map[string]interface{}, error) {
 	var paramSets [][]map[string]interface{}
 	for i, generator := range generators {
-		generatorParamSets, err := m.getParams(generator, appSet)
+		generatorParamSets, err := m.getParams(generator, appSet, client)
 		if err != nil {
 			return nil, fmt.Errorf("error getting params from generator %d of %d: %w", i+1, len(generators), err)
 		}
@@ -50,7 +51,7 @@ func (m *MergeGenerator) getParamSetsForAllGenerators(generators []argoprojiov1a
 }

 // GenerateParams gets the params produced by the MergeGenerator.
-func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator.Merge == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -59,7 +60,7 @@ func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appl
 		return nil, ErrLessThanTwoGeneratorsInMerge
 	}

-	paramSetsFromGenerators, err := m.getParamSetsForAllGenerators(appSetGenerator.Merge.Generators, appSet)
+	paramSetsFromGenerators, err := m.getParamSetsForAllGenerators(appSetGenerator.Merge.Generators, appSet, client)
 	if err != nil {
 		return nil, fmt.Errorf("error getting param sets from generators: %w", err)
 	}
@@ -77,7 +78,6 @@ func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appl

 		for mergeKeyValue, baseParamSet := range baseParamSetsByMergeKey {
 			if overrideParamSet, exists := paramSetsByMergeKey[mergeKeyValue]; exists {
-
 				if appSet.Spec.GoTemplate {
 					if err := mergo.Merge(&baseParamSet, overrideParamSet, mergo.WithOverride); err != nil {
 						return nil, fmt.Errorf("error merging base param set with override param set: %w", err)
@@ -95,7 +95,7 @@ func (m *MergeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Appl
 	}

 	mergedParamSets := make([]map[string]interface{}, len(baseParamSetsByMergeKey))
-	var i = 0
+	i := 0
 	for _, mergedParamSet := range baseParamSetsByMergeKey {
 		mergedParamSets[i] = mergedParamSet
 		i += 1
@@ -138,7 +138,7 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface
 }

 // getParams get the parameters generated by this generator.
-func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]interface{}, error) {
 	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
 	if err != nil {
 		return nil, err
@@ -176,10 +176,9 @@ func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Applic
 		m.supportedGenerators,
 		argoprojiov1alpha1.ApplicationSetTemplate{},
 		appSet,
-		map[string]interface{}{})
-
+		map[string]interface{}{}, client)
 	if err != nil {
-		return nil, fmt.Errorf("child generator returned an error on parameter generation: %v", err)
+		return nil, fmt.Errorf("child generator returned an error on parameter generation: %w", err)
 	}

 	if len(t) == 0 {
@@ -227,7 +226,6 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 	} else {
 		return NoRequeueAfter
 	}
-
 }

 func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MergeGenerator, error) {
--- a/applicationset/generators/merge_test.go
+++ b/applicationset/generators/merge_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -49,7 +50,6 @@ func listOfMapsToSet(maps []map[string]interface{}) (map[string]bool, error) {
 }

 func TestMergeGenerate(t *testing.T) {
-
 	testCases := []struct {
 		name           string
 		baseGenerators []argoprojiov1alpha1.ApplicationSetNestedGenerator
@@ -156,7 +156,7 @@ func TestMergeGenerate(t *testing.T) {

 			appSet := &argoprojiov1alpha1.ApplicationSet{}

-			var mergeGenerator = NewMergeGenerator(
+			mergeGenerator := NewMergeGenerator(
 				map[string]Generator{
 					"List": &ListGenerator{},
 					"Matrix": &MatrixGenerator{
@@ -178,18 +178,18 @@ func TestMergeGenerate(t *testing.T) {
 					MergeKeys:  testCaseCopy.mergeKeys,
 					Template:   argoprojiov1alpha1.ApplicationSetTemplate{},
 				},
-			}, appSet)
+			}, appSet, nil)

 			if testCaseCopy.expectedErr != nil {
-				assert.EqualError(t, err, testCaseCopy.expectedErr.Error())
+				require.EqualError(t, err, testCaseCopy.expectedErr.Error())
 			} else {
 				expectedSet, err := listOfMapsToSet(testCaseCopy.expected)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				actualSet, err := listOfMapsToSet(got)
-				assert.NoError(t, err)
+				require.NoError(t, err)

-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, expectedSet, actualSet)
 			}
 		})
@@ -197,7 +197,6 @@ func TestMergeGenerate(t *testing.T) {
 }

 func toAPIExtensionsJSON(t *testing.T, g interface{}) *apiextensionsv1.JSON {
-
 	resVal, err := json.Marshal(g)
 	if err != nil {
 		t.Error("unable to unmarshal json", g)
@@ -339,13 +338,11 @@ func TestParamSetsAreUniqueByMergeKeys(t *testing.T) {
 			got, err := getParamSetsByMergeKey(testCaseCopy.mergeKeys, testCaseCopy.paramSets)

 			if testCaseCopy.expectedErr != nil {
-				assert.EqualError(t, err, testCaseCopy.expectedErr.Error())
+				require.EqualError(t, err, testCaseCopy.expectedErr.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
-
 	}
 }
--- a/applicationset/generators/mocks/Generator.go
+++ b/applicationset/generators/mocks/Generator.go
@@ -0,0 +1,100 @@
+// Code generated by mockery v2.40.2. DO NOT EDIT.
+
+package mocks
+
+import (
+	client "sigs.k8s.io/controller-runtime/pkg/client"
+
+	mock "github.com/stretchr/testify/mock"
+
+	time "time"
+
+	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+// Generator is an autogenerated mock type for the Generator type
+type Generator struct {
+	mock.Mock
+}
+
+// GenerateParams provides a mock function with given fields: appSetGenerator, applicationSetInfo, _a2
+func (_m *Generator) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, applicationSetInfo *v1alpha1.ApplicationSet, _a2 client.Client) ([]map[string]interface{}, error) {
+	ret := _m.Called(appSetGenerator, applicationSetInfo, _a2)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GenerateParams")
+	}
+
+	var r0 []map[string]interface{}
+	var r1 error
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) ([]map[string]interface{}, error)); ok {
+		return rf(appSetGenerator, applicationSetInfo, _a2)
+	}
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) []map[string]interface{}); ok {
+		r0 = rf(appSetGenerator, applicationSetInfo, _a2)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]map[string]interface{})
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet, client.Client) error); ok {
+		r1 = rf(appSetGenerator, applicationSetInfo, _a2)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GetRequeueAfter provides a mock function with given fields: appSetGenerator
+func (_m *Generator) GetRequeueAfter(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration {
+	ret := _m.Called(appSetGenerator)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetRequeueAfter")
+	}
+
+	var r0 time.Duration
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) time.Duration); ok {
+		r0 = rf(appSetGenerator)
+	} else {
+		r0 = ret.Get(0).(time.Duration)
+	}
+
+	return r0
+}
+
+// GetTemplate provides a mock function with given fields: appSetGenerator
+func (_m *Generator) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate {
+	ret := _m.Called(appSetGenerator)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTemplate")
+	}
+
+	var r0 *v1alpha1.ApplicationSetTemplate
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate); ok {
+		r0 = rf(appSetGenerator)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.ApplicationSetTemplate)
+		}
+	}
+
+	return r0
+}
+
+// NewGenerator creates a new instance of Generator. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewGenerator(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *Generator {
+	mock := &Generator{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/applicationset/generators/plugin.go
+++ b/applicationset/generators/plugin.go
@@ -55,8 +55,7 @@ func (g *PluginGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.Applic
 	return &appSetGenerator.Plugin.Template
 }

-func (g *PluginGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
+func (g *PluginGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -94,7 +93,7 @@ func (g *PluginGenerator) getPluginFromGenerator(ctx context.Context, appSetName
 	}
 	token, err := g.getToken(ctx, cm["token"])
 	if err != nil {
-		return nil, fmt.Errorf("error fetching Secret token: %v", err)
+		return nil, fmt.Errorf("error fetching Secret token: %w", err)
 	}

 	var requestTimeout int
@@ -117,7 +116,6 @@ func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.App
 	res := []map[string]interface{}{}

 	for _, objectFound := range objectsFound {
-
 		params := map[string]interface{}{}

 		if useGoTemplate {
@@ -152,7 +150,6 @@ func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.App
 }

 func (g *PluginGenerator) getToken(ctx context.Context, tokenRef string) (string, error) {
-
 	if tokenRef == "" || !strings.HasPrefix(tokenRef, "$") {
 		return "", fmt.Errorf("token is empty, or does not reference a secret key starting with '$': %v", tokenRef)
 	}
@@ -167,9 +164,8 @@ func (g *PluginGenerator) getToken(ctx context.Context, tokenRef string) (string
 			Namespace: g.namespace,
 		},
 		secret)
-
 	if err != nil {
-		return "", fmt.Errorf("error fetching secret %s/%s: %v", g.namespace, secretName, err)
+		return "", fmt.Errorf("error fetching secret %s/%s: %w", g.namespace, secretName, err)
 	}

 	secretValues := make(map[string]string, len(secret.Data))
@@ -192,7 +188,6 @@ func (g *PluginGenerator) getConfigMap(ctx context.Context, configMapRef string)
 			Namespace: g.namespace,
 		},
 		cm)
-
 	if err != nil {
 		return nil, err
 	}
--- a/applicationset/generators/plugin_test.go
+++ b/applicationset/generators/plugin_test.go
@@ -631,9 +631,7 @@ func TestPluginGenerateParams(t *testing.T) {
 	ctx := context.Background()

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
-
 			generatorConfig := argoprojiov1alpha1.ApplicationSetGenerator{
 				Plugin: &argoprojiov1alpha1.PluginGenerator{
 					ConfigMapRef: argoprojiov1alpha1.PluginConfigMapRef{Name: testCase.configmap.Name},
@@ -645,10 +643,9 @@ func TestPluginGenerateParams(t *testing.T) {
 			}

 			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-
 				authHeader := r.Header.Get("Authorization")
 				_, tokenKey := plugin.ParseSecretKey(testCase.configmap.Data["token"])
-				expectedToken := testCase.secret.Data[strings.Replace(tokenKey, "$", "", -1)]
+				expectedToken := testCase.secret.Data[strings.ReplaceAll(tokenKey, "$", "")]
 				if authHeader != "Bearer "+string(expectedToken) {
 					w.WriteHeader(http.StatusUnauthorized)
 					return
@@ -657,7 +654,7 @@ func TestPluginGenerateParams(t *testing.T) {
 				w.Header().Set("Content-Type", "application/json")
 				_, err := w.Write(testCase.content)
 				if err != nil {
-					assert.NoError(t, fmt.Errorf("Error Write %v", err))
+					require.NoError(t, fmt.Errorf("Error Write %w", err))
 				}
 			})

@@ -673,7 +670,7 @@ func TestPluginGenerateParams(t *testing.T) {

 			fakeClientWithCache := fake.NewClientBuilder().WithObjects([]client.Object{testCase.configmap, testCase.secret}...).Build()

-			var pluginGenerator = NewPluginGenerator(fakeClientWithCache, ctx, fakeClient, "default")
+			pluginGenerator := NewPluginGenerator(fakeClientWithCache, ctx, fakeClient, "default")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -684,16 +681,15 @@ func TestPluginGenerateParams(t *testing.T) {
 				},
 			}

-			got, err := pluginGenerator.GenerateParams(&generatorConfig, &applicationSetInfo)
-
+			got, err := pluginGenerator.GenerateParams(&generatorConfig, &applicationSetInfo, nil)
 			if err != nil {
 				fmt.Println(err)
 			}

 			if testCase.expectedError != nil {
-				assert.EqualError(t, err, testCase.expectedError.Error())
+				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				expectedJson, err := json.Marshal(testCase.expected)
 				require.NoError(t, err)
 				gotJson, err := json.Marshal(got)
--- a/applicationset/generators/pull_request.go
+++ b/applicationset/generators/pull_request.go
@@ -56,7 +56,7 @@ func (g *PullRequestGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.A
 	return &appSetGenerator.PullRequest.Template
 }

-func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -73,7 +73,7 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha

 	pulls, err := pullrequest.ListPullRequests(ctx, svc, appSetGenerator.PullRequest.Filters)
 	if err != nil {
-		return nil, fmt.Errorf("error listing repos: %v", err)
+		return nil, fmt.Errorf("error listing repos: %w", err)
 	}
 	params := make([]map[string]interface{}, 0, len(pulls))

@@ -137,7 +137,7 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 		providerConfig := generatorConfig.GitLab
 		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Secret token: %v", err)
+			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
 		return pullrequest.NewGitLabService(ctx, token, providerConfig.API, providerConfig.Project, providerConfig.Labels, providerConfig.PullRequestState, g.scmRootCAPath, providerConfig.Insecure)
 	}
@@ -145,7 +145,7 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 		providerConfig := generatorConfig.Gitea
 		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Secret token: %v", err)
+			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
 		return pullrequest.NewGiteaService(ctx, token, providerConfig.API, providerConfig.Owner, providerConfig.Repo, providerConfig.Insecure)
 	}
@@ -154,7 +154,7 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 		if providerConfig.BasicAuth != nil {
 			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
 			if err != nil {
-				return nil, fmt.Errorf("error fetching Secret token: %v", err)
+				return nil, fmt.Errorf("error fetching Secret token: %w", err)
 			}
 			return pullrequest.NewBitbucketServiceBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.Repo)
 		} else {
@@ -166,13 +166,13 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 		if providerConfig.BearerToken != nil {
 			appToken, err := g.getSecretRef(ctx, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace)
 			if err != nil {
-				return nil, fmt.Errorf("error fetching Secret Bearer token: %v", err)
+				return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
 			}
 			return pullrequest.NewBitbucketCloudServiceBearerToken(providerConfig.API, appToken, providerConfig.Owner, providerConfig.Repo)
 		} else if providerConfig.BasicAuth != nil {
 			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
 			if err != nil {
-				return nil, fmt.Errorf("error fetching Secret token: %v", err)
+				return nil, fmt.Errorf("error fetching Secret token: %w", err)
 			}
 			return pullrequest.NewBitbucketCloudServiceBasicAuth(providerConfig.API, providerConfig.BasicAuth.Username, password, providerConfig.Owner, providerConfig.Repo)
 		} else {
@@ -183,7 +183,7 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 		providerConfig := generatorConfig.AzureDevOps
 		token, err := g.getSecretRef(ctx, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Secret token: %v", err)
+			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
 		return pullrequest.NewAzureDevOpsService(ctx, token, providerConfig.API, providerConfig.Organization, providerConfig.Project, providerConfig.Repo, providerConfig.Labels)
 	}
@@ -195,7 +195,7 @@ func (g *PullRequestGenerator) github(ctx context.Context, cfg *argoprojiov1alph
 	if cfg.AppSecretName != "" {
 		auth, err := g.auth.GitHubApps.GetAuthSecret(ctx, cfg.AppSecretName)
 		if err != nil {
-			return nil, fmt.Errorf("error getting GitHub App secret: %v", err)
+			return nil, fmt.Errorf("error getting GitHub App secret: %w", err)
 		}
 		return pullrequest.NewGithubAppService(*auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
 	}
@@ -203,7 +203,7 @@ func (g *PullRequestGenerator) github(ctx context.Context, cfg *argoprojiov1alph
 	// always default to token, even if not set (public access)
 	token, err := g.getSecretRef(ctx, cfg.TokenRef, applicationSetInfo.Namespace)
 	if err != nil {
-		return nil, fmt.Errorf("error fetching Secret token: %v", err)
+		return nil, fmt.Errorf("error fetching Secret token: %w", err)
 	}
 	return pullrequest.NewGithubService(ctx, token, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
 }
@@ -223,7 +223,7 @@ func (g *PullRequestGenerator) getSecretRef(ctx context.Context, ref *argoprojio
 		},
 		secret)
 	if err != nil {
-		return "", fmt.Errorf("error fetching secret %s/%s: %v", namespace, ref.SecretName, err)
+		return "", fmt.Errorf("error fetching secret %s/%s: %w", namespace, ref.SecretName, err)
 	}
 	tokenBytes, ok := secret.Data[ref.Key]
 	if !ok {
--- a/applicationset/generators/pull_request_test.go
+++ b/applicationset/generators/pull_request_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -203,8 +204,12 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			PullRequest: &argoprojiov1alpha1.PullRequestGenerator{},
 		}

-		got, gotErr := gen.GenerateParams(&generatorConfig, &c.applicationSet)
-		assert.Equal(t, c.expectedErr, gotErr)
+		got, gotErr := gen.GenerateParams(&generatorConfig, &c.applicationSet, nil)
+		if c.expectedErr != nil {
+			assert.Equal(t, c.expectedErr.Error(), gotErr.Error())
+		} else {
+			require.NoError(t, gotErr)
+		}
 		assert.ElementsMatch(t, c.expected, got)
 	}
 }
@@ -265,9 +270,9 @@ func TestPullRequestGetSecretRef(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 			token, err := gen.getSecretRef(ctx, c.ref, c.namespace)
 			if c.hasError {
-				assert.NotNil(t, err)
+				require.Error(t, err)
 			} else {
-				assert.Nil(t, err)
+				require.NoError(t, err)
 			}
 			assert.Equal(t, c.token, token)
 		})
@@ -343,9 +348,9 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 				},
 			}

-			_, err := pullRequestGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			_, err := pullRequestGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)

-			assert.Error(t, err, "Must return an error")
+			require.Error(t, err, "Must return an error")
 			assert.ErrorAs(t, err, testCaseCopy.expectedError)
 		})
 	}
@@ -369,6 +374,6 @@ func TestSCMProviderDisabled_PRGenerator(t *testing.T) {
 		},
 	}

-	_, err := generator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+	_, err := generator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)
 	assert.ErrorIs(t, err, ErrSCMProvidersDisabled)
 }
--- a/applicationset/generators/scm_provider.go
+++ b/applicationset/generators/scm_provider.go
@@ -108,7 +108,7 @@ func ScmProviderAllowed(applicationSetInfo *argoprojiov1alpha1.ApplicationSet, g
 	return NewErrDisallowedSCMProvider(url, allowedScmProviders)
 }

-func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetInfo *argoprojiov1alpha1.ApplicationSet, _ client.Client) ([]map[string]interface{}, error) {
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
 	}
@@ -141,20 +141,20 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	} else if providerConfig.Gitlab != nil {
 		token, err := g.getSecretRef(ctx, providerConfig.Gitlab.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Gitlab token: %v", err)
+			return nil, fmt.Errorf("error fetching Gitlab token: %w", err)
 		}
 		provider, err = scm_provider.NewGitlabProvider(ctx, providerConfig.Gitlab.Group, token, providerConfig.Gitlab.API, providerConfig.Gitlab.AllBranches, providerConfig.Gitlab.IncludeSubgroups, providerConfig.Gitlab.WillIncludeSharedProjects(), providerConfig.Gitlab.Insecure, g.scmRootCAPath, providerConfig.Gitlab.Topic)
 		if err != nil {
-			return nil, fmt.Errorf("error initializing Gitlab service: %v", err)
+			return nil, fmt.Errorf("error initializing Gitlab service: %w", err)
 		}
 	} else if providerConfig.Gitea != nil {
 		token, err := g.getSecretRef(ctx, providerConfig.Gitea.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Gitea token: %v", err)
+			return nil, fmt.Errorf("error fetching Gitea token: %w", err)
 		}
 		provider, err = scm_provider.NewGiteaProvider(ctx, providerConfig.Gitea.Owner, token, providerConfig.Gitea.API, providerConfig.Gitea.AllBranches, providerConfig.Gitea.Insecure)
 		if err != nil {
-			return nil, fmt.Errorf("error initializing Gitea service: %v", err)
+			return nil, fmt.Errorf("error initializing Gitea service: %w", err)
 		}
 	} else if providerConfig.BitbucketServer != nil {
 		providerConfig := providerConfig.BitbucketServer
@@ -162,38 +162,38 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if providerConfig.BasicAuth != nil {
 			password, err := g.getSecretRef(ctx, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
 			if err != nil {
-				return nil, fmt.Errorf("error fetching Secret token: %v", err)
+				return nil, fmt.Errorf("error fetching Secret token: %w", err)
 			}
 			provider, scmError = scm_provider.NewBitbucketServerProviderBasicAuth(ctx, providerConfig.BasicAuth.Username, password, providerConfig.API, providerConfig.Project, providerConfig.AllBranches)
 		} else {
 			provider, scmError = scm_provider.NewBitbucketServerProviderNoAuth(ctx, providerConfig.API, providerConfig.Project, providerConfig.AllBranches)
 		}
 		if scmError != nil {
-			return nil, fmt.Errorf("error initializing Bitbucket Server service: %v", scmError)
+			return nil, fmt.Errorf("error initializing Bitbucket Server service: %w", scmError)
 		}
 	} else if providerConfig.AzureDevOps != nil {
 		token, err := g.getSecretRef(ctx, providerConfig.AzureDevOps.AccessTokenRef, applicationSetInfo.Namespace)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Azure Devops access token: %v", err)
+			return nil, fmt.Errorf("error fetching Azure Devops access token: %w", err)
 		}
 		provider, err = scm_provider.NewAzureDevOpsProvider(ctx, token, providerConfig.AzureDevOps.Organization, providerConfig.AzureDevOps.API, providerConfig.AzureDevOps.TeamProject, providerConfig.AzureDevOps.AllBranches)
 		if err != nil {
-			return nil, fmt.Errorf("error initializing Azure Devops service: %v", err)
+			return nil, fmt.Errorf("error initializing Azure Devops service: %w", err)
 		}
 	} else if providerConfig.Bitbucket != nil {
 		appPassword, err := g.getSecretRef(ctx, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %v", err)
+			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %w", err)
 		}
 		provider, err = scm_provider.NewBitBucketCloudProvider(ctx, providerConfig.Bitbucket.Owner, providerConfig.Bitbucket.User, appPassword, providerConfig.Bitbucket.AllBranches)
 		if err != nil {
-			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %v", err)
+			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %w", err)
 		}
 	} else if providerConfig.AWSCodeCommit != nil {
 		var awsErr error
 		provider, awsErr = scm_provider.NewAWSCodeCommitProvider(ctx, providerConfig.AWSCodeCommit.TagFilters, providerConfig.AWSCodeCommit.Role, providerConfig.AWSCodeCommit.Region, providerConfig.AWSCodeCommit.AllBranches)
 		if awsErr != nil {
-			return nil, fmt.Errorf("error initializing AWS codecommit service: %v", awsErr)
+			return nil, fmt.Errorf("error initializing AWS codecommit service: %w", awsErr)
 		}
 	} else {
 		return nil, fmt.Errorf("no SCM provider implementation configured")
@@ -202,7 +202,7 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	// Find all the available repos.
 	repos, err := scm_provider.ListRepos(ctx, provider, providerConfig.Filters, providerConfig.CloneProtocol)
 	if err != nil {
-		return nil, fmt.Errorf("error listing repos: %v", err)
+		return nil, fmt.Errorf("error listing repos: %w", err)
 	}
 	paramsArray := make([]map[string]interface{}, 0, len(repos))
 	var shortSHALength int
@@ -254,7 +254,7 @@ func (g *SCMProviderGenerator) getSecretRef(ctx context.Context, ref *argoprojio
 		},
 		secret)
 	if err != nil {
-		return "", fmt.Errorf("error fetching secret %s/%s: %v", namespace, ref.SecretName, err)
+		return "", fmt.Errorf("error fetching secret %s/%s: %w", namespace, ref.SecretName, err)
 	}
 	tokenBytes, ok := secret.Data[ref.Key]
 	if !ok {
@@ -267,7 +267,7 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 	if github.AppSecretName != "" {
 		auth, err := g.GitHubApps.GetAuthSecret(ctx, github.AppSecretName)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching Github app secret: %v", err)
+			return nil, fmt.Errorf("error fetching Github app secret: %w", err)
 		}

 		return scm_provider.NewGithubAppProviderFor(
@@ -280,7 +280,7 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop

 	token, err := g.getSecretRef(ctx, github.TokenRef, applicationSetInfo.Namespace)
 	if err != nil {
-		return nil, fmt.Errorf("error fetching Github token: %v", err)
+		return nil, fmt.Errorf("error fetching Github token: %w", err)
 	}
 	return scm_provider.NewGithubProvider(ctx, github.Organization, token, github.API, github.AllBranches)
 }
--- a/applicationset/generators/scm_provider_test.go
+++ b/applicationset/generators/scm_provider_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -69,12 +70,11 @@ func TestSCMProviderGetSecretRef(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 			token, err := gen.getSecretRef(ctx, c.ref, c.namespace)
 			if c.hasError {
-				assert.NotNil(t, err)
+				require.Error(t, err)
 			} else {
-				assert.Nil(t, err)
+				require.NoError(t, err)
 			}
 			assert.Equal(t, c.token, token)
-
 		})
 	}
 }
@@ -188,15 +188,14 @@ func TestSCMProviderGenerateParams(t *testing.T) {
 				},
 			}

-			got, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			got, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)

 			if testCaseCopy.expectedError != nil {
 				assert.EqualError(t, err, testCaseCopy.expectedError.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
 	}
 }
@@ -282,9 +281,9 @@ func TestAllowedSCMProvider(t *testing.T) {
 				},
 			}

-			_, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+			_, err := scmGenerator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)

-			assert.Error(t, err, "Must return an error")
+			require.Error(t, err, "Must return an error")
 			assert.ErrorAs(t, err, testCaseCopy.expectedError)
 		})
 	}
@@ -308,6 +307,6 @@ func TestSCMProviderDisabled_SCMGenerator(t *testing.T) {
 		},
 	}

-	_, err := generator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo)
+	_, err := generator.GenerateParams(&applicationSetInfo.Spec.Generators[0], &applicationSetInfo, nil)
 	assert.ErrorIs(t, err, ErrSCMProvidersDisabled)
 }
--- a/applicationset/generators/value_interpolation.go
+++ b/applicationset/generators/value_interpolation.go
@@ -12,7 +12,6 @@ func appendTemplatedValues(values map[string]string, params map[string]interface

 	for key, value := range values {
 		result, err := replaceTemplatedString(value, params, useGoTemplate, goTemplateOptions)
-
 		if err != nil {
 			return fmt.Errorf("failed to replace templated string: %w", err)
 		}
--- a/applicationset/generators/value_interpolation_test.go
+++ b/applicationset/generators/value_interpolation_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestValueInterpolation(t *testing.T) {
@@ -53,10 +54,9 @@ func TestValueInterpolation(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
 			err := appendTemplatedValues(testCase.values, testCase.params, false, nil)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.EqualValues(t, testCase.expected, testCase.params)
 		})
 	}
@@ -115,10 +115,9 @@ func TestValueInterpolationWithGoTemplating(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-
 		t.Run(testCase.name, func(t *testing.T) {
 			err := appendTemplatedValues(testCase.values, testCase.params, true, nil)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.EqualValues(t, testCase.expected, testCase.params)
 		})
 	}
--- a/applicationset/services/internal/http/client.go
+++ b/applicationset/services/internal/http/client.go
@@ -66,7 +66,6 @@ func newClient(baseURL string, options ...ClientOptionFunc) (*Client, error) {
 }

 func (c *Client) NewRequest(method, path string, body interface{}, options []ClientOptionFunc) (*http.Request, error) {
-
 	// Make sure the given URL end with a slash
 	if !strings.HasSuffix(c.baseURL, "/") {
 		c.baseURL += "/"
@@ -135,14 +134,13 @@ func (c *Client) Do(ctx context.Context, req *http.Request, v interface{}) (*htt

 // CheckResponse checks the API response for errors, and returns them if present.
 func CheckResponse(resp *http.Response) error {
-
 	if c := resp.StatusCode; 200 <= c && c <= 299 {
 		return nil
 	}

 	data, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return fmt.Errorf("API error with status code %d: %v", resp.StatusCode, err)
+		return fmt.Errorf("API error with status code %d: %w", resp.StatusCode, err)
 	}

 	var raw map[string]interface{}
--- a/applicationset/services/internal/http/client_test.go
+++ b/applicationset/services/internal/http/client_test.go
@@ -17,14 +17,13 @@ func TestClient(t *testing.T) {
 		w.WriteHeader(http.StatusOK)
 		_, err := w.Write([]byte("Hello, World!"))
 		if err != nil {
-			assert.NoError(t, fmt.Errorf("Error Write %v", err))
+			assert.NoError(t, fmt.Errorf("Error Write %w", err))
 		}
 	}))
 	defer server.Close()

 	var clientOptionFns []ClientOptionFunc
 	_, err := NewClient(server.URL, clientOptionFns...)
-
 	if err != nil {
 		t.Fatalf("Failed to create client: %v", err)
 	}
@@ -62,7 +61,7 @@ func TestClientDo(t *testing.T) {
 					"key3": 123
 				 }]`))
 				if err != nil {
-					assert.NoError(t, fmt.Errorf("Error Write %v", err))
+					assert.NoError(t, fmt.Errorf("Error Write %w", err))
 				}
 			})),
 			clientOptionFns: nil,
@@ -105,7 +104,7 @@ func TestClientDo(t *testing.T) {
 					"key3": 123
 				 }]`))
 				if err != nil {
-					assert.NoError(t, fmt.Errorf("Error Write %v", err))
+					assert.NoError(t, fmt.Errorf("Error Write %w", err))
 				}
 			})),
 			clientOptionFns: nil,
@@ -119,13 +118,11 @@ func TestClientDo(t *testing.T) {
 			defer cc.fakeServer.Close()

 			client, err := NewClient(cc.fakeServer.URL, cc.clientOptionFns...)
-
 			if err != nil {
 				t.Fatalf("NewClient returned unexpected error: %v", err)
 			}

 			req, err := client.NewRequest("POST", "", cc.params, nil)
-
 			if err != nil {
 				t.Fatalf("NewRequest returned unexpected error: %v", err)
 			}
@@ -137,8 +134,8 @@ func TestClientDo(t *testing.T) {
 			if cc.expectedError != nil {
 				assert.EqualError(t, err, cc.expectedError.Error())
 			} else {
-				assert.Equal(t, resp.StatusCode, cc.expectedCode)
-				assert.Equal(t, data, cc.expected)
+				assert.Equal(t, cc.expectedCode, resp.StatusCode)
+				assert.Equal(t, cc.expected, data)
 				assert.NoError(t, err)
 			}
 		})
--- a/applicationset/services/mocks/Repos.go
+++ b/applicationset/services/mocks/Repos.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.25.1. DO NOT EDIT.
+// Code generated by mockery v2.40.2. DO NOT EDIT.

 package mocks

@@ -13,25 +13,29 @@ type Repos struct {
 	mock.Mock
 }

-// GetDirectories provides a mock function with given fields: ctx, repoURL, revision, noRevisionCache
-func (_m *Repos) GetDirectories(ctx context.Context, repoURL string, revision string, noRevisionCache bool) ([]string, error) {
-	ret := _m.Called(ctx, repoURL, revision, noRevisionCache)
+// GetDirectories provides a mock function with given fields: ctx, repoURL, revision, noRevisionCache, verifyCommit
+func (_m *Repos) GetDirectories(ctx context.Context, repoURL string, revision string, noRevisionCache bool, verifyCommit bool) ([]string, error) {
+	ret := _m.Called(ctx, repoURL, revision, noRevisionCache, verifyCommit)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDirectories")
+	}

 	var r0 []string
 	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, bool) ([]string, error)); ok {
-		return rf(ctx, repoURL, revision, noRevisionCache)
+	if rf, ok := ret.Get(0).(func(context.Context, string, string, bool, bool) ([]string, error)); ok {
+		return rf(ctx, repoURL, revision, noRevisionCache, verifyCommit)
 	}
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, bool) []string); ok {
-		r0 = rf(ctx, repoURL, revision, noRevisionCache)
+	if rf, ok := ret.Get(0).(func(context.Context, string, string, bool, bool) []string); ok {
+		r0 = rf(ctx, repoURL, revision, noRevisionCache, verifyCommit)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).([]string)
 		}
 	}

-	if rf, ok := ret.Get(1).(func(context.Context, string, string, bool) error); ok {
-		r1 = rf(ctx, repoURL, revision, noRevisionCache)
+	if rf, ok := ret.Get(1).(func(context.Context, string, string, bool, bool) error); ok {
+		r1 = rf(ctx, repoURL, revision, noRevisionCache, verifyCommit)
 	} else {
 		r1 = ret.Error(1)
 	}
@@ -39,25 +43,29 @@ func (_m *Repos) GetDirectories(ctx context.Context, repoURL string, revision st
 	return r0, r1
 }

-// GetFiles provides a mock function with given fields: ctx, repoURL, revision, pattern, noRevisionCache
-func (_m *Repos) GetFiles(ctx context.Context, repoURL string, revision string, pattern string, noRevisionCache bool) (map[string][]byte, error) {
-	ret := _m.Called(ctx, repoURL, revision, pattern, noRevisionCache)
+// GetFiles provides a mock function with given fields: ctx, repoURL, revision, pattern, noRevisionCache, verifyCommit
+func (_m *Repos) GetFiles(ctx context.Context, repoURL string, revision string, pattern string, noRevisionCache bool, verifyCommit bool) (map[string][]byte, error) {
+	ret := _m.Called(ctx, repoURL, revision, pattern, noRevisionCache, verifyCommit)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetFiles")
+	}

 	var r0 map[string][]byte
 	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, string, bool) (map[string][]byte, error)); ok {
-		return rf(ctx, repoURL, revision, pattern, noRevisionCache)
+	if rf, ok := ret.Get(0).(func(context.Context, string, string, string, bool, bool) (map[string][]byte, error)); ok {
+		return rf(ctx, repoURL, revision, pattern, noRevisionCache, verifyCommit)
 	}
-	if rf, ok := ret.Get(0).(func(context.Context, string, string, string, bool) map[string][]byte); ok {
-		r0 = rf(ctx, repoURL, revision, pattern, noRevisionCache)
+	if rf, ok := ret.Get(0).(func(context.Context, string, string, string, bool, bool) map[string][]byte); ok {
+		r0 = rf(ctx, repoURL, revision, pattern, noRevisionCache, verifyCommit)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(map[string][]byte)
 		}
 	}

-	if rf, ok := ret.Get(1).(func(context.Context, string, string, string, bool) error); ok {
-		r1 = rf(ctx, repoURL, revision, pattern, noRevisionCache)
+	if rf, ok := ret.Get(1).(func(context.Context, string, string, string, bool, bool) error); ok {
+		r1 = rf(ctx, repoURL, revision, pattern, noRevisionCache, verifyCommit)
 	} else {
 		r1 = ret.Error(1)
 	}
@@ -65,13 +73,12 @@ func (_m *Repos) GetFiles(ctx context.Context, repoURL string, revision string,
 	return r0, r1
 }

-type mockConstructorTestingTNewRepos interface {
+// NewRepos creates a new instance of Repos. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewRepos(t interface {
 	mock.TestingT
 	Cleanup(func())
-}
-
-// NewRepos creates a new instance of Repos. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewRepos(t mockConstructorTestingTNewRepos) *Repos {
+}) *Repos {
 	mock := &Repos{}
 	mock.Mock.Test(t)

--- a/applicationset/services/mocks/RepositoryDB.go
+++ b/applicationset/services/mocks/RepositoryDB.go
@@ -1,57 +0,0 @@
-// Code generated by mockery v2.21.1. DO NOT EDIT.
-
-package mocks
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-
-	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-)
-
-// RepositoryDB is an autogenerated mock type for the RepositoryDB type
-type RepositoryDB struct {
-	mock.Mock
-}
-
-// GetRepository provides a mock function with given fields: ctx, url
-func (_m *RepositoryDB) GetRepository(ctx context.Context, url string) (*v1alpha1.Repository, error) {
-	ret := _m.Called(ctx, url)
-
-	var r0 *v1alpha1.Repository
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, string) (*v1alpha1.Repository, error)); ok {
-		return rf(ctx, url)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, string) *v1alpha1.Repository); ok {
-		r0 = rf(ctx, url)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.Repository)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, url)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-type mockConstructorTestingTNewRepositoryDB interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewRepositoryDB creates a new instance of RepositoryDB. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewRepositoryDB(t mockConstructorTestingTNewRepositoryDB) *RepositoryDB {
-	mock := &RepositoryDB{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/applicationset/services/plugin/plugin_service.go
+++ b/applicationset/services/plugin/plugin_service.go
@@ -45,7 +45,7 @@ func NewPluginService(ctx context.Context, appSetName string, baseURL string, to

 	client, err := internalhttp.NewClient(baseURL, clientOptionFns...)
 	if err != nil {
-		return nil, fmt.Errorf("error creating plugin client: %v", err)
+		return nil, fmt.Errorf("error creating plugin client: %w", err)
 	}

 	return &Service{
@@ -56,17 +56,15 @@ func NewPluginService(ctx context.Context, appSetName string, baseURL string, to

 func (p *Service) List(ctx context.Context, parameters v1alpha1.PluginParameters) (*ServiceResponse, error) {
 	req, err := p.client.NewRequest(http.MethodPost, "api/v1/getparams.execute", ServiceRequest{ApplicationSetName: p.appSetName, Input: v1alpha1.PluginInput{Parameters: parameters}}, nil)
-
 	if err != nil {
-		return nil, fmt.Errorf("NewRequest returned unexpected error: %v", err)
+		return nil, fmt.Errorf("NewRequest returned unexpected error: %w", err)
 	}

 	var data ServiceResponse

 	_, err = p.client.Do(ctx, req, &data)
-
 	if err != nil {
-		return nil, fmt.Errorf("error get api '%s': %v", p.appSetName, err)
+		return nil, fmt.Errorf("error get api '%s': %w", p.appSetName, err)
 	}

 	return &data, err
--- a/applicationset/services/plugin/plugin_service_test.go
+++ b/applicationset/services/plugin/plugin_service_test.go
@@ -23,22 +23,19 @@ func TestPlugin(t *testing.T) {
 			return
 		}
 		_, err := w.Write([]byte(expectedJSON))
-
 		if err != nil {
-			assert.NoError(t, fmt.Errorf("Error Write %v", err))
+			assert.NoError(t, fmt.Errorf("Error Write %w", err))
 		}
 	})
 	ts := httptest.NewServer(handler)
 	defer ts.Close()

 	client, err := NewPluginService(context.Background(), "plugin-test", ts.URL, token, 0)
-
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}

 	data, err := client.List(context.Background(), nil)
-
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
--- a/applicationset/services/pull_request/azure_devops.go
+++ b/applicationset/services/pull_request/azure_devops.go
@@ -36,8 +36,10 @@ type AzureDevOpsService struct {
 	labels        []string
 }

-var _ PullRequestService = (*AzureDevOpsService)(nil)
-var _ AzureDevOpsClientFactory = &devopsFactoryImpl{}
+var (
+	_ PullRequestService       = (*AzureDevOpsService)(nil)
+	_ AzureDevOpsClientFactory = &devopsFactoryImpl{}
+)

 func NewAzureDevOpsService(ctx context.Context, token, url, organization, project, repo string, labels []string) (PullRequestService, error) {
 	organizationUrl := buildURL(url, organization)
--- a/applicationset/services/pull_request/azure_devops_test.go
+++ b/applicationset/services/pull_request/azure_devops_test.go
@@ -8,6 +8,7 @@ import (
 	git "github.com/microsoft/azure-devops-go-api/azuredevops/git"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"

 	azureMock "github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider/azure_devops/git/mocks"
 )
@@ -90,8 +91,8 @@ func TestListPullRequest(t *testing.T) {
 	}

 	list, err := provider.List(ctx)
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(list))
+	require.NoError(t, err)
+	assert.Len(t, list, 1)
 	assert.Equal(t, "feature-branch", list[0].Branch)
 	assert.Equal(t, pr_head_sha, list[0].HeadSHA)
 	assert.Equal(t, pr_id, list[0].Number)
@@ -215,7 +216,7 @@ func TestBuildURL(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			result := buildURL(tc.url, tc.organization)
-			assert.Equal(t, result, tc.expected)
+			assert.Equal(t, tc.expected, result)
 		})
 	}
 }
--- a/applicationset/services/pull_request/bitbucket_cloud.go
+++ b/applicationset/services/pull_request/bitbucket_cloud.go
@@ -60,7 +60,7 @@ func parseUrl(uri string) (*url.URL, error) {
 func NewBitbucketCloudServiceBasicAuth(baseUrl, username, password, owner, repositorySlug string) (PullRequestService, error) {
 	url, err := parseUrl(baseUrl)
 	if err != nil {
-		return nil, fmt.Errorf("error parsing base url of %s for %s/%s: %v", baseUrl, owner, repositorySlug, err)
+		return nil, fmt.Errorf("error parsing base url of %s for %s/%s: %w", baseUrl, owner, repositorySlug, err)
 	}

 	bitbucketClient := bitbucket.NewBasicAuth(username, password)
@@ -76,7 +76,7 @@ func NewBitbucketCloudServiceBasicAuth(baseUrl, username, password, owner, repos
 func NewBitbucketCloudServiceBearerToken(baseUrl, bearerToken, owner, repositorySlug string) (PullRequestService, error) {
 	url, err := parseUrl(baseUrl)
 	if err != nil {
-		return nil, fmt.Errorf("error parsing base url of %s for %s/%s: %v", baseUrl, owner, repositorySlug, err)
+		return nil, fmt.Errorf("error parsing base url of %s for %s/%s: %w", baseUrl, owner, repositorySlug, err)
 	}

 	bitbucketClient := bitbucket.NewOAuthbearerToken(bearerToken)
@@ -102,7 +102,7 @@ func (b *BitbucketCloudService) List(_ context.Context) ([]*PullRequest, error)

 	response, err := b.client.Repositories.PullRequests.Gets(opts)
 	if err != nil {
-		return nil, fmt.Errorf("error listing pull requests for %s/%s: %v", b.owner, b.repositorySlug, err)
+		return nil, fmt.Errorf("error listing pull requests for %s/%s: %w", b.owner, b.repositorySlug, err)
 	}

 	resp, ok := response.(map[string]interface{})
@@ -117,12 +117,12 @@ func (b *BitbucketCloudService) List(_ context.Context) ([]*PullRequest, error)

 	jsonStr, err := json.Marshal(repoArray)
 	if err != nil {
-		return nil, fmt.Errorf("error marshalling response body to json: %v", err)
+		return nil, fmt.Errorf("error marshalling response body to json: %w", err)
 	}

 	var pulls []BitbucketCloudPullRequest
 	if err := json.Unmarshal(jsonStr, &pulls); err != nil {
-		return nil, fmt.Errorf("error unmarshalling json to type '[]BitbucketCloudPullRequest': %v", err)
+		return nil, fmt.Errorf("error unmarshalling json to type '[]BitbucketCloudPullRequest': %w", err)
 	}

 	pullRequests := []*PullRequest{}
--- a/applicationset/services/pull_request/bitbucket_cloud_test.go
+++ b/applicationset/services/pull_request/bitbucket_cloud_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
@@ -51,26 +52,26 @@ func TestParseUrlEmptyUrl(t *testing.T) {
 	url, err := parseUrl("")
 	bitbucketUrl, _ := url.Parse("https://api.bitbucket.org/2.0")

-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, bitbucketUrl, url)
 }

 func TestInvalidBaseUrlBasicAuthCloud(t *testing.T) {
 	_, err := NewBitbucketCloudServiceBasicAuth("http:// example.org", "user", "password", "OWNER", "REPO")

-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestInvalidBaseUrlBearerTokenCloud(t *testing.T) {
 	_, err := NewBitbucketCloudServiceBearerToken("http:// example.org", "TOKEN", "OWNER", "REPO")

-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestInvalidBaseUrlNoAuthCloud(t *testing.T) {
 	_, err := NewBitbucketCloudServiceNoAuth("http:// example.org", "OWNER", "REPO")

-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestListPullRequestBearerTokenCloud(t *testing.T) {
@@ -80,10 +81,10 @@ func TestListPullRequestBearerTokenCloud(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketCloudServiceBearerToken(ts.URL, "TOKEN", "OWNER", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
@@ -96,10 +97,10 @@ func TestListPullRequestNoAuthCloud(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
@@ -112,10 +113,10 @@ func TestListPullRequestBasicAuthCloud(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketCloudServiceBasicAuth(ts.URL, "user", "password", "OWNER", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
@@ -189,10 +190,10 @@ func TestListPullRequestPaginationCloud(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
-	assert.Equal(t, 3, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 3)
 	assert.Equal(t, PullRequest{
 		Number:  101,
 		Branch:  "feature-101",
@@ -217,7 +218,7 @@ func TestListResponseErrorCloud(t *testing.T) {
 	defer ts.Close()
 	svc, _ := NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
 	_, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestListResponseMalformedCloud(t *testing.T) {
@@ -241,7 +242,7 @@ func TestListResponseMalformedCloud(t *testing.T) {
 	defer ts.Close()
 	svc, _ := NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
 	_, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestListResponseMalformedValuesCloud(t *testing.T) {
@@ -265,7 +266,7 @@ func TestListResponseMalformedValuesCloud(t *testing.T) {
 	defer ts.Close()
 	svc, _ := NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
 	_, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestListResponseEmptyCloud(t *testing.T) {
@@ -288,9 +289,9 @@ func TestListResponseEmptyCloud(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Empty(t, pullRequests)
 }

@@ -363,14 +364,14 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 	defer ts.Close()
 	regexp := `feature-1[\d]{2}`
 	svc, err := NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
 			BranchMatch: &regexp,
 		},
 	})
-	assert.NoError(t, err)
-	assert.Equal(t, 2, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 2)
 	assert.Equal(t, PullRequest{
 		Number:  101,
 		Branch:  "feature-101",
@@ -384,14 +385,14 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {

 	regexp = `.*2$`
 	svc, err = NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err = ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
 			BranchMatch: &regexp,
 		},
 	})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, PullRequest{
 		Number:  102,
 		Branch:  "feature-102",
@@ -400,11 +401,11 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {

 	regexp = `[\d{2}`
 	svc, err = NewBitbucketCloudServiceNoAuth(ts.URL, "OWNER", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	_, err = ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
 			BranchMatch: &regexp,
 		},
 	})
-	assert.Error(t, err)
+	require.Error(t, err)
 }
--- a/applicationset/services/pull_request/bitbucket_server.go
+++ b/applicationset/services/pull_request/bitbucket_server.go
@@ -4,9 +4,10 @@ import (
 	"context"
 	"fmt"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	bitbucketv1 "github.com/gfleury/go-bitbucket-v1"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 )

 type BitbucketService struct {
@@ -56,12 +57,12 @@ func (b *BitbucketService) List(_ context.Context) ([]*PullRequest, error) {
 	for {
 		response, err := b.client.DefaultApi.GetPullRequestsPage(b.projectKey, b.repositorySlug, paged)
 		if err != nil {
-			return nil, fmt.Errorf("error listing pull requests for %s/%s: %v", b.projectKey, b.repositorySlug, err)
+			return nil, fmt.Errorf("error listing pull requests for %s/%s: %w", b.projectKey, b.repositorySlug, err)
 		}
 		pulls, err := bitbucketv1.GetPullRequestsResponse(response)
 		if err != nil {
 			log.Errorf("error parsing pull request response '%v'", response.Values)
-			return nil, fmt.Errorf("error parsing pull request response for %s/%s: %v", b.projectKey, b.repositorySlug, err)
+			return nil, fmt.Errorf("error parsing pull request response for %s/%s: %w", b.projectKey, b.repositorySlug, err)
 		}

 		for _, pull := range pulls {
--- a/applicationset/services/pull_request/bitbucket_server_test.go
+++ b/applicationset/services/pull_request/bitbucket_server_test.go
@@ -7,8 +7,10 @@ import (
 	"net/http/httptest"
 	"testing"

-	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 func defaultHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
@@ -54,10 +56,10 @@ func TestListPullRequestNoAuth(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "master", pullRequests[0].TargetBranch)
@@ -135,10 +137,10 @@ func TestListPullRequestPagination(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
-	assert.Equal(t, 3, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 3)
 	assert.Equal(t, PullRequest{
 		Number:       101,
 		Branch:       "feature-101",
@@ -171,10 +173,10 @@ func TestListPullRequestBasicAuth(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketServiceBasicAuth(context.Background(), "user", "password", ts.URL, "PROJECT", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, 101, pullRequests[0].Number)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "cb3cf2e4d1517c83e720d2585b9402dbef71f992", pullRequests[0].HeadSHA)
@@ -187,7 +189,7 @@ func TestListResponseError(t *testing.T) {
 	defer ts.Close()
 	svc, _ := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
 	_, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestListResponseMalformed(t *testing.T) {
@@ -212,7 +214,7 @@ func TestListResponseMalformed(t *testing.T) {
 	defer ts.Close()
 	svc, _ := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
 	_, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestListResponseEmpty(t *testing.T) {
@@ -236,9 +238,9 @@ func TestListResponseEmpty(t *testing.T) {
 	}))
 	defer ts.Close()
 	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{})
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Empty(t, pullRequests)
 }

@@ -314,14 +316,14 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 	defer ts.Close()
 	regexp := `feature-1[\d]{2}`
 	svc, err := NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err := ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
 			BranchMatch: &regexp,
 		},
 	})
-	assert.NoError(t, err)
-	assert.Equal(t, 2, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 2)
 	assert.Equal(t, PullRequest{
 		Number:       101,
 		Branch:       "feature-101",
@@ -339,14 +341,14 @@ func TestListPullRequestBranchMatch(t *testing.T) {

 	regexp = `.*2$`
 	svc, err = NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	pullRequests, err = ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
 			BranchMatch: &regexp,
 		},
 	})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(pullRequests))
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, PullRequest{
 		Number:       102,
 		Branch:       "feature-102",
@@ -357,11 +359,11 @@ func TestListPullRequestBranchMatch(t *testing.T) {

 	regexp = `[\d{2}`
 	svc, err = NewBitbucketServiceNoAuth(context.Background(), ts.URL, "PROJECT", "REPO")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	_, err = ListPullRequests(context.Background(), svc, []v1alpha1.PullRequestGeneratorFilter{
 		{
 			BranchMatch: &regexp,
 		},
 	})
-	assert.Error(t, err)
+	require.Error(t, err)
 }
--- a/applicationset/services/pull_request/gitea_test.go
+++ b/applicationset/services/pull_request/gitea_test.go
@@ -10,6 +10,7 @@ import (

 	"code.gitea.io/sdk/gitea"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
@@ -250,14 +251,14 @@ func TestGiteaList(t *testing.T) {
 		giteaMockHandler(t)(w, r)
 	}))
 	host, err := NewGiteaService(context.Background(), "", ts.URL, "test-argocd", "pr-test", false)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	prs, err := host.List(context.Background())
-	assert.Nil(t, err)
-	assert.Equal(t, len(prs), 1)
-	assert.Equal(t, prs[0].Number, 1)
-	assert.Equal(t, prs[0].Branch, "test")
-	assert.Equal(t, prs[0].TargetBranch, "main")
-	assert.Equal(t, prs[0].HeadSHA, "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f")
+	require.NoError(t, err)
+	assert.Len(t, prs, 1)
+	assert.Equal(t, 1, prs[0].Number)
+	assert.Equal(t, "test", prs[0].Branch)
+	assert.Equal(t, "main", prs[0].TargetBranch)
+	assert.Equal(t, "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f", prs[0].HeadSHA)
 }

 func TestGetGiteaPRLabelNames(t *testing.T) {
--- a/applicationset/services/pull_request/gitlab.go
+++ b/applicationset/services/pull_request/gitlab.go
@@ -6,9 +6,10 @@ import (
 	"net/http"
 	"os"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/hashicorp/go-retryablehttp"
 	gitlab "github.com/xanzy/go-gitlab"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 )

 type GitLabService struct {
@@ -42,7 +43,7 @@ func NewGitLabService(ctx context.Context, token, url, project string, labels []

 	client, err := gitlab.NewClient(token, clientOptionFns...)
 	if err != nil {
-		return nil, fmt.Errorf("error creating Gitlab client: %v", err)
+		return nil, fmt.Errorf("error creating Gitlab client: %w", err)
 	}

 	return &GitLabService{
@@ -54,7 +55,6 @@ func NewGitLabService(ctx context.Context, token, url, project string, labels []
 }

 func (g *GitLabService) List(ctx context.Context) ([]*PullRequest, error) {
-
 	// Filter the merge requests on labels, if they are specified.
 	var labels *gitlab.Labels
 	if len(g.labels) > 0 {
@@ -76,7 +76,7 @@ func (g *GitLabService) List(ctx context.Context) ([]*PullRequest, error) {
 	for {
 		mrs, resp, err := g.client.MergeRequests.ListProjectMergeRequests(g.project, opts)
 		if err != nil {
-			return nil, fmt.Errorf("error listing merge requests for project '%s': %v", g.project, err)
+			return nil, fmt.Errorf("error listing merge requests for project '%s': %w", g.project, err)
 		}
 		for _, mr := range mrs {
 			pullRequests = append(pullRequests, &PullRequest{
--- a/applicationset/services/pull_request/gitlab_test.go
+++ b/applicationset/services/pull_request/gitlab_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func writeMRListResponse(t *testing.T, w io.Writer) {
@@ -35,10 +36,10 @@ func TestGitLabServiceCustomBaseURL(t *testing.T) {
 	})

 	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", nil, "", "", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	_, err = svc.List(context.Background())
-	assert.NoError(t, err)
+	require.NoError(t, err)
 }

 func TestGitLabServiceToken(t *testing.T) {
@@ -54,10 +55,10 @@ func TestGitLabServiceToken(t *testing.T) {
 	})

 	svc, err := NewGitLabService(context.Background(), "token-123", server.URL, "278964", nil, "", "", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	_, err = svc.List(context.Background())
-	assert.NoError(t, err)
+	require.NoError(t, err)
 }

 func TestList(t *testing.T) {
@@ -73,15 +74,15 @@ func TestList(t *testing.T) {
 	})

 	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{}, "", "", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	prs, err := svc.List(context.Background())
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Len(t, prs, 1)
-	assert.Equal(t, prs[0].Number, 15442)
-	assert.Equal(t, prs[0].Branch, "use-structured-logging-for-db-load-balancer")
-	assert.Equal(t, prs[0].TargetBranch, "master")
-	assert.Equal(t, prs[0].HeadSHA, "2fc4e8b972ff3208ec63b6143e34ad67ff343ad7")
+	assert.Equal(t, 15442, prs[0].Number)
+	assert.Equal(t, "use-structured-logging-for-db-load-balancer", prs[0].Branch)
+	assert.Equal(t, "master", prs[0].TargetBranch)
+	assert.Equal(t, "2fc4e8b972ff3208ec63b6143e34ad67ff343ad7", prs[0].HeadSHA)
 }

 func TestListWithLabels(t *testing.T) {
@@ -97,10 +98,10 @@ func TestListWithLabels(t *testing.T) {
 	})

 	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{"feature", "ready"}, "", "", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	_, err = svc.List(context.Background())
-	assert.NoError(t, err)
+	require.NoError(t, err)
 }

 func TestListWithState(t *testing.T) {
@@ -116,8 +117,8 @@ func TestListWithState(t *testing.T) {
 	})

 	svc, err := NewGitLabService(context.Background(), "", server.URL, "278964", []string{}, "opened", "", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	_, err = svc.List(context.Background())
-	assert.NoError(t, err)
+	require.NoError(t, err)
 }
--- a/applicationset/services/pull_request/utils.go
+++ b/applicationset/services/pull_request/utils.go
@@ -16,13 +16,13 @@ func compileFilters(filters []argoprojiov1alpha1.PullRequestGeneratorFilter) ([]
 		if filter.BranchMatch != nil {
 			outFilter.BranchMatch, err = regexp.Compile(*filter.BranchMatch)
 			if err != nil {
-				return nil, fmt.Errorf("error compiling BranchMatch regexp %q: %v", *filter.BranchMatch, err)
+				return nil, fmt.Errorf("error compiling BranchMatch regexp %q: %w", *filter.BranchMatch, err)
 			}
 		}
 		if filter.TargetBranchMatch != nil {
 			outFilter.TargetBranchMatch, err = regexp.Compile(*filter.TargetBranchMatch)
 			if err != nil {
-				return nil, fmt.Errorf("error compiling TargetBranchMatch regexp %q: %v", *filter.TargetBranchMatch, err)
+				return nil, fmt.Errorf("error compiling TargetBranchMatch regexp %q: %w", *filter.TargetBranchMatch, err)
 			}
 		}
 		outFilters = append(outFilters, outFilter)
--- a/applicationset/services/pull_request/utils_test.go
+++ b/applicationset/services/pull_request/utils_test.go
@@ -4,13 +4,16 @@ import (
 	"context"
 	"testing"

-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 func strp(s string) *string {
 	return &s
 }
+
 func TestFilterBranchMatchBadRegexp(t *testing.T) {
 	provider, _ := NewFakeService(
 		context.Background(),
@@ -30,7 +33,7 @@ func TestFilterBranchMatchBadRegexp(t *testing.T) {
 		},
 	}
 	_, err := ListPullRequests(context.Background(), provider, filters)
-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestFilterBranchMatch(t *testing.T) {
@@ -70,7 +73,7 @@ func TestFilterBranchMatch(t *testing.T) {
 		},
 	}
 	pullRequests, err := ListPullRequests(context.Background(), provider, filters)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, "two", pullRequests[0].Branch)
 }
@@ -112,7 +115,7 @@ func TestFilterTargetBranchMatch(t *testing.T) {
 		},
 	}
 	pullRequests, err := ListPullRequests(context.Background(), provider, filters)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
 	assert.Equal(t, "two", pullRequests[0].Branch)
 }
@@ -157,7 +160,7 @@ func TestMultiFilterOr(t *testing.T) {
 		},
 	}
 	pullRequests, err := ListPullRequests(context.Background(), provider, filters)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Len(t, pullRequests, 3)
 	assert.Equal(t, "two", pullRequests[0].Branch)
 	assert.Equal(t, "three", pullRequests[1].Branch)
@@ -206,7 +209,7 @@ func TestMultiFilterOrWithTargetBranchFilter(t *testing.T) {
 		},
 	}
 	pullRequests, err := ListPullRequests(context.Background(), provider, filters)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Len(t, pullRequests, 2)
 	assert.Equal(t, "two", pullRequests[0].Branch)
 	assert.Equal(t, "four", pullRequests[1].Branch)
@@ -233,7 +236,7 @@ func TestNoFilters(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{}
 	repos, err := ListPullRequests(context.Background(), provider, filters)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 2)
 	assert.Equal(t, "one", repos[0].Branch)
 	assert.Equal(t, "two", repos[1].Branch)
--- a/applicationset/services/repo_service.go
+++ b/applicationset/services/repo_service.go
@@ -6,49 +6,39 @@ import (

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
-	"github.com/argoproj/argo-cd/v2/util/db"
 	"github.com/argoproj/argo-cd/v2/util/git"
 	"github.com/argoproj/argo-cd/v2/util/io"
 )

-//go:generate go run github.com/vektra/mockery/v2@v2.25.1 --name=RepositoryDB
-
-// RepositoryDB Is a lean facade for ArgoDB,
-// Using a lean interface makes it easier to test the functionality of the git generator
-type RepositoryDB interface {
-	GetRepository(ctx context.Context, url string) (*v1alpha1.Repository, error)
-}
-
 type argoCDService struct {
-	repositoriesDB         RepositoryDB
+	getRepository          func(ctx context.Context, url, project string) (*v1alpha1.Repository, error)
 	storecreds             git.CredsStore
 	submoduleEnabled       bool
 	repoServerClientSet    apiclient.Clientset
 	newFileGlobbingEnabled bool
 }

-//go:generate go run github.com/vektra/mockery/v2@v2.25.1 --name=Repos
+//go:generate go run github.com/vektra/mockery/v2@v2.40.2 --name=Repos

 type Repos interface {
-
 	// GetFiles returns content of files (not directories) within the target repo
-	GetFiles(ctx context.Context, repoURL string, revision string, pattern string, noRevisionCache bool) (map[string][]byte, error)
+	GetFiles(ctx context.Context, repoURL string, revision string, pattern string, noRevisionCache, verifyCommit bool) (map[string][]byte, error)

 	// GetDirectories returns a list of directories (not files) within the target repo
-	GetDirectories(ctx context.Context, repoURL string, revision string, noRevisionCache bool) ([]string, error)
+	GetDirectories(ctx context.Context, repoURL string, revision string, noRevisionCache, verifyCommit bool) ([]string, error)
 }

-func NewArgoCDService(db db.ArgoDB, submoduleEnabled bool, repoClientset apiclient.Clientset, newFileGlobbingEnabled bool) (Repos, error) {
+func NewArgoCDService(getRepository func(ctx context.Context, url, project string) (*v1alpha1.Repository, error), submoduleEnabled bool, repoClientset apiclient.Clientset, newFileGlobbingEnabled bool) (Repos, error) {
 	return &argoCDService{
-		repositoriesDB:         db.(RepositoryDB),
+		getRepository:          getRepository,
 		submoduleEnabled:       submoduleEnabled,
 		repoServerClientSet:    repoClientset,
 		newFileGlobbingEnabled: newFileGlobbingEnabled,
 	}, nil
 }

-func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision string, pattern string, noRevisionCache bool) (map[string][]byte, error) {
-	repo, err := a.repositoriesDB.GetRepository(ctx, repoURL)
+func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision string, pattern string, noRevisionCache, verifyCommit bool) (map[string][]byte, error) {
+	repo, err := a.getRepository(ctx, repoURL, "")
 	if err != nil {
 		return nil, fmt.Errorf("error in GetRepository: %w", err)
 	}
@@ -60,6 +50,7 @@ func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision s
 		Path:                      pattern,
 		NewGitFileGlobbingEnabled: a.newFileGlobbingEnabled,
 		NoRevisionCache:           noRevisionCache,
+		VerifyCommit:              verifyCommit,
 	}
 	closer, client, err := a.repoServerClientSet.NewRepoServerClient()
 	if err != nil {
@@ -74,8 +65,8 @@ func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision s
 	return fileResponse.GetMap(), nil
 }

-func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revision string, noRevisionCache bool) ([]string, error) {
-	repo, err := a.repositoriesDB.GetRepository(ctx, repoURL)
+func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revision string, noRevisionCache, verifyCommit bool) ([]string, error) {
+	repo, err := a.getRepository(ctx, repoURL, "")
 	if err != nil {
 		return nil, fmt.Errorf("error in GetRepository: %w", err)
 	}
@@ -85,6 +76,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 		SubmoduleEnabled: a.submoduleEnabled,
 		Revision:         revision,
 		NoRevisionCache:  noRevisionCache,
+		VerifyCommit:     verifyCommit,
 	}

 	closer, client, err := a.repoServerClientSet.NewRepoServerClient()
@@ -98,5 +90,4 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 		return nil, fmt.Errorf("error retrieving Git Directories: %w", err)
 	}
 	return dirResponse.GetPaths(), nil
-
 }
--- a/applicationset/services/repo_service_test.go
+++ b/applicationset/services/repo_service_test.go
@@ -5,23 +5,22 @@ import (
 	"fmt"
 	"testing"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
-	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
-	repo_mocks "github.com/argoproj/argo-cd/v2/reposerver/apiclient/mocks"
-	db_mocks "github.com/argoproj/argo-cd/v2/util/db/mocks"
-	"github.com/argoproj/argo-cd/v2/util/git"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	repo_mocks "github.com/argoproj/argo-cd/v2/reposerver/apiclient/mocks"
+	"github.com/argoproj/argo-cd/v2/util/git"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 func TestGetDirectories(t *testing.T) {
-
 	type fields struct {
-		repositoriesDBFuncs   []func(*mocks.RepositoryDB)
 		storecreds            git.CredsStore
 		submoduleEnabled      bool
+		getRepository         func(ctx context.Context, url, project string) (*v1alpha1.Repository, error)
 		repoServerClientFuncs []func(*repo_mocks.RepoServerServiceClient)
 	}
 	type args struct {
@@ -29,6 +28,7 @@ func TestGetDirectories(t *testing.T) {
 		repoURL         string
 		revision        string
 		noRevisionCache bool
+		verifyCommit    bool
 	}
 	tests := []struct {
 		name    string
@@ -38,17 +38,13 @@ func TestGetDirectories(t *testing.T) {
 		wantErr assert.ErrorAssertionFunc
 	}{
 		{name: "ErrorGettingRepos", fields: fields{
-			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
-				func(db *mocks.RepositoryDB) {
-					db.On("GetRepository", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("unable to get repos"))
-				},
+			getRepository: func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+				return nil, fmt.Errorf("unable to get repos")
 			},
 		}, args: args{}, want: nil, wantErr: assert.Error},
 		{name: "ErrorGettingDirs", fields: fields{
-			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
-				func(db *mocks.RepositoryDB) {
-					db.On("GetRepository", mock.Anything, mock.Anything).Return(&v1alpha1.Repository{}, nil)
-				},
+			getRepository: func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+				return &v1alpha1.Repository{}, nil
 			},
 			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
 				func(client *repo_mocks.RepoServerServiceClient) {
@@ -57,10 +53,8 @@ func TestGetDirectories(t *testing.T) {
 			},
 		}, args: args{}, want: nil, wantErr: assert.Error},
 		{name: "HappyCase", fields: fields{
-			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
-				func(db *mocks.RepositoryDB) {
-					db.On("GetRepository", mock.Anything, mock.Anything).Return(&v1alpha1.Repository{}, nil)
-				},
+			getRepository: func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+				return &v1alpha1.Repository{}, nil
 			},
 			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
 				func(client *repo_mocks.RepoServerServiceClient) {
@@ -70,26 +64,32 @@ func TestGetDirectories(t *testing.T) {
 				},
 			},
 		}, args: args{}, want: []string{"foo", "foo/bar", "bar/foo"}, wantErr: assert.NoError},
+		{name: "ErrorVerifyingCommit", fields: fields{
+			getRepository: func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+				return &v1alpha1.Repository{}, nil
+			},
+			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
+				func(client *repo_mocks.RepoServerServiceClient) {
+					client.On("GetGitDirectories", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("revision HEAD is not signed"))
+				},
+			},
+		}, args: args{}, want: nil, wantErr: assert.Error},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			mockDb := &mocks.RepositoryDB{}
 			mockRepoClient := &repo_mocks.RepoServerServiceClient{}
 			// decorate the mocks
-			for i := range tt.fields.repositoriesDBFuncs {
-				tt.fields.repositoriesDBFuncs[i](mockDb)
-			}
 			for i := range tt.fields.repoServerClientFuncs {
 				tt.fields.repoServerClientFuncs[i](mockRepoClient)
 			}

 			a := &argoCDService{
-				repositoriesDB:      mockDb,
+				getRepository:       tt.fields.getRepository,
 				storecreds:          tt.fields.storecreds,
 				submoduleEnabled:    tt.fields.submoduleEnabled,
 				repoServerClientSet: &repo_mocks.Clientset{RepoServerServiceClient: mockRepoClient},
 			}
-			got, err := a.GetDirectories(tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.noRevisionCache)
+			got, err := a.GetDirectories(tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.noRevisionCache, tt.args.verifyCommit)
 			if !tt.wantErr(t, err, fmt.Sprintf("GetDirectories(%v, %v, %v, %v)", tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.noRevisionCache)) {
 				return
 			}
@@ -100,10 +100,10 @@ func TestGetDirectories(t *testing.T) {

 func TestGetFiles(t *testing.T) {
 	type fields struct {
-		repositoriesDBFuncs   []func(*mocks.RepositoryDB)
 		storecreds            git.CredsStore
 		submoduleEnabled      bool
 		repoServerClientFuncs []func(*repo_mocks.RepoServerServiceClient)
+		getRepository         func(ctx context.Context, url, project string) (*v1alpha1.Repository, error)
 	}
 	type args struct {
 		ctx             context.Context
@@ -111,6 +111,7 @@ func TestGetFiles(t *testing.T) {
 		revision        string
 		pattern         string
 		noRevisionCache bool
+		verifyCommit    bool
 	}
 	tests := []struct {
 		name    string
@@ -120,17 +121,13 @@ func TestGetFiles(t *testing.T) {
 		wantErr assert.ErrorAssertionFunc
 	}{
 		{name: "ErrorGettingRepos", fields: fields{
-			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
-				func(db *mocks.RepositoryDB) {
-					db.On("GetRepository", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("unable to get repos"))
-				},
+			getRepository: func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+				return nil, fmt.Errorf("unable to get repos")
 			},
 		}, args: args{}, want: nil, wantErr: assert.Error},
 		{name: "ErrorGettingFiles", fields: fields{
-			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
-				func(db *mocks.RepositoryDB) {
-					db.On("GetRepository", mock.Anything, mock.Anything).Return(&v1alpha1.Repository{}, nil)
-				},
+			getRepository: func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+				return &v1alpha1.Repository{}, nil
 			},
 			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
 				func(client *repo_mocks.RepoServerServiceClient) {
@@ -139,10 +136,8 @@ func TestGetFiles(t *testing.T) {
 			},
 		}, args: args{}, want: nil, wantErr: assert.Error},
 		{name: "HappyCase", fields: fields{
-			repositoriesDBFuncs: []func(*mocks.RepositoryDB){
-				func(db *mocks.RepositoryDB) {
-					db.On("GetRepository", mock.Anything, mock.Anything).Return(&v1alpha1.Repository{}, nil)
-				},
+			getRepository: func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+				return &v1alpha1.Repository{}, nil
 			},
 			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
 				func(client *repo_mocks.RepoServerServiceClient) {
@@ -158,26 +153,32 @@ func TestGetFiles(t *testing.T) {
 			"foo.json": []byte("hello: world!"),
 			"bar.yaml": []byte("yay: appsets"),
 		}, wantErr: assert.NoError},
+		{name: "ErrorVerifyingCommit", fields: fields{
+			getRepository: func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+				return &v1alpha1.Repository{}, nil
+			},
+			repoServerClientFuncs: []func(*repo_mocks.RepoServerServiceClient){
+				func(client *repo_mocks.RepoServerServiceClient) {
+					client.On("GetGitFiles", mock.Anything, mock.Anything).Return(nil, fmt.Errorf("revision HEAD is not signed"))
+				},
+			},
+		}, args: args{}, want: nil, wantErr: assert.Error},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			mockDb := &mocks.RepositoryDB{}
 			mockRepoClient := &repo_mocks.RepoServerServiceClient{}
 			// decorate the mocks
-			for i := range tt.fields.repositoriesDBFuncs {
-				tt.fields.repositoriesDBFuncs[i](mockDb)
-			}
 			for i := range tt.fields.repoServerClientFuncs {
 				tt.fields.repoServerClientFuncs[i](mockRepoClient)
 			}

 			a := &argoCDService{
-				repositoriesDB:      mockDb,
+				getRepository:       tt.fields.getRepository,
 				storecreds:          tt.fields.storecreds,
 				submoduleEnabled:    tt.fields.submoduleEnabled,
 				repoServerClientSet: &repo_mocks.Clientset{RepoServerServiceClient: mockRepoClient},
 			}
-			got, err := a.GetFiles(tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.pattern, tt.args.noRevisionCache)
+			got, err := a.GetFiles(tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.pattern, tt.args.noRevisionCache, tt.args.verifyCommit)
 			if !tt.wantErr(t, err, fmt.Sprintf("GetFiles(%v, %v, %v, %v, %v)", tt.args.ctx, tt.args.repoURL, tt.args.revision, tt.args.pattern, tt.args.noRevisionCache)) {
 				return
 			}
@@ -187,7 +188,9 @@ func TestGetFiles(t *testing.T) {
 }

 func TestNewArgoCDService(t *testing.T) {
-	service, err := NewArgoCDService(&db_mocks.ArgoDB{}, false, &repo_mocks.Clientset{}, false)
-	assert.NoError(t, err, err)
+	service, err := NewArgoCDService(func(ctx context.Context, url, project string) (*v1alpha1.Repository, error) {
+		return &v1alpha1.Repository{}, nil
+	}, false, &repo_mocks.Clientset{}, false)
+	require.NoError(t, err, err)
 	assert.NotNil(t, service)
 }
--- a/applicationset/services/scm_provider/aws_codecommit.go
+++ b/applicationset/services/scm_provider/aws_codecommit.go
@@ -2,13 +2,14 @@ package scm_provider

 import (
 	"context"
+	"errors"
 	"fmt"
-	"github.com/aws/aws-sdk-go/aws/request"
 	pathpkg "path"
 	"path/filepath"
 	"strings"

-	application "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/aws/aws-sdk-go/aws/request"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/aws/awserr"
@@ -19,6 +20,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
 	"k8s.io/utils/strings/slices"
+
+	application "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 const (
@@ -325,7 +328,8 @@ func getCodeCommitFIPSEndpoint(repoUrl string) (string, error) {
 }

 func hasAwsError(err error, codes ...string) bool {
-	if awsErr, ok := err.(awserr.Error); ok {
+	var awsErr awserr.Error
+	if errors.As(err, &awsErr) {
 		return slices.Contains(codes, awsErr.Code())
 	}
 	return false
@@ -354,7 +358,7 @@ func createAWSDiscoveryClients(_ context.Context, role string, region string) (*
 			Credentials: assumeRoleCreds,
 		})
 		if err != nil {
-			return nil, nil, fmt.Errorf("error creating new AWS discovery session: %s", err)
+			return nil, nil, fmt.Errorf("error creating new AWS discovery session: %w", err)
 		}
 	} else {
 		log.Debugf("role is not provided for AWS CodeCommit discovery, using pod role")
--- a/applicationset/services/scm_provider/aws_codecommit_test.go
+++ b/applicationset/services/scm_provider/aws_codecommit_test.go
@@ -6,14 +6,15 @@ import (
 	"sort"
 	"testing"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider/aws_codecommit/mocks"
-	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/codecommit"
 	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider/aws_codecommit/mocks"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 type awsCodeCommitTestRepository struct {
--- a/applicationset/services/scm_provider/azure_devops.go
+++ b/applicationset/services/scm_provider/azure_devops.go
@@ -2,6 +2,7 @@ package scm_provider

 import (
 	"context"
+	"errors"
 	"fmt"
 	netUrl "net/url"
 	"strings"
@@ -51,8 +52,10 @@ type AzureDevOpsProvider struct {
 	allBranches   bool
 }

-var _ SCMProviderService = &AzureDevOpsProvider{}
-var _ AzureDevOpsClientFactory = &devopsFactoryImpl{}
+var (
+	_ SCMProviderService       = &AzureDevOpsProvider{}
+	_ AzureDevOpsClientFactory = &devopsFactoryImpl{}
+)

 func NewAzureDevOpsProvider(ctx context.Context, accessToken string, org string, url string, project string, allBranches bool) (*AzureDevOpsProvider, error) {
 	if accessToken == "" {
@@ -60,7 +63,6 @@ func NewAzureDevOpsProvider(ctx context.Context, accessToken string, org string,
 	}

 	devOpsURL, err := getValidDevOpsURL(url, org)
-
 	if err != nil {
 		return nil, err
 	}
@@ -77,7 +79,6 @@ func (g *AzureDevOpsProvider) ListRepos(ctx context.Context, cloneProtocol strin
 	}
 	getRepoArgs := azureGit.GetRepositoriesArgs{Project: &g.teamProject}
 	azureRepos, err := gitClient.GetRepositories(ctx, getRepoArgs)
-
 	if err != nil {
 		return nil, err
 	}
@@ -106,7 +107,7 @@ func (g *AzureDevOpsProvider) RepoHasPath(ctx context.Context, repo *Repository,
 	}

 	var repoId string
-	if uuid, isUuid := repo.RepositoryId.(uuid.UUID); isUuid { //most likely an UUID, but do type-safe check anyway. Do %v fallback if not expected type.
+	if uuid, isUuid := repo.RepositoryId.(uuid.UUID); isUuid { // most likely an UUID, but do type-safe check anyway. Do %v fallback if not expected type.
 		repoId = uuid.String()
 	} else {
 		repoId = fmt.Sprintf("%v", repo.RepositoryId)
@@ -115,9 +116,9 @@ func (g *AzureDevOpsProvider) RepoHasPath(ctx context.Context, repo *Repository,
 	branchName := repo.Branch
 	getItemArgs := azureGit.GetItemArgs{RepositoryId: &repoId, Project: &g.teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}}
 	_, err = gitClient.GetItem(ctx, getItemArgs)
-
 	if err != nil {
-		if wrappedError, isWrappedError := err.(azuredevops.WrappedError); isWrappedError && wrappedError.TypeKey != nil {
+		var wrappedError azuredevops.WrappedError
+		if errors.As(err, &wrappedError) && wrappedError.TypeKey != nil {
 			if *wrappedError.TypeKey == AzureDevOpsErrorsTypeKeyValues.GitItemNotFound {
 				return false, nil
 			}
@@ -138,11 +139,12 @@ func (g *AzureDevOpsProvider) GetBranches(ctx context.Context, repo *Repository)
 	repos := []*Repository{}

 	if !g.allBranches {
-		defaultBranchName := strings.Replace(repo.Branch, "refs/heads/", "", 1) //Azure DevOps returns default branch info like 'refs/heads/main', but does not support branch lookup of this format.
+		defaultBranchName := strings.Replace(repo.Branch, "refs/heads/", "", 1) // Azure DevOps returns default branch info like 'refs/heads/main', but does not support branch lookup of this format.
 		getBranchArgs := azureGit.GetBranchArgs{RepositoryId: &repo.Repository, Project: &g.teamProject, Name: &defaultBranchName}
 		branchResult, err := gitClient.GetBranch(ctx, getBranchArgs)
 		if err != nil {
-			if wrappedError, isWrappedError := err.(azuredevops.WrappedError); isWrappedError && wrappedError.TypeKey != nil {
+			var wrappedError azuredevops.WrappedError
+			if errors.As(err, &wrappedError) && wrappedError.TypeKey != nil {
 				if *wrappedError.TypeKey == AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound {
 					return repos, nil
 				}
@@ -170,7 +172,8 @@ func (g *AzureDevOpsProvider) GetBranches(ctx context.Context, repo *Repository)
 	getBranchesRequest := azureGit.GetBranchesArgs{RepositoryId: &repo.Repository, Project: &g.teamProject}
 	branches, err := gitClient.GetBranches(ctx, getBranchesRequest)
 	if err != nil {
-		if wrappedError, isWrappedError := err.(azuredevops.WrappedError); isWrappedError && wrappedError.TypeKey != nil {
+		var wrappedError azuredevops.WrappedError
+		if errors.As(err, &wrappedError) && wrappedError.TypeKey != nil {
 			if *wrappedError.TypeKey == AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound {
 				return repos, nil
 			}
@@ -209,7 +212,6 @@ func getValidDevOpsURL(url string, org string) (string, error) {
 	devOpsURL := fmt.Sprintf("%s%s%s", url, separator, org)

 	urlCheck, err := netUrl.ParseRequestURI(devOpsURL)
-
 	if err != nil {
 		return "", fmt.Errorf("got an invalid URL for the Azure SCM generator: %w", err)
 	}
--- a/applicationset/services/scm_provider/azure_devops/git/mocks/Client.go
+++ b/applicationset/services/scm_provider/azure_devops/git/mocks/Client.go
--- a/applicationset/services/scm_provider/azure_devops_test.go
+++ b/applicationset/services/scm_provider/azure_devops_test.go
@@ -8,15 +8,19 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
-	"k8s.io/utils/pointer"
+	"github.com/stretchr/testify/require"
+	"k8s.io/utils/ptr"

-	azureMock "github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider/azure_devops/git/mocks"
 	"github.com/microsoft/azure-devops-go-api/azuredevops"
 	azureGit "github.com/microsoft/azure-devops-go-api/azuredevops/git"
+
+	azureMock "github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider/azure_devops/git/mocks"
 )

+//go:generate go run github.com/vektra/mockery/v2@v2.40.2 --srcpkg=github.com/microsoft/azure-devops-go-api/azuredevops/git --name=Client --output=azure_devops/git/mocks --outpkg=mocks
+
 func s(input string) *string {
-	return pointer.String(input)
+	return ptr.To(input)
 }

 func TestAzureDevopsRepoHasPath(t *testing.T) {
@@ -89,26 +93,24 @@ func TestAzureDevopsRepoHasPath(t *testing.T) {
 			hasPath, err := provider.RepoHasPath(ctx, repo, path)

 			if testCase.clientError != nil {
-				assert.ErrorContains(t, err, testCase.clientError.Error())
+				require.ErrorContains(t, err, testCase.clientError.Error())
 				gitClientMock.AssertNotCalled(t, "GetItem", ctx, azureGit.GetItemArgs{Project: &teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}, RepositoryId: repoId})

 				return
 			}

 			if testCase.returnError {
-				assert.ErrorContains(t, err, testCase.errorMessage)
+				require.ErrorContains(t, err, testCase.errorMessage)
 			}

 			assert.Equal(t, testCase.pathFound, hasPath)

 			gitClientMock.AssertCalled(t, "GetItem", ctx, azureGit.GetItemArgs{Project: &teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}, RepositoryId: repoId})
-
 		})
 	}
 }

 func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
-
 	organization := "myorg"
 	teamProject := "myorg_project"
 	repoName := "myorg_project_repo"
@@ -155,9 +157,9 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 			branches, err := provider.GetBranches(ctx, repo)

 			if testCase.shouldReturnError {
-				assert.Error(t, err)
+				require.Error(t, err)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 			}

 			assert.Empty(t, branches)
@@ -168,7 +170,6 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 }

 func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
-
 	organization := "myorg"
 	teamProject := "myorg_project"
 	repoName := "myorg_project_repo"
@@ -215,9 +216,9 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 			branches, err := provider.GetBranches(ctx, repo)

 			if testCase.shouldReturnError {
-				assert.Error(t, err)
+				require.Error(t, err)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 			}

 			assert.Empty(t, branches)
@@ -228,9 +229,7 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 }

 func TestAzureDevOpsGetDefaultBranchStripsRefsName(t *testing.T) {
-
 	t.Run("Get branches only default branch removes characters before querying azure devops", func(t *testing.T) {
-
 		organization := "myorg"
 		teamProject := "myorg_project"
 		repoName := "myorg_project_repo"
@@ -253,7 +252,7 @@ func TestAzureDevOpsGetDefaultBranchStripsRefsName(t *testing.T) {
 		provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock, allBranches: false}
 		branches, err := provider.GetBranches(ctx, repo)

-		assert.NoError(t, err)
+		require.NoError(t, err)
 		assert.Len(t, branches, 1)
 		assert.Equal(t, strippedBranchName, branches[0].Branch)

@@ -310,7 +309,7 @@ func TestAzureDevOpsGetBranchesDefultBranchOnly(t *testing.T) {
 			branches, err := provider.GetBranches(ctx, repo)

 			if testCase.clientError != nil {
-				assert.ErrorContains(t, err, testCase.clientError.Error())
+				require.ErrorContains(t, err, testCase.clientError.Error())
 				gitClientMock.AssertNotCalled(t, "GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch})

 				return
@@ -318,7 +317,7 @@ func TestAzureDevOpsGetBranchesDefultBranchOnly(t *testing.T) {

 			if testCase.getBranchesApiError != nil {
 				assert.Empty(t, branches)
-				assert.ErrorContains(t, err, testCase.getBranchesApiError.Error())
+				require.ErrorContains(t, err, testCase.getBranchesApiError.Error())
 			} else {
 				if testCase.expectedBranch != nil {
 					assert.NotEmpty(t, branches)
@@ -394,21 +393,20 @@ func TestAzureDevopsGetBranches(t *testing.T) {
 			branches, err := provider.GetBranches(ctx, repo)

 			if testCase.expectedProcessingErrorMsg != "" {
-				assert.ErrorContains(t, err, testCase.expectedProcessingErrorMsg)
+				require.ErrorContains(t, err, testCase.expectedProcessingErrorMsg)
 				assert.Nil(t, branches)

 				return
 			}
 			if testCase.clientError != nil {
-				assert.ErrorContains(t, err, testCase.clientError.Error())
+				require.ErrorContains(t, err, testCase.clientError.Error())
 				gitClientMock.AssertNotCalled(t, "GetBranches", ctx, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject})
 				return
-
 			}

 			if testCase.getBranchesApiError != nil {
 				assert.Empty(t, branches)
-				assert.ErrorContains(t, err, testCase.getBranchesApiError.Error())
+				require.ErrorContains(t, err, testCase.getBranchesApiError.Error())
 			} else {
 				if len(*testCase.expectedBranches) > 0 {
 					assert.NotEmpty(t, branches)
@@ -472,14 +470,14 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 				{Name: s("missing_default_branch"), RemoteUrl: s("https://remoteurl.u"), Id: repoId},
 				{DefaultBranch: s("missing_name"), RemoteUrl: s("https://remoteurl.u"), Id: repoId},
 				{Name: s("missing_remote_url"), DefaultBranch: s("main"), Id: repoId},
-				{Name: s("missing_id"), DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u")}},
+				{Name: s("missing_id"), DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u")},
+			},
 			expectedNumberOfRepos: 1,
 		},
 	}

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-
 			gitClientMock := azureMock.Client{}
 			gitClientMock.On("GetRepositories", ctx, azureGit.GetRepositoriesArgs{Project: s(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)

@@ -491,7 +489,7 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 			repositories, err := provider.ListRepos(ctx, "https")

 			if testCase.getRepositoriesError != nil {
-				assert.Error(t, err, "Expected an error from test case %v", testCase.name)
+				require.Error(t, err, "Expected an error from test case %v", testCase.name)
 			}

 			if testCase.expectedNumberOfRepos == 0 {
--- a/applicationset/services/scm_provider/bitbucket_cloud.go
+++ b/applicationset/services/scm_provider/bitbucket_cloud.go
@@ -52,7 +52,6 @@ func (c *ExtendedClient) GetContents(repo *Repository, path string) (bool, error
 var _ SCMProviderService = &BitBucketCloudProvider{}

 func NewBitBucketCloudProvider(ctx context.Context, owner string, user string, password string, allBranches bool) (*BitBucketCloudProvider, error) {
-
 	client := &ExtendedClient{
 		bitbucket.NewBasicAuth(user, password),
 		user,
@@ -66,13 +65,13 @@ func (g *BitBucketCloudProvider) GetBranches(ctx context.Context, repo *Reposito
 	repos := []*Repository{}
 	branches, err := g.listBranches(repo)
 	if err != nil {
-		return nil, fmt.Errorf("error listing branches for %s/%s: %v", repo.Organization, repo.Repository, err)
+		return nil, fmt.Errorf("error listing branches for %s/%s: %w", repo.Organization, repo.Repository, err)
 	}

 	for _, branch := range branches {
 		hash, ok := branch.Target["hash"].(string)
 		if !ok {
-			return nil, fmt.Errorf("error getting SHA for branch for %s/%s/%s: %v", g.owner, repo.Repository, branch.Name, err)
+			return nil, fmt.Errorf("error getting SHA for branch for %s/%s/%s: %w", g.owner, repo.Repository, branch.Name, err)
 		}
 		repos = append(repos, &Repository{
 			Organization: repo.Organization,
@@ -98,12 +97,12 @@ func (g *BitBucketCloudProvider) ListRepos(ctx context.Context, cloneProtocol st
 	repos := []*Repository{}
 	accountReposResp, err := g.client.Repositories.ListForAccount(opt)
 	if err != nil {
-		return nil, fmt.Errorf("error listing repositories for %s: %v", g.owner, err)
+		return nil, fmt.Errorf("error listing repositories for %s: %w", g.owner, err)
 	}
 	for _, bitBucketRepo := range accountReposResp.Items {
 		cloneUrl, err := findCloneURL(cloneProtocol, &bitBucketRepo)
 		if err != nil {
-			return nil, fmt.Errorf("error fetching clone url for repo %s: %v", bitBucketRepo.Slug, err)
+			return nil, fmt.Errorf("error fetching clone url for repo %s: %w", bitBucketRepo.Slug, err)
 		}
 		repos = append(repos, &Repository{
 			Organization: g.owner,
@@ -151,11 +150,9 @@ func (g *BitBucketCloudProvider) listBranches(repo *Repository) ([]bitbucket.Rep
 		return nil, err
 	}
 	return branches.Branches, nil
-
 }

 func findCloneURL(cloneProtocol string, repo *bitbucket.Repository) (*string, error) {
-
 	cloneLinks, ok := repo.Links["clone"].([]interface{})
 	if !ok {
 		return nil, fmt.Errorf("unknown type returned from repo links")
--- a/applicationset/services/scm_provider/bitbucket_cloud_test.go
+++ b/applicationset/services/scm_provider/bitbucket_cloud_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
@@ -18,7 +19,7 @@ func TestBitbucketHasRepo(t *testing.T) {
 			res.WriteHeader(http.StatusNotFound)
 			_, err := res.Write([]byte(""))
 			if err != nil {
-				assert.NoError(t, fmt.Errorf("Error in mock response %v", err))
+				require.NoError(t, fmt.Errorf("Error in mock response %w", err))
 			}
 		}
 		if req.URL.Path == "/repositories/test-owner/testmike/src/dc1edb6c7d650d8ba67719ddf7b662ad8f8fb798/.gitignore" {
@@ -55,7 +56,7 @@ func TestBitbucketHasRepo(t *testing.T) {
 				"size": 624
 			}`))
 			if err != nil {
-				assert.NoError(t, fmt.Errorf("Error in mock response %v", err))
+				require.NoError(t, fmt.Errorf("Error in mock response %w", err))
 			}
 		}
 	}))
@@ -95,7 +96,7 @@ func TestBitbucketHasRepo(t *testing.T) {
 			}
 			hasPath, err := provider.RepoHasPath(context.Background(), repo, c.path)
 			if err != nil {
-				assert.Error(t, fmt.Errorf("Error in test %v", err))
+				require.Error(t, fmt.Errorf("Error in test %w", err))
 			}
 			if c.status != http.StatusOK {
 				assert.False(t, hasPath)
@@ -208,7 +209,7 @@ func TestBitbucketListRepos(t *testing.T) {
 				"size": 1
 			}`))
 			if err != nil {
-				assert.NoError(t, fmt.Errorf("Error in mock response %v", err))
+				require.NoError(t, fmt.Errorf("Error in mock response %w", err))
 			}
 		}
 		if req.URL.Path == "/repositories/test-owner/testmike/refs/branches/main" {
@@ -303,7 +304,7 @@ func TestBitbucketListRepos(t *testing.T) {
 				}
 			}`))
 			if err != nil {
-				assert.NoError(t, fmt.Errorf("Error in mock response %v", err))
+				require.NoError(t, fmt.Errorf("Error in mock response %w", err))
 			}
 		}
 		if req.URL.Path == "/repositories/test-owner" {
@@ -442,7 +443,7 @@ func TestBitbucketListRepos(t *testing.T) {
 			"size": 1
 		}`))
 			if err != nil {
-				assert.NoError(t, fmt.Errorf("Error in mock response %v", err))
+				require.NoError(t, fmt.Errorf("Error in mock response %w", err))
 			}
 		}
 	}))
@@ -489,9 +490,9 @@ func TestBitbucketListRepos(t *testing.T) {
 			provider, _ := NewBitBucketCloudProvider(context.Background(), c.owner, "user", "password", c.allBranches)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
-				assert.Error(t, err)
+				require.Error(t, err)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				repos := []*Repository{}
 				branches := []string{}
 				for _, r := range rawRepos {
--- a/applicationset/services/scm_provider/bitbucket_server.go
+++ b/applicationset/services/scm_provider/bitbucket_server.go
@@ -2,12 +2,14 @@ package scm_provider

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	bitbucketv1 "github.com/gfleury/go-bitbucket-v1"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 )

 type BitbucketServerProvider struct {
@@ -54,12 +56,12 @@ func (b *BitbucketServerProvider) ListRepos(_ context.Context, cloneProtocol str
 	for {
 		response, err := b.client.DefaultApi.GetRepositoriesWithOptions(b.projectKey, paged)
 		if err != nil {
-			return nil, fmt.Errorf("error listing repositories for %s: %v", b.projectKey, err)
+			return nil, fmt.Errorf("error listing repositories for %s: %w", b.projectKey, err)
 		}
 		repositories, err := bitbucketv1.GetRepositoriesResponse(response)
 		if err != nil {
 			log.Errorf("error parsing repositories response '%v'", response.Values)
-			return nil, fmt.Errorf("error parsing repositories response %s: %v", b.projectKey, err)
+			return nil, fmt.Errorf("error parsing repositories response %s: %w", b.projectKey, err)
 		}
 		for _, bitbucketRepo := range repositories {
 			var url string
@@ -126,7 +128,7 @@ func (b *BitbucketServerProvider) GetBranches(_ context.Context, repo *Repositor
 	repos := []*Repository{}
 	branches, err := b.listBranches(repo)
 	if err != nil {
-		return nil, fmt.Errorf("error listing branches for %s/%s: %v", repo.Organization, repo.Repository, err)
+		return nil, fmt.Errorf("error listing branches for %s/%s: %w", repo.Organization, repo.Repository, err)
 	}

 	for _, branch := range branches {
@@ -163,12 +165,12 @@ func (b *BitbucketServerProvider) listBranches(repo *Repository) ([]bitbucketv1.
 	for {
 		response, err := b.client.DefaultApi.GetBranches(repo.Organization, repo.Repository, paged)
 		if err != nil {
-			return nil, fmt.Errorf("error listing branches for %s/%s: %v", repo.Organization, repo.Repository, err)
+			return nil, fmt.Errorf("error listing branches for %s/%s: %w", repo.Organization, repo.Repository, err)
 		}
 		bitbucketBranches, err := bitbucketv1.GetBranchesResponse(response)
 		if err != nil {
 			log.Errorf("error parsing branches response '%v'", response.Values)
-			return nil, fmt.Errorf("error parsing branches response for %s/%s: %v", repo.Organization, repo.Repository, err)
+			return nil, fmt.Errorf("error parsing branches response for %s/%s: %w", repo.Organization, repo.Repository, err)
 		}

 		branches = append(branches, bitbucketBranches...)
@@ -186,7 +188,7 @@ func (b *BitbucketServerProvider) getDefaultBranch(org string, repo string) (*bi
 	response, err := b.client.DefaultApi.GetDefaultBranch(org, repo)
 	// The API will return 404 if a default branch is set but doesn't exist. In case the repo is empty and default branch is unset,
 	// we will get an EOF and a nil response.
-	if (response != nil && response.StatusCode == 404) || (response == nil && err == io.EOF) {
+	if (response != nil && response.StatusCode == 404) || (response == nil && err != nil && errors.Is(err, io.EOF)) {
 		return nil, nil
 	}
 	if err != nil {
--- a/applicationset/services/scm_provider/bitbucket_server_test.go
+++ b/applicationset/services/scm_provider/bitbucket_server_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func defaultHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
@@ -79,8 +80,8 @@ func defaultHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 }

 func verifyDefaultRepo(t *testing.T, err error, repos []*Repository) {
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(repos))
+	require.NoError(t, err)
+	assert.Len(t, repos, 1)
 	assert.Equal(t, Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -99,7 +100,7 @@ func TestListReposNoAuth(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
 	verifyDefaultRepo(t, err, repos)
 }
@@ -191,10 +192,10 @@ func TestListReposPagination(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
-	assert.NoError(t, err)
-	assert.Equal(t, 2, len(repos))
+	require.NoError(t, err)
+	assert.Len(t, repos, 2)
 	assert.Equal(t, Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -268,7 +269,7 @@ func TestGetBranchesBranchPagination(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -276,8 +277,8 @@ func TestGetBranchesBranchPagination(t *testing.T) {
 		Labels:       []string{},
 		RepositoryId: 1,
 	})
-	assert.NoError(t, err)
-	assert.Equal(t, 2, len(repos))
+	require.NoError(t, err)
+	assert.Len(t, repos, 2)
 	assert.Equal(t, Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -321,7 +322,7 @@ func TestGetBranchesDefaultOnly(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -329,8 +330,8 @@ func TestGetBranchesDefaultOnly(t *testing.T) {
 		Labels:       []string{},
 		RepositoryId: 1,
 	})
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(repos))
+	require.NoError(t, err)
+	assert.Len(t, repos, 1)
 	assert.Equal(t, Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -353,7 +354,7 @@ func TestGetBranchesMissingDefault(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -361,7 +362,7 @@ func TestGetBranchesMissingDefault(t *testing.T) {
 		Labels:       []string{},
 		RepositoryId: 1,
 	})
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Empty(t, repos)
 }

@@ -375,7 +376,7 @@ func TestGetBranchesEmptyRepo(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -384,7 +385,7 @@ func TestGetBranchesEmptyRepo(t *testing.T) {
 		RepositoryId: 1,
 	})
 	assert.Empty(t, repos)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 }

 func TestGetBranchesErrorDefaultBranch(t *testing.T) {
@@ -398,7 +399,7 @@ func TestGetBranchesErrorDefaultBranch(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	_, err = provider.GetBranches(context.Background(), &Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -406,7 +407,7 @@ func TestGetBranchesErrorDefaultBranch(t *testing.T) {
 		Labels:       []string{},
 		RepositoryId: 1,
 	})
-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestListReposBasicAuth(t *testing.T) {
@@ -417,7 +418,7 @@ func TestListReposBasicAuth(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderBasicAuth(context.Background(), "user", "password", ts.URL, "PROJECT", true)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
 	verifyDefaultRepo(t, err, repos)
 }
@@ -444,10 +445,10 @@ func TestListReposDefaultBranch(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(repos))
+	require.NoError(t, err)
+	assert.Len(t, repos, 1)
 	assert.Equal(t, Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -470,9 +471,9 @@ func TestListReposMissingDefaultBranch(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "ssh")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Empty(t, repos)
 }

@@ -487,9 +488,9 @@ func TestListReposErrorDefaultBranch(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", false)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	_, err = provider.ListRepos(context.Background(), "ssh")
-	assert.Error(t, err)
+	require.Error(t, err)
 }

 func TestListReposCloneProtocol(t *testing.T) {
@@ -499,10 +500,10 @@ func TestListReposCloneProtocol(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repos, err := provider.ListRepos(context.Background(), "https")
-	assert.NoError(t, err)
-	assert.Equal(t, 1, len(repos))
+	require.NoError(t, err)
+	assert.Len(t, repos, 1)
 	assert.Equal(t, Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
@@ -521,9 +522,9 @@ func TestListReposUnknownProtocol(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	_, errProtocol := provider.ListRepos(context.Background(), "http")
-	assert.NotNil(t, errProtocol)
+	require.Error(t, errProtocol)
 }

 func TestBitbucketServerHasPath(t *testing.T) {
@@ -559,36 +560,36 @@ func TestBitbucketServerHasPath(t *testing.T) {
 	}))
 	defer ts.Close()
 	provider, err := NewBitbucketServerProviderNoAuth(context.Background(), ts.URL, "PROJECT", true)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	repo := &Repository{
 		Organization: "PROJECT",
 		Repository:   "REPO",
 		Branch:       "main",
 	}
 	ok, err := provider.RepoHasPath(context.Background(), repo, "pkg")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.True(t, ok)

 	ok, err = provider.RepoHasPath(context.Background(), repo, "pkg/")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.True(t, ok)

 	ok, err = provider.RepoHasPath(context.Background(), repo, "anotherpkg/file.txt")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.True(t, ok)

 	ok, err = provider.RepoHasPath(context.Background(), repo, "anotherpkg/missing.txt")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.False(t, ok)

 	ok, err = provider.RepoHasPath(context.Background(), repo, "notathing")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.False(t, ok)

 	ok, err = provider.RepoHasPath(context.Background(), repo, "return-redirect")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.True(t, ok)

 	_, err = provider.RepoHasPath(context.Background(), repo, "unauthorized-response")
-	assert.Error(t, err)
+	require.Error(t, err)
 }
--- a/applicationset/services/scm_provider/gitea_test.go
+++ b/applicationset/services/scm_provider/gitea_test.go
@@ -258,6 +258,7 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 		}
 	}
 }
+
 func TestGiteaListRepos(t *testing.T) {
 	cases := []struct {
 		name, proto, url                        string
@@ -305,9 +306,9 @@ func TestGiteaListRepos(t *testing.T) {
 			provider, _ := NewGiteaProvider(context.Background(), "test-argocd", "", ts.URL, c.allBranches, false)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
-				assert.NotNil(t, err)
+				require.Error(t, err)
 			} else {
-				assert.Nil(t, err)
+				require.NoError(t, err)
 				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
 				branches := []string{}
@@ -341,19 +342,19 @@ func TestGiteaHasPath(t *testing.T) {

 	t.Run("file exists", func(t *testing.T) {
 		ok, err := host.RepoHasPath(context.Background(), repo, "README.md")
-		assert.Nil(t, err)
+		require.NoError(t, err)
 		assert.True(t, ok)
 	})

 	t.Run("directory exists", func(t *testing.T) {
 		ok, err := host.RepoHasPath(context.Background(), repo, "gitea")
-		assert.Nil(t, err)
+		require.NoError(t, err)
 		assert.True(t, ok)
 	})

 	t.Run("does not exists", func(t *testing.T) {
 		ok, err := host.RepoHasPath(context.Background(), repo, "notathing")
-		assert.Nil(t, err)
+		require.NoError(t, err)
 		assert.False(t, ok)
 	})
 }
--- a/applicationset/services/scm_provider/github_test.go
+++ b/applicationset/services/scm_provider/github_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
@@ -244,9 +245,9 @@ func TestGithubListRepos(t *testing.T) {
 			provider, _ := NewGithubProvider(context.Background(), "argoproj", "", ts.URL, c.allBranches)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
-				assert.Error(t, err)
+				require.Error(t, err)
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
 				branches := []string{}
@@ -278,11 +279,11 @@ func TestGithubHasPath(t *testing.T) {
 		Branch:       "master",
 	}
 	ok, err := host.RepoHasPath(context.Background(), repo, "pkg/")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.True(t, ok)

 	ok, err = host.RepoHasPath(context.Background(), repo, "notathing/")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.False(t, ok)
 }

@@ -299,26 +300,26 @@ func TestGithubGetBranches(t *testing.T) {
 	}
 	repos, err := host.GetBranches(context.Background(), repo)
 	if err != nil {
-		assert.NoError(t, err)
+		require.NoError(t, err)
 	} else {
-		assert.Equal(t, repos[0].Branch, "master")
+		assert.Equal(t, "master", repos[0].Branch)
 	}
-	//Branch Doesn't exists instead of error will return no error
+	// Branch Doesn't exists instead of error will return no error
 	repo2 := &Repository{
 		Organization: "argoproj",
 		Repository:   "applicationset",
 		Branch:       "main",
 	}
 	_, err = host.GetBranches(context.Background(), repo2)
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	// Get all branches
 	host.allBranches = true
 	repos, err = host.GetBranches(context.Background(), repo)
 	if err != nil {
-		assert.NoError(t, err)
+		require.NoError(t, err)
 	} else {
 		// considering master  branch to  exist.
-		assert.Equal(t, len(repos), 1)
+		assert.Len(t, repos, 1)
 	}
 }
--- a/applicationset/services/scm_provider/gitlab.go
+++ b/applicationset/services/scm_provider/gitlab.go
@@ -7,9 +7,10 @@ import (
 	"os"
 	pathpkg "path"

-	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/hashicorp/go-retryablehttp"
 	"github.com/xanzy/go-gitlab"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 )

 type GitlabProvider struct {
@@ -57,7 +58,7 @@ func (g *GitlabProvider) GetBranches(ctx context.Context, repo *Repository) ([]*
 	repos := []*Repository{}
 	branches, err := g.listBranches(ctx, repo)
 	if err != nil {
-		return nil, fmt.Errorf("error listing branches for %s/%s: %v", repo.Organization, repo.Repository, err)
+		return nil, fmt.Errorf("error listing branches for %s/%s: %w", repo.Organization, repo.Repository, err)
 	}

 	for _, branch := range branches {
@@ -86,7 +87,7 @@ func (g *GitlabProvider) ListRepos(ctx context.Context, cloneProtocol string) ([
 	for {
 		gitlabRepos, resp, err := g.client.Groups.ListGroupProjects(g.organization, opt)
 		if err != nil {
-			return nil, fmt.Errorf("error listing projects for %s: %v", g.organization, err)
+			return nil, fmt.Errorf("error listing projects for %s: %w", g.organization, err)
 		}
 		for _, gitlabRepo := range gitlabRepos {
 			var url string
--- a/applicationset/services/scm_provider/gitlab_test.go
+++ b/applicationset/services/scm_provider/gitlab_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
@@ -1046,6 +1047,7 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 		}
 	}
 }
+
 func TestGitlabListRepos(t *testing.T) {
 	cases := []struct {
 		name, proto, url, topic                                                  string
@@ -1122,9 +1124,9 @@ func TestGitlabListRepos(t *testing.T) {
 			provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.includeSharedProjects, c.insecure, "", c.topic)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
-				assert.NotNil(t, err)
+				require.Error(t, err)
 			} else {
-				assert.Nil(t, err)
+				require.NoError(t, err)
 				// Just check that this one project shows up. Not a great test but better than nothing?
 				repos := []*Repository{}
 				uniqueRepos := map[string]int{}
@@ -1143,11 +1145,11 @@ func TestGitlabListRepos(t *testing.T) {
 				}
 				// In case of listing subgroups, validate the number of returned projects
 				if c.includeSubgroups || c.includeSharedProjects {
-					assert.Equal(t, 2, len(uniqueRepos))
+					assert.Len(t, uniqueRepos, 2)
 				}
 				// In case we filter on the topic, ensure we got only one repo returned
 				if c.topic != "" {
-					assert.Equal(t, 1, len(uniqueRepos))
+					assert.Len(t, uniqueRepos, 1)
 				}
 			}
 		})
@@ -1194,7 +1196,7 @@ func TestGitlabHasPath(t *testing.T) {
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
 			ok, err := host.RepoHasPath(context.Background(), repo, c.path)
-			assert.Nil(t, err)
+			require.NoError(t, err)
 			assert.Equal(t, c.exists, ok)
 		})
 	}
@@ -1212,8 +1214,8 @@ func TestGitlabGetBranches(t *testing.T) {
 	}
 	t.Run("branch exists", func(t *testing.T) {
 		repos, err := host.GetBranches(context.Background(), repo)
-		assert.Nil(t, err)
-		assert.Equal(t, repos[0].Branch, "master")
+		require.NoError(t, err)
+		assert.Equal(t, "master", repos[0].Branch)
 	})

 	repo2 := &Repository{
@@ -1222,6 +1224,6 @@ func TestGitlabGetBranches(t *testing.T) {
 	}
 	t.Run("unknown branch", func(t *testing.T) {
 		_, err := host.GetBranches(context.Background(), repo2)
-		assert.NoError(t, err)
+		require.NoError(t, err)
 	})
 }
--- a/applicationset/services/scm_provider/mock.go
+++ b/applicationset/services/scm_provider/mock.go
@@ -44,7 +44,6 @@ func (m *MockProvider) GetBranches(_ context.Context, repo *Repository) ([]*Repo
 				branchRepos = append(branchRepos, candidateRepo)
 			}
 		}
-
 	}
 	return branchRepos, nil
 }
--- a/applicationset/services/scm_provider/utils.go
+++ b/applicationset/services/scm_provider/utils.go
@@ -17,14 +17,14 @@ func compileFilters(filters []argoprojiov1alpha1.SCMProviderGeneratorFilter) ([]
 		if filter.RepositoryMatch != nil {
 			outFilter.RepositoryMatch, err = regexp.Compile(*filter.RepositoryMatch)
 			if err != nil {
-				return nil, fmt.Errorf("error compiling RepositoryMatch regexp %q: %v", *filter.RepositoryMatch, err)
+				return nil, fmt.Errorf("error compiling RepositoryMatch regexp %q: %w", *filter.RepositoryMatch, err)
 			}
 			outFilter.FilterType = FilterTypeRepo
 		}
 		if filter.LabelMatch != nil {
 			outFilter.LabelMatch, err = regexp.Compile(*filter.LabelMatch)
 			if err != nil {
-				return nil, fmt.Errorf("error compiling LabelMatch regexp %q: %v", *filter.LabelMatch, err)
+				return nil, fmt.Errorf("error compiling LabelMatch regexp %q: %w", *filter.LabelMatch, err)
 			}
 			outFilter.FilterType = FilterTypeRepo
 		}
@@ -39,7 +39,7 @@ func compileFilters(filters []argoprojiov1alpha1.SCMProviderGeneratorFilter) ([]
 		if filter.BranchMatch != nil {
 			outFilter.BranchMatch, err = regexp.Compile(*filter.BranchMatch)
 			if err != nil {
-				return nil, fmt.Errorf("error compiling BranchMatch regexp %q: %v", *filter.BranchMatch, err)
+				return nil, fmt.Errorf("error compiling BranchMatch regexp %q: %w", *filter.BranchMatch, err)
 			}
 			outFilter.FilterType = FilterTypeBranch
 		}
--- a/applicationset/services/scm_provider/utils_test.go
+++ b/applicationset/services/scm_provider/utils_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
@@ -37,7 +38,7 @@ func TestFilterRepoMatch(t *testing.T) {
 		},
 	}
 	repos, err := ListRepos(context.Background(), provider, filters, "")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 2)
 	assert.Equal(t, "one", repos[0].Repository)
 	assert.Equal(t, "three", repos[1].Repository)
@@ -66,7 +67,7 @@ func TestFilterLabelMatch(t *testing.T) {
 		},
 	}
 	repos, err := ListRepos(context.Background(), provider, filters, "")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 2)
 	assert.Equal(t, "one", repos[0].Repository)
 	assert.Equal(t, "two", repos[1].Repository)
@@ -92,7 +93,7 @@ func TestFilterPathExists(t *testing.T) {
 		},
 	}
 	repos, err := ListRepos(context.Background(), provider, filters, "")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 1)
 	assert.Equal(t, "two", repos[0].Repository)
 }
@@ -117,9 +118,10 @@ func TestFilterPathDoesntExists(t *testing.T) {
 		},
 	}
 	repos, err := ListRepos(context.Background(), provider, filters, "")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 2)
 }
+
 func TestFilterRepoMatchBadRegexp(t *testing.T) {
 	provider := &MockProvider{
 		Repos: []*Repository{
@@ -134,7 +136,7 @@ func TestFilterRepoMatchBadRegexp(t *testing.T) {
 		},
 	}
 	_, err := ListRepos(context.Background(), provider, filters, "")
-	assert.NotNil(t, err)
+	require.Error(t, err)
 }

 func TestFilterLabelMatchBadRegexp(t *testing.T) {
@@ -151,7 +153,7 @@ func TestFilterLabelMatchBadRegexp(t *testing.T) {
 		},
 	}
 	_, err := ListRepos(context.Background(), provider, filters, "")
-	assert.NotNil(t, err)
+	require.Error(t, err)
 }

 func TestFilterBranchMatch(t *testing.T) {
@@ -185,7 +187,7 @@ func TestFilterBranchMatch(t *testing.T) {
 		},
 	}
 	repos, err := ListRepos(context.Background(), provider, filters, "")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 2)
 	assert.Equal(t, "one", repos[0].Repository)
 	assert.Equal(t, "two", repos[0].Branch)
@@ -217,7 +219,7 @@ func TestMultiFilterAnd(t *testing.T) {
 		},
 	}
 	repos, err := ListRepos(context.Background(), provider, filters, "")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 1)
 	assert.Equal(t, "two", repos[0].Repository)
 }
@@ -248,7 +250,7 @@ func TestMultiFilterOr(t *testing.T) {
 		},
 	}
 	repos, err := ListRepos(context.Background(), provider, filters, "")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 3)
 	assert.Equal(t, "one", repos[0].Repository)
 	assert.Equal(t, "two", repos[1].Repository)
@@ -274,7 +276,7 @@ func TestNoFilters(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{}
 	repos, err := ListRepos(context.Background(), provider, filters, "")
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Len(t, repos, 3)
 	assert.Equal(t, "one", repos[0].Repository)
 	assert.Equal(t, "two", repos[1].Repository)
@@ -311,8 +313,10 @@ func TestApplicableFilterMap(t *testing.T) {
 		BranchMatch: &regexp.Regexp{},
 		FilterType:  FilterTypeBranch,
 	}
-	filterMap := getApplicableFilters([]*Filter{&branchFilter, &repoFilter,
-		&pathExistsFilter, &labelMatchFilter, &unsetFilter, &additionalBranchFilter, &pathDoesntExistsFilter})
+	filterMap := getApplicableFilters([]*Filter{
+		&branchFilter, &repoFilter,
+		&pathExistsFilter, &labelMatchFilter, &unsetFilter, &additionalBranchFilter, &pathDoesntExistsFilter,
+	})

 	assert.Len(t, filterMap[FilterTypeRepo], 2)
 	assert.Len(t, filterMap[FilterTypeBranch], 4)
--- a/applicationset/utils/clusterUtils.go
+++ b/applicationset/utils/clusterUtils.go
@@ -17,7 +17,7 @@ import (
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"

 	"k8s.io/client-go/kubernetes"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 )

 // The contents of this file are from
@@ -55,16 +55,14 @@ func ValidateDestination(ctx context.Context, dest *appv1.ApplicationDestination
 		if dest.Server == "" {
 			server, err := getDestinationServer(ctx, dest.Name, clientset, argoCDNamespace)
 			if err != nil {
-				return fmt.Errorf("unable to find destination server: %v", err)
+				return fmt.Errorf("unable to find destination server: %w", err)
 			}
 			if server == "" {
 				return fmt.Errorf("application references destination cluster %s which does not exist", dest.Name)
 			}
 			dest.SetInferredServer(server)
-		} else {
-			if !dest.IsServerInferred() {
-				return fmt.Errorf("application destination can't have both name and server defined: %s %s", dest.Name, dest.Server)
-			}
+		} else if !dest.IsServerInferred() {
+			return fmt.Errorf("application destination can't have both name and server defined: %s %s", dest.Name, dest.Server)
 		}
 	}
 	return nil
@@ -93,7 +91,6 @@ func getDestinationServer(ctx context.Context, clusterName string, clientset kub
 }

 func ListClusters(ctx context.Context, clientset kubernetes.Interface, namespace string) (*appv1.ClusterList, error) {
-
 	clusterSecretsList, err := clientset.CoreV1().Secrets(namespace).List(ctx,
 		metav1.ListOptions{LabelSelector: common.LabelKeySecretType + "=" + common.LabelValueSecretTypeCluster})
 	if err != nil {
@@ -114,7 +111,7 @@ func ListClusters(ctx context.Context, clientset kubernetes.Interface, namespace
 		// This line has changed from the original Argo CD code: now receives an error, and handles it
 		cluster, err := secretToCluster(&clusterSecret)
 		if err != nil || cluster == nil {
-			return nil, fmt.Errorf("unable to convert cluster secret to cluster object '%s': %v", clusterSecret.Name, err)
+			return nil, fmt.Errorf("unable to convert cluster secret to cluster object '%s': %w", clusterSecret.Name, err)
 		}

 		clusterList.Items[i] = *cluster
@@ -180,7 +177,7 @@ func secretToCluster(s *corev1.Secret) (*appv1.Cluster, error) {
 		if val, err := strconv.Atoi(string(shardStr)); err != nil {
 			log.Warnf("Error while parsing shard in cluster secret '%s': %v", s.Name, err)
 		} else {
-			shard = pointer.Int64(int64(val))
+			shard = ptr.To(int64(val))
 		}
 	}
 	cluster := appv1.Cluster{
--- a/applicationset/utils/clusterUtils_test.go
+++ b/applicationset/utils/clusterUtils_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -33,14 +34,14 @@ func Test_secretToCluster(t *testing.T) {
 		},
 	}
 	cluster, err := secretToCluster(secret)
-	assert.Nil(t, err)
-	assert.Equal(t, *cluster, argoappv1.Cluster{
+	require.NoError(t, err)
+	assert.Equal(t, argoappv1.Cluster{
 		Name:   "test",
 		Server: "http://mycluster",
 		Config: argoappv1.ClusterConfig{
 			Username: "foo",
 		},
-	})
+	}, *cluster)
 }

 // From Argo CD util/db/cluster_test.go
@@ -56,15 +57,14 @@ func Test_secretToCluster_NoConfig(t *testing.T) {
 		},
 	}
 	cluster, err := secretToCluster(secret)
-	assert.Nil(t, err)
-	assert.Equal(t, *cluster, argoappv1.Cluster{
+	require.NoError(t, err)
+	assert.Equal(t, argoappv1.Cluster{
 		Name:   "test",
 		Server: "http://mycluster",
-	})
+	}, *cluster)
 }

 func createClusterSecret(secretName string, clusterName string, clusterServer string) *corev1.Secret {
-
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secretName,
@@ -81,22 +81,19 @@ func createClusterSecret(secretName string, clusterName string, clusterServer st
 	}

 	return secret
-
 }

 // From util/argo/argo_test.go
 // (ported to use kubeclientset)
 func TestValidateDestination(t *testing.T) {
-
 	t.Run("Validate destination with server url", func(t *testing.T) {
-
 		dest := argoappv1.ApplicationDestination{
 			Server:    "https://127.0.0.1:6443",
 			Namespace: "default",
 		}

 		appCond := ValidateDestination(context.Background(), &dest, nil, fakeNamespace)
-		assert.Nil(t, appCond)
+		require.NoError(t, appCond)
 		assert.False(t, dest.IsServerInferred())
 	})

@@ -111,7 +108,7 @@ func TestValidateDestination(t *testing.T) {
 		kubeclientset := fake.NewSimpleClientset(objects...)

 		appCond := ValidateDestination(context.Background(), &dest, kubeclientset, fakeNamespace)
-		assert.Nil(t, appCond)
+		require.NoError(t, appCond)
 		assert.Equal(t, "https://127.0.0.1:6443", dest.Server)
 		assert.True(t, dest.IsServerInferred())
 	})
@@ -174,5 +171,4 @@ func TestValidateDestination(t *testing.T) {
 		assert.Equal(t, "unable to find destination server: there are 2 clusters with the same name: [https://127.0.0.1:2443 https://127.0.0.1:8443]", err.Error())
 		assert.False(t, dest.IsServerInferred())
 	})
-
 }
--- a/applicationset/utils/createOrUpdate.go
+++ b/applicationset/utils/createOrUpdate.go
@@ -20,6 +20,7 @@ import (
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/util/argo"
 	argodiff "github.com/argoproj/argo-cd/v2/util/argo/diff"
+	"github.com/argoproj/argo-cd/v2/util/argo/normalizers"
 )

 // CreateOrUpdate overrides "sigs.k8s.io/controller-runtime" function
@@ -35,8 +36,7 @@ import (
 // The MutateFn is called regardless of creating or updating an object.
 //
 // It returns the executed operation and an error.
-func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ignoreAppDifferences argov1alpha1.ApplicationSetIgnoreDifferences, obj *argov1alpha1.Application, f controllerutil.MutateFn) (controllerutil.OperationResult, error) {
-
+func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ignoreAppDifferences argov1alpha1.ApplicationSetIgnoreDifferences, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts, obj *argov1alpha1.Application, f controllerutil.MutateFn) (controllerutil.OperationResult, error) {
 	key := client.ObjectKeyFromObject(obj)
 	if err := c.Get(ctx, key, obj); err != nil {
 		if !errors.IsNotFound(err) {
@@ -60,7 +60,7 @@ func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ign

 	// Apply ignoreApplicationDifferences rules to remove ignored fields from both the live and the desired state. This
 	// prevents those differences from appearing in the diff and therefore in the patch.
-	err := applyIgnoreDifferences(ignoreAppDifferences, normalizedLive, obj)
+	err := applyIgnoreDifferences(ignoreAppDifferences, normalizedLive, obj, ignoreNormalizerOpts)
 	if err != nil {
 		return controllerutil.OperationResultNone, fmt.Errorf("failed to apply ignore differences: %w", err)
 	}
@@ -134,14 +134,14 @@ func mutate(f controllerutil.MutateFn, key client.ObjectKey, obj client.Object)
 }

 // applyIgnoreDifferences applies the ignore differences rules to the found application. It modifies the applications in place.
-func applyIgnoreDifferences(applicationSetIgnoreDifferences argov1alpha1.ApplicationSetIgnoreDifferences, found *argov1alpha1.Application, generatedApp *argov1alpha1.Application) error {
+func applyIgnoreDifferences(applicationSetIgnoreDifferences argov1alpha1.ApplicationSetIgnoreDifferences, found *argov1alpha1.Application, generatedApp *argov1alpha1.Application, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts) error {
 	if len(applicationSetIgnoreDifferences) == 0 {
 		return nil
 	}

 	generatedAppCopy := generatedApp.DeepCopy()
 	diffConfig, err := argodiff.NewDiffConfigBuilder().
-		WithDiffSettings(applicationSetIgnoreDifferences.ToApplicationIgnoreDifferences(), nil, false).
+		WithDiffSettings(applicationSetIgnoreDifferences.ToApplicationIgnoreDifferences(), nil, false, ignoreNormalizerOpts).
 		WithNoCache().
 		Build()
 	if err != nil {
--- a/applicationset/utils/createOrUpdate_test.go
+++ b/applicationset/utils/createOrUpdate_test.go
@@ -9,6 +9,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/argo/normalizers"
 )

 func Test_applyIgnoreDifferences(t *testing.T) {
@@ -222,7 +223,7 @@ spec:
 			generatedApp := v1alpha1.Application{TypeMeta: appMeta}
 			err = yaml.Unmarshal([]byte(tc.generatedApp), &generatedApp)
 			require.NoError(t, err, tc.generatedApp)
-			err = applyIgnoreDifferences(tc.ignoreDifferences, &foundApp, &generatedApp)
+			err = applyIgnoreDifferences(tc.ignoreDifferences, &foundApp, &generatedApp, normalizers.IgnoreNormalizerOpts{})
 			require.NoError(t, err)
 			yamlFound, err := yaml.Marshal(tc.foundApp)
 			require.NoError(t, err)
--- a/applicationset/utils/map.go
+++ b/applicationset/utils/map.go
@@ -26,7 +26,6 @@ func ConvertToMapStringInterface(mapStringString map[string]string) map[string]i
 }

 func CombineStringMaps(aSI map[string]interface{}, bSI map[string]interface{}) (map[string]string, error) {
-
 	a := ConvertToMapStringString(aSI)
 	b := ConvertToMapStringString(bSI)

@@ -49,7 +48,6 @@ func CombineStringMaps(aSI map[string]interface{}, bSI map[string]interface{}) (

 // CombineStringMapsAllowDuplicates merges two maps. Where there are duplicates, take the latter map's value.
 func CombineStringMapsAllowDuplicates(aSI map[string]interface{}, bSI map[string]interface{}) (map[string]string, error) {
-
 	a := ConvertToMapStringString(aSI)
 	b := ConvertToMapStringString(bSI)

--- a/applicationset/utils/map_test.go
+++ b/applicationset/utils/map_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestCombineStringMaps(t *testing.T) {
@@ -49,10 +50,9 @@ func TestCombineStringMaps(t *testing.T) {
 			if testCaseCopy.expectedErr != nil {
 				assert.EqualError(t, err, testCaseCopy.expectedErr.Error())
 			} else {
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
 		})
 	}
 }
--- a/applicationset/utils/selector.go
+++ b/applicationset/utils/selector.go
@@ -2,15 +2,16 @@ package utils

 import (
 	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/klog/v2"
-	"sort"
-	"strconv"
-	"strings"
 )

 var (
--- a/applicationset/utils/utils.go
+++ b/applicationset/utils/utils.go
@@ -44,8 +44,7 @@ type Renderer interface {
 	Replace(tmpl string, replaceMap map[string]interface{}, useGoTemplate bool, goTemplateOptions []string) (string, error)
 }

-type Render struct {
-}
+type Render struct{}

 func copyValueIntoUnexported(destination, value reflect.Value) {
 	reflect.NewAt(destination.Type(), unsafe.Pointer(destination.UnsafeAddr())).
@@ -54,7 +53,7 @@ func copyValueIntoUnexported(destination, value reflect.Value) {
 }

 func copyUnexported(copy, original reflect.Value) {
-	var unexported = reflect.NewAt(original.Type(), unsafe.Pointer(original.UnsafeAddr())).Elem()
+	unexported := reflect.NewAt(original.Type(), unsafe.Pointer(original.UnsafeAddr())).Elem()
 	copyValueIntoUnexported(copy, unexported)
 }

@@ -127,7 +126,7 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri
 	// If it is a struct we translate each field
 	case reflect.Struct:
 		for i := 0; i < original.NumField(); i += 1 {
-			var currentType = fmt.Sprintf("%s.%s", original.Type().Field(i).Name, original.Type().PkgPath())
+			currentType := fmt.Sprintf("%s.%s", original.Type().Field(i).Name, original.Type().PkgPath())
 			// specific case time
 			if currentType == "time.Time" {
 				copy.Field(i).Set(original.Field(i))
@@ -269,9 +268,8 @@ func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *
 	// b) there IS a syncPolicy, but preserveResourcesOnDeletion is set to false
 	// See TestRenderTemplateParamsFinalizers in util_test.go for test-based definition of behaviour
 	if (syncPolicy == nil || !syncPolicy.PreserveResourcesOnDeletion) &&
-		((*replacedTmpl).ObjectMeta.Finalizers == nil || len((*replacedTmpl).ObjectMeta.Finalizers) == 0) {
-
-		(*replacedTmpl).ObjectMeta.Finalizers = []string{"resources-finalizer.argocd.argoproj.io"}
+		(replacedTmpl.ObjectMeta.Finalizers == nil || len(replacedTmpl.ObjectMeta.Finalizers) == 0) {
+		replacedTmpl.ObjectMeta.Finalizers = []string{"resources-finalizer.argocd.argoproj.io"}
 	}

 	return replacedTmpl, nil
@@ -486,7 +484,6 @@ func SlugifyName(args ...interface{}) string {
 }

 func getTlsConfigWithCACert(scmRootCAPath string) *tls.Config {
-
 	tlsConfig := &tls.Config{}

 	if scmRootCAPath != "" {
--- a/applicationset/utils/utils_test.go
+++ b/applicationset/utils/utils_test.go
@@ -21,7 +21,6 @@ import (
 )

 func TestRenderTemplateParams(t *testing.T) {
-
 	// Believe it or not, this is actually less complex than the equivalent solution using reflection
 	fieldMap := map[string]func(app *argoappsv1.Application) *string{}
 	fieldMap["Path"] = func(app *argoappsv1.Application) *string { return &app.Spec.Source.Path }
@@ -165,11 +164,8 @@ func TestRenderTemplateParams(t *testing.T) {
 	}

 	for _, test := range tests {
-
 		t.Run(test.name, func(t *testing.T) {
-
 			for fieldName, getPtrFunc := range fieldMap {
-
 				// Clone the template application
 				application := emptyApplication.DeepCopy()

@@ -184,23 +180,21 @@ func TestRenderTemplateParams(t *testing.T) {
 				// the target field has been templated into the expected value
 				actualValue := *getPtrFunc(newApplication)
 				assert.Equal(t, test.expectedVal, actualValue, "Field '%s' had an unexpected value. expected: '%s' value: '%s'", fieldName, test.expectedVal, actualValue)
-				assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-key"], "annotation-value")
-				assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-key2"], "annotation-value2")
-				assert.Equal(t, newApplication.ObjectMeta.Labels["label-key"], "label-value")
-				assert.Equal(t, newApplication.ObjectMeta.Labels["label-key2"], "label-value2")
-				assert.Equal(t, newApplication.ObjectMeta.Name, "application-one")
-				assert.Equal(t, newApplication.ObjectMeta.Namespace, "default")
+				assert.Equal(t, "annotation-value", newApplication.ObjectMeta.Annotations["annotation-key"])
+				assert.Equal(t, "annotation-value2", newApplication.ObjectMeta.Annotations["annotation-key2"])
+				assert.Equal(t, "label-value", newApplication.ObjectMeta.Labels["label-key"])
+				assert.Equal(t, "label-value2", newApplication.ObjectMeta.Labels["label-key2"])
+				assert.Equal(t, "application-one", newApplication.ObjectMeta.Name)
+				assert.Equal(t, "default", newApplication.ObjectMeta.Namespace)
 				assert.Equal(t, newApplication.ObjectMeta.UID, types.UID("d546da12-06b7-4f9a-8ea2-3adb16a20e2b"))
 				assert.Equal(t, newApplication.ObjectMeta.CreationTimestamp, application.ObjectMeta.CreationTimestamp)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 			}
 		})
 	}
-
 }

 func TestRenderHelmValuesObjectJson(t *testing.T) {
-
 	params := map[string]interface{}{
 		"test": "Hello world",
 	}
@@ -243,19 +237,17 @@ func TestRenderHelmValuesObjectJson(t *testing.T) {
 	render := Render{}
 	newApplication, err := render.RenderTemplateParams(application, nil, params, true, []string{})

-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.NotNil(t, newApplication)

 	var unmarshaled interface{}
 	err = json.Unmarshal(newApplication.Spec.Source.Helm.ValuesObject.Raw, &unmarshaled)

-	assert.NoError(t, err)
-	assert.Equal(t, unmarshaled.(map[string]interface{})["some"].(map[string]interface{})["string"], "Hello world")
-
+	require.NoError(t, err)
+	assert.Equal(t, "Hello world", unmarshaled.(map[string]interface{})["some"].(map[string]interface{})["string"])
 }

 func TestRenderHelmValuesObjectYaml(t *testing.T) {
-
 	params := map[string]interface{}{
 		"test": "Hello world",
 	}
@@ -295,19 +287,17 @@ func TestRenderHelmValuesObjectYaml(t *testing.T) {
 	render := Render{}
 	newApplication, err := render.RenderTemplateParams(application, nil, params, true, []string{})

-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.NotNil(t, newApplication)

 	var unmarshaled interface{}
 	err = json.Unmarshal(newApplication.Spec.Source.Helm.ValuesObject.Raw, &unmarshaled)

-	assert.NoError(t, err)
-	assert.Equal(t, unmarshaled.(map[string]interface{})["some"].(map[string]interface{})["string"], "Hello world")
-
+	require.NoError(t, err)
+	assert.Equal(t, "Hello world", unmarshaled.(map[string]interface{})["some"].(map[string]interface{})["string"])
 }

 func TestRenderTemplateParamsGoTemplate(t *testing.T) {
-
 	// Believe it or not, this is actually less complex than the equivalent solution using reflection
 	fieldMap := map[string]func(app *argoappsv1.Application) *string{}
 	fieldMap["Path"] = func(app *argoappsv1.Application) *string { return &app.Spec.Source.Path }
@@ -616,11 +606,8 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 	}

 	for _, test := range tests {
-
 		t.Run(test.name, func(t *testing.T) {
-
 			for fieldName, getPtrFunc := range fieldMap {
-
 				// Clone the template application
 				application := emptyApplication.DeepCopy()

@@ -634,18 +621,18 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 				// Retrieve the value of the target field from the newApplication, then verify that
 				// the target field has been templated into the expected value
 				if test.errorMessage != "" {
-					assert.Error(t, err)
+					require.Error(t, err)
 					assert.Equal(t, test.errorMessage, err.Error())
 				} else {
-					assert.NoError(t, err)
+					require.NoError(t, err)
 					actualValue := *getPtrFunc(newApplication)
 					assert.Equal(t, test.expectedVal, actualValue, "Field '%s' had an unexpected value. expected: '%s' value: '%s'", fieldName, test.expectedVal, actualValue)
-					assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-key"], "annotation-value")
-					assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-key2"], "annotation-value2")
-					assert.Equal(t, newApplication.ObjectMeta.Labels["label-key"], "label-value")
-					assert.Equal(t, newApplication.ObjectMeta.Labels["label-key2"], "label-value2")
-					assert.Equal(t, newApplication.ObjectMeta.Name, "application-one")
-					assert.Equal(t, newApplication.ObjectMeta.Namespace, "default")
+					assert.Equal(t, "annotation-value", newApplication.ObjectMeta.Annotations["annotation-key"])
+					assert.Equal(t, "annotation-value2", newApplication.ObjectMeta.Annotations["annotation-key2"])
+					assert.Equal(t, "label-value", newApplication.ObjectMeta.Labels["label-key"])
+					assert.Equal(t, "label-value2", newApplication.ObjectMeta.Labels["label-key2"])
+					assert.Equal(t, "application-one", newApplication.ObjectMeta.Name)
+					assert.Equal(t, "default", newApplication.ObjectMeta.Namespace)
 					assert.Equal(t, newApplication.ObjectMeta.UID, types.UID("d546da12-06b7-4f9a-8ea2-3adb16a20e2b"))
 					assert.Equal(t, newApplication.ObjectMeta.CreationTimestamp, application.ObjectMeta.CreationTimestamp)
 				}
@@ -679,7 +666,7 @@ func TestRenderGeneratorParams_does_not_panic(t *testing.T) {
 		},
 	}
 	_, err := render.RenderGeneratorParams(generator, params, true, []string{})
-	assert.NoError(t, err)
+	require.NoError(t, err)
 }

 func TestRenderTemplateKeys(t *testing.T) {
@@ -701,7 +688,7 @@ func TestRenderTemplateKeys(t *testing.T) {
 		newApplication, err := render.RenderTemplateParams(application, nil, params, false, nil)
 		require.NoError(t, err)
 		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
-		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
+		assert.Equal(t, "annotation-some-value", newApplication.ObjectMeta.Annotations["annotation-some-key"])
 	})
 	t.Run("gotemplate", func(t *testing.T) {
 		application := &argoappsv1.Application{
@@ -721,7 +708,7 @@ func TestRenderTemplateKeys(t *testing.T) {
 		newApplication, err := render.RenderTemplateParams(application, nil, params, true, nil)
 		require.NoError(t, err)
 		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
-		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
+		assert.Equal(t, "annotation-some-value", newApplication.ObjectMeta.Annotations["annotation-some-key"])
 	})
 }

@@ -729,12 +716,11 @@ func Test_Render_Replace_no_panic_on_missing_closing_brace(t *testing.T) {
 	r := &Render{}
 	assert.NotPanics(t, func() {
 		_, err := r.Replace("{{properly.closed}} {{improperly.closed}", nil, false, []string{})
-		assert.Error(t, err)
+		require.Error(t, err)
 	})
 }

 func TestRenderTemplateParamsFinalizers(t *testing.T) {
-
 	emptyApplication := &argoappsv1.Application{
 		Spec: argoappsv1.ApplicationSpec{
 			Source: &argoappsv1.ApplicationSource{
@@ -813,9 +799,7 @@ func TestRenderTemplateParamsFinalizers(t *testing.T) {
 			expectedFinalizers: []string{"resources-finalizer.argocd.argoproj.io/background"},
 		},
 	} {
-
 		t.Run(c.testName, func(t *testing.T) {
-
 			// Clone the template application
 			application := emptyApplication.DeepCopy()
 			application.Finalizers = c.existingFinalizers
@@ -828,23 +812,19 @@ func TestRenderTemplateParamsFinalizers(t *testing.T) {
 			render := Render{}

 			res, err := render.RenderTemplateParams(application, c.syncPolicy, params, true, nil)
-			assert.Nil(t, err)
+			require.NoError(t, err)

 			assert.ElementsMatch(t, res.Finalizers, c.expectedFinalizers)
-
 		})
-
 	}
-
 }

 func TestCheckInvalidGenerators(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := argoappsv1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	err = argoappsv1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)

 	for _, c := range []struct {
 		testName    string
@@ -932,7 +912,7 @@ func TestCheckInvalidGenerators(t *testing.T) {
 		hook := logtest.NewGlobal()

 		_ = CheckInvalidGenerators(&c.appSet)
-		assert.True(t, len(hook.Entries) >= 1, c.testName)
+		assert.GreaterOrEqual(t, len(hook.Entries), 1, c.testName)
 		assert.NotNil(t, hook.LastEntry(), c.testName)
 		if hook.LastEntry() != nil {
 			assert.Equal(t, logrus.WarnLevel, hook.LastEntry().Level, c.testName)
@@ -943,12 +923,11 @@ func TestCheckInvalidGenerators(t *testing.T) {
 }

 func TestInvalidGenerators(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := argoappsv1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	err = argoappsv1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)

 	for _, c := range []struct {
 		testName        string
@@ -1322,7 +1301,7 @@ xO7Tr5lAo74vNUkF2EHNaI28/RGnJPm2TIxZqy4rNH6L
 `

 	rootCAPath := path.Join(temppath, "foo.example.com")
-	err := os.WriteFile(rootCAPath, []byte(cert), 0666)
+	err := os.WriteFile(rootCAPath, []byte(cert), 0o666)
 	if err != nil {
 		panic(err)
 	}
--- a/applicationset/webhook/webhook.go
+++ b/applicationset/webhook/webhook.go
@@ -26,9 +26,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-var (
-	errBasicAuthVerificationFailed = errors.New("basic auth verification failed")
-)
+var errBasicAuthVerificationFailed = errors.New("basic auth verification failed")

 type WebhookHandler struct {
 	namespace              string
@@ -72,19 +70,19 @@ func NewWebhookHandler(namespace string, argocdSettingsMgr *argosettings.Setting
 	// register the webhook secrets stored under "argocd-secret" for verifying incoming payloads
 	argocdSettings, err := argocdSettingsMgr.GetSettings()
 	if err != nil {
-		return nil, fmt.Errorf("Failed to get argocd settings: %v", err)
+		return nil, fmt.Errorf("Failed to get argocd settings: %w", err)
 	}
 	githubHandler, err := github.New(github.Options.Secret(argocdSettings.WebhookGitHubSecret))
 	if err != nil {
-		return nil, fmt.Errorf("Unable to init GitHub webhook: %v", err)
+		return nil, fmt.Errorf("Unable to init GitHub webhook: %w", err)
 	}
 	gitlabHandler, err := gitlab.New(gitlab.Options.Secret(argocdSettings.WebhookGitLabSecret))
 	if err != nil {
-		return nil, fmt.Errorf("Unable to init GitLab webhook: %v", err)
+		return nil, fmt.Errorf("Unable to init GitLab webhook: %w", err)
 	}
 	azuredevopsHandler, err := azuredevops.New()
 	if err != nil {
-		return nil, fmt.Errorf("Unable to init Azure DevOps webhook: %v", err)
+		return nil, fmt.Errorf("Unable to init Azure DevOps webhook: %w", err)
 	}
 	azuredevopsAuthHandler := func(r *http.Request) error {
 		if argocdSettings.WebhookAzureDevOpsUsername != "" && argocdSettings.WebhookAzureDevOpsPassword != "" {
@@ -514,7 +512,7 @@ func (h *WebhookHandler) shouldRefreshMatrixGenerator(gen *v1alpha1.MatrixGenera
 	relGenerators := generators.GetRelevantGenerators(requestedGenerator0, h.generators)
 	params := []map[string]interface{}{}
 	for _, g := range relGenerators {
-		p, err := g.GenerateParams(requestedGenerator0, appSet)
+		p, err := g.GenerateParams(requestedGenerator0, appSet, h.client)
 		if err != nil {
 			log.Error(err)
 			return false
--- a/applicationset/webhook/webhook_test.go
+++ b/applicationset/webhook/webhook_test.go
@@ -14,10 +14,12 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	kubefake "k8s.io/client-go/kubernetes/fake"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -37,7 +39,7 @@ func (g *generatorMock) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGene
 	return &v1alpha1.ApplicationSetTemplate{}
 }

-func (g *generatorMock) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, _ *v1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+func (g *generatorMock) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, _ *v1alpha1.ApplicationSet, client client.Client) ([]map[string]interface{}, error) {
 	return []map[string]interface{}{}, nil
 }

@@ -179,9 +181,9 @@ func TestWebhookHandler(t *testing.T) {
 	fakeClient := newFakeClient(namespace)
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	err = v1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
+	require.NoError(t, err)

 	for _, test := range tt {
 		t.Run(test.desc, func(t *testing.T) {
@@ -205,21 +207,21 @@ func TestWebhookHandler(t *testing.T) {
 			).Build()
 			set := argosettings.NewSettingsManager(context.TODO(), fakeClient, namespace)
 			h, err := NewWebhookHandler(namespace, set, fc, mockGenerators())
-			assert.Nil(t, err)
+			require.NoError(t, err)

 			req := httptest.NewRequest(http.MethodPost, "/api/webhook", nil)
 			req.Header.Set(test.headerKey, test.headerValue)
 			eventJSON, err := os.ReadFile(filepath.Join("testdata", test.payloadFile))
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			req.Body = io.NopCloser(bytes.NewReader(eventJSON))
 			w := httptest.NewRecorder()

 			h.Handler(w, req)
-			assert.Equal(t, w.Code, test.expectedStatusCode)
+			assert.Equal(t, test.expectedStatusCode, w.Code)

 			list := &v1alpha1.ApplicationSetList{}
 			err = fc.List(context.TODO(), list)
-			assert.Nil(t, err)
+			require.NoError(t, err)
 			effectedAppSetsAsExpected := make(map[string]bool)
 			for _, appSetName := range test.effectedAppSets {
 				effectedAppSetsAsExpected[appSetName] = false
--- a/assets/swagger.json
+++ b/assets/swagger.json
@@ -384,7 +384,7 @@
        "parameters": [
          {
            "type": "string",
-            "description": "Name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: http://kubernetes.io/docs/user-guide/identifiers#names\n+optional",
+            "description": "Name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names\n+optional",
            "name": "application.metadata.name",
            "in": "path",
            "required": true
@@ -975,6 +975,25 @@
            "type": "string",
            "name": "project",
            "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string",
+              "format": "int64"
+            },
+            "collectionFormat": "multi",
+            "name": "sourcePositions",
+            "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "name": "revisions",
+            "in": "query"
          }
        ],
        "responses": {
@@ -1614,6 +1633,20 @@
            "type": "string",
            "name": "project",
            "in": "query"
+          },
+          {
+            "type": "integer",
+            "format": "int32",
+            "description": "source index (for multi source apps).",
+            "name": "sourceIndex",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "format": "int32",
+            "description": "versionId from historical data (for multi source apps).",
+            "name": "versionId",
+            "in": "query"
          }
        ],
        "responses": {
@@ -1664,6 +1697,20 @@
            "type": "string",
            "name": "project",
            "in": "query"
+          },
+          {
+            "type": "integer",
+            "format": "int32",
+            "description": "source index (for multi source apps).",
+            "name": "sourceIndex",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "format": "int32",
+            "description": "versionId from historical data (for multi source apps).",
+            "name": "versionId",
+            "in": "query"
          }
        ],
        "responses": {
@@ -2011,6 +2058,43 @@
        }
      }
    },
+    "/api/v1/applicationsets/{name}/resource-tree": {
+      "get": {
+        "tags": [
+          "ApplicationSetService"
+        ],
+        "summary": "ResourceTree returns resource tree",
+        "operationId": "ApplicationSetService_ResourceTree",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "The application set namespace. Default empty is argocd control plane namespace.",
+            "name": "appsetNamespace",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1ApplicationSetTree"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/certificates": {
      "get": {
        "tags": [
@@ -2912,7 +2996,7 @@
        "parameters": [
          {
            "type": "string",
-            "description": "Name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: http://kubernetes.io/docs/user-guide/identifiers#names\n+optional",
+            "description": "Name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names\n+optional",
            "name": "project.metadata.name",
            "in": "path",
            "required": true
@@ -3115,7 +3199,7 @@
        "parameters": [
          {
            "type": "string",
-            "description": "URL is the URL that this credentials matches to",
+            "description": "URL is the URL to which these credentials match",
            "name": "creds.url",
            "in": "path",
            "required": true
@@ -3195,6 +3279,12 @@
            "description": "Whether to force a cache refresh on repo's connection state.",
            "name": "forceRefresh",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
          }
        ],
        "responses": {
@@ -3317,6 +3407,12 @@
            "description": "Whether to force a cache refresh on repo's connection state.",
            "name": "forceRefresh",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
          }
        ],
        "responses": {
@@ -3353,6 +3449,12 @@
            "description": "Whether to force a cache refresh on repo's connection state.",
            "name": "forceRefresh",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
          }
        ],
        "responses": {
@@ -3437,6 +3539,12 @@
            "description": "Whether to force a cache refresh on repo's connection state.",
            "name": "forceRefresh",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
          }
        ],
        "responses": {
@@ -3474,6 +3582,12 @@
            "description": "Whether to force a cache refresh on repo's connection state.",
            "name": "forceRefresh",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
          }
        ],
        "responses": {
@@ -4219,6 +4333,19 @@
        "revision": {
          "type": "string"
        },
+        "revisions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "sourcePositions": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "format": "int64"
+          }
+        },
        "strategy": {
          "$ref": "#/definitions/v1alpha1SyncStrategy"
        },
@@ -5031,6 +5158,16 @@
        },
        "source": {
          "$ref": "#/definitions/v1alpha1ApplicationSource"
+        },
+        "sourceIndex": {
+          "type": "integer",
+          "format": "int32",
+          "title": "source index (for multi source apps)"
+        },
+        "versionId": {
+          "type": "integer",
+          "format": "int32",
+          "title": "versionId from historical data (for multi source apps)"
        }
      }
    },
@@ -5334,8 +5471,8 @@
      "type": "object",
      "properties": {
        "key": {
-          "type": "string",
-          "title": "key is the label key that the selector applies to.\n+patchMergeKey=key\n+patchStrategy=merge"
+          "description": "key is the label key that the selector applies to.",
+          "type": "string"
        },
        "operator": {
          "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
@@ -5385,6 +5522,10 @@
          "type": "string",
          "title": "IP is set for load-balancer ingress points that are IP based\n(typically GCE or OpenStack load-balancers)\n+optional"
        },
+        "ipMode": {
+          "type": "string",
+          "title": "IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.\nSetting this to \"VIP\" indicates that traffic is delivered to the node with\nthe destination set to the load-balancer's IP and port.\nSetting this to \"Proxy\" indicates that traffic is delivered to the node or pod with\nthe destination set to the node's IP and node port or the pod's IP and port.\nService implementations may use this information to adjust traffic routing.\n+optional"
+        },
        "ports": {
          "type": "array",
          "title": "Ports is a list of records of service ports\nIf used, every port defined in the service should have an entry in it\n+listType=atomic\n+optional",
@@ -5494,7 +5635,7 @@
      "properties": {
        "annotations": {
          "type": "object",
-          "title": "Annotations is an unstructured key value map stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: http://kubernetes.io/docs/user-guide/annotations\n+optional",
+          "title": "Annotations is an unstructured key value map stored with a resource that may be\nset by external tools to store and retrieve arbitrary metadata. They are not\nqueryable and should be preserved when modifying objects.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations\n+optional",
          "additionalProperties": {
            "type": "string"
          }
@@ -5528,7 +5669,7 @@
        },
        "labels": {
          "type": "object",
-          "title": "Map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: http://kubernetes.io/docs/user-guide/labels\n+optional",
+          "title": "Map of string keys and values that can be used to organize and categorize\n(scope and select) objects. May match selectors of replication controllers\nand services.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels\n+optional",
          "additionalProperties": {
            "type": "string"
          }
@@ -5542,10 +5683,10 @@
        },
        "name": {
          "type": "string",
-          "title": "Name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: http://kubernetes.io/docs/user-guide/identifiers#names\n+optional"
+          "title": "Name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names\n+optional"
        },
        "namespace": {
-          "description": "Namespace defines the space within which each name must be unique. An empty namespace is\nequivalent to the \"default\" namespace, but \"default\" is the canonical representation.\nNot all objects are required to be scoped to a namespace - the value of this field for\nthose objects will be empty.\n\nMust be a DNS_LABEL.\nCannot be updated.\nMore info: http://kubernetes.io/docs/user-guide/namespaces\n+optional",
+          "description": "Namespace defines the space within which each name must be unique. An empty namespace is\nequivalent to the \"default\" namespace, but \"default\" is the canonical representation.\nNot all objects are required to be scoped to a namespace - the value of this field for\nthose objects will be empty.\n\nMust be a DNS_LABEL.\nCannot be updated.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces\n+optional",
          "type": "string"
        },
        "ownerReferences": {
@@ -5564,7 +5705,7 @@
          "title": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.\n+optional"
        },
        "uid": {
-          "description": "UID is the unique in time and space value for this object. It is typically generated by\nthe server on successful creation of a resource and is not allowed to change on PUT\noperations.\n\nPopulated by the system.\nRead-only.\nMore info: http://kubernetes.io/docs/user-guide/identifiers#uids\n+optional",
+          "description": "UID is the unique in time and space value for this object. It is typically generated by\nthe server on successful creation of a resource and is not allowed to change on PUT\noperations.\n\nPopulated by the system.\nRead-only.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids\n+optional",
          "type": "string"
        }
      }
@@ -5625,11 +5766,11 @@
        },
        "name": {
          "type": "string",
-          "title": "Name of the referent.\nMore info: http://kubernetes.io/docs/user-guide/identifiers#names"
+          "title": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names"
        },
        "uid": {
          "type": "string",
-          "title": "UID of the referent.\nMore info: http://kubernetes.io/docs/user-guide/identifiers#uids"
+          "title": "UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids"
        }
      }
    },
@@ -5806,7 +5947,7 @@
    },
    "v1alpha1Application": {
      "type": "object",
-      "title": "Application is a definition of Application resource.\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n+kubebuilder:resource:path=applications,shortName=app;apps\n+kubebuilder:printcolumn:name=\"Sync Status\",type=string,JSONPath=`.status.sync.status`\n+kubebuilder:printcolumn:name=\"Health Status\",type=string,JSONPath=`.status.health.status`\n+kubebuilder:printcolumn:name=\"Revision\",type=string,JSONPath=`.status.sync.revision`,priority=10",
+      "title": "Application is a definition of Application resource.\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n+kubebuilder:resource:path=applications,shortName=app;apps\n+kubebuilder:printcolumn:name=\"Sync Status\",type=string,JSONPath=`.status.sync.status`\n+kubebuilder:printcolumn:name=\"Health Status\",type=string,JSONPath=`.status.health.status`\n+kubebuilder:printcolumn:name=\"Revision\",type=string,JSONPath=`.status.sync.revision`,priority=10\n+kubebuilder:printcolumn:name=\"Project\",type=string,JSONPath=`.spec.project`,priority=10",
      "properties": {
        "metadata": {
          "$ref": "#/definitions/v1ObjectMeta"
@@ -5943,12 +6084,19 @@
        "step": {
          "type": "string",
          "title": "Step tracks which step this Application should be updated in"
+        },
+        "targetrevisions": {
+          "description": "TargetRevision tracks the desired revisions the Application should be synced to.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
        }
      }
    },
    "v1alpha1ApplicationSetCondition": {
      "type": "object",
-      "title": "ApplicationSetCondition contains details about an applicationset condition, which is usally an error or warning",
+      "title": "ApplicationSetCondition contains details about an applicationset condition, which is usually an error or warning",
      "properties": {
        "lastTransitionTime": {
          "$ref": "#/definitions/v1Time"
@@ -6169,6 +6317,13 @@
          "items": {
            "$ref": "#/definitions/v1alpha1ApplicationSetCondition"
          }
+        },
+        "resources": {
+          "description": "Resources is a list of Applications resources managed by this application set.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ResourceStatus"
+          }
        }
      }
    },
@@ -6240,6 +6395,19 @@
        }
      }
    },
+    "v1alpha1ApplicationSetTree": {
+      "type": "object",
+      "title": "ApplicationSetTree holds nodes which belongs to the application\nUsed to build a tree of an ApplicationSet and its children",
+      "properties": {
+        "nodes": {
+          "type": "array",
+          "title": "Nodes contains list of nodes which are directly managed by the applicationset",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ResourceNode"
+          }
+        }
+      }
+    },
    "v1alpha1ApplicationSource": {
      "type": "object",
      "title": "ApplicationSource contains all required information about the source of an application",
@@ -7965,7 +8133,7 @@
        },
        "url": {
          "type": "string",
-          "title": "URL is the URL that this credentials matches to"
+          "title": "URL is the URL to which these credentials match"
        },
        "username": {
          "type": "string",
@@ -8051,7 +8219,7 @@
        },
        "project": {
          "type": "string",
-          "title": "Reference between project and repository that allow you automatically to be added as item inside SourceRepos project entity"
+          "title": "Reference between project and repository that allows it to be automatically added as an item inside SourceRepos project entity"
        },
        "proxy": {
          "type": "string",
--- a/cmd/argocd-application-controller/commands/argocd_application_controller.go
+++ b/cmd/argocd-application-controller/commands/argocd_application_controller.go
@@ -21,6 +21,7 @@ import (
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/v2/pkg/ratelimiter"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/argo/normalizers"
 	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
 	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
 	"github.com/argoproj/argo-cd/v2/util/cli"
@@ -72,8 +73,9 @@ func NewCommand() *cobra.Command {
 		shardingAlgorithm                string
 		enableDynamicClusterDistribution bool
 		serverSideDiff                   bool
+		ignoreNormalizerOpts             normalizers.IgnoreNormalizerOpts
 	)
-	var command = cobra.Command{
+	command := cobra.Command{
 		Use:               cliName,
 		Short:             "Run ArgoCD Application Controller",
 		Long:              "ArgoCD application controller is a Kubernetes controller that continuously monitors running applications and compares the current, live state against the desired target state (as specified in the repo). This command runs Application Controller in the foreground.  It can be configured by following options.",
@@ -169,6 +171,7 @@ func NewCommand() *cobra.Command {
 				&workqueueRateLimit,
 				serverSideDiff,
 				enableDynamicClusterDistribution,
+				ignoreNormalizerOpts,
 			)
 			errors.CheckError(err)
 			cacheutil.CollectMetrics(redisClient, appController.GetMetricsServer())
@@ -217,7 +220,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringSliceVar(&otlpAttrs, "otlp-attrs", env.StringsFromEnv("ARGOCD_APPLICATION_CONTROLLER_OTLP_ATTRS", []string{}, ","), "List of OpenTelemetry collector extra attrs when send traces, each attribute is separated by a colon(e.g. key:value)")
 	command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces that applications are allowed to be reconciled from")
 	command.Flags().BoolVar(&persistResourceHealth, "persist-resource-health", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH", true), "Enables storing the managed resources health in the Application CRD")
-	command.Flags().StringVar(&shardingAlgorithm, "sharding-method", env.StringFromEnv(common.EnvControllerShardingAlgorithm, common.DefaultShardingAlgorithm), "Enables choice of sharding method. Supported sharding methods are : [legacy, round-robin] ")
+	command.Flags().StringVar(&shardingAlgorithm, "sharding-method", env.StringFromEnv(common.EnvControllerShardingAlgorithm, common.DefaultShardingAlgorithm), "Enables choice of sharding method. Supported sharding methods are : [legacy, round-robin, consistent-hashing] ")
 	// global queue rate limit config
 	command.Flags().Int64Var(&workqueueRateLimit.BucketSize, "wq-bucket-size", env.ParseInt64FromEnv("WORKQUEUE_BUCKET_SIZE", 500, 1, math.MaxInt64), "Set Workqueue Rate Limiter Bucket Size, default 500")
 	command.Flags().Float64Var(&workqueueRateLimit.BucketQPS, "wq-bucket-qps", env.ParseFloat64FromEnv("WORKQUEUE_BUCKET_QPS", math.MaxFloat64, 1, math.MaxFloat64), "Set Workqueue Rate Limiter Bucket QPS, default set to MaxFloat64 which disables the bucket limiter")
@@ -229,6 +232,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().Float64Var(&workqueueRateLimit.BackoffFactor, "wq-backoff-factor", env.ParseFloat64FromEnv("WORKQUEUE_BACKOFF_FACTOR", 1.5, 0, math.MaxFloat64), "Set Workqueue Per Item Rate Limiter Backoff Factor, default is 1.5")
 	command.Flags().BoolVar(&enableDynamicClusterDistribution, "dynamic-cluster-distribution-enabled", env.ParseBoolFromEnv(common.EnvEnableDynamicClusterDistribution, false), "Enables dynamic cluster distribution.")
 	command.Flags().BoolVar(&serverSideDiff, "server-side-diff-enabled", env.ParseBoolFromEnv(common.EnvServerSideDiff, false), "Feature flag to enable ServerSide diff. Default (\"false\")")
+	command.Flags().DurationVar(&ignoreNormalizerOpts.JQExecutionTimeout, "ignore-normalizer-jq-execution-timeout-seconds", env.ParseDurationFromEnv("ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT", 0*time.Second, 0, math.MaxInt64), "Set ignore normalizer JQ execution timeout")
 	cacheSource = appstatecache.AddCacheFlagsToCmd(&command, cacheutil.Options{
 		OnClientCreated: func(client *redis.Client) {
 			redisClient = client
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .11.0
 .12.2