Merge pull request #5216 from fluxcd/backport-5214-to-release/v2.5.x

[release/v2.5.x] Update kustomize-controller to v1.5.1
Update toolkit components
209 changed files with 2964 additions and 3408 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -6,9 +6,11 @@ updates:
    labels: ["area/ci", "dependencies"]
    groups:
      # Group all updates together, so that they are all applied in a single PR.
      # Grouped updates are currently in beta and is subject to change.
      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
      ci:
        patterns:
          - "*"
    schedule:
-      interval: "monthly"
+      # By default, this will be on a monday.
      interval: "weekly"
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@ -44,12 +44,15 @@
  description: Feature request proposals in the RFC format
  color: '#D621C3'
  aliases: ['area/RFC']
- name: backport:release/v2.4.x
+- name: backport:release/v2.0.x
-  description: To be backported to release/v2.4.x
+  description: To be backported to release/v2.0.x
  color: '#ffd700'
- name: backport:release/v2.5.x
+- name: backport:release/v2.1.x
-  description: To be backported to release/v2.5.x
+  description: To be backported to release/v2.1.x
  color: '#ffd700'
- name: backport:release/v2.6.x
+- name: backport:release/v2.2.x
-  description: To be backported to release/v2.6.x
+  description: To be backported to release/v2.2.x
  color: '#ffd700'
 - name: backport:release/v2.3.x
  description: To be backported to release/v2.3.x
  color: '#ffd700'
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@ -20,7 +20,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Create backport PRs
-        uses: korthout/backport-action@0193454f0c5947491d348f33a275c119f30eb736 # v3.2.1
+        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
        # xref: https://github.com/korthout/backport-action#inputs
        with:
          # Use token to allow workflows to be triggered for the created PR
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -9,7 +9,7 @@ permissions:
  contents: read
 env:
-  GO_VERSION: 1.24.x
+  GO_VERSION: 1.23.x
 jobs:
  conform-kubernetes:
@ -19,13 +19,13 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
-        KUBERNETES_VERSION: [1.31.5, 1.32.1, 1.33.0]
+        KUBERNETES_VERSION: [1.30.9, 1.31.5, 1.32.1 ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@ -42,7 +42,7 @@ jobs:
      - name: Setup Kubernetes
        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.27.0
+          version: v0.22.0
          cluster_name: ${{ steps.prep.outputs.CLUSTER }}
          node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
      - name: Run e2e tests
@ -76,13 +76,13 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Available versions can be found with "replicated cluster versions"
-        K3S_VERSION: [ 1.31.8, 1.32.4, 1.33.0 ]
+        K3S_VERSION: [ 1.30.9, 1.31.5, 1.32.1 ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@ -97,7 +97,7 @@ jobs:
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
        run: make build-dev
      - name: Create repository
@ -107,7 +107,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
-        uses: replicatedhq/replicated-actions/create-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
+        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "k3s"
@ -151,7 +151,7 @@ jobs:
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
+        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
@ -169,13 +169,13 @@ jobs:
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
-        OPENSHIFT_VERSION: [ 4.18.0-okd ]
+        OPENSHIFT_VERSION: [ 4.17.0-okd ]
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@ -190,7 +190,7 @@ jobs:
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
        run: make build-dev
      - name: Create repository
@ -200,7 +200,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
-        uses: replicatedhq/replicated-actions/create-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
+        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "openshift"
@ -242,7 +242,7 @@ jobs:
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
+        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@ -32,9 +32,9 @@ jobs:
      - name: CheckoutD
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.24.x
+          go-version: 1.23.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@ -49,7 +49,7 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Azure
-        uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v1.4.6
+        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.4.6
        with:
          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
      - name: Set dynamic variables in .env
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@ -19,9 +19,9 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.24.x
+          go-version: 1.23.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
@ -32,12 +32,12 @@ jobs:
          cluster_name: kind
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.33.0-amd64
+          node_image: ghcr.io/fluxcd/kindest/node:v1.31.0-amd64
-          kubectl_version: v1.32.0
+          kubectl_version: v1.31.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup yq
-        uses: fluxcd/pkg/actions/yq@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+        uses: fluxcd/pkg/actions/yq@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Build
        run: make build-dev
      - name: Set outputs
@ -107,8 +107,6 @@ jobs:
          ./bin/flux reconcile image repository podinfo
          ./bin/flux reconcile image update flux-system
          ./bin/flux get images all
          ./bin/flux -n flux-system events --for ImageUpdateAutomation/flux-system
          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system
          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
           yq '.status.lastPushCommit | length > 1' | grep 'true'
        env:
--- a/.github/workflows/e2e-gcp.yaml
+++ b/.github/workflows/e2e-gcp.yaml
@ -31,9 +31,9 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.24.x
+          go-version: 1.23.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@ -48,7 +48,7 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
        id: 'auth'
        with:
          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
@ -56,11 +56,11 @@ jobs:
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
      - name: Log into us-central1-docker.pkg.dev
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: us-central1-docker.pkg.dev
          username: oauth2accesstoken
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -25,9 +25,9 @@ jobs:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.24.x
+          go-version: 1.23.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
@ -40,13 +40,13 @@ jobs:
          config: .github/kind/config.yaml # disable KIND-net
          # The versions below should target the oldest supported Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.31.5-amd64
+          node_image: ghcr.io/fluxcd/kindest/node:v1.30.9-amd64
-          kubectl_version: v1.32.0
+          kubectl_version: v1.30.9
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Run tests
        run: make test
      - name: Run e2e tests
@ -247,7 +247,7 @@ jobs:
      - name: Debug failure
        if: failure()
        run: |
-          kubectl version --client
+          kubectl version --client --short
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system get kustomizations -oyaml
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@ -21,19 +21,19 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run analysis
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: results.sarif
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -2,7 +2,7 @@ name: release
 on:
  push:
-    tags: ["v*"]
+    tags: [ 'v*' ]
 permissions:
  contents: read
@ -24,29 +24,29 @@ jobs:
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.24.x
+          go-version: 1.23.x
          cache: false
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@cee1b8e05ae5b2593a75e197229729eabaa9f8ec # v0.20.2
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@ -59,19 +59,30 @@ jobs:
        run: |
          kustomize build manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg/actions/crdjsonschema@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+        uses: fluxcd/pkg/actions/crdjsonschema@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
        with:
          crd: all-crds.yaml
          output: schemas
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Download release notes utility
        env:
          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
      - name: Generate release notes
        run: |
          NOTES="./output/notes.md"
          echo '## CLI Changelog' > ${NOTES}
          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        with:
          version: latest
-          args: release --skip=validate
+          args: release --release-notes=output/notes.md --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
@ -82,13 +93,13 @@ jobs:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
-
+          
          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-
+          
          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
          echo "image_url=$image_url" >> $GITHUB_OUTPUT
-
+          
          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
@ -101,7 +112,7 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@9e79277372c4746ff091eba1f10aee82974ecdaa # main
+        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup Flux CLI
        uses: ./action/
      - name: Prepare
@ -110,13 +121,13 @@ jobs:
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@ -126,7 +137,7 @@ jobs:
          flux install --registry=ghcr.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./ghcr.io/flux-system/gotk-components.yaml
-
+          
          cd ./ghcr.io && flux push artifact \
          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --path="./flux-system" \
@ -138,13 +149,13 @@ jobs:
          flux install --registry=docker.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./docker.io/flux-system/gotk-components.yaml
-
+          
          cd ./docker.io && flux push artifact \
          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+      - uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
@ -165,7 +176,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
@ -177,7 +188,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
@ -191,10 +202,10 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      registry-password: ${{ secrets.GHCR_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@ -19,12 +19,45 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
+        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}
  scan-snyk:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Download modules and build manifests
        run: |
          make tidy
          make cmd/flux/.manifests.done
      - uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
          snyk test --all-projects --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
        continue-on-error: true
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          sarif_file: snyk.sarif
  scan-codeql:
    runs-on: ubuntu-latest
    permissions:
@ -34,20 +67,20 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        with:
          languages: go
          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # xref: https://codeql.github.com/codeql-query-help/go/
          queries: security-and-quality
      - name: Autobuild
-        uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@ -20,21 +20,19 @@ jobs:
      - name: Check out code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
-          go-version: 1.24.x
+          go-version: 1.23.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Update component versions
        id: update
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PR_BODY=$(mktemp)
          bump_version() {
-            local LATEST_VERSION=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
@ -86,7 +84,7 @@ jobs:
      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,6 +1,4 @@
 project_name: flux
 changelog:
  use: github-native
 builds:
  - <<: &build_defaults
      binary: flux
--- a/.scorecard.yml
+++ b/.scorecard.yml
@ -1,5 +0,0 @@
 annotations:
  - checks:
      - dangerous-workflow
    reasons:
      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -67,8 +67,8 @@ for source changes.
 Prerequisites:
-* go >= 1.24
+* go >= 1.20
-* kubectl >= 1.30
+* kubectl >= 1.24
 * kustomize >= 5.0
 * coreutils (on Mac OS)
--- a/2
+++ b/2
@ -3,7 +3,7 @@ FROM alpine:3.21 AS builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.33.0
+ARG KUBECTL_VER=1.32.2
 RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
--- a/4
+++ b/4
@ -17,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build
 tidy:
-	go mod tidy -compat=1.24
+	go mod tidy -compat=1.23
-	cd tests/integration && go mod tidy -compat=1.24
+	cd tests/integration && go mod tidy -compat=1.23
 fmt:
 	go fmt ./...
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@ -42,7 +42,7 @@ import (
 var bootstrapGitLabCmd = &cobra.Command{
 	Use:   "gitlab",
 	Short: "Deploy Flux on a cluster connected to a GitLab repository",
-	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exist and
+	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and
 commits the Flux manifests to the specified branch.
 Then it configures the target cluster to synchronize with that repository.
 If the Flux components are present on the cluster,
--- a/cmd/flux/build_artifact.go
+++ b/cmd/flux/build_artifact.go
@ -26,15 +26,15 @@ import (
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/pkg/oci"
+	oci "github.com/fluxcd/pkg/oci/client"
 	"github.com/fluxcd/pkg/sourceignore"
 )
 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
-	Long: `The build artifact command creates a tgz file with the manifests
+	Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
-from the given directory or a single manifest file.`,
+from the given directory or a single manifest file.`),
 	Example: `  # Build the given manifests directory into an artifact
  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@ -169,12 +169,6 @@ spec:
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive in dry-run mode",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@ -60,7 +60,7 @@ type checkFlags struct {
 }
 var kubernetesConstraints = []string{
-	">=1.31.0-0",
+	">=1.30.0-0",
 }
 var checkArgs checkFlags
@ -217,7 +217,7 @@ func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
 				}
 			}
 			for _, c := range d.Spec.Template.Spec.Containers {
-				logger.Actionf("%s", c.Image)
+				logger.Actionf(c.Image)
 			}
 		}
 	}
@ -238,7 +238,7 @@ func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
 		for _, crd := range list.Items {
 			versions := crd.Status.StoredVersions
 			if len(versions) > 0 {
-				logger.Successf("%s", crd.Name+"/"+versions[len(versions)-1])
+				logger.Successf(crd.Name + "/" + versions[len(versions)-1])
 			} else {
 				ok = false
 				logger.Failuref("no stored versions for %s", crd.Name)
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@ -37,6 +37,7 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@ -141,7 +142,7 @@ var helmReleaseArgs helmReleaseFlags
 var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
-var supportedHelmReleaseReferenceKinds = []string{sourcev1.OCIRepositoryKind, sourcev1.HelmChartKind}
+var supportedHelmReleaseReferenceKinds = []string{sourcev1b2.OCIRepositoryKind, sourcev1.HelmChartKind}
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
@ -221,7 +222,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	case helmReleaseArgs.chartRef != "":
 		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
-		if kind != sourcev1.HelmChartKind && kind != sourcev1.OCIRepositoryKind {
+		if kind != sourcev1.HelmChartKind && kind != sourcev1b2.OCIRepositoryKind {
 			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
 				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
 		}
@ -234,7 +235,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	if helmReleaseArgs.kubeConfigSecretRef != "" {
 		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: &meta.SecretKeyReference{
+			SecretRef: meta.SecretKeyReference{
 				Name: helmReleaseArgs.kubeConfigSecretRef,
 			},
 		}
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@ -20,7 +20,6 @@ import (
 	"fmt"
 	"regexp/syntax"
 	"strings"
 	"time"
 	"unicode"
 	"unicode/utf8"
@ -35,12 +34,12 @@ import (
 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
-	Long: `The create image policy command generates an ImagePolicy resource.
+	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.
 The image that sorts highest according to the policy is recorded in
-the status of the object.`,
+the status of the object.`),
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
@ -61,8 +60,6 @@ type imagePolicyFlags struct {
 	numeric       string
 	filterRegex   string
 	filterExtract string
 	reflectDigest string
 	interval      time.Duration
 }
 var imagePolicyArgs = imagePolicyFlags{}
@ -75,8 +72,6 @@ func init() {
 	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
 	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
 	flags.StringVar(&imagePolicyArgs.reflectDigest, "reflect-digest", "", "the digest reflection policy to use when observing latest image tags (one of 'Never', 'IfNotPresent', 'Never')")
 	flags.DurationVar(&imagePolicyArgs.interval, "interval", 0, "the interval at which to check for new image digests when the policy is set to 'Always'")
 	createImageCmd.AddCommand(createImagePolicyCmd)
 }
@ -158,20 +153,6 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
 	}
 	if p := imagev1.ReflectionPolicy(imagePolicyArgs.reflectDigest); p != "" {
 		if p != imagev1.ReflectNever && p != imagev1.ReflectIfNotPresent && p != imagev1.ReflectAlways {
 			return fmt.Errorf("invalid value for --reflect-digest, must be one of 'Never', 'IfNotPresent', 'Always'")
 		}
 		policy.Spec.DigestReflectionPolicy = p
 	}
 	if imagePolicyArgs.interval != 0 {
 		if imagePolicyArgs.reflectDigest != string(imagev1.ReflectAlways) {
 			return fmt.Errorf("the --interval flag can only be used with the 'Always' digest reflection policy, use --reflect-digest=Always")
 		}
 		policy.Spec.Interval = &metav1.Duration{Duration: imagePolicyArgs.interval}
 	}
 	if createArgs.export {
 		return printExport(exportImagePolicy(&policy))
 	}
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@ -32,8 +32,8 @@ import (
 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
-	Long: `The create image repository command generates an ImageRepository resource.
+	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
-An ImageRepository object specifies an image repository to scan.`,
+An ImageRepository object specifies an image repository to scan.`),
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@ -29,9 +29,9 @@ import (
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
-	Long: `The create image update command generates an ImageUpdateAutomation resource.
+	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
-mentioned in YAMLs in a git repository.`,
+mentioned in YAMLs in a git repository.`),
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@ -171,7 +171,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	if kustomizationArgs.kubeConfigSecretRef != "" {
 		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: &meta.SecretKeyReference{
+			SecretRef: meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
 		}
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@ -172,7 +172,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
-	secret, err := sourcesecret.GenerateGit(opts)
+	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_github_app.go
+++ b/cmd/flux/create_secret_github_app.go
@ -99,7 +99,7 @@ func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
 		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
 	}
-	secret, err := sourcesecret.GenerateGitHubApp(opts)
+	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@ -83,12 +83,10 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	var certFile, keyFile []byte
-	if secretHelmArgs.tlsCrtFile != "" {
+	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
 		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 	}
 	if secretHelmArgs.tlsKeyFile != "" {
 		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
@ -104,7 +102,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		TLSCrt:    certFile,
 		TLSKey:    keyFile,
 	}
-	secret, err := sourcesecret.GenerateHelm(opts)
+	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_notation.go
+++ b/cmd/flux/create_secret_notation.go
@ -132,7 +132,7 @@ func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
 		VerificationCrts: caCerts,
 		TrustPolicy:      policy,
 	}
-	secret, err := sourcesecret.GenerateNotation(opts)
+	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_oci.go
+++ b/cmd/flux/create_secret_oci.go
@ -92,7 +92,7 @@ func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretOCIArgs.username,
 	}
-	secret, err := sourcesecret.GenerateOCI(opts)
+	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_proxy.go
+++ b/cmd/flux/create_secret_proxy.go
@ -83,7 +83,7 @@ func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretProxyArgs.username,
 		Password:  secretProxyArgs.password,
 	}
-	secret, err := sourcesecret.GenerateProxy(opts)
+	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@ -84,18 +84,16 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
-	if secretTLSArgs.tlsCrtFile != "" {
+	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
 		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 	}
 	if secretTLSArgs.tlsKeyFile != "" {
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
-	secret, err := sourcesecret.GenerateTLS(opts)
+	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@ -44,26 +44,25 @@ import (
 )
 type sourceGitFlags struct {
-	url                 string
+	url               string
-	branch              string
+	branch            string
-	tag                 string
+	tag               string
-	semver              string
+	semver            string
-	refName             string
+	refName           string
-	commit              string
+	commit            string
-	username            string
+	username          string
-	password            string
+	password          string
-	keyAlgorithm        flags.PublicKeyAlgorithm
+	keyAlgorithm      flags.PublicKeyAlgorithm
-	keyRSABits          flags.RSAKeyBits
+	keyRSABits        flags.RSAKeyBits
-	keyECDSACurve       flags.ECDSACurve
+	keyECDSACurve     flags.ECDSACurve
-	secretRef           string
+	secretRef         string
-	proxySecretRef      string
+	proxySecretRef    string
-	provider            flags.SourceGitProvider
+	provider          flags.SourceGitProvider
-	caFile              string
+	caFile            string
-	privateKeyFile      string
+	privateKeyFile    string
-	recurseSubmodules   bool
+	recurseSubmodules bool
-	silent              bool
+	silent            bool
-	ignorePaths         []string
+	ignorePaths       []string
 	sparseCheckoutPaths []string
 }
 var createSourceGitCmd = &cobra.Command{
@ -139,7 +138,7 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", " git reference name")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
@ -155,7 +154,6 @@ func init() {
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.sparseCheckoutPaths, "sparse-checkout-paths", nil, "set paths to sparse checkout in git resource (can specify multiple paths with commas: path1,path2)")
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@ -222,7 +220,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			Ignore:            ignorePaths,
 			SparseCheckout:    sourceGitArgs.sparseCheckoutPaths,
 		},
 	}
@ -305,7 +302,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
-		secret, err := sourcesecret.GenerateGit(secretOpts)
+		secret, err := sourcesecret.Generate(secretOpts)
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@ -87,7 +87,7 @@ func (r *reconciler) conditionFunc() (bool, error) {
 }
 func TestCreateSourceGitExport(t *testing.T) {
-	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --sparse-checkout-paths .cosign,non-existent-dir/ --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
 	cases := []struct {
 		name   string
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@ -202,7 +202,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		secret, err := sourcesecret.GenerateHelm(secretOpts)
+		secret, err := sourcesecret.Generate(secretOpts)
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@ -29,7 +29,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@ -79,7 +81,7 @@ var sourceOCIRepositoryArgs = newSourceOCIFlags()
 func newSourceOCIFlags() sourceOCIRepositoryFlags {
 	return sourceOCIRepositoryFlags{
-		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
+		provider: flags.SourceOCIProvider(sourcev1b2.GenericOCIProvider),
 	}
 }
@ -125,20 +127,20 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		ignorePaths = &ignorePathsStr
 	}
-	repository := &sourcev1.OCIRepository{
+	repository := &sourcev1b2.OCIRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: sourcev1.OCIRepositorySpec{
+		Spec: sourcev1b2.OCIRepositorySpec{
 			Provider: sourceOCIRepositoryArgs.provider.String(),
 			URL:      sourceOCIRepositoryArgs.url,
 			Insecure: sourceOCIRepositoryArgs.insecure,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			Reference: &sourcev1.OCIRepositoryRef{},
+			Reference: &sourcev1b2.OCIRepositoryRef{},
 			Ignore:    ignorePaths,
 		},
 	}
@ -235,13 +237,13 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 }
 func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
-	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
+	ociRepository *sourcev1b2.OCIRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: ociRepository.GetNamespace(),
 		Name:      ociRepository.GetName(),
 	}
-	var existing sourcev1.OCIRepository
+	var existing sourcev1b2.OCIRepository
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@ -59,7 +59,6 @@ const (
 type tenantFlags struct {
 	namespaces  []string
 	clusterRole string
 	account     string
 }
 var tenantArgs tenantFlags
@ -67,7 +66,6 @@ var tenantArgs tenantFlags
 func init() {
 	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
 	createCmd.AddCommand(createTenantCmd)
 }
@ -109,17 +107,9 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		namespaces = append(namespaces, namespace)
 		accountName := tenant
 		if tenantArgs.account != "" {
 			accountName = tenantArgs.account
 		}
 		if err := validation.IsQualifiedName(accountName); len(err) > 0 {
 			return fmt.Errorf("invalid service-account name '%s': %v", accountName, err)
 		}
 		account := corev1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      accountName,
+				Name:      tenant,
 				Namespace: ns,
 				Labels:    objLabels,
 			},
@ -141,7 +131,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 				},
 				{
 					Kind:      "ServiceAccount",
-					Name:      accountName,
+					Name:      tenant,
 					Namespace: ns,
 				},
 			},
@ -293,9 +283,9 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}
-	rootCmd.Println("---")
+	fmt.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	rootCmd.Println(resourceToString(data))
+	fmt.Println(resourceToString(data))
 	account.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
@ -306,9 +296,9 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}
-	rootCmd.Println("---")
+	fmt.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	rootCmd.Println(resourceToString(data))
+	fmt.Println(resourceToString(data))
 	roleBinding.TypeMeta = metav1.TypeMeta{
 		APIVersion: "rbac.authorization.k8s.io/v1",
@ -319,8 +309,8 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}
-	rootCmd.Println("---")
+	fmt.Println("---")
-	rootCmd.Println(resourceToString(data))
+	fmt.Println(resourceToString(data))
 	return nil
 }
--- a/cmd/flux/create_tenant_test.go
+++ b/cmd/flux/create_tenant_test.go
@ -1,68 +0,0 @@
 //go:build e2e
 // +build e2e
 /*
 Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateTenant(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "no args",
 			args:   "create tenant",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "no namespace",
 			args:   "create tenant dev-team --cluster-role=cluster-admin",
 			assert: assertError("with-namespace is required"),
 		},
 		{
 			name:   "basic tenant",
 			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --export",
 			assert: assertGoldenFile("./testdata/create_tenant/tenant-basic.yaml"),
 		},
 		{
 			name:   "tenant with custom serviceaccount",
 			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --with-service-account=flux-tenant --export",
 			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-service-account.yaml"),
 		},
 		{
 			name:   "tenant with custom cluster role",
 			args:   "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
 			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/debug_helmrelease.go
+++ b/cmd/flux/debug_helmrelease.go
@ -21,6 +21,7 @@ import (
 	"fmt"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/chartutil"
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
@ -92,12 +93,23 @@ func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if debugHelmReleaseArgs.showValues {
 		// TODO(stefan): remove the mapping when helm-controller/api v1.2.0 has been released
 		var valuesRefs []meta.ValuesReference
 		for _, source := range hr.Spec.ValuesFrom {
 			valuesRefs = append(valuesRefs, meta.ValuesReference{
 				Kind:      source.Kind,
 				Name:      source.Name,
 				ValuesKey: source.ValuesKey,
 				Optional:  source.Optional,
 			})
 		}
 		finalValues, err := chartutil.ChartValuesFromReferences(ctx,
 			logr.Discard(),
 			kubeClient,
 			hr.GetNamespace(),
 			hr.GetValues(),
-			hr.Spec.ValuesFrom...)
+			valuesRefs...)
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@ -25,7 +25,7 @@ import (
 var deleteImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  `The delete image policy command deletes the given ImagePolicy from the cluster.`,
+	Long:  withPreviewNote(`The delete image policy command deletes the given ImagePolicy from the cluster.`),
 	Example: `  # Delete an image policy
  flux delete image policy alpine3.x`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@ -25,7 +25,7 @@ import (
 var deleteImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
+	Long:  withPreviewNote("The delete image repository command deletes the given ImageRepository from the cluster."),
 	Example: `  # Delete an image repository
  flux delete image repository alpine`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@ -25,7 +25,7 @@ import (
 var deleteImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  `The delete image update command deletes the given ImageUpdateAutomation from the cluster.`,
+	Long:  withPreviewNote(`The delete image update command deletes the given ImageUpdateAutomation from the cluster.`),
 	Example: `  # Delete an image update automation
  flux delete image update latest-images`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
--- a/cmd/flux/delete_source_chart.go
+++ b/cmd/flux/delete_source_chart.go
@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var deleteSourceChartCmd = &cobra.Command{
--- a/cmd/flux/delete_source_oci.go
+++ b/cmd/flux/delete_source_oci.go
@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var deleteSourceOCIRepositoryCmd = &cobra.Command{
--- a/cmd/flux/diff_artifact.go
+++ b/cmd/flux/diff_artifact.go
@ -21,9 +21,8 @@ import (
 	"fmt"
 	"os"
-	"github.com/fluxcd/pkg/oci"
+	oci "github.com/fluxcd/pkg/oci/client"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
@ -32,7 +31,7 @@ import (
 var diffArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Diff Artifact",
-	Long:  `The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`,
+	Long:  withPreviewNote(`The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`),
 	Example: `# Check if local files differ from remote
 flux diff artifact oci://ghcr.io/stefanprodan/manifests:podinfo:6.2.0 --path=./kustomize`,
 	RunE: diffArtifactCmdRun,
@ -43,7 +42,6 @@ type diffArtifactFlags struct {
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
 	insecure    bool
 }
 var diffArtifactArgs = newDiffArtifactArgs()
@ -59,7 +57,6 @@ func init() {
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	diffArtifactCmd.Flags().Var(&diffArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	diffArtifactCmd.Flags().StringSliceVar(&diffArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
 	diffArtifactCmd.Flags().BoolVar(&diffArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifact to be pulled without TLS")
 	diffCmd.AddCommand(diffArtifactCmd)
 }
@ -85,27 +82,24 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	opts := oci.DefaultOptions()
+	ociClient := oci.NewClient(oci.DefaultOptions())
-	if diffArtifactArgs.insecure {
+	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
-		opts = append(opts, crane.Insecure)
+		logger.Actionf("logging in to registry with credentials")
 		if err := ociClient.LoginWithCredentials(diffArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
 	if diffArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
-		opt, err := loginWithProvider(ctx, url, diffArtifactArgs.provider.String())
+		ociProvider, err := diffArtifactArgs.provider.ToOCIProvider()
 		if err != nil {
-			return fmt.Errorf("error during login with provider: %w", err)
+			return fmt.Errorf("provider not supported: %w", err)
 		}
 		opts = append(opts, opt)
 	}
-	ociClient := oci.NewClient(opts)
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
-
+			return fmt.Errorf("error during login with provider: %w", err)
 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
 		if err := ociClient.LoginWithCredentials(diffArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
--- a/cmd/flux/diff_artifact_test.go
+++ b/cmd/flux/diff_artifact_test.go
@ -96,7 +96,7 @@ func TestDiffArtifact(t *testing.T) {
 			tt.url = fmt.Sprintf(tt.url, dockerReg)
 			_, err := executeCommand("push artifact " + tt.url + " --path=" + tt.pushFile + " --source=test --revision=test")
 			if err != nil {
-				t.Fatal(fmt.Errorf("failed to push image: %w", err).Error())
+				t.Fatalf(fmt.Errorf("failed to push image: %w", err).Error())
 			}
 			cmd := cmdTestCase{
--- a/cmd/flux/diff_kustomization_test.go
+++ b/cmd/flux/diff_kustomization_test.go
@ -27,7 +27,6 @@ import (
 	"github.com/fluxcd/flux2/v2/internal/build"
 	"github.com/fluxcd/pkg/ssa"
 	"github.com/fluxcd/pkg/ssa/normalize"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@ -152,7 +151,7 @@ func createObjectFromFile(objectFile string, templateValues map[string]string, t
 		t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
 	}
-	if err := normalize.UnstructuredList(clientObjects); err != nil {
+	if err := ssa.SetNativeKindsDefaults(clientObjects); err != nil {
 		t.Fatalf("Error setting native kinds defaults for '%s': %v", objectFile, err)
 	}
--- a/cmd/flux/events.go
+++ b/cmd/flux/events.go
@ -46,6 +46,7 @@ import (
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@ -445,7 +446,7 @@ var fluxKindMap = refMap{
 		field:           []string{"spec", "sourceRef"},
 	},
 	sourcev1.GitRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)},
-	sourcev1.OCIRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)},
+	sourcev1b2.OCIRepositoryKind:     {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.OCIRepositoryKind)},
 	sourcev1.BucketKind:              {gvk: sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)},
 	sourcev1.HelmRepositoryKind:      {gvk: sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)},
 	autov1.ImageUpdateAutomationKind: {gvk: autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)},
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@ -26,7 +26,7 @@ import (
 var exportImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Export ImagePolicy resources in YAML format",
-	Long:  "The export image policy command exports one or all ImagePolicy resources in YAML format.",
+	Long:  withPreviewNote("The export image policy command exports one or all ImagePolicy resources in YAML format."),
 	Example: `  # Export all ImagePolicy resources
  flux export image policy --all > image-policies.yaml
--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@ -26,7 +26,7 @@ import (
 var exportImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Export ImageRepository resources in YAML format",
-	Long:  "The export image repository command exports one or all ImageRepository resources in YAML format.",
+	Long:  withPreviewNote("The export image repository command exports one or all ImageRepository resources in YAML format."),
 	Example: `  # Export all ImageRepository resources
  flux export image repository --all > image-repositories.yaml
--- a/cmd/flux/export_image_update.go
+++ b/cmd/flux/export_image_update.go
@ -26,7 +26,7 @@ import (
 var exportImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Export ImageUpdateAutomation resources in YAML format",
-	Long:  "The export image update command exports one or all ImageUpdateAutomation resources in YAML format.",
+	Long:  withPreviewNote("The export image update command exports one or all ImageUpdateAutomation resources in YAML format."),
 	Example: `  # Export all ImageUpdateAutomation resources
  flux export image update --all > updates.yaml
--- a/cmd/flux/export_source_oci.go
+++ b/cmd/flux/export_source_oci.go
@ -21,7 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var exportSourceOCIRepositoryCmd = &cobra.Command{
--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@ -184,13 +184,13 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 	if get.list.len() == 0 {
 		if len(args) > 0 {
-			return fmt.Errorf("%s object '%s' not found in %s namespace",
+			logger.Failuref("%s object '%s' not found in %s namespace",
 				get.kind,
 				args[0],
 				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
 			)
 		} else if !getAll {
-			return fmt.Errorf("no %s objects found in %s namespace",
+			logger.Failuref("no %s objects found in %s namespace",
 				get.kind,
 				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
 			)
--- a/cmd/flux/get_all.go
+++ b/cmd/flux/get_all.go
@ -87,7 +87,7 @@ var getAllCmd = &cobra.Command{
 func logError(err error) {
 	if !apimeta.IsNoMatchError(err) {
-		logger.Failuref("%s", err.Error())
+		logger.Failuref(err.Error())
 	}
 }
--- a/cmd/flux/get_image_all.go
+++ b/cmd/flux/get_image_all.go
@ -26,7 +26,7 @@ import (
 var getImageAllCmd = &cobra.Command{
 	Use:   "all",
 	Short: "Get all image statuses",
-	Long:  "The get image sub-commands print the statuses of all image objects.",
+	Long:  withPreviewNote("The get image sub-commands print the statuses of all image objects."),
 	Example: `  # List all image objects in a namespace
  flux get images all --namespace=flux-system
@ -55,7 +55,7 @@ var getImageAllCmd = &cobra.Command{
 		for _, c := range allImageCmd {
 			if err := c.run(cmd, args); err != nil {
-				logger.Failuref("%s", err.Error())
+				logger.Failuref(err.Error())
 			}
 		}
--- a/cmd/flux/get_image_policy.go
+++ b/cmd/flux/get_image_policy.go
@ -28,7 +28,7 @@ import (
 var getImagePolicyCmd = &cobra.Command{
 	Use:   "policy",
 	Short: "Get ImagePolicy status",
-	Long:  "The get image policy command prints the status of ImagePolicy objects.",
+	Long:  withPreviewNote("The get image policy command prints the status of ImagePolicy objects."),
 	Example: `  # List all image policies and their status
  flux get image policy
--- a/cmd/flux/get_image_repository.go
+++ b/cmd/flux/get_image_repository.go
@ -32,7 +32,7 @@ import (
 var getImageRepositoryCmd = &cobra.Command{
 	Use:   "repository",
 	Short: "Get ImageRepository status",
-	Long:  "The get image repository command prints the status of ImageRepository objects.",
+	Long:  withPreviewNote("The get image repository command prints the status of ImageRepository objects."),
 	Example: `  # List all image repositories and their status
  flux get image repository
--- a/cmd/flux/get_image_update.go
+++ b/cmd/flux/get_image_update.go
@ -32,7 +32,7 @@ import (
 var getImageUpdateCmd = &cobra.Command{
 	Use:   "update",
 	Short: "Get ImageUpdateAutomation status",
-	Long:  "The get image update command prints the status of ImageUpdateAutomation objects.",
+	Long:  withPreviewNote("The get image update command prints the status of ImageUpdateAutomation objects."),
 	Example: `  # List all image update automation object and their status
  flux get image update
--- a/cmd/flux/get_source_all.go
+++ b/cmd/flux/get_source_all.go
@ -21,6 +21,7 @@ import (
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var getSourceAllCmd = &cobra.Command{
@ -41,7 +42,7 @@ var getSourceAllCmd = &cobra.Command{
 		var allSourceCmd = []getCommand{
 			{
 				apiType: ociRepositoryType,
-				list:    &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
+				list:    &ociRepositoryListAdapter{&sourcev1b2.OCIRepositoryList{}},
 			},
 			{
 				apiType: bucketType,
@ -64,7 +65,7 @@ var getSourceAllCmd = &cobra.Command{
 		for _, c := range allSourceCmd {
 			if err := c.run(cmd, args); err != nil {
 				if !apimeta.IsNoMatchError(err) {
-					logger.Failuref("%s", err.Error())
+					logger.Failuref(err.Error())
 				}
 			}
 		}
--- a/cmd/flux/get_source_oci.go
+++ b/cmd/flux/get_source_oci.go
@ -25,7 +25,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
--- a/cmd/flux/get_test.go
+++ b/cmd/flux/get_test.go
@ -19,10 +19,7 @@ limitations under the License.
 package main
-import (
+import "testing"
 	"fmt"
 	"testing"
 )
 func Test_GetCmd(t *testing.T) {
 	tmpl := map[string]string{
@ -62,76 +59,3 @@ func Test_GetCmd(t *testing.T) {
 		})
 	}
 }
 func Test_GetCmdErrors(t *testing.T) {
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	testEnv.CreateObjectFile("./testdata/get/objects.yaml", tmpl, t)
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "specific object not found",
 			args:   "get kustomization non-existent-resource -n " + tmpl["fluxns"],
 			assert: assertError(fmt.Sprintf("Kustomization object 'non-existent-resource' not found in \"%s\" namespace", tmpl["fluxns"])),
 		},
 		{
 			name:   "no objects found in namespace",
 			args:   "get helmrelease -n " + tmpl["fluxns"],
 			assert: assertError(fmt.Sprintf("no HelmRelease objects found in \"%s\" namespace", tmpl["fluxns"])),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
 func Test_GetCmdSuccess(t *testing.T) {
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	testEnv.CreateObjectFile("./testdata/get/objects.yaml", tmpl, t)
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "list sources git",
 			args:   "get sources git -n " + tmpl["fluxns"],
 			assert: assertSuccess(),
 		},
 		{
 			name:   "get help",
 			args:   "get --help",
 			assert: assertSuccess(),
 		},
 		{
 			name:   "get with all namespaces flag",
 			args:   "get sources git -A",
 			assert: assertSuccess(),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/image_test.go
+++ b/cmd/flux/image_test.go
@ -38,7 +38,7 @@ func TestImageScanning(t *testing.T) {
 			"testdata/image/create_image_repository.golden",
 		},
 		{
-			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --reflect-digest=Always --select-semver=5.0.x",
+			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --select-semver=5.0.x",
 			"testdata/image/create_image_policy.golden",
 		},
 		{
@ -46,7 +46,7 @@ func TestImageScanning(t *testing.T) {
 			"testdata/image/get_image_policy_semver.golden",
 		},
 		{
-			`create image policy podinfo-regex --image-ref=podinfo --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
+			`create image policy podinfo-regex --image-ref=podinfo --interval=10m --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
 			"testdata/image/create_image_policy.golden",
 		},
 		{
--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@ -250,7 +250,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 			Username:  credentials[0],
 			Password:  credentials[1],
 		}
-		imagePullSecret, err := sourcesecret.GenerateOCI(secretOpts)
+		imagePullSecret, err := sourcesecret.Generate(secretOpts)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}
--- a/cmd/flux/list_artifact.go
+++ b/cmd/flux/list_artifact.go
@ -20,11 +20,10 @@ import (
 	"context"
 	"fmt"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/pkg/oci"
+	oci "github.com/fluxcd/pkg/oci/client"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@ -35,7 +34,6 @@ type listArtifactFlags struct {
 	regexFilter  string
 	creds        string
 	provider     flags.SourceOCIProvider
 	insecure     bool
 }
 var listArtifactArgs = newListArtifactFlags()
@ -49,8 +47,8 @@ func newListArtifactFlags() listArtifactFlags {
 var listArtifactsCmd = &cobra.Command{
 	Use:   "artifacts",
 	Short: "list artifacts",
-	Long: `The list command fetches the tags and their metadata from a remote OCI repository.
+	Long: withPreviewNote(`The list command fetches the tags and their metadata from a remote OCI repository.
-The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
 	Example: `  # List the artifacts stored in an OCI repository
  flux list artifact oci://ghcr.io/org/config/app
 `,
@ -62,7 +60,6 @@ func init() {
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.regexFilter, "filter-regex", "", "filter tags returned from the oci repository using regex")
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	listArtifactsCmd.Flags().Var(&listArtifactArgs.provider, "provider", listArtifactArgs.provider.Description())
 	listArtifactsCmd.Flags().BoolVar(&listArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifacts list to be fetched without TLS")
 	listCmd.AddCommand(listArtifactsCmd)
 }
@ -81,27 +78,24 @@ func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	ociOpts := oci.DefaultOptions()
+	ociClient := oci.NewClient(oci.DefaultOptions())
 	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
 		if err := ociClient.LoginWithCredentials(listArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
 	if listArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
-		ociOpt, err := loginWithProvider(ctx, url, listArtifactArgs.provider.String())
+		ociProvider, err := listArtifactArgs.provider.ToOCIProvider()
 		if err != nil {
-			return fmt.Errorf("error during login with provider: %w", err)
+			return fmt.Errorf("provider not supported: %w", err)
 		}
 		ociOpts = append(ociOpts, ociOpt)
 	}
-	if listArtifactArgs.insecure {
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
-		ociOpts = append(ociOpts, crane.Insecure)
+			return fmt.Errorf("error during login with provider: %w", err)
 	}
 	ociClient := oci.NewClient(ociOpts)
 	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
 		if err := ociClient.LoginWithCredentials(listArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
--- a/cmd/flux/oci.go
+++ b/cmd/flux/oci.go
@ -1,41 +0,0 @@
 /*
 Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/fluxcd/pkg/auth"
 	"github.com/fluxcd/pkg/auth/azure"
 	authutils "github.com/fluxcd/pkg/auth/utils"
 )
 // loginWithProvider gets a crane authentication option for the given provider and URL.
 func loginWithProvider(ctx context.Context, url, provider string) (crane.Option, error) {
 	var opts []auth.Option
 	if provider == azure.ProviderName {
 		opts = append(opts, auth.WithAllowShellOut())
 	}
 	authenticator, err := authutils.GetArtifactRegistryCredentials(ctx, provider, url, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("could not login to provider %s with url %s: %w", provider, url, err)
 	}
 	return crane.WithAuth(authenticator), nil
 }
--- a/cmd/flux/pull_artifact.go
+++ b/cmd/flux/pull_artifact.go
@ -21,20 +21,19 @@ import (
 	"fmt"
 	"os"
-	"github.com/google/go-containerregistry/pkg/crane"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/pkg/oci"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	oci "github.com/fluxcd/pkg/oci/client"
 )
 var pullArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Pull artifact",
-	Long: `The pull artifact command downloads and extracts the OCI artifact content to the given path.
+	Long: withPreviewNote(`The pull artifact command downloads and extracts the OCI artifact content to the given path.
-The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
 	Example: `  # Pull an OCI artifact created by flux from GHCR
  flux pull artifact oci://ghcr.io/org/manifests/app:v0.0.1 --output ./path/to/local/manifests
 `,
@ -44,7 +43,6 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 type pullArtifactFlags struct {
 	output   string
 	creds    string
 	insecure bool
 	provider flags.SourceOCIProvider
 }
@ -60,7 +58,6 @@ func init() {
 	pullArtifactCmd.Flags().StringVarP(&pullArtifactArgs.output, "output", "o", "", "path where the artifact content should be extracted.")
 	pullArtifactCmd.Flags().StringVar(&pullArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	pullArtifactCmd.Flags().Var(&pullArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	pullArtifactCmd.Flags().BoolVar(&pullArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pulled without TLS")
 	pullCmd.AddCommand(pullArtifactCmd)
 }
@ -86,27 +83,24 @@ func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	opts := oci.DefaultOptions()
+	ociClient := oci.NewClient(oci.DefaultOptions())
-	if pullArtifactArgs.insecure {
+	if pullArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pullArtifactArgs.creds != "" {
-		opts = append(opts, crane.Insecure)
+		logger.Actionf("logging in to registry with credentials")
 		if err := ociClient.LoginWithCredentials(pullArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
 	if pullArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
-		opt, err := loginWithProvider(ctx, url, pullArtifactArgs.provider.String())
+		ociProvider, err := pullArtifactArgs.provider.ToOCIProvider()
 		if err != nil {
-			return fmt.Errorf("error during login with provider: %w", err)
+			return fmt.Errorf("provider not supported: %w", err)
 		}
 		opts = append(opts, opt)
 	}
 	ociClient := oci.NewClient(opts)
-	if pullArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pullArtifactArgs.creds != "" {
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
-		logger.Actionf("logging in to registry with credentials")
+			return fmt.Errorf("error during login with provider: %w", err)
 		if err := ociClient.LoginWithCredentials(pullArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@ -34,7 +34,9 @@ import (
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/pkg/oci"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	"github.com/fluxcd/pkg/oci/auth/login"
 	"github.com/fluxcd/pkg/oci/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 )
@ -42,8 +44,8 @@ import (
 var pushArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Push artifact",
-	Long: `The push artifact command creates a tarball from the given directory or the single file and uploads the artifact to an OCI repository.
+	Long: withPreviewNote(`The push artifact command creates a tarball from the given directory or the single file and uploads the artifact to an OCI repository.
-The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
 	Example: `  # Push manifests to GHCR using the short Git SHA as the OCI artifact tag
  echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
  flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
@ -113,7 +115,6 @@ type pushArtifactFlags struct {
 	output       string
 	debug        bool
 	reproducible bool
 	insecure     bool
 }
 var pushArtifactArgs = newPushArtifactFlags()
@ -136,7 +137,6 @@ func init() {
 		"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")
 	pushArtifactCmd.Flags().BoolVarP(&pushArtifactArgs.debug, "debug", "", false, "display logs from underlying library")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.reproducible, "reproducible", false, "ensure reproducible image digests by setting the created timestamp to '1970-01-01T00:00:00Z'")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pushed without TLS")
 	pushCmd.AddCommand(pushArtifactCmd)
 }
@ -159,7 +159,7 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
 	}
-	url, err := oci.ParseArtifactURL(ociURL)
+	url, err := client.ParseArtifactURL(ociURL)
 	if err != nil {
 		return err
 	}
@ -198,7 +198,7 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		logs.Warn.SetOutput(os.Stderr)
 	}
-	meta := oci.Metadata{
+	meta := client.Metadata{
 		Source:      pushArtifactArgs.source,
 		Revision:    pushArtifactArgs.revision,
 		Annotations: annotations,
@ -212,24 +212,29 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	var authenticator authn.Authenticator
+	var auth authn.Authenticator
-	opts := oci.DefaultOptions()
+	opts := client.DefaultOptions()
 	if pushArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pushArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
-		authenticator, err = oci.GetAuthFromCredentials(pushArtifactArgs.creds)
+		auth, err = client.GetAuthFromCredentials(pushArtifactArgs.creds)
 		if err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
-		opts = append(opts, crane.WithAuth(authenticator))
+		opts = append(opts, crane.WithAuth(auth))
 	}
-	if provider := pushArtifactArgs.provider.String(); provider != sourcev1.GenericOCIProvider {
+	if pushArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
-		authOpt, err := loginWithProvider(ctx, url, provider)
+		ociProvider, err := pushArtifactArgs.provider.ToOCIProvider()
 		if err != nil {
 			return fmt.Errorf("provider not supported: %w", err)
 		}
 		auth, err = login.NewManager().Login(ctx, url, ref, getProviderLoginOption(ociProvider))
 		if err != nil {
 			return fmt.Errorf("error during login with provider: %w", err)
 		}
-		opts = append(opts, authOpt)
+		opts = append(opts, crane.WithAuth(auth))
 	}
 	if rootArgs.timeout != 0 {
@ -244,37 +249,27 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 			Cap:   rootArgs.timeout,
 		}
-		if authenticator == nil {
+		if auth == nil {
-			authenticator, err = authn.DefaultKeychain.Resolve(ref.Context())
+			auth, err = authn.DefaultKeychain.Resolve(ref.Context())
 			if err != nil {
 				return err
 			}
 		}
-		transportOpts, err := oci.WithRetryTransport(ctx,
+		transportOpts, err := client.WithRetryTransport(ctx, ref, auth, backoff, []string{ref.Context().Scope(transport.PushScope)})
 			ref,
 			authenticator,
 			backoff,
 			[]string{ref.Context().Scope(transport.PushScope)},
 			pushArtifactArgs.insecure,
 		)
 		if err != nil {
 			return fmt.Errorf("error setting up transport: %w", err)
 		}
-		opts = append(opts, transportOpts, oci.WithRetryBackOff(backoff))
+		opts = append(opts, transportOpts, client.WithRetryBackOff(backoff))
 	}
 	if pushArtifactArgs.output == "" {
 		logger.Actionf("pushing artifact to %s", url)
 	}
-	if pushArtifactArgs.insecure {
+	ociClient := client.NewClient(opts)
 		opts = append(opts, crane.Insecure)
 	}
 	ociClient := oci.NewClient(opts)
 	digestURL, err := ociClient.Push(ctx, url, path,
-		oci.WithPushMetadata(meta),
+		client.WithPushMetadata(meta),
-		oci.WithPushIgnorePaths(pushArtifactArgs.ignorePaths...),
+		client.WithPushIgnorePaths(pushArtifactArgs.ignorePaths...),
 	)
 	if err != nil {
 		return fmt.Errorf("pushing artifact failed: %w", err)
@ -322,3 +317,16 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	return nil
 }
 func getProviderLoginOption(provider oci.Provider) login.ProviderOptions {
 	var opts login.ProviderOptions
 	switch provider {
 	case oci.ProviderAzure:
 		opts.AzureAutoLogin = true
 	case oci.ProviderAWS:
 		opts.AwsAutoLogin = true
 	case oci.ProviderGCP:
 		opts.GcpAutoLogin = true
 	}
 	return opts
 }
--- a/cmd/flux/readiness.go
+++ b/cmd/flux/readiness.go
@ -108,7 +108,7 @@ func isObjectReady(obj client.Object, statusType objectStatusType) (bool, error)
 	case kstatus.InProgressStatus:
 		return false, nil
 	default:
-		return false, fmt.Errorf("%s", result.Message)
+		return false, fmt.Errorf(result.Message)
 	}
 }
--- a/cmd/flux/reconcile.go
+++ b/cmd/flux/reconcile.go
@ -132,7 +132,7 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	if readyCond.Status != metav1.ConditionTrue {
 		return fmt.Errorf("%s reconciliation failed: '%s'", reconcile.kind, readyCond.Message)
 	}
-	logger.Successf("%s", reconcile.object.successMessage())
+	logger.Successf(reconcile.object.successMessage())
 	return nil
 }
--- a/cmd/flux/reconcile_helmrelease.go
+++ b/cmd/flux/reconcile_helmrelease.go
@ -24,6 +24,7 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var reconcileHrCmd = &cobra.Command{
@ -91,7 +92,7 @@ func (obj helmReleaseAdapter) getSource() (reconcileSource, types.NamespacedName
 		}
 		return reconcileCommand{
 			apiType: ociRepositoryType,
-			object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+			object:  ociRepositoryAdapter{&sourcev1b2.OCIRepository{}},
 		}, namespacedName
 	default:
 		// default case assumes the HelmRelease is using a HelmChartTemplate
--- a/cmd/flux/reconcile_kustomization.go
+++ b/cmd/flux/reconcile_kustomization.go
@ -22,6 +22,7 @@ import (
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var reconcileKsCmd = &cobra.Command{
@ -65,10 +66,10 @@ func (obj kustomizationAdapter) reconcileSource() bool {
 func (obj kustomizationAdapter) getSource() (reconcileSource, types.NamespacedName) {
 	var cmd reconcileCommand
 	switch obj.Spec.SourceRef.Kind {
-	case sourcev1.OCIRepositoryKind:
+	case sourcev1b2.OCIRepositoryKind:
 		cmd = reconcileCommand{
 			apiType: ociRepositoryType,
-			object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+			object:  ociRepositoryAdapter{&sourcev1b2.OCIRepository{}},
 		}
 	case sourcev1.GitRepositoryKind:
 		cmd = reconcileCommand{
--- a/cmd/flux/reconcile_source_oci.go
+++ b/cmd/flux/reconcile_source_oci.go
@ -21,7 +21,7 @@ import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var reconcileSourceOCIRepositoryCmd = &cobra.Command{
--- a/cmd/flux/reconcile_with_source.go
+++ b/cmd/flux/reconcile_with_source.go
@ -96,6 +96,6 @@ func (reconcile reconcileWithSourceCommand) run(cmd *cobra.Command, args []strin
 	if readyCond.Status != metav1.ConditionTrue {
 		return fmt.Errorf("%s reconciliation failed: %s", reconcile.kind, readyCond.Message)
 	}
-	logger.Successf("%s", reconcile.object.successMessage())
+	logger.Successf(reconcile.object.successMessage())
 	return nil
 }
--- a/cmd/flux/resume.go
+++ b/cmd/flux/resume.go
@ -251,9 +251,9 @@ func (resume resumeCommand) printMessage(responses []reconcileResponse) {
 			continue
 		}
 		if r.err != nil {
-			logger.Failuref("%s", r.err.Error())
+			logger.Failuref(r.err.Error())
 		}
 		logger.Successf("%s %s reconciliation completed", resume.kind, r.asClientObject().GetName())
-		logger.Successf("%s", r.successMessage())
+		logger.Successf(r.successMessage())
 	}
 }
--- a/cmd/flux/resume_source_oci.go
+++ b/cmd/flux/resume_source_oci.go
@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var resumeSourceOCIRepositoryCmd = &cobra.Command{
--- a/cmd/flux/source.go
+++ b/cmd/flux/source.go
@ -20,6 +20,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 // These are general-purpose adapters for attaching methods to, for
@ -29,13 +30,13 @@ import (
 // sourcev1.ociRepository
 var ociRepositoryType = apiType{
-	kind:         sourcev1.OCIRepositoryKind,
+	kind:         sourcev1b2.OCIRepositoryKind,
 	humanKind:    "source oci",
-	groupVersion: sourcev1.GroupVersion,
+	groupVersion: sourcev1b2.GroupVersion,
 }
 type ociRepositoryAdapter struct {
-	*sourcev1.OCIRepository
+	*sourcev1b2.OCIRepository
 }
 func (a ociRepositoryAdapter) asClientObject() client.Object {
@ -49,7 +50,7 @@ func (a ociRepositoryAdapter) deepCopyClientObject() client.Object {
 // sourcev1b2.OCIRepositoryList
 type ociRepositoryListAdapter struct {
-	*sourcev1.OCIRepositoryList
+	*sourcev1b2.OCIRepositoryList
 }
 func (a ociRepositoryListAdapter) asClientList() client.ObjectList {
--- a/cmd/flux/stats.go
+++ b/cmd/flux/stats.go
@ -34,6 +34,7 @@ import (
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@ -81,9 +82,9 @@ func runStatsCmd(cmd *cobra.Command, args []string) error {
 			Group:   sourcev1.GroupVersion.Group,
 		},
 		{
-			Kind:    sourcev1.OCIRepositoryKind,
+			Kind:    sourcev1b2.OCIRepositoryKind,
-			Version: sourcev1.GroupVersion.Version,
+			Version: sourcev1b2.GroupVersion.Version,
-			Group:   sourcev1.GroupVersion.Group,
+			Group:   sourcev1b2.GroupVersion.Group,
 		},
 		{
 			Kind:    sourcev1.HelmRepositoryKind,
--- a/cmd/flux/suspend_source_oci.go
+++ b/cmd/flux/suspend_source_oci.go
@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var suspendSourceOCIRepositoryCmd = &cobra.Command{
--- a/cmd/flux/tag_artifact.go
+++ b/cmd/flux/tag_artifact.go
@ -22,8 +22,8 @@ import (
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/pkg/oci"
+	oci "github.com/fluxcd/pkg/oci/client"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 )
@ -31,8 +31,8 @@ import (
 var tagArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Tag artifact",
-	Long: `The tag artifact command creates tags for the given OCI artifact.
+	Long: withPreviewNote(`The tag artifact command creates tags for the given OCI artifact.
-The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
 	Example: `  # Tag an artifact version as latest
  flux tag artifact oci://ghcr.io/org/manifests/app:v0.0.1 --tag latest
 `,
@ -78,23 +78,24 @@ func tagArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	opts := oci.DefaultOptions()
+	ociClient := oci.NewClient(oci.DefaultOptions())
 	if tagArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && tagArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
 		if err := ociClient.LoginWithCredentials(tagArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
 	if tagArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
-		opt, err := loginWithProvider(ctx, url, tagArtifactArgs.provider.String())
+		ociProvider, err := tagArtifactArgs.provider.ToOCIProvider()
 		if err != nil {
-			return fmt.Errorf("error during login with provider: %w", err)
+			return fmt.Errorf("provider not supported: %w", err)
 		}
 		opts = append(opts, opt)
 	}
 	ociClient := oci.NewClient(opts)
-	if tagArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && tagArtifactArgs.creds != "" {
+		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
-		logger.Actionf("logging in to registry with credentials")
+			return fmt.Errorf("error during login with provider: %w", err)
 		if err := ociClient.LoginWithCredentials(tagArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
--- a/cmd/flux/testdata/check/check_pre.golden
+++ b/cmd/flux/testdata/check/check_pre.golden
@ -1,3 +1,3 @@
 ► checking prerequisites
-✔ Kubernetes {{ .serverVersion }} >=1.31.0-0
+✔ Kubernetes {{ .serverVersion }} >=1.30.0-0
 ✔ prerequisites checks passed
--- a/cmd/flux/testdata/create_hr/setup-source.yaml
+++ b/cmd/flux/testdata/create_hr/setup-source.yaml
@ -27,7 +27,7 @@ spec:
    kind: HelmRepository
    name: podinfo
 ---
-apiVersion: source.toolkit.fluxcd.io/v1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
 metadata:
  name: podinfo
--- a/cmd/flux/testdata/create_secret/githubapp/secret-with-baseurl.yaml
+++ b/cmd/flux/testdata/create_secret/githubapp/secret-with-baseurl.yaml
@ -36,5 +36,4 @@ stringData:
    lbD102oXw9lUefVI0McyQIN9J58ewDC79AG7gU/fTSt6F75OeFLOJmoedQo33Y+s
    bUytJtOhHbLRNxwgalhjBUNWICrDktqJmumNOEOOPBqVz7RGwUg=
    -----END RSA PRIVATE KEY-----
 type: Opaque
--- a/cmd/flux/testdata/create_secret/githubapp/secret.yaml
+++ b/cmd/flux/testdata/create_secret/githubapp/secret.yaml
@ -35,5 +35,4 @@ stringData:
    lbD102oXw9lUefVI0McyQIN9J58ewDC79AG7gU/fTSt6F75OeFLOJmoedQo33Y+s
    bUytJtOhHbLRNxwgalhjBUNWICrDktqJmumNOEOOPBqVz7RGwUg=
    -----END RSA PRIVATE KEY-----
 type: Opaque
--- a/cmd/flux/testdata/create_secret/helm/secret-helm.yaml
+++ b/cmd/flux/testdata/create_secret/helm/secret-helm.yaml
@ -7,5 +7,4 @@ metadata:
 stringData:
  password: my-password
  username: my-username
 type: kubernetes.io/basic-auth
--- a/cmd/flux/testdata/create_secret/oci/create-secret.yaml
+++ b/cmd/flux/testdata/create_secret/oci/create-secret.yaml
@ -5,15 +5,6 @@ metadata:
  name: ghcr
  namespace: my-namespace
 stringData:
-  .dockerconfigjson: |-
+  .dockerconfigjson: '{"auths":{"ghcr.io":{"username":"stefanprodan","password":"password","auth":"c3RlZmFucHJvZGFuOnBhc3N3b3Jk"}}}'
    {
      "auths": {
        "ghcr.io": {
          "username": "stefanprodan",
          "password": "password",
          "auth": "c3RlZmFucHJvZGFuOnBhc3N3b3Jk"
        }
      }
    }
 type: kubernetes.io/dockerconfigjson
--- a/cmd/flux/testdata/create_secret/proxy/secret-proxy.yaml
+++ b/cmd/flux/testdata/create_secret/proxy/secret-proxy.yaml
@ -8,5 +8,4 @@ stringData:
  address: https://my-proxy.com
  password: my-password
  username: my-username
 type: Opaque
--- a/cmd/flux/testdata/create_source_git/export.golden
+++ b/cmd/flux/testdata/create_source_git/export.golden
@ -11,7 +11,4 @@ spec:
  interval: 1m0s
  ref:
    branch: master
  sparseCheckout:
  - .cosign
  - non-existent-dir/
  url: https://github.com/stefanprodan/podinfo
--- a/cmd/flux/testdata/create_tenant/tenant-basic.yaml
+++ b/cmd/flux/testdata/create_tenant/tenant-basic.yaml
@ -1,34 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: apps
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: dev-team
  namespace: apps
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: dev-team-reconciler
  namespace: apps
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gotk:apps:reconciler
 - kind: ServiceAccount
  name: dev-team
  namespace: apps
--- a/cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml
+++ b/cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml
@ -1,34 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: apps
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: dev-team
  namespace: apps
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: dev-team-reconciler
  namespace: apps
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: custom-role
 subjects:
 - apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gotk:apps:reconciler
 - kind: ServiceAccount
  name: dev-team
  namespace: apps
--- a/cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml
+++ b/cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml
@ -1,34 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: apps
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: flux-tenant
  namespace: apps
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    toolkit.fluxcd.io/tenant: dev-team
  name: dev-team-reconciler
  namespace: apps
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gotk:apps:reconciler
 - kind: ServiceAccount
  name: flux-tenant
  namespace: apps
--- a/cmd/flux/testdata/debug_helmrelease/objects.yaml
+++ b/cmd/flux/testdata/debug_helmrelease/objects.yaml
@ -38,10 +38,6 @@ spec:
    - kind: Secret
      name: test
      valuesKey: secrets.yaml
    - kind: Secret
      name: test
      valuesKey: flatValue
      targetPath: aFlatValue
    - kind: ConfigMap
      name: none
      optional: true
@ -65,4 +61,3 @@ stringData:
  secrets.yaml: |
    secret: "test"
    override: "secret"
  flatValue: some-flat-value
--- a/cmd/flux/testdata/debug_helmrelease/values-from.golden.yaml
+++ b/cmd/flux/testdata/debug_helmrelease/values-from.golden.yaml
@ -1,4 +1,3 @@
 aFlatValue: some-flat-value
 cm: test
 image:
  repository: stefanprodan/podinfo
--- a/cmd/flux/testdata/diff-kustomization/diff-with-drifted-key-sops-secret.golden
+++ b/cmd/flux/testdata/diff-kustomization/diff-with-drifted-key-sops-secret.golden
@ -6,7 +6,7 @@
 ► Secret/default/podinfo-token-77t89m9b67 drifted
 data
- one map entry removed:   + one map entry added:
+  - one map entry removed:     + one map entry added:
-drift-key: "*****"           token: "*****"
+    drift-key: "*****"           token: "*****"
 ► Secret/default/db-user-pass-bkbd782d2c created
--- a/cmd/flux/testdata/diff-kustomization/diff-with-drifted-secret.golden
+++ b/cmd/flux/testdata/diff-kustomization/diff-with-drifted-secret.golden
@ -7,7 +7,7 @@
 ► Secret/default/db-user-pass-bkbd782d2c drifted
 data.password
-± value change
+  ± value change
- *** (before)
+    - *** (before)
-+ *** (after)
+    + *** (after)
--- a/cmd/flux/testdata/diff-kustomization/diff-with-drifted-service.golden
+++ b/cmd/flux/testdata/diff-kustomization/diff-with-drifted-service.golden
@ -3,9 +3,9 @@
 ► Service/default/podinfo drifted
 spec.ports.http.port
-± value change
+  ± value change
- 9899
+    - 9899
-+ 9898
+    + 9898
 ► Secret/default/docker-secret created
 ► Secret/default/secret-basic-auth-stringdata created
--- a/cmd/flux/testdata/diff-kustomization/diff-with-drifted-stringdata-sops-secret.golden
+++ b/cmd/flux/testdata/diff-kustomization/diff-with-drifted-stringdata-sops-secret.golden
@ -5,8 +5,8 @@
 ► Secret/default/secret-basic-auth-stringdata drifted
 data
- one map entry removed:   + one map entry added:
+  - one map entry removed:     + one map entry added:
-username1: "*****"           username: "*****"
+    username1: "*****"           username: "*****"
 ► Secret/default/podinfo-token-77t89m9b67 created
 ► Secret/default/db-user-pass-bkbd782d2c created
--- a/cmd/flux/testdata/export/image-policy.yaml
+++ b/cmd/flux/testdata/export/image-policy.yaml
@ -5,7 +5,6 @@ metadata:
  name: flux-system
  namespace: {{ .fluxns }}
 spec:
  digestReflectionPolicy: Never
  imageRepositoryRef:
    name: flux-system
  policy:
--- a/cmd/flux/testdata/image/get_image_policy_regex.golden
+++ b/cmd/flux/testdata/image/get_image_policy_regex.golden
@ -1,2 +1,2 @@
-NAME         	LATEST IMAGE                      	READY	MESSAGE                                                             
+NAME         	LATEST IMAGE                      	READY	MESSAGE                                                               
-podinfo-regex	ghcr.io/stefanprodan/podinfo:5.0.0	True 	Latest image tag for ghcr.io/stefanprodan/podinfo resolved to 5.0.0	
+podinfo-regex	ghcr.io/stefanprodan/podinfo:5.0.0	True 	Latest image tag for 'ghcr.io/stefanprodan/podinfo' resolved to 5.0.0	
--- a/cmd/flux/testdata/image/get_image_policy_semver.golden
+++ b/cmd/flux/testdata/image/get_image_policy_semver.golden
@ -1,2 +1,2 @@
-NAME          	LATEST IMAGE                      	READY	MESSAGE                                                                                                                                                 
+NAME          	LATEST IMAGE                      	READY	MESSAGE                                                               
-podinfo-semver	ghcr.io/stefanprodan/podinfo:5.0.3	True 	Latest image tag for ghcr.io/stefanprodan/podinfo resolved to 5.0.3 with digest sha256:8704da90172710d422af855049175c1a8295731cbe2ad3b9a1c1074feecf8c10	
+podinfo-semver	ghcr.io/stefanprodan/podinfo:5.0.3	True 	Latest image tag for 'ghcr.io/stefanprodan/podinfo' resolved to 5.0.3	
--- a/Show More
+++ b/Show More
`@ -1,2 +1,2 @@`
	`NAME LATEST IMAGE READY MESSAGE`	`NAME LATEST IMAGE READY MESSAGE`
	`podinfo-regex ghcr.io/stefanprodan/podinfo:5.0.0 True Latest image tag for ghcr.io/stefanprodan/podinfo resolved to 5.0.0`	`podinfo-regex ghcr.io/stefanprodan/podinfo:5.0.0 True Latest image tag for 'ghcr.io/stefanprodan/podinfo' resolved to 5.0.0`