Merge pull request #5216 from fluxcd/backport-5214-to-release/v2.5.x

[release/v2.5.x] Update kustomize-controller to v1.5.1
Update toolkit components
22 changed files with 83 additions and 1402 deletions
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@ -44,12 +44,15 @@
  description: Feature request proposals in the RFC format
  color: '#D621C3'
  aliases: ['area/RFC']
- name: backport:release/v2.3.x
+- name: backport:release/v2.0.x
-  description: To be backported to release/v2.3.x
+  description: To be backported to release/v2.0.x
  color: '#ffd700'
 - name: backport:release/v2.1.x
  description: To be backported to release/v2.1.x
  color: '#ffd700'
- name: backport:release/v2.4.x
+- name: backport:release/v2.2.x
-  description: To be backported to release/v2.4.x
+  description: To be backported to release/v2.2.x
  color: '#ffd700'
- name: backport:release/v2.5.x
+- name: backport:release/v2.3.x
-  description: To be backported to release/v2.5.x
+  description: To be backported to release/v2.3.x
  color: '#ffd700'
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -2,7 +2,7 @@ name: release
 on:
  push:
-    tags: ["v*"]
+    tags: [ 'v*' ]
 permissions:
  contents: read
@ -32,7 +32,7 @@ jobs:
        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
      - name: Setup Syft
        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
      - name: Setup Cosign
@ -44,9 +44,9 @@ jobs:
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@ -66,12 +66,23 @@ jobs:
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Download release notes utility
        env:
          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
      - name: Generate release notes
        run: |
          NOTES="./output/notes.md"
          echo '## CLI Changelog' > ${NOTES}
          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        with:
          version: latest
-          args: release --skip=validate
+          args: release --release-notes=output/notes.md --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
@ -114,7 +125,7 @@ jobs:
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
@ -197,4 +208,4 @@ jobs:
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      registry-password: ${{ secrets.GHCR_TOKEN }}
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,6 +1,4 @@
 project_name: flux
 changelog:
  use: github-native
 builds:
  - <<: &build_defaults
      binary: flux
--- a/.scorecard.yml
+++ b/.scorecard.yml
@ -1,5 +0,0 @@
 annotations:
  - checks:
      - dangerous-workflow
    reasons:
      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@ -169,12 +169,6 @@ spec:
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive in dry-run mode",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@ -138,7 +138,7 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", " git reference name")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
--- a/cmd/flux/debug_helmrelease.go
+++ b/cmd/flux/debug_helmrelease.go
@ -21,6 +21,7 @@ import (
 	"fmt"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/chartutil"
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
@ -92,12 +93,23 @@ func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if debugHelmReleaseArgs.showValues {
 		// TODO(stefan): remove the mapping when helm-controller/api v1.2.0 has been released
 		var valuesRefs []meta.ValuesReference
 		for _, source := range hr.Spec.ValuesFrom {
 			valuesRefs = append(valuesRefs, meta.ValuesReference{
 				Kind:      source.Kind,
 				Name:      source.Name,
 				ValuesKey: source.ValuesKey,
 				Optional:  source.Optional,
 			})
 		}
 		finalValues, err := chartutil.ChartValuesFromReferences(ctx,
 			logr.Discard(),
 			kubeClient,
 			hr.GetNamespace(),
 			hr.GetValues(),
-			hr.Spec.ValuesFrom...)
+			valuesRefs...)
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/diff_artifact.go
+++ b/cmd/flux/diff_artifact.go
@ -23,7 +23,6 @@ import (
 	oci "github.com/fluxcd/pkg/oci/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
@ -43,7 +42,6 @@ type diffArtifactFlags struct {
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
 	insecure    bool
 }
 var diffArtifactArgs = newDiffArtifactArgs()
@ -59,7 +57,6 @@ func init() {
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	diffArtifactCmd.Flags().Var(&diffArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	diffArtifactCmd.Flags().StringSliceVar(&diffArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
 	diffArtifactCmd.Flags().BoolVar(&diffArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifact to be pulled without TLS")
 	diffCmd.AddCommand(diffArtifactCmd)
 }
@ -85,13 +82,7 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	opts := oci.DefaultOptions()
+	ociClient := oci.NewClient(oci.DefaultOptions())
 	if diffArtifactArgs.insecure {
 		opts = append(opts, crane.Insecure)
 	}
 	ociClient := oci.NewClient(opts)
 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/list_artifact.go
+++ b/cmd/flux/list_artifact.go
@ -20,7 +20,6 @@ import (
 	"context"
 	"fmt"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 	oci "github.com/fluxcd/pkg/oci/client"
@ -35,7 +34,6 @@ type listArtifactFlags struct {
 	regexFilter  string
 	creds        string
 	provider     flags.SourceOCIProvider
 	insecure     bool
 }
 var listArtifactArgs = newListArtifactFlags()
@ -62,7 +60,6 @@ func init() {
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.regexFilter, "filter-regex", "", "filter tags returned from the oci repository using regex")
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	listArtifactsCmd.Flags().Var(&listArtifactArgs.provider, "provider", listArtifactArgs.provider.Description())
 	listArtifactsCmd.Flags().BoolVar(&listArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifacts list to be fetched without TLS")
 	listCmd.AddCommand(listArtifactsCmd)
 }
@ -81,13 +78,7 @@ func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	ociOpts := oci.DefaultOptions()
+	ociClient := oci.NewClient(oci.DefaultOptions())
 	if listArtifactArgs.insecure {
 		ociOpts = append(ociOpts, crane.Insecure)
 	}
 	ociClient := oci.NewClient(ociOpts)
 	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/pull_artifact.go
+++ b/cmd/flux/pull_artifact.go
@ -22,7 +22,6 @@ import (
 	"os"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
@ -44,7 +43,6 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 type pullArtifactFlags struct {
 	output   string
 	creds    string
 	insecure bool
 	provider flags.SourceOCIProvider
 }
@ -60,7 +58,6 @@ func init() {
 	pullArtifactCmd.Flags().StringVarP(&pullArtifactArgs.output, "output", "o", "", "path where the artifact content should be extracted.")
 	pullArtifactCmd.Flags().StringVar(&pullArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	pullArtifactCmd.Flags().Var(&pullArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	pullArtifactCmd.Flags().BoolVar(&pullArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pulled without TLS")
 	pullCmd.AddCommand(pullArtifactCmd)
 }
@ -86,13 +83,7 @@ func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	opts := oci.DefaultOptions()
+	ociClient := oci.NewClient(oci.DefaultOptions())
 	if pullArtifactArgs.insecure {
 		opts = append(opts, crane.Insecure)
 	}
 	ociClient := oci.NewClient(opts)
 	if pullArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pullArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@ -115,7 +115,6 @@ type pushArtifactFlags struct {
 	output       string
 	debug        bool
 	reproducible bool
 	insecure     bool
 }
 var pushArtifactArgs = newPushArtifactFlags()
@ -138,7 +137,6 @@ func init() {
 		"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")
 	pushArtifactCmd.Flags().BoolVarP(&pushArtifactArgs.debug, "debug", "", false, "display logs from underlying library")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.reproducible, "reproducible", false, "ensure reproducible image digests by setting the created timestamp to '1970-01-01T00:00:00Z'")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pushed without TLS")
 	pushCmd.AddCommand(pushArtifactCmd)
 }
@ -268,10 +266,6 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Actionf("pushing artifact to %s", url)
 	}
 	if pushArtifactArgs.insecure {
 		opts = append(opts, crane.Insecure)
 	}
 	ociClient := client.NewClient(opts)
 	digestURL, err := ociClient.Push(ctx, url, path,
 		client.WithPushMetadata(meta),
--- a/cmd/flux/testdata/debug_helmrelease/objects.yaml
+++ b/cmd/flux/testdata/debug_helmrelease/objects.yaml
@ -38,10 +38,6 @@ spec:
    - kind: Secret
      name: test
      valuesKey: secrets.yaml
    - kind: Secret
      name: test
      valuesKey: flatValue
      targetPath: aFlatValue
    - kind: ConfigMap
      name: none
      optional: true
@ -65,4 +61,3 @@ stringData:
  secrets.yaml: |
    secret: "test"
    override: "secret"
  flatValue: some-flat-value
--- a/cmd/flux/testdata/debug_helmrelease/values-from.golden.yaml
+++ b/cmd/flux/testdata/debug_helmrelease/values-from.golden.yaml
@ -1,4 +1,3 @@
 aFlatValue: some-flat-value
 cm: test
 image:
  repository: stefanprodan/podinfo
--- a/go.mod
+++ b/go.mod
@ -50,15 +50,15 @@ require (
 	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5
 	github.com/spf13/cobra v1.8.1
 	github.com/theckman/yacspin v0.13.12
-	golang.org/x/crypto v0.36.0
+	golang.org/x/crypto v0.33.0
-	golang.org/x/term v0.30.0
+	golang.org/x/term v0.29.0
-	golang.org/x/text v0.23.0
+	golang.org/x/text v0.22.0
 	k8s.io/api v0.32.2
 	k8s.io/apiextensions-apiserver v0.32.2
 	k8s.io/apimachinery v0.32.2
-	k8s.io/cli-runtime v0.32.2
+	k8s.io/cli-runtime v0.32.1
 	k8s.io/client-go v0.32.2
-	k8s.io/kubectl v0.32.2
+	k8s.io/kubectl v0.32.1
 	sigs.k8s.io/controller-runtime v0.20.2
 	sigs.k8s.io/kustomize/api v0.19.0
 	sigs.k8s.io/kustomize/kyaml v0.19.0
@ -239,10 +239,10 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
 	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.4.0 // indirect
-	golang.org/x/net v0.37.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/oauth2 v0.25.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
@ -254,7 +254,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	helm.sh/helm/v3 v3.17.3 // indirect
+	helm.sh/helm/v3 v3.17.0 // indirect
 	k8s.io/component-base v0.32.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect
--- a/go.sum
+++ b/go.sum
@ -616,8 +616,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@ -642,8 +642,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
 golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -657,8 +657,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -685,8 +685,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@ -696,8 +696,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -708,8 +708,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -758,16 +758,16 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
-helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg=
+helm.sh/helm/v3 v3.17.0 h1:DUD4AGdNVn7PSTYfxe1gmQG7s18QeWv/4jI9TubnhT0=
-helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
+helm.sh/helm/v3 v3.17.0/go.mod h1:Mo7eGyKPPHlS0Ml67W8z/lbkox/gD9Xt1XpD6bxvZZA=
 k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw=
 k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y=
 k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
 k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
 k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ=
 k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks=
+k8s.io/cli-runtime v0.32.1 h1:19nwZPlYGJPUDbhAxDIS2/oydCikvKMHsxroKNGA2mM=
-k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8=
+k8s.io/cli-runtime v0.32.1/go.mod h1:NJPbeadVFnV2E7B7vF+FvU09mpwYlZCu8PqjzfuOnkY=
 k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA=
 k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94=
 k8s.io/component-base v0.32.2 h1:1aUL5Vdmu7qNo4ZsE+569PV5zFatM9hl+lb3dEea2zU=
@ -776,8 +776,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 h1:hcha5B1kVACrLujCKLbr8XWMxCxzQx42DY8QKYJrDLg=
 k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7/go.mod h1:GewRfANuJ70iYzvn+i4lezLDAFzvjxZYK1gn1lWcfas=
-k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us=
+k8s.io/kubectl v0.32.1 h1:/btLtXLQUU1rWx8AEvX9jrb9LaI6yeezt3sFALhB8M8=
-k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8=
+k8s.io/kubectl v0.32.1/go.mod h1:sezNuyWi1STk4ZNPVRIFfgjqMI6XMf+oCVLjZen/pFQ=
 k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.20.2 h1:/439OZVxoEc02psi1h4QO3bHzTgu49bb347Xp4gW1pc=
--- a/internal/build/build.go
+++ b/internal/build/build.go
@ -258,7 +258,7 @@ func NewBuilder(name, resources string, opts ...BuilderOptionFunc) (*Builder, er
 		b.timeout = defaultTimeout
 	}
-	if b.dryRun && b.kustomizationFile == "" && b.kustomization == nil {
+	if b.dryRun && b.kustomizationFile == "" {
 		return nil, fmt.Errorf("kustomization file is required for dry-run")
 	}
@ -355,9 +355,7 @@ func (b *Builder) build() (m resmap.ResMap, err error) {
 	// Get the kustomization object
 	liveKus := &kustomizev1.Kustomization{}
-	if b.dryRun {
+	if !b.dryRun {
 		liveKus = b.kustomization
 	} else {
 		liveKus, err = b.getKustomization(ctx)
 		if err != nil {
 			if !apierrors.IsNotFound(err) || b.kustomization == nil {
@ -367,7 +365,6 @@ func (b *Builder) build() (m resmap.ResMap, err error) {
 			liveKus = b.kustomization
 		}
 	}
 	k, err := b.resolveKustomization(liveKus)
 	if err != nil {
 		err = fmt.Errorf("failed to get kustomization object: %w", err)
@ -435,7 +432,6 @@ func (b *Builder) kustomizationBuild(k *kustomizev1.Kustomization) ([]*unstructu
 		WithStrictSubstitute(b.strictSubst),
 		WithRecursive(b.recursive),
 		WithLocalSources(b.localSources),
 		WithDryRun(b.dryRun),
 	)
 	if err != nil {
 		return nil, err
@ -468,8 +464,6 @@ func (b *Builder) unMarshallKustomization() (*kustomizev1.Kustomization, error)
 	decoder := k8syaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(data), len(data))
 	// check for kustomization in yaml with the same name and namespace
 	for {
 		// ensure the target struct is emptied before decoding
 		k = &kustomizev1.Kustomization{}
 		err = decoder.Decode(k)
 		if err != nil {
 			if err == io.EOF {
--- a/internal/build/build_test.go
+++ b/internal/build/build_test.go
@ -226,16 +226,6 @@ func Test_unMarshallKustomization(t *testing.T) {
 			}
 		})
 	}
 	t.Run("correct parsing of multiple documents", func(t *testing.T) {
 		b.kustomizationFile = "testdata/local-kustomization/multi-doc-reset.yaml"
 		ks, err := b.unMarshallKustomization()
 		if err != nil {
 			t.Errorf("unexpected err '%s'", err)
 		}
 		if len(ks.Spec.Components) > 0 {
 			t.Errorf("previous Kustomization in file leaked into subsequent Kustomizations")
 		}
 	})
 }
 func Test_ResolveKustomization(t *testing.T) {
--- a/internal/build/testdata/local-kustomization/multi-doc-reset.yaml
+++ b/internal/build/testdata/local-kustomization/multi-doc-reset.yaml
@ -1,18 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: first
  namespace: flux-system
 spec:
  path: "./k8s/first"
  components:
  - foo
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: podinfo
  namespace: flux-system
 spec:
  path: "./k8s/second"
 ---
--- a/rfcs/0007-git-repo-passwordless-auth/README.md
+++ b/rfcs/0007-git-repo-passwordless-auth/README.md
@ -262,7 +262,7 @@ spec:
 ---
 kind: Secret
 metadata:
-  name: github-app
+  name: github-sa
 stringData:
  githubAppID: <app-id>
  githubInstallationID: <installation-id>
--- a/rfcs/0008-custom-event-metadata-from-annotations/README.md
+++ b/rfcs/0008-custom-event-metadata-from-annotations/README.md
@ -1,6 +1,6 @@
 # RFC-0008 Custom Event Metadata from Annotations
-**Status:** implemented
+**Status:** implementable
 <!--
 Status represents the current state of the RFC.
@ -9,7 +9,7 @@ Must be one of `provisional`, `implementable`, `implemented`, `deferred`, `rejec
 **Creation date:** 2024-05-23
-**Last update:** 2025-02-22
+**Last update:** 2024-12-17
 ## Summary
@ -241,8 +241,6 @@ To disable the feature, do not use `event.toolkit.fluxcd.io/` as a prefix in Flu
 ## Implementation History
 * RFC implemented and generally available in Flux v2.5.
 <!--
 Major milestones in the lifecycle of the RFC such as:
 - The first Flux release where an initial version of the RFC was available.
--- a/rfcs/0009-custom-health-checks/README.md
+++ b/rfcs/0009-custom-health-checks/README.md
@ -1,10 +1,10 @@
 # RFC-0009 Custom Health Checks for Kustomization using Common Expression Language (CEL)
-**Status:** implemented
+**Status:** implementable
 **Creation date:** 2024-01-05
-**Last update:** 2025-02-22
+**Last update:** 2025-01-23
 ## Summary
@ -329,4 +329,3 @@ We will implement a `CEL` environment that will use the Kubernetes CEL library t
 ## Implementation History
 * RFC implemented and generally available in Flux v2.5.
--- a/rfcs/0010-multi-tenant-workload-identity/README.md
+++ b/rfcs/0010-multi-tenant-workload-identity/README.md