Merge pull request #5509 from RussellAult/action-without-api

`fluxcd/flux2/action`: Determine latest version without using GitHub API
fluxcd/flux2/action: Determine latest version without using GitHub API
2026-03-01 11:16:56 +00:00 · 2025-09-30 07:23:03 +01:00 · 2025-09-30 07:19:32 +01:00 · 2025-09-28 21:12:32 +01:00 · 2025-09-28 19:59:27 +00:00 · 2025-09-26 11:04:46 +01:00
315 changed files with 8254 additions and 3791 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,11 +6,9 @@ updates:
    labels: ["area/ci", "dependencies"]
    groups:
      # Group all updates together, so that they are all applied in a single PR.
      # Grouped updates are currently in beta and is subject to change.
      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
      ci:
        patterns:
          - "*"
    schedule:
-      # By default, this will be on a monday.
+      interval: "monthly"
      interval: "weekly"
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@@ -44,15 +44,12 @@
  description: Feature request proposals in the RFC format
  color: '#D621C3'
  aliases: ['area/RFC']
- name: backport:release/v2.0.x
+- name: backport:release/v2.4.x
-  description: To be backported to release/v2.0.x
+  description: To be backported to release/v2.4.x
  color: '#ffd700'
- name: backport:release/v2.1.x
+- name: backport:release/v2.5.x
-  description: To be backported to release/v2.1.x
+  description: To be backported to release/v2.5.x
  color: '#ffd700'
- name: backport:release/v2.2.x
+- name: backport:release/v2.6.x
-  description: To be backported to release/v2.2.x
+  description: To be backported to release/v2.6.x
  color: '#ffd700'
 - name: backport:release/v2.3.x
  description: To be backported to release/v2.3.x
  color: '#ffd700'
--- a/.github/workflows/action.yaml
+++ b/.github/workflows/action.yaml
@@ -24,6 +24,6 @@ jobs:
    name: action on ${{ matrix.version }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup flux
        uses: ./action
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -1,34 +1,13 @@
 name: backport
 on:
  pull_request_target:
    types: [closed, labeled]
-
+permissions: read-all
 permissions: 
  contents: read
 jobs:
-  pull-request:
+  backport:
    runs-on: ubuntu-latest
    permissions:
-      contents: write
+      contents: write # for reading and creating branches.
-      pull-requests: write
+      pull-requests: write # for creating pull requests against release branches.
-    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
+    uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@v0.4.0
-    steps:
+    secrets:
-      - name: Checkout
+      github-token: ${{ secrets.GITHUB_TOKEN }}
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Create backport PRs
        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
        # xref: https://github.com/korthout/backport-action#inputs
        with:
          # Use token to allow workflows to be triggered for the created PR
          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
          # Match labels with a pattern `backport:<target-branch>`
          label_pattern: '^backport:([^ ]+)$'
          # A bit shorter pull-request title than the default
          pull_title: '[${target_branch}] ${pull_title}'
          # Simpler PR description than default
          pull_description: |-
            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -9,7 +9,7 @@ permissions:
  contents: read
 env:
-  GO_VERSION: 1.22.x
+  GO_VERSION: 1.25.x
 jobs:
  conform-kubernetes:
@@ -19,13 +19,13 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
-        KUBERNETES_VERSION: [ 1.28.11, 1.29.6, 1.30.2, 1.31.0 ]
+        KUBERNETES_VERSION: [1.32.1, 1.33.0, 1.34.1]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -40,9 +40,9 @@ jobs:
        run: |
          make build
      - name: Setup Kubernetes
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.22.0
+          version: v0.30.0
          cluster_name: ${{ steps.prep.outputs.CLUSTER }}
          node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
      - name: Run e2e tests
@@ -76,13 +76,13 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Available versions can be found with "replicated cluster versions"
-        K3S_VERSION: [ 1.28.7,  1.29.2 ]
+        K3S_VERSION: [ 1.32.8, 1.33.4 ]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -97,7 +97,7 @@ jobs:
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Build
        run: make build-dev
      - name: Create repository
@@ -107,7 +107,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
-        uses: replicatedhq/compatibility-actions/create-cluster@77121785951d05387334b773644c356885191f14 # v1.16.2
+        uses: replicatedhq/replicated-actions/create-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "k3s"
@@ -151,7 +151,7 @@ jobs:
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@77121785951d05387334b773644c356885191f14 # v1.16.2
+        uses: replicatedhq/replicated-actions/remove-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
@@ -169,13 +169,13 @@ jobs:
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
-        OPENSHIFT_VERSION: [ 4.15.0-okd ]
+        OPENSHIFT_VERSION: [ 4.19.0-okd ]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -190,7 +190,7 @@ jobs:
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Build
        run: make build-dev
      - name: Create repository
@@ -200,7 +200,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
      - name: Create cluster
        id: create-cluster
-        uses: replicatedhq/compatibility-actions/create-cluster@77121785951d05387334b773644c356885191f14 # v1.16.2
+        uses: replicatedhq/replicated-actions/create-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
          kubernetes-distribution: "openshift"
@@ -242,7 +242,7 @@ jobs:
          kubectl delete ns flux-system --wait
      - name: Delete cluster
        if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@77121785951d05387334b773644c356885191f14 # v1.16.2
+        uses: replicatedhq/replicated-actions/remove-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
        continue-on-error: true
        with:
          api-token: ${{ secrets.REPLICATED_API_TOKEN }}
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -22,20 +22,21 @@ permissions:
 jobs:
  e2e-aks:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./tests/integration
-    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: CheckoutD
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.23.x
+          go-version: 1.25.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      - name: Setup Flux CLI
        run: make build
        working-directory: ./
@@ -47,9 +48,9 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Azure
-        uses: Azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v1.4.6
+        uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v1.4.6
        with:
-          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
+          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
      - name: Set dynamic variables in .env
        run: |
          cat > .env <<EOF
@@ -59,33 +60,35 @@ jobs:
        run: cat .env
      - name: Run Azure e2e tests
        env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
-          GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY }}
-          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
        run: |
          source .env
          mkdir -p ./build/ssh
-          touch ./build/ssh/key
+          cat <<EOF > build/ssh/key
-          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          $GITREPO_SSH_CONTENTS
          EOF
          export GITREPO_SSH_PATH=build/ssh/key
-          touch ./build/ssh/key.pub
+          cat <<EOF > build/ssh/key.pub
-          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          $GITREPO_SSH_PUB_CONTENTS
          EOF
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure
      - name: Ensure resource cleanup
        if: ${{ always() }}
        env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
        run: source .env && make destroy-azure
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@@ -17,27 +17,27 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.23.x
+          go-version: 1.25.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.22.0
+          version: v0.30.0
          cluster_name: kind
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.30.0-amd64
+          node_image: ghcr.io/fluxcd/kindest/node:v1.32.1-amd64
-          kubectl_version: v1.30.0
+          kubectl_version: v1.32.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Setup yq
-        uses: fluxcd/pkg/actions/yq@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+        uses: fluxcd/pkg/actions/yq@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Build
        run: make build-dev
      - name: Set outputs
@@ -107,6 +107,8 @@ jobs:
          ./bin/flux reconcile image repository podinfo
          ./bin/flux reconcile image update flux-system
          ./bin/flux get images all
          ./bin/flux -n flux-system events --for ImageUpdateAutomation/flux-system
          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system
          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
           yq '.status.lastPushCommit | length > 1' | grep 'true'
        env:
--- a/.github/workflows/e2e-gcp.yaml
+++ b/.github/workflows/e2e-gcp.yaml
@@ -22,19 +22,21 @@ permissions:
 jobs:
  e2e-gcp:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./tests/integration
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.23.x
+          go-version: 1.25.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      - name: Setup Flux CLI
        run: make build
        working-directory: ./
@@ -46,19 +48,19 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        id: 'auth'
        with:
          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
          token_format: 'access_token'
      - name: Setup gcloud
-        uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Log into us-central1-docker.pkg.dev
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: us-central1-docker.pkg.dev
          username: oauth2accesstoken
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -23,30 +23,30 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.23.x
+          go-version: 1.25.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.22.0
+          version: v0.30.0
          cluster_name: kind
          wait: 5s
          config: .github/kind/config.yaml # disable KIND-net
          # The versions below should target the oldest supported Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.28.9-amd64
+          node_image: ghcr.io/fluxcd/kindest/node:v1.32.1-amd64
-          kubectl_version: v1.28.9
+          kubectl_version: v1.32.0
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Run tests
        run: make test
      - name: Run e2e tests
@@ -238,6 +238,9 @@ jobs:
      - name: flux check
        run: |
          ./bin/flux check
      - name: flux migrate
        run: |
          ./bin/flux migrate
      - name: flux version
        run: |
          ./bin/flux version
@@ -247,7 +250,7 @@ jobs:
      - name: Debug failure
        if: failure()
        run: |
-          kubectl version --client --short
+          kubectl version --client
          kubectl -n flux-system get all
          kubectl -n flux-system describe pods
          kubectl -n flux-system get kustomizations -oyaml
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@@ -19,21 +19,21 @@ jobs:
      actions: read
      contents: read
    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: Upload artifact
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
        with:
          sarif_file: results.sarif
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,7 +2,7 @@ name: release
 on:
  push:
-    tags: [ 'v*' ]
+    tags: ["v*"]
 permissions:
  contents: read
@@ -20,33 +20,33 @@ jobs:
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.23.x
+          go-version: 1.25.x
          cache: false
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db  # v3.6.1
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+        uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -59,30 +59,19 @@ jobs:
        run: |
          kustomize build manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg/actions/crdjsonschema@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+        uses: fluxcd/pkg/actions/crdjsonschema@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
        with:
          crd: all-crds.yaml
          output: schemas
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Download release notes utility
        env:
          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
      - name: Generate release notes
        run: |
          NOTES="./output/notes.md"
          echo '## CLI Changelog' > ${NOTES}
          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          version: latest
-          args: release --release-notes=output/notes.md --skip=validate
+          args: release --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
@@ -93,13 +82,13 @@ jobs:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
-          
+
          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-          
+
          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
          echo "image_url=$image_url" >> $GITHUB_OUTPUT
-          
+
          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
@@ -110,9 +99,9 @@ jobs:
      id-token: write
      packages: write
    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Setup Flux CLI
        uses: ./action/
      - name: Prepare
@@ -121,13 +110,13 @@ jobs:
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ghcr.io
          username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to DockerHub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -137,7 +126,7 @@ jobs:
          flux install --registry=ghcr.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./ghcr.io/flux-system/gotk-components.yaml
-          
+
          cd ./ghcr.io && flux push artifact \
          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --path="./flux-system" \
@@ -149,13 +138,13 @@ jobs:
          flux install --registry=docker.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./docker.io/flux-system/gotk-components.yaml
-          
+
          cd ./docker.io && flux push artifact \
          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+      - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
@@ -176,7 +165,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
@@ -188,7 +177,7 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
@@ -202,10 +191,10 @@ jobs:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
-      registry-password: ${{ secrets.GHCR_TOKEN }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -1,5 +1,4 @@
 name: scan
 on:
  workflow_dispatch:
  push:
@@ -8,79 +7,13 @@ on:
    branches: [ 'main', 'release/**' ]
  schedule:
    - cron: '18 10 * * 3'
-
+permissions: read-all
 permissions:
  contents: read
 jobs:
-  scan-fossa:
+  analyze:
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}
  scan-snyk:
    runs-on: ubuntu-latest
    permissions:
-      security-events: write
+      contents: read # for reading the repository code.
-    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
+      security-events: write # for uploading the CodeQL analysis results.
-    steps:
+    uses: fluxcd/gha-workflows/.github/workflows/code-scan.yaml@v0.4.0
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    secrets:
-      - name: Setup Kustomize
+      github-token: ${{ secrets.GITHUB_TOKEN }}
-        uses: fluxcd/pkg/actions/kustomize@e40e7ed2bc31c6b6e36d263b6299e5082d9fef12 # main
+      fossa-token: ${{ secrets.FOSSA_TOKEN }}
      - name: Setup Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Download modules and build manifests
        run: |
          make tidy
          make cmd/flux/.manifests.done
      - uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
          snyk test --all-projects --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
        continue-on-error: true
        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
        with:
          sarif_file: snyk.sarif
  scan-codeql:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Setup Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version-file: 'go.mod'
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Initialize CodeQL
        uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
        with:
          languages: go
          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # xref: https://codeql.github.com/codeql-query-help/go/
          queries: security-and-quality
      - name: Autobuild
        uses: github/codeql-action/autobuild@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -6,23 +6,12 @@ on:
      - main
    paths:
      - .github/labels.yaml
-
+permissions: read-all
 permissions:
  contents: read
 jobs:
-  labels:
+  sync-labels:
    name: Run sync
    runs-on: ubuntu-latest
    permissions:
-      issues: write
+      contents: read # for reading the labels file.
-    steps:
+      issues: write # for creating and updating labels.
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    uses: fluxcd/gha-workflows/.github/workflows/labels-sync.yaml@v0.4.0
-      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
+    secrets:
-        with:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
          # Configuration file
          config-file: |
            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
            .github/labels.yaml
          # Strictly declarative
          delete-other-labels: true
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -2,8 +2,6 @@ name: update
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 * * * *"
  push:
    branches: [main]
@@ -18,24 +16,37 @@ jobs:
      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.23.x
+          go-version: 1.25.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Update component versions
        id: update
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PR_BODY=$(mktemp)
          bump_version() {
-            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+            local LATEST_VERSION=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
            if [[ "$LATEST_VERSION" == *"-rc"* ]]; then
              echo "Skipping release candidate version for $1: $LATEST_VERSION"
              return
            fi
            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
-            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
+          
            local API_PKG="github.com/fluxcd/$1/api"
            if [[ "$1" == "source-watcher" ]]; then
              API_PKG="github.com/fluxcd/$1/api/v2"
            fi
            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "$API_PKG")
            local changed=false
@@ -50,7 +61,7 @@ jobs:
            fi
            if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
-              go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
+              go mod edit -require="$API_PKG@${LATEST_VERSION}"
              make tidy
              changed=true
            fi
@@ -69,6 +80,7 @@ jobs:
            bump_version notification-controller
            bump_version image-reflector-controller
            bump_version image-automation-controller
            bump_version source-watcher
            # diff change
            git diff
@@ -84,7 +96,7 @@ jobs:
      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,4 +1,6 @@
 project_name: flux
 changelog:
  use: github-native
 builds:
  - <<: &build_defaults
      binary: flux
--- a/.scorecard.yml
+++ b/.scorecard.yml
@@ -0,0 +1,5 @@
 annotations:
  - checks:
      - dangerous-workflow
    reasons:
      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -67,8 +67,8 @@ for source changes.
 Prerequisites:
-* go >= 1.20
+* go >= 1.24
-* kubectl >= 1.24
+* kubectl >= 1.30
 * kustomize >= 5.0
 * coreutils (on Mac OS)
--- a/13
+++ b/13
@@ -1,15 +1,16 @@
-FROM alpine:3.20 as builder
+FROM alpine:3.22 AS builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.31.0
+ARG KUBECTL_VER=1.34.0
-RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
+RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
-    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
+    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
    kubectl version --client=true
-FROM alpine:3.20 as flux-cli
+RUN kubectl version --client=true
 FROM alpine:3.22 AS flux-cli
 RUN apk add --no-cache ca-certificates
--- a/4
+++ b/4
@@ -17,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build
 tidy:
-	go mod tidy -compat=1.22
+	go mod tidy -compat=1.25
-	cd tests/integration && go mod tidy -compat=1.22
+	cd tests/integration && go mod tidy -compat=1.25
 fmt:
 	go fmt ./...
--- a/action/action.yml
+++ b/action/action.yml
@@ -16,23 +16,24 @@ inputs:
    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
    required: false
  token:
-    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
+    description: "Token used to authenticate against the GitHub.com API."
    required: false
 runs:
  using: composite
  steps:
    - name: "Download the binary to the runner's cache dir"
      shell: bash
      env:
        VERSION: "${{ inputs.version }}"
        FLUX_TOOL_DIR: "${{ inputs.bindir }}"
        TOKEN: "${{ inputs.token }}"
      run: |
        VERSION=${{ inputs.version }}
        TOKEN=${{ inputs.token }}
        if [[ -z "$TOKEN" ]]; then
          TOKEN=${{ github.token }}
        fi
        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
-          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
+          if [[ "${TOKEN}" != '' ]]; then
            VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
          else
            VERSION=$(curl -w "%{url_effective}\n" -IsSL https://github.com/fluxcd/flux2/releases/latest -o /dev/null | sed 's$^.*/$$')
          fi
        fi
        if [[ -z "$VERSION" ]]; then
          echo "Unable to determine Flux CLI version"
@@ -59,7 +60,6 @@ runs:
            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
        fi
        FLUX_TOOL_DIR=${{ inputs.bindir }}
        if [[ -z "$FLUX_TOOL_DIR" ]]; then
          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
        fi
--- a/cmd/flux/artifact.go
+++ b/cmd/flux/artifact.go
@@ -0,0 +1,57 @@
 /*
 Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
 )
 // swapi.ArtifactGenerator
 var artifactGeneratorType = apiType{
 	kind:         swapi.ArtifactGeneratorKind,
 	humanKind:    "artifactgenerator",
 	groupVersion: swapi.GroupVersion,
 }
 type artifactGeneratorAdapter struct {
 	*swapi.ArtifactGenerator
 }
 func (h artifactGeneratorAdapter) asClientObject() client.Object {
 	return h.ArtifactGenerator
 }
 func (h artifactGeneratorAdapter) deepCopyClientObject() client.Object {
 	return h.ArtifactGenerator.DeepCopy()
 }
 // swapi.ArtifactGeneratorList
 type artifactGeneratorListAdapter struct {
 	*swapi.ArtifactGeneratorList
 }
 func (h artifactGeneratorListAdapter) asClientList() client.ObjectList {
 	return h.ArtifactGeneratorList
 }
 func (h artifactGeneratorListAdapter) len() int {
 	return len(h.ArtifactGeneratorList.Items)
 }
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -97,7 +97,7 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller,source-watcher'")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the Flux controller images are published")
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -226,7 +226,7 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -243,7 +243,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Password = gitArgs.password
 		}
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
 		// This _might_ be overwritten later on by e.g. --ssh-hostname
--- a/cmd/flux/bootstrap_gitea.go
+++ b/cmd/flux/bootstrap_gitea.go
@@ -210,7 +210,7 @@ func bootstrapGiteaCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = gtToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -217,7 +217,7 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -42,7 +42,7 @@ import (
 var bootstrapGitLabCmd = &cobra.Command{
 	Use:   "gitlab",
 	Short: "Deploy Flux on a cluster connected to a GitLab repository",
-	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and
+	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exist and
 commits the Flux manifests to the specified branch.
 Then it configures the target cluster to synchronize with that repository.
 If the Flux components are present on the cluster,
@@ -257,10 +257,10 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else if gitlabArgs.deployTokenAuth {
 		// the actual deploy token will be reconciled later
-		secretOpts.CAFile = caBundle
+		secretOpts.CACrt = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
--- a/cmd/flux/build_artifact.go
+++ b/cmd/flux/build_artifact.go
@@ -26,15 +26,15 @@ import (
 	"github.com/spf13/cobra"
-	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/oci"
 	"github.com/fluxcd/pkg/sourceignore"
 )
 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
-	Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
+	Long: `The build artifact command creates a tgz file with the manifests
-from the given directory or a single manifest file.`),
+from the given directory or a single manifest file.`,
 	Example: `  # Build the given manifests directory into an artifact
  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@@ -53,7 +53,12 @@ flux build kustomization my-app --path ./path/to/local/manifests \
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
-	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"`,
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"
 # Run recursively on all encountered Kustomizations
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--recursive \
 	--local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
@@ -64,6 +69,8 @@ type buildKsFlags struct {
 	ignorePaths       []string
 	dryRun            bool
 	strictSubst       bool
 	recursive         bool
 	localSources      map[string]string
 }
 var buildKsArgs buildKsFlags
@@ -75,6 +82,8 @@ func init() {
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.strictSubst, "strict-substitute", false,
 		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	buildKsCmd.Flags().BoolVarP(&buildKsArgs.recursive, "recursive", "r", false, "Recursively build Kustomizations")
 	buildKsCmd.Flags().StringToStringVar(&buildKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
 	buildCmd.AddCommand(buildKsCmd)
 }
@@ -111,6 +120,8 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithNamespace(*kubeconfigArgs.Namespace),
 			build.WithIgnore(buildKsArgs.ignorePaths),
 			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 			build.WithRecursive(buildKsArgs.recursive),
 			build.WithLocalSources(buildKsArgs.localSources),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
@@ -119,6 +130,8 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithIgnore(buildKsArgs.ignorePaths),
 			build.WithStrictSubstitute(buildKsArgs.strictSubst),
 			build.WithRecursive(buildKsArgs.recursive),
 			build.WithLocalSources(buildKsArgs.localSources),
 		)
 	}
--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@@ -22,6 +22,7 @@ package main
 import (
 	"bytes"
 	"os"
 	"path/filepath"
 	"testing"
 	"text/template"
 )
@@ -69,6 +70,12 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
@@ -118,6 +125,8 @@ spec:
      cluster_region: "eu-central-1"
 `
 	tmpFile := filepath.Join(t.TempDir(), "podinfo.yaml")
 	tests := []struct {
 		name       string
 		args       string
@@ -132,28 +141,40 @@ spec:
 		},
 		{
 			name:       "build podinfo",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/podinfo",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo",
 			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build podinfo without service",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/delete-service",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/delete-service",
 			resultFile: "./testdata/build-kustomization/podinfo-without-service-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution in dry-run mode",
-			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution --dry-run",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/var-substitution --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build with recursive in dry-run mode",
 			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
@@ -161,8 +182,6 @@ spec:
 	}
 	setup(t, tmpl)
 	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
 	temp, err := template.New("podinfo").Parse(podinfo)
 	if err != nil {
 		t.Fatal(err)
@@ -174,11 +193,10 @@ spec:
 		t.Fatal(err)
 	}
-	err = os.WriteFile("./testdata/build-kustomization/podinfo.yaml", b.Bytes(), 0666)
+	err = os.WriteFile(tmpFile, b.Bytes(), 0666)
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(func() { _ = os.Remove("./testdata/build-kustomization/podinfo.yaml") })
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -60,7 +60,7 @@ type checkFlags struct {
 }
 var kubernetesConstraints = []string{
-	">=1.28.0-0",
+	">=1.32.0-0",
 }
 var checkArgs checkFlags
@@ -217,7 +217,7 @@ func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
 				}
 			}
 			for _, c := range d.Spec.Template.Spec.Containers {
-				logger.Actionf(c.Image)
+				logger.Actionf("%s", c.Image)
 			}
 		}
 	}
@@ -238,7 +238,7 @@ func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
 		for _, crd := range list.Items {
 			versions := crd.Status.StoredVersions
 			if len(versions) > 0 {
-				logger.Successf(crd.Name + "/" + versions[len(versions)-1])
+				logger.Successf("%s", crd.Name+"/"+versions[len(versions)-1])
 			} else {
 				ok = false
 				logger.Failuref("no stored versions for %s", crd.Name)
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -125,7 +125,7 @@ func (names apiType) upsertAndWait(object upsertWaitable, mutate func() error) e
 	logger.Generatef("generating %s", names.kind)
 	logger.Actionf("applying %s", names.kind)
-	namespacedName, err := imageRepositoryType.upsert(ctx, kubeClient, object, mutate)
+	namespacedName, err := names.upsert(ctx, kubeClient, object, mutate)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -37,7 +37,6 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -95,6 +94,13 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=HelmRepository/podinfo \
    --chart=podinfo
  # Create a HelmRelease with custom storage namespace for hub-and-spoke model
  flux create hr podinfo \
    --target-namespace=production \
    --storage-namespace=fluxcd-system \
    --source=HelmRepository/podinfo \
    --chart=podinfo
  # Create a HelmRelease using a source from a different namespace
  flux create hr podinfo \
    --namespace=default \
@@ -128,6 +134,7 @@ type helmReleaseFlags struct {
 	chartVersion        string
 	chartRef            string
 	targetNamespace     string
 	storageNamespace    string
 	createNamespace     bool
 	valuesFiles         []string
 	valuesFrom          []string
@@ -142,7 +149,7 @@ var helmReleaseArgs helmReleaseFlags
 var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
-var supportedHelmReleaseReferenceKinds = []string{sourcev1b2.OCIRepositoryKind, sourcev1.HelmChartKind}
+var supportedHelmReleaseReferenceKinds = []string{sourcev1.OCIRepositoryKind, sourcev1.HelmChartKind}
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
@@ -151,6 +158,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.storageNamespace, "storage-namespace", "", "namespace to store the Helm release, defaults to the target namespace")
 	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
@@ -166,6 +174,10 @@ func init() {
 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	if helmReleaseArgs.storageNamespace == "" && helmReleaseArgs.targetNamespace != "" {
 		helmReleaseArgs.storageNamespace = helmReleaseArgs.targetNamespace
 	}
 	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
 		return fmt.Errorf("chart or chart-ref is required")
 	}
@@ -192,15 +204,27 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		},
 		Spec: helmv2.HelmReleaseSpec{
 			ReleaseName: helmReleaseArgs.name,
 			DependsOn:   utils.MakeDependsOn(helmReleaseArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			TargetNamespace: helmReleaseArgs.targetNamespace,
+			TargetNamespace:  helmReleaseArgs.targetNamespace,
-			Suspend:         false,
+			StorageNamespace: helmReleaseArgs.storageNamespace,
 			Suspend:          false,
 		},
 	}
 	if len(helmReleaseArgs.dependsOn) > 0 {
 		ls := utils.MakeDependsOn(helmReleaseArgs.dependsOn)
 		hrDependsOn := make([]helmv2.DependencyReference, 0, len(ls))
 		for _, d := range ls {
 			hrDependsOn = append(hrDependsOn, helmv2.DependencyReference{
 				Name:      d.Name,
 				Namespace: d.Namespace,
 			})
 		}
 		helmRelease.Spec.DependsOn = hrDependsOn
 	}
 	switch {
 	case helmReleaseArgs.chart != "":
 		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
@@ -222,7 +246,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	case helmReleaseArgs.chartRef != "":
 		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
-		if kind != sourcev1.HelmChartKind && kind != sourcev1b2.OCIRepositoryKind {
+		if kind != sourcev1.HelmChartKind && kind != sourcev1.OCIRepositoryKind {
 			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
 				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
 		}
@@ -235,7 +259,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	if helmReleaseArgs.kubeConfigSecretRef != "" {
 		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: meta.SecretKeyReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: helmReleaseArgs.kubeConfigSecretRef,
 			},
 		}
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"regexp/syntax"
 	"strings"
 	"time"
 	"unicode"
 	"unicode/utf8"
@@ -28,18 +29,18 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
-	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
+	Long: `The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.
 The image that sorts highest according to the policy is recorded in
-the status of the object.`),
+the status of the object.`,
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
@@ -60,6 +61,8 @@ type imagePolicyFlags struct {
 	numeric       string
 	filterRegex   string
 	filterExtract string
 	reflectDigest string
 	interval      time.Duration
 }
 var imagePolicyArgs = imagePolicyFlags{}
@@ -72,16 +75,12 @@ func init() {
 	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
 	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
 	flags.StringVar(&imagePolicyArgs.reflectDigest, "reflect-digest", "", "the digest reflection policy to use when observing latest image tags (one of 'Never', 'IfNotPresent', 'Never')")
 	flags.DurationVar(&imagePolicyArgs.interval, "interval", 0, "the interval at which to check for new image digests when the policy is set to 'Always'")
 	createImageCmd.AddCommand(createImagePolicyCmd)
 }
 // getObservedGeneration is implemented here, since it's not
 // (presently) needed elsewhere.
 func (obj imagePolicyAdapter) getObservedGeneration() int64 {
 	return obj.ImagePolicy.Status.ObservedGeneration
 }
 func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	objectName := args[0]
@@ -153,6 +152,20 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
 	}
 	if p := imagev1.ReflectionPolicy(imagePolicyArgs.reflectDigest); p != "" {
 		if p != imagev1.ReflectNever && p != imagev1.ReflectIfNotPresent && p != imagev1.ReflectAlways {
 			return fmt.Errorf("invalid value for --reflect-digest, must be one of 'Never', 'IfNotPresent', 'Always'")
 		}
 		policy.Spec.DigestReflectionPolicy = p
 	}
 	if imagePolicyArgs.interval != 0 {
 		if imagePolicyArgs.reflectDigest != string(imagev1.ReflectAlways) {
 			return fmt.Errorf("the --interval flag can only be used with the 'Always' digest reflection policy, use --reflect-digest=Always")
 		}
 		policy.Spec.Interval = &metav1.Duration{Duration: imagePolicyArgs.interval}
 	}
 	if createArgs.export {
 		return printExport(exportImagePolicy(&policy))
 	}
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -26,14 +26,14 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
-	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
+	Long: `The create image repository command generates an ImageRepository resource.
-An ImageRepository object specifies an image repository to scan.`),
+An ImageRepository object specifies an image repository to scan.`,
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -22,16 +22,16 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
-	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
+	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
-mentioned in YAMLs in a git repository.`),
+mentioned in YAMLs in a git repository.`,
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -153,7 +153,6 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
 			DependsOn: utils.MakeDependsOn(kustomizationArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
@@ -169,9 +168,21 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 	if len(kustomizationArgs.dependsOn) > 0 {
 		ls := utils.MakeDependsOn(kustomizationArgs.dependsOn)
 		ksDependsOn := make([]kustomizev1.DependencyReference, 0, len(ls))
 		for _, d := range ls {
 			ksDependsOn = append(ksDependsOn, kustomizev1.DependencyReference{
 				Name:      d.Name,
 				Namespace: d.Namespace,
 			})
 		}
 		kustomization.Spec.DependsOn = ksDependsOn
 	}
 	if kustomizationArgs.kubeConfigSecretRef != "" {
 		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: meta.SecretKeyReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
 		}
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -87,7 +87,6 @@ type secretGitFlags struct {
 	keyAlgorithm   flags.PublicKeyAlgorithm
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
 	caFile         string
 	caCrtFile      string
 	privateKeyFile string
 	bearerToken    string
@@ -102,8 +101,7 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.keyAlgorithm, "ssh-key-algorithm", secretGitArgs.keyAlgorithm.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
-	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates; takes precedence over --ca-file")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
@@ -169,17 +167,12 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
 		} else if secretGitArgs.caFile != "" {
 			opts.CAFile, err = os.ReadFile(secretGitArgs.caFile)
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGit(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_github_app.go
+++ b/cmd/flux/create_secret_github_app.go
@@ -0,0 +1,128 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 )
 var createSecretGitHubAppCmd = &cobra.Command{
 	Use:   "githubapp [name]",
 	Short: "Create or update a github app secret",
 	Long:  withPreviewNote(`The create secret githubapp command generates a Kubernetes secret that can be used for GitRepository authentication with github app`),
 	Example: `  # Create a githubapp authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret githubapp podinfo-auth \
    --app-id="1" \
    --app-installation-id="2" \
    --app-private-key=./private-key-file.pem \
    --export > githubapp-auth.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place githubapp-auth.yaml
 	`,
 	RunE: createSecretGitHubAppCmdRun,
 }
 type secretGitHubAppFlags struct {
 	appID             string
 	appInstallationID string
 	privateKeyFile    string
 	baseURL           string
 }
 var secretGitHubAppArgs = secretGitHubAppFlags{}
 func init() {
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
 	createSecretCmd.AddCommand(createSecretGitHubAppCmd)
 }
 func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("name is required")
 	}
 	secretName := args[0]
 	if secretGitHubAppArgs.appID == "" {
 		return fmt.Errorf("--app-id is required")
 	}
 	if secretGitHubAppArgs.appInstallationID == "" {
 		return fmt.Errorf("--app-installation-id is required")
 	}
 	if secretGitHubAppArgs.privateKeyFile == "" {
 		return fmt.Errorf("--app-private-key is required")
 	}
 	privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
 	if err != nil {
 		return fmt.Errorf("unable to read private key file: %w", err)
 	}
 	opts := sourcesecret.Options{
 		Name:                    secretName,
 		Namespace:               *kubeconfigArgs.Namespace,
 		GitHubAppID:             secretGitHubAppArgs.appID,
 		GitHubAppInstallationID: secretGitHubAppArgs.appInstallationID,
 		GitHubAppPrivateKey:     string(privateKey),
 	}
 	if secretGitHubAppArgs.baseURL != "" {
 		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
 	}
 	secret, err := sourcesecret.GenerateGitHubApp(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("githubapp secret '%s' created in '%s' namespace", secretName, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_githubapp_test.go
+++ b/cmd/flux/create_secret_githubapp_test.go
@@ -0,0 +1,74 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateSecretGitHubApp(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "create githubapp secret with missing name",
 			args:   "create secret githubapp",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "create githubapp secret with missing app-id",
 			args:   "create secret githubapp appinfo",
 			assert: assertError("--app-id is required"),
 		},
 		{
 			name:   "create githubapp secret with missing appInstallationID",
 			args:   "create secret githubapp appinfo --app-id 1",
 			assert: assertError("--app-installation-id is required"),
 		},
 		{
 			name:   "create githubapp secret with missing private key file",
 			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2",
 			assert: assertError("--app-private-key is required"),
 		},
 		{
 			name:   "create githubapp secret with private key file that does not exist",
 			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
 			assert: assertError("unable to read private key file: open pk.pem: no such file or directory"),
 		},
 		{
 			name:   "create githubapp secret with app info",
 			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
 		},
 		{
 			name:   "create githubapp secret with appinfo and base url",
 			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --app-base-url www.example.com/api/v3 --export",
 			assert: assertGoldenFile("testdata/create_secret/githubapp/secret-with-baseurl.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -58,12 +58,9 @@ func init() {
 	flags := createSecretHelmCmd.Flags()
 	flags.StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
 	flags.StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
-
+	flags.StringVar(&secretHelmArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
-	initSecretDeprecatedTLSFlags(flags, &secretHelmArgs.secretTLSFlags)
+	flags.StringVar(&secretHelmArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
-	deprecationMsg := "please use the command `flux create secret tls` to generate TLS secrets"
+	flags.StringVar(&secretHelmArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 	flags.MarkDeprecated("cert-file", deprecationMsg)
 	flags.MarkDeprecated("key-file", deprecationMsg)
 	flags.MarkDeprecated("ca-file", deprecationMsg)
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
@@ -77,20 +74,22 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	caBundle := []byte{}
-	if secretHelmArgs.caFile != "" {
+	if secretHelmArgs.caCrtFile != "" {
 		var err error
-		caBundle, err = os.ReadFile(secretHelmArgs.caFile)
+		caBundle, err = os.ReadFile(secretHelmArgs.caCrtFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	var certFile, keyFile []byte
-	if secretHelmArgs.certFile != "" && secretHelmArgs.keyFile != "" {
+	if secretHelmArgs.tlsCrtFile != "" {
-		if certFile, err = os.ReadFile(secretHelmArgs.certFile); err != nil {
+		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
-		if keyFile, err = os.ReadFile(secretHelmArgs.keyFile); err != nil {
+	}
 	if secretHelmArgs.tlsKeyFile != "" {
 		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
@@ -101,11 +100,11 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		Labels:    labels,
 		Username:  secretHelmArgs.username,
 		Password:  secretHelmArgs.password,
-		CAFile:    caBundle,
+		CACrt:     caBundle,
-		CertFile:  certFile,
+		TLSCrt:    certFile,
-		KeyFile:   keyFile,
+		TLSKey:    keyFile,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateHelm(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_notation.go
+++ b/cmd/flux/create_secret_notation.go
@@ -132,7 +132,7 @@ func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
 		VerificationCrts: caCerts,
 		TrustPolicy:      policy,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateNotation(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_notation_test.go
+++ b/cmd/flux/create_secret_notation_test.go
@@ -84,7 +84,7 @@ func TestCreateNotationSecret(t *testing.T) {
 		{
 			name:   "invalid trust policy",
 			args:   fmt.Sprintf("create secret notation notation-config --ca-cert-file=%s --trust-policy-file=%s", t.TempDir(), invalidTrustPolicy),
-			assert: assertError("invalid trust policy: a trust policy statement is missing a name, every statement requires a name"),
+			assert: assertError("invalid trust policy: trust policy: a trust policy statement is missing a name, every statement requires a name"),
 		},
 		{
 			name:   "invalid trust policy json",
--- a/cmd/flux/create_secret_oci.go
+++ b/cmd/flux/create_secret_oci.go
@@ -92,7 +92,7 @@ func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretOCIArgs.username,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateOCI(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_proxy.go
+++ b/cmd/flux/create_secret_proxy.go
@@ -0,0 +1,112 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"errors"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretProxyCmd = &cobra.Command{
 	Use:   "proxy [name]",
 	Short: "Create or update a Kubernetes secret for proxy authentication",
 	Long: `The create secret proxy command generates a Kubernetes secret with the
 proxy address and the basic authentication credentials.`,
 	Example: ` # Create a proxy secret on disk and encrypt it with SOPS
  flux create secret proxy my-proxy \
    --namespace=my-namespace \
    --address=https://my-proxy.com \
    --username=my-username \
    --password=my-password \
    --export > proxy.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
    --in-place proxy.yaml`,
 	RunE: createSecretProxyCmdRun,
 }
 type secretProxyFlags struct {
 	address  string
 	username string
 	password string
 }
 var secretProxyArgs secretProxyFlags
 func init() {
 	createSecretProxyCmd.Flags().StringVar(&secretProxyArgs.address, "address", "", "proxy address")
 	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.username, "username", "u", "", "basic authentication username")
 	createSecretProxyCmd.Flags().StringVarP(&secretProxyArgs.password, "password", "p", "", "basic authentication password")
 	createSecretCmd.AddCommand(createSecretProxyCmd)
 }
 func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 	if secretProxyArgs.address == "" {
 		return errors.New("address is required")
 	}
 	opts := sourcesecret.Options{
 		Name:      name,
 		Namespace: *kubeconfigArgs.Namespace,
 		Labels:    labels,
 		Address:   secretProxyArgs.address,
 		Username:  secretProxyArgs.username,
 		Password:  secretProxyArgs.password,
 	}
 	secret, err := sourcesecret.GenerateProxy(opts)
 	if err != nil {
 		return err
 	}
 	if createArgs.export {
 		rootCmd.Println(secret.Content)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	var s corev1.Secret
 	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
 		return err
 	}
 	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("proxy secret '%s' created in '%s' namespace", name, *kubeconfigArgs.Namespace)
 	return nil
 }
--- a/cmd/flux/create_secret_proxy_test.go
+++ b/cmd/flux/create_secret_proxy_test.go
@@ -0,0 +1,47 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateProxySecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			args:   "create secret proxy proxy-secret",
 			assert: assertError("address is required"),
 		},
 		{
 			args:   "create secret proxy proxy-secret --address=https://my-proxy.com --username=my-username --password=my-password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/proxy/secret-proxy.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -22,7 +22,6 @@ import (
 	"os"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
@@ -33,8 +32,8 @@ import (
 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
-	Long:  withPreviewNote(`The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`),
+	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
-	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
+	Example: ` # Create a TLS secret on disk and encrypt it with SOPS.
  # Files are expected to be PEM-encoded.
  flux create secret tls certs \
    --namespace=my-namespace \
@@ -49,9 +48,6 @@ var createSecretTLSCmd = &cobra.Command{
 }
 type secretTLSFlags struct {
 	certFile   string
 	keyFile    string
 	caFile     string
 	caCrtFile  string
 	tlsKeyFile string
 	tlsCrtFile string
@@ -59,26 +55,10 @@ type secretTLSFlags struct {
 var secretTLSArgs secretTLSFlags
 func initSecretDeprecatedTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
 }
 func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 }
 func init() {
-	flags := createSecretTLSCmd.Flags()
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
-	initSecretDeprecatedTLSFlags(flags, &secretTLSArgs)
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
-	initSecretTLSFlags(flags, &secretTLSArgs)
+	createSecretTLSCmd.Flags().StringVar(&secretTLSArgs.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 	flags.MarkDeprecated("cert-file", "please use --tls-crt-file instead")
 	flags.MarkDeprecated("key-file", "please use --tls-key-file instead")
 	flags.MarkDeprecated("ca-file", "please use --ca-crt-file instead")
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
@@ -102,30 +82,20 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	} else if secretTLSArgs.caFile != "" {
 		opts.CAFile, err = os.ReadFile(secretTLSArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
-	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
+	if secretTLSArgs.tlsCrtFile != "" {
 		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 	}
 	if secretTLSArgs.tlsKeyFile != "" {
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	} else if secretTLSArgs.certFile != "" && secretTLSArgs.keyFile != "" {
 		if opts.CertFile, err = os.ReadFile(secretTLSArgs.certFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 		if opts.KeyFile, err = os.ReadFile(secretTLSArgs.keyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateTLS(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_tls_test.go
+++ b/cmd/flux/create_secret_tls_test.go
@@ -18,10 +18,6 @@ func TestCreateTlsSecret(t *testing.T) {
 			args:   "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
 		{
 			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --ca-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/deprecated-secret-tls.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/spf13/cobra"
@@ -32,7 +31,7 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -41,8 +40,8 @@ import (
 var createSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Create or update a Bucket source",
-	Long: withPreviewNote(`The create source bucket command generates a Bucket resource and waits for it to be downloaded.
+	Long: `The create source bucket command generates a Bucket resource and waits for it to be downloaded.
-For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`),
+For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`,
 	Example: `  # Create a source for a Bucket using static authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
@@ -63,15 +62,16 @@ For Buckets with static authentication, the credentials are stored in a Kubernet
 }
 type sourceBucketFlags struct {
-	name        string
+	name           string
-	provider    flags.SourceBucketProvider
+	provider       flags.SourceBucketProvider
-	endpoint    string
+	endpoint       string
-	accessKey   string
+	accessKey      string
-	secretKey   string
+	secretKey      string
-	region      string
+	region         string
-	insecure    bool
+	insecure       bool
-	secretRef   string
+	secretRef      string
-	ignorePaths []string
+	proxySecretRef string
 	ignorePaths    []string
 }
 var sourceBucketArgs = newSourceBucketFlags()
@@ -85,6 +85,7 @@ func init() {
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.region, "region", "", "the bucket region")
 	createSourceBucketCmd.Flags().BoolVar(&sourceBucketArgs.insecure, "insecure", false, "for when connecting to a non-TLS S3 HTTP endpoint")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.secretRef, "secret-ref", "", "the name of an existing secret containing credentials")
 	createSourceBucketCmd.Flags().StringVar(&sourceBucketArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceBucketCmd.Flags().StringSliceVar(&sourceBucketArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in bucket resource (can specify multiple paths with commas: path1,path2)")
 	createSourceCmd.AddCommand(createSourceBucketCmd)
@@ -92,7 +93,7 @@ func init() {
 func newSourceBucketFlags() sourceBucketFlags {
 	return sourceBucketFlags{
-		provider: flags.SourceBucketProvider(sourcev1.GenericBucketProvider),
+		provider: flags.SourceBucketProvider(sourcev1.BucketProviderGeneric),
 	}
 }
@@ -112,12 +113,6 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	var ignorePaths *string
 	if len(sourceBucketArgs.ignorePaths) > 0 {
 		ignorePathsStr := strings.Join(sourceBucketArgs.ignorePaths, "\n")
@@ -153,6 +148,12 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if sourceBucketArgs.proxySecretRef != "" {
 		bucket.Spec.ProxySecretRef = &meta.LocalObjectReference{
 			Name: sourceBucketArgs.proxySecretRef,
 		}
 	}
 	if createArgs.export {
 		return printExport(exportBucket(bucket))
 	}
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -44,23 +44,26 @@ import (
 )
 type sourceGitFlags struct {
-	url               string
+	url                 string
-	branch            string
+	branch              string
-	tag               string
+	tag                 string
-	semver            string
+	semver              string
-	refName           string
+	refName             string
-	commit            string
+	commit              string
-	username          string
+	username            string
-	password          string
+	password            string
-	keyAlgorithm      flags.PublicKeyAlgorithm
+	keyAlgorithm        flags.PublicKeyAlgorithm
-	keyRSABits        flags.RSAKeyBits
+	keyRSABits          flags.RSAKeyBits
-	keyECDSACurve     flags.ECDSACurve
+	keyECDSACurve       flags.ECDSACurve
-	secretRef         string
+	secretRef           string
-	caFile            string
+	proxySecretRef      string
-	privateKeyFile    string
+	provider            flags.SourceGitProvider
-	recurseSubmodules bool
+	caFile              string
-	silent            bool
+	privateKeyFile      string
-	ignorePaths       []string
+	recurseSubmodules   bool
 	silent              bool
 	ignorePaths         []string
 	sparseCheckoutPaths []string
 }
 var createSourceGitCmd = &cobra.Command{
@@ -119,7 +122,13 @@ For private Git repositories, the basic authentication credentials are stored in
    --url=https://github.com/stefanprodan/podinfo \
    --branch=master \
    --username=username \
-    --password=password`,
+    --password=password
  # Create a source for a Git repository using azure provider
  flux create source git podinfo \
    --url=https://dev.azure.com/foo/bar/_git/podinfo \
    --branch=master \
    --provider=azure`,
 	RunE: createSourceGitCmdRun,
 }
@@ -130,20 +139,23 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", " git reference name")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyRSABits, "ssh-rsa-bits", sourceGitArgs.keyRSABits.Description())
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyECDSACurve, "ssh-ecdsa-curve", sourceGitArgs.keyECDSACurve.Description())
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.secretRef, "secret-ref", "", "the name of an existing secret containing SSH or basic credentials or github app authentication")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.provider, "provider", sourceGitArgs.provider.Description())
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSourceGitCmd.Flags().BoolVar(&sourceGitArgs.recurseSubmodules, "recurse-submodules", false,
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.sparseCheckoutPaths, "sparse-checkout-paths", nil, "set paths to sparse checkout in git resource (can specify multiple paths with commas: path1,path2)")
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -179,12 +191,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
 	}
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
@@ -210,6 +216,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			Ignore:            ignorePaths,
 			SparseCheckout:    sourceGitArgs.sparseCheckoutPaths,
 		},
 	}
@@ -236,6 +243,16 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if sourceGitArgs.proxySecretRef != "" {
 		gitRepository.Spec.ProxySecretRef = &meta.LocalObjectReference{
 			Name: sourceGitArgs.proxySecretRef,
 		}
 	}
 	if provider := sourceGitArgs.provider.String(); provider != "" {
 		gitRepository.Spec.Provider = provider
 	}
 	if createArgs.export {
 		return printExport(exportGit(&gitRepository))
 	}
@@ -273,7 +290,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 				if err != nil {
 					return fmt.Errorf("unable to read TLS CA file: %w", err)
 				}
-				secretOpts.CAFile = caBundle
+				secretOpts.CACrt = caBundle
 			}
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
@@ -282,7 +299,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateGit(secretOpts)
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@@ -87,7 +87,7 @@ func (r *reconciler) conditionFunc() (bool, error) {
 }
 func TestCreateSourceGitExport(t *testing.T) {
-	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --sparse-checkout-paths .cosign,non-existent-dir/ --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
 	cases := []struct {
 		name   string
@@ -101,7 +101,7 @@ func TestCreateSourceGitExport(t *testing.T) {
 		},
 		{
 			name:   "no args",
-			args:   "create secret git",
+			args:   "create source git --url=https://github.com/stefanprodan/podinfo",
 			assert: assertError("name is required"),
 		},
 		{
@@ -134,6 +134,36 @@ func TestCreateSourceGitExport(t *testing.T) {
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-branch.yaml"),
 		},
 		{
 			name:   "source with generic provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider generic --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-generic.yaml"),
 		},
 		{
 			name:   "source with azure provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider azure --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-azure.yaml"),
 		},
 		{
 			name:   "source with github provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --provider github --branch=test --interval=1m0s --secret-ref appinfo --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-provider-github.yaml"),
 		},
 		{
 			name:   "source with invalid provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider dummy --branch=test --interval=1m0s --export",
 			assert: assertError("invalid argument \"dummy\" for \"--provider\" flag: source Git provider 'dummy' is not supported, must be one of: generic|azure|github"),
 		},
 		{
 			name:   "source with empty provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --provider \"\" --branch=test --interval=1m0s --export",
 			assert: assertError("invalid argument \"\" for \"--provider\" flag: no source Git provider given, please specify the Git provider name"),
 		},
 		{
 			name:   "source with no provider",
 			args:   "create source git podinfo --namespace=flux-system --url=https://dev.azure.com/foo/bar/_git/podinfo --branch=test --interval=1m0s --export --provider",
 			assert: assertError("flag needs an argument: --provider"),
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -174,12 +204,13 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
-				repo.Status.Artifact = &sourcev1.Artifact{
+				repo.Status.Artifact = &meta.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
 					LastUpdateTime: metav1.Time{
 						Time: time.Now(),
 					},
 					Digest: "sha256:1234567890abcdef",
 				}
 				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -114,12 +114,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	tmpDir, err := os.MkdirTemp("", name)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tmpDir)
 	if _, err := url.Parse(sourceHelmArgs.url); err != nil {
 		return fmt.Errorf("url parse failed: %w", err)
 	}
@@ -197,12 +191,12 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			Namespace:    *kubeconfigArgs.Namespace,
 			Username:     sourceHelmArgs.username,
 			Password:     sourceHelmArgs.password,
-			CAFile:       caBundle,
+			CACrt:        caBundle,
-			CertFile:     certFile,
+			TLSCrt:       certFile,
-			KeyFile:      keyFile,
+			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateHelm(secretOpts)
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@@ -29,9 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -65,6 +63,7 @@ type sourceOCIRepositoryFlags struct {
 	semver           string
 	digest           string
 	secretRef        string
 	proxySecretRef   string
 	serviceAccount   string
 	certSecretRef    string
 	verifyProvider   flags.SourceOCIVerifyProvider
@@ -80,7 +79,7 @@ var sourceOCIRepositoryArgs = newSourceOCIFlags()
 func newSourceOCIFlags() sourceOCIRepositoryFlags {
 	return sourceOCIRepositoryFlags{
-		provider: flags.SourceOCIProvider(sourcev1b2.GenericOCIProvider),
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
 	}
 }
@@ -91,6 +90,7 @@ func init() {
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.semver, "tag-semver", "", "the OCI artifact tag semver range")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.digest, "digest", "", "the OCI artifact digest")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.proxySecretRef, "proxy-secret-ref", "", "the name of an existing secret containing the proxy address and credentials")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
 	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
@@ -125,20 +125,20 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		ignorePaths = &ignorePathsStr
 	}
-	repository := &sourcev1b2.OCIRepository{
+	repository := &sourcev1.OCIRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: sourcev1b2.OCIRepositorySpec{
+		Spec: sourcev1.OCIRepositorySpec{
 			Provider: sourceOCIRepositoryArgs.provider.String(),
 			URL:      sourceOCIRepositoryArgs.url,
 			Insecure: sourceOCIRepositoryArgs.insecure,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			Reference: &sourcev1b2.OCIRepositoryRef{},
+			Reference: &sourcev1.OCIRepositoryRef{},
 			Ignore:    ignorePaths,
 		},
 	}
@@ -167,6 +167,12 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if secretName := sourceOCIRepositoryArgs.proxySecretRef; secretName != "" {
 		repository.Spec.ProxySecretRef = &meta.LocalObjectReference{
 			Name: secretName,
 		}
 	}
 	if secretName := sourceOCIRepositoryArgs.certSecretRef; secretName != "" {
 		repository.Spec.CertSecretRef = &meta.LocalObjectReference{
 			Name: secretName,
@@ -229,13 +235,13 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 }
 func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
-	ociRepository *sourcev1b2.OCIRepository) (types.NamespacedName, error) {
+	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: ociRepository.GetNamespace(),
 		Name:      ociRepository.GetName(),
 	}
-	var existing sourcev1b2.OCIRepository
+	var existing sourcev1.OCIRepository
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -21,7 +21,6 @@ import (
 	"context"
 	"fmt"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -32,6 +31,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createTenantCmd = &cobra.Command{
@@ -59,6 +60,7 @@ const (
 type tenantFlags struct {
 	namespaces  []string
 	clusterRole string
 	account     string
 }
 var tenantArgs tenantFlags
@@ -66,6 +68,7 @@ var tenantArgs tenantFlags
 func init() {
 	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
 	createCmd.AddCommand(createTenantCmd)
 }
@@ -107,9 +110,17 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		namespaces = append(namespaces, namespace)
 		accountName := tenant
 		if tenantArgs.account != "" {
 			accountName = tenantArgs.account
 		}
 		if err := validation.IsQualifiedName(accountName); len(err) > 0 {
 			return fmt.Errorf("invalid service-account name '%s': %v", accountName, err)
 		}
 		account := corev1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenant,
+				Name:      accountName,
 				Namespace: ns,
 				Labels:    objLabels,
 			},
@@ -131,7 +142,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 				},
 				{
 					Kind:      "ServiceAccount",
-					Name:      tenant,
+					Name:      accountName,
 					Namespace: ns,
 				},
 			},
@@ -282,10 +293,10 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+
 	printlnStdout("---")
 	printlnStdout(resourceToString(data))
 	account.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
@@ -295,10 +306,10 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	if err != nil {
 		return err
 	}
 	fmt.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+
 	printlnStdout("---")
 	printlnStdout(resourceToString(data))
 	roleBinding.TypeMeta = metav1.TypeMeta{
 		APIVersion: "rbac.authorization.k8s.io/v1",
@@ -309,8 +320,8 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}
-	fmt.Println("---")
+	printlnStdout("---")
-	fmt.Println(resourceToString(data))
+	printlnStdout(resourceToString(data))
 	return nil
 }
--- a/cmd/flux/create_tenant_test.go
+++ b/cmd/flux/create_tenant_test.go
@@ -0,0 +1,68 @@
 //go:build e2e
 // +build e2e
 /*
 Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestCreateTenant(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "no args",
 			args:   "create tenant",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "no namespace",
 			args:   "create tenant dev-team --cluster-role=cluster-admin",
 			assert: assertError("with-namespace is required"),
 		},
 		{
 			name:   "basic tenant",
 			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --export",
 			assert: assertGoldenFile("./testdata/create_tenant/tenant-basic.yaml"),
 		},
 		{
 			name:   "tenant with custom serviceaccount",
 			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --with-service-account=flux-tenant --export",
 			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-service-account.yaml"),
 		},
 		{
 			name:   "tenant with custom cluster role",
 			args:   "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
 			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/debug.go
+++ b/cmd/flux/debug.go
@@ -0,0 +1,31 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 )
 var debugCmd = &cobra.Command{
 	Use:   "debug",
 	Short: "Debug a flux resource",
 	Long:  `The debug command can be used to troubleshoot failing resource reconciliations.`,
 }
 func init() {
 	rootCmd.AddCommand(debugCmd)
 }
--- a/cmd/flux/debug_helmrelease.go
+++ b/cmd/flux/debug_helmrelease.go
@@ -0,0 +1,142 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/chartutil"
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var debugHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Debug a HelmRelease resource",
 	Long: withPreviewNote(`The debug helmrelease command can be used to troubleshoot failing Helm release reconciliations.
 WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the HelmRelease .spec.valuesFrom field.`),
 	Example: `  # Print the status of a Helm release
  flux debug hr podinfo --show-status
  # Export the final values of a Helm release composed from referred ConfigMaps and Secrets
  flux debug hr podinfo --show-values > values.yaml
  # Print the reconciliation history of a Helm release
  flux debug hr podinfo --show-history`,
 	RunE:              debugHelmReleaseCmdRun,
 	Args:              cobra.ExactArgs(1),
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
 }
 type debugHelmReleaseFlags struct {
 	showStatus  bool
 	showValues  bool
 	showHistory bool
 }
 var debugHelmReleaseArgs debugHelmReleaseFlags
 func init() {
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showStatus, "show-status", false, "print the status of the Helm release")
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showValues, "show-values", false, "print the final values of the Helm release")
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showHistory, "show-history", false, "print the reconciliation history of the Helm release")
 	debugCmd.AddCommand(debugHelmReleaseCmd)
 }
 func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	flagsSet := 0
 	if debugHelmReleaseArgs.showStatus {
 		flagsSet++
 	}
 	if debugHelmReleaseArgs.showValues {
 		flagsSet++
 	}
 	if debugHelmReleaseArgs.showHistory {
 		flagsSet++
 	}
 	if flagsSet != 1 {
 		return fmt.Errorf("exactly one of --show-status, --show-values, or --show-history must be set")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	hr := &helmv2.HelmRelease{}
 	hrName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
 	if err := kubeClient.Get(ctx, hrName, hr); err != nil {
 		return err
 	}
 	if debugHelmReleaseArgs.showStatus {
 		status, err := yaml.Marshal(hr.Status)
 		if err != nil {
 			return err
 		}
 		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/helm/helmreleases/#helmrelease-status")
 		rootCmd.Print(string(status))
 		return nil
 	}
 	if debugHelmReleaseArgs.showValues {
 		finalValues, err := chartutil.ChartValuesFromReferences(ctx,
 			logr.Discard(),
 			kubeClient,
 			hr.GetNamespace(),
 			hr.GetValues(),
 			hr.Spec.ValuesFrom...)
 		if err != nil {
 			return err
 		}
 		values, err := yaml.Marshal(finalValues)
 		if err != nil {
 			return err
 		}
 		rootCmd.Print(string(values))
 	}
 	if debugHelmReleaseArgs.showHistory {
 		if len(hr.Status.History) == 0 {
 			hr.Status.History = helmv2.Snapshots{}
 		}
 		history, err := yaml.Marshal(hr.Status.History)
 		if err != nil {
 			return err
 		}
 		rootCmd.Println("# History documentation: https://fluxcd.io/flux/components/helm/helmreleases/#history")
 		rootCmd.Print(string(history))
 		return nil
 	}
 	return nil
 }
--- a/cmd/flux/debug_helmrelease_test.go
+++ b/cmd/flux/debug_helmrelease_test.go
@@ -0,0 +1,83 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestDebugHelmRelease(t *testing.T) {
 	namespace := allocateNamespace("debug")
 	objectFile := "testdata/debug_helmrelease/objects.yaml"
 	tmpl := map[string]string{
 		"fluxns": namespace,
 	}
 	testEnv.CreateObjectFile(objectFile, tmpl, t)
 	cases := []struct {
 		name       string
 		arg        string
 		goldenFile string
 		tmpl       map[string]string
 	}{
 		{
 			"debug status",
 			"debug helmrelease test-values-inline --show-status --show-values=false",
 			"testdata/debug_helmrelease/status.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug values",
 			"debug helmrelease test-values-inline --show-values --show-status=false",
 			"testdata/debug_helmrelease/values-inline.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug values from",
 			"debug helmrelease test-values-from --show-values --show-status=false",
 			"testdata/debug_helmrelease/values-from.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug history",
 			"debug helmrelease test-with-history --show-history --show-status=false",
 			"testdata/debug_helmrelease/history.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug history empty",
 			"debug helmrelease test-values-inline --show-history --show-status=false",
 			"testdata/debug_helmrelease/history-empty.golden.yaml",
 			tmpl,
 		},
 	}
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.arg + " -n=" + namespace,
 				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/debug_kustomization.go
+++ b/cmd/flux/debug_kustomization.go
@@ -0,0 +1,164 @@
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"sort"
 	"strings"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/kustomize"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var debugKustomizationCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Debug a Flux Kustomization resource",
 	Long: withPreviewNote(`The debug kustomization command can be used to troubleshoot failing Flux Kustomization reconciliations.
 WARNING: This command will print sensitive information if Kubernetes Secrets are referenced in the Kustomization .spec.postBuild.substituteFrom field.`),
 	Example: `  # Print the status of a Flux Kustomization
  flux debug ks podinfo --show-status
  # Export the final variables used for post-build substitutions composed from referred ConfigMaps and Secrets
  flux debug ks podinfo --show-vars > vars.env
  # Print the reconciliation history of a Flux Kustomization
  flux debug ks podinfo --show-history`,
 	RunE:              debugKustomizationCmdRun,
 	Args:              cobra.ExactArgs(1),
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 }
 type debugKustomizationFlags struct {
 	showStatus  bool
 	showVars    bool
 	showHistory bool
 }
 var debugKustomizationArgs debugKustomizationFlags
 func init() {
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showStatus, "show-status", false, "print the status of the Flux Kustomization")
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showVars, "show-vars", false, "print the final vars of the Flux Kustomization in dot env format")
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showHistory, "show-history", false, "print the reconciliation history of the Flux Kustomization")
 	debugCmd.AddCommand(debugKustomizationCmd)
 }
 func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 	flagsSet := 0
 	if debugKustomizationArgs.showStatus {
 		flagsSet++
 	}
 	if debugKustomizationArgs.showVars {
 		flagsSet++
 	}
 	if debugKustomizationArgs.showHistory {
 		flagsSet++
 	}
 	if flagsSet != 1 {
 		return fmt.Errorf("exactly one of --show-status, --show-vars, or --show-history must be set")
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	kubeClient, err := utils.KubeClient(kubeconfigArgs, kubeclientOptions)
 	if err != nil {
 		return err
 	}
 	ks := &kustomizev1.Kustomization{}
 	ksName := types.NamespacedName{Namespace: *kubeconfigArgs.Namespace, Name: name}
 	if err := kubeClient.Get(ctx, ksName, ks); err != nil {
 		return err
 	}
 	if debugKustomizationArgs.showStatus {
 		status, err := yaml.Marshal(ks.Status)
 		if err != nil {
 			return err
 		}
 		rootCmd.Println("# Status documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#kustomization-status")
 		rootCmd.Print(string(status))
 		return nil
 	}
 	if debugKustomizationArgs.showVars {
 		if ks.Spec.PostBuild == nil {
 			return errors.New("no post build substitutions found")
 		}
 		ksObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(ks)
 		if err != nil {
 			return err
 		}
 		finalVars, err := kustomize.LoadVariables(ctx, kubeClient, unstructured.Unstructured{Object: ksObj})
 		if err != nil {
 			return err
 		}
 		if len(ks.Spec.PostBuild.Substitute) > 0 {
 			for k, v := range ks.Spec.PostBuild.Substitute {
 				// Remove new lines from the values as they are not supported.
 				// Replicates the controller behavior from
 				// https://github.com/fluxcd/pkg/blob/main/kustomize/kustomize_varsub.go
 				finalVars[k] = strings.ReplaceAll(v, "\n", "")
 			}
 		}
 		keys := make([]string, 0, len(finalVars))
 		for k := range finalVars {
 			keys = append(keys, k)
 		}
 		sort.Strings(keys)
 		for _, k := range keys {
 			rootCmd.Println(k + "=" + finalVars[k])
 		}
 	}
 	if debugKustomizationArgs.showHistory {
 		if len(ks.Status.History) == 0 {
 			ks.Status.History = meta.History{}
 		}
 		history, err := yaml.Marshal(ks.Status.History)
 		if err != nil {
 			return err
 		}
 		rootCmd.Println("# History documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#history")
 		rootCmd.Print(string(history))
 		return nil
 	}
 	return nil
 }
--- a/cmd/flux/debug_kustomization_test.go
+++ b/cmd/flux/debug_kustomization_test.go
@@ -0,0 +1,82 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"testing"
 )
 func TestDebugKustomization(t *testing.T) {
 	namespace := allocateNamespace("debug")
 	objectFile := "testdata/debug_kustomization/objects.yaml"
 	tmpl := map[string]string{
 		"fluxns": namespace,
 	}
 	testEnv.CreateObjectFile(objectFile, tmpl, t)
 	cases := []struct {
 		name       string
 		arg        string
 		goldenFile string
 		tmpl       map[string]string
 	}{
 		{
 			"debug status",
 			"debug ks test --show-status --show-vars=false",
 			"testdata/debug_kustomization/status.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug vars",
 			"debug ks test --show-vars --show-status=false",
 			"testdata/debug_kustomization/vars.golden.env",
 			tmpl,
 		},
 		{
 			"debug vars from",
 			"debug ks test-from --show-vars --show-status=false",
 			"testdata/debug_kustomization/vars-from.golden.env",
 			tmpl,
 		}, {
 			"debug history",
 			"debug ks test-with-history --show-history --show-status=false",
 			"testdata/debug_kustomization/history.golden.yaml",
 			tmpl,
 		},
 		{
 			"debug history empty",
 			"debug ks test --show-history --show-status=false",
 			"testdata/debug_kustomization/history-empty.golden.yaml",
 			tmpl,
 		},
 	}
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.arg + " -n=" + namespace,
 				assert: assertGoldenTemplateFile(tt.goldenFile, tmpl),
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var deleteImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  withPreviewNote(`The delete image policy command deletes the given ImagePolicy from the cluster.`),
+	Long:  `The delete image policy command deletes the given ImagePolicy from the cluster.`,
 	Example: `  # Delete an image policy
  flux delete image policy alpine3.x`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var deleteImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  withPreviewNote("The delete image repository command deletes the given ImageRepository from the cluster."),
+	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
 	Example: `  # Delete an image repository
  flux delete image repository alpine`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )
 var deleteImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  withPreviewNote(`The delete image update command deletes the given ImageUpdateAutomation from the cluster.`),
+	Long:  `The delete image update command deletes the given ImageUpdateAutomation from the cluster.`,
 	Example: `  # Delete an image update automation
  flux delete image update latest-images`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
--- a/cmd/flux/delete_source_bucket.go
+++ b/cmd/flux/delete_source_bucket.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var deleteSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Delete a Bucket source",
-	Long:  withPreviewNote("The delete source bucket command deletes the given Bucket from the cluster."),
+	Long:  "The delete source bucket command deletes the given Bucket from the cluster.",
 	Example: `  # Delete a Bucket source
  flux delete source bucket podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
--- a/cmd/flux/delete_source_chart.go
+++ b/cmd/flux/delete_source_chart.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var deleteSourceChartCmd = &cobra.Command{
--- a/cmd/flux/delete_source_oci.go
+++ b/cmd/flux/delete_source_oci.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var deleteSourceOCIRepositoryCmd = &cobra.Command{
--- a/cmd/flux/diff_artifact.go
+++ b/cmd/flux/diff_artifact.go
@@ -21,8 +21,9 @@ import (
 	"fmt"
 	"os"
-	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/oci"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
@@ -31,7 +32,7 @@ import (
 var diffArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Diff Artifact",
-	Long:  withPreviewNote(`The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`),
+	Long:  `The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`,
 	Example: `# Check if local files differ from remote
 flux diff artifact oci://ghcr.io/stefanprodan/manifests:podinfo:6.2.0 --path=./kustomize`,
 	RunE: diffArtifactCmdRun,
@@ -42,6 +43,7 @@ type diffArtifactFlags struct {
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
 	insecure    bool
 }
 var diffArtifactArgs = newDiffArtifactArgs()
@@ -57,6 +59,7 @@ func init() {
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	diffArtifactCmd.Flags().Var(&diffArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	diffArtifactCmd.Flags().StringSliceVar(&diffArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
 	diffArtifactCmd.Flags().BoolVar(&diffArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifact to be pulled without TLS")
 	diffCmd.AddCommand(diffArtifactCmd)
 }
@@ -82,7 +85,22 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	ociClient := oci.NewClient(oci.DefaultOptions())
+	opts := oci.DefaultOptions()
 	if diffArtifactArgs.insecure {
 		opts = append(opts, crane.Insecure)
 	}
 	if diffArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
 		opt, err := loginWithProvider(ctx, url, diffArtifactArgs.provider.String())
 		if err != nil {
 			return fmt.Errorf("error during login with provider: %w", err)
 		}
 		opts = append(opts, opt)
 	}
 	ociClient := oci.NewClient(opts)
 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
@@ -91,18 +109,6 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if diffArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
 		ociProvider, err := diffArtifactArgs.provider.ToOCIProvider()
 		if err != nil {
 			return fmt.Errorf("provider not supported: %w", err)
 		}
 		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
 			return fmt.Errorf("error during login with provider: %w", err)
 		}
 	}
 	if err := ociClient.Diff(ctx, url, diffArtifactArgs.path, diffArtifactArgs.ignorePaths); err != nil {
 		return err
 	}
--- a/cmd/flux/diff_artifact_test.go
+++ b/cmd/flux/diff_artifact_test.go
@@ -96,7 +96,7 @@ func TestDiffArtifact(t *testing.T) {
 			tt.url = fmt.Sprintf(tt.url, dockerReg)
 			_, err := executeCommand("push artifact " + tt.url + " --path=" + tt.pushFile + " --source=test --revision=test")
 			if err != nil {
-				t.Fatalf(fmt.Errorf("failed to push image: %w", err).Error())
+				t.Fatal(fmt.Errorf("failed to push image: %w", err).Error())
 			}
 			cmd := cmdTestCase{
--- a/cmd/flux/diff_kustomization.go
+++ b/cmd/flux/diff_kustomization.go
@@ -44,7 +44,12 @@ flux diff kustomization my-app --path ./path/to/local/manifests \
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux diff kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
-	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"`,
+	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"
 # Run recursively on all encountered Kustomizations
 flux diff kustomization my-app --path ./path/to/local/manifests \
    --recursive \
    --local-sources GitRepository/flux-system/my-repo=./path/to/local/git`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              diffKsCmdRun,
 }
@@ -55,6 +60,8 @@ type diffKsFlags struct {
 	ignorePaths       []string
 	progressBar       bool
 	strictSubst       bool
 	recursive         bool
 	localSources      map[string]string
 }
 var diffKsArgs diffKsFlags
@@ -66,6 +73,8 @@ func init() {
 	diffKsCmd.Flags().StringVar(&diffKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	diffKsCmd.Flags().BoolVar(&diffKsArgs.strictSubst, "strict-substitute", false,
 		"When enabled, the post build substitutions will fail if a var without a default value is declared in files but is missing from the input vars.")
 	diffKsCmd.Flags().BoolVarP(&diffKsArgs.recursive, "recursive", "r", false, "Recursively diff Kustomizations")
 	diffKsCmd.Flags().StringToStringVar(&diffKsArgs.localSources, "local-sources", nil, "Comma-separated list of repositories in format: Kind/namespace/name=path")
 	diffCmd.AddCommand(diffKsCmd)
 }
@@ -101,6 +110,9 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithProgressBar(),
 			build.WithIgnore(diffKsArgs.ignorePaths),
 			build.WithStrictSubstitute(diffKsArgs.strictSubst),
 			build.WithRecursive(diffKsArgs.recursive),
 			build.WithLocalSources(diffKsArgs.localSources),
 			build.WithSingleKustomization(),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, diffKsArgs.path,
@@ -109,6 +121,9 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
 			build.WithIgnore(diffKsArgs.ignorePaths),
 			build.WithStrictSubstitute(diffKsArgs.strictSubst),
 			build.WithRecursive(diffKsArgs.recursive),
 			build.WithLocalSources(diffKsArgs.localSources),
 			build.WithSingleKustomization(),
 		)
 	}
@@ -138,6 +153,12 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 	select {
 	case <-sigc:
 		if diffKsArgs.progressBar {
 			err := builder.StopSpinner()
 			if err != nil {
 				return err
 			}
 		}
 		fmt.Println("Build cancelled... exiting.")
 		return builder.Cancel()
 	case err := <-errChan:
--- a/cmd/flux/diff_kustomization_test.go
+++ b/cmd/flux/diff_kustomization_test.go
@@ -27,6 +27,7 @@ import (
 	"github.com/fluxcd/flux2/v2/internal/build"
 	"github.com/fluxcd/pkg/ssa"
 	"github.com/fluxcd/pkg/ssa/normalize"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -97,6 +98,12 @@ func TestDiffKustomization(t *testing.T) {
 			objectFile: "",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
 		},
 		{
 			name:       "diff with recursive",
 			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo-with-my-app --progress-bar=false --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization",
 			objectFile: "./testdata/diff-kustomization/my-app.yaml",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-recursive.golden"),
 		},
 	}
 	tmpl := map[string]string{
@@ -145,7 +152,7 @@ func createObjectFromFile(objectFile string, templateValues map[string]string, t
 		t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
 	}
-	if err := ssa.SetNativeKindsDefaults(clientObjects); err != nil {
+	if err := normalize.UnstructuredList(clientObjects); err != nil {
 		t.Fatalf("Error setting native kinds defaults for '%s': %v", objectFile, err)
 	}
--- a/cmd/flux/events.go
+++ b/cmd/flux/events.go
@@ -20,7 +20,6 @@ package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"sort"
 	"strings"
 	"time"
@@ -40,13 +39,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@@ -113,7 +112,12 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	var diffRefNs bool
-	clientListOpts := []client.ListOption{client.InNamespace(*kubeconfigArgs.Namespace)}
+	// Build the base list options. When --all-namespaces is set we must NOT constrain the
 	// query to a single namespace, otherwise we silently return a partial result set.
 	clientListOpts := []client.ListOption{}
 	if !eventArgs.allNamespaces {
 		clientListOpts = append(clientListOpts, client.InNamespace(*kubeconfigArgs.Namespace))
 	}
 	var refListOpts [][]client.ListOption
 	if eventArgs.forSelector != "" {
 		kind, name := getKindNameFromSelector(eventArgs.forSelector)
@@ -247,7 +251,7 @@ func eventsCmdWatchRun(ctx context.Context, kubeclient client.WithWatch, listOpt
 			hdr = getHeaders(showNs)
 			firstIteration = false
 		}
-		return printers.TablePrinter(hdr).Print(os.Stdout, [][]string{rows})
+		return printers.TablePrinter(hdr).Print(rootCmd.OutOrStdout(), [][]string{rows})
 	}
 	for _, refOpts := range refListOpts {
@@ -446,11 +450,12 @@ var fluxKindMap = refMap{
 		field:           []string{"spec", "sourceRef"},
 	},
 	sourcev1.GitRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)},
-	sourcev1b2.OCIRepositoryKind:     {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.OCIRepositoryKind)},
+	sourcev1.OCIRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)},
-	sourcev1b2.BucketKind:            {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.BucketKind)},
+	sourcev1.BucketKind:              {gvk: sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)},
 	sourcev1.HelmRepositoryKind:      {gvk: sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)},
 	autov1.ImageUpdateAutomationKind: {gvk: autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)},
 	imagev1.ImageRepositoryKind:      {gvk: imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)},
 	swapi.ArtifactGeneratorKind:      {gvk: swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)},
 }
 func ignoreEvent(e corev1.Event) bool {
--- a/cmd/flux/events_test.go
+++ b/cmd/flux/events_test.go
@@ -140,7 +140,7 @@ spec:
  address: https://hooks.slack.com/services/mock
  type: slack
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImagePolicy
 metadata:
  name: podinfo
--- a/cmd/flux/export.go
+++ b/cmd/flux/export.go
@@ -109,13 +109,13 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	return nil
 }
-func printExport(export interface{}) error {
+func printExport(export any) error {
 	data, err := yaml.Marshal(export)
 	if err != nil {
 		return err
 	}
-	rootCmd.Println("---")
+	printlnStdout("---")
-	rootCmd.Println(resourceToString(data))
+	printlnStdout(resourceToString(data))
 	return nil
 }
--- a/cmd/flux/export_artifact.go
+++ b/cmd/flux/export_artifact.go
@@ -0,0 +1,31 @@
 /*
 Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 )
 var exportArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Export artifact objects",
 	Long:  `The export artifact sub-commands export artifacts objects in YAML format.`,
 }
 func init() {
 	exportCmd.AddCommand(exportArtifactCmd)
 }
--- a/cmd/flux/export_artifact_generator.go
+++ b/cmd/flux/export_artifact_generator.go
@@ -0,0 +1,72 @@
 /*
 Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
 )
 var exportArtifactGeneratorCmd = &cobra.Command{
 	Use:   "generator [name]",
 	Short: "Export ArtifactGenerator resources in YAML format",
 	Long:  "The export artifact generator command exports one or all ArtifactGenerator resources in YAML format.",
 	Example: `  # Export all ArtifactGenerator resources
  flux export artifact generator --all > artifact-generators.yaml
  # Export a specific generator
  flux export artifact generator my-generator > my-generator.yaml`,
 	ValidArgsFunction: resourceNamesCompletionFunc(swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)),
 	RunE: exportCommand{
 		object: artifactGeneratorAdapter{&swapi.ArtifactGenerator{}},
 		list:   artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{}},
 	}.run,
 }
 func init() {
 	exportArtifactCmd.AddCommand(exportArtifactGeneratorCmd)
 }
 // Export returns an ArtifactGenerator value which has
 // extraneous information stripped out.
 func exportArtifactGenerator(item *swapi.ArtifactGenerator) interface{} {
 	gvk := swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)
 	export := swapi.ArtifactGenerator{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       gvk.Kind,
 			APIVersion: gvk.GroupVersion().String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        item.Name,
 			Namespace:   item.Namespace,
 			Labels:      item.Labels,
 			Annotations: item.Annotations,
 		},
 		Spec: item.Spec,
 	}
 	return export
 }
 func (ex artifactGeneratorAdapter) export() interface{} {
 	return exportArtifactGenerator(ex.ArtifactGenerator)
 }
 func (ex artifactGeneratorListAdapter) exportItem(i int) interface{} {
 	return exportArtifactGenerator(&ex.ArtifactGeneratorList.Items[i])
 }
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var exportImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Export ImagePolicy resources in YAML format",
-	Long:  withPreviewNote("The export image policy command exports one or all ImagePolicy resources in YAML format."),
+	Long:  "The export image policy command exports one or all ImagePolicy resources in YAML format.",
 	Example: `  # Export all ImagePolicy resources
  flux export image policy --all > image-policies.yaml
--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var exportImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Export ImageRepository resources in YAML format",
-	Long:  withPreviewNote("The export image repository command exports one or all ImageRepository resources in YAML format."),
+	Long:  "The export image repository command exports one or all ImageRepository resources in YAML format.",
 	Example: `  # Export all ImageRepository resources
  flux export image repository --all > image-repositories.yaml
--- a/cmd/flux/export_image_update.go
+++ b/cmd/flux/export_image_update.go
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )
 var exportImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Export ImageUpdateAutomation resources in YAML format",
-	Long:  withPreviewNote("The export image update command exports one or all ImageUpdateAutomation resources in YAML format."),
+	Long:  "The export image update command exports one or all ImageUpdateAutomation resources in YAML format.",
 	Example: `  # Export all ImageUpdateAutomation resources
  flux export image update --all > updates.yaml
--- a/cmd/flux/export_source_bucket.go
+++ b/cmd/flux/export_source_bucket.go
@@ -21,13 +21,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var exportSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Export Bucket sources in YAML format",
-	Long:  withPreviewNote("The export source git command exports one or all Bucket sources in YAML format."),
+	Long:  "The export source git command exports one or all Bucket sources in YAML format.",
 	Example: `  # Export all Bucket sources
  flux export source bucket --all > sources.yaml
--- a/cmd/flux/export_source_oci.go
+++ b/cmd/flux/export_source_oci.go
@@ -21,7 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var exportSourceOCIRepositoryCmd = &cobra.Command{
--- a/cmd/flux/export_test.go
+++ b/cmd/flux/export_test.go
@@ -1,6 +1,22 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2024 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@@ -184,13 +184,13 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 	if get.list.len() == 0 {
 		if len(args) > 0 {
-			logger.Failuref("%s object '%s' not found in %s namespace",
+			return fmt.Errorf("%s object '%s' not found in %s namespace",
 				get.kind,
 				args[0],
 				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
 			)
 		} else if !getAll {
-			logger.Failuref("no %s objects found in %s namespace",
+			return fmt.Errorf("no %s objects found in %s namespace",
 				get.kind,
 				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
 			)
--- a/cmd/flux/get_all.go
+++ b/cmd/flux/get_all.go
@@ -87,7 +87,7 @@ var getAllCmd = &cobra.Command{
 func logError(err error) {
 	if !apimeta.IsNoMatchError(err) {
-		logger.Failuref(err.Error())
+		logger.Failuref("%s", err.Error())
 	}
 }
--- a/cmd/flux/get_artifact.go
+++ b/cmd/flux/get_artifact.go
@@ -0,0 +1,32 @@
 /*
 Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"github.com/spf13/cobra"
 )
 var getArtifactCmd = &cobra.Command{
 	Use:     "artifacts",
 	Aliases: []string{"artifact"},
 	Short:   "Get artifact object status",
 	Long:    `The get artifact sub-commands print the status of artifact objects.`,
 }
 func init() {
 	getCmd.AddCommand(getArtifactCmd)
 }
--- a/cmd/flux/get_artifact_generator.go
+++ b/cmd/flux/get_artifact_generator.go
@@ -0,0 +1,93 @@
 /*
 Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"fmt"
 	"strconv"
 	"github.com/spf13/cobra"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
 )
 var getArtifactGeneratorCmd = &cobra.Command{
 	Use:     "generators",
 	Aliases: []string{"generator"},
 	Short:   "Get artifact generator statuses",
 	Long:    `The get artifact generator command prints the statuses of the resources.`,
 	Example: `  # List all ArtifactGenerators and their status
  flux get artifact generators`,
 	ValidArgsFunction: resourceNamesCompletionFunc(swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		get := getCommand{
 			apiType: receiverType,
 			list:    artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{}},
 			funcMap: make(typeMap),
 		}
 		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
 			o, ok := obj.(*swapi.ArtifactGenerator)
 			if !ok {
 				return nil, fmt.Errorf("impossible to cast type %#v generator", obj)
 			}
 			sink := artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{
 				Items: []swapi.ArtifactGenerator{
 					*o,
 				}}}
 			return sink, nil
 		})
 		if err != nil {
 			return err
 		}
 		if err := get.run(cmd, args); err != nil {
 			return err
 		}
 		return nil
 	},
 }
 func init() {
 	getArtifactCmd.AddCommand(getArtifactGeneratorCmd)
 }
 func (s artifactGeneratorListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
 	return append(nameColumns(&item, includeNamespace, includeKind),
 		cases.Title(language.English).String(strconv.FormatBool(item.IsDisabled())), status, msg)
 }
 func (s artifactGeneratorListAdapter) headers(includeNamespace bool) []string {
 	headers := []string{"Name", "Suspended", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}
 	return headers
 }
 func (s artifactGeneratorListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
 	item := s.Items[i]
 	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
 }
--- a/cmd/flux/get_image_all.go
+++ b/cmd/flux/get_image_all.go
@@ -19,14 +19,14 @@ package main
 import (
 	"github.com/spf13/cobra"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var getImageAllCmd = &cobra.Command{
 	Use:   "all",
 	Short: "Get all image statuses",
-	Long:  withPreviewNote("The get image sub-commands print the statuses of all image objects."),
+	Long:  "The get image sub-commands print the statuses of all image objects.",
 	Example: `  # List all image objects in a namespace
  flux get images all --namespace=flux-system
@@ -55,7 +55,7 @@ var getImageAllCmd = &cobra.Command{
 		for _, c := range allImageCmd {
 			if err := c.run(cmd, args); err != nil {
-				logger.Failuref(err.Error())
+				logger.Failuref("%s", err.Error())
 			}
 		}
--- a/cmd/flux/get_image_policy.go
+++ b/cmd/flux/get_image_policy.go
@@ -22,13 +22,13 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var getImagePolicyCmd = &cobra.Command{
 	Use:   "policy",
 	Short: "Get ImagePolicy status",
-	Long:  withPreviewNote("The get image policy command prints the status of ImagePolicy objects."),
+	Long:  "The get image policy command prints the status of ImagePolicy objects.",
 	Example: `  # List all image policies and their status
  flux get image policy
@@ -74,11 +74,16 @@ func init() {
 func (s imagePolicyListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), item.Status.LatestImage, status, msg)
+	var image, tag string
 	if ref := item.Status.LatestRef; ref != nil {
 		image = ref.Name
 		tag = ref.Tag
 	}
 	return append(nameColumns(&item, includeNamespace, includeKind), image, tag, status, msg)
 }
 func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Latest image", "Ready", "Message"}
+	headers := []string{"Name", "Image", "Tag", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}
--- a/cmd/flux/get_image_repository.go
+++ b/cmd/flux/get_image_repository.go
@@ -26,13 +26,13 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 var getImageRepositoryCmd = &cobra.Command{
 	Use:   "repository",
 	Short: "Get ImageRepository status",
-	Long:  withPreviewNote("The get image repository command prints the status of ImageRepository objects."),
+	Long:  "The get image repository command prints the status of ImageRepository objects.",
 	Example: `  # List all image repositories and their status
  flux get image repository
--- a/cmd/flux/get_image_update.go
+++ b/cmd/flux/get_image_update.go
@@ -26,13 +26,13 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )
 var getImageUpdateCmd = &cobra.Command{
 	Use:   "update",
 	Short: "Get ImageUpdateAutomation status",
-	Long:  withPreviewNote("The get image update command prints the status of ImageUpdateAutomation objects."),
+	Long:  "The get image update command prints the status of ImageUpdateAutomation objects.",
 	Example: `  # List all image update automation object and their status
  flux get image update
--- a/cmd/flux/get_source_all.go
+++ b/cmd/flux/get_source_all.go
@@ -21,7 +21,6 @@ import (
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var getSourceAllCmd = &cobra.Command{
@@ -42,11 +41,11 @@ var getSourceAllCmd = &cobra.Command{
 		var allSourceCmd = []getCommand{
 			{
 				apiType: ociRepositoryType,
-				list:    &ociRepositoryListAdapter{&sourcev1b2.OCIRepositoryList{}},
+				list:    &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
 			},
 			{
 				apiType: bucketType,
-				list:    &bucketListAdapter{&sourcev1b2.BucketList{}},
+				list:    &bucketListAdapter{&sourcev1.BucketList{}},
 			},
 			{
 				apiType: gitRepositoryType,
@@ -65,7 +64,7 @@ var getSourceAllCmd = &cobra.Command{
 		for _, c := range allSourceCmd {
 			if err := c.run(cmd, args); err != nil {
 				if !apimeta.IsNoMatchError(err) {
-					logger.Failuref(err.Error())
+					logger.Failuref("%s", err.Error())
 				}
 			}
 		}
--- a/cmd/flux/get_source_bucket.go
+++ b/cmd/flux/get_source_bucket.go
@@ -25,7 +25,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
@@ -33,7 +33,7 @@ import (
 var getSourceBucketCmd = &cobra.Command{
 	Use:   "bucket",
 	Short: "Get Bucket source statuses",
-	Long:  withPreviewNote("The get sources bucket command prints the status of the Bucket sources."),
+	Long:  "The get sources bucket command prints the status of the Bucket sources.",
 	Example: `  # List all Buckets and their status
  flux get sources bucket
--- a/cmd/flux/get_source_oci.go
+++ b/cmd/flux/get_source_oci.go
@@ -25,7 +25,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
--- a/cmd/flux/get_test.go
+++ b/cmd/flux/get_test.go
@@ -19,7 +19,10 @@ limitations under the License.
 package main
-import "testing"
+import (
 	"fmt"
 	"testing"
 )
 func Test_GetCmd(t *testing.T) {
 	tmpl := map[string]string{
@@ -59,3 +62,76 @@ func Test_GetCmd(t *testing.T) {
 		})
 	}
 }
 func Test_GetCmdErrors(t *testing.T) {
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	testEnv.CreateObjectFile("./testdata/get/objects.yaml", tmpl, t)
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "specific object not found",
 			args:   "get kustomization non-existent-resource -n " + tmpl["fluxns"],
 			assert: assertError(fmt.Sprintf("Kustomization object 'non-existent-resource' not found in \"%s\" namespace", tmpl["fluxns"])),
 		},
 		{
 			name:   "no objects found in namespace",
 			args:   "get helmrelease -n " + tmpl["fluxns"],
 			assert: assertError(fmt.Sprintf("no HelmRelease objects found in \"%s\" namespace", tmpl["fluxns"])),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
 func Test_GetCmdSuccess(t *testing.T) {
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	testEnv.CreateObjectFile("./testdata/get/objects.yaml", tmpl, t)
 	tests := []struct {
 		name   string
 		args   string
 		assert assertFunc
 	}{
 		{
 			name:   "list sources git",
 			args:   "get sources git -n " + tmpl["fluxns"],
 			assert: assertSuccess(),
 		},
 		{
 			name:   "get help",
 			args:   "get --help",
 			assert: assertSuccess(),
 		},
 		{
 			name:   "get with all namespaces flag",
 			args:   "get sources git -A",
 			assert: assertSuccess(),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cmd := cmdTestCase{
 				args:   tt.args,
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/image.go
+++ b/cmd/flux/image.go
@@ -17,10 +17,12 @@ limitations under the License.
 package main
 import (
 	"fmt"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 // These are general-purpose adapters for attaching methods to, for
@@ -77,6 +79,34 @@ func (a imagePolicyAdapter) asClientObject() client.Object {
 	return a.ImagePolicy
 }
 func (a imagePolicyAdapter) deepCopyClientObject() client.Object {
 	return a.ImagePolicy.DeepCopy()
 }
 func (a imagePolicyAdapter) isStatic() bool {
 	return false
 }
 func (a imagePolicyAdapter) lastHandledReconcileRequest() string {
 	return a.Status.GetLastHandledReconcileRequest()
 }
 func (a imagePolicyAdapter) isSuspended() bool {
 	return a.Spec.Suspend
 }
 func (a imagePolicyAdapter) setSuspended() {
 	a.Spec.Suspend = true
 }
 func (a imagePolicyAdapter) successMessage() string {
 	return fmt.Sprintf("selected ref %s", a.Status.LatestRef.String())
 }
 func (a imagePolicyAdapter) setUnsuspended() {
 	a.Spec.Suspend = false
 }
 // imagev1.ImagePolicyList
 type imagePolicyListAdapter struct {
@@ -91,6 +121,18 @@ func (a imagePolicyListAdapter) len() int {
 	return len(a.ImagePolicyList.Items)
 }
 func (a imagePolicyListAdapter) resumeItem(i int) resumable {
 	return &imagePolicyAdapter{&a.ImagePolicyList.Items[i]}
 }
 func (obj imagePolicyAdapter) getObservedGeneration() int64 {
 	return obj.ImagePolicy.Status.ObservedGeneration
 }
 func (a imagePolicyListAdapter) item(i int) suspendable {
 	return &imagePolicyAdapter{&a.ImagePolicyList.Items[i]}
 }
 // autov1.ImageUpdateAutomation
 var imageUpdateAutomationType = apiType{
--- a/cmd/flux/image_test.go
+++ b/cmd/flux/image_test.go
@@ -38,7 +38,7 @@ func TestImageScanning(t *testing.T) {
 			"testdata/image/create_image_repository.golden",
 		},
 		{
-			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --select-semver=5.0.x",
+			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --reflect-digest=Always --select-semver=5.0.x",
 			"testdata/image/create_image_policy.golden",
 		},
 		{
@@ -46,13 +46,25 @@ func TestImageScanning(t *testing.T) {
 			"testdata/image/get_image_policy_semver.golden",
 		},
 		{
-			`create image policy podinfo-regex --image-ref=podinfo --interval=10m --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
+			`create image policy podinfo-regex --image-ref=podinfo --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
 			"testdata/image/create_image_policy.golden",
 		},
 		{
 			"get image policy podinfo-regex",
 			"testdata/image/get_image_policy_regex.golden",
 		},
 		{
 			"suspend image policy podinfo-semver",
 			"testdata/image/suspend_image_policy.golden",
 		},
 		{
 			"resume image policy podinfo-semver",
 			"testdata/image/resume_image_policy.golden",
 		},
 		{
 			"reconcile image policy podinfo-semver",
 			"testdata/image/reconcile_image_policy.golden",
 		},
 	}
 	for _, tc := range cases {
--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@@ -83,7 +83,7 @@ type installFlags struct {
 	force              bool
 }
-var installArgs = NewInstallFlags()
+var installArgs = newInstallFlags()
 func init() {
 	installCmd.Flags().BoolVar(&installArgs.export, "export", false,
@@ -93,7 +93,7 @@ func init() {
 	installCmd.Flags().StringSliceVar(&installArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	installCmd.Flags().StringSliceVar(&installArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller,source-watcher'")
 	installCmd.Flags().StringVar(&installArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	installCmd.Flags().StringVar(&installArgs.registry, "registry", rootArgs.defaults.Registry,
 		"container registry where the toolkit images are published")
@@ -115,9 +115,14 @@ func init() {
 	rootCmd.AddCommand(installCmd)
 }
-func NewInstallFlags() installFlags {
+func newInstallFlags() installFlags {
 	return installFlags{
-		logLevel: flags.LogLevel(rootArgs.defaults.LogLevel),
+		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
 		defaultComponents:  rootArgs.defaults.Components,
 		registry:           rootArgs.defaults.Registry,
 		watchAllNamespaces: rootArgs.defaults.WatchAllNamespaces,
 		networkPolicy:      rootArgs.defaults.NetworkPolicy,
 		clusterDomain:      rootArgs.defaults.ClusterDomain,
 	}
 }
@@ -195,10 +200,13 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if installArgs.export {
-		fmt.Print(manifest.Content)
+		_, err = rootCmd.OutOrStdout().Write([]byte(manifest.Content))
-		return nil
+		return err
 	} else if rootArgs.verbose {
-		fmt.Print(manifest.Content)
+		_, err = rootCmd.OutOrStdout().Write([]byte(manifest.Content))
 		if err != nil {
 			return err
 		}
 	}
 	logger.Successf("manifests build completed")
@@ -238,7 +246,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("install failed: %w", err)
 	}
-	fmt.Fprintln(os.Stderr, applyOutput)
+	rootCmd.Println(applyOutput)
 	if opts.ImagePullSecret != "" && opts.RegistryCredential != "" {
 		logger.Actionf("generating image pull secret %s", opts.ImagePullSecret)
@@ -250,7 +258,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 			Username:  credentials[0],
 			Password:  credentials[1],
 		}
-		imagePullSecret, err := sourcesecret.Generate(secretOpts)
+		imagePullSecret, err := sourcesecret.GenerateOCI(secretOpts)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}
--- a/cmd/flux/install_test.go
+++ b/cmd/flux/install_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2022 The Flux authors
+Copyright 2025 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,17 @@ limitations under the License.
 package main
-import "testing"
+import (
 	"strings"
 	"testing"
 	. "github.com/onsi/gomega"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	ssautil "github.com/fluxcd/pkg/ssa/utils"
 	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
 )
 func TestInstall(t *testing.T) {
 	// The pointer to kubeconfigArgs.Namespace is shared across
@@ -59,3 +69,43 @@ func TestInstall(t *testing.T) {
 		})
 	}
 }
 func TestInstall_ComponentsExtra(t *testing.T) {
 	g := NewWithT(t)
 	command := "install --export --components-extra=" +
 		strings.Join(install.MakeDefaultOptions().ComponentsExtra, ",")
 	output, err := executeCommand(command)
 	g.Expect(err).NotTo(HaveOccurred())
 	manifests, err := ssautil.ReadObjects(strings.NewReader(output))
 	g.Expect(err).NotTo(HaveOccurred())
 	foundImageAutomation := false
 	foundImageReflector := false
 	foundSourceWatcher := false
 	foundExternalArtifact := false
 	for _, obj := range manifests {
 		if obj.GetKind() == "Deployment" && obj.GetName() == "image-automation-controller" {
 			foundImageAutomation = true
 		}
 		if obj.GetKind() == "Deployment" && obj.GetName() == "image-reflector-controller" {
 			foundImageReflector = true
 		}
 		if obj.GetKind() == "Deployment" && obj.GetName() == "source-watcher" {
 			foundSourceWatcher = true
 		}
 		if obj.GetKind() == "Deployment" &&
 			(obj.GetName() == "kustomize-controller" || obj.GetName() == "helm-controller") {
 			containers, _, _ := unstructured.NestedSlice(obj.Object, "spec", "template", "spec", "containers")
 			g.Expect(containers).ToNot(BeEmpty())
 			args, _, _ := unstructured.NestedSlice(containers[0].(map[string]any), "args")
 			g.Expect(args).To(ContainElement("--feature-gates=ExternalArtifact=true"))
 			foundExternalArtifact = true
 		}
 	}
 	g.Expect(foundImageAutomation).To(BeTrue(), "image-automation-controller deployment not found")
 	g.Expect(foundImageReflector).To(BeTrue(), "image-reflector-controller deployment not found")
 	g.Expect(foundSourceWatcher).To(BeTrue(), "source-watcher deployment not found")
 	g.Expect(foundExternalArtifact).To(BeTrue(), "ExternalArtifact feature gate not found")
 }
--- a/cmd/flux/list_artifact.go
+++ b/cmd/flux/list_artifact.go
@@ -20,10 +20,11 @@ import (
 	"context"
 	"fmt"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
-	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/oci"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@@ -34,6 +35,7 @@ type listArtifactFlags struct {
 	regexFilter  string
 	creds        string
 	provider     flags.SourceOCIProvider
 	insecure     bool
 }
 var listArtifactArgs = newListArtifactFlags()
@@ -47,8 +49,8 @@ func newListArtifactFlags() listArtifactFlags {
 var listArtifactsCmd = &cobra.Command{
 	Use:   "artifacts",
 	Short: "list artifacts",
-	Long: withPreviewNote(`The list command fetches the tags and their metadata from a remote OCI repository.
+	Long: `The list command fetches the tags and their metadata from a remote OCI repository.
-The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
 	Example: `  # List the artifacts stored in an OCI repository
  flux list artifact oci://ghcr.io/org/config/app
 `,
@@ -60,6 +62,7 @@ func init() {
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.regexFilter, "filter-regex", "", "filter tags returned from the oci repository using regex")
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	listArtifactsCmd.Flags().Var(&listArtifactArgs.provider, "provider", listArtifactArgs.provider.Description())
 	listArtifactsCmd.Flags().BoolVar(&listArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifacts list to be fetched without TLS")
 	listCmd.AddCommand(listArtifactsCmd)
 }
@@ -78,7 +81,22 @@ func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	ociClient := oci.NewClient(oci.DefaultOptions())
+	ociOpts := oci.DefaultOptions()
 	if listArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
 		ociOpt, err := loginWithProvider(ctx, url, listArtifactArgs.provider.String())
 		if err != nil {
 			return fmt.Errorf("error during login with provider: %w", err)
 		}
 		ociOpts = append(ociOpts, ociOpt)
 	}
 	if listArtifactArgs.insecure {
 		ociOpts = append(ociOpts, crane.Insecure)
 	}
 	ociClient := oci.NewClient(ociOpts)
 	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
@@ -87,18 +105,6 @@ func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if listArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
 		ociProvider, err := listArtifactArgs.provider.ToOCIProvider()
 		if err != nil {
 			return fmt.Errorf("provider not supported: %w", err)
 		}
 		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
 			return fmt.Errorf("error during login with provider: %w", err)
 		}
 	}
 	opts := oci.ListOptions{
 		RegexFilter:  listArtifactArgs.regexFilter,
 		SemverFilter: listArtifactArgs.semverFilter,
--- a/cmd/flux/main.go
+++ b/cmd/flux/main.go
@@ -247,3 +247,8 @@ While we try our best to not introduce breaking changes, they may occur when
 we adapt to new features and/or find better ways to facilitate what it does.`
 	return fmt.Sprintf("%s\n\n%s", strings.TrimSpace(desc), previewNote)
 }
 // printlnStdout prints the given text to stdout with a newline.
 func printlnStdout(txt string) {
 	_, _ = rootCmd.OutOrStdout().Write([]byte(txt + "\n"))
 }
--- a/cmd/flux/main_test.go
+++ b/cmd/flux/main_test.go
@@ -429,7 +429,9 @@ func resetCmdArgs() {
 		tail:          -1,
 		fluxNamespace: rootArgs.defaults.Namespace,
 	}
-	buildKsArgs = buildKsFlags{}
+	buildKsArgs = buildKsFlags{
 		localSources: map[string]string{},
 	}
 	checkArgs = checkFlags{}
 	createArgs = createFlags{}
 	deleteArgs = deleteFlags{}
@@ -445,12 +447,14 @@ func resetCmdArgs() {
 	imagePolicyArgs = imagePolicyFlags{}
 	imageRepoArgs = imageRepoFlags{}
 	imageUpdateArgs = imageUpdateFlags{}
 	installArgs = newInstallFlags()
 	kustomizationArgs = NewKustomizationFlags()
 	receiverArgs = receiverFlags{}
 	resumeArgs = ResumeFlags{}
 	rhrArgs = reconcileHelmReleaseFlags{}
 	rksArgs = reconcileKsFlags{}
 	secretGitArgs = NewSecretGitFlags()
 	secretProxyArgs = secretProxyFlags{}
 	secretHelmArgs = secretHelmFlags{}
 	secretTLSArgs = secretTLSFlags{}
 	sourceBucketArgs = sourceBucketFlags{}
@@ -466,6 +470,8 @@ func resetCmdArgs() {
 		output: "yaml",
 	}
 	envsubstArgs = envsubstFlags{}
 	debugHelmReleaseArgs = debugHelmReleaseFlags{}
 	debugKustomizationArgs = debugKustomizationFlags{}
 }
 func isChangeError(err error) bool {
--- a/Show More
+++ b/Show More