Add EOL update task to release checklist

Added a checklist item to update the last patch release of the EOL minor release series. Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
chore(deps): bump renovatebot/github-action from 43.0.19 to 43.0.20 (#25156 )
2026-02-20 09:38:49 +01:00 · 2025-11-04 09:59:32 -05:00 · 2025-11-04 02:54:20 -10:00 · 2025-11-04 17:56:19 +05:30 · 2025-11-03 19:13:30 -05:00 · 2025-11-03 21:48:14 +00:00
1334 changed files with 180587 additions and 29609 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -2,7 +2,7 @@
 name: Bug report
 about: Create a report to help us improve
 title: ''
-labels: 'bug'
+labels: ['bug', 'triage/pending']
 assignees: ''
 ---

@@ -10,9 +10,9 @@ assignees: ''

 Checklist:

-* [ ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
-* [ ] I've included steps to reproduce the bug.
-* [ ] I've pasted the output of `argocd version`.
+- [ ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
+- [ ] I've included steps to reproduce the bug.
+- [ ] I've pasted the output of `argocd version`.

 **Describe the bug**

--- a/.github/ISSUE_TEMPLATE/enhancement_proposal.md
+++ b/.github/ISSUE_TEMPLATE/enhancement_proposal.md
@@ -2,9 +2,10 @@
 name: Enhancement proposal
 about: Propose an enhancement for this project
 title: ''
-labels: 'enhancement'
+labels: ['enhancement', 'triage/pending']
 assignees: ''
 ---
+
 # Summary

 What change you think needs making.
@@ -15,4 +16,4 @@ Please give examples of your use case, e.g. when would you use this.

 # Proposal

-How do you think this should be implemented?
+How do you think this should be implemented?
--- a/.github/ISSUE_TEMPLATE/new_dev_tool.md
+++ b/.github/ISSUE_TEMPLATE/new_dev_tool.md
@@ -2,17 +2,17 @@
 name: New Dev Tool Request
 about: This is a request for adding a new tool for setting up a dev environment.
 title: ''
-labels: ''
+labels: ['component:dev-env', 'triage/pending']
 assignees: ''
 ---

 Checklist:

-* [ ] I am willing to maintain this tool, or have another Argo CD maintainer who is. 
-* [ ] I have another Argo CD maintainer who is willing to help maintain this tool (there needs to be at least two maintainers willing to maintain this tool)
-* [ ] I have a lead sponsor who is a core Argo CD maintainer
-* [ ] There is a PR which adds said tool - this is so that the maintainers can assess the impact of having this in the tree
-* [ ] I have given a motivation why this should be added
+- [ ] I am willing to maintain this tool, or have another Argo CD maintainer who is.
+- [ ] I have another Argo CD maintainer who is willing to help maintain this tool (there needs to be at least two maintainers willing to maintain this tool)
+- [ ] I have a lead sponsor who is a core Argo CD maintainer
+- [ ] There is a PR which adds said tool - this is so that the maintainers can assess the impact of having this in the tree
+- [ ] I have given a motivation why this should be added

 ### The proposer

@@ -24,7 +24,7 @@ Checklist:

 ### Motivation

-<!-- Why this tool would be useful to have in the tree. --> 
+<!-- Why this tool would be useful to have in the tree. -->

 ### Link to PR (Optional)

--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@@ -22,5 +22,6 @@ Target GA date: ___. __, ____
 - [ ] At release date, evaluate if any bugs justify delaying the release. If not, cut the release (or delegate this task to an Approver and coordinate timing)
 - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
 - [ ] After the release, post in #argo-cd that the {current minor version minus 3} has reached EOL (example: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1667336234059729)
+ - [ ] Update the last patch release of the EOL minor release series to say that the version is EOL
 - [ ] (For the next release champion) Review the [items scheduled for the next release](https://github.com/orgs/argoproj/projects/25). If any item does not have an assignee who can commit to finish the feature, move it to the next release.
- - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
+ - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
--- a/.github/ISSUE_TEMPLATE/security_logs.md
+++ b/.github/ISSUE_TEMPLATE/security_logs.md
@@ -1,10 +1,11 @@
 ---
 name: Security log
 about: Propose adding security-related logs or tagging existing logs with security fields
-title: "seclog: [Event Description]"
-labels: security-log
-assignees: notfromstatefarm
+title: 'seclog: [Event Description]'
+labels: ['security', 'triage/pending']
+assignees: ''
 ---
+
 # Event to be logged

 Specify the event that needs to be logged or existing logs that need to be tagged.
@@ -16,4 +17,3 @@ What security level should these events be logged under? Refer to https://argo-c
 # Common Weakness Enumeration

 Is there an associated [CWE](https://cwe.mitre.org/) that could be tagged as well?
-
--- a/.github/cherry-pick-bot.yml
+++ b/.github/cherry-pick-bot.yml
@@ -1,3 +0,0 @@
-enabled: true
-preservePullRequestTitle: true
-
--- a/.github/configs/renovate-config.js
+++ b/.github/configs/renovate-config.js
@@ -0,0 +1,15 @@
+module.exports = {
+    platform: 'github',
+    gitAuthor: 'renovate[bot] <renovate[bot]@users.noreply.github.com>',
+    autodiscover: false,
+    allowPostUpgradeCommandTemplating: true,
+    allowedPostUpgradeCommands: ["make mockgen"],
+    extends: [
+        "github>argoproj/argo-cd//renovate-presets/commons.json5",
+        "github>argoproj/argo-cd//renovate-presets/custom-managers/shell.json5",
+        "github>argoproj/argo-cd//renovate-presets/custom-managers/yaml.json5",
+        "github>argoproj/argo-cd//renovate-presets/fix/disable-all-updates.json5",
+        "github>argoproj/argo-cd//renovate-presets/devtool.json5",
+        "github>argoproj/argo-cd//renovate-presets/docs.json5"
+    ]
+}
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -8,7 +8,7 @@ Checklist:

 * [ ] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
 * [ ] The title of the PR states what changed and the related issues number (used for the release note).
-* [ ] The title of the PR conforms to the [Toolchain Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/toolchain-guide/#title-of-the-pr)
+* [ ] The title of the PR conforms to the [Title of the PR](https://argo-cd.readthedocs.io/en/latest/developer-guide/submit-your-pr/#title-of-the-pr)
 * [ ] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
 * [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
 * [ ] Does this PR require documentation updates?
--- a/.github/workflows/bump-major-version.yaml
+++ b/.github/workflows/bump-major-version.yaml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -37,7 +37,7 @@ jobs:
        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd

      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Add ~/go/bin to PATH
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@@ -0,0 +1,121 @@
+name: Cherry Pick Single
+
+on:
+  workflow_call:
+    inputs:
+      merge_commit_sha:
+        required: true
+        type: string
+        description: "The merge commit SHA to cherry-pick"
+      version_number:
+        required: true
+        type: string
+        description: "The version number (from cherry-pick/ label)"
+      pr_number:
+        required: true
+        type: string
+        description: "The original PR number"
+      pr_title:
+        required: true
+        type: string
+        description: "The original PR title"
+    secrets:
+      CHERRYPICK_APP_ID:
+        required: true
+      CHERRYPICK_APP_PRIVATE_KEY:
+        required: true
+
+jobs:
+  cherry-pick:
+    name: Cherry Pick to ${{ inputs.version_number }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        with:
+          app-id: ${{ secrets.CHERRYPICK_APP_ID }}
+          private-key: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+        with:
+          fetch-depth: 0
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Configure Git
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Cherry pick commit
+        id: cherry-pick
+        run: |
+          set -e
+
+          MERGE_COMMIT="${{ inputs.merge_commit_sha }}"
+          TARGET_BRANCH="release-${{ inputs.version_number }}"
+
+          echo "🍒 Cherry-picking commit $MERGE_COMMIT to branch $TARGET_BRANCH"
+
+          # Check if target branch exists
+          if ! git show-ref --verify --quiet "refs/remotes/origin/$TARGET_BRANCH"; then
+            echo "❌ Target branch '$TARGET_BRANCH' does not exist"
+            exit 1
+          fi
+
+          # Create new branch for cherry-pick
+          CHERRY_PICK_BRANCH="cherry-pick-${{ inputs.pr_number }}-to-${TARGET_BRANCH}"
+          git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"
+
+          # Perform cherry-pick
+          if git cherry-pick -m 1 "$MERGE_COMMIT"; then
+            echo "✅ Cherry-pick successful"
+
+            # Extract Signed-off-by from the cherry-pick commit
+            SIGNOFF=$(git log -1 --pretty=format:"%B" | grep -E '^Signed-off-by:' || echo "")
+
+            # Push the new branch
+            git push origin "$CHERRY_PICK_BRANCH"
+
+            # Save data for PR creation
+            echo "branch_name=$CHERRY_PICK_BRANCH" >> "$GITHUB_OUTPUT"
+            echo "signoff=$SIGNOFF" >> "$GITHUB_OUTPUT"
+            echo "target_branch=$TARGET_BRANCH" >> "$GITHUB_OUTPUT"
+          else
+            echo "❌ Cherry-pick failed due to conflicts"
+            git cherry-pick --abort
+            exit 1
+          fi
+
+      - name: Create Pull Request
+        run: |
+          # Create cherry-pick PR
+          TITLE="${PR_TITLE} (cherry-pick #${{ inputs.pr_number }} for ${{ inputs.version_number }})"
+          BODY=$(cat <<EOF
+          Cherry-picked ${PR_TITLE} (#${{ inputs.pr_number }})
+
+          ${{ steps.cherry-pick.outputs.signoff }}
+          EOF
+          )
+
+          gh pr create \
+            --title "$TITLE" \
+            --body "$BODY" \
+            --base "${{ steps.cherry-pick.outputs.target_branch }}" \
+            --head "${{ steps.cherry-pick.outputs.branch_name }}"
+
+          # Comment on original PR
+          gh pr comment ${{ inputs.pr_number }} \
+            --body "🍒 Cherry-pick PR created for ${{ inputs.version_number }}: #$(gh pr list --head ${{ steps.cherry-pick.outputs.branch_name }} --json number --jq '.[0].number')"
+        env:
+          PR_TITLE: ${{ inputs.pr_title }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+
+      - name: Comment on failure
+        if: failure()
+        run: |
+          gh pr comment ${{ inputs.pr_number }} \
+            --body "❌ Cherry-pick failed for ${{ inputs.version_number }}. Please check the [workflow logs](https://github.com/argoproj/argo-cd/actions/runs/${{ github.run_id }}) for details."
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -0,0 +1,53 @@
+name: Cherry Pick
+
+on:
+  pull_request_target:
+    branches:
+      - master
+    types: ["labeled", "closed"]
+
+jobs:
+  find-labels:
+    name: Find Cherry Pick Labels
+    if: |
+      github.event.pull_request.merged == true && (
+        (github.event.action == 'labeled' && startsWith(github.event.label.name, 'cherry-pick/')) ||
+        (github.event.action == 'closed' && contains(toJSON(github.event.pull_request.labels.*.name), 'cherry-pick/'))
+      )
+    runs-on: ubuntu-latest
+    outputs:
+      labels: ${{ steps.extract-labels.outputs.labels }}
+    steps:
+      - name: Extract cherry-pick labels
+        id: extract-labels
+        run: |
+          if [[ "${{ github.event.action }}" == "labeled" ]]; then
+            # Label was just added - use it directly
+            LABEL_NAME="${{ github.event.label.name }}"
+            VERSION="${LABEL_NAME#cherry-pick/}"
+            CHERRY_PICK_DATA='[{"label":"'$LABEL_NAME'","version":"'$VERSION'"}]'
+          else
+            # PR was closed - find all cherry-pick labels
+            CHERRY_PICK_DATA=$(echo '${{ toJSON(github.event.pull_request.labels) }}' | jq -c '[.[] | select(.name | startswith("cherry-pick/")) | {label: .name, version: (.name | sub("cherry-pick/"; ""))}]')
+          fi
+
+          echo "labels=$CHERRY_PICK_DATA" >> "$GITHUB_OUTPUT"
+          echo "Found cherry-pick data: $CHERRY_PICK_DATA"
+
+  cherry-pick:
+    name: Cherry Pick
+    needs: find-labels
+    if: needs.find-labels.outputs.labels != '[]'
+    strategy:
+      matrix:
+        include: ${{ fromJSON(needs.find-labels.outputs.labels) }}
+      fail-fast: false
+    uses: ./.github/workflows/cherry-pick-single.yml
+    with:
+      merge_commit_sha: ${{ github.event.pull_request.merge_commit_sha }}
+      version_number: ${{ matrix.version }}
+      pr_number: ${{ github.event.pull_request.number }}
+      pr_title: ${{ github.event.pull_request.title }}
+    secrets:
+      CHERRYPICK_APP_ID: ${{ vars.CHERRYPICK_APP_ID }}
+      CHERRYPICK_APP_PRIVATE_KEY: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -14,7 +14,7 @@ on:
 env:
  # Golang version to use across CI steps
  # renovate: datasource=golang-version packageName=golang
-  GOLANG_VERSION: '1.24.6'
+  GOLANG_VERSION: '1.25.3'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -31,8 +31,8 @@ jobs:
      frontend: ${{ steps.filter.outputs.frontend_any_changed }}
      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
-      - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
@@ -55,9 +55,9 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@@ -67,7 +67,6 @@ jobs:
        run: |
          go mod tidy
          git diff --exit-code -- .
-
  build-go:
    name: Build & cache Go code
    if: ${{ needs.changes.outputs.backend == 'true' }}
@@ -76,13 +75,13 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Restore go build cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -103,16 +102,16 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          # renovate: datasource=go packageName=github.com/golangci/golangci-lint versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
-          version: v2.1.6
+          version: v2.5.0
          args: --verbose

  test-go:
@@ -129,11 +128,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -153,7 +152,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -174,7 +173,7 @@ jobs:
      - name: Run all unit tests
        run: make test-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: test-results
          path: test-results
@@ -193,11 +192,11 @@ jobs:
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@@ -217,7 +216,7 @@ jobs:
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Restore go build cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -238,7 +237,7 @@ jobs:
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: race-results
          path: test-results/
@@ -251,9 +250,9 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
@@ -303,15 +302,15 @@ jobs:
      - changes
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup NodeJS
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          # renovate: datasource=node-version packageName=node versioning=node
          node-version: '22.9.0'
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -336,10 +335,10 @@ jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - run: |
          sudo apt-get install shellcheck
-          shellcheck -e SC2086 -e SC2046 -e SC2068 -e SC2206 -e SC2048 -e SC2059 -e SC2154 -e SC2034 -e SC2016 -e SC2128 -e SC1091 -e SC2207  $(find . -type f -name '*.sh') | tee sc.log
+          shellcheck -e SC2059 -e SC2154 -e SC2034 -e SC2016 -e SC1091 $(find . -type f -name '*.sh' | grep -v './ui/node_modules') | tee sc.log
          test ! -s sc.log

  analyze:
@@ -355,12 +354,12 @@ jobs:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Restore node dependency cache
        id: cache-dependencies
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ui/node_modules
          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -368,12 +367,12 @@ jobs:
        run: |
          rm -rf ui/node_modules/argo-ui/node_modules
      - name: Get e2e code coverage
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: e2e-code-coverage
          path: e2e-code-coverage
      - name: Get unit test code coverage
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: test-results
          path: test-results
@@ -385,7 +384,7 @@ jobs:
        run: |
          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller,e2e-code-coverage/commit-server -o test-results/full-coverage.out
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        with:
          files: test-results/full-coverage.out
          fail_ci_if_error: true
@@ -402,12 +401,12 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
+        uses: SonarSource/sonarqube-scan-action@1a6d90ebcb0e6a6b1d87e37ba693fe453195ae25 # v5.3.1
        if: env.sonar_secret != ''
  test-e2e:
    name: Run end-to-end tests
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: oracle-vm-16cpu-64gb-x86-64
    strategy:
      fail-fast: false
      matrix:
@@ -426,7 +425,7 @@ jobs:
      - build-go
      - changes
    env:
-      GOPATH: /home/runner/go
+      GOPATH: /home/ubuntu/go
      ARGOCD_FAKE_IN_CLUSTER: 'true'
      ARGOCD_SSH_DATA_PATH: '/tmp/argo-e2e/app/config/ssh'
      ARGOCD_TLS_DATA_PATH: '/tmp/argo-e2e/app/config/tls'
@@ -447,9 +446,9 @@ jobs:
          swap-storage: false
          tool-cache: false
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: GH actions workaround - Kill XSP4 process
@@ -462,19 +461,19 @@ jobs:
          set -x
          curl -sfL https://get.k3s.io | sh -
          sudo chmod -R a+rw /etc/rancher/k3s
-          sudo mkdir -p $HOME/.kube && sudo chown -R runner $HOME/.kube
+          sudo mkdir -p $HOME/.kube && sudo chown -R ubuntu $HOME/.kube
          sudo k3s kubectl config view --raw > $HOME/.kube/config
-          sudo chown runner $HOME/.kube/config
+          sudo chown ubuntu $HOME/.kube/config
          sudo chmod go-r $HOME/.kube/config
          kubectl version
      - name: Restore go build cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
      - name: Add ~/go/bin to PATH
        run: |
-          echo "/home/runner/go/bin" >> $GITHUB_PATH
+          echo "/home/ubuntu/go/bin" >> $GITHUB_PATH
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
@@ -496,11 +495,11 @@ jobs:
        run: |
          docker pull ghcr.io/dexidp/dex:v2.43.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.2.7-alpine
+          docker pull redis:8.2.1-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
-          chown runner dist
+          chown ubuntu dist
      - name: Run E2E server and wait for it being available
        timeout-minutes: 30
        run: |
@@ -526,13 +525,13 @@ jobs:
          goreman run stop-all || echo "goreman trouble"
          sleep 30
      - name: Upload e2e coverage report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: e2e-code-coverage
          path: /tmp/coverage
        if: ${{ matrix.k3s.latest }}
      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: e2e-server-k8s${{ matrix.k3s.version }}.log
          path: /tmp/e2e-server.log
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,11 +29,11 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout repository
-      uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
    - name: Setup Golang
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
      with:
        go-version-file: go.mod
      
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -56,24 +56,24 @@ jobs:
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.ref_type == 'tag'}}

      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ inputs.go-version }}
          cache: false

      - name: Install cosign
-        uses: sigstore/cosign-installer@fb28c2b6339dcd94da6e4cbcbc5e888961f6f8c3 # v3.9.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -103,7 +103,7 @@ jobs:
            echo 'EOF' >> $GITHUB_ENV

      - name: Login to Quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
@@ -111,7 +111,7 @@ jobs:
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
@@ -119,7 +119,7 @@ jobs:
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      - name: Login to dockerhub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -25,7 +25,7 @@ jobs:
      image-tag: ${{ steps.image.outputs.tag}}
      platforms: ${{ steps.platforms.outputs.platforms }}
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set image tag for ghcr
        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
@@ -53,7 +53,7 @@ jobs:
    with:
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.24.6
+      go-version: 1.25.3
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: false

@@ -70,7 +70,7 @@ jobs:
      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.24.6
+      go-version: 1.25.3
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: true
    secrets:
@@ -106,7 +106,7 @@ jobs:
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
        env:
          TOKEN: ${{ secrets.TOKEN }}
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,7 +11,7 @@ permissions: {}

 env:
  # renovate: datasource=golang-version packageName=golang
-  GOLANG_VERSION: '1.24.6' # Note: go-version must also be set in job argocd-image.with.go-version
+  GOLANG_VERSION: '1.25.3' # Note: go-version must also be set in job argocd-image.with.go-version

 jobs:
  argocd-image:
@@ -25,13 +25,49 @@ jobs:
      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.24.6
+      go-version: 1.25.3
      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
      push: true
    secrets:
      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}

+  setup-variables:
+    name: Setup Release Variables
+    if: github.repository == 'argoproj/argo-cd'
+    runs-on: ubuntu-22.04
+    outputs:
+      is_pre_release: ${{ steps.var.outputs.is_pre_release }}
+      is_latest_release: ${{ steps.var.outputs.is_latest_release }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup variables
+        id: var
+        run: |
+          set -xue
+          # Fetch all tag information
+          git fetch --prune --tags --force
+
+          LATEST_RELEASE_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | grep -v '-' | tail -n1)
+
+          PRE_RELEASE=false
+          # Check if latest tag is a pre-release
+          if echo ${{ github.ref_name }} | grep -E -- '-rc[0-9]+$';then
+            PRE_RELEASE=true
+          fi
+
+          IS_LATEST=false
+          # Ensure latest release tag matches github.ref_name
+          if [[ $LATEST_RELEASE_TAG == ${{ github.ref_name }} ]];then
+            IS_LATEST=true
+          fi
+          echo "is_pre_release=$PRE_RELEASE" >> $GITHUB_OUTPUT
+          echo "is_latest_release=$IS_LATEST" >> $GITHUB_OUTPUT
+
  argocd-image-provenance:
    needs: [argocd-image]
    permissions:
@@ -50,18 +86,20 @@ jobs:

  goreleaser:
    needs:
+      - setup-variables
      - argocd-image
      - argocd-image-provenance
    permissions:
      contents: write # used for uploading assets
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
+    env:
+      GORELEASER_MAKE_LATEST: ${{ needs.setup-variables.outputs.is_latest_release }}
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
-
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -70,7 +108,7 @@ jobs:
        run: git fetch --force --tags

      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false
@@ -96,7 +134,7 @@ jobs:
          tool-cache: false

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        id: run-goreleaser
        with:
          version: latest
@@ -142,18 +180,18 @@ jobs:
    permissions:
      contents: write # Needed for release uploads
    outputs:
-      hashes: ${{ steps.sbom-hash.outputs.hashes}}
+      hashes: ${{ steps.sbom-hash.outputs.hashes }}
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Golang
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false
@@ -198,7 +236,7 @@ jobs:
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload SBOM
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -221,6 +259,7 @@ jobs:

  post-release:
    needs:
+      - setup-variables
      - argocd-image
      - goreleaser
      - generate-sbom
@@ -229,9 +268,11 @@ jobs:
      pull-requests: write # Needed to create PR for VERSION update.
    if: github.repository == 'argoproj/argo-cd'
    runs-on: ubuntu-22.04
+    env:
+      TAG_STABLE: ${{ needs.setup-variables.outputs.is_latest_release }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -242,27 +283,6 @@ jobs:
          git config --global user.email 'ci@argoproj.com'
          git config --global user.name 'CI'

-      - name: Check if tag is the latest version and not a pre-release
-        run: |
-          set -xue
-          # Fetch all tag information
-          git fetch --prune --tags --force
-
-          LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)
-
-          PRE_RELEASE=false
-          # Check if latest tag is a pre-release
-          if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then
-            PRE_RELEASE=true
-          fi
-
-          # Ensure latest tag matches github.ref_name & not a pre-release
-          if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then
-            echo "TAG_STABLE=true" >> $GITHUB_ENV
-          else
-            echo "TAG_STABLE=false" >> $GITHUB_ENV
-          fi
-
      - name: Update stable tag to latest version
        run: |
          git tag -f stable ${{ github.ref_name }}
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -0,0 +1,39 @@
+name: Renovate
+on:
+  schedule:
+    - cron: '0 * * * *'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    if: github.repository == 'argoproj/argo-cd'
+    steps:
+      - name: Get token
+        id: get_token
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        with:
+          app-id: ${{ vars.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
+
+      # Some codegen commands require Go to be setup
+      - name: Setup Golang
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          # renovate: datasource=golang-version packageName=golang
+          go-version: 1.25.3
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@ea850436a5fe75c0925d583c7a02c60a5865461d #43.0.20
+        with:
+          configurationFile: .github/configs/renovate-config.js
+          token: '${{ steps.get_token.outputs.token }}'
+        env:
+          LOG_LEVEL: 'debug'
+          RENOVATE_REPOSITORIES: '${{ github.repository }}'
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -30,12 +30,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
@@ -54,7 +54,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: SARIF file
          path: results.sarif
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
--- a/.gitignore
+++ b/.gitignore
@@ -20,6 +20,7 @@ node_modules/
 .kube/
 ./test/cmp/*.sock
 .envrc.remote
+.mirrord/
 .*.swp
 rerunreport.txt

--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -22,6 +22,7 @@ linters:
    - govet
    - importas
    - misspell
+    - noctx
    - perfsprint
    - revive
    - staticcheck
@@ -58,7 +59,6 @@ linters:
        - commentedOutCode
        - deferInLoop
        - exitAfterDefer
-        - exposedSyncMutex
        - hugeParam
        - importShadow
        - paramTypeCombine # Leave disabled, there are too many failures to be worth fixing.
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -49,13 +49,14 @@ archives:
      - argocd-cli
    name_template: |-
      {{ .ProjectName }}-{{ .Os }}-{{ .Arch }}
-    formats: [ binary ]
+    formats: [binary]

 checksum:
  name_template: 'cli_checksums.txt'
  algorithm: sha256

 release:
+  make_latest: '{{ .Env.GORELEASER_MAKE_LATEST }}'
  prerelease: auto
  draft: false
  header: |
@@ -80,7 +81,7 @@ release:
    All Argo CD container images are signed by cosign.  A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets) on how to verify.

    ## Release Notes Blog Post
-    For a detailed breakdown of the key changes and improvements in this release, check out the [official blog post](https://blog.argoproj.io/announcing-argo-cd-v3-1-f4389bc783c8)
+    For a detailed breakdown of the key changes and improvements in this release, check out the [official blog post](https://blog.argoproj.io/argo-cd-v3-0-release-candidate-a0b933f4e58f)

    ## Upgrading

--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -1,11 +1,5 @@
 dir: '{{.InterfaceDir}}/mocks'
-structname: '{{.InterfaceName}}'
 filename: '{{.InterfaceName}}.go'
-pkgname: mocks
-
-template-data:
-  unroll-variadic: true
-
 packages:
  github.com/argoproj/argo-cd/v3/applicationset/generators:
    interfaces:
@@ -14,17 +8,15 @@ packages:
    interfaces:
      Repos: {}
  github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider:
-    config:
-      dir: applicationset/services/scm_provider/aws_codecommit/mocks
    interfaces:
      AWSCodeCommitClient: {}
      AWSTaggingClient: {}
+      AzureDevOpsClientFactory: {}
  github.com/argoproj/argo-cd/v3/applicationset/utils:
    interfaces:
      Renderer: {}
  github.com/argoproj/argo-cd/v3/commitserver/apiclient:
    interfaces:
-      Clientset: {}
      CommitServiceClient: {}
  github.com/argoproj/argo-cd/v3/commitserver/commit:
    interfaces:
@@ -32,6 +24,10 @@ packages:
  github.com/argoproj/argo-cd/v3/controller/cache:
    interfaces:
      LiveStateCache: {}
+  github.com/argoproj/argo-cd/v3/controller/hydrator:
+    interfaces:
+      Dependencies: {}
+      RepoGetter: {}
  github.com/argoproj/argo-cd/v3/pkg/apiclient/cluster:
    interfaces:
      ClusterServiceServer: {}
@@ -44,8 +40,8 @@ packages:
      AppProjectInterface: {}
  github.com/argoproj/argo-cd/v3/reposerver/apiclient:
    interfaces:
-      RepoServerService_GenerateManifestWithFilesClient: {}
      RepoServerServiceClient: {}
+      RepoServerService_GenerateManifestWithFilesClient: {}
  github.com/argoproj/argo-cd/v3/server/application:
    interfaces:
      Broadcaster: {}
@@ -60,26 +56,37 @@ packages:
  github.com/argoproj/argo-cd/v3/util/db:
    interfaces:
      ArgoDB: {}
+      RepoCredsDB: {}
  github.com/argoproj/argo-cd/v3/util/git:
    interfaces:
      Client: {}
  github.com/argoproj/argo-cd/v3/util/helm:
    interfaces:
      Client: {}
-  github.com/argoproj/argo-cd/v3/util/oci:
-    interfaces:
-      Client: {}
  github.com/argoproj/argo-cd/v3/util/io:
    interfaces:
      TempPaths: {}
  github.com/argoproj/argo-cd/v3/util/notification/argocd:
    interfaces:
      Service: {}
+  github.com/argoproj/argo-cd/v3/util/oci:
+    interfaces:
+      Client: {}
  github.com/argoproj/argo-cd/v3/util/workloadidentity:
    interfaces:
      TokenProvider: {}
+  github.com/argoproj/gitops-engine/pkg/cache:
+    interfaces:
+      ClusterCache: {}
+  github.com/argoproj/gitops-engine/pkg/diff:
+    interfaces:
+      ServerSideDryRunner: {}
  github.com/microsoft/azure-devops-go-api/azuredevops/v7/git:
    config:
      dir: applicationset/services/scm_provider/azure_devops/git/mocks
    interfaces:
      Client: {}
+pkgname: mocks
+structname: '{{.InterfaceName}}'
+template-data:
+  unroll-variadic: true
--- a/6
+++ b/6
@@ -12,3 +12,9 @@
 /.github/**               @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
 /.goreleaser.yaml         @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
 /sonar-project.properties @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+
+# CLI
+/cmd/argocd/** @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
+/cmd/main.go @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
+# Also include @argoproj/argocd-approvers-docs to avoid requiring CLI approvers for docs-only PRs.
+/docs/operator-manual/ @argoproj/argocd-approvers @argoproj/argocd-approvers-docs @argoproj/argocd-approvers-cli
--- a/8
+++ b/8
@@ -1,10 +1,10 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
+ARG BASE_IMAGE=docker.io/library/ubuntu:25.04@sha256:27771fb7b40a58237c98e8d3e6b9ecdd9289cec69a857fccfb85ff36294dac20
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.24.6@sha256:2c89c41fb9efc3807029b59af69645867cfe978d2b877d475be0d72f6c6ce6f6 AS builder
+FROM docker.io/library/golang:1.25.3@sha256:6bac879c5b77e0fc9c556a5ed8920e89dab1709bd510a854903509c828f67f96 AS builder

 WORKDIR /tmp

@@ -103,11 +103,13 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.24.6@sha256:2c89c41fb9efc3807029b59af69645867cfe978d2b877d475be0d72f6c6ce6f6 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25.3@sha256:6bac879c5b77e0fc9c556a5ed8920e89dab1709bd510a854903509c828f67f96 AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

 COPY go.* ./
+RUN mkdir -p gitops-engine
+COPY gitops-engine/go.* ./gitops-engine
 RUN go mod download

 # Perform the build
--- a/Dockerfile.tilt
+++ b/Dockerfile.tilt
@@ -1,4 +1,4 @@
-FROM docker.io/library/golang:1.24.1@sha256:c5adecdb7b3f8c5ca3c88648a861882849cc8b02fed68ece31e25de88ad13418 
+FROM docker.io/library/golang:1.25.3@sha256:6bac879c5b77e0fc9c556a5ed8920e89dab1709bd510a854903509c828f67f96

 ENV DEBIAN_FRONTEND=noninteractive

--- a/22
+++ b/22
@@ -43,6 +43,17 @@ endif
 DOCKER_SRCDIR?=$(GOPATH)/src
 DOCKER_WORKDIR?=/go/src/github.com/argoproj/argo-cd

+# Allows you to control which Docker network the test-util containers attach to.
+# This is particularly useful if you are running Kubernetes in Docker (e.g., k3d)
+# and want the test containers to reach the Kubernetes API via an already-existing Docker network.
+DOCKER_NETWORK ?= default
+
+ifneq ($(DOCKER_NETWORK),default)
+DOCKER_NETWORK_ARG := --network $(DOCKER_NETWORK)
+else
+DOCKER_NETWORK_ARG :=
+endif
+
 ARGOCD_PROCFILE?=Procfile

 # pointing to python 3.7 to match https://github.com/argoproj/argo-cd/blob/master/.readthedocs.yml
@@ -113,11 +124,11 @@ define run-in-test-server
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
 		-v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \
-		-v /tmp:/tmp${VOLUME_MOUNT} \
 		-w ${DOCKER_WORKDIR} \
 		-p ${ARGOCD_E2E_APISERVER_PORT}:8080 \
 		-p 4000:4000 \
 		-p 5000:5000 \
+		$(DOCKER_NETWORK_ARG)\
 		$(PODMAN_ARGS) \
 		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
 		bash -c "$(1)"
@@ -138,8 +149,8 @@ define run-in-test-client
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
 		-v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \
-		-v /tmp:/tmp${VOLUME_MOUNT} \
 		-w ${DOCKER_WORKDIR} \
+		$(DOCKER_NETWORK_ARG)\
 		$(PODMAN_ARGS) \
 		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
 		bash -c "$(1)"
@@ -250,8 +261,12 @@ clidocsgen:
 actionsdocsgen:
 	hack/generate-actions-list.sh

+.PHONY: resourceiconsgen
+resourceiconsgen:
+	hack/generate-icons-typescript.sh
+
 .PHONY: codegen-local
-codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen manifests-local notification-docs notification-catalog
+codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen resourceiconsgen manifests-local notification-docs notification-catalog
 	rm -rf vendor/

 .PHONY: codegen-local-fast
@@ -604,6 +619,7 @@ install-test-tools-local:
 .PHONY: install-codegen-tools-local
 install-codegen-tools-local:
 	./hack/install.sh codegen-tools
+	./hack/install.sh codegen-go-tools

 # Installs all tools required for running codegen (Go packages)
 .PHONY: install-go-tools-local
--- a/2
+++ b/2
@@ -9,6 +9,6 @@ ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 oci-registry: test/fixture/testrepos/start-authenticated-helm-registry.sh
-dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
+dev-mounter: [ "$ARGOCD_E2E_TEST" != "true" ] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
 applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
 notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@@ -3,9 +3,9 @@ header:
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
-  commit-hash: 226a670fe6b3c6769ff6d18e6839298a58e4577d
+  commit-hash: 06ef059f9fc7cf9da2dfaef2a505ee1e3c693485
  project-url: https://github.com/argoproj/argo-cd
-  project-release: v3.1.0
+  project-release: v3.3.0
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
 project-lifecycle:
--- a/11
+++ b/11
@@ -10,6 +10,14 @@ cmd_button(
    text='make codegen-local',
 )

+cmd_button(
+    'make test-local',
+    argv=['sh', '-c', 'make test-local'],
+    location=location.NAV,
+    icon_name='science',
+    text='make test-local',
+)
+
 # add ui button in web ui to run make codegen-local (top nav)
 cmd_button(
    'make cli-local',
@@ -69,7 +77,7 @@ docker_build_with_restart(
    ],
    platform=platform,
    live_update=[
-        sync('.tilt-bin/argocd_linux_amd64', '/usr/local/bin/argocd'),
+        sync('.tilt-bin/argocd_linux', '/usr/local/bin/argocd'),
    ],
    only=[
        '.tilt-bin',
@@ -260,6 +268,7 @@ local_resource(
    'make lint-local',
    deps = code_deps,
    allow_parallel=True,
+    resource_deps=['vendor']
 )

 local_resource(
--- a/USERS.md
+++ b/USERS.md
@@ -5,8 +5,10 @@ PR with your organization name if you are using Argo CD.

 Currently, the following organizations are **officially** using Argo CD:

+1. [100ms](https://www.100ms.ai/)
 1. [127Labs](https://127labs.com/)
 1. [3Rein](https://www.3rein.com/)
+1. [42 School](https://42.fr/)
 1. [4data](https://4data.ch/)
 1. [7shifts](https://www.7shifts.com/)
 1. [Adevinta](https://www.adevinta.com/)
@@ -40,6 +42,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Back Market](https://www.backmarket.com)
 1. [Bajaj Finserv Health Ltd.](https://www.bajajfinservhealth.in)
 1. [Baloise](https://www.baloise.com)
+1. [Batumbu](https://batumbu.id)
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
 1. [Beez Innovation Labs](https://www.beezlabs.com/)
@@ -60,6 +63,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Camptocamp](https://camptocamp.com)
 1. [Candis](https://www.candis.io)
 1. [Capital One](https://www.capitalone.com)
+1. [Capptain LTD](https://capptain.co/)
 1. [CARFAX Europe](https://www.carfax.eu)
 1. [CARFAX](https://www.carfax.com)
 1. [Carrefour Group](https://www.carrefour.com)
@@ -71,6 +75,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Chime](https://www.chime.com)
 1. [Chronicle Labs](https://chroniclelabs.org)
 1. [Cisco ET&I](https://eti.cisco.com/)
+1. [Close](https://www.close.com/)
 1. [Cloud Posse](https://www.cloudposse.com/)
 1. [Cloud Scale](https://cloudscaleinc.com/)
 1. [CloudScript](https://www.cloudscript.com.br/)
@@ -160,6 +165,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Hiya](https://hiya.com)
 1. [Honestbank](https://honestbank.com)
 1. [Hostinger](https://www.hostinger.com)
+1. [Hotjar](https://www.hotjar.com)
 1. [IABAI](https://www.iab.ai)
 1. [IBM](https://www.ibm.com/)
 1. [Ibotta](https://home.ibotta.com)
@@ -173,6 +179,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Instruqt](https://www.instruqt.com)
+1. [Intel](https://www.intel.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Jellysmack](https://www.jellysmack.com)
 1. [Joblift](https://joblift.com/)
@@ -303,7 +310,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Relex Solutions](https://www.relexsolutions.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rijkswaterstaat](https://www.rijkswaterstaat.nl/en)
-1. [Rise](https://www.risecard.eu/)
+1. Rise
 1. [Riskified](https://www.riskified.com/)
 1. [Robotinfra](https://www.robotinfra.com)
 1. [Rocket.Chat](https://rocket.chat)
@@ -320,7 +327,10 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [SEEK](https://seek.com.au)
 1. [SEKAI](https://www.sekai.io/)
 1. [Semgrep](https://semgrep.com)
+1. [Seznam.cz](https://o-seznam.cz/)
 1. [Shield](https://shield.com)
+1. [Shipfox](https://www.shipfox.io)
+1. [Shock Media](https://www.shockmedia.nl)
 1. [SI Analytics](https://si-analytics.ai)
 1. [Sidewalk Entertainment](https://sidewalkplay.com/)
 1. [Skit](https://skit.ai/)
@@ -333,6 +343,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Snapp](https://snapp.ir/)
 1. [Snyk](https://snyk.io/)
 1. [Softway Medical](https://www.softwaymedical.fr/)
+1. [Sophotech](https://sopho.tech)
 1. [South China Morning Post (SCMP)](https://www.scmp.com/)
 1. [Speee](https://speee.jp/)
 1. [Spendesk](https://spendesk.com/)
--- a/2
+++ b/2
@@ -1 +1 @@
-3.1.0
+3.3.0
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/template/template_test.go
+++ b/applicationset/controllers/template/template_test.go
@@ -86,28 +86,28 @@ func TestGenerateApplications(t *testing.T) {
 		}

 		t.Run(cc.name, func(t *testing.T) {
-			generatorMock := genmock.Generator{}
+			generatorMock := &genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
 			}

-			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cc.params, cc.generateParamsError)

-			generatorMock.On("GetTemplate", &generator).
+			generatorMock.EXPECT().GetTemplate(&generator).
 				Return(&v1alpha1.ApplicationSetTemplate{})

-			rendererMock := rendmock.Renderer{}
+			rendererMock := &rendmock.Renderer{}

 			var expectedApps []v1alpha1.Application

 			if cc.generateParamsError == nil {
 				for _, p := range cc.params {
 					if cc.rendererError != nil {
-						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+						rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
 							Return(nil, cc.rendererError)
 					} else {
-						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+						rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
 							Return(&app, nil)
 						expectedApps = append(expectedApps, app)
 					}
@@ -115,9 +115,9 @@ func TestGenerateApplications(t *testing.T) {
 			}

 			generators := map[string]generators.Generator{
-				"List": &generatorMock,
+				"List": generatorMock,
 			}
-			renderer := &rendererMock
+			renderer := rendererMock

 			got, reason, err := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -200,26 +200,26 @@ func TestMergeTemplateApplications(t *testing.T) {
 		cc := c

 		t.Run(cc.name, func(t *testing.T) {
-			generatorMock := genmock.Generator{}
+			generatorMock := &genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
 			}

-			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cc.params, nil)

-			generatorMock.On("GetTemplate", &generator).
+			generatorMock.EXPECT().GetTemplate(&generator).
 				Return(&cc.overrideTemplate)

-			rendererMock := rendmock.Renderer{}
+			rendererMock := &rendmock.Renderer{}

-			rendererMock.On("RenderTemplateParams", GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
+			rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
 				Return(&cc.expectedApps[0], nil)

 			generators := map[string]generators.Generator{
-				"List": &generatorMock,
+				"List": generatorMock,
 			}
-			renderer := &rendererMock
+			renderer := rendererMock

 			got, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -312,19 +312,19 @@ func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
 		},
 	} {
 		t.Run(cases.name, func(t *testing.T) {
-			generatorMock := genmock.Generator{}
+			generatorMock := &genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				PullRequest: &v1alpha1.PullRequestGenerator{},
 			}

-			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cases.params, nil)

-			generatorMock.On("GetTemplate", &generator).
-				Return(&cases.template, nil)
+			generatorMock.EXPECT().GetTemplate(&generator).
+				Return(&cases.template)

 			generators := map[string]generators.Generator{
-				"PullRequest": &generatorMock,
+				"PullRequest": generatorMock,
 			}
 			renderer := &utils.Render{}

--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@@ -79,14 +79,10 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 		return nil, fmt.Errorf("error getting cluster secrets: %w", err)
 	}

-	res := []map[string]any{}
+	paramHolder := &paramHolder{isFlatMode: appSetGenerator.Clusters.FlatList}
+	logCtx.Debugf("Using flat mode = %t for cluster generator", paramHolder.isFlatMode)

 	secretsFound := []corev1.Secret{}
-
-	isFlatMode := appSetGenerator.Clusters.FlatList
-	logCtx.Debugf("Using flat mode = %t for cluster generator", isFlatMode)
-	clustersParams := make([]map[string]any, 0)
-
 	for _, cluster := range clustersFromArgoCD {
 		// If there is a secret for this cluster, then it's a non-local cluster, so it will be
 		// handled by the next step.
@@ -105,72 +101,80 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 				return nil, fmt.Errorf("error appending templated values for local cluster: %w", err)
 			}

-			if isFlatMode {
-				clustersParams = append(clustersParams, params)
-			} else {
-				res = append(res, params)
-			}
-
+			paramHolder.append(params)
 			logCtx.WithField("cluster", "local cluster").Info("matched local cluster")
 		}
 	}

 	// For each matching cluster secret (non-local clusters only)
 	for _, cluster := range secretsFound {
-		params := map[string]any{}
-
-		params["name"] = string(cluster.Data["name"])
-		params["nameNormalized"] = utils.SanitizeName(string(cluster.Data["name"]))
-		params["server"] = string(cluster.Data["server"])
-
-		project, ok := cluster.Data["project"]
-		if ok {
-			params["project"] = string(project)
-		} else {
-			params["project"] = ""
-		}
-
-		if appSet.Spec.GoTemplate {
-			meta := map[string]any{}
-
-			if len(cluster.Annotations) > 0 {
-				meta["annotations"] = cluster.Annotations
-			}
-			if len(cluster.Labels) > 0 {
-				meta["labels"] = cluster.Labels
-			}
-
-			params["metadata"] = meta
-		} else {
-			for key, value := range cluster.Annotations {
-				params["metadata.annotations."+key] = value
-			}
-
-			for key, value := range cluster.Labels {
-				params["metadata.labels."+key] = value
-			}
-		}
+		params := g.getClusterParameters(cluster, appSet)

 		err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 		if err != nil {
 			return nil, fmt.Errorf("error appending templated values for cluster: %w", err)
 		}

-		if isFlatMode {
-			clustersParams = append(clustersParams, params)
-		} else {
-			res = append(res, params)
-		}
-
+		paramHolder.append(params)
 		logCtx.WithField("cluster", cluster.Name).Debug("matched cluster secret")
 	}

-	if isFlatMode {
-		res = append(res, map[string]any{
-			"clusters": clustersParams,
-		})
+	return paramHolder.consolidate(), nil
+}
+
+type paramHolder struct {
+	isFlatMode bool
+	params     []map[string]any
+}
+
+func (p *paramHolder) append(params map[string]any) {
+	p.params = append(p.params, params)
+}
+
+func (p *paramHolder) consolidate() []map[string]any {
+	if p.isFlatMode {
+		p.params = []map[string]any{
+			{"clusters": p.params},
+		}
 	}
-	return res, nil
+	return p.params
+}
+
+func (g *ClusterGenerator) getClusterParameters(cluster corev1.Secret, appSet *argoappsetv1alpha1.ApplicationSet) map[string]any {
+	params := map[string]any{}
+
+	params["name"] = string(cluster.Data["name"])
+	params["nameNormalized"] = utils.SanitizeName(string(cluster.Data["name"]))
+	params["server"] = string(cluster.Data["server"])
+
+	project, ok := cluster.Data["project"]
+	if ok {
+		params["project"] = string(project)
+	} else {
+		params["project"] = ""
+	}
+
+	if appSet.Spec.GoTemplate {
+		meta := map[string]any{}
+
+		if len(cluster.Annotations) > 0 {
+			meta["annotations"] = cluster.Annotations
+		}
+		if len(cluster.Labels) > 0 {
+			meta["labels"] = cluster.Labels
+		}
+
+		params["metadata"] = meta
+	} else {
+		for key, value := range cluster.Annotations {
+			params["metadata.annotations."+key] = value
+		}
+
+		for key, value := range cluster.Labels {
+			params["metadata.labels."+key] = value
+		}
+	}
+	return params
 }

 func (g *ClusterGenerator) getSecretsByClusterName(log *log.Entry, appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) (map[string]corev1.Secret, error) {
--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@@ -223,7 +223,7 @@ func TestTransForm(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			testGenerators := map[string]Generator{
-				"Clusters": getMockClusterGenerator(),
+				"Clusters": getMockClusterGenerator(t.Context()),
 			}

 			applicationSetInfo := argov1alpha1.ApplicationSet{
@@ -260,7 +260,7 @@ func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
 	}
 }

-func getMockClusterGenerator() Generator {
+func getMockClusterGenerator(ctx context.Context) Generator {
 	clusters := []crtclient.Object{
 		&corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
@@ -342,19 +342,19 @@ func getMockClusterGenerator() Generator {
 	appClientset := kubefake.NewSimpleClientset(runtimeClusters...)

 	fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
-	return NewClusterGenerator(context.Background(), fakeClient, appClientset, "namespace")
+	return NewClusterGenerator(ctx, fakeClient, appClientset, "namespace")
 }

 func getMockGitGenerator() Generator {
-	argoCDServiceMock := mocks.Repos{}
-	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
-	gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
+	argoCDServiceMock := &mocks.Repos{}
+	argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	gitGenerator := NewGitGenerator(argoCDServiceMock, "namespace")
 	return gitGenerator
 }

 func TestGetRelevantGenerators(t *testing.T) {
 	testGenerators := map[string]Generator{
-		"Clusters": getMockClusterGenerator(),
+		"Clusters": getMockClusterGenerator(t.Context()),
 		"Git":      getMockGitGenerator(),
 	}

--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -29,10 +29,10 @@ type GitGenerator struct {
 }

 // NewGitGenerator creates a new instance of Git Generator
-func NewGitGenerator(repos services.Repos, namespace string) Generator {
+func NewGitGenerator(repos services.Repos, controllerNamespace string) Generator {
 	g := &GitGenerator{
 		repos:     repos,
-		namespace: namespace,
+		namespace: controllerNamespace,
 	}

 	return g
@@ -78,11 +78,11 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic
 	if !strings.Contains(appSet.Spec.Template.Spec.Project, "{{") {
 		project := appSet.Spec.Template.Spec.Project
 		appProject := &argoprojiov1alpha1.AppProject{}
-		namespace := g.namespace
-		if namespace == "" {
-			namespace = appSet.Namespace
+		controllerNamespace := g.namespace
+		if controllerNamespace == "" {
+			controllerNamespace = appSet.Namespace
 		}
-		if err := client.Get(context.TODO(), types.NamespacedName{Name: project, Namespace: namespace}, appProject); err != nil {
+		if err := client.Get(context.TODO(), types.NamespacedName{Name: project, Namespace: controllerNamespace}, appProject); err != nil {
 			return nil, fmt.Errorf("error getting project %s: %w", project, err)
 		}
 		// we need to verify the signature on the Git revision if GPG is enabled
@@ -222,19 +222,18 @@ func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1al
 func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []byte, values map[string]string, useGoTemplate bool, goTemplateOptions []string, pathParamPrefix string) ([]map[string]any, error) {
 	objectsFound := []map[string]any{}

-	// First, we attempt to parse as an array
-	err := yaml.Unmarshal(fileContent, &objectsFound)
-	if err != nil {
-		// If unable to parse as an array, attempt to parse as a single object
-		singleObj := make(map[string]any)
-		err = yaml.Unmarshal(fileContent, &singleObj)
+	// First, we attempt to parse as a single object.
+	// This will also succeed for empty files.
+	singleObj := map[string]any{}
+	err := yaml.Unmarshal(fileContent, &singleObj)
+	if err == nil {
+		objectsFound = append(objectsFound, singleObj)
+	} else {
+		// If unable to parse as an object, try to parse as an array
+		err = yaml.Unmarshal(fileContent, &objectsFound)
 		if err != nil {
 			return nil, fmt.Errorf("unable to parse file: %w", err)
 		}
-		objectsFound = append(objectsFound, singleObj)
-	} else if len(objectsFound) == 0 {
-		// If file is valid but empty, add a default empty item
-		objectsFound = append(objectsFound, map[string]any{})
 	}

 	res := []map[string]any{}
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@@ -320,11 +320,11 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)

-			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -357,8 +357,6 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -623,11 +621,11 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)

-			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -660,8 +658,6 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -825,7 +821,7 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 			},
 			repoPathsError: nil,
 			expected:       []map[string]any{},
-			expectedError:  errors.New("error generating params from git: unable to process file 'cluster-config/production/config.json': unable to parse file: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type map[string]interface {}"),
+			expectedError:  errors.New("error generating params from git: unable to process file 'cluster-config/production/config.json': unable to parse file: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type []map[string]interface {}"),
 		},
 		{
 			name:  "test JSON array",
@@ -982,6 +978,16 @@ cluster:
 			},
 			expectedError: nil,
 		},
+		{
+			name:  "test empty YAML array",
+			files: []v1alpha1.GitFileGeneratorItem{{Path: "**/config.yaml"}},
+			repoFileContents: map[string][]byte{
+				"cluster-config/production/config.yaml": []byte(`[]`),
+			},
+			repoPathsError: nil,
+			expected:       []map[string]any{},
+			expectedError:  nil,
+		},
 	}

 	for _, testCase := range cases {
@@ -990,11 +996,11 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
-			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1026,8 +1032,6 @@ cluster:
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -1321,7 +1325,7 @@ env: testing
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)

 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
@@ -1329,18 +1333,16 @@ env: testing
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1372,8 +1374,6 @@ env: testing
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -1662,7 +1662,7 @@ env: testing
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)

 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
@@ -1670,18 +1670,16 @@ env: testing
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1713,8 +1711,6 @@ env: testing
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -1898,25 +1894,23 @@ func TestGitGeneratorParamsFromFilesWithExcludeOptionGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)
 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
 			// This is generally done by the g.repos.GetFiles() function.
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1948,8 +1942,6 @@ func TestGitGeneratorParamsFromFilesWithExcludeOptionGoTemplate(t *testing.T) {
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -2060,7 +2052,7 @@ func TestGitGenerateParamsFromFilesGoTemplate(t *testing.T) {
 			},
 			repoPathsError: nil,
 			expected:       []map[string]any{},
-			expectedError:  errors.New("error generating params from git: unable to process file 'cluster-config/production/config.json': unable to parse file: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type map[string]interface {}"),
+			expectedError:  errors.New("error generating params from git: unable to process file 'cluster-config/production/config.json': unable to parse file: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type []map[string]interface {}"),
 		},
 		{
 			name:  "test JSON array",
@@ -2269,11 +2261,11 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
-			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -2305,8 +2297,6 @@ cluster:
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@@ -2472,7 +2462,7 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 		},
 	}
 	for _, testCase := range cases {
-		argoCDServiceMock := mocks.Repos{}
+		argoCDServiceMock := mocks.NewRepos(t)

 		if testCase.callGetDirectories {
 			var project any
@@ -2482,9 +2472,9 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 				project = mock.Anything
 			}

-			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, project, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
+			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, project, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
 		}
-		gitGenerator := NewGitGenerator(&argoCDServiceMock, "argocd")
+		gitGenerator := NewGitGenerator(argoCDServiceMock, "argocd")

 		scheme := runtime.NewScheme()
 		err := v1alpha1.AddToScheme(scheme)
@@ -2500,7 +2490,5 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 			require.NoError(t, err)
 			assert.Equal(t, testCase.expected, got)
 		}
-
-		argoCDServiceMock.AssertExpectations(t)
 	}
 }
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@@ -12,12 +12,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

+	generatorsMock "github.com/argoproj/argo-cd/v3/applicationset/generators/mocks"
+	servicesMocks "github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

@@ -136,7 +136,7 @@ func TestMatrixGenerate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -149,7 +149,7 @@ func TestMatrixGenerate(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path":                    "app1",
 						"path.basename":           "app1",
@@ -162,7 +162,7 @@ func TestMatrixGenerate(t *testing.T) {
 					},
 				}, nil)

-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@@ -343,7 +343,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -358,7 +358,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path": map[string]string{
 							"path":               "app1",
@@ -375,7 +375,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 					},
 				}, nil)

-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@@ -507,7 +507,7 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			mock := &generatorMock{}
+			mock := &generatorsMock.Generator{}

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := v1alpha1.ApplicationSetGenerator{
@@ -517,7 +517,7 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 					SCMProvider:             g.SCMProvider,
 					ClusterDecisionResource: g.ClusterDecisionResource,
 				}
-				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
+				mock.EXPECT().GetRequeueAfter(&gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter)
 			}

 			matrixGenerator := NewMatrixGenerator(
@@ -634,7 +634,7 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{}

 			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
@@ -650,7 +650,7 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 					Git:      g.Git,
 					Clusters: g.Clusters,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path":                    "examples/git-generator-files-discovery/cluster-config/dev/config.json",
 						"path.basename":           "dev",
@@ -662,7 +662,7 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 						"path.basenameNormalized": "prod",
 					},
 				}, nil)
-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}
 			matrixGenerator := NewMatrixGenerator(
@@ -813,7 +813,7 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{
 				Spec: v1alpha1.ApplicationSetSpec{
 					GoTemplate: true,
@@ -833,7 +833,7 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 					Git:      g.Git,
 					Clusters: g.Clusters,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path": map[string]string{
 							"path":               "examples/git-generator-files-discovery/cluster-config/dev/config.json",
@@ -849,7 +849,7 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 						},
 					},
 				}, nil)
-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}
 			matrixGenerator := NewMatrixGenerator(
@@ -969,7 +969,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -984,7 +984,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{{
 					"foo": map[string]any{
 						"bar": []any{
 							map[string]any{
@@ -1009,7 +1009,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 						},
 					},
 				}}, nil)
-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@@ -1037,28 +1037,6 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 	}
 }

-type generatorMock struct {
-	mock.Mock
-}
-
-func (g *generatorMock) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate {
-	args := g.Called(appSetGenerator)
-
-	return args.Get(0).(*v1alpha1.ApplicationSetTemplate)
-}
-
-func (g *generatorMock) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, appSet *v1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
-	args := g.Called(appSetGenerator, appSet)
-
-	return args.Get(0).([]map[string]any), args.Error(1)
-}
-
-func (g *generatorMock) GetRequeueAfter(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration {
-	args := g.Called(appSetGenerator)
-
-	return args.Get(0).(time.Duration)
-}
-
 func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	// Given a matrix generator over a list generator and a git files generator, the nested git files generator should
 	// be treated as a files generator, and it should produce parameters.
@@ -1072,11 +1050,11 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	// Now instead of checking for nil, we check whether the field is a non-empty slice. This test prevents a regression
 	// of that bug.

-	listGeneratorMock := &generatorMock{}
-	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]any{
+	listGeneratorMock := &generatorsMock.Generator{}
+	listGeneratorMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]any{
 		{"some": "value"},
 	}, nil)
-	listGeneratorMock.On("GetTemplate", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&v1alpha1.ApplicationSetTemplate{})
+	listGeneratorMock.EXPECT().GetTemplate(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&v1alpha1.ApplicationSetTemplate{})

 	gitGeneratorSpec := &v1alpha1.GitGenerator{
 		RepoURL: "https://git.example.com",
@@ -1085,10 +1063,10 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 		},
 	}

-	repoServiceMock := &mocks.Repos{}
-	repoServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
+	repoServiceMock := &servicesMocks.Repos{}
+	repoServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
 		"some/path.json": []byte("test: content"),
-	}, nil)
+	}, nil).Maybe()
 	gitGenerator := NewGitGenerator(repoServiceMock, "")

 	matrixGenerator := NewMatrixGenerator(map[string]Generator{
--- a/applicationset/generators/pull_request.go
+++ b/applicationset/generators/pull_request.go
@@ -11,6 +11,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/gosimple/slug"
+	log "github.com/sirupsen/logrus"

 	"github.com/argoproj/argo-cd/v3/applicationset/services"
 	pullrequest "github.com/argoproj/argo-cd/v3/applicationset/services/pull_request"
@@ -18,8 +19,6 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-var _ Generator = (*PullRequestGenerator)(nil)
-
 const (
 	DefaultPullRequestRequeueAfter = 30 * time.Minute
 )
@@ -49,6 +48,10 @@ func (g *PullRequestGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alph
 	return DefaultPullRequestRequeueAfter
 }

+func (g *PullRequestGenerator) GetContinueOnRepoNotFoundError(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) bool {
+	return appSetGenerator.PullRequest.ContinueOnRepoNotFoundError
+}
+
 func (g *PullRequestGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.PullRequest.Template
 }
@@ -69,10 +72,15 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	}

 	pulls, err := pullrequest.ListPullRequests(ctx, svc, appSetGenerator.PullRequest.Filters)
+	params := make([]map[string]any, 0, len(pulls))
 	if err != nil {
+		if pullrequest.IsRepositoryNotFoundError(err) && g.GetContinueOnRepoNotFoundError(appSetGenerator) {
+			log.WithError(err).WithField("generator", g).
+				Warn("Skipping params generation for this repository since it was not found.")
+			return params, nil
+		}
 		return nil, fmt.Errorf("error listing repos: %w", err)
 	}
-	params := make([]map[string]any, 0, len(pulls))

 	// In order to follow the DNS label standard as defined in RFC 1123,
 	// we need to limit the 'branch' to 50 to give room to append/suffix-ing it
@@ -111,15 +119,15 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			"author":             pull.Author,
 		}

-		err := appendTemplatedValues(appSetGenerator.PullRequest.Values, paramMap, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
-		if err != nil {
-			return nil, fmt.Errorf("failed to append templated values: %w", err)
-		}
-
 		// PR lables will only be supported for Go Template appsets, since fasttemplate will be deprecated.
 		if applicationSetInfo != nil && applicationSetInfo.Spec.GoTemplate {
 			paramMap["labels"] = pull.Labels
 		}
+
+		err := appendTemplatedValues(appSetGenerator.PullRequest.Values, paramMap, applicationSetInfo.Spec.GoTemplate, applicationSetInfo.Spec.GoTemplateOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to append templated values: %w", err)
+		}
 		params = append(params, paramMap)
 	}
 	return params, nil
--- a/applicationset/generators/pull_request_test.go
+++ b/applicationset/generators/pull_request_test.go
@@ -16,11 +16,12 @@ import (
 func TestPullRequestGithubGenerateParams(t *testing.T) {
 	ctx := t.Context()
 	cases := []struct {
-		selectFunc     func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error)
-		values         map[string]string
-		expected       []map[string]any
-		expectedErr    error
-		applicationSet argoprojiov1alpha1.ApplicationSet
+		selectFunc                  func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error)
+		values                      map[string]string
+		expected                    []map[string]any
+		expectedErr                 error
+		applicationSet              argoprojiov1alpha1.ApplicationSet
+		continueOnRepoNotFoundError bool
 	}{
 		{
 			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
@@ -171,6 +172,30 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 			expected:    nil,
 			expectedErr: errors.New("error listing repos: fake error"),
 		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					nil,
+					pullrequest.NewRepositoryNotFoundError(errors.New("repository not found")),
+				)
+			},
+			expected:                    []map[string]any{},
+			expectedErr:                 nil,
+			continueOnRepoNotFoundError: true,
+		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					nil,
+					pullrequest.NewRepositoryNotFoundError(errors.New("repository not found")),
+				)
+			},
+			expected:                    nil,
+			expectedErr:                 errors.New("error listing repos: repository not found"),
+			continueOnRepoNotFoundError: false,
+		},
 		{
 			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
 				return pullrequest.NewFakeService(
@@ -252,6 +277,51 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 				},
 			},
 		},
+		{
+			selectFunc: func(context.Context, *argoprojiov1alpha1.PullRequestGenerator, *argoprojiov1alpha1.ApplicationSet) (pullrequest.PullRequestService, error) {
+				return pullrequest.NewFakeService(
+					ctx,
+					[]*pullrequest.PullRequest{
+						{
+							Number:       1,
+							Title:        "title1",
+							Branch:       "my_branch",
+							TargetBranch: "master",
+							HeadSHA:      "abcd",
+							Author:       "testName",
+							Labels:       []string{"preview", "preview:team1"},
+						},
+					},
+					nil,
+				)
+			},
+			values: map[string]string{
+				"preview_env": "{{ regexFind \"(team1|team2)\" (.labels | join \",\") }}",
+			},
+			expected: []map[string]any{
+				{
+					"number":             "1",
+					"title":              "title1",
+					"branch":             "my_branch",
+					"branch_slug":        "my-branch",
+					"target_branch":      "master",
+					"target_branch_slug": "master",
+					"head_sha":           "abcd",
+					"head_short_sha":     "abcd",
+					"head_short_sha_7":   "abcd",
+					"author":             "testName",
+					"labels":             []string{"preview", "preview:team1"},
+					"values":             map[string]string{"preview_env": "team1"},
+				},
+			},
+			expectedErr: nil,
+			applicationSet: argoprojiov1alpha1.ApplicationSet{
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					// Application set is using fasttemplate.
+					GoTemplate: true,
+				},
+			},
+		},
 	}

 	for _, c := range cases {
@@ -260,7 +330,8 @@ func TestPullRequestGithubGenerateParams(t *testing.T) {
 		}
 		generatorConfig := argoprojiov1alpha1.ApplicationSetGenerator{
 			PullRequest: &argoprojiov1alpha1.PullRequestGenerator{
-				Values: c.values,
+				Values:                      c.values,
+				ContinueOnRepoNotFoundError: c.continueOnRepoNotFoundError,
 			},
 		}

--- a/applicationset/generators/utils.go
+++ b/applicationset/generators/utils.go
@@ -10,15 +10,15 @@ import (
 	"github.com/argoproj/argo-cd/v3/applicationset/services"
 )

-func GetGenerators(ctx context.Context, c client.Client, k8sClient kubernetes.Interface, namespace string, argoCDService services.Repos, dynamicClient dynamic.Interface, scmConfig SCMConfig) map[string]Generator {
+func GetGenerators(ctx context.Context, c client.Client, k8sClient kubernetes.Interface, controllerNamespace string, argoCDService services.Repos, dynamicClient dynamic.Interface, scmConfig SCMConfig) map[string]Generator {
 	terminalGenerators := map[string]Generator{
 		"List":                    NewListGenerator(),
-		"Clusters":                NewClusterGenerator(ctx, c, k8sClient, namespace),
-		"Git":                     NewGitGenerator(argoCDService, namespace),
+		"Clusters":                NewClusterGenerator(ctx, c, k8sClient, controllerNamespace),
+		"Git":                     NewGitGenerator(argoCDService, controllerNamespace),
 		"SCMProvider":             NewSCMProviderGenerator(c, scmConfig),
-		"ClusterDecisionResource": NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, namespace),
+		"ClusterDecisionResource": NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, controllerNamespace),
 		"PullRequest":             NewPullRequestGenerator(c, scmConfig),
-		"Plugin":                  NewPluginGenerator(c, namespace),
+		"Plugin":                  NewPluginGenerator(c, controllerNamespace),
 	}

 	nestedGenerators := map[string]Generator{
--- a/applicationset/metrics/metrics_test.go
+++ b/applicationset/metrics/metrics_test.go
@@ -174,7 +174,7 @@ func TestApplicationsetCollector(t *testing.T) {
 	appsetCollector := newAppsetCollector(utils.NewAppsetLister(client), collectedLabels, filter)

 	metrics.Registry.MustRegister(appsetCollector)
-	req, err := http.NewRequest(http.MethodGet, "/metrics", http.NoBody)
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/metrics", http.NoBody)
 	require.NoError(t, err)
 	rr := httptest.NewRecorder()
 	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
@@ -216,7 +216,7 @@ func TestObserveReconcile(t *testing.T) {

 	appsetMetrics := NewApplicationsetMetrics(utils.NewAppsetLister(client), collectedLabels, filter)

-	req, err := http.NewRequest(http.MethodGet, "/metrics", http.NoBody)
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/metrics", http.NoBody)
 	require.NoError(t, err)
 	rr := httptest.NewRecorder()
 	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
--- a/applicationset/services/github_metrics_test.go
+++ b/applicationset/services/github_metrics_test.go
@@ -97,7 +97,9 @@ func TestGitHubMetrics_CollectorApproach_Success(t *testing.T) {
 		),
 	}

-	req, _ := http.NewRequest(http.MethodGet, ts.URL+URL, http.NoBody)
+	ctx := t.Context()
+
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, ts.URL+URL, http.NoBody)
 	resp, err := client.Do(req)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -109,7 +111,11 @@ func TestGitHubMetrics_CollectorApproach_Success(t *testing.T) {
 	server := httptest.NewServer(handler)
 	defer server.Close()

-	resp, err = http.Get(server.URL)
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, server.URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	resp, err = http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("failed to scrape metrics: %v", err)
 	}
@@ -151,15 +157,23 @@ func TestGitHubMetrics_CollectorApproach_NoRateLimitMetricsOnNilResponse(t *test
 			metrics:        metrics,
 		},
 	}
+	ctx := t.Context()

-	req, _ := http.NewRequest(http.MethodGet, URL, http.NoBody)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
 	_, _ = client.Do(req)

 	handler := promhttp.HandlerFor(reg, promhttp.HandlerOpts{})
 	server := httptest.NewServer(handler)
 	defer server.Close()

-	resp, err := http.Get(server.URL)
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, server.URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("failed to scrape metrics: %v", err)
 	}
--- a/applicationset/services/pull_request/azure_devops.go
+++ b/applicationset/services/pull_request/azure_devops.go
@@ -10,7 +10,10 @@ import (
 	"github.com/microsoft/azure-devops-go-api/azuredevops/v7/git"
 )

-const AZURE_DEVOPS_DEFAULT_URL = "https://dev.azure.com"
+const (
+	AZURE_DEVOPS_DEFAULT_URL             = "https://dev.azure.com"
+	AZURE_DEVOPS_PROJECT_NOT_FOUND_ERROR = "The following project does not exist"
+)

 type AzureDevOpsClientFactory interface {
 	// Returns an Azure Devops Client interface.
@@ -70,13 +73,22 @@ func (a *AzureDevOpsService) List(ctx context.Context) ([]*PullRequest, error) {
 		SearchCriteria: &git.GitPullRequestSearchCriteria{},
 	}

+	pullRequests := []*PullRequest{}
+
 	azurePullRequests, err := client.GetPullRequestsByProject(ctx, args)
 	if err != nil {
+		// A standard Http 404 error is not returned for Azure DevOps,
+		// so checking the error message for a specific pattern.
+		// NOTE: Since the repos are filtered later, only existence of the project
+		// is relevant for AzureDevOps
+		if strings.Contains(err.Error(), AZURE_DEVOPS_PROJECT_NOT_FOUND_ERROR) {
+			// return a custom error indicating that the repository is not found,
+			// but also return the empty result since the decision to continue or not in this case is made by the caller
+			return pullRequests, NewRepositoryNotFoundError(err)
+		}
 		return nil, fmt.Errorf("failed to get pull requests by project: %w", err)
 	}

-	pullRequests := []*PullRequest{}
-
 	for _, pr := range *azurePullRequests {
 		if pr.Repository == nil ||
 			pr.Repository.Name == nil ||
--- a/applicationset/services/pull_request/azure_devops_test.go
+++ b/applicationset/services/pull_request/azure_devops_test.go
@@ -1,7 +1,7 @@
 package pull_request

 import (
-	"context"
+	"errors"
 	"testing"

 	"github.com/microsoft/azure-devops-go-api/azuredevops/v7/core"
@@ -12,6 +12,7 @@ import (
 	"github.com/stretchr/testify/require"

 	azureMock "github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/azure_devops/git/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 )

 func createBoolPtr(x bool) *bool {
@@ -34,29 +35,6 @@ func createUniqueNamePtr(x string) *string {
 	return &x
 }

-type AzureClientFactoryMock struct {
-	mock *mock.Mock
-}
-
-func (m *AzureClientFactoryMock) GetClient(ctx context.Context) (git.Client, error) {
-	args := m.mock.Called(ctx)
-
-	var client git.Client
-	c := args.Get(0)
-	if c != nil {
-		client = c.(git.Client)
-	}
-
-	var err error
-	if len(args) > 1 {
-		if e, ok := args.Get(1).(error); ok {
-			err = e
-		}
-	}
-
-	return client, err
-}
-
 func TestListPullRequest(t *testing.T) {
 	teamProject := "myorg_project"
 	repoName := "myorg_project_repo"
@@ -90,10 +68,10 @@ func TestListPullRequest(t *testing.T) {
 		SearchCriteria: &git.GitPullRequestSearchCriteria{},
 	}

-	gitClientMock := azureMock.Client{}
-	clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-	clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
-	gitClientMock.On("GetPullRequestsByProject", ctx, args).Return(&pullRequestMock, nil)
+	gitClientMock := &azureMock.Client{}
+	clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+	clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
+	gitClientMock.EXPECT().GetPullRequestsByProject(mock.Anything, args).Return(&pullRequestMock, nil)

 	provider := AzureDevOpsService{
 		clientFactory: clientFactoryMock,
@@ -235,3 +213,36 @@ func TestBuildURL(t *testing.T) {
 		})
 	}
 }
+
+func TestAzureDevOpsListReturnsRepositoryNotFoundError(t *testing.T) {
+	args := git.GetPullRequestsByProjectArgs{
+		Project:        createStringPtr("nonexistent"),
+		SearchCriteria: &git.GitPullRequestSearchCriteria{},
+	}
+
+	pullRequestMock := []git.GitPullRequest{}
+
+	gitClientMock := &azureMock.Client{}
+	clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+	clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
+
+	// Mock the GetPullRequestsByProject to return an error containing "404"
+	gitClientMock.EXPECT().GetPullRequestsByProject(mock.Anything, args).Return(&pullRequestMock,
+		errors.New("The following project does not exist:"))
+
+	provider := AzureDevOpsService{
+		clientFactory: clientFactoryMock,
+		project:       "nonexistent",
+		repo:          "nonexistent",
+		labels:        nil,
+	}
+
+	prs, err := provider.List(t.Context())
+
+	// Should return empty pull requests list
+	assert.Empty(t, prs)
+
+	// Should return RepositoryNotFoundError
+	require.Error(t, err)
+	assert.True(t, IsRepositoryNotFoundError(err), "Expected RepositoryNotFoundError but got: %v", err)
+}
--- a/applicationset/services/pull_request/bitbucket_cloud.go
+++ b/applicationset/services/pull_request/bitbucket_cloud.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
+	"strings"

 	"github.com/ktrysmt/go-bitbucket"
 )
@@ -117,8 +118,17 @@ func (b *BitbucketCloudService) List(_ context.Context) ([]*PullRequest, error)
 		RepoSlug: b.repositorySlug,
 	}

+	pullRequests := []*PullRequest{}
+
 	response, err := b.client.Repositories.PullRequests.Gets(opts)
 	if err != nil {
+		// A standard Http 404 error is not returned for Bitbucket Cloud,
+		// so checking the error message for a specific pattern
+		if strings.Contains(err.Error(), "404 Not Found") {
+			// return a custom error indicating that the repository is not found,
+			// but also return the empty result since the decision to continue or not in this case is made by the caller
+			return pullRequests, NewRepositoryNotFoundError(err)
+		}
 		return nil, fmt.Errorf("error listing pull requests for %s/%s: %w", b.owner, b.repositorySlug, err)
 	}

@@ -142,7 +152,6 @@ func (b *BitbucketCloudService) List(_ context.Context) ([]*PullRequest, error)
 		return nil, fmt.Errorf("error unmarshalling json to type '[]BitbucketCloudPullRequest': %w", err)
 	}

-	pullRequests := []*PullRequest{}
 	for _, pull := range pulls {
 		pullRequests = append(pullRequests, &PullRequest{
 			Number:       pull.ID,
--- a/applicationset/services/pull_request/bitbucket_cloud_test.go
+++ b/applicationset/services/pull_request/bitbucket_cloud_test.go
@@ -492,3 +492,29 @@ func TestListPullRequestBranchMatchCloud(t *testing.T) {
 		TargetBranch: "branch-200",
 	}, *pullRequests[0])
 }
+
+func TestBitbucketCloudListReturnsRepositoryNotFoundError(t *testing.T) {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	defer server.Close()
+
+	path := "/repositories/nonexistent/nonexistent/pullrequests/"
+
+	mux.HandleFunc(path, func(w http.ResponseWriter, _ *http.Request) {
+		// Return 404 status to simulate repository not found
+		w.WriteHeader(http.StatusNotFound)
+		_, _ = w.Write([]byte(`{"message": "404 Project Not Found"}`))
+	})
+
+	svc, err := NewBitbucketCloudServiceNoAuth(server.URL, "nonexistent", "nonexistent")
+	require.NoError(t, err)
+
+	prs, err := svc.List(t.Context())
+
+	// Should return empty pull requests list
+	assert.Empty(t, prs)
+
+	// Should return RepositoryNotFoundError
+	require.Error(t, err)
+	assert.True(t, IsRepositoryNotFoundError(err), "Expected RepositoryNotFoundError but got: %v", err)
+}
--- a/applicationset/services/pull_request/bitbucket_server.go
+++ b/applicationset/services/pull_request/bitbucket_server.go
@@ -8,7 +8,7 @@ import (
 	bitbucketv1 "github.com/gfleury/go-bitbucket-v1"
 	log "github.com/sirupsen/logrus"

-	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	"github.com/argoproj/argo-cd/v3/applicationset/services"
 )

 type BitbucketService struct {
@@ -49,15 +49,10 @@ func NewBitbucketServiceNoAuth(ctx context.Context, url, projectKey, repositoryS
 }

 func newBitbucketService(ctx context.Context, bitbucketConfig *bitbucketv1.Configuration, projectKey, repositorySlug string, scmRootCAPath string, insecure bool, caCerts []byte) (PullRequestService, error) {
-	bitbucketConfig.BasePath = utils.NormalizeBitbucketBasePath(bitbucketConfig.BasePath)
-	tlsConfig := utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
-	bitbucketConfig.HTTPClient = &http.Client{Transport: &http.Transport{
-		TLSClientConfig: tlsConfig,
-	}}
-	bitbucketClient := bitbucketv1.NewAPIClient(ctx, bitbucketConfig)
+	bbClient := services.SetupBitbucketClient(ctx, bitbucketConfig, scmRootCAPath, insecure, caCerts)

 	return &BitbucketService{
-		client:         bitbucketClient,
+		client:         bbClient,
 		projectKey:     projectKey,
 		repositorySlug: repositorySlug,
 	}, nil
@@ -72,6 +67,11 @@ func (b *BitbucketService) List(_ context.Context) ([]*PullRequest, error) {
 	for {
 		response, err := b.client.DefaultApi.GetPullRequestsPage(b.projectKey, b.repositorySlug, paged)
 		if err != nil {
+			if response != nil && response.Response != nil && response.StatusCode == http.StatusNotFound {
+				// return a custom error indicating that the repository is not found,
+				// but also return the empty result since the decision to continue or not in this case is made by the caller
+				return pullRequests, NewRepositoryNotFoundError(err)
+			}
 			return nil, fmt.Errorf("error listing pull requests for %s/%s: %w", b.projectKey, b.repositorySlug, err)
 		}
 		pulls, err := bitbucketv1.GetPullRequestsResponse(response)
--- a/applicationset/services/pull_request/bitbucket_server_test.go
+++ b/applicationset/services/pull_request/bitbucket_server_test.go
@@ -510,3 +510,29 @@ func TestListPullRequestBranchMatch(t *testing.T) {
 	})
 	require.Error(t, err)
 }
+
+func TestBitbucketServerListReturnsRepositoryNotFoundError(t *testing.T) {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	defer server.Close()
+
+	path := "/rest/api/1.0/projects/nonexistent/repos/nonexistent/pull-requests?limit=100"
+
+	mux.HandleFunc(path, func(w http.ResponseWriter, _ *http.Request) {
+		// Return 404 status to simulate repository not found
+		w.WriteHeader(http.StatusNotFound)
+		_, _ = w.Write([]byte(`{"message": "404 Project Not Found"}`))
+	})
+
+	svc, err := NewBitbucketServiceNoAuth(t.Context(), server.URL, "nonexistent", "nonexistent", "", false, nil)
+	require.NoError(t, err)
+
+	prs, err := svc.List(t.Context())
+
+	// Should return empty pull requests list
+	assert.Empty(t, prs)
+
+	// Should return RepositoryNotFoundError
+	require.Error(t, err)
+	assert.True(t, IsRepositoryNotFoundError(err), "Expected RepositoryNotFoundError but got: %v", err)
+}
--- a/applicationset/services/pull_request/errors.go
+++ b/applicationset/services/pull_request/errors.go
@@ -0,0 +1,23 @@
+package pull_request
+
+import "errors"
+
+// RepositoryNotFoundError represents an error when a repository is not found by a pull request provider
+type RepositoryNotFoundError struct {
+	causingError error
+}
+
+func (e *RepositoryNotFoundError) Error() string {
+	return e.causingError.Error()
+}
+
+// NewRepositoryNotFoundError creates a new repository not found error
+func NewRepositoryNotFoundError(err error) error {
+	return &RepositoryNotFoundError{causingError: err}
+}
+
+// IsRepositoryNotFoundError checks if the given error is a repository not found error
+func IsRepositoryNotFoundError(err error) bool {
+	var repoErr *RepositoryNotFoundError
+	return errors.As(err, &repoErr)
+}
--- a/applicationset/services/pull_request/errors_test.go
+++ b/applicationset/services/pull_request/errors_test.go
@@ -0,0 +1,48 @@
+package pull_request
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRepositoryNotFoundError(t *testing.T) {
+	t.Run("NewRepositoryNotFoundError creates correct error type", func(t *testing.T) {
+		originalErr := errors.New("repository does not exist")
+		repoNotFoundErr := NewRepositoryNotFoundError(originalErr)
+
+		require.Error(t, repoNotFoundErr)
+		assert.Equal(t, "repository does not exist", repoNotFoundErr.Error())
+	})
+
+	t.Run("IsRepositoryNotFoundError identifies RepositoryNotFoundError", func(t *testing.T) {
+		originalErr := errors.New("repository does not exist")
+		repoNotFoundErr := NewRepositoryNotFoundError(originalErr)
+
+		assert.True(t, IsRepositoryNotFoundError(repoNotFoundErr))
+	})
+
+	t.Run("IsRepositoryNotFoundError returns false for regular errors", func(t *testing.T) {
+		regularErr := errors.New("some other error")
+
+		assert.False(t, IsRepositoryNotFoundError(regularErr))
+	})
+
+	t.Run("IsRepositoryNotFoundError returns false for nil error", func(t *testing.T) {
+		assert.False(t, IsRepositoryNotFoundError(nil))
+	})
+
+	t.Run("IsRepositoryNotFoundError works with wrapped errors", func(t *testing.T) {
+		originalErr := errors.New("repository does not exist")
+		repoNotFoundErr := NewRepositoryNotFoundError(originalErr)
+		wrappedErr := errors.New("wrapped: " + repoNotFoundErr.Error())
+
+		// Direct RepositoryNotFoundError should be identified
+		assert.True(t, IsRepositoryNotFoundError(repoNotFoundErr))
+
+		// Wrapped string error should not be identified (this is expected behavior)
+		assert.False(t, IsRepositoryNotFoundError(wrappedErr))
+	})
+}
--- a/applicationset/services/pull_request/gitea.go
+++ b/applicationset/services/pull_request/gitea.go
@@ -52,11 +52,17 @@ func (g *GiteaService) List(ctx context.Context) ([]*PullRequest, error) {
 		State: gitea.StateOpen,
 	}
 	g.client.SetContext(ctx)
-	prs, _, err := g.client.ListRepoPullRequests(g.owner, g.repo, opts)
+	list := []*PullRequest{}
+	prs, resp, err := g.client.ListRepoPullRequests(g.owner, g.repo, opts)
 	if err != nil {
+		if resp != nil && resp.StatusCode == http.StatusNotFound {
+			// return a custom error indicating that the repository is not found,
+			// but also returning the empty result since the decision to continue or not in this case is made by the caller
+			return list, NewRepositoryNotFoundError(err)
+		}
 		return nil, err
 	}
-	list := []*PullRequest{}
+
 	for _, pr := range prs {
 		if !giteaContainLabels(g.labels, pr.Labels) {
 			continue
--- a/applicationset/services/pull_request/gitea_test.go
+++ b/applicationset/services/pull_request/gitea_test.go
@@ -339,3 +339,35 @@ func TestGetGiteaPRLabelNames(t *testing.T) {
 		})
 	}
 }
+
+func TestGiteaListReturnsRepositoryNotFoundError(t *testing.T) {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	defer server.Close()
+
+	// Handle version endpoint that Gitea client calls first
+	mux.HandleFunc("/api/v1/version", func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write([]byte(`{"version":"1.17.0+dev-452-g1f0541780"}`))
+	})
+
+	path := "/api/v1/repos/nonexistent/nonexistent/pulls?limit=0&page=1&state=open"
+
+	mux.HandleFunc(path, func(w http.ResponseWriter, _ *http.Request) {
+		// Return 404 status to simulate repository not found
+		w.WriteHeader(http.StatusNotFound)
+		_, _ = w.Write([]byte(`{"message": "404 Project Not Found"}`))
+	})
+
+	svc, err := NewGiteaService("", server.URL, "nonexistent", "nonexistent", []string{}, false)
+	require.NoError(t, err)
+
+	prs, err := svc.List(t.Context())
+
+	// Should return empty pull requests list
+	assert.Empty(t, prs)
+
+	// Should return RepositoryNotFoundError
+	require.Error(t, err)
+	assert.True(t, IsRepositoryNotFoundError(err), "Expected RepositoryNotFoundError but got: %v", err)
+}
--- a/applicationset/services/pull_request/github.go
+++ b/applicationset/services/pull_request/github.go
@@ -64,6 +64,11 @@ func (g *GithubService) List(ctx context.Context) ([]*PullRequest, error) {
 	for {
 		pulls, resp, err := g.client.PullRequests.List(ctx, g.owner, g.repo, opts)
 		if err != nil {
+			if resp != nil && resp.StatusCode == http.StatusNotFound {
+				// return a custom error indicating that the repository is not found,
+				// but also returning the empty result since the decision to continue or not in this case is made by the caller
+				return pullRequests, NewRepositoryNotFoundError(err)
+			}
 			return nil, fmt.Errorf("error listing pull requests for %s/%s: %w", g.owner, g.repo, err)
 		}
 		for _, pull := range pulls {
--- a/applicationset/services/pull_request/github_test.go
+++ b/applicationset/services/pull_request/github_test.go
@@ -1,9 +1,12 @@
 package pull_request

 import (
+	"net/http"
+	"net/http/httptest"
 	"testing"

 	"github.com/google/go-github/v69/github"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

@@ -86,3 +89,29 @@ func TestGetGitHubPRLabelNames(t *testing.T) {
 		})
 	}
 }
+
+func TestGitHubListReturnsRepositoryNotFoundError(t *testing.T) {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	defer server.Close()
+
+	path := "/repos/nonexistent/nonexistent/pulls"
+
+	mux.HandleFunc(path, func(w http.ResponseWriter, _ *http.Request) {
+		// Return 404 status to simulate repository not found
+		w.WriteHeader(http.StatusNotFound)
+		_, _ = w.Write([]byte(`{"message": "404 Project Not Found"}`))
+	})
+
+	svc, err := NewGithubService("", server.URL, "nonexistent", "nonexistent", []string{}, nil)
+	require.NoError(t, err)
+
+	prs, err := svc.List(t.Context())
+
+	// Should return empty pull requests list
+	assert.Empty(t, prs)
+
+	// Should return RepositoryNotFoundError
+	require.Error(t, err)
+	assert.True(t, IsRepositoryNotFoundError(err), "Expected RepositoryNotFoundError but got: %v", err)
+}
--- a/applicationset/services/pull_request/gitlab.go
+++ b/applicationset/services/pull_request/gitlab.go
@@ -76,6 +76,11 @@ func (g *GitLabService) List(ctx context.Context) ([]*PullRequest, error) {
 	for {
 		mrs, resp, err := g.client.MergeRequests.ListProjectMergeRequests(g.project, opts, gitlab.WithContext(ctx))
 		if err != nil {
+			if resp != nil && resp.StatusCode == http.StatusNotFound {
+				// return a custom error indicating that the repository is not found,
+				// but also returning the empty result since the decision to continue or not in this case is made by the caller
+				return pullRequests, NewRepositoryNotFoundError(err)
+			}
 			return nil, fmt.Errorf("error listing merge requests for project '%s': %w", g.project, err)
 		}
 		for _, mr := range mrs {
--- a/applicationset/services/pull_request/gitlab_test.go
+++ b/applicationset/services/pull_request/gitlab_test.go
@@ -191,3 +191,29 @@ func TestListWithStateTLS(t *testing.T) {
 		})
 	}
 }
+
+func TestGitLabListReturnsRepositoryNotFoundError(t *testing.T) {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	defer server.Close()
+
+	path := "/api/v4/projects/nonexistent/merge_requests"
+
+	mux.HandleFunc(path, func(w http.ResponseWriter, _ *http.Request) {
+		// Return 404 status to simulate repository not found
+		w.WriteHeader(http.StatusNotFound)
+		_, _ = w.Write([]byte(`{"message": "404 Project Not Found"}`))
+	})
+
+	svc, err := NewGitLabService("", server.URL, "nonexistent", []string{}, "", "", false, nil)
+	require.NoError(t, err)
+
+	prs, err := svc.List(t.Context())
+
+	// Should return empty pull requests list
+	assert.Empty(t, prs)
+
+	// Should return RepositoryNotFoundError
+	require.Error(t, err)
+	assert.True(t, IsRepositoryNotFoundError(err), "Expected RepositoryNotFoundError but got: %v", err)
+}
--- a/applicationset/services/pull_request/interface.go
+++ b/applicationset/services/pull_request/interface.go
@@ -30,4 +30,5 @@ type PullRequestService interface {
 type Filter struct {
 	BranchMatch       *regexp.Regexp
 	TargetBranchMatch *regexp.Regexp
+	TitleMatch        *regexp.Regexp
 }
--- a/applicationset/services/pull_request/utils.go
+++ b/applicationset/services/pull_request/utils.go
@@ -25,6 +25,12 @@ func compileFilters(filters []argoprojiov1alpha1.PullRequestGeneratorFilter) ([]
 				return nil, fmt.Errorf("error compiling TargetBranchMatch regexp %q: %w", *filter.TargetBranchMatch, err)
 			}
 		}
+		if filter.TitleMatch != nil {
+			outFilter.TitleMatch, err = regexp.Compile(*filter.TitleMatch)
+			if err != nil {
+				return nil, fmt.Errorf("error compiling TitleMatch regexp %q: %w", *filter.TitleMatch, err)
+			}
+		}
 		outFilters = append(outFilters, outFilter)
 	}
 	return outFilters, nil
@@ -37,6 +43,9 @@ func matchFilter(pullRequest *PullRequest, filter *Filter) bool {
 	if filter.TargetBranchMatch != nil && !filter.TargetBranchMatch.MatchString(pullRequest.TargetBranch) {
 		return false
 	}
+	if filter.TitleMatch != nil && !filter.TitleMatch.MatchString(pullRequest.Title) {
+		return false
+	}

 	return true
 }
--- a/applicationset/services/pull_request/utils_test.go
+++ b/applicationset/services/pull_request/utils_test.go
@@ -137,6 +137,110 @@ func TestFilterTargetBranchMatch(t *testing.T) {
 	assert.Equal(t, "two", pullRequests[0].Branch)
 }

+func TestFilterTitleMatch(t *testing.T) {
+	provider, _ := NewFakeService(
+		t.Context(),
+		[]*PullRequest{
+			{
+				Number:       1,
+				Title:        "PR one - filter",
+				Branch:       "one",
+				TargetBranch: "master",
+				HeadSHA:      "189d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name1",
+			},
+			{
+				Number:       2,
+				Title:        "PR two - ignore",
+				Branch:       "two",
+				TargetBranch: "branch1",
+				HeadSHA:      "289d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name2",
+			},
+			{
+				Number:       3,
+				Title:        "[filter] PR three",
+				Branch:       "three",
+				TargetBranch: "branch2",
+				HeadSHA:      "389d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name3",
+			},
+			{
+				Number:       4,
+				Title:        "[ignore] PR four",
+				Branch:       "four",
+				TargetBranch: "branch3",
+				HeadSHA:      "489d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name4",
+			},
+		},
+		nil,
+	)
+	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
+		{
+			TitleMatch: strp("\\[filter]"),
+		},
+	}
+	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 1)
+	assert.Equal(t, "three", pullRequests[0].Branch)
+}
+
+func TestMultiFilterOrWithTitle(t *testing.T) {
+	provider, _ := NewFakeService(
+		t.Context(),
+		[]*PullRequest{
+			{
+				Number:       1,
+				Title:        "PR one - filter",
+				Branch:       "one",
+				TargetBranch: "master",
+				HeadSHA:      "189d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name1",
+			},
+			{
+				Number:       2,
+				Title:        "PR two - ignore",
+				Branch:       "two",
+				TargetBranch: "branch1",
+				HeadSHA:      "289d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name2",
+			},
+			{
+				Number:       3,
+				Title:        "[filter] PR three",
+				Branch:       "three",
+				TargetBranch: "branch2",
+				HeadSHA:      "389d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name3",
+			},
+			{
+				Number:       4,
+				Title:        "[ignore] PR four",
+				Branch:       "four",
+				TargetBranch: "branch3",
+				HeadSHA:      "489d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name4",
+			},
+		},
+		nil,
+	)
+	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
+		{
+			TitleMatch: strp("\\[filter]"),
+		},
+		{
+			TitleMatch: strp("- filter"),
+		},
+	}
+	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
+	require.NoError(t, err)
+	assert.Len(t, pullRequests, 2)
+	assert.Equal(t, "one", pullRequests[0].Branch)
+	assert.Equal(t, "three", pullRequests[1].Branch)
+}
+
 func TestMultiFilterOr(t *testing.T) {
 	provider, _ := NewFakeService(
 		t.Context(),
@@ -192,7 +296,7 @@ func TestMultiFilterOr(t *testing.T) {
 	assert.Equal(t, "four", pullRequests[2].Branch)
 }

-func TestMultiFilterOrWithTargetBranchFilter(t *testing.T) {
+func TestMultiFilterOrWithTargetBranchFilterOrWithTitleFilter(t *testing.T) {
 	provider, _ := NewFakeService(
 		t.Context(),
 		[]*PullRequest{
@@ -228,6 +332,14 @@ func TestMultiFilterOrWithTargetBranchFilter(t *testing.T) {
 				HeadSHA:      "489d92cbf9ff857a39e6feccd32798ca700fb958",
 				Author:       "name4",
 			},
+			{
+				Number:       5,
+				Title:        "PR title is different than branch name",
+				Branch:       "five",
+				TargetBranch: "branch3",
+				HeadSHA:      "489d92cbf9ff857a39e6feccd32798ca700fb958",
+				Author:       "name5",
+			},
 		},
 		nil,
 	)
@@ -240,12 +352,21 @@ func TestMultiFilterOrWithTargetBranchFilter(t *testing.T) {
 			BranchMatch:       strp("r"),
 			TargetBranchMatch: strp("3"),
 		},
+		{
+			TitleMatch: strp("two"),
+		},
+		{
+			BranchMatch: strp("five"),
+			TitleMatch:  strp("PR title is different than branch name"),
+		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
 	require.NoError(t, err)
-	assert.Len(t, pullRequests, 2)
+	assert.Len(t, pullRequests, 3)
 	assert.Equal(t, "two", pullRequests[0].Branch)
 	assert.Equal(t, "four", pullRequests[1].Branch)
+	assert.Equal(t, "five", pullRequests[2].Branch)
+	assert.Equal(t, "PR title is different than branch name", pullRequests[2].Title)
 }

 func TestNoFilters(t *testing.T) {
--- a/applicationset/services/scm_provider/aws_codecommit_test.go
+++ b/applicationset/services/scm_provider/aws_codecommit_test.go
@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

-	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/aws_codecommit/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

@@ -177,9 +177,8 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 				if repo.getRepositoryNilMetadata {
 					repoMetadata = nil
 				}
-				codeCommitClient.
-					On("GetRepositoryWithContext", ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
-					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: repoMetadata}, repo.getRepositoryError)
+				codeCommitClient.EXPECT().GetRepositoryWithContext(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
+					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: repoMetadata}, repo.getRepositoryError).Maybe()
 				codecommitRepoNameIdPairs = append(codecommitRepoNameIdPairs, &codecommit.RepositoryNameIdPair{
 					RepositoryId:   aws.String(repo.id),
 					RepositoryName: aws.String(repo.name),
@@ -193,20 +192,18 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			}

 			if testCase.expectListAtCodeCommit {
-				codeCommitClient.
-					On("ListRepositoriesWithContext", ctx, &codecommit.ListRepositoriesInput{}).
+				codeCommitClient.EXPECT().ListRepositoriesWithContext(mock.Anything, &codecommit.ListRepositoriesInput{}).
 					Return(&codecommit.ListRepositoriesOutput{
 						Repositories: codecommitRepoNameIdPairs,
-					}, testCase.listRepositoryError)
+					}, testCase.listRepositoryError).Maybe()
 			} else {
-				taggingClient.
-					On("GetResourcesWithContext", ctx, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
-						TagFilters:          testCase.expectTagFilters,
-						ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
-					}))).
+				taggingClient.EXPECT().GetResourcesWithContext(mock.Anything, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
+					TagFilters:          testCase.expectTagFilters,
+					ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
+				}))).
 					Return(&resourcegroupstaggingapi.GetResourcesOutput{
 						ResourceTagMappingList: resourceTaggings,
-					}, testCase.listRepositoryError)
+					}, testCase.listRepositoryError).Maybe()
 			}

 			provider := &AWSCodeCommitProvider{
@@ -350,13 +347,12 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
 			if testCase.expectedGetFolderPath != "" {
-				codeCommitClient.
-					On("GetFolderWithContext", ctx, &codecommit.GetFolderInput{
-						CommitSpecifier: aws.String(branch),
-						FolderPath:      aws.String(testCase.expectedGetFolderPath),
-						RepositoryName:  aws.String(repoName),
-					}).
-					Return(testCase.getFolderOutput, testCase.getFolderError)
+				codeCommitClient.EXPECT().GetFolderWithContext(mock.Anything, &codecommit.GetFolderInput{
+					CommitSpecifier: aws.String(branch),
+					FolderPath:      aws.String(testCase.expectedGetFolderPath),
+					RepositoryName:  aws.String(repoName),
+				}).
+					Return(testCase.getFolderOutput, testCase.getFolderError).Maybe()
 			}
 			provider := &AWSCodeCommitProvider{
 				codeCommitClient: codeCommitClient,
@@ -423,18 +419,16 @@ func TestAWSCodeCommitGetBranches(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
 			if testCase.allBranches {
-				codeCommitClient.
-					On("ListBranchesWithContext", ctx, &codecommit.ListBranchesInput{
-						RepositoryName: aws.String(name),
-					}).
-					Return(&codecommit.ListBranchesOutput{Branches: aws.StringSlice(testCase.branches)}, testCase.apiError)
+				codeCommitClient.EXPECT().ListBranchesWithContext(mock.Anything, &codecommit.ListBranchesInput{
+					RepositoryName: aws.String(name),
+				}).
+					Return(&codecommit.ListBranchesOutput{Branches: aws.StringSlice(testCase.branches)}, testCase.apiError).Maybe()
 			} else {
-				codeCommitClient.
-					On("GetRepositoryWithContext", ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
+				codeCommitClient.EXPECT().GetRepositoryWithContext(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
 					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: &codecommit.RepositoryMetadata{
 						AccountId:     aws.String(organization),
 						DefaultBranch: aws.String(defaultBranch),
-					}}, testCase.apiError)
+					}}, testCase.apiError).Maybe()
 			}
 			provider := &AWSCodeCommitProvider{
 				codeCommitClient: codeCommitClient,
--- a/applicationset/services/scm_provider/azure_devops_test.go
+++ b/applicationset/services/scm_provider/azure_devops_test.go
@@ -1,7 +1,6 @@
 package scm_provider

 import (
-	"context"
 	"errors"
 	"fmt"
 	"testing"
@@ -16,6 +15,7 @@ import (
 	azureGit "github.com/microsoft/azure-devops-go-api/azuredevops/v7/git"

 	azureMock "github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/azure_devops/git/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 )

 func s(input string) *string {
@@ -78,13 +78,13 @@ func TestAzureDevopsRepoHasPath(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.Client{}
+			gitClientMock := &azureMock.Client{}

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)

 			repoId := &uuid
-			gitClientMock.On("GetItem", ctx, azureGit.GetItemArgs{Project: &teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}, RepositoryId: repoId}).Return(nil, testCase.azureDevopsError)
+			gitClientMock.EXPECT().GetItem(mock.Anything, azureGit.GetItemArgs{Project: &teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}, RepositoryId: repoId}).Return(nil, testCase.azureDevopsError)

 			provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock}

@@ -143,12 +143,12 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			uuid := uuid.New().String()

-			gitClientMock := azureMock.Client{}
+			gitClientMock := azureMock.NewClient(t)

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

-			gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(nil, testCase.azureDevOpsError)
+			gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(nil, testCase.azureDevOpsError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@@ -162,8 +162,6 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 			}

 			assert.Empty(t, branches)
-
-			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
@@ -202,12 +200,12 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			uuid := uuid.New().String()

-			gitClientMock := azureMock.Client{}
+			gitClientMock := azureMock.NewClient(t)

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

-			gitClientMock.On("GetBranches", ctx, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(nil, testCase.azureDevOpsError)
+			gitClientMock.EXPECT().GetBranches(mock.Anything, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(nil, testCase.azureDevOpsError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@@ -221,8 +219,6 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 			}

 			assert.Empty(t, branches)
-
-			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
@@ -241,12 +237,12 @@ func TestAzureDevOpsGetDefaultBranchStripsRefsName(t *testing.T) {
 		branchReturn := &azureGit.GitBranchStats{Name: &strippedBranchName, Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}}
 		repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

-		gitClientMock := azureMock.Client{}
+		gitClientMock := &azureMock.Client{}

-		clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-		clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
+		clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+		clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

-		gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &strippedBranchName}).Return(branchReturn, nil)
+		gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &strippedBranchName}).Return(branchReturn, nil).Maybe()

 		provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock, allBranches: false}
 		branches, err := provider.GetBranches(ctx, repo)
@@ -295,12 +291,12 @@ func TestAzureDevOpsGetBranchesDefultBranchOnly(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.Client{}
+			gitClientMock := &azureMock.Client{}

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)

-			gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(testCase.expectedBranch, testCase.getBranchesAPIError)
+			gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(testCase.expectedBranch, testCase.getBranchesAPIError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@@ -379,12 +375,12 @@ func TestAzureDevopsGetBranches(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.Client{}
+			gitClientMock := &azureMock.Client{}

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)

-			gitClientMock.On("GetBranches", ctx, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(testCase.expectedBranches, testCase.getBranchesAPIError)
+			gitClientMock.EXPECT().GetBranches(mock.Anything, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(testCase.expectedBranches, testCase.getBranchesAPIError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid}

@@ -427,7 +423,6 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 	teamProject := "myorg_project"

 	uuid := uuid.New()
-	ctx := t.Context()

 	repoId := &uuid

@@ -477,15 +472,15 @@ func TestGetAzureDevopsRepositories(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.Client{}
-			gitClientMock.On("GetRepositories", ctx, azureGit.GetRepositoriesArgs{Project: s(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)
+			gitClientMock := azureMock.NewClient(t)
+			gitClientMock.EXPECT().GetRepositories(mock.Anything, azureGit.GetRepositoriesArgs{Project: s(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

 			provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock}

-			repositories, err := provider.ListRepos(ctx, "https")
+			repositories, err := provider.ListRepos(t.Context(), "https")

 			if testCase.getRepositoriesError != nil {
 				require.Error(t, err, "Expected an error from test case %v", testCase.name)
@@ -497,31 +492,6 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 				assert.NotEmpty(t, repositories)
 				assert.Len(t, repositories, testCase.expectedNumberOfRepos)
 			}
-
-			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
-
-type AzureClientFactoryMock struct {
-	mock *mock.Mock
-}
-
-func (m *AzureClientFactoryMock) GetClient(ctx context.Context) (azureGit.Client, error) {
-	args := m.mock.Called(ctx)
-
-	var client azureGit.Client
-	c := args.Get(0)
-	if c != nil {
-		client = c.(azureGit.Client)
-	}
-
-	var err error
-	if len(args) > 1 {
-		if e, ok := args.Get(1).(error); ok {
-			err = e
-		}
-	}
-
-	return client, err
-}
--- a/applicationset/services/scm_provider/bitbucket_cloud.go
+++ b/applicationset/services/scm_provider/bitbucket_cloud.go
@@ -30,7 +30,7 @@ func (c *ExtendedClient) GetContents(repo *Repository, path string) (bool, error
 	urlStr += fmt.Sprintf("/repositories/%s/%s/src/%s/%s?format=meta", c.owner, repo.Repository, repo.SHA, path)
 	body := strings.NewReader("")

-	req, err := http.NewRequest(http.MethodGet, urlStr, body)
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, urlStr, body)
 	if err != nil {
 		return false, err
 	}
--- a/applicationset/services/scm_provider/bitbucket_server.go
+++ b/applicationset/services/scm_provider/bitbucket_server.go
@@ -10,7 +10,7 @@ import (
 	bitbucketv1 "github.com/gfleury/go-bitbucket-v1"
 	log "github.com/sirupsen/logrus"

-	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+	"github.com/argoproj/argo-cd/v3/applicationset/services"
 )

 type BitbucketServerProvider struct {
@@ -49,15 +49,10 @@ func NewBitbucketServerProviderNoAuth(ctx context.Context, url, projectKey strin
 }

 func newBitbucketServerProvider(ctx context.Context, bitbucketConfig *bitbucketv1.Configuration, projectKey string, allBranches bool, scmRootCAPath string, insecure bool, caCerts []byte) (*BitbucketServerProvider, error) {
-	bitbucketConfig.BasePath = utils.NormalizeBitbucketBasePath(bitbucketConfig.BasePath)
-	tlsConfig := utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
-	bitbucketConfig.HTTPClient = &http.Client{Transport: &http.Transport{
-		TLSClientConfig: tlsConfig,
-	}}
-	bitbucketClient := bitbucketv1.NewAPIClient(ctx, bitbucketConfig)
+	bbClient := services.SetupBitbucketClient(ctx, bitbucketConfig, scmRootCAPath, insecure, caCerts)

 	return &BitbucketServerProvider{
-		client:      bitbucketClient,
+		client:      bbClient,
 		projectKey:  projectKey,
 		allBranches: allBranches,
 	}, nil
--- a/applicationset/services/scm_provider/aws_codecommit/mocks/AWSCodeCommitClient.go
+++ b/applicationset/services/scm_provider/aws_codecommit/mocks/AWSCodeCommitClient.go
--- a/applicationset/services/scm_provider/aws_codecommit/mocks/AWSTaggingClient.go
+++ b/applicationset/services/scm_provider/aws_codecommit/mocks/AWSTaggingClient.go
--- a/applicationset/services/scm_provider/mocks/AzureDevOpsClientFactory.go
+++ b/applicationset/services/scm_provider/mocks/AzureDevOpsClientFactory.go
@@ -0,0 +1,101 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package mocks
+
+import (
+	"context"
+
+	"github.com/microsoft/azure-devops-go-api/azuredevops/v7/git"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewAzureDevOpsClientFactory creates a new instance of AzureDevOpsClientFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewAzureDevOpsClientFactory(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *AzureDevOpsClientFactory {
+	mock := &AzureDevOpsClientFactory{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// AzureDevOpsClientFactory is an autogenerated mock type for the AzureDevOpsClientFactory type
+type AzureDevOpsClientFactory struct {
+	mock.Mock
+}
+
+type AzureDevOpsClientFactory_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *AzureDevOpsClientFactory) EXPECT() *AzureDevOpsClientFactory_Expecter {
+	return &AzureDevOpsClientFactory_Expecter{mock: &_m.Mock}
+}
+
+// GetClient provides a mock function for the type AzureDevOpsClientFactory
+func (_mock *AzureDevOpsClientFactory) GetClient(ctx context.Context) (git.Client, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetClient")
+	}
+
+	var r0 git.Client
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (git.Client, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) git.Client); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(git.Client)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// AzureDevOpsClientFactory_GetClient_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetClient'
+type AzureDevOpsClientFactory_GetClient_Call struct {
+	*mock.Call
+}
+
+// GetClient is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *AzureDevOpsClientFactory_Expecter) GetClient(ctx interface{}) *AzureDevOpsClientFactory_GetClient_Call {
+	return &AzureDevOpsClientFactory_GetClient_Call{Call: _e.mock.On("GetClient", ctx)}
+}
+
+func (_c *AzureDevOpsClientFactory_GetClient_Call) Run(run func(ctx context.Context)) *AzureDevOpsClientFactory_GetClient_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *AzureDevOpsClientFactory_GetClient_Call) Return(client git.Client, err error) *AzureDevOpsClientFactory_GetClient_Call {
+	_c.Call.Return(client, err)
+	return _c
+}
+
+func (_c *AzureDevOpsClientFactory_GetClient_Call) RunAndReturn(run func(ctx context.Context) (git.Client, error)) *AzureDevOpsClientFactory_GetClient_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/applicationset/services/util.go
+++ b/applicationset/services/util.go
@@ -0,0 +1,22 @@
+package services
+
+import (
+	"context"
+	"net/http"
+
+	bitbucketv1 "github.com/gfleury/go-bitbucket-v1"
+
+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
+)
+
+// SetupBitbucketClient configures and creates a Bitbucket API client with TLS settings
+func SetupBitbucketClient(ctx context.Context, config *bitbucketv1.Configuration, scmRootCAPath string, insecure bool, caCerts []byte) *bitbucketv1.APIClient {
+	config.BasePath = utils.NormalizeBitbucketBasePath(config.BasePath)
+	tlsConfig := utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
+
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.TLSClientConfig = tlsConfig
+	config.HTTPClient = &http.Client{Transport: transport}
+
+	return bitbucketv1.NewAPIClient(ctx, config)
+}
--- a/applicationset/services/util_test.go
+++ b/applicationset/services/util_test.go
@@ -0,0 +1,36 @@
+package services
+
+import (
+	"crypto/tls"
+	"net/http"
+	"testing"
+	"time"
+
+	bitbucketv1 "github.com/gfleury/go-bitbucket-v1"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSetupBitbucketClient(t *testing.T) {
+	ctx := t.Context()
+	cfg := &bitbucketv1.Configuration{}
+
+	// Act
+	client := SetupBitbucketClient(ctx, cfg, "", false, nil)
+
+	// Assert
+	require.NotNil(t, client, "expected client to be created")
+	require.NotNil(t, cfg.HTTPClient, "expected HTTPClient to be set")
+
+	// The transport should be a clone of DefaultTransport
+	tr, ok := cfg.HTTPClient.Transport.(*http.Transport)
+	require.True(t, ok, "expected HTTPClient.Transport to be *http.Transport")
+	require.NotSame(t, http.DefaultTransport, tr, "transport should be a clone, not the global DefaultTransport")
+
+	// Ensure TLSClientConfig is set
+	require.IsType(t, &tls.Config{}, tr.TLSClientConfig)
+
+	// Defaults from http.DefaultTransport.Clone() should be preserved
+	require.Greater(t, tr.IdleConnTimeout, time.Duration(0), "IdleConnTimeout should be non-zero")
+	require.Positive(t, tr.MaxIdleConns, "MaxIdleConns should be non-zero")
+	require.Greater(t, tr.TLSHandshakeTimeout, time.Duration(0), "TLSHandshakeTimeout should be non-zero")
+}
--- a/applicationset/utils/kubernetes.go
+++ b/applicationset/utils/kubernetes.go
@@ -14,7 +14,7 @@ import (

 var ErrDisallowedSecretAccess = fmt.Errorf("secret must have label %q=%q", common.LabelKeySecretType, common.LabelValueSecretTypeSCMCreds)

-// getSecretRef gets the value of the key for the specified Secret resource.
+// GetSecretRef gets the value of the key for the specified Secret resource.
 func GetSecretRef(ctx context.Context, k8sClient client.Client, ref *argoprojiov1alpha1.SecretRef, namespace string, tokenRefStrictMode bool) (string, error) {
 	if ref == nil {
 		return "", nil
--- a/applicationset/utils/utils.go
+++ b/applicationset/utils/utils.go
@@ -399,19 +399,19 @@ func addInvalidGeneratorNames(names map[string]bool, applicationSetInfo *argoapp
 	var values map[string]any
 	err := json.Unmarshal([]byte(config), &values)
 	if err != nil {
-		log.Warnf("couldn't unmarshal kubectl.kubernetes.io/last-applied-configuration: %+v", config)
+		log.Warnf("could not unmarshal kubectl.kubernetes.io/last-applied-configuration: %+v", config)
 		return
 	}

 	spec, ok := values["spec"].(map[string]any)
 	if !ok {
-		log.Warn("coundn't get spec from kubectl.kubernetes.io/last-applied-configuration annotation")
+		log.Warn("could not get spec from kubectl.kubernetes.io/last-applied-configuration annotation")
 		return
 	}

 	generators, ok := spec["generators"].([]any)
 	if !ok {
-		log.Warn("coundn't get generators from kubectl.kubernetes.io/last-applied-configuration annotation")
+		log.Warn("could not get generators from kubectl.kubernetes.io/last-applied-configuration annotation")
 		return
 	}

@@ -422,7 +422,7 @@ func addInvalidGeneratorNames(names map[string]bool, applicationSetInfo *argoapp

 	generator, ok := generators[index].(map[string]any)
 	if !ok {
-		log.Warn("coundn't get generator from kubectl.kubernetes.io/last-applied-configuration annotation")
+		log.Warn("could not get generator from kubectl.kubernetes.io/last-applied-configuration annotation")
 		return
 	}

--- a/applicationset/webhook/webhook.go
+++ b/applicationset/webhook/webhook.go
@@ -26,10 +26,14 @@ import (
 	"github.com/go-playground/webhooks/v6/github"
 	"github.com/go-playground/webhooks/v6/gitlab"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/argoproj/argo-cd/v3/util/guard"
 )

 const payloadQueueSize = 50000

+const panicMsgAppSet = "panic while processing applicationset-controller webhook event"
+
 type WebhookHandler struct {
 	sync.WaitGroup // for testing
 	github         *github.Webhook
@@ -74,15 +78,15 @@ func NewWebhookHandler(webhookParallelism int, argocdSettingsMgr *argosettings.S
 	if err != nil {
 		return nil, fmt.Errorf("failed to get argocd settings: %w", err)
 	}
-	githubHandler, err := github.New(github.Options.Secret(argocdSettings.WebhookGitHubSecret))
+	githubHandler, err := github.New(github.Options.Secret(argocdSettings.GetWebhookGitHubSecret()))
 	if err != nil {
 		return nil, fmt.Errorf("unable to init GitHub webhook: %w", err)
 	}
-	gitlabHandler, err := gitlab.New(gitlab.Options.Secret(argocdSettings.WebhookGitLabSecret))
+	gitlabHandler, err := gitlab.New(gitlab.Options.Secret(argocdSettings.GetWebhookGitLabSecret()))
 	if err != nil {
 		return nil, fmt.Errorf("unable to init GitLab webhook: %w", err)
 	}
-	azuredevopsHandler, err := azuredevops.New(azuredevops.Options.BasicAuth(argocdSettings.WebhookAzureDevOpsUsername, argocdSettings.WebhookAzureDevOpsPassword))
+	azuredevopsHandler, err := azuredevops.New(azuredevops.Options.BasicAuth(argocdSettings.GetWebhookAzureDevOpsUsername(), argocdSettings.GetWebhookAzureDevOpsPassword()))
 	if err != nil {
 		return nil, fmt.Errorf("unable to init Azure DevOps webhook: %w", err)
 	}
@@ -102,6 +106,7 @@ func NewWebhookHandler(webhookParallelism int, argocdSettingsMgr *argosettings.S
 }

 func (h *WebhookHandler) startWorkerPool(webhookParallelism int) {
+	compLog := log.WithField("component", "applicationset-webhook")
 	for i := 0; i < webhookParallelism; i++ {
 		h.Add(1)
 		go func() {
@@ -111,7 +116,7 @@ func (h *WebhookHandler) startWorkerPool(webhookParallelism int) {
 				if !ok {
 					return
 				}
-				h.HandleEvent(payload)
+				guard.RecoverAndLog(func() { h.HandleEvent(payload) }, compLog, panicMsgAppSet)
 			}
 		}()
 	}
@@ -339,7 +344,7 @@ func genRevisionHasChanged(gen *v1alpha1.GitGenerator, revision string, touchedH

 func gitGeneratorUsesURL(gen *v1alpha1.GitGenerator, webURL string, repoRegexp *regexp.Regexp) bool {
 	if !repoRegexp.MatchString(gen.RepoURL) {
-		log.Debugf("%s does not match %s", gen.RepoURL, repoRegexp.String())
+		log.Warnf("%s does not match %s", gen.RepoURL, repoRegexp.String())
 		return false
 	}

--- a/assets/builtin-policy.csv
+++ b/assets/builtin-policy.csv
@@ -7,6 +7,7 @@
 # p, <role/user/group>, <resource>, <action>, <object>, <allow/deny>

 p, role:readonly, applications, get, */*, allow
+p, role:readonly, applicationsets, get, */*, allow
 p, role:readonly, certificates, get, *, allow
 p, role:readonly, clusters, get, *, allow
 p, role:readonly, repositories, get, *, allow
--- a/assets/swagger.json
+++ b/assets/swagger.json
@@ -374,6 +374,56 @@
        }
      }
    },
+    "/api/v1/applications/{appName}/server-side-diff": {
+      "get": {
+        "tags": [
+          "ApplicationService"
+        ],
+        "summary": "ServerSideDiff performs server-side diff calculation using dry-run apply",
+        "operationId": "ApplicationService_ServerSideDiff",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "appName",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "name": "appNamespace",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "project",
+            "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "name": "targetManifests",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/applicationApplicationServerSideDiffResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/applications/{application.metadata.name}": {
      "put": {
        "tags": [
@@ -999,6 +1049,11 @@
            "collectionFormat": "multi",
            "name": "revisions",
            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "name": "noCache",
+            "in": "query"
          }
        ],
        "responses": {
@@ -5019,6 +5074,20 @@
        }
      }
    },
+    "applicationApplicationServerSideDiffResponse": {
+      "type": "object",
+      "properties": {
+        "items": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ResourceDiff"
+          }
+        },
+        "modified": {
+          "type": "boolean"
+        }
+      }
+    },
    "applicationApplicationSyncRequest": {
      "type": "object",
      "title": "ApplicationSyncRequest is a request to apply the config state to live state",
@@ -5550,6 +5619,9 @@
        "statusBadgeRootUrl": {
          "type": "string"
        },
+        "syncWithReplaceAllowed": {
+          "type": "boolean"
+        },
        "trackingMethod": {
          "type": "string"
        },
@@ -7008,7 +7080,7 @@
        },
        "status": {
          "type": "string",
-          "title": "Status contains the AppSet's perceived status of the managed Application resource: (Waiting, Pending, Progressing, Healthy)"
+          "title": "Status contains the AppSet's perceived status of the managed Application resource"
        },
        "step": {
          "type": "string",
@@ -7253,6 +7325,11 @@
          "items": {
            "$ref": "#/definitions/applicationv1alpha1ResourceStatus"
          }
+        },
+        "resourcesCount": {
+          "description": "ResourcesCount is the total number of resources managed by this application set. The count may be higher than actual number of items in the Resources field when\nthe number of managed resources exceeds the limit imposed by the controller (to avoid making the status field too large).",
+          "type": "integer",
+          "format": "int64"
        }
      }
    },
@@ -7260,6 +7337,10 @@
      "description": "ApplicationSetStrategy configures how generated Applications are updated in sequence.",
      "type": "object",
      "properties": {
+        "deletionOrder": {
+          "type": "string",
+          "title": "DeletionOrder allows specifying the order for deleting generated apps when progressive sync is enabled.\naccepts values \"AllAtOnce\" and \"Reverse\""
+        },
        "rollingSync": {
          "$ref": "#/definitions/v1alpha1ApplicationSetRolloutStrategy"
        },
@@ -8176,7 +8257,7 @@
      }
    },
    "v1alpha1ConfigMapKeyRef": {
-      "description": "Utility struct for a reference to a configmap key.",
+      "description": "ConfigMapKeyRef struct for a reference to a configmap key.",
      "type": "object",
      "properties": {
        "configMapName": {
@@ -8635,12 +8716,20 @@
      "title": "KustomizeOptions are options for kustomize to use when building manifests",
      "properties": {
        "binaryPath": {
+          "description": "Deprecated: Use settings.Settings instead. See: settings.Settings.KustomizeVersions.\nIf this field is set, it will be used as the Kustomize binary path.\nOtherwise, Versions is used.",
          "type": "string",
          "title": "BinaryPath holds optional path to kustomize binary"
        },
        "buildOptions": {
          "type": "string",
          "title": "BuildOptions is a string of build parameters to use when calling `kustomize build`"
+        },
+        "versions": {
+          "description": "Versions is a list of Kustomize versions and their corresponding binary paths and build options.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1KustomizeVersion"
+          }
        }
      }
    },
@@ -8704,6 +8793,24 @@
        }
      }
    },
+    "v1alpha1KustomizeVersion": {
+      "type": "object",
+      "title": "KustomizeVersion holds information about additional Kustomize versions",
+      "properties": {
+        "buildOptions": {
+          "type": "string",
+          "title": "BuildOptions that are specific to a Kustomize version"
+        },
+        "name": {
+          "type": "string",
+          "title": "Name holds Kustomize version name"
+        },
+        "path": {
+          "type": "string",
+          "title": "Path holds the corresponding binary path"
+        }
+      }
+    },
    "v1alpha1ListGenerator": {
      "type": "object",
      "title": "ListGenerator include items info",
@@ -9025,6 +9132,10 @@
        "bitbucketServer": {
          "$ref": "#/definitions/v1alpha1PullRequestGeneratorBitbucketServer"
        },
+        "continueOnRepoNotFoundError": {
+          "description": "ContinueOnRepoNotFoundError is a flag to continue the ApplicationSet Pull Request generator parameters generation even if the repository is not found.",
+          "type": "boolean"
+        },
        "filters": {
          "description": "Filters for which pull requests should be considered.",
          "type": "array",
@@ -9154,6 +9265,9 @@
        },
        "targetBranchMatch": {
          "type": "string"
+        },
+        "titleMatch": {
+          "type": "string"
        }
      }
    },
@@ -9225,7 +9339,7 @@
      }
    },
    "v1alpha1PullRequestGeneratorGithub": {
-      "description": "PullRequestGenerator defines connection info specific to GitHub.",
+      "description": "PullRequestGeneratorGithub defines connection info specific to GitHub.",
      "type": "object",
      "properties": {
        "api": {
@@ -9366,6 +9480,11 @@
        "connectionState": {
          "$ref": "#/definitions/v1alpha1ConnectionState"
        },
+        "depth": {
+          "description": "Depth specifies the depth for shallow clones. A value of 0 or omitting the field indicates a full clone.",
+          "type": "integer",
+          "format": "int64"
+        },
        "enableLfs": {
          "description": "EnableLFS specifies whether git-lfs support should be enabled for this repo. Only valid for Git repositories.",
          "type": "boolean"
@@ -9557,21 +9676,9 @@
      "description": "ResourceActionParam represents a parameter for a resource action.\nIt includes a name, value, type, and an optional default value for the parameter.",
      "type": "object",
      "properties": {
-        "default": {
-          "description": "Default is the default value of the parameter, if any.",
-          "type": "string"
-        },
        "name": {
          "description": "Name is the name of the parameter.",
          "type": "string"
-        },
-        "type": {
-          "description": "Type is the type of the parameter (e.g., string, integer).",
-          "type": "string"
-        },
-        "value": {
-          "description": "Value is the value of the parameter.",
-          "type": "string"
        }
      }
    },
@@ -9871,6 +9978,10 @@
          "description": "Limit is the maximum number of attempts for retrying a failed sync. If set to 0, no retries will be performed.",
          "type": "integer",
          "format": "int64"
+        },
+        "refresh": {
+          "type": "boolean",
+          "title": "Refresh indicates if the latest revision should be used on retry instead of the initial one (default: false)"
        }
      }
    },
@@ -10237,7 +10348,7 @@
      }
    },
    "v1alpha1SecretRef": {
-      "description": "Utility struct for a reference to a secret key.",
+      "description": "SecretRef struct for a reference to a secret key.",
      "type": "object",
      "properties": {
        "key": {
@@ -10451,7 +10562,7 @@
          "type": "boolean",
          "title": "AllowEmpty allows apps have zero live resources (default: false)"
        },
-        "enable": {
+        "enabled": {
          "type": "boolean",
          "title": "Enable allows apps to explicitly control automated sync"
        },
@@ -10470,12 +10581,12 @@
      "type": "object",
      "properties": {
        "path": {
-          "description": "Path is a directory path within the git repository where hydrated manifests should be committed to and synced\nfrom. If hydrateTo is set, this is just the path from which hydrated manifests will be synced.",
+          "description": "Path is a directory path within the git repository where hydrated manifests should be committed to and synced\nfrom. The Path should never point to the root of the repo. If hydrateTo is set, this is just the path from which\nhydrated manifests will be synced.\n\n+kubebuilder:validation:Required\n+kubebuilder:validation:MinLength=1\n+kubebuilder:validation:Pattern=`^.{2,}|[^./]$`",
          "type": "string"
        },
        "targetBranch": {
-          "type": "string",
-          "title": "TargetBranch is the branch to which hydrated manifests should be committed"
+          "description": "TargetBranch is the branch from which hydrated manifests will be synced.\nIf HydrateTo is not set, this is also the branch to which hydrated manifests are committed.",
+          "type": "string"
        }
      }
    },
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
@@ -14,6 +14,7 @@ import (

 	"github.com/argoproj/argo-cd/v3/reposerver/apiclient"
 	logutils "github.com/argoproj/argo-cd/v3/util/log"
+	"github.com/argoproj/argo-cd/v3/util/profile"
 	"github.com/argoproj/argo-cd/v3/util/tls"

 	"github.com/argoproj/argo-cd/v3/applicationset/controllers"
@@ -79,6 +80,7 @@ func NewCommand() *cobra.Command {
 		enableScmProviders           bool
 		webhookParallelism           int
 		tokenRefStrictMode           bool
+		maxResourcesStatusCount      int
 	)
 	scheme := runtime.NewScheme()
 	_ = clientgoscheme.AddToScheme(scheme)
@@ -169,6 +171,15 @@ func NewCommand() *cobra.Command {
 				log.Error(err, "unable to start manager")
 				os.Exit(1)
 			}
+
+			pprofMux := http.NewServeMux()
+			profile.RegisterProfiler(pprofMux)
+			// This looks a little strange. Eg, not using ctrl.Options PprofBindAddress and then adding the pprof mux
+			// to the metrics server. However, it allows for the controller to dynamically expose the pprof endpoints
+			// and use the existing metrics server, the same pattern that the application controller and api-server follow.
+			if err = mgr.AddMetricsServerExtraHandler("/debug/pprof/", pprofMux); err != nil {
+				log.Error(err, "failed to register pprof handlers")
+			}
 			dynamicClient, err := dynamic.NewForConfig(mgr.GetConfig())
 			errors.CheckError(err)
 			k8sClient, err := kubernetes.NewForConfig(mgr.GetConfig())
@@ -231,6 +242,7 @@ func NewCommand() *cobra.Command {
 				GlobalPreservedAnnotations: globalPreservedAnnotations,
 				GlobalPreservedLabels:      globalPreservedLabels,
 				Metrics:                    &metrics,
+				MaxResourcesStatusCount:    maxResourcesStatusCount,
 			}).SetupWithManager(mgr, enableProgressiveSyncs, maxConcurrentReconciliations); err != nil {
 				log.Error(err, "unable to create controller", "controller", "ApplicationSet")
 				os.Exit(1)
@@ -268,13 +280,14 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
 	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS", false), "Whether to use strict validation of the TLS cert presented by the repo server")
 	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
-	command.Flags().IntVar(&maxConcurrentReconciliations, "concurrent-reconciliations", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS", 10, 1, 100), "Max concurrent reconciliations limit for the controller")
+	command.Flags().IntVar(&maxConcurrentReconciliations, "concurrent-reconciliations", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS", 10, 1, math.MaxInt), "Max concurrent reconciliations limit for the controller")
 	command.Flags().StringVar(&scmRootCAPath, "scm-root-ca-path", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH", ""), "Provide Root CA Path for self-signed TLS Certificates")
 	command.Flags().StringSliceVar(&globalPreservedAnnotations, "preserved-annotations", env.StringsFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS", []string{}, ","), "Sets global preserved field values for annotations")
 	command.Flags().StringSliceVar(&globalPreservedLabels, "preserved-labels", env.StringsFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS", []string{}, ","), "Sets global preserved field values for labels")
 	command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently")
 	command.Flags().StringSliceVar(&metricsAplicationsetLabels, "metrics-applicationset-labels", []string{}, "List of Application labels that will be added to the argocd_applicationset_labels metric")
 	command.Flags().BoolVar(&enableGitHubAPIMetrics, "enable-github-api-metrics", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS", false), "Enable GitHub API metrics for generators that use the GitHub API")
+	command.Flags().IntVar(&maxResourcesStatusCount, "max-resources-status-count", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT", 0, 0, math.MaxInt), "Max number of resources stored in appset status.")

 	return &command
 }
--- a/cmd/argocd-commit-server/commands/argocd_commit_server.go
+++ b/cmd/argocd-commit-server/commands/argocd_commit_server.go
@@ -38,7 +38,7 @@ func NewCommand() *cobra.Command {
 		Use:   "argocd-commit-server",
 		Short: "Run Argo CD Commit Server",
 		Long:  "Argo CD Commit Server is an internal service which commits and pushes hydrated manifests to git. This command runs Commit Server in the foreground.",
-		RunE: func(_ *cobra.Command, _ []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			vers := common.GetVersion()
 			vers.LogStartupInfo(
 				"Argo CD Commit Server",
@@ -59,8 +59,10 @@ func NewCommand() *cobra.Command {

 			server := commitserver.NewServer(askPassServer, metricsServer)
 			grpc := server.CreateGRPC()
+			ctx := cmd.Context()

-			listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
+			lc := &net.ListenConfig{}
+			listener, err := lc.Listen(ctx, "tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
 			errors.CheckError(err)

 			healthz.ServeHealthCheck(http.DefaultServeMux, func(r *http.Request) error {
--- a/cmd/argocd-dex/commands/argocd_dex.go
+++ b/cmd/argocd-dex/commands/argocd_dex.go
@@ -115,7 +115,7 @@ func NewRunDexCommand() *cobra.Command {
 					err = os.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0o644)
 					errors.CheckError(err)
 					log.Debug(redactor(string(dexCfgBytes)))
-					cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
+					cmd = exec.CommandContext(ctx, "dex", "serve", "/tmp/dex.yaml")
 					cmd.Stdout = os.Stdout
 					cmd.Stderr = os.Stderr
 					err = cmd.Start()
--- a/cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go
+++ b/cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go
@@ -35,7 +35,7 @@ func NewCommand() *cobra.Command {
 			if nonce == "" {
 				errors.CheckError(fmt.Errorf("%s is not set", askpass.ASKPASS_NONCE_ENV))
 			}
-			conn, err := grpc_util.BlockingDial(ctx, "unix", askpass.SocketPath, nil, grpc.WithTransportCredentials(insecure.NewCredentials()))
+			conn, err := grpc_util.BlockingNewClient(ctx, "unix", askpass.SocketPath, nil, grpc.WithTransportCredentials(insecure.NewCredentials()))
 			errors.CheckError(err)
 			defer utilio.Close(conn)
 			client := askpass.NewAskPassServiceClient(conn)
--- a/cmd/argocd-notification/commands/controller.go
+++ b/cmd/argocd-notification/commands/controller.go
@@ -11,16 +11,6 @@ import (
 	"sync"
 	"syscall"

-	"github.com/argoproj/argo-cd/v3/common"
-	"github.com/argoproj/argo-cd/v3/reposerver/apiclient"
-
-	"github.com/argoproj/argo-cd/v3/util/env"
-	"github.com/argoproj/argo-cd/v3/util/errors"
-	service "github.com/argoproj/argo-cd/v3/util/notification/argocd"
-	"github.com/argoproj/argo-cd/v3/util/tls"
-
-	notificationscontroller "github.com/argoproj/argo-cd/v3/notification_controller/controller"
-
 	"github.com/argoproj/notifications-engine/pkg/controller"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -30,27 +20,25 @@ import (
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/v3/common"
+	notificationscontroller "github.com/argoproj/argo-cd/v3/notification_controller/controller"
+	"github.com/argoproj/argo-cd/v3/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/v3/util/cli"
+	"github.com/argoproj/argo-cd/v3/util/env"
+	"github.com/argoproj/argo-cd/v3/util/errors"
+	service "github.com/argoproj/argo-cd/v3/util/notification/argocd"
+	"github.com/argoproj/argo-cd/v3/util/tls"
 )

 const (
 	defaultMetricsPort = 9001
 )

-func addK8SFlagsToCmd(cmd *cobra.Command) clientcmd.ClientConfig {
-	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
-	loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig
-	overrides := clientcmd.ConfigOverrides{}
-	kflags := clientcmd.RecommendedConfigOverrideFlags("")
-	cmd.PersistentFlags().StringVar(&loadingRules.ExplicitPath, "kubeconfig", "", "Path to a kube config. Only required if out-of-cluster")
-	clientcmd.BindOverrideFlags(&overrides, cmd.PersistentFlags(), kflags)
-	return clientcmd.NewInteractiveDeferredLoadingClientConfig(loadingRules, &overrides, os.Stdin)
-}
-
 func NewCommand() *cobra.Command {
 	var (
 		clientConfig                   clientcmd.ClientConfig
 		processorsCount                int
-		namespace                      string
 		appLabelSelector               string
 		logLevel                       string
 		logFormat                      string
@@ -175,10 +163,9 @@ func NewCommand() *cobra.Command {
 			return nil
 		},
 	}
-	clientConfig = addK8SFlagsToCmd(&command)
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
 	command.Flags().IntVar(&processorsCount, "processors-count", 1, "Processors count.")
 	command.Flags().StringVar(&appLabelSelector, "app-label-selector", "", "App label selector.")
-	command.Flags().StringVar(&namespace, "namespace", "", "Namespace which controller handles. Current namespace if empty.")
 	command.Flags().StringVar(&logLevel, "loglevel", env.StringFromEnv("ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().StringVar(&logFormat, "logformat", env.StringFromEnv("ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT", "json"), "Set the logging format. One of: json|text")
 	command.Flags().IntVar(&metricsPort, "metrics-port", defaultMetricsPort, "Metrics port")
--- a/cmd/argocd-repo-server/commands/argocd_repo_server.go
+++ b/cmd/argocd-repo-server/commands/argocd_repo_server.go
@@ -169,7 +169,8 @@ func NewCommand() *cobra.Command {
 			}

 			grpc := server.CreateGRPC()
-			listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
+			lc := &net.ListenConfig{}
+			listener, err := lc.Listen(ctx, "tcp", fmt.Sprintf("%s:%d", listenHost, listenPort))
 			errors.CheckError(err)

 			healthz.ServeHealthCheck(http.DefaultServeMux, func(r *http.Request) error {
--- a/cmd/argocd/commands/admin/app.go
+++ b/cmd/argocd/commands/admin/app.go
@@ -415,7 +415,6 @@ func reconcileApplications(
 		},
 		settingsMgr,
 		stateCache,
-		projInformer,
 		server,
 		cache,
 		time.Second,
@@ -464,7 +463,7 @@ func reconcileApplications(
 		sources = append(sources, app.Spec.GetSource())
 		revisions = append(revisions, app.Spec.GetSource().TargetRevision)

-		res, err := appStateManager.CompareAppState(&app, proj, revisions, sources, false, false, nil, false, false)
+		res, err := appStateManager.CompareAppState(&app, proj, revisions, sources, false, false, nil, false)
 		if err != nil {
 			return nil, fmt.Errorf("error comparing app states: %w", err)
 		}
--- a/cmd/argocd/commands/admin/app_test.go
+++ b/cmd/argocd/commands/admin/app_test.go
@@ -105,26 +105,26 @@ func TestGetReconcileResults_Refresh(t *testing.T) {
 	appClientset := appfake.NewSimpleClientset(app, proj)
 	deployment := test.NewDeployment()
 	kubeClientset := kubefake.NewClientset(deployment, argoCM, argoCDSecret)
-	clusterCache := clustermocks.ClusterCache{}
-	clusterCache.On("IsNamespaced", mock.Anything).Return(true, nil)
-	clusterCache.On("GetGVKParser", mock.Anything).Return(nil)
-	repoServerClient := mocks.RepoServerServiceClient{}
-	repoServerClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(&argocdclient.ManifestResponse{
+	clusterCache := &clustermocks.ClusterCache{}
+	clusterCache.EXPECT().IsNamespaced(mock.Anything).Return(true, nil)
+	clusterCache.EXPECT().GetGVKParser().Return(nil)
+	repoServerClient := &mocks.RepoServerServiceClient{}
+	repoServerClient.EXPECT().GenerateManifest(mock.Anything, mock.Anything).Return(&argocdclient.ManifestResponse{
 		Manifests: []string{test.DeploymentManifest},
 	}, nil)
-	repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
-	liveStateCache := cachemocks.LiveStateCache{}
-	liveStateCache.On("GetManagedLiveObjs", mock.Anything, mock.Anything, mock.Anything).Return(map[kube.ResourceKey]*unstructured.Unstructured{
+	repoServerClientset := &mocks.Clientset{RepoServerServiceClient: repoServerClient}
+	liveStateCache := &cachemocks.LiveStateCache{}
+	liveStateCache.EXPECT().GetManagedLiveObjs(mock.Anything, mock.Anything, mock.Anything).Return(map[kube.ResourceKey]*unstructured.Unstructured{
 		kube.GetResourceKey(deployment): deployment,
 	}, nil)
-	liveStateCache.On("GetVersionsInfo", mock.Anything).Return("v1.2.3", nil, nil)
-	liveStateCache.On("Init").Return(nil, nil)
-	liveStateCache.On("GetClusterCache", mock.Anything).Return(&clusterCache, nil)
-	liveStateCache.On("IsNamespaced", mock.Anything, mock.Anything).Return(true, nil)
+	liveStateCache.EXPECT().GetVersionsInfo(mock.Anything).Return("v1.2.3", nil, nil)
+	liveStateCache.EXPECT().Init().Return(nil)
+	liveStateCache.EXPECT().GetClusterCache(mock.Anything).Return(clusterCache, nil)
+	liveStateCache.EXPECT().IsNamespaced(mock.Anything, mock.Anything).Return(true, nil)

-	result, err := reconcileApplications(ctx, kubeClientset, appClientset, "default", &repoServerClientset, "",
+	result, err := reconcileApplications(ctx, kubeClientset, appClientset, "default", repoServerClientset, "",
 		func(_ db.ArgoDB, _ cache.SharedIndexInformer, _ *settings.SettingsManager, _ *metrics.MetricsServer) statecache.LiveStateCache {
-			return &liveStateCache
+			return liveStateCache
 		},
 		false,
 		normalizers.IgnoreNormalizerOpts{},
--- a/cmd/argocd/commands/admin/cluster.go
+++ b/cmd/argocd/commands/admin/cluster.go
@@ -14,6 +14,7 @@ import (
 	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
@@ -608,7 +609,31 @@ func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command
 			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
 			conf, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
-			kubeClientset := fake.NewClientset()
+			// Seed a minimal in-memory Argo CD environment so settings retrieval succeeds
+			argoCDCM := &corev1.ConfigMap{
+				TypeMeta: metav1.TypeMeta{Kind: "ConfigMap", APIVersion: "v1"},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      common.ArgoCDConfigMapName,
+					Namespace: ArgoCDNamespace,
+					Labels: map[string]string{
+						"app.kubernetes.io/part-of": "argocd",
+					},
+				},
+			}
+			argoCDSecret := &corev1.Secret{
+				TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      common.ArgoCDSecretName,
+					Namespace: ArgoCDNamespace,
+					Labels: map[string]string{
+						"app.kubernetes.io/part-of": "argocd",
+					},
+				},
+				Data: map[string][]byte{
+					"server.secretkey": []byte("test"),
+				},
+			}
+			kubeClientset := fake.NewClientset(argoCDCM, argoCDSecret)

 			var awsAuthConf *v1alpha1.AWSAuthConfig
 			var execProviderConf *v1alpha1.ExecProviderConfig
--- a/cmd/argocd/commands/admin/dashboard_test.go
+++ b/cmd/argocd/commands/admin/dashboard_test.go
@@ -24,24 +24,24 @@ func TestRun_SignalHandling_GracefulShutdown(t *testing.T) {
 		},
 	}

-	var err error
+	var runErr error
 	doneCh := make(chan struct{})
 	go func() {
-		err = d.Run(t.Context(), &DashboardConfig{ClientOpts: &apiclient.ClientOptions{}})
+		runErr = d.Run(t.Context(), &DashboardConfig{ClientOpts: &apiclient.ClientOptions{}})
 		close(doneCh)
 	}()

 	// Allow some time for the dashboard to register the signal handler
 	time.Sleep(50 * time.Millisecond)

-	proc, err := os.FindProcess(os.Getpid())
-	require.NoErrorf(t, err, "failed to find process: %v", err)
-	err = proc.Signal(syscall.SIGINT)
-	require.NoErrorf(t, err, "failed to send SIGINT: %v", err)
+	proc, procErr := os.FindProcess(os.Getpid())
+	require.NoErrorf(t, procErr, "failed to find process: %v", procErr)
+	sigErr := proc.Signal(syscall.SIGINT)
+	require.NoErrorf(t, sigErr, "failed to send SIGINT: %v", sigErr)

 	select {
 	case <-doneCh:
-		require.NoError(t, err)
+		require.NoError(t, runErr)
 	case <-time.After(500 * time.Millisecond):
 		t.Fatal("timeout: dashboard.Run did not exit after SIGINT")
 	}
--- a/cmd/argocd/commands/admin/notifications.go
+++ b/cmd/argocd/commands/admin/notifications.go
@@ -30,11 +30,12 @@ func NewNotificationsCommand() *cobra.Command {
 	)

 	var argocdService service.Service
+
 	toolsCommand := cmd.NewToolsCommand(
 		"notifications",
 		"argocd admin notifications",
 		applications,
-		settings.GetFactorySettingsForCLI(argocdService, "argocd-notifications-secret", "argocd-notifications-cm", false),
+		settings.GetFactorySettingsForCLI(func() service.Service { return argocdService }, "argocd-notifications-secret", "argocd-notifications-cm", false),
 		func(clientConfig clientcmd.ClientConfig) {
 			k8sCfg, err := clientConfig.ClientConfig()
 			if err != nil {
--- a/cmd/argocd/commands/admin/settings_test.go
+++ b/cmd/argocd/commands/admin/settings_test.go
@@ -40,9 +40,7 @@ func captureStdout(callback func()) (string, error) {
 	return string(data), err
 }

-func newSettingsManager(data map[string]string) *settings.SettingsManager {
-	ctx := context.Background()
-
+func newSettingsManager(ctx context.Context, data map[string]string) *settings.SettingsManager {
 	clientset := fake.NewClientset(&corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "default",
@@ -69,8 +67,8 @@ type fakeCmdContext struct {
 	mgr *settings.SettingsManager
 }

-func newCmdContext(data map[string]string) *fakeCmdContext {
-	return &fakeCmdContext{mgr: newSettingsManager(data)}
+func newCmdContext(ctx context.Context, data map[string]string) *fakeCmdContext {
+	return &fakeCmdContext{mgr: newSettingsManager(ctx, data)}
 }

 func (ctx *fakeCmdContext) createSettingsManager(context.Context) (*settings.SettingsManager, error) {
@@ -182,7 +180,7 @@ admissionregistration.k8s.io/MutatingWebhookConfiguration:
 			if !assert.True(t, ok) {
 				return
 			}
-			summary, err := validator(newSettingsManager(tc.data))
+			summary, err := validator(newSettingsManager(t.Context(), tc.data))
 			if tc.containsSummary != "" {
 				require.NoError(t, err)
 				assert.Contains(t, summary, tc.containsSummary)
@@ -249,7 +247,7 @@ func tempFile(content string) (string, io.Closer, error) {
 }

 func TestValidateSettingsCommand_NoErrors(t *testing.T) {
-	cmd := NewValidateSettingsCommand(newCmdContext(map[string]string{}))
+	cmd := NewValidateSettingsCommand(newCmdContext(t.Context(), map[string]string{}))
 	out, err := captureStdout(func() {
 		err := cmd.Execute()
 		require.NoError(t, err)
@@ -267,7 +265,7 @@ func TestResourceOverrideIgnoreDifferences(t *testing.T) {
 	defer utilio.Close(closer)

 	t.Run("NoOverridesConfigured", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{}))
+		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{}))
 		out, err := captureStdout(func() {
 			cmd.SetArgs([]string{"ignore-differences", f})
 			err := cmd.Execute()
@@ -278,7 +276,7 @@ func TestResourceOverrideIgnoreDifferences(t *testing.T) {
 	})

 	t.Run("DataIgnored", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
 			"resource.customizations": `apps/Deployment:
  ignoreDifferences: |
    jsonPointers:
@@ -300,7 +298,7 @@ func TestResourceOverrideHealth(t *testing.T) {
 	defer utilio.Close(closer)

 	t.Run("NoHealthAssessment", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
 			"resource.customizations": `example.com/ExampleResource: {}`,
 		}))
 		out, err := captureStdout(func() {
@@ -313,7 +311,7 @@ func TestResourceOverrideHealth(t *testing.T) {
 	})

 	t.Run("HealthAssessmentConfigured", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
 			"resource.customizations": `example.com/ExampleResource:
  health.lua: |
    return { status = "Progressing" }
@@ -329,7 +327,7 @@ func TestResourceOverrideHealth(t *testing.T) {
 	})

 	t.Run("HealthAssessmentConfiguredWildcard", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
 			"resource.customizations": `example.com/*:
  health.lua: |
    return { status = "Progressing" }
@@ -355,7 +353,7 @@ func TestResourceOverrideAction(t *testing.T) {
 	defer utilio.Close(closer)

 	t.Run("NoActions", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
 			"resource.customizations": `apps/Deployment: {}`,
 		}))
 		out, err := captureStdout(func() {
@@ -368,7 +366,7 @@ func TestResourceOverrideAction(t *testing.T) {
 	})

 	t.Run("OldStyleActionConfigured", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
 			"resource.customizations": `apps/Deployment:
  actions: |
    discovery.lua: |
@@ -404,7 +402,7 @@ resume   false
 	})

 	t.Run("NewStyleActionConfigured", func(t *testing.T) {
-		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+		cmd := NewResourceOverridesCommand(newCmdContext(t.Context(), map[string]string{
 			"resource.customizations": `batch/CronJob:
  actions: |
    discovery.lua: |
--- a/cmd/argocd/commands/app.go
+++ b/cmd/argocd/commands/app.go
@@ -39,9 +39,13 @@ import (
 	"github.com/argoproj/argo-cd/v3/cmd/argocd/commands/headless"
 	"github.com/argoproj/argo-cd/v3/cmd/argocd/commands/utils"
 	cmdutil "github.com/argoproj/argo-cd/v3/cmd/util"
+	argocommon "github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/controller"
 	argocdclient "github.com/argoproj/argo-cd/v3/pkg/apiclient"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient/application"
+
+	resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource"
+
 	clusterpkg "github.com/argoproj/argo-cd/v3/pkg/apiclient/cluster"
 	projectpkg "github.com/argoproj/argo-cd/v3/pkg/apiclient/project"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient/settings"
@@ -95,6 +99,7 @@ func NewApplicationCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 	command.AddCommand(NewApplicationTerminateOpCommand(clientOpts))
 	command.AddCommand(NewApplicationEditCommand(clientOpts))
 	command.AddCommand(NewApplicationPatchCommand(clientOpts))
+	command.AddCommand(NewApplicationGetResourceCommand(clientOpts))
 	command.AddCommand(NewApplicationPatchResourceCommand(clientOpts))
 	command.AddCommand(NewApplicationDeleteResourceCommand(clientOpts))
 	command.AddCommand(NewApplicationResourceActionsCommand(clientOpts))
@@ -348,7 +353,7 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 	command := &cobra.Command{
 		Use:   "get APPNAME",
 		Short: "Get application details",
-		Example: templates.Examples(`  
+		Example: templates.Examples(`
  # Get basic details about the application "my-app" in wide format
  argocd app get my-app -o wide

@@ -378,7 +383,7 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com

  # Get application details and display them in a tree format
  argocd app get my-app --output tree
-  
+
  # Get application details and display them in a detailed tree format
  argocd app get my-app --output tree=detailed
  		`),
@@ -536,7 +541,7 @@ func NewApplicationLogsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command := &cobra.Command{
 		Use:   "logs APPNAME",
 		Short: "Get logs of application pods",
-		Example: templates.Examples(`  
+		Example: templates.Examples(`
  # Get logs of pods associated with the application "my-app"
  argocd app logs my-app

@@ -850,7 +855,7 @@ func NewApplicationSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 	command := &cobra.Command{
 		Use:   "set APPNAME",
 		Short: "Set application parameters",
-		Example: templates.Examples(`  
+		Example: templates.Examples(`
  # Set application parameters for the application "my-app"
  argocd app set my-app --parameter key1=value1 --parameter key2=value2

@@ -1281,6 +1286,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		revision             string
 		localRepoRoot        string
 		serverSideGenerate   bool
+		serverSideDiff       bool
 		localIncludes        []string
 		appNamespace         string
 		revisions            []string
@@ -1343,6 +1349,22 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			argoSettings, err := settingsIf.Get(ctx, &settings.SettingsQuery{})
 			errors.CheckError(err)
 			diffOption := &DifferenceOption{}
+
+			hasServerSideDiffAnnotation := resourceutil.HasAnnotationOption(app, argocommon.AnnotationCompareOptions, "ServerSideDiff=true")
+
+			// Use annotation if flag not explicitly set
+			if !c.Flags().Changed("server-side-diff") {
+				serverSideDiff = hasServerSideDiffAnnotation
+			} else if serverSideDiff && !hasServerSideDiffAnnotation {
+				// Flag explicitly set to true, but app annotation is not set
+				fmt.Fprintf(os.Stderr, "Warning: Application does not have ServerSideDiff=true annotation.\n")
+			}
+
+			// Server side diff with local requires server side generate to be set as there will be a mismatch with client-generated manifests.
+			if serverSideDiff && local != "" && !serverSideGenerate {
+				log.Fatal("--server-side-diff with --local requires --server-side-generate.")
+			}
+
 			switch {
 			case app.Spec.HasMultipleSources() && len(revisions) > 0 && len(sourcePositions) > 0:
 				numOfSources := int64(len(app.Spec.GetSources()))
@@ -1357,6 +1379,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					AppNamespace:    &appNs,
 					Revisions:       revisions,
 					SourcePositions: sourcePositions,
+					NoCache:         &hardRefresh,
 				}
 				res, err := appIf.GetManifests(ctx, &q)
 				errors.CheckError(err)
@@ -1368,6 +1391,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					Name:         &appName,
 					Revision:     &revision,
 					AppNamespace: &appNs,
+					NoCache:      &hardRefresh,
 				}
 				res, err := appIf.GetManifests(ctx, &q)
 				errors.CheckError(err)
@@ -1398,7 +1422,8 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 				}
 			}
 			proj := getProject(ctx, c, clientOpts, app.Spec.Project)
-			foundDiffs := findandPrintDiff(ctx, app, proj.Project, resources, argoSettings, diffOption, ignoreNormalizerOpts)
+
+			foundDiffs := findAndPrintDiff(ctx, app, proj.Project, resources, argoSettings, diffOption, ignoreNormalizerOpts, serverSideDiff, appIf, app.GetName(), app.GetNamespace())
 			if foundDiffs && exitCode {
 				os.Exit(diffExitCode)
 			}
@@ -1407,11 +1432,12 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&refresh, "refresh", false, "Refresh application data when retrieving")
 	command.Flags().BoolVar(&hardRefresh, "hard-refresh", false, "Refresh application data as well as target manifests cache")
 	command.Flags().BoolVar(&exitCode, "exit-code", true, "Return non-zero exit code when there is a diff. May also return non-zero exit code if there is an error.")
-	command.Flags().IntVar(&diffExitCode, "diff-exit-code", 1, "Return specified exit code when there is a diff. Typical error code is 20.")
+	command.Flags().IntVar(&diffExitCode, "diff-exit-code", 1, "Return specified exit code when there is a diff. Typical error code is 20 but use another exit code if you want to differentiate from the generic exit code (20) returned by all CLI commands.")
 	command.Flags().StringVar(&local, "local", "", "Compare live app to a local manifests")
 	command.Flags().StringVar(&revision, "revision", "", "Compare live app to a particular revision")
 	command.Flags().StringVar(&localRepoRoot, "local-repo-root", "/", "Path to the repository root. Used together with --local allows setting the repository root")
 	command.Flags().BoolVar(&serverSideGenerate, "server-side-generate", false, "Used with --local, this will send your manifests to the server for diffing")
+	command.Flags().BoolVar(&serverSideDiff, "server-side-diff", false, "Use server-side diff to calculate the diff. This will default to true if the ServerSideDiff annotation is set on the application.")
 	command.Flags().StringArrayVar(&localIncludes, "local-include", []string{"*.yaml", "*.yml", "*.json"}, "Used with --server-side-generate, specify patterns of filenames to send. Matching is based on filename and not path.")
 	command.Flags().StringVarP(&appNamespace, "app-namespace", "N", "", "Only render the difference in namespace")
 	command.Flags().StringArrayVar(&revisions, "revisions", []string{}, "Show manifests at specific revisions for source position in source-positions")
@@ -1421,6 +1447,101 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	return command
 }

+// printResourceDiff prints the diff header and calls cli.PrintDiff for a resource
+func printResourceDiff(group, kind, namespace, name string, live, target *unstructured.Unstructured) {
+	fmt.Printf("\n===== %s/%s %s/%s ======\n", group, kind, namespace, name)
+	_ = cli.PrintDiff(name, live, target)
+}
+
+// findAndPrintServerSideDiff performs a server-side diff by making requests to the api server and prints the response
+func findAndPrintServerSideDiff(ctx context.Context, app *argoappv1.Application, items []objKeyLiveTarget, resources *application.ManagedResourcesResponse, appIf application.ApplicationServiceClient, appName, appNs string) bool {
+	// Process each item for server-side diff
+	foundDiffs := false
+	for _, item := range items {
+		if item.target != nil && hook.IsHook(item.target) || item.live != nil && hook.IsHook(item.live) {
+			continue
+		}
+
+		// For server-side diff, we need to create aligned arrays for this specific resource
+		var liveResource *argoappv1.ResourceDiff
+		var targetManifest string
+
+		if item.live != nil {
+			for _, res := range resources.Items {
+				if res.Group == item.key.Group && res.Kind == item.key.Kind &&
+					res.Namespace == item.key.Namespace && res.Name == item.key.Name {
+					liveResource = res
+					break
+				}
+			}
+		}
+
+		if liveResource == nil {
+			// Create empty live resource for creation case
+			liveResource = &argoappv1.ResourceDiff{
+				Group:       item.key.Group,
+				Kind:        item.key.Kind,
+				Namespace:   item.key.Namespace,
+				Name:        item.key.Name,
+				LiveState:   "",
+				TargetState: "",
+				Modified:    true,
+			}
+		}
+
+		if item.target != nil {
+			jsonBytes, err := json.Marshal(item.target)
+			if err != nil {
+				errors.CheckError(fmt.Errorf("error marshaling target object: %w", err))
+			}
+			targetManifest = string(jsonBytes)
+		}
+
+		// Call server-side diff for this individual resource
+		serverSideDiffQuery := &application.ApplicationServerSideDiffQuery{
+			AppName:         &appName,
+			AppNamespace:    &appNs,
+			Project:         &app.Spec.Project,
+			LiveResources:   []*argoappv1.ResourceDiff{liveResource},
+			TargetManifests: []string{targetManifest},
+		}
+
+		serverSideDiffRes, err := appIf.ServerSideDiff(ctx, serverSideDiffQuery)
+		if err != nil {
+			errors.CheckError(err)
+		}
+
+		// Extract diff for this resource
+		for _, resultItem := range serverSideDiffRes.Items {
+			if resultItem.Hook || (!resultItem.Modified && resultItem.TargetState != "" && resultItem.LiveState != "") {
+				continue
+			}
+
+			if resultItem.Modified || resultItem.TargetState == "" || resultItem.LiveState == "" {
+				var live, target *unstructured.Unstructured
+
+				if resultItem.TargetState != "" && resultItem.TargetState != "null" {
+					target = &unstructured.Unstructured{}
+					err = json.Unmarshal([]byte(resultItem.TargetState), target)
+					errors.CheckError(err)
+				}
+
+				if resultItem.LiveState != "" && resultItem.LiveState != "null" {
+					live = &unstructured.Unstructured{}
+					err = json.Unmarshal([]byte(resultItem.LiveState), live)
+					errors.CheckError(err)
+				}
+
+				// Print resulting diff for this resource
+				foundDiffs = true
+				printResourceDiff(resultItem.Group, resultItem.Kind, resultItem.Namespace, resultItem.Name, live, target)
+			}
+		}
+	}
+
+	return foundDiffs
+}
+
 // DifferenceOption struct to store diff options
 type DifferenceOption struct {
 	local         string
@@ -1432,47 +1553,15 @@ type DifferenceOption struct {
 	revisions     []string
 }

-// findandPrintDiff ... Prints difference between application current state and state stored in git or locally, returns boolean as true if difference is found else returns false
-func findandPrintDiff(ctx context.Context, app *argoappv1.Application, proj *argoappv1.AppProject, resources *application.ManagedResourcesResponse, argoSettings *settings.Settings, diffOptions *DifferenceOption, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts) bool {
+// findAndPrintDiff ... Prints difference between application current state and state stored in git or locally, returns boolean as true if difference is found else returns false
+func findAndPrintDiff(ctx context.Context, app *argoappv1.Application, proj *argoappv1.AppProject, resources *application.ManagedResourcesResponse, argoSettings *settings.Settings, diffOptions *DifferenceOption, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts, useServerSideDiff bool, appIf application.ApplicationServiceClient, appName, appNs string) bool {
 	var foundDiffs bool
-	liveObjs, err := cmdutil.LiveObjects(resources.Items)
+
+	items, err := prepareObjectsForDiff(ctx, app, proj, resources, argoSettings, diffOptions)
 	errors.CheckError(err)
-	items := make([]objKeyLiveTarget, 0)
-	switch {
-	case diffOptions.local != "":
-		localObjs := groupObjsByKey(getLocalObjects(ctx, app, proj, diffOptions.local, diffOptions.localRepoRoot, argoSettings.AppLabelKey, diffOptions.cluster.Info.ServerVersion, diffOptions.cluster.Info.APIVersions, argoSettings.KustomizeOptions, argoSettings.TrackingMethod), liveObjs, app.Spec.Destination.Namespace)
-		items = groupObjsForDiff(resources, localObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace), app.Spec.Destination.Namespace)
-	case diffOptions.revision != "" || len(diffOptions.revisions) > 0:
-		var unstructureds []*unstructured.Unstructured
-		for _, mfst := range diffOptions.res.Manifests {
-			obj, err := argoappv1.UnmarshalToUnstructured(mfst)
-			errors.CheckError(err)
-			unstructureds = append(unstructureds, obj)
-		}
-		groupedObjs := groupObjsByKey(unstructureds, liveObjs, app.Spec.Destination.Namespace)
-		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace), app.Spec.Destination.Namespace)
-	case diffOptions.serversideRes != nil:
-		var unstructureds []*unstructured.Unstructured
-		for _, mfst := range diffOptions.serversideRes.Manifests {
-			obj, err := argoappv1.UnmarshalToUnstructured(mfst)
-			errors.CheckError(err)
-			unstructureds = append(unstructureds, obj)
-		}
-		groupedObjs := groupObjsByKey(unstructureds, liveObjs, app.Spec.Destination.Namespace)
-		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace), app.Spec.Destination.Namespace)
-	default:
-		for i := range resources.Items {
-			res := resources.Items[i]
-			live := &unstructured.Unstructured{}
-			err := json.Unmarshal([]byte(res.NormalizedLiveState), &live)
-			errors.CheckError(err)

-			target := &unstructured.Unstructured{}
-			err = json.Unmarshal([]byte(res.TargetState), &target)
-			errors.CheckError(err)
-
-			items = append(items, objKeyLiveTarget{kube.NewResourceKey(res.Group, res.Kind, res.Namespace, res.Name), live, target})
-		}
+	if useServerSideDiff {
+		return findAndPrintServerSideDiff(ctx, app, items, resources, appIf, appName, appNs)
 	}

 	for _, item := range items {
@@ -1499,7 +1588,6 @@ func findandPrintDiff(ctx context.Context, app *argoappv1.Application, proj *arg
 		errors.CheckError(err)

 		if diffRes.Modified || item.target == nil || item.live == nil {
-			fmt.Printf("\n===== %s/%s %s/%s ======\n", item.key.Group, item.key.Kind, item.key.Namespace, item.key.Name)
 			var live *unstructured.Unstructured
 			var target *unstructured.Unstructured
 			if item.target != nil && item.live != nil {
@@ -1511,10 +1599,8 @@ func findandPrintDiff(ctx context.Context, app *argoappv1.Application, proj *arg
 				live = item.live
 				target = item.target
 			}
-			if !foundDiffs {
-				foundDiffs = true
-			}
-			_ = cli.PrintDiff(item.key.Name, live, target)
+			foundDiffs = true
+			printResourceDiff(item.key.Group, item.key.Kind, item.key.Namespace, item.key.Name, live, target)
 		}
 	}
 	return foundDiffs
@@ -1708,6 +1794,7 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		repo         string
 		appNamespace string
 		cluster      string
+		path         string
 	)
 	command := &cobra.Command{
 		Use:   "list",
@@ -1743,6 +1830,9 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			if cluster != "" {
 				appList = argo.FilterByCluster(appList, cluster)
 			}
+			if path != "" {
+				appList = argo.FilterByPath(appList, path)
+			}

 			switch output {
 			case "yaml", "json":
@@ -1763,6 +1853,7 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().StringVarP(&repo, "repo", "r", "", "List apps by source repo URL")
 	command.Flags().StringVarP(&appNamespace, "app-namespace", "N", "", "Only list applications in namespace")
 	command.Flags().StringVarP(&cluster, "cluster", "c", "", "List apps by cluster name or url")
+	command.Flags().StringVarP(&path, "path", "P", "", "List apps by path")
 	return command
 }

@@ -2001,6 +2092,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		applyOutOfSyncOnly      bool
 		async                   bool
 		retryLimit              int64
+		retryRefresh            bool
 		retryBackoffDuration    time.Duration
 		retryBackoffMaxDuration time.Duration
 		retryBackoffFactor      int64
@@ -2272,9 +2364,10 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 				default:
 					log.Fatalf("Unknown sync strategy: '%s'", strategy)
 				}
-				if retryLimit > 0 {
+				if retryLimit != 0 {
 					syncReq.RetryStrategy = &argoappv1.RetryStrategy{
-						Limit: retryLimit,
+						Limit:   retryLimit,
+						Refresh: retryRefresh,
 						Backoff: &argoappv1.Backoff{
 							Duration:    retryBackoffDuration.String(),
 							MaxDuration: retryBackoffMaxDuration.String(),
@@ -2296,7 +2389,11 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					fmt.Printf("====== Previewing differences between live and desired state of application %s ======\n", appQualifiedName)

 					proj := getProject(ctx, c, clientOpts, app.Spec.Project)
-					foundDiffs = findandPrintDiff(ctx, app, proj.Project, resources, argoSettings, diffOption, ignoreNormalizerOpts)
+
+					// Check if application has ServerSideDiff annotation
+					serverSideDiff := resourceutil.HasAnnotationOption(app, argocommon.AnnotationCompareOptions, "ServerSideDiff=true")
+
+					foundDiffs = findAndPrintDiff(ctx, app, proj.Project, resources, argoSettings, diffOption, ignoreNormalizerOpts, serverSideDiff, appIf, appName, appNs)
 					if !foundDiffs {
 						fmt.Printf("====== No Differences found ======\n")
 						// if no differences found, then no need to sync
@@ -2339,6 +2436,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().StringArrayVar(&labels, "label", []string{}, "Sync only specific resources with a label. This option may be specified repeatedly.")
 	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
 	command.Flags().Int64Var(&retryLimit, "retry-limit", 0, "Max number of allowed sync retries")
+	command.Flags().BoolVar(&retryRefresh, "retry-refresh", false, "Indicates if the latest revision should be used on retry instead of the initial one")
 	command.Flags().DurationVar(&retryBackoffDuration, "retry-backoff-duration", argoappv1.DefaultSyncRetryDuration, "Retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h)")
 	command.Flags().DurationVar(&retryBackoffMaxDuration, "retry-backoff-max-duration", argoappv1.DefaultSyncRetryMaxDuration, "Max retry backoff duration. Input needs to be a duration (e.g. 2m, 1h)")
 	command.Flags().Int64Var(&retryBackoffFactor, "retry-backoff-factor", argoappv1.DefaultSyncRetryFactor, "Factor multiplies the base duration after each failed retry")
@@ -3396,7 +3494,7 @@ func NewApplicationRemoveSourceCommand(clientOpts *argocdclient.ClientOptions) *
 		Short: "Remove a source from multiple sources application.",
 		Example: `  # Remove the source at position 1 from application's sources. Counting starts at 1.
  argocd app remove-source myapplication --source-position 1
-  
+
  # Remove the source named "test" from application's sources.
  argocd app remove-source myapplication --source-name test`,
 		Run: func(c *cobra.Command, args []string) {
@@ -3519,3 +3617,60 @@ func NewApplicationConfirmDeletionCommand(clientOpts *argocdclient.ClientOptions
 	command.Flags().StringVarP(&appNamespace, "app-namespace", "N", "", "Namespace of the target application where the source will be appended")
 	return command
 }
+
+// prepareObjectsForDiff prepares objects for diffing using the switch statement
+// to handle different diff options and building the objKeyLiveTarget items
+func prepareObjectsForDiff(ctx context.Context, app *argoappv1.Application, proj *argoappv1.AppProject, resources *application.ManagedResourcesResponse, argoSettings *settings.Settings, diffOptions *DifferenceOption) ([]objKeyLiveTarget, error) {
+	liveObjs, err := cmdutil.LiveObjects(resources.Items)
+	if err != nil {
+		return nil, err
+	}
+	items := make([]objKeyLiveTarget, 0)
+
+	switch {
+	case diffOptions.local != "":
+		localObjs := groupObjsByKey(getLocalObjects(ctx, app, proj, diffOptions.local, diffOptions.localRepoRoot, argoSettings.AppLabelKey, diffOptions.cluster.Info.ServerVersion, diffOptions.cluster.Info.APIVersions, argoSettings.KustomizeOptions, argoSettings.TrackingMethod), liveObjs, app.Spec.Destination.Namespace)
+		items = groupObjsForDiff(resources, localObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace), app.Spec.Destination.Namespace)
+	case diffOptions.revision != "" || len(diffOptions.revisions) > 0:
+		var unstructureds []*unstructured.Unstructured
+		for _, mfst := range diffOptions.res.Manifests {
+			obj, err := argoappv1.UnmarshalToUnstructured(mfst)
+			if err != nil {
+				return nil, err
+			}
+			unstructureds = append(unstructureds, obj)
+		}
+		groupedObjs := groupObjsByKey(unstructureds, liveObjs, app.Spec.Destination.Namespace)
+		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace), app.Spec.Destination.Namespace)
+	case diffOptions.serversideRes != nil:
+		var unstructureds []*unstructured.Unstructured
+		for _, mfst := range diffOptions.serversideRes.Manifests {
+			obj, err := argoappv1.UnmarshalToUnstructured(mfst)
+			if err != nil {
+				return nil, err
+			}
+			unstructureds = append(unstructureds, obj)
+		}
+		groupedObjs := groupObjsByKey(unstructureds, liveObjs, app.Spec.Destination.Namespace)
+		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace), app.Spec.Destination.Namespace)
+	default:
+		for i := range resources.Items {
+			res := resources.Items[i]
+			live := &unstructured.Unstructured{}
+			err := json.Unmarshal([]byte(res.NormalizedLiveState), &live)
+			if err != nil {
+				return nil, err
+			}
+
+			target := &unstructured.Unstructured{}
+			err = json.Unmarshal([]byte(res.TargetState), &target)
+			if err != nil {
+				return nil, err
+			}
+
+			items = append(items, objKeyLiveTarget{kube.NewResourceKey(res.Group, res.Kind, res.Namespace, res.Name), live, target})
+		}
+	}
+
+	return items, nil
+}
--- a/cmd/argocd/commands/app_resource_test.go
+++ b/cmd/argocd/commands/app_resource_test.go
@@ -2,11 +2,14 @@ package commands

 import (
 	"bytes"
+	"encoding/json"
+	"strings"
 	"testing"
 	"text/tabwriter"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )
@@ -117,3 +120,561 @@ func TestPrintResourcesTree(t *testing.T) {

 	assert.Equal(t, expectation, output)
 }
+
+func TestFilterFieldsFromObject(t *testing.T) {
+	tests := []struct {
+		name             string
+		obj              unstructured.Unstructured
+		filteredFields   []string
+		expectedFields   []string
+		unexpectedFields []string
+	}{
+		{
+			name: "filter nested field",
+			obj: unstructured.Unstructured{
+				Object: map[string]any{
+					"apiVersion": "vX",
+					"kind":       "kind",
+					"metadata": map[string]any{
+						"name": "test",
+					},
+					"spec": map[string]any{
+						"testfield": map[string]any{
+							"nestedtest": "test",
+						},
+						"testfield2": "test",
+					},
+				},
+			},
+			filteredFields:   []string{"spec.testfield.nestedtest"},
+			expectedFields:   []string{"spec.testfield.nestedtest"},
+			unexpectedFields: []string{"spec.testfield2"},
+		},
+		{
+			name: "filter multiple fields",
+			obj: unstructured.Unstructured{
+				Object: map[string]any{
+					"apiVersion": "vX",
+					"kind":       "kind",
+					"metadata": map[string]any{
+						"name": "test",
+					},
+					"spec": map[string]any{
+						"testfield": map[string]any{
+							"nestedtest": "test",
+						},
+						"testfield2": "test",
+						"testfield3": "deleteme",
+					},
+				},
+			},
+			filteredFields:   []string{"spec.testfield.nestedtest", "spec.testfield3"},
+			expectedFields:   []string{"spec.testfield.nestedtest"},
+			unexpectedFields: []string{"spec.testfield2"},
+		},
+		{
+			name: "filter nested list object",
+			obj: unstructured.Unstructured{
+				Object: map[string]any{
+					"apiVersion": "vX",
+					"kind":       "kind",
+					"metadata": map[string]any{
+						"name": "test",
+					},
+					"spec": map[string]any{
+						"testfield": map[string]any{
+							"nestedtest": "test",
+						},
+						"testfield2": "test",
+					},
+				},
+			},
+			filteredFields:   []string{"spec.testfield.nestedtest"},
+			expectedFields:   []string{"spec.testfield.nestedtest"},
+			unexpectedFields: []string{"spec.testfield2"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tt.obj.SetName("test-object")
+
+			filtered := filterFieldsFromObject(&tt.obj, tt.filteredFields)
+
+			for _, field := range tt.expectedFields {
+				fieldPath := strings.Split(field, ".")
+				_, exists, err := unstructured.NestedFieldCopy(filtered.Object, fieldPath...)
+				require.NoError(t, err)
+				assert.True(t, exists, "Expected field %s to exist", field)
+			}
+
+			for _, field := range tt.unexpectedFields {
+				fieldPath := strings.Split(field, ".")
+				_, exists, err := unstructured.NestedFieldCopy(filtered.Object, fieldPath...)
+				require.NoError(t, err)
+				assert.False(t, exists, "Expected field %s to not exist", field)
+			}
+
+			assert.Equal(t, tt.obj.GetName(), filtered.GetName())
+		})
+	}
+}
+
+func TestExtractNestedItem(t *testing.T) {
+	tests := []struct {
+		name     string
+		obj      map[string]any
+		fields   []string
+		depth    int
+		expected map[string]any
+	}{
+		{
+			name: "extract simple nested item",
+			obj: map[string]any{
+				"listofitems": []any{
+					map[string]any{
+						"extract":     "123",
+						"dontextract": "abc",
+					},
+					map[string]any{
+						"extract":     "456",
+						"dontextract": "def",
+					},
+					map[string]any{
+						"extract":     "789",
+						"dontextract": "ghi",
+					},
+				},
+			},
+			fields: []string{"listofitems", "extract"},
+			depth:  0,
+			expected: map[string]any{
+				"listofitems": []any{
+					map[string]any{
+						"extract": "123",
+					},
+					map[string]any{
+						"extract": "456",
+					},
+					map[string]any{
+						"extract": "789",
+					},
+				},
+			},
+		},
+		{
+			name: "double nested list of objects",
+			obj: map[string]any{
+				"listofitems": []any{
+					map[string]any{
+						"doublenested": []any{
+							map[string]any{
+								"extract": "123",
+							},
+						},
+						"dontextract": "abc",
+					},
+					map[string]any{
+						"doublenested": []any{
+							map[string]any{
+								"extract": "456",
+							},
+						},
+						"dontextract": "def",
+					},
+					map[string]any{
+						"doublenested": []any{
+							map[string]any{
+								"extract": "789",
+							},
+						},
+						"dontextract": "ghi",
+					},
+				},
+			},
+			fields: []string{"listofitems", "doublenested", "extract"},
+			depth:  0,
+			expected: map[string]any{
+				"listofitems": []any{
+					map[string]any{
+						"doublenested": []any{
+							map[string]any{
+								"extract": "123",
+							},
+						},
+					},
+					map[string]any{
+						"doublenested": []any{
+							map[string]any{
+								"extract": "456",
+							},
+						},
+					},
+					map[string]any{
+						"doublenested": []any{
+							map[string]any{
+								"extract": "789",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:     "depth is greater then list of field size",
+			obj:      map[string]any{"test1": "1234567890"},
+			fields:   []string{"test1"},
+			depth:    4,
+			expected: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			filteredObj := extractNestedItem(tt.obj, tt.fields, tt.depth)
+			assert.Equal(t, tt.expected, filteredObj, "Did not get the correct filtered obj")
+		})
+	}
+}
+
+func TestExtractItemsFromList(t *testing.T) {
+	tests := []struct {
+		name     string
+		list     []any
+		fields   []string
+		expected []any
+	}{
+		{
+			name: "test simple field",
+			list: []any{
+				map[string]any{"extract": "value1", "dontextract": "valueA"},
+				map[string]any{"extract": "value2", "dontextract": "valueB"},
+				map[string]any{"extract": "value3", "dontextract": "valueC"},
+			},
+			fields: []string{"extract"},
+			expected: []any{
+				map[string]any{"extract": "value1"},
+				map[string]any{"extract": "value2"},
+				map[string]any{"extract": "value3"},
+			},
+		},
+		{
+			name: "test simple field with some depth",
+			list: []any{
+				map[string]any{
+					"test1": map[string]any{
+						"test2": map[string]any{
+							"extract":     "123",
+							"dontextract": "abc",
+						},
+					},
+				},
+				map[string]any{
+					"test1": map[string]any{
+						"test2": map[string]any{
+							"extract":     "456",
+							"dontextract": "def",
+						},
+					},
+				},
+				map[string]any{
+					"test1": map[string]any{
+						"test2": map[string]any{
+							"extract":     "789",
+							"dontextract": "ghi",
+						},
+					},
+				},
+			},
+			fields: []string{"test1", "test2", "extract"},
+			expected: []any{
+				map[string]any{
+					"test1": map[string]any{
+						"test2": map[string]any{
+							"extract": "123",
+						},
+					},
+				},
+				map[string]any{
+					"test1": map[string]any{
+						"test2": map[string]any{
+							"extract": "456",
+						},
+					},
+				},
+				map[string]any{
+					"test1": map[string]any{
+						"test2": map[string]any{
+							"extract": "789",
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "test a missing field",
+			list: []any{
+				map[string]any{"test1": "123"},
+				map[string]any{"test1": "456"},
+				map[string]any{"test1": "789"},
+			},
+			fields:   []string{"test2"},
+			expected: nil,
+		},
+		{
+			name: "test getting an object",
+			list: []any{
+				map[string]any{
+					"extract": map[string]any{
+						"keyA": "valueA",
+						"keyB": "valueB",
+						"keyC": "valueC",
+					},
+					"dontextract": map[string]any{
+						"key1": "value1",
+						"key2": "value2",
+						"key3": "value3",
+					},
+				},
+				map[string]any{
+					"extract": map[string]any{
+						"keyD": "valueD",
+						"keyE": "valueE",
+						"keyF": "valueF",
+					},
+					"dontextract": map[string]any{
+						"key4": "value4",
+						"key5": "value5",
+						"key6": "value6",
+					},
+				},
+			},
+			fields: []string{"extract"},
+			expected: []any{
+				map[string]any{
+					"extract": map[string]any{
+						"keyA": "valueA",
+						"keyB": "valueB",
+						"keyC": "valueC",
+					},
+				},
+				map[string]any{
+					"extract": map[string]any{
+						"keyD": "valueD",
+						"keyE": "valueE",
+						"keyF": "valueF",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			extractedList := extractItemsFromList(tt.list, tt.fields)
+			assert.Equal(t, tt.expected, extractedList, "Lists were not equal")
+		})
+	}
+}
+
+func TestReconstructObject(t *testing.T) {
+	tests := []struct {
+		name      string
+		extracted []any
+		fields    []string
+		depth     int
+		expected  map[string]any
+	}{
+		{
+			name:      "simple single field at depth 0",
+			extracted: []any{"value1", "value2"},
+			fields:    []string{"items"},
+			depth:     0,
+			expected: map[string]any{
+				"items": []any{"value1", "value2"},
+			},
+		},
+		{
+			name:      "object nested at depth 1",
+			extracted: []any{map[string]any{"key": "value"}},
+			fields:    []string{"test1", "test2"},
+			depth:     1,
+			expected: map[string]any{
+				"test1": map[string]any{
+					"test2": []any{map[string]any{"key": "value"}},
+				},
+			},
+		},
+		{
+			name:      "empty list of extracted items",
+			extracted: []any{},
+			fields:    []string{"test1"},
+			depth:     0,
+			expected: map[string]any{
+				"test1": []any{},
+			},
+		},
+		{
+			name: "complex object nesteed at depth 2",
+			extracted: []any{map[string]any{
+				"obj1": map[string]any{
+					"key1": "value1",
+					"key2": "value2",
+				},
+				"obj2": map[string]any{
+					"keyA": "valueA",
+					"keyB": "valueB",
+				},
+			}},
+			fields: []string{"test1", "test2", "test3"},
+			depth:  2,
+			expected: map[string]any{
+				"test1": map[string]any{
+					"test2": map[string]any{
+						"test3": []any{
+							map[string]any{
+								"obj1": map[string]any{
+									"key1": "value1",
+									"key2": "value2",
+								},
+								"obj2": map[string]any{
+									"keyA": "valueA",
+									"keyB": "valueB",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			filteredObj := reconstructObject(tt.extracted, tt.fields, tt.depth)
+			assert.Equal(t, tt.expected, filteredObj, "objects were not equal")
+		})
+	}
+}
+
+func TestPrintManifests(t *testing.T) {
+	obj := unstructured.Unstructured{
+		Object: map[string]any{
+			"apiVersion": "vX",
+			"kind":       "test",
+			"metadata": map[string]any{
+				"name": "unit-test",
+			},
+			"spec": map[string]any{
+				"testfield": "testvalue",
+			},
+		},
+	}
+
+	expectedYAML := `apiVersion: vX
+kind: test
+metadata:
+    name: unit-test
+spec:
+    testfield: testvalue
+`
+
+	output, _ := captureOutput(func() error {
+		printManifests(&[]unstructured.Unstructured{obj}, false, true, "yaml")
+		return nil
+	})
+	assert.Equal(t, expectedYAML+"\n", output, "Incorrect yaml output for printManifests")
+
+	output, _ = captureOutput(func() error {
+		printManifests(&[]unstructured.Unstructured{obj, obj}, false, true, "yaml")
+		return nil
+	})
+	assert.Equal(t, expectedYAML+"\n---\n"+expectedYAML+"\n", output, "Incorrect yaml output with multiple objs.")
+
+	expectedJSON := `{
+ "apiVersion": "vX",
+ "kind": "test",
+ "metadata": {
+  "name": "unit-test"
+ },
+ "spec": {
+  "testfield": "testvalue"
+ }
+}`
+
+	output, _ = captureOutput(func() error {
+		printManifests(&[]unstructured.Unstructured{obj}, false, true, "json")
+		return nil
+	})
+	assert.Equal(t, expectedJSON+"\n", output, "Incorrect json output.")
+
+	output, _ = captureOutput(func() error {
+		printManifests(&[]unstructured.Unstructured{obj, obj}, false, true, "json")
+		return nil
+	})
+	assert.Equal(t, expectedJSON+"\n---\n"+expectedJSON+"\n", output, "Incorrect json output with multiple objs.")
+
+	output, _ = captureOutput(func() error {
+		printManifests(&[]unstructured.Unstructured{obj}, true, true, "wide")
+		return nil
+	})
+	assert.Contains(t, output, "FIELD           RESOURCE NAME  VALUE", "Missing or incorrect header line for table print with showing names.")
+	assert.Contains(t, output, "apiVersion      unit-test      vX", "Missing or incorrect row in table related to apiVersion with showing names.")
+	assert.Contains(t, output, "kind            unit-test      test", "Missing or incorrect line in the table related to kind with showing names.")
+	assert.Contains(t, output, "spec.testfield  unit-test      testvalue", "Missing or incorrect line in the table related to spec.testfield with showing names.")
+	assert.NotContains(t, output, "metadata.name   unit-test      testvalue", "Missing or incorrect line in the table related to metadata.name with showing names.")
+
+	output, _ = captureOutput(func() error {
+		printManifests(&[]unstructured.Unstructured{obj}, true, false, "wide")
+		return nil
+	})
+	assert.Contains(t, output, "FIELD           VALUE", "Missing or incorrect header line for table print with not showing names.")
+	assert.Contains(t, output, "apiVersion      vX", "Missing or incorrect row in table related to apiVersion with not showing names.")
+	assert.Contains(t, output, "kind            test", "Missing or incorrect row in the table related to kind with not showing names.")
+	assert.Contains(t, output, "spec.testfield  testvalue", "Missing or incorrect row in the table related to spec.testefield with not showing names.")
+	assert.NotContains(t, output, "metadata.name   testvalue", "Missing or incorrect row in the tbale related to metadata.name with not showing names.")
+}
+
+func TestPrintManifests_FilterNestedListObject_Wide(t *testing.T) {
+	obj := unstructured.Unstructured{
+		Object: map[string]any{
+			"apiVersion": "vX",
+			"kind":       "kind",
+			"metadata": map[string]any{
+				"name": "unit-test",
+			},
+			"status": map[string]any{
+				"podIPs": []map[string]any{
+					{
+						"IP": "127.0.0.1",
+					},
+					{
+						"IP": "127.0.0.2",
+					},
+				},
+			},
+		},
+	}
+
+	output, _ := captureOutput(func() error {
+		v, err := json.Marshal(&obj)
+		if err != nil {
+			return nil
+		}
+
+		var obj2 *unstructured.Unstructured
+		err = json.Unmarshal([]byte(v), &obj2)
+		if err != nil {
+			return nil
+		}
+		printManifests(&[]unstructured.Unstructured{*obj2}, false, true, "wide")
+		return nil
+	})
+
+	// Verify table header
+	assert.Contains(t, output, "FIELD                RESOURCE NAME  VALUE", "Missing a line in the table")
+	assert.Contains(t, output, "apiVersion           unit-test      vX", "Test for apiVersion field failed for wide output")
+	assert.Contains(t, output, "kind                 unit-test      kind", "Test for kind field failed for wide output")
+	assert.Contains(t, output, "status.podIPs[0].IP  unit-test      127.0.0.1", "Test for podIP array index 0 field failed for wide output")
+	assert.Contains(t, output, "status.podIPs[1].IP  unit-test      127.0.0.2", "Test for podIP array index 1 field failed for wide output")
+}
--- a/cmd/argocd/commands/app_resources.go
+++ b/cmd/argocd/commands/app_resources.go
@@ -1,16 +1,22 @@
 package commands

 import (
+	"encoding/json"
 	"fmt"
 	"os"
+	"strconv"
+	"strings"
 	"text/tabwriter"

+	"gopkg.in/yaml.v3"
+
 	"github.com/argoproj/argo-cd/v3/cmd/argocd/commands/utils"
 	"github.com/argoproj/argo-cd/v3/cmd/util"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/ptr"

@@ -22,15 +28,273 @@ import (
 	utilio "github.com/argoproj/argo-cd/v3/util/io"
 )

+// NewApplicationGetResourceCommand returns a new instance of the `app get-resource` command
+func NewApplicationGetResourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		resourceName      string
+		kind              string
+		project           string
+		filteredFields    []string
+		showManagedFields bool
+		output            string
+	)
+	command := &cobra.Command{
+		Use:   "get-resource APPNAME",
+		Short: "Get details about the live Kubernetes manifests of a resource in an application. The filter-fields flag can be used to only display fields you want to see.",
+		Example: `
+  # Get a specific resource, Pod my-app-pod, in 'my-app' by name in wide format
+    argocd app get-resource my-app --kind Pod --resource-name my-app-pod
+
+  # Get a specific resource, Pod my-app-pod, in 'my-app' by name in yaml format
+    argocd app get-resource my-app --kind Pod --resource-name my-app-pod -o yaml
+
+  # Get a specific resource, Pod my-app-pod, in 'my-app' by name in json format
+    argocd app get-resource my-app --kind Pod --resource-name my-app-pod -o json
+
+  # Get details about all Pods in the application
+    argocd app get-resource my-app --kind Pod
+
+  # Get a specific resource with managed fields, Pod my-app-pod, in 'my-app' by name in wide format
+    argocd app get-resource my-app --kind Pod --resource-name my-app-pod --show-managed-fields
+
+  # Get the details of a specific field in a resource in 'my-app' in the wide format
+    argocd app get-resource my-app --kind Pod --filter-fields status.podIP
+
+  # Get the details of multiple specific fields in a specific resource in 'my-app' in the wide format
+    argocd app get-resource my-app --kind Pod --resource-name my-app-pod --filter-fields status.podIP,status.hostIP`,
+	}
+
+	command.Run = func(c *cobra.Command, args []string) {
+		ctx := c.Context()
+
+		if len(args) != 1 {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		}
+
+		appName, appNs := argo.ParseFromQualifiedName(args[0], "")
+
+		conn, appIf := headless.NewClientOrDie(clientOpts, c).NewApplicationClientOrDie()
+		defer utilio.Close(conn)
+
+		tree, err := appIf.ResourceTree(ctx, &applicationpkg.ResourcesQuery{
+			ApplicationName: &appName,
+			AppNamespace:    &appNs,
+		})
+		errors.CheckError(err)
+
+		// Get manifests of resources
+		// If resource name is "" find all resources of that kind
+		var resources []unstructured.Unstructured
+		var fetchedStr string
+		for _, r := range tree.Nodes {
+			if (resourceName != "" && r.Name != resourceName) || r.Kind != kind {
+				continue
+			}
+			resource, err := appIf.GetResource(ctx, &applicationpkg.ApplicationResourceRequest{
+				Name:         &appName,
+				AppNamespace: &appNs,
+				Group:        &r.Group,
+				Kind:         &r.Kind,
+				Namespace:    &r.Namespace,
+				Project:      &project,
+				ResourceName: &r.Name,
+				Version:      &r.Version,
+			})
+			errors.CheckError(err)
+			manifest := resource.GetManifest()
+
+			var obj *unstructured.Unstructured
+			err = json.Unmarshal([]byte(manifest), &obj)
+			errors.CheckError(err)
+
+			if !showManagedFields {
+				unstructured.RemoveNestedField(obj.Object, "metadata", "managedFields")
+			}
+
+			if len(filteredFields) != 0 {
+				obj = filterFieldsFromObject(obj, filteredFields)
+			}
+
+			fetchedStr += obj.GetName() + ", "
+			resources = append(resources, *obj)
+		}
+		printManifests(&resources, len(filteredFields) > 0, resourceName == "", output)
+
+		if fetchedStr != "" {
+			fetchedStr = strings.TrimSuffix(fetchedStr, ", ")
+		}
+		log.Infof("Resources '%s' fetched", fetchedStr)
+	}
+
+	command.Flags().StringVar(&resourceName, "resource-name", "", "Name of resource, if none is included will output details of all resources with specified kind")
+	command.Flags().StringVar(&kind, "kind", "", "Kind of resource [REQUIRED]")
+	err := command.MarkFlagRequired("kind")
+	errors.CheckError(err)
+	command.Flags().StringVar(&project, "project", "", "Project of resource")
+	command.Flags().StringSliceVar(&filteredFields, "filter-fields", nil, "A comma separated list of fields to display, if not provided will output the entire manifest")
+	command.Flags().BoolVar(&showManagedFields, "show-managed-fields", false, "Show managed fields in the output manifest")
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Format of the output, wide, yaml, or json")
+	return command
+}
+
+// filterFieldsFromObject creates a new unstructured object containing only the specified fields from the source object.
+func filterFieldsFromObject(obj *unstructured.Unstructured, filteredFields []string) *unstructured.Unstructured {
+	var filteredObj unstructured.Unstructured
+	filteredObj.Object = make(map[string]any)
+
+	for _, f := range filteredFields {
+		fields := strings.Split(f, ".")
+
+		value, exists, err := unstructured.NestedFieldCopy(obj.Object, fields...)
+		if exists {
+			errors.CheckError(err)
+			err = unstructured.SetNestedField(filteredObj.Object, value, fields...)
+			errors.CheckError(err)
+		} else {
+			// If doesn't exist assume its a nested inside a list of objects
+			value := extractNestedItem(obj.Object, fields, 0)
+			filteredObj.Object = value
+		}
+	}
+	filteredObj.SetName(obj.GetName())
+	return &filteredObj
+}
+
+// extractNestedItem recursively extracts an item that may be nested inside a list of objects.
+func extractNestedItem(obj map[string]any, fields []string, depth int) map[string]any {
+	if depth >= len(fields) {
+		return nil
+	}
+
+	value, exists, _ := unstructured.NestedFieldCopy(obj, fields[:depth+1]...)
+	list, ok := value.([]any)
+	if !exists || !ok {
+		return extractNestedItem(obj, fields, depth+1)
+	}
+
+	extractedItems := extractItemsFromList(list, fields[depth+1:])
+	if len(extractedItems) == 0 {
+		for _, e := range list {
+			if o, ok := e.(map[string]any); ok {
+				result := extractNestedItem(o, fields[depth+1:], 0)
+				extractedItems = append(extractedItems, result)
+			}
+		}
+	}
+
+	filteredObj := reconstructObject(extractedItems, fields, depth)
+	return filteredObj
+}
+
+// extractItemsFromList processes a list of objects and extracts specific fields from each item.
+func extractItemsFromList(list []any, fields []string) []any {
+	var extratedObjs []any
+	for _, e := range list {
+		extractedObj := make(map[string]any)
+		if o, ok := e.(map[string]any); ok {
+			value, exists, _ := unstructured.NestedFieldCopy(o, fields...)
+			if !exists {
+				continue
+			}
+			err := unstructured.SetNestedField(extractedObj, value, fields...)
+			errors.CheckError(err)
+			extratedObjs = append(extratedObjs, extractedObj)
+		}
+	}
+	return extratedObjs
+}
+
+// reconstructObject rebuilds the original object structure by placing extracted items back into their proper nested location.
+func reconstructObject(extracted []any, fields []string, depth int) map[string]any {
+	obj := make(map[string]any)
+	err := unstructured.SetNestedField(obj, extracted, fields[:depth+1]...)
+	errors.CheckError(err)
+	return obj
+}
+
+// printManifests outputs resource manifests in the specified format (wide, JSON, or YAML).
+func printManifests(objs *[]unstructured.Unstructured, filteredFields bool, showName bool, output string) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	if showName {
+		fmt.Fprintf(w, "FIELD\tRESOURCE NAME\tVALUE\n")
+	} else {
+		fmt.Fprintf(w, "FIELD\tVALUE\n")
+	}
+
+	for i, o := range *objs {
+		if output == "json" || output == "yaml" {
+			var formattedManifest []byte
+			var err error
+			if output == "json" {
+				formattedManifest, err = json.MarshalIndent(o.Object, "", " ")
+			} else {
+				formattedManifest, err = yaml.Marshal(o.Object)
+			}
+			errors.CheckError(err)
+
+			fmt.Println(string(formattedManifest))
+			if len(*objs) > 1 && i != len(*objs)-1 {
+				fmt.Println("---")
+			}
+		} else {
+			name := o.GetName()
+			if filteredFields {
+				unstructured.RemoveNestedField(o.Object, "metadata", "name")
+			}
+
+			printManifestAsTable(w, name, showName, o.Object, "")
+		}
+	}
+
+	if output != "json" && output != "yaml" {
+		err := w.Flush()
+		errors.CheckError(err)
+	}
+}
+
+// printManifestAsTable recursively prints a manifest object as a tabular view with nested fields flattened.
+func printManifestAsTable(w *tabwriter.Writer, name string, showName bool, obj map[string]any, parentField string) {
+	for key, value := range obj {
+		field := parentField + key
+		switch v := value.(type) {
+		case map[string]any:
+			printManifestAsTable(w, name, showName, v, field+".")
+		case []any:
+			for i, e := range v {
+				index := "[" + strconv.Itoa(i) + "]"
+
+				if innerObj, ok := e.(map[string]any); ok {
+					printManifestAsTable(w, name, showName, innerObj, field+index+".")
+				} else {
+					if showName {
+						fmt.Fprintf(w, "%v\t%v\t%v\n", field+index, name, e)
+					} else {
+						fmt.Fprintf(w, "%v\t%v\n", field+index, e)
+					}
+				}
+			}
+		default:
+			if showName {
+				fmt.Fprintf(w, "%v\t%v\t%v\n", field, name, v)
+			} else {
+				fmt.Fprintf(w, "%v\t%v\n", field, v)
+			}
+		}
+	}
+}
+
 func NewApplicationPatchResourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var patch string
-	var patchType string
-	var resourceName string
-	var namespace string
-	var kind string
-	var group string
-	var all bool
-	var project string
+	var (
+		patch        string
+		patchType    string
+		resourceName string
+		namespace    string
+		kind         string
+		group        string
+		all          bool
+		project      string
+	)
 	command := &cobra.Command{
 		Use:   "patch-resource APPNAME",
 		Short: "Patch resource in an application",
@@ -90,14 +354,16 @@ func NewApplicationPatchResourceCommand(clientOpts *argocdclient.ClientOptions)
 }

 func NewApplicationDeleteResourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var resourceName string
-	var namespace string
-	var kind string
-	var group string
-	var force bool
-	var orphan bool
-	var all bool
-	var project string
+	var (
+		resourceName string
+		namespace    string
+		kind         string
+		group        string
+		force        bool
+		orphan       bool
+		all          bool
+		project      string
+	)
 	command := &cobra.Command{
 		Use:   "delete-resource APPNAME",
 		Short: "Delete resource in an application",
@@ -253,13 +519,16 @@ func printResources(listAll bool, orphaned bool, appResourceTree *v1alpha1.Appli
 			}
 		}
 	}
-	_ = w.Flush()
+	err := w.Flush()
+	errors.CheckError(err)
 }

 func NewApplicationListResourcesCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var orphaned bool
-	var output string
-	var project string
+	var (
+		orphaned bool
+		output   string
+		project  string
+	)
 	command := &cobra.Command{
 		Use:   "resources APPNAME",
 		Short: "List resource of application",
--- a/cmd/argocd/commands/app_test.go
+++ b/cmd/argocd/commands/app_test.go
@@ -2253,6 +2253,10 @@ func (c *fakeAppServiceClient) ListResourceLinks(_ context.Context, _ *applicati
 	return nil, nil
 }

+func (c *fakeAppServiceClient) ServerSideDiff(_ context.Context, _ *applicationpkg.ApplicationServerSideDiffQuery, _ ...grpc.CallOption) (*applicationpkg.ApplicationServerSideDiffResponse, error) {
+	return nil, nil
+}
+
 type fakeAcdClient struct {
 	simulateTimeout uint
 }
--- a/cmd/argocd/commands/bcrypt.go
+++ b/cmd/argocd/commands/bcrypt.go
@@ -6,6 +6,8 @@ import (

 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/bcrypt"
+
+	"github.com/argoproj/argo-cd/v3/util/cli"
 )

 // NewBcryptCmd represents the bcrypt command
@@ -15,22 +17,25 @@ func NewBcryptCmd() *cobra.Command {
 		Use:   "bcrypt",
 		Short: "Generate bcrypt hash for any password",
 		Example: `# Generate bcrypt hash for any password 
-argocd account bcrypt --password YOUR_PASSWORD`,
+argocd account bcrypt --password YOUR_PASSWORD
+
+# Prompt for password input
+argocd account bcrypt
+
+# Read password from stdin
+echo -e "password" | argocd account bcrypt`,
 		Run: func(cmd *cobra.Command, _ []string) {
+			password = cli.PromptPassword(password)
 			bytePassword := []byte(password)
 			// Hashing the password
 			hash, err := bcrypt.GenerateFromPassword(bytePassword, bcrypt.DefaultCost)
 			if err != nil {
-				log.Fatalf("Failed to genarate bcrypt hash: %v", err)
+				log.Fatalf("Failed to generate bcrypt hash: %v", err)
 			}
 			fmt.Fprint(cmd.OutOrStdout(), string(hash))
 		},
 	}

 	bcryptCmd.Flags().StringVar(&password, "password", "", "Password for which bcrypt hash is generated")
-	err := bcryptCmd.MarkFlagRequired("password")
-	if err != nil {
-		return nil
-	}
 	return bcryptCmd
 }
--- a/cmd/argocd/commands/bcrypt_test.go
+++ b/cmd/argocd/commands/bcrypt_test.go
@@ -2,9 +2,11 @@ package commands

 import (
 	"bytes"
+	"os"
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/bcrypt"
 )

@@ -20,3 +22,27 @@ func TestGeneratePassword(t *testing.T) {
 	err = bcrypt.CompareHashAndPassword(output.Bytes(), []byte("abc"))
 	assert.NoError(t, err)
 }
+
+func TestGeneratePasswordWithStdin(t *testing.T) {
+	oldStdin := os.Stdin
+	defer func() {
+		os.Stdin = oldStdin
+	}()
+
+	input := bytes.NewBufferString("abc\n")
+	r, w, _ := os.Pipe()
+	_, _ = w.Write(input.Bytes())
+	w.Close()
+	os.Stdin = r
+
+	bcryptCmd := NewBcryptCmd()
+	bcryptCmd.SetArgs([]string{})
+	output := new(bytes.Buffer)
+	bcryptCmd.SetOut(output)
+
+	err := bcryptCmd.Execute()
+	require.NoError(t, err)
+
+	err = bcrypt.CompareHashAndPassword(output.Bytes(), []byte("abc"))
+	assert.NoError(t, err)
+}
--- a/cmd/argocd/commands/configure.go
+++ b/cmd/argocd/commands/configure.go
@@ -2,6 +2,7 @@ package commands

 import (
 	"fmt"
+	"os"
 	"strconv"

 	"github.com/spf13/cobra"
@@ -27,6 +28,10 @@ argocd configure --prompts-enabled=false`,
 		Run: func(_ *cobra.Command, _ []string) {
 			localCfg, err := localconfig.ReadLocalConfig(globalClientOpts.ConfigPath)
 			errors.CheckError(err)
+			if localCfg == nil {
+				fmt.Println("No local configuration found")
+				os.Exit(1)
+			}

 			localCfg.PromptsEnabled = promptsEnabled

--- a/cmd/argocd/commands/gpg_test.go
+++ b/cmd/argocd/commands/gpg_test.go
@@ -0,0 +1,103 @@
+package commands
+
+import (
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	appsv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+)
+
+// splitColumns splits a line produced by tabwriter using runs of 2 or more spaces
+// as delimiters to obtain logical columns regardless of alignment padding.
+func splitColumns(line string) []string {
+	re := regexp.MustCompile(`\s{2,}`)
+	return re.Split(strings.TrimSpace(line), -1)
+}
+
+func Test_printKeyTable_Empty(t *testing.T) {
+	out, err := captureOutput(func() error {
+		printKeyTable([]appsv1.GnuPGPublicKey{})
+		return nil
+	})
+	require.NoError(t, err)
+
+	lines := strings.Split(strings.TrimRight(out, "\n"), "\n")
+	require.Len(t, lines, 1)
+
+	headerCols := splitColumns(lines[0])
+	assert.Equal(t, []string{"KEYID", "TYPE", "IDENTITY"}, headerCols)
+}
+
+func Test_printKeyTable_Single(t *testing.T) {
+	keys := []appsv1.GnuPGPublicKey{
+		{
+			KeyID:   "ABCDEF1234567890",
+			SubType: "rsa4096",
+			Owner:   "Alice <alice@example.com>",
+		},
+	}
+
+	out, err := captureOutput(func() error {
+		printKeyTable(keys)
+		return nil
+	})
+	require.NoError(t, err)
+
+	lines := strings.Split(strings.TrimRight(out, "\n"), "\n")
+	require.Len(t, lines, 2)
+
+	// Header
+	assert.Equal(t, []string{"KEYID", "TYPE", "IDENTITY"}, splitColumns(lines[0]))
+
+	// Row
+	row := splitColumns(lines[1])
+	require.Len(t, row, 3)
+	assert.Equal(t, "ABCDEF1234567890", row[0])
+	assert.Equal(t, "RSA4096", row[1]) // subtype upper-cased
+	assert.Equal(t, "Alice <alice@example.com>", row[2])
+}
+
+func Test_printKeyTable_Multiple(t *testing.T) {
+	keys := []appsv1.GnuPGPublicKey{
+		{
+			KeyID:   "ABCD",
+			SubType: "ed25519",
+			Owner:   "User One <one@example.com>",
+		},
+		{
+			KeyID:   "0123456789ABCDEF",
+			SubType: "rsa2048",
+			Owner:   "Second User <second@example.com>",
+		},
+	}
+
+	out, err := captureOutput(func() error {
+		printKeyTable(keys)
+		return nil
+	})
+	require.NoError(t, err)
+
+	lines := strings.Split(strings.TrimRight(out, "\n"), "\n")
+	require.Len(t, lines, 3)
+
+	// Header
+	assert.Equal(t, []string{"KEYID", "TYPE", "IDENTITY"}, splitColumns(lines[0]))
+
+	// First row
+	row1 := splitColumns(lines[1])
+	require.Len(t, row1, 3)
+	assert.Equal(t, "ABCD", row1[0])
+	assert.Equal(t, "ED25519", row1[1])
+	assert.Equal(t, "User One <one@example.com>", row1[2])
+
+	// Second row
+	row2 := splitColumns(lines[2])
+	require.Len(t, row2, 3)
+	assert.Equal(t, "0123456789ABCDEF", row2[0])
+	assert.Equal(t, "RSA2048", row2[1])
+	assert.Equal(t, "Second User <second@example.com>", row2[2])
+}
--- a/cmd/argocd/commands/headless/headless.go
+++ b/cmd/argocd/commands/headless/headless.go
@@ -213,7 +213,8 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti
 	}
 	if port == nil || *port == 0 {
 		addr := *address + ":0"
-		ln, err := net.Listen("tcp", addr)
+		lc := &net.ListenConfig{}
+		ln, err := lc.Listen(ctx, "tcp", addr)
 		if err != nil {
 			return nil, fmt.Errorf("failed to listen on %q: %w", addr, err)
 		}
--- a/cmd/argocd/commands/login.go
+++ b/cmd/argocd/commands/login.go
@@ -42,6 +42,7 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 		username         string
 		password         string
 		sso              bool
+		callback         string
 		ssoPort          int
 		skipTestTLS      bool
 		ssoLaunchBrowser bool
@@ -138,7 +139,7 @@ argocd login cd.argoproj.io --core`,
 					errors.CheckError(err)
 					oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
 					errors.CheckError(err)
-					tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider, ssoLaunchBrowser)
+					tokenString, refreshToken = oauth2Login(ctx, callback, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider, ssoLaunchBrowser)
 				}
 				parser := jwt.NewParser(jwt.WithoutClaimsValidation())
 				claims := jwt.MapClaims{}
@@ -185,8 +186,8 @@ argocd login cd.argoproj.io --core`,
 	command.Flags().StringVar(&password, "password", "", "The password of an account to authenticate")
 	command.Flags().BoolVar(&sso, "sso", false, "Perform SSO login")
 	command.Flags().IntVar(&ssoPort, "sso-port", DefaultSSOLocalPort, "Port to run local OAuth2 login application")
-	command.Flags().
-		BoolVar(&skipTestTLS, "skip-test-tls", false, "Skip testing whether the server is configured with TLS (this can help when the command hangs for no apparent reason)")
+	command.Flags().StringVar(&callback, "callback", "", "Scheme, Host and Port for the callback URL")
+	command.Flags().BoolVar(&skipTestTLS, "skip-test-tls", false, "Skip testing whether the server is configured with TLS (this can help when the command hangs for no apparent reason)")
 	command.Flags().BoolVar(&ssoLaunchBrowser, "sso-launch-browser", true, "Automatically launch the system default browser when performing SSO login")
 	return command
 }
@@ -205,13 +206,19 @@ func userDisplayName(claims jwt.MapClaims) string {
 // returns the JWT token and a refresh token (if supported)
 func oauth2Login(
 	ctx context.Context,
+	callback string,
 	port int,
 	oidcSettings *settingspkg.OIDCConfig,
 	oauth2conf *oauth2.Config,
 	provider *oidc.Provider,
 	ssoLaunchBrowser bool,
 ) (string, string) {
-	oauth2conf.RedirectURL = fmt.Sprintf("http://localhost:%d/auth/callback", port)
+	redirectBase := callback
+	if redirectBase == "" {
+		redirectBase = "http://localhost:" + strconv.Itoa(port)
+	}
+
+	oauth2conf.RedirectURL = redirectBase + "/auth/callback"
 	oidcConf, err := oidcutil.ParseConfig(provider)
 	errors.CheckError(err)
 	log.Debug("OIDC Configuration:")
--- a/cmd/argocd/commands/logout.go
+++ b/cmd/argocd/commands/logout.go
@@ -19,9 +19,12 @@ func NewLogoutCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comma
 		Use:   "logout CONTEXT",
 		Short: "Log out from Argo CD",
 		Long:  "Log out from Argo CD",
-		Example: `# To log out of argocd
-$ argocd logout
+		Example: `# Logout from the active Argo CD context
 # This can be helpful for security reasons or when you want to switch between different Argo CD contexts or accounts.
+argocd logout CONTEXT
+
+# Logout from a specific context named 'cd.argoproj.io'
+argocd logout cd.argoproj.io
 `,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .1.0
 .3.0