build(deps): bump the ci group across 1 directory with 11 updates

Bumps the ci group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` | | [fluxcd/pkg](https://github.com/fluxcd/pkg) | `1.27.0` | `1.31.0` | | [replicatedhq/replicated-actions](https://github.com/replicatedhq/replicated-actions) | `1.20.0` | `1.24.0` | | [Azure/login](https://github.com/azure/login) | `2.3.0` | `3.0.0` | | [docker/login-action](https://github.com/docker/login-action) | `4.0.0` | `4.1.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.32.6` | `4.35.2` | | [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.23.1` | `0.24.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.0` | `4.1.1` | | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `7.0.0` | `7.2.1` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` | Updates `actions/setup-go` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4b73464bb391d4059bd26b0524d20df3927bd417...4a3601121dd01d1626a1e23e37211e3254c1c06c) Updates `fluxcd/pkg` from 1.27.0 to 1.31.0 - [Commits](https://github.com/fluxcd/pkg/compare/9a8c0edd5da84dc51a585738c67e3a3950d7fbf0...1bfcca47168cb6d2d7dfdc5b35d8b379a773976d) Updates `replicatedhq/replicated-actions` from 1.20.0 to 1.24.0 - [Release notes](https://github.com/replicatedhq/replicated-actions/releases) - [Commits](https://github.com/replicatedhq/replicated-actions/compare/1abb33f5274580b14f49f2a12d819df7920e4d9b...7e1b21f10a961592f292e7dadda93466d886427f) Updates `Azure/login` from 2.3.0 to 3.0.0 - [Release notes](https://github.com/azure/login/releases) - [Commits](https://github.com/azure/login/compare/a457da9ea143d694b1b9c7c869ebb04ebe844ef5...532459ea530d8321f2fb9bb10d1e0bcf23869a43) Updates `docker/login-action` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/b45d80f862d83dbcd57f89517bcf500b2ab88fb2...4907a6ddec9925e35a0a9e82d7399ccc52663121) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) Updates `github/codeql-action` from 4.32.6 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0d579ffd059c29b07949a3cce3983f0780820c98...95e58e9a2cdfd71adc6e0353d5c52f41a045d225) Updates `anchore/sbom-action` from 0.23.1 to 0.24.0 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/sbom-action/compare/57aae528053a48a3f6235f2d9461b05fbcb7366d...e22c389904149dbc22b58101806040fa8d37a610) Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/ba7bc0a3fef59531c69a25acd34668d6d3fe6f22...cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.2.1 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/ec59f474b9834571250b370d4735c50f8e2d1e29...1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c0f553fe549906ede9cf27b5156039d195d2ece0...5f6978faf089d4d20b00c7766989d076bb2fc7f1) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: fluxcd/pkg dependency-version: 1.31.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: replicatedhq/replicated-actions dependency-version: 1.24.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: Azure/login dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci - dependency-name: docker/login-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: anchore/sbom-action dependency-version: 0.24.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: sigstore/cosign-installer dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #5831 from jtyr/jtyr-context-ns
2026-05-29 11:20:49 +00:00 · 2026-05-01 01:05:02 +00:00 · 2026-04-30 09:58:47 +01:00 · 2026-04-30 08:19:41 +01:00 · 2026-04-29 17:00:37 +03:00 · 2026-04-29 18:01:18 +05:30
394 changed files with 14978 additions and 4005 deletions
@@ -6,11 +6,9 @@ updates:
    labels: ["area/ci", "dependencies"]
    groups:
      # Group all updates together, so that they are all applied in a single PR.
-      # Grouped updates are currently in beta and is subject to change.
      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
      ci:
        patterns:
          - "*"
    schedule:
-      # By default, this will be on a monday.
-      interval: "weekly"
+      interval: "monthly"
@@ -44,15 +44,12 @@
  description: Feature request proposals in the RFC format
  color: '#D621C3'
  aliases: ['area/RFC']
- name: backport:release/v2.0.x
-  description: To be backported to release/v2.0.x
+- name: backport:release/v2.6.x
+  description: To be backported to release/v2.6.x
  color: '#ffd700'
- name: backport:release/v2.1.x
-  description: To be backported to release/v2.1.x
+- name: backport:release/v2.7.x
+  description: To be backported to release/v2.7.x
  color: '#ffd700'
- name: backport:release/v2.2.x
-  description: To be backported to release/v2.2.x
-  color: '#ffd700'
- name: backport:release/v2.3.x
-  description: To be backported to release/v2.3.x
+- name: backport:release/v2.8.x
+  description: To be backported to release/v2.8.x
  color: '#ffd700'
@@ -23,7 +23,7 @@ amd when it finds a new controller version, the workflow performs the following
 - Updates the controller API package version in `go.mod`.
 - Patches the controller CRDs version in the `manifests/crds` overlay.
 - Patches the controller Deployment version in `manifests/bases` overlay.
- Opens a Pull Request against the `main` branch.
+- Opens a Pull Request against the checked out branch.
 - Triggers the e2e test suite to run for the opened PR.


@@ -24,6 +24,6 @@ jobs:
    name: action on ${{ matrix.version }}
    steps:
      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup flux
        uses: ./action
@@ -1,34 +1,13 @@
 name: backport
-
 on:
  pull_request_target:
    types: [closed, labeled]
-
-permissions: 
-  contents: read
-
+permissions: read-all
 jobs:
-  pull-request:
-    runs-on: ubuntu-latest
+  backport:
    permissions:
-      contents: write
-      pull-requests: write
-    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
-    steps:
-      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Create backport PRs
-        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
-        # xref: https://github.com/korthout/backport-action#inputs
-        with:
-          # Use token to allow workflows to be triggered for the created PR
-          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
-          # Match labels with a pattern `backport:<target-branch>`
-          label_pattern: '^backport:([^ ]+)$'
-          # A bit shorter pull-request title than the default
-          pull_title: '[${target_branch}] ${pull_title}'
-          # Simpler PR description than default
-          pull_description: |-
-            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
+      contents: write # for reading and creating branches.
+      pull-requests: write # for creating pull requests against release branches.
+    uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@v0.9.0
+    secrets:
+      github-token: ${{ secrets.BOT_GITHUB_TOKEN }}
@@ -3,13 +3,13 @@ name: conformance
 on:
  workflow_dispatch:
  push:
-    branches: [ 'main', 'update-components', 'release/**', 'conform*' ]
+    branches: [ 'main', 'update-components-**', 'release/**', 'conform*' ]

 permissions:
  contents: read

 env:
-  GO_VERSION: 1.22.x
+  GO_VERSION: 1.26.x

 jobs:
  conform-kubernetes:
@@ -19,13 +19,13 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
-        KUBERNETES_VERSION: [1.29.7, 1.30.2, 1.31.1 ]
+        KUBERNETES_VERSION: [1.33.0, 1.34.1, 1.35.0]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -40,9 +40,9 @@ jobs:
        run: |
          make build
      - name: Setup Kubernetes
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
        with:
-          version: v0.22.0
+          version: v0.30.0
          cluster_name: ${{ steps.prep.outputs.CLUSTER }}
          node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
      - name: Run e2e tests
@@ -76,13 +76,13 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Available versions can be found with "replicated cluster versions"
-        K3S_VERSION: [ 1.29.9, 1.30.5, 1.31.1 ]
+        K3S_VERSION: [ 1.33.7, 1.34.3, 1.35.0 ]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -97,7 +97,7 @@ jobs:
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
+        uses: fluxcd/pkg/actions/kustomize@1bfcca47168cb6d2d7dfdc5b35d8b379a773976d # main
      - name: Build
        run: make build-dev
      - name: Create repository
@@ -107,7 +107,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
-        uses: replicatedhq/compatibility-actions/create-cluster@77121785951d05387334b773644c356885191f14 # v1.16.2
+        uses: replicatedhq/replicated-actions/create-cluster@7e1b21f10a961592f292e7dadda93466d886427f # v1.24.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "k3s"
@@ -120,8 +120,7 @@ jobs:
        run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
      - name: Run flux bootstrap
        run: |
-          ./bin/flux bootstrap git --manifests ./manifests/install/ \
-          --components-extra=image-reflector-controller,image-automation-controller \
+          ./bin/flux bootstrap git --manifests ./manifests/test/ \
          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
          --branch=main \
          --path=clusters/k3s \
@@ -151,7 +150,7 @@ jobs:
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@77121785951d05387334b773644c356885191f14 # v1.16.2
+        uses: replicatedhq/replicated-actions/remove-cluster@7e1b21f10a961592f292e7dadda93466d886427f # v1.24.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
@@ -169,13 +168,13 @@ jobs:
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
-        OPENSHIFT_VERSION: [ 4.15.0-okd ]
+        OPENSHIFT_VERSION: [ 4.20.0-okd ]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -190,7 +189,7 @@ jobs:
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
+        uses: fluxcd/pkg/actions/kustomize@1bfcca47168cb6d2d7dfdc5b35d8b379a773976d # main
      - name: Build
        run: make build-dev
      - name: Create repository
@@ -200,7 +199,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
-        uses: replicatedhq/compatibility-actions/create-cluster@77121785951d05387334b773644c356885191f14 # v1.16.2
+        uses: replicatedhq/replicated-actions/create-cluster@7e1b21f10a961592f292e7dadda93466d886427f # v1.24.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "openshift"
@@ -212,7 +211,6 @@ jobs:
      - name: Run flux bootstrap
        run: |
          ./bin/flux bootstrap git --manifests ./manifests/openshift/ \
-          --components-extra=image-reflector-controller,image-automation-controller \
          --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
          --branch=main \
          --path=clusters/openshift \
@@ -242,7 +240,7 @@ jobs:
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@77121785951d05387334b773644c356885191f14 # v1.16.2
+        uses: replicatedhq/replicated-actions/remove-cluster@7e1b21f10a961592f292e7dadda93466d886427f # v1.24.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
@@ -22,20 +22,21 @@ permissions:

 jobs:
  e2e-aks:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./tests/integration
-    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
-    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: CheckoutD
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: 1.23.x
+          go-version: 1.26.x
          cache-dependency-path: tests/integration/go.sum
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
      - name: Setup Flux CLI
        run: make build
        working-directory: ./
@@ -47,9 +48,9 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Azure
-        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.4.6
+        uses: Azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v1.4.6
        with:
-          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
+          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
      - name: Set dynamic variables in .env
        run: |
          cat > .env <<EOF
@@ -59,33 +60,35 @@ jobs:
        run: cat .env
      - name: Run Azure e2e tests
        env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
-          GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
-          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
        run: |
          source .env
          mkdir -p ./build/ssh
-          touch ./build/ssh/key
-          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          cat <<EOF > build/ssh/key
+          $GITREPO_SSH_CONTENTS
+          EOF
          export GITREPO_SSH_PATH=build/ssh/key
-          touch ./build/ssh/key.pub
-          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          cat <<EOF > build/ssh/key.pub
+          $GITREPO_SSH_PUB_CONTENTS
+          EOF
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure
      - name: Ensure resource cleanup
        if: ${{ always() }}
        env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
        run: source .env && make destroy-azure
@@ -17,27 +17,27 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: 1.23.x
+          go-version: 1.26.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
        with:
-          version: v0.24.0
+          version: v0.30.0
          cluster_name: kind
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.31.0-amd64
-          kubectl_version: v1.31.0
+          node_image: ghcr.io/fluxcd/kindest/node:v1.33.0-amd64
+          kubectl_version: v1.33.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
+        uses: fluxcd/pkg/actions/kustomize@1bfcca47168cb6d2d7dfdc5b35d8b379a773976d # main
      - name: Setup yq
-        uses: fluxcd/pkg/actions/yq@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
+        uses: fluxcd/pkg/actions/yq@1bfcca47168cb6d2d7dfdc5b35d8b379a773976d # main
      - name: Build
        run: make build-dev
      - name: Set outputs
@@ -51,7 +51,7 @@ jobs:
          echo "test_repo_name=$TEST_REPO_NAME" >> $GITHUB_OUTPUT
      - name: bootstrap init
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/test/ \
          --owner=fluxcd-testing \
          --image-pull-secret=ghcr-auth \
          --registry-creds=fluxcd:$GITHUB_TOKEN \
@@ -66,7 +66,7 @@ jobs:
          kubectl -n flux-system get secret ghcr-auth | grep dockerconfigjson
      - name: bootstrap no-op
        run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/test/ \
          --owner=fluxcd-testing \
          --image-pull-secret=ghcr-auth \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
@@ -78,7 +78,7 @@ jobs:
      - name: bootstrap customize
        run: |
          make setup-bootstrap-patch
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/test/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
@@ -98,15 +98,18 @@ jobs:
      - name: test image automation
        run: |
          make setup-image-automation
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/test/ \
          --owner=fluxcd-testing \
          --repository=${{ steps.vars.outputs.test_repo_name }} \
          --branch=main \
          --path=test-cluster \
          --read-write-key
          ./bin/flux reconcile image repository podinfo
+          ./bin/flux reconcile image policy podinfo
          ./bin/flux reconcile image update flux-system
          ./bin/flux get images all
+          ./bin/flux -n flux-system events --for ImageUpdateAutomation/flux-system
+          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system
          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
           yq '.status.lastPushCommit | length > 1' | grep 'true'
        env:
@@ -22,19 +22,21 @@ permissions:

 jobs:
  e2e-gcp:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./tests/integration
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: 1.23.x
+          go-version: 1.26.x
          cache-dependency-path: tests/integration/go.sum
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
      - name: Setup Flux CLI
        run: make build
        working-directory: ./
@@ -46,19 +48,19 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        id: 'auth'
        with:
          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
          token_format: 'access_token'
      - name: Setup gcloud
-        uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Log into us-central1-docker.pkg.dev
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: us-central1-docker.pkg.dev
          username: oauth2accesstoken
@@ -23,30 +23,30 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: 1.23.x
+          go-version: 1.26.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
        with:
-          version: v0.24.0
+          version: v0.30.0
          cluster_name: kind
          wait: 5s
          config: .github/kind/config.yaml # disable KIND-net
          # The versions below should target the oldest supported Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.29.7-amd64
-          kubectl_version: v1.29.7
+          node_image: ghcr.io/fluxcd/kindest/node:v1.33.0-amd64
+          kubectl_version: v1.33.0
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
+        uses: fluxcd/pkg/actions/kustomize@1bfcca47168cb6d2d7dfdc5b35d8b379a773976d # main
      - name: Run tests
        run: make test
      - name: Run e2e tests
@@ -65,7 +65,7 @@ jobs:
          ./bin/flux check --pre
      - name: flux install --manifests
        run: |
-          ./bin/flux install --manifests ./manifests/install/
+          ./bin/flux install --manifests ./manifests/test/
      - name: flux create secret
        run: |
          ./bin/flux create secret git git-ssh-test \
@@ -238,6 +238,9 @@ jobs:
      - name: flux check
        run: |
          ./bin/flux check
+      - name: flux migrate
+        run: |
+          ./bin/flux migrate
      - name: flux version
        run: |
          ./bin/flux version
@@ -247,7 +250,7 @@ jobs:
      - name: Debug failure
        if: failure()
        run: |
-          kubectl version --client --short
+          kubectl version --client
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system get kustomizations -oyaml
@@ -19,21 +19,21 @@ jobs:
      actions: read
      contents: read
    steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: Upload artifact
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          sarif_file: results.sarif
@@ -2,7 +2,7 @@ name: release

 on:
  push:
-    tags: [ 'v*' ]
+    tags: ["v*"]

 permissions:
  contents: read
@@ -13,40 +13,44 @@ jobs:
      hashes: ${{ steps.slsa.outputs.hashes }}
      image_url: ${{ steps.slsa.outputs.image_url }}
      image_digest: ${{ steps.slsa.outputs.image_digest }}
-    runs-on: ubuntu-latest
+    runs-on:
+      group: "Default Larger Runners"
+      labels: ubuntu-latest-16-cores
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: 1.23.x
+          go-version: 1.26.x
          cache: false
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db  # v3.6.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        with:
+          cosign-release: v2.6.1 # TODO: remove after Flux 2.8 with support for cosign v3
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
+        uses: fluxcd/pkg/actions/kustomize@1bfcca47168cb6d2d7dfdc5b35d8b379a773976d # main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -59,30 +63,19 @@ jobs:
        run: |
          kustomize build manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg/actions/crdjsonschema@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
+        uses: fluxcd/pkg/actions/crdjsonschema@1bfcca47168cb6d2d7dfdc5b35d8b379a773976d # main
        with:
          crd: all-crds.yaml
          output: schemas
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
-      - name: Download release notes utility
-        env:
-          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
-        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
-      - name: Generate release notes
-        run: |
-          NOTES="./output/notes.md"
-          echo '## CLI Changelog' > ${NOTES}
-          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
        with:
          version: latest
-          args: release --release-notes=output/notes.md --skip=validate
+          args: release --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
@@ -110,24 +103,26 @@ jobs:
      id-token: write
      packages: write
    steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
+        uses: fluxcd/pkg/actions/kustomize@1bfcca47168cb6d2d7dfdc5b35d8b379a773976d # main
      - name: Setup Flux CLI
        uses: ./action/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Prepare
        id: prep
        run: |
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to DockerHub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -155,7 +150,9 @@ jobs:
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        with:
+          cosign-release: v2.6.1 # TODO: remove after Flux 2.8 with support for cosign v3
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
@@ -176,7 +173,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
@@ -188,7 +185,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
@@ -202,10 +199,10 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
-      registry-password: ${{ secrets.GHCR_TOKEN }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
@@ -1,5 +1,4 @@
 name: scan
-
 on:
  workflow_dispatch:
  push:
@@ -8,79 +7,13 @@ on:
    branches: [ 'main', 'release/**' ]
  schedule:
    - cron: '18 10 * * 3'
-
-permissions:
-  contents: read
-
+permissions: read-all
 jobs:
-  scan-fossa:
-    runs-on: ubuntu-latest
-    if: github.actor != 'dependabot[bot]'
-    steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
-        with:
-          # FOSSA Push-Only API Token
-          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
-          github-token: ${{ github.token }}
-
-  scan-snyk:
-    runs-on: ubuntu-latest
+  analyze:
    permissions:
-      security-events: write
-    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
-    steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@30c101fc7c9fac4d84937ff4890a3da46a9db2dd # main
-      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
-        with:
-          go-version-file: 'go.mod'
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Download modules and build manifests
-        run: |
-          make tidy
-          make cmd/flux/.manifests.done
-      - uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
-      - name:  Run Snyk to check for vulnerabilities
-        continue-on-error: true
-        run: |
-          snyk test --all-projects --sarif-file-output=snyk.sarif
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      - name: Upload result to GitHub Code Scanning
-        continue-on-error: true
-        uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
-        with:
-          sarif_file: snyk.sarif
-
-  scan-codeql:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    if: github.actor != 'dependabot[bot]'
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
-        with:
-          go-version-file: 'go.mod'
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
-        with:
-          languages: go
-          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # xref: https://codeql.github.com/codeql-query-help/go/
-          queries: security-and-quality
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
+      contents: read # for reading the repository code.
+      security-events: write # for uploading the CodeQL analysis results.
+    uses: fluxcd/gha-workflows/.github/workflows/code-scan.yaml@v0.9.0
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      fossa-token: ${{ secrets.FOSSA_TOKEN }}
@@ -6,23 +6,12 @@ on:
      - main
    paths:
      - .github/labels.yaml
-
-permissions:
-  contents: read
-
+permissions: read-all
 jobs:
-  labels:
-    name: Run sync
-    runs-on: ubuntu-latest
+  sync-labels:
    permissions:
-      issues: write
-    steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
-        with:
-          # Configuration file
-          config-file: |
-            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
-            .github/labels.yaml
-          # Strictly declarative
-          delete-other-labels: true
+      contents: read # for reading the labels file.
+      issues: write # for creating and updating labels.
+    uses: fluxcd/gha-workflows/.github/workflows/labels-sync.yaml@v0.9.0
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -2,8 +2,6 @@ name: update

 on:
  workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
  push:
    branches: [main]

@@ -18,24 +16,37 @@ jobs:
      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: 1.23.x
+          go-version: 1.26.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Update component versions
        id: update
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PR_BODY=$(mktemp)

          bump_version() {
-            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+            local LATEST_VERSION=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+
+            if [[ "$LATEST_VERSION" == *"-rc"* ]]; then
+              echo "Skipping release candidate version for $1: $LATEST_VERSION"
+              return
+            fi
+
            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
-            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
+          
+            local API_PKG="github.com/fluxcd/$1/api"
+            if [[ "$1" == "source-watcher" ]]; then
+              API_PKG="github.com/fluxcd/$1/api/v2"
+            fi
+            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "$API_PKG")

            local changed=false

@@ -50,7 +61,7 @@ jobs:
            fi

            if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
-              go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
+              go mod edit -require="$API_PKG@${LATEST_VERSION}"
              make tidy
              changed=true
            fi
@@ -69,6 +80,7 @@ jobs:
            bump_version notification-controller
            bump_version image-reflector-controller
            bump_version image-automation-controller
+            bump_version source-watcher

            # diff change
            git diff
@@ -84,7 +96,7 @@ jobs:

      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
@@ -94,7 +106,7 @@ jobs:
          committer: GitHub <noreply@github.com>
          author: fluxcdbot <fluxcdbot@users.noreply.github.com>
          signoff: true
-          branch: update-components
+          branch: update-components-${{ github.ref_name }}
          title: Update toolkit components
          body: |
            ${{ steps.update.outputs.pr_body }}
@@ -0,0 +1,13 @@
+name: upgrade-fluxcd-pkg
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  upgrade-fluxcd-pkg:
+    uses: fluxcd/gha-workflows/.github/workflows/upgrade-fluxcd-pkg.yaml@v0.9.0
+    secrets:
+      github-token: ${{ secrets.BOT_GITHUB_TOKEN }}
@@ -1,4 +1,6 @@
 project_name: flux
+changelog:
+  use: github-native
 builds:
  - <<: &build_defaults
      binary: flux
@@ -86,22 +88,6 @@ brews:
      generate_completions_from_executable(bin/"flux", "completion")
    test: |
      system "#{bin}/flux --version"
-publishers:
-  - name: aur-pkg-bin
-    env:
-      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
-    cmd: |
-      .github/aur/flux-bin/publish.sh {{ .Version }}
-  - name: aur-pkg-scm
-    env:
-      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
-    cmd: |
-      .github/aur/flux-scm/publish.sh {{ .Version }}
-  - name: aur-pkg-go
-    env:
-      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
-    cmd: |
-      .github/aur/flux-go/publish.sh {{ .Version }}
 dockers:
 - image_templates:
    - 'fluxcd/flux-cli:{{ .Tag }}-amd64'
@@ -0,0 +1,5 @@
+annotations:
+  - checks:
+      - dangerous-workflow
+    reasons:
+      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
@@ -0,0 +1,151 @@
+# AGENTS.md
+
+Guidance for AI coding assistants working in `fluxcd/flux2`. Read this file before making changes.
+
+## Contribution workflow for AI agents
+
+These rules come from [`fluxcd/flux2/CONTRIBUTING.md`](https://github.com/fluxcd/flux2/blob/main/CONTRIBUTING.md) and apply to every Flux repository.
+
+- **Do not add `Signed-off-by` or `Co-authored-by` trailers with your agent name.** Only a human can legally certify the DCO.
+- **Disclose AI assistance** with an `Assisted-by` trailer naming your agent and model:
+  ```sh
+  git commit -s -m "Add support for X" --trailer "Assisted-by: <agent-name>/<model-id>"
+  ```
+  The `-s` flag adds the human's `Signed-off-by` from their git config — do not remove it.
+- **Commit message format:** Subject in imperative mood ("Add feature X" instead of "Adding feature X"), capitalized, no trailing period, ≤50 characters. Body wrapped at 72 columns, explaining what and why. No `@mentions` or `#123` issue references in the commit — put those in the PR description.
+- **Trim verbiage:** in PR descriptions, commit messages, and code comments. No marketing prose, no restating the diff, no emojis.
+- **Rebase, don't merge:** Never merge `main` into the feature branch; rebase onto the latest `main` and push with `--force-with-lease`. Squash before merge when asked.
+- **Pre-PR gate:** `make tidy fmt vet && make test` must pass and the working tree must be clean.
+- **Flux is GA:** Backward compatibility is mandatory. Breaking changes to CLI flags, output format, or behavior will be rejected. Design additive changes.
+- **Copyright:** All new `.go` files must begin with the header from `cmd/flux/main.go` (Apache 2.0). Update the year to the current year when copying.
+- **Tests:** New features, improvements and fixes must have test coverage. Add unit tests in `cmd/flux/*_test.go` tagged `//go:build unit`. Follow the existing `cmdTestCase` + golden file patterns. Run tests locally before pushing.
+
+## Code quality
+
+Before submitting code, review your changes for the following:
+
+- **No secrets in logs or output.** Never surface auth tokens, passwords, deploy keys, or credential URLs in error messages, log lines, or CLI output. Bootstrap and source-secret commands handle sensitive material — take extra care.
+- **No unchecked I/O.** Close HTTP response bodies, file handles, and tar readers in `defer` statements. Check and propagate errors from I/O operations.
+- **No path traversal.** Validate and sanitize file paths extracted from archives or user input. Never `filepath.Join` with untrusted components without validation.
+- **No command injection.** Do not shell out via `os/exec` for git, helm, or kustomize operations. Use the Go libraries already in use (`fluxcd/pkg/git`, `fluxcd/pkg/kustomize`, `fluxcd/pkg/ssa`).
+- **No hardcoded defaults for security settings.** TLS verification must remain enabled by default. Git auth settings come from user-provided secrets.
+- **Error handling.** Wrap errors with `%w` for chain inspection. Do not swallow errors silently. CLI errors must be actionable — tell the user what went wrong and how to fix it without leaking internal state.
+- **Resource cleanup.** Ensure temporary files and directories (manifest staging, downloaded tarballs) are cleaned up on all code paths (success and error). Use `defer` and `t.TempDir()` in tests.
+- **No panics.** Never use `panic` in runtime code paths. Return errors and let the CLI handle them gracefully.
+- **Output discipline.** Machine-readable data (tables, YAML, JSON) goes to stdout via `rootCmd.OutOrStdout()`. Human-readable status messages go to stderr via the `stderrLogger`.
+- **Minimal surface.** Keep new exported APIs in `pkg/` to the minimum needed. Every export is a backward-compatibility commitment.
+
+## Project overview
+
+flux2 is the Flux CLI (`flux` command) and distribution repository. It is **not** a controller — it consumes CRD APIs from six independent controller repos (source-controller, kustomize-controller, helm-controller, notification-controller, image-reflector-controller, image-automation-controller). It serves two purposes:
+
+1. **CLI tool** — a Cobra-based binary that installs Flux onto Kubernetes clusters, bootstraps GitOps pipelines, and manages all Flux CRD objects (create, get, export, reconcile, suspend, resume, delete, diff, build, etc.).
+2. **Distribution hub** — it bundles the Kustomize manifests for all Flux controllers and releases them as `manifests.tar.gz` on GitHub. Those manifests are also compiled into the binary itself via `//go:embed`.
+
+## Repository layout
+
+- `cmd/flux/` — all CLI source. Single `main` package with one file per command or resource type. `main.go` defines the root cobra command with global flags. `manifests.embed.go` embeds the generated controller manifests via `//go:embed`.
+- `internal/build/` — `flux build kustomization` logic (kustomize-based diff/build, SOPS secret masking).
+- `internal/flags/` — custom `pflag.Value` types providing enum validation (e.g. `LogLevel`, `ECDSACurve`, `RSAKeyBits`, `PublicKeyAlgorithm`, `DecryptionProvider`).
+- `internal/tree/` — tree-printing helper for `flux tree kustomization`.
+- `internal/utils/` — shared helpers: `KubeClient`, `KubeConfig`, `NewScheme` (registers all controller API groups), `Apply` (SSA-based two-phase apply), `ExecKubectlCommand`, `ValidateComponents`.
+- `pkg/bootstrap/` — bootstrap orchestration: `Run()`, `PlainGitBootstrapper`, `ProviderBootstrapper`. `provider/` has the git provider factory (GitHub, GitLab, Gitea, Bitbucket).
+- `pkg/log/` — `Logger` interface (`Actionf`, `Generatef`, `Waitingf`, `Successf`, `Warningf`, `Failuref`).
+- `pkg/manifestgen/` — manifest generation for install, sync, kustomization, and source secrets.
+- `pkg/printers/` — specialized printers `TablePrinter` and `DyffPrinter`.
+- `pkg/status/` — `StatusChecker` using `fluxcd/cli-utils` kstatus polling.
+- `pkg/uninstall/` — `flux uninstall` logic.
+- `manifests/` — Kustomize bases per controller, RBAC, network policies, CRD references, and `scripts/bundle.sh` which runs `kustomize build` to generate `cmd/flux/manifests/`.
+- `tests/integration/` — cloud e2e tests (Azure/GCP) with their own `go.mod` and Terraform infrastructure.
+- `rfcs/` — Request for Comments documents for major design proposals and changes.
+
+## CLI architecture
+
+Commands are Cobra-based, organized as parent + per-resource children:
+- Group files (`create.go`, `get.go`, `reconcile.go`, etc.) register the parent subcommand.
+- Per-resource files (`create_kustomization.go`, `get_helmrelease.go`, etc.) register children.
+
+Core interfaces in `cmd/flux/` enable generic command implementations:
+- `adapter` / `copyable` / `listAdapter` — wrap controller API types for generic CRUD.
+- `reconcilable` — annotate-and-poll pattern for triggering reconciliation.
+- `summarisable` — generic table output for `get` commands.
+
+Each resource type (e.g. `kustomizationAdapter` in `kustomization.go`) wraps the controller API type and implements these interfaces. Follow this pattern when adding new resource support.
+
+Commands interact with the Kubernetes API via `internal/utils.KubeClient()` → `client.WithWatch`. `internal/utils.NewScheme()` registers all six controller API groups plus core k8s types. `internal/utils.Apply()` implements SSA-based two-phase apply (CRDs/Namespaces first, then remaining objects).
+
+## Manifest pipeline
+
+1. `manifests/bases/<controller>/` contains a Kustomize base per controller referencing the controller's GitHub release for CRDs and deployment manifests.
+2. `manifests/install/kustomization.yaml` assembles all bases plus RBAC and policies.
+3. `manifests/scripts/bundle.sh` runs `kustomize build` on each base, writing output to `cmd/flux/manifests/` (not checked in — generated).
+4. The Makefile `$(EMBEDDED_MANIFESTS_TARGET)` runs `bundle.sh` and creates a sentinel file `cmd/flux/.manifests.done`.
+5. `cmd/flux/manifests.embed.go` uses `//go:embed manifests/*.yaml` to compile everything into the binary.
+
+When modifying `manifests/`, always run `make build` and verify the generated output before committing. Never hand-edit files under `cmd/flux/manifests/`.
+
+## Build, test, lint
+
+All targets in the root `Makefile`. Go version tracks `go.mod`.
+
+- `make tidy` — tidy the root module and `tests/integration/`.
+- `make fmt` / `make vet` — run in the root module.
+- `make build` — builds `bin/flux` (CGO disabled, version injected via ldflags). Depends on embedded manifests being generated.
+- `make build-dev` — builds with `DEV_VERSION`.
+- `make install` / `make install-dev` — `go install` or copy to `/usr/local/bin`.
+- `make test` — unit tests with envtest: runs `tidy fmt vet install-envtest`, then `go test ./... -coverprofile cover.out --tags=unit $(TEST_ARGS)`.
+- `make e2e` — e2e tests against a live cluster: `go test ./cmd/flux/... --tags=e2e -v -failfast`.
+- `make test-with-kind` — sets up a kind cluster, runs e2e, tears it down.
+- `make install-envtest` — downloads `setup-envtest` and fetches k8s binaries into `testbin/`.
+
+Run a single test: `make test TEST_ARGS='-run TestCreate -v'`.
+
+## Codegen and generated files
+
+Check `go.mod` and the `Makefile` for current dependency and tool versions. The main codegen pipeline is the manifest bundle:
+
+```sh
+./manifests/scripts/bundle.sh
+```
+
+Generated files (never hand-edit):
+
+- `cmd/flux/manifests/*.yaml` — generated by `bundle.sh` from `manifests/` sources.
+- `cmd/flux/.manifests.done` — sentinel file tracking bundle state.
+
+Bump `fluxcd/pkg/*` and controller `api` modules as a set. Run `make tidy` after any bump.
+
+## Conventions
+
+- Standard `gofmt`. All exported names need doc comments.
+- **Command pattern:** follow the existing group-parent + per-resource-child cobra structure. New resources need an adapter type implementing `adapter`, `copyable`, and the relevant command interfaces (`reconcilable`, `summarisable`, etc.).
+- **Output:** stderr for human status messages via `stderrLogger` (Unicode symbols: `►` action, `✔` success, `✗` failure, `◎` waiting, `⚠️` warning, `✚` generate). Stdout for machine-readable data (tables, YAML, JSON) via `rootCmd.OutOrStdout()`.
+- **Global flags:** kubeconfig flags come from `k8s.io/cli-runtime/pkg/genericclioptions.ConfigFlags`. Client tuning comes from `fluxcd/pkg/runtime/client.Options`. `FLUX_SYSTEM_NAMESPACE` env var overrides the default namespace.
+- **SSA apply:** always use `internal/utils.Apply()` (two-phase: CRDs/Namespaces first, then rest). Do not apply manifests directly via the k8s client.
+- **Reconcile triggering:** patch `meta.ReconcileRequestAnnotation` with a timestamp, then poll with `kstatus.Compute()` until ready. See `reconcile.go`.
+- **Error handling:** return errors from `RunE`. Use `*RequestError` with exit codes for actionable CLI errors. Exit code 1 = warning, anything else = failure.
+- **Flags:** use `internal/flags/` custom `pflag.Value` types for enum flags (providers, algorithms, sources). Add new enum types there.
+
+## Testing
+
+Three test suites with build tags:
+
+- **Unit** (`//go:build unit`): lives in `cmd/flux/*_test.go`. Uses `controller-runtime/envtest` for an in-process fake k8s API. CRDs are loaded from `cmd/flux/manifests/` (embedded manifests). Pattern: `cmdTestCase{args: "...", assert: assertGoldenFile("testdata/...")}`. The `executeCommand()` helper captures stdout.
+- **E2e** (`//go:build e2e`): lives in `cmd/flux/*_test.go`. Requires a live cluster via `TEST_KUBECONFIG`. `TestMain` runs `flux install` for setup and teardown.
+- **Integration** (`//go:build integration`): lives in `tests/integration/` with its own `go.mod`. Uses Terraform-provisioned cloud clusters.
+
+Golden files live in `cmd/flux/testdata/`. Update them with `go test ./cmd/flux/... --tags=unit -update`.
+
+Run a single unit test: `make test TEST_ARGS='-run TestInstall -v'`.
+
+## Gotchas and non-obvious rules
+
+- The `cmd/flux/manifests/` directory is **generated, not checked in**. It is created by `manifests/scripts/bundle.sh` and embedded into the binary. `make build` and `make test` both trigger the bundle if the sentinel file is stale.
+- `kustomize` must be on `PATH` for `bundle.sh` to work. If you see "command not found" errors during build, install kustomize.
+- `internal/utils.NewScheme()` registers all six controller API groups. Adding support for a new CRD type means updating the scheme registration there.
+- The `VERSION` constant is injected via `-ldflags` at build time. In dev builds it defaults to `0.0.0-dev.0`. The embedded manifest version check (`isEmbeddedVersion`) determines whether `flux install` uses compiled-in manifests or downloads from GitHub.
+- `resetCmdArgs()` in tests is critical — Cobra persists flag state between test runs. Every test case must reset to avoid pollution.
+- `executeCommand()` captures stdout only. Stderr output (from `stderrLogger`) is not captured in test assertions. If your command's output goes to the wrong stream, tests will silently pass with empty golden files.
+- The `adapter` / `listAdapter` interfaces use type assertions internally. If you add a new resource type and forget to implement an interface method, you'll get a runtime panic in the generic command handler, not a compile error. Add interface compliance checks (`var _ reconcilable = ...`).
+- Bootstrap commands create real Git commits and push to real repos. E2e tests for bootstrap need careful cleanup. Do not add bootstrap e2e tests without a corresponding teardown.
+- `pkg/` packages are importable by external consumers (e.g. Terraform provider, other tools). Treat their exported surface as public API.
@@ -1,154 +1,129 @@
 # Contributing

-Flux is [Apache 2.0 licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and
-accepts contributions via GitHub pull requests. This document outlines
-some of the conventions on to make it easier to get your contribution
-accepted.
+Flux is [Apache 2.0 licensed](https://github.com/fluxcd/flux2/blob/main/LICENSE) and accepts contributions via GitHub pull requests.
+This document outlines the conventions to get your contribution accepted.
+We gratefully welcome improvements to documentation as well as code contributions.

-We gratefully welcome improvements to issues and documentation as well as to
-code.
+If you are new to the project, we recommend starting with documentation improvements or
+small bug fixes to get familiar with the codebase and the contribution process.
+
+## Project Structure
+
+The Flux project consists of a set of Kubernetes controllers and tools that implement the GitOps pattern.
+The main repositories in the Flux project are:
+
+- [fluxcd/flux2](https://github.com/fluxcd/flux2): The Flux distribution and command-line interface (CLI)
+- [fluxcd/pkg](https://github.com/fluxcd/pkg): The GitOps Toolkit Go SDK for building Flux controllers and CLI plugins
+- [fluxcd/source-controller](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git, OCI and Helm repositories, S3-compatible Buckets)
+- [fluxcd/source-watcher](https://github.com/fluxcd/source-watcher): Kubernetes operator for advanced source composition and decomposition patterns
+- [fluxcd/kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
+- [fluxcd/helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for lifecycle management of Helm releases
+- [fluxcd/notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events (alerts and webhook receivers)
+- [fluxcd/image-reflector-controller](https://github.com/fluxcd/image-reflector-controller): Kubernetes operator for scanning container registries for new image tags and digests
+- [fluxcd/image-automation-controller](https://github.com/fluxcd/image-automation-controller): Kubernetes operator for patching container image tags and digests in Git repositories
+- [fluxcd/website](https://github.com/fluxcd/website): The Flux documentation website accessible at <https://fluxcd.io/>
+
+## AI Coding Assistants Guidance
+
+Using AI Agents to help write your PR is acceptable, but as the author, you are responsible
+for understanding the code and the documentation you submit. Please review all the AI-generated
+content and make sure it follows the guidelines in this document before submitting your PR.
+
+All Flux repositories contain an `AGENTS.md` file. You must point your AI Agent to
+`AGENTS.md` and ask it to follow the guidelines and conventions described there.
+
+Trim down the verbiage in the PR description, commit messages and code comments.
+When engaging with Flux maintainers please refrain from using AI Agents to
+generate responses, we want to talk to you, not to your AI Agent.
+
+AI Agents **must not** add `Signed-off-by` or `Co-authored-by` tags to the commit message.
+Only humans can legally certify the Developer Certificate of Origin ([DCO](https://developercertificate.org/)).
+
+You should disclose the use of AI Agents in the description of your PR and
+in the commit message using the `Assisted-by: AGENT_NAME/LLM_VERSION` tag.
+
+Adding the `Assisted-by` tag to the commit message can be done with:
+
+```sh
+git commit -s -m "Your commit message" --trailer "Assisted-by: <agent>/<model>"
+```
+
+**Note** that the `Signed-off-by` tag is set via the `-s` flag using your real name and email
+(`user.name` and `user.email` must be set in Git config).
+
+Example of a commit message disclosing the use of AI assistance:
+
+```text
+Add version info to plugin listing
+
+Add a version column to the `flux plugin list` table output and populate
+it with the semantic version info extracted from the plugin's recipe file.
+For plugins installed via symlinks, the version is set to `unknown`.
+
+Signed-off-by: Jane Doe <jane.doe@example.com>
+Assisted-by: copilot/gpt-5.4
+```

 ## Certificate of Origin

-By contributing to this project you agree to the Developer Certificate of
-Origin (DCO). This document was created by the Linux Kernel community and is a
-simple statement that you, as a contributor, have the legal right to make the
-contribution.
+By contributing to this project you agree to the Developer Certificate of Origin (DCO).
+This document was created by the Linux Kernel community and is a simple statement that you,
+as a contributor, have the legal right to make the contribution.

-We require all commits to be signed. By signing off with your signature, you
-certify that you wrote the patch or otherwise have the right to contribute the
-material by the rules of the [DCO](DCO):
+We require all commits to be signed. By signing off with your signature, you certify that you wrote
+the patch or otherwise have the right to contribute the material by the rules of the [DCO](https://raw.githubusercontent.com/fluxcd/flux2/refs/heads/main/DCO):

 `Signed-off-by: Jane Doe <jane.doe@example.com>`

-The signature must contain your real name
-(sorry, no pseudonyms or anonymous contributions)
-If your `user.name` and `user.email` are configured in your Git config,
+The signature must contain your real name (sorry, no pseudonyms or anonymous contributions).
+If your `user.name` and `user.email` are set in your Git config,
 you can sign your commit automatically with `git commit -s`.

-## Communications
-
-For realtime communications we use Slack: To join the conversation, simply
-join the [CNCF](https://slack.cncf.io/) Slack workspace and use the
-[#flux-contributors](https://cloud-native.slack.com/messages/flux-contributors/) channel.
-
-To discuss ideas and specifications we use [Github
-Discussions](https://github.com/fluxcd/flux2/discussions).
-
-For announcements we use a mailing list as well. Simply subscribe to
-[flux-dev on cncf.io](https://lists.cncf.io/g/cncf-flux-dev)
-to join the conversation (there you can also add calendar invites
-to your Google calendar for our [Flux
-meeting](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view)).
-
-## Understanding Flux and the GitOps Toolkit
-
-If you are entirely new to Flux and the GitOps Toolkit,
-you might want to take a look at the [introductory talk and demo](https://www.youtube.com/watch?v=qQBtSkgl7tI).
-
-This project is composed of:
-
- [flux2](https://github.com/fluxcd/flux2): The Flux CLI
- [source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git and Helm repositories, S3-compatible Buckets)
- [kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
- [helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
- [notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
- [image-reflector-controller](https://github.com/fluxcd/image-reflector-controller): Kubernetes operator for scanning container registries
- [image-automation-controller](https://github.com/fluxcd/image-automation-controller): Kubernetes operator for patches container image tags in Git
-
-### Understanding the code
-
-To get started with developing controllers, you might want to review
-[our guide](https://fluxcd.io/flux/gitops-toolkit/source-watcher/) which
-walks you through writing a short and concise controller that watches out
-for source changes.
-
-## How to run the test suite
-
-Prerequisites:
-
-* go >= 1.20
-* kubectl >= 1.24
-* kustomize >= 5.0
-* coreutils (on Mac OS)
-
-Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
-
-```bash
-make install-envtest
-```
-
-Then you can run the unit tests with:
-
-```bash
-make test
-```
-
-After [installing Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start#installation) on your machine,
-create a cluster for testing with:
-
-```bash
-make setup-kind
-```
-
-Then you can run the end-to-end tests with:
-
-```bash
-make e2e
-```
-
-When the output of the Flux CLI changes, to automatically update the golden
-files used in the test, pass `-update` flag to the test as:
-
-```bash
-make e2e TEST_ARGS="-update"
-```
-
-Since not all packages use golden files for testing, `-update` argument must be
-passed only for the packages that use golden files. Use the variables
-`TEST_PKG_PATH` for unit tests and `E2E_TEST_PKG_PATH` for e2e tests, to set the
-path of the target test package:
-
-```bash
-# Unit test
-make test TEST_PKG_PATH="./cmd/flux" TEST_ARGS="-update"
-# e2e test
-make e2e E2E_TEST_PKG_PATH="./cmd/flux" TEST_ARGS="-update"
-```
-
-Teardown the e2e environment with:
-
-```bash
-make cleanup-kind
-```
-
 ## Acceptance policy

 These things will make a PR more likely to be accepted:

- a well-described requirement
- tests for new code
- tests for old code!
- new code and tests follow the conventions in old code and tests
- a good commit message (see below)
- all code must abide [Go Code Review Comments](https://github.com/golang/go/wiki/CodeReviewComments)
- names should abide [What's in a name](https://talks.golang.org/2014/names.slide#1)
- code must build on both Linux and Darwin, via plain `go build`
- code should have appropriate test coverage and tests should be written
-  to work with `go test`
+- Addressing an open issue, if one doesn't exist, please open an issue to discuss the problem and the proposed solution before submitting a PR.
+- Flux is GA software and we are committed to maintaining backward compatibility. If your contribution introduces a breaking change, expect for your PR to be rejected.
+- New code and tests must follow the conventions in the existing code and tests. All new code must have good test coverage and be well documented.
+- All top-level Go code and exported names should have doc comments, as should non-trivial unexported type or function declarations.
+- Before submitting a PR, make sure that your code is properly formatted by running `make tidy fmt vet` and that all tests are passing by running `make test`.

 In general, we will merge a PR once one maintainer has endorsed it.
 For substantial changes, more people may become involved, and you might
 get asked to resubmit the PR or divide the changes into more than one PR.

-### Format of the Commit Message
+## Format of the Commit Message

-For the GitOps Toolkit controllers we prefer the following rules for good commit messages:
+For the Flux project we prefer the following rules:

- Limit the subject to 50 characters and write as the continuation
-  of the sentence "If applied, this commit will ..."
- Explain what and why in the body, if more than a trivial change;
-  wrap it at 72 characters.
+- Limit the subject to 50 characters, start with a capital letter and do not end with a period.
+- Explain what and why in the body, if more than a trivial change; wrap it at 72 characters.
+- Use the imperative mood in the subject line (e.g., "Add support for X" instead of "Added support for X" or "Adds support for X").
+- Do not include GitHub mentions to issues in the commit message, use the PR description instead (e.g., "Fixes #123" or "Closes #123").
+- Do not include GitHub mentions to accounts (e.g., `@username` or `@team`) within the commit message.

-The [following article](https://chris.beams.io/posts/git-commit/#seven-rules)
-has some more helpful advice on documenting your work.
+## Pull Request Process
+
+Fork the repository and create a new branch for your changes, do not commit directly to the `main` branch.
+Once you have made your changes and committed them, push your branch to your fork and open a pull request
+against the `main` branch of the Flux repository.
+
+During the review process, you may be asked to make changes to your PR. Add commits to address the feedback
+without force pushing, as this will make it easier for reviewers to see the changes.
+Before committing, make sure to run `make test` to ensure that your code will pass the CI checks.
+
+When the review process is complete, you will be asked to **squash** the commits and **rebase** your branch.
+**Do not merge** the `main` branch into your branch, instead, rebase your branch on top of the latest `main`
+branch after **syncing your fork** with the latest changes from the Flux repository. After rebasing,
+you can push your branch with the `--force-with-lease` option to update the PR.
+
+## Communications
+
+For realtime communications we use Slack. To reach out to the Flux maintainers and contributors,
+join the [CNCF](https://slack.cncf.io/) Slack workspace and use the [#flux-contributors](https://cloud-native.slack.com/messages/flux-contributors/) channel.
+To discuss ideas and specifications we use [GitHub Discussions](https://github.com/fluxcd/flux2/discussions).
+
+For announcements, we use a mailing list as well. Subscribe to
+[flux-dev on cncf.io](https://lists.cncf.io/g/cncf-flux-dev), there you can also add calendar invites
+to your Google calendar for our [Flux dev meeting](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view).
@@ -1,15 +1,16 @@
-FROM alpine:3.20 as builder
+FROM alpine:3.23 AS builder

 RUN apk add --no-cache ca-certificates curl

 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.31.0
+ARG KUBECTL_VER=1.35.0

-RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
-    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
-    kubectl version --client=true
+RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
+    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl

-FROM alpine:3.20 as flux-cli
+RUN kubectl version --client=true
+
+FROM alpine:3.23 AS flux-cli

 RUN apk add --no-cache ca-certificates

@@ -17,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build

 tidy:
-	go mod tidy -compat=1.22
-	cd tests/integration && go mod tidy -compat=1.22
+	go mod tidy -compat=1.26
+	cd tests/integration && go mod tidy -compat=1.26

 fmt:
 	go fmt ./...
@@ -52,12 +52,14 @@ guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).

 ### Components

- [Source Controller](https://fluxcd.io/flux/components/source/)
+- [Source Controllers](https://fluxcd.io/flux/components/source/)
    - [GitRepository CRD](https://fluxcd.io/flux/components/source/gitrepositories/)
    - [OCIRepository CRD](https://fluxcd.io/flux/components/source/ocirepositories/)
    - [HelmRepository CRD](https://fluxcd.io/flux/components/source/helmrepositories/)
    - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
    - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
+    - [ExternalArtifact CRD](https://fluxcd.io/flux/components/source/externalartifacts/)
+    - [ArtifactGenerator CRD](https://fluxcd.io/flux/components/source/artifactgenerators/)
 - [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
    - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomizations/)
 - [Helm Controller](https://fluxcd.io/flux/components/helm/)
@@ -16,23 +16,24 @@ inputs:
    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
    required: false
  token:
-    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
+    description: "Token used to authenticate against the GitHub.com API."
    required: false
 runs:
  using: composite
  steps:
    - name: "Download the binary to the runner's cache dir"
      shell: bash
+      env:
+        VERSION: "${{ inputs.version }}"
+        FLUX_TOOL_DIR: "${{ inputs.bindir }}"
+        TOKEN: "${{ inputs.token }}"
      run: |
-        VERSION=${{ inputs.version }}
-
-        TOKEN=${{ inputs.token }}
-        if [[ -z "$TOKEN" ]]; then
-          TOKEN=${{ github.token }}
-        fi
-
        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
+          if [[ "${TOKEN}" != '' ]]; then
            VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
+          else
+            VERSION=$(curl -w "%{url_effective}\n" -IsSL https://github.com/fluxcd/flux2/releases/latest -o /dev/null | sed 's$^.*/$$')
+          fi
        fi
        if [[ -z "$VERSION" ]]; then
          echo "Unable to determine Flux CLI version"
@@ -59,7 +60,6 @@ runs:
            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
        fi

-        FLUX_TOOL_DIR=${{ inputs.bindir }}
        if [[ -z "$FLUX_TOOL_DIR" ]]; then
          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
        fi
@@ -77,8 +77,36 @@ runs:

          FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"

-          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
-          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
+          MAX_RETRIES=5
+          RETRY_DELAY=5
+          
+          for i in $(seq 1 $MAX_RETRIES); do
+            echo "Downloading flux binary (attempt $i/$MAX_RETRIES)"
+            if curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"; then
+              break
+            fi
+            if [ $i -lt $MAX_RETRIES ]; then
+              echo "Download failed, retrying in ${RETRY_DELAY} seconds..."
+              sleep $RETRY_DELAY
+            else
+              echo "Failed to download flux binary after $MAX_RETRIES attempts"
+              exit 1
+            fi
+          done
+          
+          for i in $(seq 1 $MAX_RETRIES); do
+            echo "Downloading checksums file (attempt $i/$MAX_RETRIES)"
+            if curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"; then
+              break
+            fi
+            if [ $i -lt $MAX_RETRIES ]; then
+              echo "Download failed, retrying in ${RETRY_DELAY} seconds..."
+              sleep $RETRY_DELAY
+            else
+              echo "Failed to download checksums file after $MAX_RETRIES attempts"
+              exit 1
+            fi
+          done
        
          echo "Verifying checksum"
          sum=""
@@ -0,0 +1,57 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+// swapi.ArtifactGenerator
+
+var artifactGeneratorType = apiType{
+	kind:         swapi.ArtifactGeneratorKind,
+	humanKind:    "artifactgenerator",
+	groupVersion: swapi.GroupVersion,
+}
+
+type artifactGeneratorAdapter struct {
+	*swapi.ArtifactGenerator
+}
+
+func (h artifactGeneratorAdapter) asClientObject() client.Object {
+	return h.ArtifactGenerator
+}
+
+func (h artifactGeneratorAdapter) deepCopyClientObject() client.Object {
+	return h.ArtifactGenerator.DeepCopy()
+}
+
+// swapi.ArtifactGeneratorList
+
+type artifactGeneratorListAdapter struct {
+	*swapi.ArtifactGeneratorList
+}
+
+func (h artifactGeneratorListAdapter) asClientList() client.ObjectList {
+	return h.ArtifactGeneratorList
+}
+
+func (h artifactGeneratorListAdapter) len() int {
+	return len(h.ArtifactGeneratorList.Items)
+}
@@ -97,7 +97,7 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller,source-watcher'")

 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the Flux controller images are published")
@@ -42,7 +42,7 @@ import (
 var bootstrapGitLabCmd = &cobra.Command{
 	Use:   "gitlab",
 	Short: "Deploy Flux on a cluster connected to a GitLab repository",
-	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and
+	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exist and
 commits the Flux manifests to the specified branch.
 Then it configures the target cluster to synchronize with that repository.
 If the Flux components are present on the cluster,
@@ -22,19 +22,20 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strings"

 	"github.com/spf13/cobra"

-	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/oci"
 	"github.com/fluxcd/pkg/sourceignore"
 )

 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
-	Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
-from the given directory or a single manifest file.`),
+	Long: `The build artifact command creates a tgz file with the manifests
+from the given directory or a single manifest file.`,
 	Example: `  # Build the given manifests directory into an artifact
  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz

@@ -51,6 +52,7 @@ type buildArtifactFlags struct {
 	output          string
 	path            string
 	ignorePaths     []string
+	resolveSymlinks bool
 }

 var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
@@ -61,6 +63,7 @@ func init() {
 	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.path, "path", "p", "", "Path to the directory where the Kubernetes manifests are located.")
 	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
 	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+	buildArtifactCmd.Flags().BoolVar(&buildArtifactArgs.resolveSymlinks, "resolve-symlinks", false, "resolve symlinks by copying their targets into the artifact")

 	buildCmd.AddCommand(buildArtifactCmd)
 }
@@ -85,6 +88,15 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid path '%s', must point to an existing directory or file", path)
 	}

+	if buildArtifactArgs.resolveSymlinks {
+		resolved, cleanupDir, err := resolveSymlinks(path)
+		if err != nil {
+			return fmt.Errorf("resolving symlinks failed: %w", err)
+		}
+		defer os.RemoveAll(cleanupDir)
+		path = resolved
+	}
+
 	logger.Actionf("building artifact from %s", path)

 	ociClient := oci.NewClient(oci.DefaultOptions())
@@ -96,6 +108,141 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	return nil
 }

+// resolveSymlinks creates a temporary directory with symlinks resolved to their
+// real file contents. This allows building artifacts from symlink trees (e.g.,
+// those created by Nix) where the actual files live outside the source directory.
+// It returns the resolved path and the temporary directory path for cleanup.
+func resolveSymlinks(srcPath string) (string, string, error) {
+	absPath, err := filepath.Abs(srcPath)
+	if err != nil {
+		return "", "", err
+	}
+
+	info, err := os.Stat(absPath)
+	if err != nil {
+		return "", "", err
+	}
+
+	// For a single file, resolve the symlink and return the path to the
+	// copied file within the temp dir, preserving file semantics for callers.
+	if !info.IsDir() {
+		resolved, err := filepath.EvalSymlinks(absPath)
+		if err != nil {
+			return "", "", fmt.Errorf("resolving symlink for %s: %w", absPath, err)
+		}
+		tmpDir, err := os.MkdirTemp("", "flux-artifact-*")
+		if err != nil {
+			return "", "", err
+		}
+		dst := filepath.Join(tmpDir, filepath.Base(absPath))
+		if err := copyFile(resolved, dst); err != nil {
+			os.RemoveAll(tmpDir)
+			return "", "", err
+		}
+		return dst, tmpDir, nil
+	}
+
+	tmpDir, err := os.MkdirTemp("", "flux-artifact-*")
+	if err != nil {
+		return "", "", err
+	}
+
+	visited := make(map[string]bool)
+	if err := copyDir(absPath, tmpDir, visited); err != nil {
+		os.RemoveAll(tmpDir)
+		return "", "", err
+	}
+
+	return tmpDir, tmpDir, nil
+}
+
+// copyDir recursively copies the contents of srcDir to dstDir, resolving any
+// symlinks encountered along the way. The visited map tracks resolved real
+// directory paths to detect and break symlink cycles.
+func copyDir(srcDir, dstDir string, visited map[string]bool) error {
+	real, err := filepath.EvalSymlinks(srcDir)
+	if err != nil {
+		return fmt.Errorf("resolving symlink %s: %w", srcDir, err)
+	}
+	abs, err := filepath.Abs(real)
+	if err != nil {
+		return fmt.Errorf("getting absolute path for %s: %w", real, err)
+	}
+	if visited[abs] {
+		return nil // break the cycle
+	}
+	visited[abs] = true
+	defer delete(visited, abs)
+	entries, err := os.ReadDir(srcDir)
+	if err != nil {
+		return err
+	}
+
+	for _, entry := range entries {
+		srcPath := filepath.Join(srcDir, entry.Name())
+		dstPath := filepath.Join(dstDir, entry.Name())
+
+		// Resolve symlinks to get the real path and info.
+		realPath, err := filepath.EvalSymlinks(srcPath)
+		if err != nil {
+			return fmt.Errorf("resolving symlink %s: %w", srcPath, err)
+		}
+		realInfo, err := os.Stat(realPath)
+		if err != nil {
+			return fmt.Errorf("stat resolved path %s: %w", realPath, err)
+		}
+
+		if realInfo.IsDir() {
+			if err := os.MkdirAll(dstPath, realInfo.Mode()); err != nil {
+				return err
+			}
+			// Recursively copy the resolved directory contents.
+			if err := copyDir(realPath, dstPath, visited); err != nil {
+				return err
+			}
+			continue
+		}
+
+		if !realInfo.Mode().IsRegular() {
+			continue
+		}
+
+		if err := copyFile(realPath, dstPath); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func copyFile(src, dst string) error {
+	srcInfo, err := os.Stat(src)
+	if err != nil {
+		return err
+	}
+
+	in, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+
+	if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
+		return err
+	}
+
+	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, srcInfo.Mode())
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	if _, err := io.Copy(out, in); err != nil {
+		return err
+	}
+	return out.Close()
+}
+
 func saveReaderToFile(reader io.Reader) (string, error) {
 	b, err := io.ReadAll(bufio.NewReader(reader))
 	if err != nil {
@@ -18,6 +18,7 @@ package main

 import (
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"

@@ -68,3 +69,149 @@ data:

 	}
 }
+
+func Test_resolveSymlinks(t *testing.T) {
+	g := NewWithT(t)
+
+	// Create source directory with a real file
+	srcDir := t.TempDir()
+	realFile := filepath.Join(srcDir, "real.yaml")
+	g.Expect(os.WriteFile(realFile, []byte("apiVersion: v1\nkind: Namespace\nmetadata:\n  name: test\n"), 0o644)).To(Succeed())
+
+	// Create a directory with symlinks pointing to files outside it
+	symlinkDir := t.TempDir()
+	symlinkFile := filepath.Join(symlinkDir, "linked.yaml")
+	g.Expect(os.Symlink(realFile, symlinkFile)).To(Succeed())
+
+	// Also add a regular file in the symlink dir
+	regularFile := filepath.Join(symlinkDir, "regular.yaml")
+	g.Expect(os.WriteFile(regularFile, []byte("apiVersion: v1\nkind: ConfigMap\n"), 0o644)).To(Succeed())
+
+	// Create a symlinked subdirectory
+	subDir := filepath.Join(srcDir, "subdir")
+	g.Expect(os.MkdirAll(subDir, 0o755)).To(Succeed())
+	g.Expect(os.WriteFile(filepath.Join(subDir, "nested.yaml"), []byte("nested"), 0o644)).To(Succeed())
+	g.Expect(os.Symlink(subDir, filepath.Join(symlinkDir, "linkeddir"))).To(Succeed())
+
+	// Resolve symlinks
+	resolved, cleanupDir, err := resolveSymlinks(symlinkDir)
+	g.Expect(err).To(BeNil())
+	t.Cleanup(func() { os.RemoveAll(cleanupDir) })
+
+	// Verify the regular file was copied
+	content, err := os.ReadFile(filepath.Join(resolved, "regular.yaml"))
+	g.Expect(err).To(BeNil())
+	g.Expect(string(content)).To(Equal("apiVersion: v1\nkind: ConfigMap\n"))
+
+	// Verify the symlinked file was resolved and copied
+	content, err = os.ReadFile(filepath.Join(resolved, "linked.yaml"))
+	g.Expect(err).To(BeNil())
+	g.Expect(string(content)).To(ContainSubstring("kind: Namespace"))
+
+	// Verify that the resolved file is a regular file, not a symlink
+	info, err := os.Lstat(filepath.Join(resolved, "linked.yaml"))
+	g.Expect(err).To(BeNil())
+	g.Expect(info.Mode().IsRegular()).To(BeTrue())
+
+	// Verify that the symlinked directory was resolved and its contents were copied
+	content, err = os.ReadFile(filepath.Join(resolved, "linkeddir", "nested.yaml"))
+	g.Expect(err).To(BeNil())
+	g.Expect(string(content)).To(Equal("nested"))
+
+	// Verify that the file inside the symlinked directory is a regular file
+	info, err = os.Lstat(filepath.Join(resolved, "linkeddir", "nested.yaml"))
+	g.Expect(err).To(BeNil())
+	g.Expect(info.Mode().IsRegular()).To(BeTrue())
+}
+
+func Test_resolveSymlinks_singleFile(t *testing.T) {
+	g := NewWithT(t)
+
+	// Create a real file
+	srcDir := t.TempDir()
+	realFile := filepath.Join(srcDir, "manifest.yaml")
+	g.Expect(os.WriteFile(realFile, []byte("kind: ConfigMap"), 0o644)).To(Succeed())
+
+	// Create a symlink to the real file
+	linkDir := t.TempDir()
+	linkFile := filepath.Join(linkDir, "link.yaml")
+	g.Expect(os.Symlink(realFile, linkFile)).To(Succeed())
+
+	// Resolve the single symlinked file
+	resolved, cleanupDir, err := resolveSymlinks(linkFile)
+	g.Expect(err).To(BeNil())
+	t.Cleanup(func() { os.RemoveAll(cleanupDir) })
+
+	// The returned path should be a file, not a directory
+	info, err := os.Stat(resolved)
+	g.Expect(err).To(BeNil())
+	g.Expect(info.IsDir()).To(BeFalse())
+
+	// Verify contents
+	content, err := os.ReadFile(resolved)
+	g.Expect(err).To(BeNil())
+	g.Expect(string(content)).To(Equal("kind: ConfigMap"))
+}
+
+func Test_resolveSymlinks_cycle(t *testing.T) {
+	g := NewWithT(t)
+
+	// Create a directory with a symlink cycle: dir/link -> dir
+	dir := t.TempDir()
+	g.Expect(os.WriteFile(filepath.Join(dir, "file.yaml"), []byte("data"), 0o644)).To(Succeed())
+	g.Expect(os.Symlink(dir, filepath.Join(dir, "cycle"))).To(Succeed())
+
+	// resolveSymlinks should not infinite-loop
+	resolved, cleanupDir, err := resolveSymlinks(dir)
+	g.Expect(err).To(BeNil())
+	t.Cleanup(func() { os.RemoveAll(cleanupDir) })
+
+	// The file should be copied
+	content, err := os.ReadFile(filepath.Join(resolved, "file.yaml"))
+	g.Expect(err).To(BeNil())
+	g.Expect(string(content)).To(Equal("data"))
+
+	// The cycle directory should exist but not cause infinite nesting
+	_, err = os.Stat(filepath.Join(resolved, "cycle"))
+	g.Expect(err).To(BeNil())
+
+	// There should NOT be deeply nested cycle/cycle/cycle/... paths
+	_, err = os.Stat(filepath.Join(resolved, "cycle", "cycle", "cycle"))
+	g.Expect(os.IsNotExist(err)).To(BeTrue())
+}
+
+func Test_resolveSymlinks_multipleLinksSameTarget(t *testing.T) {
+	g := NewWithT(t)
+
+	// Create source directory with a real file inside a dir
+	srcDir := t.TempDir()
+	targetDir := filepath.Join(srcDir, "target")
+	g.Expect(os.MkdirAll(targetDir, 0o755)).To(Succeed())
+	g.Expect(os.WriteFile(filepath.Join(targetDir, "file.yaml"), []byte("data"), 0o644)).To(Succeed())
+
+	// Create a directory with multiple symlinks pointing to targetDir
+	symlinkDir := t.TempDir()
+
+	// Link 1
+	link1 := filepath.Join(symlinkDir, "link1")
+	g.Expect(os.Symlink(targetDir, link1)).To(Succeed())
+
+	// Link 2
+	link2 := filepath.Join(symlinkDir, "link2")
+	g.Expect(os.Symlink(targetDir, link2)).To(Succeed())
+
+	// Resolve symlinks
+	resolved, cleanupDir, err := resolveSymlinks(symlinkDir)
+	g.Expect(err).To(BeNil())
+	t.Cleanup(func() { os.RemoveAll(cleanupDir) })
+
+	// Verify link1 has the file
+	content, err := os.ReadFile(filepath.Join(resolved, "link1", "file.yaml"))
+	g.Expect(err).To(BeNil())
+	g.Expect(string(content)).To(Equal("data"))
+
+	// Verify link2 ALSO has the file
+	content2, err := os.ReadFile(filepath.Join(resolved, "link2", "file.yaml"))
+	g.Expect(err).To(BeNil())
+	g.Expect(string(content2)).To(Equal("data"))
+}
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 	"os/signal"
+	"path/filepath"

 	"github.com/spf13/cobra"

@@ -53,12 +54,12 @@ flux build kustomization my-app --path ./path/to/local/manifests \
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
-	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"

 # Run recursively on all encountered Kustomizations
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--recursive \
-	--local-sources GitRepository/flux-system/my-repo=./path/to/local/git"`,
+	--local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
@@ -71,6 +72,7 @@ type buildKsFlags struct {
 	strictSubst       bool
 	recursive         bool
 	localSources      map[string]string
+	inMemoryBuild     bool
 }

 var buildKsArgs buildKsFlags
@@ -84,6 +86,8 @@ func init() {
 		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	buildKsCmd.Flags().BoolVarP(&buildKsArgs.recursive, "recursive", "r", false, "Recursively build Kustomizations")
 	buildKsCmd.Flags().StringToStringVar(&buildKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
+	buildKsCmd.Flags().BoolVar(&buildKsArgs.inMemoryBuild, "in-memory-build", true,
+		"Use in-memory filesystem during build.")
 	buildCmd.AddCommand(buildKsCmd)
 }

@@ -97,6 +101,13 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}

+	// Normalize the path to handle Windows absolute and relative paths correctly
+	buildKsArgs.path, err = filepath.Abs(buildKsArgs.path)
+	if err != nil {
+		return fmt.Errorf("failed to resolve absolute path: %w", err)
+	}
+	buildKsArgs.path = filepath.Clean(buildKsArgs.path)
+
 	if fs, err := os.Stat(buildKsArgs.path); err != nil || !fs.IsDir() {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}
@@ -122,6 +133,7 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 			build.WithRecursive(buildKsArgs.recursive),
 			build.WithLocalSources(buildKsArgs.localSources),
+			build.WithInMemoryBuild(buildKsArgs.inMemoryBuild),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
@@ -132,6 +144,7 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 			build.WithRecursive(buildKsArgs.recursive),
 			build.WithLocalSources(buildKsArgs.localSources),
+			build.WithInMemoryBuild(buildKsArgs.inMemoryBuild),
 		)
 	}

@@ -52,6 +52,12 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build podinfo (on-disk)",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo --in-memory-build=false",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 		{
 			name:       "build podinfo without service",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/delete-service",
@@ -70,12 +76,24 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build ignore (on-disk)",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/ignore --ignore-paths \"!configmap.yaml,!secret.yaml\" --in-memory-build=false",
+			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 		{
 			name:       "build with recursive",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build with recursive (on-disk)",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --in-memory-build=false",
+			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 	}

 	tmpl := map[string]string{
@@ -145,6 +163,12 @@ spec:
 			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build podinfo (on-disk)",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo --in-memory-build=false",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 		{
 			name:       "build podinfo without service",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/delete-service",
@@ -169,6 +193,24 @@ spec:
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build with recursive in dry-run mode",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
+			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with recursive (on-disk)",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --in-memory-build=false",
+			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with recursive in dry-run mode (on-disk)",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --in-memory-build=false --dry-run",
+			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 	}

 	tmpl := map[string]string{
@@ -212,3 +254,71 @@ spec:
 		})
 	}
 }
+
+// TestBuildKustomizationPathNormalization verifies that absolute and complex
+// paths are normalized to prevent path concatenation bugs (issue #5673).
+// Without normalization, paths could be duplicated like: /path/test/path/test/file
+func TestBuildKustomizationPathNormalization(t *testing.T) {
+	// Get absolute path to testdata to test absolute path handling
+	absTestDataPath, err := filepath.Abs("testdata/build-kustomization/podinfo")
+	if err != nil {
+		t.Fatalf("failed to get absolute path: %v", err)
+	}
+
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "build with absolute path",
+			args:       "build kustomization podinfo --path " + absTestDataPath,
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with absolute path (on-disk)",
+			args:       "build kustomization podinfo --path " + absTestDataPath + " --in-memory-build=false",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with complex relative path (parent dir)",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/../build-kustomization/podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with path containing redundant separators",
+			args:       "build kustomization podinfo --path ./testdata//build-kustomization//podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setup(t, tmpl)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -60,7 +60,7 @@ type checkFlags struct {
 }

 var kubernetesConstraints = []string{
-	">=1.28.0-0",
+	">=1.33.0-0",
 }

 var checkArgs checkFlags
@@ -217,7 +217,7 @@ func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
 				}
 			}
 			for _, c := range d.Spec.Template.Spec.Containers {
-				logger.Actionf(c.Image)
+				logger.Actionf("%s", c.Image)
 			}
 		}
 	}
@@ -238,7 +238,7 @@ func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
 		for _, crd := range list.Items {
 			versions := crd.Status.StoredVersions
 			if len(versions) > 0 {
-				logger.Successf(crd.Name + "/" + versions[len(versions)-1])
+				logger.Successf("%s", crd.Name+"/"+versions[len(versions)-1])
 			} else {
 				ok = false
 				logger.Failuref("no stored versions for %s", crd.Name)
@@ -125,7 +125,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	logger.Generatef("generating %s", names.kind)
 	logger.Actionf("applying %s", names.kind)

-	namespacedName, err := imageRepositoryType.upsert(ctx, kubeClient, object, mutate)
+	namespacedName, err := names.upsert(ctx, kubeClient, object, mutate)
 	if err != nil {
 		return err
 	}
@@ -37,7 +37,6 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"

 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -95,6 +94,13 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=HelmRepository/podinfo \
    --chart=podinfo

+  # Create a HelmRelease with custom storage namespace for hub-and-spoke model
+  flux create hr podinfo \
+    --target-namespace=production \
+    --storage-namespace=fluxcd-system \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo
+
  # Create a HelmRelease using a source from a different namespace
  flux create hr podinfo \
    --namespace=default \
@@ -128,6 +134,7 @@ type helmReleaseFlags struct {
 	chartVersion        string
 	chartRef            string
 	targetNamespace     string
+	storageNamespace    string
 	createNamespace     bool
 	valuesFiles         []string
 	valuesFrom          []string
@@ -142,7 +149,7 @@ var helmReleaseArgs helmReleaseFlags

 var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}

-var supportedHelmReleaseReferenceKinds = []string{sourcev1b2.OCIRepositoryKind, sourcev1.HelmChartKind}
+var supportedHelmReleaseReferenceKinds = []string{sourcev1.OCIRepositoryKind, sourcev1.HelmChartKind}

 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
@@ -151,6 +158,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.storageNamespace, "storage-namespace", "", "namespace to store the Helm release, defaults to the target namespace")
 	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
@@ -166,10 +174,18 @@ func init() {
 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

+	if helmReleaseArgs.storageNamespace == "" && helmReleaseArgs.targetNamespace != "" {
+		helmReleaseArgs.storageNamespace = helmReleaseArgs.targetNamespace
+	}
+
 	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
 		return fmt.Errorf("chart or chart-ref is required")
 	}

+	if helmReleaseArgs.chart != "" && helmReleaseArgs.chartRef != "" {
+		return fmt.Errorf("cannot use --chart in combination with --chart-ref")
+	}
+
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
@@ -192,15 +208,27 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		},
 		Spec: helmv2.HelmReleaseSpec{
 			ReleaseName: helmReleaseArgs.name,
-			DependsOn:   utils.MakeDependsOn(helmReleaseArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 			TargetNamespace:  helmReleaseArgs.targetNamespace,
+			StorageNamespace: helmReleaseArgs.storageNamespace,
 			Suspend:          false,
 		},
 	}

+	if len(helmReleaseArgs.dependsOn) > 0 {
+		ls := utils.MakeDependsOn(helmReleaseArgs.dependsOn)
+		hrDependsOn := make([]helmv2.DependencyReference, 0, len(ls))
+		for _, d := range ls {
+			hrDependsOn = append(hrDependsOn, helmv2.DependencyReference{
+				Name:      d.Name,
+				Namespace: d.Namespace,
+			})
+		}
+		helmRelease.Spec.DependsOn = hrDependsOn
+	}
+
 	switch {
 	case helmReleaseArgs.chart != "":
 		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
@@ -222,7 +250,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	case helmReleaseArgs.chartRef != "":
 		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
-		if kind != sourcev1.HelmChartKind && kind != sourcev1b2.OCIRepositoryKind {
+		if kind != sourcev1.HelmChartKind && kind != sourcev1.OCIRepositoryKind {
 			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
 				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
 		}
@@ -235,7 +263,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {

 	if helmReleaseArgs.kubeConfigSecretRef != "" {
 		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: meta.SecretKeyReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: helmReleaseArgs.kubeConfigSecretRef,
 			},
 		}
@@ -42,6 +42,11 @@ func TestCreateHelmRelease(t *testing.T) {
 			args:   "create helmrelease podinfo --export",
 			assert: assertError("chart or chart-ref is required"),
 		},
+		{
+			name:   "chart and chartRef used in combination",
+			args:   "create helmrelease podinfo --chart podinfo --chart-ref foobar/podinfo --export",
+			assert: assertError("cannot use --chart in combination with --chart-ref"),
+		},
 		{
 			name:   "unknown source kind",
 			args:   "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"regexp/syntax"
 	"strings"
+	"time"
 	"unicode"
 	"unicode/utf8"

@@ -28,18 +29,18 @@ import (

 	"github.com/fluxcd/pkg/apis/meta"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
-	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
+	Long: `The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.

 The image that sorts highest according to the policy is recorded in
-the status of the object.`),
+the status of the object.`,
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
@@ -60,6 +61,8 @@ type imagePolicyFlags struct {
 	numeric       string
 	filterRegex   string
 	filterExtract string
+	reflectDigest string
+	interval      time.Duration
 }

 var imagePolicyArgs = imagePolicyFlags{}
@@ -72,16 +75,12 @@ func init() {
 	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
 	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
+	flags.StringVar(&imagePolicyArgs.reflectDigest, "reflect-digest", "", "the digest reflection policy to use when observing latest image tags (one of 'Never', 'IfNotPresent', 'Never')")
+	flags.DurationVar(&imagePolicyArgs.interval, "interval", 0, "the interval at which to check for new image digests when the policy is set to 'Always'")

 	createImageCmd.AddCommand(createImagePolicyCmd)
 }

-// getObservedGeneration is implemented here, since it's not
-// (presently) needed elsewhere.
-func (obj imagePolicyAdapter) getObservedGeneration() int64 {
-	return obj.ImagePolicy.Status.ObservedGeneration
-}
-
 func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	objectName := args[0]

@@ -153,6 +152,20 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
 	}

+	if p := imagev1.ReflectionPolicy(imagePolicyArgs.reflectDigest); p != "" {
+		if p != imagev1.ReflectNever && p != imagev1.ReflectIfNotPresent && p != imagev1.ReflectAlways {
+			return fmt.Errorf("invalid value for --reflect-digest, must be one of 'Never', 'IfNotPresent', 'Always'")
+		}
+		policy.Spec.DigestReflectionPolicy = p
+	}
+
+	if imagePolicyArgs.interval != 0 {
+		if imagePolicyArgs.reflectDigest != string(imagev1.ReflectAlways) {
+			return fmt.Errorf("the --interval flag can only be used with the 'Always' digest reflection policy, use --reflect-digest=Always")
+		}
+		policy.Spec.Interval = &metav1.Duration{Duration: imagePolicyArgs.interval}
+	}
+
 	if createArgs.export {
 		return printExport(exportImagePolicy(&policy))
 	}
@@ -26,14 +26,14 @@ import (

 	"github.com/fluxcd/pkg/apis/meta"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
-	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
-An ImageRepository object specifies an image repository to scan.`),
+	Long: `The create image repository command generates an ImageRepository resource.
+An ImageRepository object specifies an image repository to scan.`,
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m

@@ -22,16 +22,16 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
-	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
+	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
-mentioned in YAMLs in a git repository.`),
+mentioned in YAMLs in a git repository.`,
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
@@ -136,6 +136,9 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	if !strings.HasPrefix(kustomizationArgs.path.String(), "./") {
 		return fmt.Errorf("path must begin with ./")
 	}
+	if kustomizationArgs.source.Name == "" {
+		return fmt.Errorf("source is required")
+	}

 	if !createArgs.export {
 		logger.Generatef("generating Kustomization")
@@ -153,7 +156,6 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
-			DependsOn: utils.MakeDependsOn(kustomizationArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
@@ -169,9 +171,21 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}

+	if len(kustomizationArgs.dependsOn) > 0 {
+		ls := utils.MakeDependsOn(kustomizationArgs.dependsOn)
+		ksDependsOn := make([]kustomizev1.DependencyReference, 0, len(ls))
+		for _, d := range ls {
+			ksDependsOn = append(ksDependsOn, kustomizev1.DependencyReference{
+				Name:      d.Name,
+				Namespace: d.Namespace,
+			})
+		}
+		kustomization.Spec.DependsOn = ksDependsOn
+	}
+
 	if kustomizationArgs.kubeConfigSecretRef != "" {
 		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: meta.SecretKeyReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
 		}
@@ -0,0 +1,48 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2026 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestCreateKustomization(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			// A user creating a kustomization without --source gets a confusing
+			// API-level error about spec.sourceRef.kind instead of a clear message.
+			name:   "missing source",
+			args:   "create kustomization my-app --path=./deploy --export",
+			assert: assertError("source is required"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -30,6 +30,7 @@ import (
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"

+	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )

@@ -49,7 +50,7 @@ var createReceiverCmd = &cobra.Command{
 }

 type receiverFlags struct {
-	receiverType string
+	receiverType flags.ReceiverType
 	secretRef    string
 	events       []string
 	resources    []string
@@ -58,7 +59,7 @@ type receiverFlags struct {
 var receiverArgs receiverFlags

 func init() {
-	createReceiverCmd.Flags().StringVar(&receiverArgs.receiverType, "type", "", "")
+	createReceiverCmd.Flags().Var(&receiverArgs.receiverType, "type", receiverArgs.receiverType.Description())
 	createReceiverCmd.Flags().StringVar(&receiverArgs.secretRef, "secret-ref", "", "")
 	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.events, "event", []string{}, "also accepts comma-separated values")
 	createReceiverCmd.Flags().StringSliceVar(&receiverArgs.resources, "resource", []string{}, "also accepts comma-separated values")
@@ -109,7 +110,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 			Labels:    sourceLabels,
 		},
 		Spec: notificationv1.ReceiverSpec{
-			Type:      receiverArgs.receiverType,
+			Type:      receiverArgs.receiverType.String(),
 			Events:    receiverArgs.events,
 			Resources: resources,
 			SecretRef: meta.LocalObjectReference{
@@ -56,6 +56,22 @@ func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.S
 	}

 	existing.StringData = secret.StringData
+	if secret.Annotations != nil {
+		if existing.Annotations == nil {
+			existing.Annotations = make(map[string]string)
+		}
+		for k, v := range secret.Annotations {
+			existing.Annotations[k] = v
+		}
+	}
+	if secret.Labels != nil {
+		if existing.Labels == nil {
+			existing.Labels = make(map[string]string)
+		}
+		for k, v := range secret.Labels {
+			existing.Labels[k] = v
+		}
+	}
 	if err := kubeClient.Update(ctx, &existing); err != nil {
 		return err
 	}
@@ -172,7 +172,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGit(opts)
 	if err != nil {
 		return err
 	}
@@ -0,0 +1,116 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+)
+
+var createSecretGitHubAppCmd = &cobra.Command{
+	Use:   "githubapp [name]",
+	Short: "Create or update a github app secret",
+	Long:  withPreviewNote(`The create secret githubapp command generates a Kubernetes secret that can be used for GitRepository authentication with github app`),
+	Example: `  # Create a githubapp authentication secret on disk and encrypt it with Mozilla SOPS
+  flux create secret githubapp podinfo-auth \
+    --app-id="1" \
+    --app-installation-id="2" \
+    --app-private-key=./private-key-file.pem \
+    --export > githubapp-auth.yaml
+
+  sops --encrypt --encrypted-regex '^(data|stringData)$' \
+    --in-place githubapp-auth.yaml
+	`,
+	RunE: createSecretGitHubAppCmdRun,
+}
+
+type secretGitHubAppFlags struct {
+	appID                string
+	appInstallationOwner string
+	appInstallationID    string
+	privateKeyFile       string
+	baseURL              string
+}
+
+var secretGitHubAppArgs = secretGitHubAppFlags{}
+
+func init() {
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationOwner, "app-installation-owner", "", "github app installation owner (user or organization)")
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
+
+	createSecretCmd.AddCommand(createSecretGitHubAppCmd)
+}
+
+func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("name is required")
+	}
+
+	secretName := args[0]
+
+	privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
+	if err != nil {
+		return fmt.Errorf("unable to read private key file: %w", err)
+	}
+
+	opts := sourcesecret.Options{
+		Name:                       secretName,
+		Namespace:                  *kubeconfigArgs.Namespace,
+		GitHubAppID:                secretGitHubAppArgs.appID,
+		GitHubAppInstallationOwner: secretGitHubAppArgs.appInstallationOwner,
+		GitHubAppInstallationID:    secretGitHubAppArgs.appInstallationID,
+		GitHubAppPrivateKey:        string(privateKey),
+		GitHubAppBaseURL:           secretGitHubAppArgs.baseURL,
+	}
+
+	secret, err := sourcesecret.GenerateGitHubApp(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("githubapp secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
+	return nil
+}
@@ -0,0 +1,59 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateSecretGitHubApp(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "create githubapp secret with missing name",
+			args:   "create secret githubapp",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "create githubapp secret with private key file that does not exist",
+			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
+			assert: assertError("unable to read private key file: open pk.pem: no such file or directory"),
+		},
+		{
+			name:   "create githubapp secret with app info",
+			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-owner my-org --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
+			assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
+		},
+		{
+			name:   "create githubapp secret with appinfo and base url",
+			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --app-base-url www.example.com/api/v3 --export",
+			assert: assertGoldenFile("testdata/create_secret/githubapp/secret-with-baseurl.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -83,10 +83,12 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	var certFile, keyFile []byte
-	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
+	if secretHelmArgs.tlsCrtFile != "" {
 		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
+	}
+	if secretHelmArgs.tlsKeyFile != "" {
 		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
@@ -102,7 +104,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		TLSCrt:    certFile,
 		TLSKey:    keyFile,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateHelm(opts)
 	if err != nil {
 		return err
 	}
@@ -132,7 +132,7 @@ func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
 		VerificationCrts: caCerts,
 		TrustPolicy:      policy,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateNotation(opts)
 	if err != nil {
 		return err
 	}
@@ -92,7 +92,7 @@ func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretOCIArgs.username,
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateOCI(opts)
 	if err != nil {
 		return err
 	}
@@ -83,7 +83,7 @@ func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretProxyArgs.username,
 		Password:  secretProxyArgs.password,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateProxy(opts)
 	if err != nil {
 		return err
 	}
@@ -0,0 +1,134 @@
+/*
+Copyright 2026 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
+
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/utils"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
+)
+
+var createSecretReceiverCmd = &cobra.Command{
+	Use:   "receiver [name]",
+	Short: "Create or update a Kubernetes secret for a Receiver webhook",
+	Long: `The create secret receiver command generates a Kubernetes secret with
+the token used for webhook payload validation and an annotation with the
+computed webhook URL.`,
+	Example: `  # Create a receiver secret for a GitHub webhook
+  flux create secret receiver github-receiver \
+    --namespace=my-namespace \
+    --type=github \
+    --hostname=flux.example.com \
+    --export
+
+  # Create a receiver secret for GCR with email claim
+  flux create secret receiver gcr-receiver \
+    --namespace=my-namespace \
+    --type=gcr \
+    --hostname=flux.example.com \
+    --email-claim=sa@project.iam.gserviceaccount.com \
+    --export`,
+	RunE: createSecretReceiverCmdRun,
+}
+
+type secretReceiverFlags struct {
+	receiverType  flags.ReceiverType
+	token         string
+	hostname      string
+	emailClaim    string
+	audienceClaim string
+}
+
+var secretReceiverArgs secretReceiverFlags
+
+func init() {
+	createSecretReceiverCmd.Flags().Var(&secretReceiverArgs.receiverType, "type", secretReceiverArgs.receiverType.Description())
+	createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.token, "token", "", "webhook token used for payload validation and URL computation, auto-generated if not specified")
+	createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.hostname, "hostname", "", "hostname for the webhook URL e.g. flux.example.com")
+	createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.emailClaim, "email-claim", "", "IAM service account email, required for gcr type")
+	createSecretReceiverCmd.Flags().StringVar(&secretReceiverArgs.audienceClaim, "audience-claim", "", "custom OIDC token audience for gcr type, defaults to the webhook URL")
+
+	createSecretCmd.AddCommand(createSecretReceiverCmd)
+}
+
+func createSecretReceiverCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	if secretReceiverArgs.receiverType == "" {
+		return fmt.Errorf("--type is required")
+	}
+
+	if secretReceiverArgs.hostname == "" {
+		return fmt.Errorf("--hostname is required")
+	}
+
+	if secretReceiverArgs.receiverType.String() == notificationv1.GCRReceiver && secretReceiverArgs.emailClaim == "" {
+		return fmt.Errorf("--email-claim is required for gcr receiver type")
+	}
+
+	labels, err := parseLabels()
+	if err != nil {
+		return err
+	}
+
+	opts := sourcesecret.Options{
+		Name:          name,
+		Namespace:     *kubeconfigArgs.Namespace,
+		Labels:        labels,
+		ReceiverType:  secretReceiverArgs.receiverType.String(),
+		Token:         secretReceiverArgs.token,
+		Hostname:      secretReceiverArgs.hostname,
+		EmailClaim:    secretReceiverArgs.emailClaim,
+		AudienceClaim: secretReceiverArgs.audienceClaim,
+	}
+
+	secret, err := sourcesecret.GenerateReceiver(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		rootCmd.Println(secret.Content)
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
+		return err
+	}
+
+	logger.Actionf("receiver secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
+	return nil
+}
@@ -0,0 +1,74 @@
+/*
+Copyright 2026 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateReceiverSecret(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "missing type",
+			args:   "create secret receiver test-secret --token=t --hostname=h",
+			assert: assertError("--type is required"),
+		},
+		{
+			name:   "invalid type",
+			args:   "create secret receiver test-secret --type=invalid --token=t --hostname=h",
+			assert: assertError("invalid argument \"invalid\" for \"--type\" flag: receiver type 'invalid' is not supported, must be one of: generic, generic-hmac, github, gitlab, bitbucket, harbor, dockerhub, quay, gcr, nexus, acr, cdevents"),
+		},
+		{
+			name:   "missing hostname",
+			args:   "create secret receiver test-secret --type=github --token=t",
+			assert: assertError("--hostname is required"),
+		},
+		{
+			name:   "gcr missing email-claim",
+			args:   "create secret receiver test-secret --type=gcr --token=t --hostname=h",
+			assert: assertError("--email-claim is required for gcr receiver type"),
+		},
+		{
+			name:   "github receiver secret",
+			args:   "create secret receiver receiver-secret --type=github --token=test-token --hostname=flux.example.com --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/receiver/secret-receiver.yaml"),
+		},
+		{
+			name:   "gcr receiver secret",
+			args:   "create secret receiver gcr-secret --type=gcr --token=test-token --hostname=flux.example.com --email-claim=sa@project.iam.gserviceaccount.com --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/receiver/secret-receiver-gcr.yaml"),
+		},
+		{
+			name:   "gcr receiver secret with custom audience",
+			args:   "create secret receiver gcr-secret --type=gcr --token=test-token --hostname=flux.example.com --email-claim=sa@project.iam.gserviceaccount.com --audience-claim=https://custom.audience.example.com --namespace=my-namespace --export",
+			assert: assertGoldenFile("testdata/create_secret/receiver/secret-receiver-gcr-audience.yaml"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -84,16 +84,18 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

-	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
+	if secretTLSArgs.tlsCrtFile != "" {
 		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
+	}
+	if secretTLSArgs.tlsKeyFile != "" {
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateTLS(opts)
 	if err != nil {
 		return err
 	}
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"

 	"github.com/spf13/cobra"
@@ -114,12 +113,6 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	var ignorePaths *string
 	if len(sourceBucketArgs.ignorePaths) > 0 {
 		ignorePathsStr := strings.Join(sourceBucketArgs.ignorePaths, "\n")
@@ -63,6 +63,7 @@ type sourceGitFlags struct {
 	recurseSubmodules   bool
 	silent              bool
 	ignorePaths         []string
+	sparseCheckoutPaths []string
 }

 var createSourceGitCmd = &cobra.Command{
@@ -138,14 +139,14 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", " git reference name")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials or github app authentication")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.provider, "provider", sourceGitArgs.provider.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
@@ -154,6 +155,7 @@ func init() {
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")
+	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.sparseCheckoutPaths, "sparse-checkout-paths", nil, "set paths to sparse checkout in git resource (can specify multiple paths with commas: path1,path2)")

 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -189,12 +191,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
 	}

-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
@@ -220,6 +216,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			Ignore:            ignorePaths,
+			SparseCheckout:    sourceGitArgs.sparseCheckoutPaths,
 		},
 	}

@@ -302,7 +299,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateGit(secretOpts)
 		if err != nil {
 			return err
 		}
@@ -87,7 +87,7 @@ func (r *reconciler) conditionFunc() (bool, error) {
 }

 func TestCreateSourceGitExport(t *testing.T) {
-	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --sparse-checkout-paths .cosign,non-existent-dir/ --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()

 	cases := []struct {
 		name   string
@@ -101,7 +101,7 @@ func TestCreateSourceGitExport(t *testing.T) {
 		},
 		{
 			name:   "no args",
-			args:   "create secret git",
+			args:   "create source git --url=https://github.com/stefanprodan/podinfo",
 			assert: assertError("name is required"),
 		},
 		{
@@ -144,10 +144,15 @@ func TestCreateSourceGitExport(t *testing.T) {
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider azure --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-azure.yaml"),
 		},
+		{
+			name:   "source with github provider",
+			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider github --branch=test --interval=1m0s --secret-ref appinfo --export",
+			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-github.yaml"),
+		},
 		{
 			name:   "source with invalid provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider dummy --branch=test --interval=1m0s --export",
-			assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|azure"),
+			assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|azure|github"),
 		},
 		{
 			name:   "source with empty provider",
@@ -199,12 +204,13 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
-				repo.Status.Artifact = &sourcev1.Artifact{
+				repo.Status.Artifact = &meta.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
 					LastUpdateTime: metav1.Time{
 						Time: time.Now(),
 					},
+					Digest: "sha256:1234567890abcdef",
 				}
 				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
@@ -114,12 +114,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	if _, err := url.Parse(sourceHelmArgs.url); err != nil {
 		return fmt.Errorf("url parse failed: %w", err)
 	}
@@ -202,7 +196,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateHelm(secretOpts)
 		if err != nil {
 			return err
 		}
@@ -29,9 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/fluxcd/pkg/apis/meta"
-
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"

 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -81,7 +79,7 @@ var sourceOCIRepositoryArgs = newSourceOCIFlags()

 func newSourceOCIFlags() sourceOCIRepositoryFlags {
 	return sourceOCIRepositoryFlags{
-		provider: flags.SourceOCIProvider(sourcev1b2.GenericOCIProvider),
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
 	}
 }

@@ -127,20 +125,20 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		ignorePaths = &ignorePathsStr
 	}

-	repository := &sourcev1b2.OCIRepository{
+	repository := &sourcev1.OCIRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: sourcev1b2.OCIRepositorySpec{
+		Spec: sourcev1.OCIRepositorySpec{
 			Provider: sourceOCIRepositoryArgs.provider.String(),
 			URL:      sourceOCIRepositoryArgs.url,
 			Insecure: sourceOCIRepositoryArgs.insecure,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			Reference: &sourcev1b2.OCIRepositoryRef{},
+			Reference: &sourcev1.OCIRepositoryRef{},
 			Ignore:    ignorePaths,
 		},
 	}
@@ -237,13 +235,13 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 }

 func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
-	ociRepository *sourcev1b2.OCIRepository) (types.NamespacedName, error) {
+	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: ociRepository.GetNamespace(),
 		Name:      ociRepository.GetName(),
 	}

-	var existing sourcev1b2.OCIRepository
+	var existing sourcev1.OCIRepository
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -21,7 +21,6 @@ import (
 	"context"
 	"fmt"

-	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -32,6 +31,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createTenantCmd = &cobra.Command{
@@ -59,6 +60,8 @@ const (
 type tenantFlags struct {
 	namespaces    []string
 	clusterRole   string
+	account       string
+	skipNamespace bool
 }

 var tenantArgs tenantFlags
@@ -66,6 +69,8 @@ var tenantArgs tenantFlags
 func init() {
 	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
+	createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
+	createTenantCmd.Flags().BoolVar(&tenantArgs.skipNamespace, "skip-namespace", false, "skip namespace creation (namespace must exist already)")
 	createCmd.AddCommand(createTenantCmd)
 }

@@ -107,9 +112,17 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		namespaces = append(namespaces, namespace)

+		accountName := tenant
+		if tenantArgs.account != "" {
+			accountName = tenantArgs.account
+		}
+		if err := validation.IsQualifiedName(accountName); len(err) > 0 {
+			return fmt.Errorf("invalid service-account name '%s': %v", accountName, err)
+		}
+
 		account := corev1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenant,
+				Name:      accountName,
 				Namespace: ns,
 				Labels:    objLabels,
 			},
@@ -131,7 +144,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 				},
 				{
 					Kind:      "ServiceAccount",
-					Name:      tenant,
+					Name:      accountName,
 					Namespace: ns,
 				},
 			},
@@ -146,7 +159,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {

 	if createArgs.export {
 		for i := range tenantArgs.namespaces {
-			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
+			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i], tenantArgs.skipNamespace); err != nil {
 				return err
 			}
 		}
@@ -162,10 +175,12 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	for i := range tenantArgs.namespaces {
+		if !tenantArgs.skipNamespace {
 			logger.Actionf("applying namespace %s", namespaces[i].Name)
 			if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
 				return err
 			}
+		}

 		logger.Actionf("applying service account %s", accounts[i].Name)
 		if err := upsertServiceAccount(ctx, kubeClient, accounts[i]); err != nil {
@@ -273,19 +288,24 @@ func upsertRoleBinding(ctx context.Context, kubeClient client.Client, roleBindin
 	return nil
 }

-func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding) error {
+func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding, skipNamespace bool) error {
+	var data []byte
+	var err error
+
+	if !skipNamespace {
 		namespace.TypeMeta = metav1.TypeMeta{
 			APIVersion: "v1",
 			Kind:       "Namespace",
 		}
-	data, err := yaml.Marshal(namespace)
+		data, err = yaml.Marshal(namespace)
 		if err != nil {
 			return err
 		}
-
-	fmt.Println("---")
 		data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+
+		printlnStdout("---")
+		printlnStdout(resourceToString(data))
+	}

 	account.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
@@ -295,10 +315,10 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	if err != nil {
 		return err
 	}
-
-	fmt.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))

 	roleBinding.TypeMeta = metav1.TypeMeta{
 		APIVersion: "rbac.authorization.k8s.io/v1",
@@ -309,8 +329,8 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}

-	fmt.Println("---")
-	fmt.Println(resourceToString(data))
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))

 	return nil
 }
@@ -0,0 +1,73 @@
+//go:build e2e
+// +build e2e
+
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateTenant(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create tenant",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "no namespace",
+			args:   "create tenant dev-team --cluster-role=cluster-admin",
+			assert: assertError("with-namespace is required"),
+		},
+		{
+			name:   "basic tenant",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-basic.yaml"),
+		},
+		{
+			name:   "tenant with custom serviceaccount",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --with-service-account=flux-tenant --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-service-account.yaml"),
+		},
+		{
+			name:   "tenant with custom cluster role",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
+		},
+		{
+			name:   "tenant with skip namespace",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --skip-namespace --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-skip-namespace.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -0,0 +1,31 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var debugCmd = &cobra.Command{
+	Use:   "debug",
+	Short: "Debug a flux resource",
+	Long:  `The debug command can be used to troubleshoot failing resource reconciliations.`,
+}
+
+func init() {
+	rootCmd.AddCommand(debugCmd)
+}
@@ -0,0 +1,142 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	"github.com/fluxcd/pkg/chartutil"
+	"github.com/go-logr/logr"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var debugHelmReleaseCmd = &cobra.Command{
+	Use:     "helmrelease [name]",
+	Aliases: []string{"hr"},
+	Short:   "Debug a HelmRelease resource",
+	Long: withPreviewNote(`The debug helmrelease command can be used to troubleshoot failing Helm release reconciliations.
+WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the HelmRelease .spec.valuesFrom field.`),
+	Example: `  # Print the status of a Helm release
+  flux debug hr podinfo --show-status
+
+  # Export the final values of a Helm release composed from referred ConfigMaps and Secrets
+  flux debug hr podinfo --show-values > values.yaml
+
+  # Print the reconciliation history of a Helm release
+  flux debug hr podinfo --show-history`,
+	RunE:              debugHelmReleaseCmdRun,
+	Args:              cobra.ExactArgs(1),
+	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
+}
+
+type debugHelmReleaseFlags struct {
+	showStatus  bool
+	showValues  bool
+	showHistory bool
+}
+
+var debugHelmReleaseArgs debugHelmReleaseFlags
+
+func init() {
+	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showStatus, "show-status", false, "print the status of the Helm release")
+	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showValues, "show-values", false, "print the final values of the Helm release")
+	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showHistory, "show-history", false, "print the reconciliation history of the Helm release")
+	debugCmd.AddCommand(debugHelmReleaseCmd)
+}
+
+func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	flagsSet := 0
+	if debugHelmReleaseArgs.showStatus {
+		flagsSet++
+	}
+	if debugHelmReleaseArgs.showValues {
+		flagsSet++
+	}
+	if debugHelmReleaseArgs.showHistory {
+		flagsSet++
+	}
+	if flagsSet != 1 {
+		return fmt.Errorf("exactly one of --show-status, --show-values, or --show-history must be set")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	hr := &helmv2.HelmRelease{}
+	hrName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
+	if err := kubeClient.Get(ctx, hrName, hr); err != nil {
+		return err
+	}
+
+	if debugHelmReleaseArgs.showStatus {
+		status, err := yaml.Marshal(hr.Status)
+		if err != nil {
+			return err
+		}
+		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/helm/helmreleases/#helmrelease-status")
+		rootCmd.Print(string(status))
+		return nil
+	}
+
+	if debugHelmReleaseArgs.showValues {
+		finalValues, err := chartutil.ChartValuesFromReferences(ctx,
+			logr.Discard(),
+			kubeClient,
+			hr.GetNamespace(),
+			hr.GetValues(),
+			hr.Spec.ValuesFrom...)
+		if err != nil {
+			return err
+		}
+
+		values, err := yaml.Marshal(finalValues)
+		if err != nil {
+			return err
+		}
+		rootCmd.Print(string(values))
+	}
+
+	if debugHelmReleaseArgs.showHistory {
+		if len(hr.Status.History) == 0 {
+			hr.Status.History = helmv2.Snapshots{}
+		}
+
+		history, err := yaml.Marshal(hr.Status.History)
+		if err != nil {
+			return err
+		}
+
+		rootCmd.Println("# History documentation: https://fluxcd.io/flux/components/helm/helmreleases/#history")
+		rootCmd.Print(string(history))
+		return nil
+	}
+
+	return nil
+}
@@ -0,0 +1,83 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestDebugHelmRelease(t *testing.T) {
+	namespace := allocateNamespace("debug")
+
+	objectFile := "testdata/debug_helmrelease/objects.yaml"
+	tmpl := map[string]string{
+		"fluxns": namespace,
+	}
+	testEnv.CreateObjectFile(objectFile, tmpl, t)
+
+	cases := []struct {
+		name       string
+		arg        string
+		goldenFile string
+		tmpl       map[string]string
+	}{
+		{
+			"debug status",
+			"debug helmrelease test-values-inline --show-status --show-values=false",
+			"testdata/debug_helmrelease/status.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug values",
+			"debug helmrelease test-values-inline --show-values --show-status=false",
+			"testdata/debug_helmrelease/values-inline.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug values from",
+			"debug helmrelease test-values-from --show-values --show-status=false",
+			"testdata/debug_helmrelease/values-from.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug history",
+			"debug helmrelease test-with-history --show-history --show-status=false",
+			"testdata/debug_helmrelease/history.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug history empty",
+			"debug helmrelease test-values-inline --show-history --show-status=false",
+			"testdata/debug_helmrelease/history-empty.golden.yaml",
+			tmpl,
+		},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.arg + " -n=" + namespace,
+				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -0,0 +1,164 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sort"
+	"strings"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/kustomize"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var debugKustomizationCmd = &cobra.Command{
+	Use:     "kustomization [name]",
+	Aliases: []string{"ks"},
+	Short:   "Debug a Flux Kustomization resource",
+	Long: withPreviewNote(`The debug kustomization command can be used to troubleshoot failing Flux Kustomization reconciliations.
+WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the Kustomization .spec.postBuild.substituteFrom field.`),
+	Example: `  # Print the status of a Flux Kustomization
+  flux debug ks podinfo --show-status
+
+  # Export the final variables used for post-build substitutions composed from referred ConfigMaps and Secrets
+  flux debug ks podinfo --show-vars > vars.env
+
+  # Print the reconciliation history of a Flux Kustomization
+  flux debug ks podinfo --show-history`,
+	RunE:              debugKustomizationCmdRun,
+	Args:              cobra.ExactArgs(1),
+	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
+}
+
+type debugKustomizationFlags struct {
+	showStatus  bool
+	showVars    bool
+	showHistory bool
+}
+
+var debugKustomizationArgs debugKustomizationFlags
+
+func init() {
+	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showStatus, "show-status", false, "print the status of the Flux Kustomization")
+	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showVars, "show-vars", false, "print the final vars of the Flux Kustomization in dot env format")
+	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showHistory, "show-history", false, "print the reconciliation history of the Flux Kustomization")
+	debugCmd.AddCommand(debugKustomizationCmd)
+}
+
+func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
+	name := args[0]
+
+	flagsSet := 0
+	if debugKustomizationArgs.showStatus {
+		flagsSet++
+	}
+	if debugKustomizationArgs.showVars {
+		flagsSet++
+	}
+	if debugKustomizationArgs.showHistory {
+		flagsSet++
+	}
+	if flagsSet != 1 {
+		return fmt.Errorf("exactly one of --show-status, --show-vars, or --show-history must be set")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return err
+	}
+
+	ks := &kustomizev1.Kustomization{}
+	ksName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
+	if err := kubeClient.Get(ctx, ksName, ks); err != nil {
+		return err
+	}
+
+	if debugKustomizationArgs.showStatus {
+		status, err := yaml.Marshal(ks.Status)
+		if err != nil {
+			return err
+		}
+		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#kustomization-status")
+		rootCmd.Print(string(status))
+		return nil
+	}
+
+	if debugKustomizationArgs.showVars {
+		if ks.Spec.PostBuild == nil {
+			return errors.New("no post build substitutions found")
+		}
+
+		ksObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(ks)
+		if err != nil {
+			return err
+		}
+
+		finalVars, err := kustomize.LoadVariables(ctx, kubeClient, unstructured.Unstructured{Object: ksObj})
+		if err != nil {
+			return err
+		}
+
+		if len(ks.Spec.PostBuild.Substitute) > 0 {
+			for k, v := range ks.Spec.PostBuild.Substitute {
+				// Remove new lines from the values as they are not supported.
+				// Replicates the controller behavior from
+				// https://github.com/fluxcd/pkg/blob/main/kustomize/kustomize_varsub.go
+				finalVars[k] = strings.ReplaceAll(v, "\n", "")
+			}
+		}
+
+		keys := make([]string, 0, len(finalVars))
+		for k := range finalVars {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			rootCmd.Println(k + "=" + finalVars[k])
+		}
+	}
+
+	if debugKustomizationArgs.showHistory {
+		if len(ks.Status.History) == 0 {
+			ks.Status.History = meta.History{}
+		}
+
+		history, err := yaml.Marshal(ks.Status.History)
+		if err != nil {
+			return err
+		}
+
+		rootCmd.Println("# History documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#history")
+		rootCmd.Print(string(history))
+		return nil
+	}
+
+	return nil
+}
@@ -0,0 +1,82 @@
+//go:build unit
+// +build unit
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestDebugKustomization(t *testing.T) {
+	namespace := allocateNamespace("debug")
+
+	objectFile := "testdata/debug_kustomization/objects.yaml"
+	tmpl := map[string]string{
+		"fluxns": namespace,
+	}
+	testEnv.CreateObjectFile(objectFile, tmpl, t)
+
+	cases := []struct {
+		name       string
+		arg        string
+		goldenFile string
+		tmpl       map[string]string
+	}{
+		{
+			"debug status",
+			"debug ks test --show-status --show-vars=false",
+			"testdata/debug_kustomization/status.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug vars",
+			"debug ks test --show-vars --show-status=false",
+			"testdata/debug_kustomization/vars.golden.env",
+			tmpl,
+		},
+		{
+			"debug vars from",
+			"debug ks test-from --show-vars --show-status=false",
+			"testdata/debug_kustomization/vars-from.golden.env",
+			tmpl,
+		}, {
+			"debug history",
+			"debug ks test-with-history --show-history --show-status=false",
+			"testdata/debug_kustomization/history.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug history empty",
+			"debug ks test --show-history --show-status=false",
+			"testdata/debug_kustomization/history-empty.golden.yaml",
+			tmpl,
+		},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.arg + " -n=" + namespace,
+				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var deleteImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  withPreviewNote(`The delete image policy command deletes the given ImagePolicy from the cluster.`),
+	Long:  `The delete image policy command deletes the given ImagePolicy from the cluster.`,
 	Example: `  # Delete an image policy
  flux delete image policy alpine3.x`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var deleteImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  withPreviewNote("The delete image repository command deletes the given ImageRepository from the cluster."),
+	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
 	Example: `  # Delete an image repository
  flux delete image repository alpine`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )

 var deleteImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  withPreviewNote(`The delete image update command deletes the given ImageUpdateAutomation from the cluster.`),
+	Long:  `The delete image update command deletes the given ImageUpdateAutomation from the cluster.`,
 	Example: `  # Delete an image update automation
  flux delete image update latest-images`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var deleteSourceChartCmd = &cobra.Command{
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var deleteSourceOCIRepositoryCmd = &cobra.Command{
@@ -21,8 +21,9 @@ import (
 	"fmt"
 	"os"

-	oci "github.com/fluxcd/pkg/oci/client"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/oci"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"

 	"github.com/fluxcd/flux2/v2/internal/flags"
@@ -31,7 +32,7 @@ import (
 var diffArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Diff Artifact",
-	Long:  withPreviewNote(`The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`),
+	Long:  `The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`,
 	Example: `# Check if local files differ from remote
 flux diff artifact oci://ghcr.io/stefanprodan/manifests:podinfo:6.2.0 --path=./kustomize`,
 	RunE: diffArtifactCmdRun,
@@ -42,6 +43,7 @@ type diffArtifactFlags struct {
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
+	insecure    bool
 }

 var diffArtifactArgs = newDiffArtifactArgs()
@@ -57,6 +59,7 @@ func init() {
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	diffArtifactCmd.Flags().Var(&diffArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	diffArtifactCmd.Flags().StringSliceVar(&diffArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+	diffArtifactCmd.Flags().BoolVar(&diffArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifact to be pulled without TLS")
 	diffCmd.AddCommand(diffArtifactCmd)
 }

@@ -82,7 +85,22 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()

-	ociClient := oci.NewClient(oci.DefaultOptions())
+	opts := oci.DefaultOptions()
+
+	if diffArtifactArgs.insecure {
+		opts = append(opts, crane.Insecure)
+	}
+
+	if diffArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		opt, _, err := loginWithProvider(ctx, url, diffArtifactArgs.provider.String())
+		if err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+		opts = append(opts, opt)
+	}
+
+	ociClient := oci.NewClient(opts)

 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
@@ -91,18 +109,6 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

-	if diffArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
-		logger.Actionf("logging in to registry with provider credentials")
-		ociProvider, err := diffArtifactArgs.provider.ToOCIProvider()
-		if err != nil {
-			return fmt.Errorf("provider not supported: %w", err)
-		}
-
-		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
-			return fmt.Errorf("error during login with provider: %w", err)
-		}
-	}
-
 	if err := ociClient.Diff(ctx, url, diffArtifactArgs.path, diffArtifactArgs.ignorePaths); err != nil {
 		return err
 	}
@@ -96,7 +96,7 @@ func TestDiffArtifact(t *testing.T) {
 			tt.url = fmt.Sprintf(tt.url, dockerReg)
 			_, err := executeCommand("push artifact " + tt.url + " --path=" + tt.pushFile + " --source=test --revision=test")
 			if err != nil {
-				t.Fatalf(fmt.Errorf("failed to push image: %w", err).Error())
+				t.Fatal(fmt.Errorf("failed to push image: %w", err).Error())
 			}

 			cmd := cmdTestCase{
@@ -44,12 +44,12 @@ flux diff kustomization my-app --path ./path/to/local/manifests \
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux diff kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
-	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"

 # Run recursively on all encountered Kustomizations
 flux diff kustomization my-app --path ./path/to/local/manifests \
    --recursive \
-    --local-sources GitRepository/flux-system/my-repo=./path/to/local/git"`,
+    --local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              diffKsCmdRun,
 }
@@ -62,6 +62,8 @@ type diffKsFlags struct {
 	strictSubst       bool
 	recursive         bool
 	localSources      map[string]string
+	inMemoryBuild     bool
+	ignoreNotFound    bool
 }

 var diffKsArgs diffKsFlags
@@ -75,6 +77,10 @@ func init() {
 		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	diffKsCmd.Flags().BoolVarP(&diffKsArgs.recursive, "recursive", "r", false, "Recursively diff Kustomizations")
 	diffKsCmd.Flags().StringToStringVar(&diffKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
+	diffKsCmd.Flags().BoolVar(&diffKsArgs.inMemoryBuild, "in-memory-build", true,
+		"Use in-memory filesystem during build.")
+	diffKsCmd.Flags().BoolVar(&diffKsArgs.ignoreNotFound, "ignore-not-found", false,
+		"Ignore Kustomization not found errors on the cluster when diffing.")
 	diffCmd.AddCommand(diffKsCmd)
 }

@@ -113,6 +119,8 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithRecursive(diffKsArgs.recursive),
 			build.WithLocalSources(diffKsArgs.localSources),
 			build.WithSingleKustomization(),
+			build.WithInMemoryBuild(diffKsArgs.inMemoryBuild),
+			build.WithIgnoreNotFound(diffKsArgs.ignoreNotFound),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, diffKsArgs.path,
@@ -124,6 +132,8 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithRecursive(diffKsArgs.recursive),
 			build.WithLocalSources(diffKsArgs.localSources),
 			build.WithSingleKustomization(),
+			build.WithInMemoryBuild(diffKsArgs.inMemoryBuild),
+			build.WithIgnoreNotFound(diffKsArgs.ignoreNotFound),
 		)
 	}

@@ -27,6 +27,7 @@ import (

 	"github.com/fluxcd/flux2/v2/internal/build"
 	"github.com/fluxcd/pkg/ssa"
+	"github.com/fluxcd/pkg/ssa/normalize"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

@@ -47,7 +48,7 @@ func TestDiffKustomization(t *testing.T) {
 			name:       "diff nothing deployed",
 			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false",
 			objectFile: "",
-			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-new-kustomization.golden"),
 		},
 		{
 			name:       "diff with a deployment object",
@@ -95,7 +96,7 @@ func TestDiffKustomization(t *testing.T) {
 			name:       "diff where kustomization file has multiple objects with the same name",
 			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false --kustomization-file ./testdata/diff-kustomization/flux-kustomization-multiobj.yaml",
 			objectFile: "",
-			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
+			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-new-kustomization.golden"),
 		},
 		{
 			name:       "diff with recursive",
@@ -137,6 +138,118 @@ func TestDiffKustomization(t *testing.T) {
 	}
 }

+// TestDiffKustomizationNotDeployed tests `flux diff ks` when the Kustomization
+// CR does not exist in the cluster but is provided via --kustomization-file.
+// Reproduces https://github.com/fluxcd/flux2/issues/5439
+func TestDiffKustomizationNotDeployed(t *testing.T) {
+	// Use a dedicated namespace with NO setup() -- the Kustomization CR
+	// intentionally does not exist in the cluster.
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setupTestNamespace(tmpl["fluxns"], t)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name: "fails without --ignore-not-found",
+			args: "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false " +
+				"--kustomization-file ./testdata/diff-kustomization/flux-kustomization-local-only.yaml",
+			assert: assertError("failed to get kustomization object: kustomizations.kustomize.toolkit.fluxcd.io \"podinfo\" not found"),
+		},
+		{
+			name: "succeeds with --ignore-not-found and --kustomization-file",
+			args: "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false " +
+				"--kustomization-file ./testdata/diff-kustomization/flux-kustomization-local-only.yaml " +
+				"--ignore-not-found",
+			assert: assertGoldenFile("./testdata/diff-kustomization/diff-new-kustomization.golden"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+// TestDiffKustomizationTakeOwnership tests `flux diff ks` when taking ownership
+// of existing resources on the cluster. A "pre-existing" configmap is applied
+// to the cluster, and the kustomization contains a matching configmap; the
+// diff should show the labels added by flux
+func TestDiffKustomizationTakeOwnership(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setupTestNamespace(tmpl["fluxns"], t)
+
+	b, _ := build.NewBuilder("configmaps", "", build.WithClientConfig(kubeconfigArgs, kubeclientOptions))
+	resourceManager, err := b.Manager()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Pre-create the "existing" configmap in the cluster without Flux labels
+	if _, err := resourceManager.ApplyAll(context.Background(), createObjectFromFile("./testdata/diff-kustomization/existing-configmap.yaml", tmpl, t), ssa.DefaultApplyOptions()); err != nil {
+		t.Fatal(err)
+	}
+
+	cmd := cmdTestCase{
+		args: "diff kustomization configmaps --path ./testdata/build-kustomization/configmaps --progress-bar=false " +
+			"--kustomization-file ./testdata/diff-kustomization/flux-kustomization-configmaps.yaml " +
+			"--ignore-not-found" +
+			" -n " + tmpl["fluxns"],
+		assert: assertGoldenFile("./testdata/diff-kustomization/diff-taking-ownership.golden"),
+	}
+	cmd.runTestCmd(t)
+}
+
+// TestDiffKustomizationNewNamespaceAndConfigmap runs `flux diff ks` when the
+// kustomization creates a new namespace and resources inside it. The server-side
+// dry-run cannot resolve resources in a namespace that doesn't exist yet,
+// consistent with `kubectl diff --server-side` behavior.
+func TestDiffKustomizationNewNamespaceAndConfigmap(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setupTestNamespace(tmpl["fluxns"], t)
+
+	cmd := cmdTestCase{
+		args: "diff kustomization new-namespace-and-configmap --path ./testdata/build-kustomization/new-namespace-and-configmap --progress-bar=false " +
+			"--kustomization-file ./testdata/diff-kustomization/flux-kustomization-new-namespace-and-configmap.yaml " +
+			"--ignore-not-found" +
+			" -n " + tmpl["fluxns"],
+		assert: assertError("ConfigMap/new-ns/app-config not found: namespaces \"new-ns\" not found"),
+	}
+	cmd.runTestCmd(t)
+}
+
+// TestDiffKustomizationNewNamespaceOnly runs `flux diff ks` when the
+// kustomization creates only a new namespace. The diff should show the
+// namespace as created.
+func TestDiffKustomizationNewNamespaceOnly(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setupTestNamespace(tmpl["fluxns"], t)
+
+	cmd := cmdTestCase{
+		args: "diff kustomization new-namespace-only --path ./testdata/build-kustomization/new-namespace-only --progress-bar=false " +
+			"--kustomization-file ./testdata/diff-kustomization/flux-kustomization-new-namespace-only.yaml " +
+			"--ignore-not-found" +
+			" -n " + tmpl["fluxns"],
+		assert: assertGoldenFile("./testdata/diff-kustomization/diff-new-namespace-only.golden"),
+	}
+	cmd.runTestCmd(t)
+}
+
 func createObjectFromFile(objectFile string, templateValues map[string]string, t *testing.T) []*unstructured.Unstructured {
 	buf, err := os.ReadFile(objectFile)
 	if err != nil {
@@ -151,7 +264,7 @@ func createObjectFromFile(objectFile string, templateValues map[string]string, t
 		t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
 	}

-	if err := ssa.SetNativeKindsDefaults(clientObjects); err != nil {
+	if err := normalize.UnstructuredList(clientObjects); err != nil {
 		t.Fatalf("Error setting native kinds defaults for '%s': %v", objectFile, err)
 	}

@@ -20,7 +20,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"os"
 	"sort"
 	"strings"
 	"time"
@@ -40,13 +39,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"

 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@@ -113,7 +112,12 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	var diffRefNs bool
-	clientListOpts := []client.ListOption{client.InNamespace(*kubeconfigArgs.Namespace)}
+	// Build the base list options. When --all-namespaces is set we must NOT constrain the
+	// query to a single namespace, otherwise we silently return a partial result set.
+	clientListOpts := []client.ListOption{}
+	if !eventArgs.allNamespaces {
+		clientListOpts = append(clientListOpts, client.InNamespace(*kubeconfigArgs.Namespace))
+	}
 	var refListOpts [][]client.ListOption
 	if eventArgs.forSelector != "" {
 		kind, name := getKindNameFromSelector(eventArgs.forSelector)
@@ -192,11 +196,14 @@ func getRows(ctx context.Context, kubeclient client.Client, clientListOpts []cli

 func addEventsToList(ctx context.Context, kubeclient client.Client, el *corev1.EventList, clientListOpts []client.ListOption) error {
 	listOpts := &metav1.ListOptions{}
-	clientListOpts = append(clientListOpts, client.Limit(cmdutil.DefaultChunkSize))
 	err := runtimeresource.FollowContinue(listOpts,
 		func(options metav1.ListOptions) (runtime.Object, error) {
 			newEvents := &corev1.EventList{}
-			if err := kubeclient.List(ctx, newEvents, clientListOpts...); err != nil {
+			opts := append(clientListOpts, client.Limit(cmdutil.DefaultChunkSize))
+			if options.Continue != "" {
+				opts = append(opts, client.Continue(options.Continue))
+			}
+			if err := kubeclient.List(ctx, newEvents, opts...); err != nil {
 				return nil, fmt.Errorf("error getting events: %w", err)
 			}
 			el.Items = append(el.Items, newEvents.Items...)
@@ -247,7 +254,7 @@ func eventsCmdWatchRun(ctx context.Context, kubeclient client.WithWatch, listOpt
 			hdr = getHeaders(showNs)
 			firstIteration = false
 		}
-		return printers.TablePrinter(hdr).Print(os.Stdout, [][]string{rows})
+		return printers.TablePrinter(hdr).Print(rootCmd.OutOrStdout(), [][]string{rows})
 	}

 	for _, refOpts := range refListOpts {
@@ -446,11 +453,12 @@ var fluxKindMap = refMap{
 		field:           []string{"spec", "sourceRef"},
 	},
 	sourcev1.GitRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)},
-	sourcev1b2.OCIRepositoryKind:     {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.OCIRepositoryKind)},
+	sourcev1.OCIRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)},
 	sourcev1.BucketKind:              {gvk: sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)},
 	sourcev1.HelmRepositoryKind:      {gvk: sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)},
 	autov1.ImageUpdateAutomationKind: {gvk: autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)},
 	imagev1.ImageRepositoryKind:      {gvk: imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)},
+	swapi.ArtifactGeneratorKind:      {gvk: swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)},
 }

 func ignoreEvent(e corev1.Event) bool {
@@ -20,11 +20,13 @@ package main
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 	"testing"

 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -140,7 +142,7 @@ spec:
  address: https://hooks.slack.com/services/mock
  type: slack
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImagePolicy
 metadata:
  name: podinfo
@@ -419,6 +421,108 @@ func createEvent(obj client.Object, eventType, msg, reason string) corev1.Event
 	}
 }

+// paginatedClient wraps a client.Client and simulates real Kubernetes API
+// pagination by splitting List results into pages of pageSize items,
+// using the ListMeta.Continue token.
+type paginatedClient struct {
+	client.Client
+	pageSize int
+}
+
+func (c *paginatedClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
+	listOpts := &client.ListOptions{}
+	listOpts.ApplyOptions(opts)
+
+	// Fetch all results from the underlying client (without Limit/Continue).
+	stripped := make([]client.ListOption, 0, len(opts))
+	for _, o := range opts {
+		if _, ok := o.(client.Limit); ok {
+			continue
+		}
+		if _, ok := o.(client.Continue); ok {
+			continue
+		}
+		stripped = append(stripped, o)
+	}
+	if err := c.Client.List(ctx, list, stripped...); err != nil {
+		return err
+	}
+
+	items, err := meta.ExtractList(list)
+	if err != nil {
+		return err
+	}
+
+	// Determine the page window based on the Continue token.
+	start := 0
+	if listOpts.Continue != "" {
+		n, err := strconv.Atoi(listOpts.Continue)
+		if err != nil {
+			return fmt.Errorf("invalid continue token: %w", err)
+		}
+		start = n
+	}
+	if start > len(items) {
+		start = len(items)
+	}
+
+	end := start + c.pageSize
+	if end > len(items) {
+		end = len(items)
+	}
+
+	page := items[start:end]
+	if err := meta.SetList(list, page); err != nil {
+		return err
+	}
+
+	// Set the Continue token when there are more pages.
+	listAccessor, err := meta.ListAccessor(list)
+	if err != nil {
+		return err
+	}
+	if end < len(items) {
+		listAccessor.SetContinue(strconv.Itoa(end))
+	} else {
+		listAccessor.SetContinue("")
+	}
+
+	return nil
+}
+
+func Test_addEventsToList_pagination(t *testing.T) {
+	g := NewWithT(t)
+	objs, err := ssautil.ReadObjects(strings.NewReader(objects))
+	g.Expect(err).To(Not(HaveOccurred()))
+
+	builder := fake.NewClientBuilder().WithScheme(utils.NewScheme())
+	for _, obj := range objs {
+		builder = builder.WithObjects(obj)
+	}
+
+	eventList := &corev1.EventList{}
+	for _, obj := range objs {
+		infoEvent := createEvent(obj, eventv1.EventSeverityInfo, "Info Message", "Info Reason")
+		warningEvent := createEvent(obj, eventv1.EventSeverityError, "Error Message", "Error Reason")
+		eventList.Items = append(eventList.Items, infoEvent, warningEvent)
+	}
+	builder = builder.WithLists(eventList)
+	c := builder.Build()
+
+	totalEvents := len(eventList.Items)
+	g.Expect(totalEvents).To(BeNumerically(">", 2), "need more than 2 events to test pagination")
+
+	// Wrap the client to paginate at 2 items per page, forcing multiple
+	// round-trips through FollowContinue.
+	pc := &paginatedClient{Client: c, pageSize: 2}
+
+	el := &corev1.EventList{}
+	err = addEventsToList(context.Background(), pc, el, nil)
+	g.Expect(err).To(Not(HaveOccurred()))
+	g.Expect(el.Items).To(HaveLen(totalEvents),
+		"addEventsToList should collect all events across paginated responses")
+}
+
 func kindNameIndexer(obj client.Object) []string {
 	e, ok := obj.(*corev1.Event)
 	if !ok {
@@ -109,13 +109,13 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func printExport(export interface{}) error {
+func printExport(export any) error {
 	data, err := yaml.Marshal(export)
 	if err != nil {
 		return err
 	}
-	rootCmd.Println("---")
-	rootCmd.Println(resourceToString(data))
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))
 	return nil
 }

@@ -0,0 +1,31 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var exportArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Export artifact objects",
+	Long:  `The export artifact sub-commands export artifacts objects in YAML format.`,
+}
+
+func init() {
+	exportCmd.AddCommand(exportArtifactCmd)
+}
@@ -0,0 +1,72 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+var exportArtifactGeneratorCmd = &cobra.Command{
+	Use:   "generator [name]",
+	Short: "Export ArtifactGenerator resources in YAML format",
+	Long:  "The export artifact generator command exports one or all ArtifactGenerator resources in YAML format.",
+	Example: `  # Export all ArtifactGenerator resources
+  flux export artifact generator --all > artifact-generators.yaml
+
+  # Export a specific generator
+  flux export artifact generator my-generator > my-generator.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)),
+	RunE: exportCommand{
+		object: artifactGeneratorAdapter{&swapi.ArtifactGenerator{}},
+		list:   artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{}},
+	}.run,
+}
+
+func init() {
+	exportArtifactCmd.AddCommand(exportArtifactGeneratorCmd)
+}
+
+// Export returns an ArtifactGenerator value which has
+// extraneous information stripped out.
+func exportArtifactGenerator(item *swapi.ArtifactGenerator) interface{} {
+	gvk := swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)
+	export := swapi.ArtifactGenerator{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        item.Name,
+			Namespace:   item.Namespace,
+			Labels:      item.Labels,
+			Annotations: item.Annotations,
+		},
+		Spec: item.Spec,
+	}
+	return export
+}
+
+func (ex artifactGeneratorAdapter) export() interface{} {
+	return exportArtifactGenerator(ex.ArtifactGenerator)
+}
+
+func (ex artifactGeneratorListAdapter) exportItem(i int) interface{} {
+	return exportArtifactGenerator(&ex.ArtifactGeneratorList.Items[i])
+}
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var exportImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Export ImagePolicy resources in YAML format",
-	Long:  withPreviewNote("The export image policy command exports one or all ImagePolicy resources in YAML format."),
+	Long:  "The export image policy command exports one or all ImagePolicy resources in YAML format.",
 	Example: `  # Export all ImagePolicy resources
  flux export image policy --all > image-policies.yaml

@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var exportImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Export ImageRepository resources in YAML format",
-	Long:  withPreviewNote("The export image repository command exports one or all ImageRepository resources in YAML format."),
+	Long:  "The export image repository command exports one or all ImageRepository resources in YAML format.",
 	Example: `  # Export all ImageRepository resources
  flux export image repository --all > image-repositories.yaml

@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )

 var exportImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Export ImageUpdateAutomation resources in YAML format",
-	Long:  withPreviewNote("The export image update command exports one or all ImageUpdateAutomation resources in YAML format."),
+	Long:  "The export image update command exports one or all ImageUpdateAutomation resources in YAML format.",
 	Example: `  # Export all ImageUpdateAutomation resources
  flux export image update --all > updates.yaml

@@ -0,0 +1,84 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+)
+
+var exportSourceExternalCmd = &cobra.Command{
+	Use:   "external [name]",
+	Short: "Export ExternalArtifact sources in YAML format",
+	Long:  "The export source external command exports one or all ExternalArtifact sources in YAML format.",
+	Example: `  # Export all ExternalArtifact sources
+  flux export source external --all > sources.yaml
+
+  # Export a specific ExternalArtifact
+  flux export source external my-artifact > source.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)),
+	RunE: exportWithSecretCommand{
+		list:   externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+		object: externalArtifactAdapter{&sourcev1.ExternalArtifact{}},
+	}.run,
+}
+
+func init() {
+	exportSourceCmd.AddCommand(exportSourceExternalCmd)
+}
+
+func exportExternalArtifact(source *sourcev1.ExternalArtifact) any {
+	gvk := sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)
+	export := sourcev1.ExternalArtifact{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        source.Name,
+			Namespace:   source.Namespace,
+			Labels:      source.Labels,
+			Annotations: source.Annotations,
+		},
+		Spec: source.Spec,
+	}
+	return export
+}
+
+func getExternalArtifactSecret(source *sourcev1.ExternalArtifact) *types.NamespacedName {
+	// ExternalArtifact does not have a secretRef in its spec, this satisfies the interface
+	return nil
+}
+
+func (ex externalArtifactAdapter) secret() *types.NamespacedName {
+	return getExternalArtifactSecret(ex.ExternalArtifact)
+}
+
+func (ex externalArtifactListAdapter) secretItem(i int) *types.NamespacedName {
+	return getExternalArtifactSecret(&ex.ExternalArtifactList.Items[i])
+}
+
+func (ex externalArtifactAdapter) export() any {
+	return exportExternalArtifact(ex.ExternalArtifact)
+}
+
+func (ex externalArtifactListAdapter) exportItem(i int) any {
+	return exportExternalArtifact(&ex.ExternalArtifactList.Items[i])
+}
@@ -21,7 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var exportSourceOCIRepositoryCmd = &cobra.Command{
@@ -1,6 +1,22 @@
 //go:build unit
 // +build unit

+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package main

 import (
@@ -94,6 +110,12 @@ func TestExport(t *testing.T) {
 			"testdata/export/bucket.yaml",
 			tmpl,
 		},
+		{
+			"source external",
+			"export source external flux-system",
+			"testdata/export/external-artifact.yaml",
+			tmpl,
+		},
 	}

 	for _, tt := range cases {
@@ -184,13 +184,13 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {

 	if get.list.len() == 0 {
 		if len(args) > 0 {
-			logger.Failuref("%s object '%s' not found in %s namespace",
+			return fmt.Errorf("%s object '%s' not found in %s namespace",
 				get.kind,
 				args[0],
 				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
 			)
 		} else if !getAll {
-			logger.Failuref("no %s objects found in %s namespace",
+			return fmt.Errorf("no %s objects found in %s namespace",
 				get.kind,
 				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
 			)
@@ -87,7 +87,7 @@ var getAllCmd = &cobra.Command{

 func logError(err error) {
 	if !apimeta.IsNoMatchError(err) {
-		logger.Failuref(err.Error())
+		logger.Failuref("%s", err.Error())
 	}
 }

@@ -0,0 +1,32 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var getArtifactCmd = &cobra.Command{
+	Use:     "artifacts",
+	Aliases: []string{"artifact"},
+	Short:   "Get artifact object status",
+	Long:    `The get artifact sub-commands print the status of artifact objects.`,
+}
+
+func init() {
+	getCmd.AddCommand(getArtifactCmd)
+}
@@ -0,0 +1,93 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+var getArtifactGeneratorCmd = &cobra.Command{
+	Use:     "generators",
+	Aliases: []string{"generator"},
+	Short:   "Get artifact generator statuses",
+	Long:    `The get artifact generator command prints the statuses of the resources.`,
+	Example: `  # List all ArtifactGenerators and their status
+  flux get artifact generators`,
+	ValidArgsFunction: resourceNamesCompletionFunc(swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: receiverType,
+			list:    artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*swapi.ArtifactGenerator)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v generator", obj)
+			}
+
+			sink := artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{
+				Items: []swapi.ArtifactGenerator{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getArtifactCmd.AddCommand(getArtifactGeneratorCmd)
+}
+
+func (s artifactGeneratorListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := s.Items[i]
+	status, msg := statusAndMessage(item.Status.Conditions)
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		cases.Title(language.English).String(strconv.FormatBool(item.IsDisabled())), status, msg)
+}
+
+func (s artifactGeneratorListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Suspended", "Ready", "Message"}
+	if includeNamespace {
+		return append(namespaceHeader, headers...)
+	}
+	return headers
+}
+
+func (s artifactGeneratorListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}
@@ -28,13 +28,22 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 )

+type getHelmReleaseFlags struct {
+	showSource bool
+}
+
+var getHrArgs getHelmReleaseFlags
+
 var getHelmReleaseCmd = &cobra.Command{
 	Use:     "helmreleases",
 	Aliases: []string{"hr", "helmrelease"},
 	Short:   "Get HelmRelease statuses",
 	Long:    "The get helmreleases command prints the statuses of the resources.",
 	Example: `  # List all Helm releases and their status
-  flux get helmreleases`,
+  flux get helmreleases
+
+  # List all Helm releases with source information
+  flux get helmreleases --show-source`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
@@ -69,6 +78,7 @@ var getHelmReleaseCmd = &cobra.Command{
 }

 func init() {
+	getHelmReleaseCmd.Flags().BoolVar(&getHrArgs.showSource, "show-source", false, "show the source reference for each helmrelease")
 	getCmd.AddCommand(getHelmReleaseCmd)
 }

@@ -79,16 +89,45 @@ func getHelmReleaseRevision(helmRelease helmv2.HelmRelease) string {
 	return helmRelease.Status.LastAttemptedRevision
 }

+func getHelmReleaseSource(item helmv2.HelmRelease) string {
+	if item.Spec.ChartRef != nil {
+		ns := item.Spec.ChartRef.Namespace
+		if ns == "" {
+			ns = item.GetNamespace()
+		}
+		return fmt.Sprintf("%s/%s/%s",
+			item.Spec.ChartRef.Kind,
+			ns,
+			item.Spec.ChartRef.Name)
+	}
+	ns := item.Spec.Chart.Spec.SourceRef.Namespace
+	if ns == "" {
+		ns = item.GetNamespace()
+	}
+	return fmt.Sprintf("%s/%s/%s",
+		item.Spec.Chart.Spec.SourceRef.Kind,
+		ns,
+		item.Spec.Chart.Spec.SourceRef.Name)
+}
+
 func (a helmReleaseListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := a.Items[i]
 	revision := getHelmReleaseRevision(item)
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind),
+	row := nameColumns(&item, includeNamespace, includeKind)
+	if getHrArgs.showSource {
+		row = append(row, getHelmReleaseSource(item))
+	}
+	return append(row,
 		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }

 func (a helmReleaseListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
+	headers := []string{"Name"}
+	if getHrArgs.showSource {
+		headers = append(headers, "Source")
+	}
+	headers = append(headers, "Revision", "Suspended", "Ready", "Message")
 	if includeNamespace {
 		headers = append([]string{"Namespace"}, headers...)
 	}
@@ -19,14 +19,14 @@ package main
 import (
 	"github.com/spf13/cobra"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var getImageAllCmd = &cobra.Command{
 	Use:   "all",
 	Short: "Get all image statuses",
-	Long:  withPreviewNote("The get image sub-commands print the statuses of all image objects."),
+	Long:  "The get image sub-commands print the statuses of all image objects.",
 	Example: `  # List all image objects in a namespace
  flux get images all --namespace=flux-system

@@ -55,7 +55,7 @@ var getImageAllCmd = &cobra.Command{

 		for _, c := range allImageCmd {
 			if err := c.run(cmd, args); err != nil {
-				logger.Failuref(err.Error())
+				logger.Failuref("%s", err.Error())
 			}
 		}

@@ -22,13 +22,13 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var getImagePolicyCmd = &cobra.Command{
 	Use:   "policy",
 	Short: "Get ImagePolicy status",
-	Long:  withPreviewNote("The get image policy command prints the status of ImagePolicy objects."),
+	Long:  "The get image policy command prints the status of ImagePolicy objects.",
 	Example: `  # List all image policies and their status
  flux get image policy

@@ -74,11 +74,16 @@ func init() {
 func (s imagePolicyListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), item.Status.LatestImage, status, msg)
+	var image, tag string
+	if ref := item.Status.LatestRef; ref != nil {
+		image = ref.Name
+		tag = ref.Tag
+	}
+	return append(nameColumns(&item, includeNamespace, includeKind), image, tag, status, msg)
 }

 func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Latest image", "Ready", "Message"}
+	headers := []string{"Name", "Image", "Tag", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}
@@ -26,13 +26,13 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var getImageRepositoryCmd = &cobra.Command{
 	Use:   "repository",
 	Short: "Get ImageRepository status",
-	Long:  withPreviewNote("The get image repository command prints the status of ImageRepository objects."),
+	Long:  "The get image repository command prints the status of ImageRepository objects.",
 	Example: `  # List all image repositories and their status
  flux get image repository

@@ -26,13 +26,13 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )

 var getImageUpdateCmd = &cobra.Command{
 	Use:   "update",
 	Short: "Get ImageUpdateAutomation status",
-	Long:  withPreviewNote("The get image update command prints the status of ImageUpdateAutomation objects."),
+	Long:  "The get image update command prints the status of ImageUpdateAutomation objects.",
 	Example: `  # List all image update automation object and their status
  flux get image update

@@ -30,13 +30,22 @@ import (
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )

+type getKustomizationFlags struct {
+	showSource bool
+}
+
+var getKsArgs getKustomizationFlags
+
 var getKsCmd = &cobra.Command{
 	Use:     "kustomizations",
 	Aliases: []string{"ks", "kustomization"},
 	Short:   "Get Kustomization statuses",
 	Long:    `The get kustomizations command prints the statuses of the resources.`,
 	Example: `  # List all kustomizations and their status
-  flux get kustomizations`,
+  flux get kustomizations
+
+  # List all kustomizations with source information
+  flux get kustomizations --show-source`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
@@ -74,6 +83,7 @@ var getKsCmd = &cobra.Command{
 }

 func init() {
+	getKsCmd.Flags().BoolVar(&getKsArgs.showSource, "show-source", false, "show the source reference for each kustomization")
 	getCmd.AddCommand(getKsCmd)
 }

@@ -83,12 +93,27 @@ func (a kustomizationListAdapter) summariseItem(i int, includeNamespace bool, in
 	status, msg := statusAndMessage(item.Status.Conditions)
 	revision = utils.TruncateHex(revision)
 	msg = utils.TruncateHex(msg)
-	return append(nameColumns(&item, includeNamespace, includeKind),
+	row := nameColumns(&item, includeNamespace, includeKind)
+	if getKsArgs.showSource {
+		sourceNs := item.Spec.SourceRef.Namespace
+		if sourceNs == "" {
+			sourceNs = item.GetNamespace()
+		}
+		row = append(row, fmt.Sprintf("%s/%s/%s",
+			item.Spec.SourceRef.Kind,
+			sourceNs,
+			item.Spec.SourceRef.Name))
+	}
+	return append(row,
 		revision, cases.Title(language.English).String(strconv.FormatBool(item.Spec.Suspend)), status, msg)
 }

 func (a kustomizationListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Revision", "Suspended", "Ready", "Message"}
+	headers := []string{"Name"}
+	if getKsArgs.showSource {
+		headers = append(headers, "Source")
+	}
+	headers = append(headers, "Revision", "Suspended", "Ready", "Message")
 	if includeNamespace {
 		headers = append([]string{"Namespace"}, headers...)
 	}
@@ -21,7 +21,6 @@ import (
 	apimeta "k8s.io/apimachinery/pkg/api/meta"

 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )

 var getSourceAllCmd = &cobra.Command{
@@ -42,7 +41,7 @@ var getSourceAllCmd = &cobra.Command{
 		var allSourceCmd = []getCommand{
 			{
 				apiType: ociRepositoryType,
-				list:    &ociRepositoryListAdapter{&sourcev1b2.OCIRepositoryList{}},
+				list:    &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
 			},
 			{
 				apiType: bucketType,
@@ -60,12 +59,16 @@ var getSourceAllCmd = &cobra.Command{
 				apiType: helmChartType,
 				list:    &helmChartListAdapter{&sourcev1.HelmChartList{}},
 			},
+			{
+				apiType: externalArtifactType,
+				list:    &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+			},
 		}

 		for _, c := range allSourceCmd {
 			if err := c.run(cmd, args); err != nil {
 				if !apimeta.IsNoMatchError(err) {
-					logger.Failuref(err.Error())
+					logger.Failuref("%s", err.Error())
 				}
 			}
 		}
@@ -0,0 +1,108 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var getSourceExternalCmd = &cobra.Command{
+	Use:   "external",
+	Short: "Get ExternalArtifact source statuses",
+	Long:  `The get sources external command prints the status of the ExternalArtifact sources.`,
+	Example: `  # List all ExternalArtifacts and their status
+  flux get sources external
+
+  # List ExternalArtifacts from all namespaces
+  flux get sources external --all-namespaces`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: externalArtifactType,
+			list:    &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*sourcev1.ExternalArtifact)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v to ExternalArtifact", obj)
+			}
+
+			sink := &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{
+				Items: []sourcev1.ExternalArtifact{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getSourceCmd.AddCommand(getSourceExternalCmd)
+}
+
+func (a *externalArtifactListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := a.Items[i]
+	var revision string
+	if item.Status.Artifact != nil {
+		revision = item.Status.Artifact.Revision
+	}
+	status, msg := statusAndMessage(item.Status.Conditions)
+	revision = utils.TruncateHex(revision)
+	msg = utils.TruncateHex(msg)
+
+	var source string
+	if item.Spec.SourceRef != nil {
+		source = fmt.Sprintf("%s/%s/%s",
+			item.Spec.SourceRef.Kind,
+			item.Spec.SourceRef.Namespace,
+			item.Spec.SourceRef.Name)
+	}
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		revision, source, status, msg)
+}
+
+func (a externalArtifactListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Revision", "Source", "Ready", "Message"}
+	if includeNamespace {
+		headers = append([]string{"Namespace"}, headers...)
+	}
+	return headers
+}
+
+func (a externalArtifactListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}
@@ -25,7 +25,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"

-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"

 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@@ -19,7 +19,10 @@ limitations under the License.

 package main

-import "testing"
+import (
+	"fmt"
+	"testing"
+)

 func Test_GetCmd(t *testing.T) {
 	tmpl := map[string]string{
@@ -59,3 +62,76 @@ func Test_GetCmd(t *testing.T) {
 		})
 	}
 }
+
+func Test_GetCmdErrors(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	testEnv.CreateObjectFile("./testdata/get/objects.yaml", tmpl, t)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "specific object not found",
+			args:   "get kustomization non-existent-resource -n " + tmpl["fluxns"],
+			assert: assertError(fmt.Sprintf("Kustomization object 'non-existent-resource' not found in \"%s\" namespace", tmpl["fluxns"])),
+		},
+		{
+			name:   "no objects found in namespace",
+			args:   "get helmrelease -n " + tmpl["fluxns"],
+			assert: assertError(fmt.Sprintf("no HelmRelease objects found in \"%s\" namespace", tmpl["fluxns"])),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+func Test_GetCmdSuccess(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	testEnv.CreateObjectFile("./testdata/get/objects.yaml", tmpl, t)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "list sources git",
+			args:   "get sources git -n " + tmpl["fluxns"],
+			assert: assertSuccess(),
+		},
+		{
+			name:   "get help",
+			args:   "get --help",
+			assert: assertSuccess(),
+		},
+		{
+			name:   "get with all namespaces flag",
+			args:   "get sources git -A",
+			assert: assertSuccess(),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
@@ -17,10 +17,12 @@ limitations under the License.
 package main

 import (
+	"fmt"
+
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 // These are general-purpose adapters for attaching methods to, for
@@ -77,6 +79,34 @@ func (a imagePolicyAdapter) asClientObject() client.Object {
 	return a.ImagePolicy
 }

+func (a imagePolicyAdapter) deepCopyClientObject() client.Object {
+	return a.ImagePolicy.DeepCopy()
+}
+
+func (a imagePolicyAdapter) isStatic() bool {
+	return false
+}
+
+func (a imagePolicyAdapter) lastHandledReconcileRequest() string {
+	return a.Status.GetLastHandledReconcileRequest()
+}
+
+func (a imagePolicyAdapter) isSuspended() bool {
+	return a.Spec.Suspend
+}
+
+func (a imagePolicyAdapter) setSuspended() {
+	a.Spec.Suspend = true
+}
+
+func (a imagePolicyAdapter) successMessage() string {
+	return fmt.Sprintf("selected ref %s", a.Status.LatestRef.String())
+}
+
+func (a imagePolicyAdapter) setUnsuspended() {
+	a.Spec.Suspend = false
+}
+
 // imagev1.ImagePolicyList

 type imagePolicyListAdapter struct {
@@ -91,6 +121,18 @@ func (a imagePolicyListAdapter) len() int {
 	return len(a.ImagePolicyList.Items)
 }

+func (a imagePolicyListAdapter) resumeItem(i int) resumable {
+	return &imagePolicyAdapter{&a.ImagePolicyList.Items[i]}
+}
+
+func (obj imagePolicyAdapter) getObservedGeneration() int64 {
+	return obj.ImagePolicy.Status.ObservedGeneration
+}
+
+func (a imagePolicyListAdapter) item(i int) suspendable {
+	return &imagePolicyAdapter{&a.ImagePolicyList.Items[i]}
+}
+
 // autov1.ImageUpdateAutomation

 var imageUpdateAutomationType = apiType{
@@ -38,7 +38,7 @@ func TestImageScanning(t *testing.T) {
 			"testdata/image/create_image_repository.golden",
 		},
 		{
-			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --select-semver=5.0.x",
+			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --reflect-digest=Always --select-semver=5.0.x",
 			"testdata/image/create_image_policy.golden",
 		},
 		{
@@ -46,13 +46,25 @@ func TestImageScanning(t *testing.T) {
 			"testdata/image/get_image_policy_semver.golden",
 		},
 		{
-			`create image policy podinfo-regex --image-ref=podinfo --interval=10m --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
+			`create image policy podinfo-regex --image-ref=podinfo --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
 			"testdata/image/create_image_policy.golden",
 		},
 		{
 			"get image policy podinfo-regex",
 			"testdata/image/get_image_policy_regex.golden",
 		},
+		{
+			"suspend image policy podinfo-semver",
+			"testdata/image/suspend_image_policy.golden",
+		},
+		{
+			"resume image policy podinfo-semver",
+			"testdata/image/resume_image_policy.golden",
+		},
+		{
+			"reconcile image policy podinfo-semver",
+			"testdata/image/reconcile_image_policy.golden",
+		},
 	}

 	for _, tc := range cases {
--- a/Show More
+++ b/Show More