Merge pull request #3476 from aryan9600/revert-auto-stage

Update git/gogit to v0.4.1
update git/gogit to v0.4.1
2026-03-01 19:26:55 +00:00 · 2023-01-10 20:33:09 +05:30 · 2023-01-10 17:15:51 +05:30 · 2023-01-09 14:23:23 +00:00 · 2023-01-09 00:57:58 +00:00 · 2023-01-06 16:20:36 +05:30
129 changed files with 3573 additions and 2709 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    labels: ["area/build"]
    schedule:
      # by default this will be on a monday.
      interval: "weekly"
--- a/.github/runners/README.md
+++ b/.github/runners/README.md
@@ -1,24 +1,32 @@
 # Flux ARM64 GitHub runners
-The Flux ARM64 end-to-end tests run on Equinix instances provisioned with Docker and GitHub self-hosted runners.
+The Flux ARM64 end-to-end tests run on Equinix Metal instances provisioned with Docker and GitHub self-hosted runners.
 ## Current instances
-| Runner        | Instance            | Region |
+| Repository                  | Runner           | Instance               | Location      |
-|---------------|---------------------|--------|
+|-----------------------------|------------------|------------------------|---------------|
-| equinix-arm-1 | flux-equinix-arm-01 | AMS1   |
+| flux2                       | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
-| equinix-arm-2 | flux-equinix-arm-01 | AMS1   |
+| flux2                       | equinix-arm-dc-2 | flux-equinix-arm-dc-01 | Washington DC |
-| equinix-arm-3 | flux-equinix-arm-01 | AMS1   |
+| flux2                       | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
-| equinix-arm-4 | flux-equinix-arm-02 | DFW2   |
+| flux2                       | equinix-arm-da-2 | flux-equinix-arm-da-01 | Dallas        |
-| equinix-arm-5 | flux-equinix-arm-02 | DFW2   |
+| source-controller           | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
-| equinix-arm-6 | flux-equinix-arm-02 | DFW2   |
+| source-controller           | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
 | image-automation-controller | equinix-arm-dc-1 | flux-equinix-arm-dc-01 | Washington DC |
 | image-automation-controller | equinix-arm-da-1 | flux-equinix-arm-da-01 | Dallas        |
 Instance spec:
 - Ampere Altra Q80-30 80-core processor @ 2.8GHz
 - 2 x 960GB NVME
 - 256GB RAM
 - 2 x 25Gbps
 ## Instance setup
 In order to add a new runner to the GitHub Actions pool,
 first create a server on Equinix with the following configuration:
- Type: c2.large.arm
+- Type: `c3.large.arm64`
- OS: Ubuntu 20.04
+- OS: `Ubuntu 22.04 LTS`
 ### Install prerequisites
@@ -54,14 +62,14 @@ sudo ./prereq.sh
 - Retrieve the GitHub runner token from the repository [settings page](https://github.com/fluxcd/flux2/settings/actions/runners/new?arch=arm64&os=linux)
- Create 3 directories `runner1`, `runner2`, `runner3`
+- Create two directories `flux2-01`, `flux2-02`
 - In each dir run:
 ```shell
 curl -sL https://raw.githubusercontent.com/fluxcd/flux2/main/.github/runners/runner-setup.sh > runner-setup.sh \
  && chmod +x ./runner-setup.sh
-./runner-setup.sh equinix-arm-<NUMBER> <TOKEN>
+./runner-setup.sh equinix-arm-<NUMBER> <TOKEN> <REPO>
 ```
 - Reboot the instance
--- a/.github/runners/prereq.sh
+++ b/.github/runners/prereq.sh
@@ -18,11 +18,11 @@
 set -eu
-KIND_VERSION=0.14.0
+KIND_VERSION=0.17.0
 KUBECTL_VERSION=1.24.0
-KUSTOMIZE_VERSION=4.5.4
+KUSTOMIZE_VERSION=4.5.7
-HELM_VERSION=3.8.2
+HELM_VERSION=3.10.1
-GITHUB_RUNNER_VERSION=2.291.1
+GITHUB_RUNNER_VERSION=2.298.2
 PACKAGES="apt-transport-https ca-certificates software-properties-common build-essential libssl-dev gnupg lsb-release jq pkg-config"
 # install prerequisites
@@ -31,6 +31,10 @@ apt-get update \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 # fix Kubernetes DNS resolution
 rm /etc/resolv.conf
 cat "/run/systemd/resolve/stub-resolv.conf" | sed '/search/d' > /etc/resolv.conf
 # install docker
 curl -fsSL https://get.docker.com -o get-docker.sh \
  && chmod +x get-docker.sh
--- a/.github/runners/runner-setup.sh
+++ b/.github/runners/runner-setup.sh
@@ -22,7 +22,7 @@ RUNNER_NAME=$1
 REPOSITORY_TOKEN=$2
 REPOSITORY_URL=${3:-https://github.com/fluxcd/flux2}
-GITHUB_RUNNER_VERSION=2.285.1
+GITHUB_RUNNER_VERSION=2.298.2
 # download runner
 curl -o actions-runner-linux-arm64.tar.gz -L https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-arm64-${GITHUB_RUNNER_VERSION}.tar.gz \
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -0,0 +1,50 @@
 # Flux GitHub Workflows
 ## End-to-end Testing
 The e2e workflows run a series of tests to ensure that the Flux CLI and
 the GitOps Toolkit controllers work well all together.
 The tests are written in Go, Bash, Make and Terraform.
 | Workflow           | Jobs                 | Runner         | Role                                          |
 |--------------------|----------------------|----------------|-----------------------------------------------|
 | e2e.yaml           | e2e-amd64-kubernetes | GitHub Ubuntu  | integration testing with Kubernetes Kind<br/> |
 | e2e-arm64.yaml     | e2e-arm64-kubernetes | Equinix Ubuntu | integration testing with Kubernetes Kind<br/> |
 | e2e-bootstrap.yaml | e2e-boostrap-github  | GitHub Ubuntu  | integration testing with GitHub API<br/>      |
 | e2e-azure.yaml     | e2e-amd64-aks        | GitHub Ubuntu  | integration testing with Azure API<br/>       |
 | scan.yaml          | scan-fossa           | GitHub Ubuntu  | license scanning<br/>                         |
 | scan.yaml          | scan-snyk            | GitHub Ubuntu  | vulnerability scanning<br/>                   |
 | scan.yaml          | scan-codeql          | GitHub Ubuntu  | vulnerability scanning<br/>                   |
 ## Components Update
 The components update workflow scans the GitOps Toolkit controller repositories for new releases,
 amd when it finds a new controller version, the workflow performs the following steps:
 - Updates the controller API package version in `go.mod`.
 - Patches the controller CRDs version in the `manifests/crds` overlay.
 - Patches the controller Deployment version in `manifests/bases` overlay.
 - Opens a Pull Request against the `main` branch.
 - Triggers the e2e test suite to run for the opened PR.
 | Workflow    | Jobs              | Runner        | Role                                                |
 |-------------|-------------------|---------------|-----------------------------------------------------|
 | update.yaml | update-components | GitHub Ubuntu | update the GitOps Toolkit APIs and controllers<br/> |
 ## Release
 The release workflow is triggered by a semver Git tag and performs the following steps:
 - Generates the Flux install manifests (YAML).
 - Generates the OpenAPI validation schemas for the GitOps Toolkit CRDs (JSON).
 - Generates a Software Bill of Materials (SPDX JSON).
 - Builds the Flux CLI binaries and the multi-arch container images.
 - Pushes the container images to GitHub Container Registry and DockerHub.
 - Signs the sbom, the binaries checksum and the container images with Cosign and GitHub OIDC.
 - Uploads the sbom, binaries, checksums and install manifests to GitHub Releases.
 - Pushes the install manifests as OCI artifacts to GitHub Container Registry and DockerHub.
 - Signs the OCI artifacts with Cosign and GitHub OIDC.
 | Workflow     | Jobs                   | Runner        | Role                                                 |
 |--------------|------------------------|---------------|------------------------------------------------------|
 | release.yaml | release-flux-cli       | GitHub Ubuntu | build, push and sign the CLI release artifacts<br/>  |
 | release.yaml | release-flux-manifests | GitHub Ubuntu | build, push and sign the Flux install manifests<br/> |
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -3,33 +3,97 @@ name: e2e-arm64
 on:
  workflow_dispatch:
  push:
-    branches: [ main, update-components ]
+    branches: [ main, update-components, e2e-arm64* ]
 permissions:
  contents: read
 jobs:
-  test:
+  e2e-arm64-kubernetes:
    # Hosted on Equinix
    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
    runs-on: [self-hosted, Linux, ARM64, equinix]
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        KUBERNETES_VERSION: [ 1.23.13, 1.24.7, 1.25.3 ]
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
        with:
-          go-version: 1.18.x
+          go-version: 1.19.x
      - name: Prepare
        id: prep
        run: |
-          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
+          ID=${GITHUB_SHA:0:7}-${{ matrix.KUBERNETES_VERSION }}-$(date +%s)
-          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
+          echo "CLUSTER=arm64-${ID}" >> $GITHUB_OUTPUT
      - name: Build
        run: |
          make build
      - name: Setup Kubernetes Kind
        run: |
-          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
+          kind create cluster \
          --wait 5m \
          --name ${{ steps.prep.outputs.CLUSTER }} \
          --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }} \
          --image=kindest/node:v${{ matrix.KUBERNETES_VERSION }}
      - name: Run e2e tests
        run: TEST_KUBECONFIG=/tmp/${{ steps.prep.outputs.CLUSTER }} make e2e
      - name: Run multi-tenancy tests
        env:
          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
        run: |
          ./bin/flux install
          ./bin/flux create source git flux-system \
          --interval=15m \
          --url=https://github.com/fluxcd/flux2-multi-tenancy \
          --branch=main \
          --ignore-paths="./clusters/**/flux-system/"
          ./bin/flux create kustomization flux-system \
          --interval=15m \
          --source=flux-system \
          --path=./clusters/staging
          kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m
          kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m
          kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m
      - name: Run monitoring tests
        # Keep this test in sync with https://fluxcd.io/flux/guides/monitoring/
        env:
          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
        run: |
          ./bin/flux create source git flux-monitoring \
          --interval=30m \
          --url=https://github.com/fluxcd/flux2 \
          --branch=${GITHUB_REF#refs/heads/}
          ./bin/flux create kustomization kube-prometheus-stack \
          --interval=1h \
          --prune \
          --source=flux-monitoring \
          --path="./manifests/monitoring/kube-prometheus-stack" \
          --health-check-timeout=5m \
          --wait
          ./bin/flux create kustomization monitoring-config \
          --depends-on=kube-prometheus-stack \
          --interval=1h \
          --prune=true \
          --source=flux-monitoring \
          --path="./manifests/monitoring/monitoring-config" \
          --health-check-timeout=1m \
          --wait
          kubectl -n flux-system wait kustomization/kube-prometheus-stack --for=condition=ready --timeout=5m
          kubectl -n flux-system wait kustomization/monitoring-config --for=condition=ready --timeout=5m
          kubectl -n monitoring wait helmrelease/kube-prometheus-stack --for=condition=ready --timeout=1m
      - name: Debug failure
        if: failure()
        env:
          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
        run: |
          kubectl -n flux-system get all
          kubectl -n flux-system describe po 
          kubectl -n flux-system logs deploy/source-controller
          kubectl -n flux-system logs deploy/kustomize-controller
      - name: Cleanup
        if: always()
        run: |
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -7,31 +7,26 @@ on:
  push:
    branches: [ azure* ]
 permissions:
  contents: read
 jobs:
-  e2e:
+  e2e-amd64-aks:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Restore Go cache
-        uses: actions/cache@v3
+        uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go1.18-
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
        with:
-          go-version: 1.18.x
+          go-version: 1.19.x
      - name: Install libgit2
        run: |
          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
          echo "deb http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
          echo "deb-src http://deb.debian.org/debian unstable main" | sudo tee -a /etc/apt/sources.list
          sudo apt-get update
          sudo apt-get install -y --allow-downgrades libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable
      - name: Setup Flux CLI
        run: |
          make build
@@ -44,7 +39,7 @@ jobs:
          mkdir -p $HOME/.local/bin
          mv sops-v3.7.1.linux $HOME/.local/bin/sops
      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # v2
        with:
          terraform_version: 1.2.8
          terraform_wrapper: false
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@@ -1,34 +1,38 @@
-name: bootstrap
+name: e2e-bootstrap
 on:
  workflow_dispatch:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
 permissions:
  contents: read
 jobs:
-  github:
+  e2e-boostrap-github:
    runs-on: ubuntu-latest
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Restore Go cache
-        uses: actions/cache@v3
+        uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go1.18-
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
        with:
-          go-version: 1.18.x
+          go-version: 1.19.x
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
        with:
-          version: v0.11.1
+          version: v0.16.0
-          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
+          image: kindest/node:v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -1,13 +1,17 @@
 name: e2e
 on:
  workflow_dispatch:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main, oci ]
 permissions:
  contents: read
 jobs:
-  kind:
+  e2e-amd64-kubernetes:
    runs-on: ubuntu-latest
    services:
      registry:
@@ -16,23 +20,23 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Restore Go cache
-        uses: actions/cache@v3
+        uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go1.18-
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
        with:
-          go-version: 1.18.x
+          go-version: 1.19.x
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
        with:
          version: v0.11.1
-          image: kindest/node:v1.20.7
+          image: kindest/node:v1.23.13
          config: .github/kind/config.yaml # disable KIND-net
      - name: Setup Calico for network policy
        run: |
@@ -218,14 +222,13 @@ jobs:
          /tmp/flux create source git flux-system \
          --url=https://github.com/fluxcd/flux2-kustomize-helm-example \
          --branch=main \
          --ignore-paths="./clusters/**/flux-system/" \
          --recurse-submodules
          /tmp/flux create kustomization flux-system \
          --source=flux-system \
          --path=./clusters/staging
-          kubectl -n flux-system wait kustomization/infrastructure --for=condition=ready --timeout=5m
+          kubectl -n flux-system wait kustomization/infra-controllers --for=condition=ready --timeout=5m
          kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=5m
          kubectl -n nginx wait helmrelease/nginx --for=condition=ready --timeout=5m
          kubectl -n redis wait helmrelease/redis --for=condition=ready --timeout=5m
          kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=5m
      - name: flux tree
        run: |
--- a/.github/workflows/release-manifests.yml
+++ b/.github/workflows/release-manifests.yml
@@ -1,73 +0,0 @@
 name: release-manifests
 on:
  release:
    types: [published]
  workflow_dispatch:
 permissions:
  id-token: write # needed for keyless signing
  packages: write # needed for ghcr access
 jobs:
  build-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Flux CLI
        uses: ./action/
      - name: Prepare
        id: prep
        run: |
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo ::set-output name=VERSION::${VERSION}
      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
      - name: Push manifests to GHCR
        run: |
          mkdir -p ./ghcr.io/flux-system
          flux install --registry=ghcr.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./ghcr.io/flux-system/gotk-components.yaml
          cd ./ghcr.io && flux push artifact \
          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}/${{ github.sha }}"
      - name: Push manifests to DockerHub
        run: |
          mkdir -p ./docker.io/flux-system
          flux install --registry=docker.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./docker.io/flux-system/gotk-components.yaml
          cd ./docker.io && flux push artifact \
          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}/${{ github.sha }}"
      - uses: sigstore/cosign-installer@main
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign sign ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
          cosign sign docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
      - name: Tag manifests
        run: |
          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --tag latest
          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --tag latest
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,41 +5,43 @@ on:
    tags: [ 'v*' ]
 permissions:
-  contents: write # needed to write releases
+  contents: read
  id-token: write # needed for keyless signing
  packages: write # needed for ghcr access
 jobs:
-  goreleaser:
+  release-flux-cli:
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
        with:
-          go-version: 1.18.x
+          go-version: 1.19.x
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325  # v2
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@v0
+        uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -51,10 +53,8 @@ jobs:
      - name: Build CRDs
        run: |
          kustomize build manifests/crds > all-crds.yaml
      # Pinned to commit before https://github.com/fluxcd/pkg/pull/189 due to
      # introduction faulty behavior.
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg//actions/crdjsonschema@49e26aa2ee9e734c3233c560253fd9542afe18ae
+        uses: fluxcd/pkg//actions/crdjsonschema@main
        with:
          crd: all-crds.yaml
          output: schemas
@@ -73,7 +73,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v3
        with:
          version: latest
          args: release --release-notes=output/notes.md --skip-validate
@@ -81,3 +81,69 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
  release-flux-manifests:
    runs-on: ubuntu-latest
    needs: release-flux-cli
    permissions:
      id-token: write
      packages: write
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Flux CLI
        uses: ./action/
      - name: Prepare
        id: prep
        run: |
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo ::set-output name=VERSION::${VERSION}
      - name: Login to GHCR
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to DockerHub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
      - name: Push manifests to GHCR
        run: |
          mkdir -p ./ghcr.io/flux-system
          flux install --registry=ghcr.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./ghcr.io/flux-system/gotk-components.yaml
          cd ./ghcr.io && flux push artifact \
          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}/${{ github.sha }}"
      - name: Push manifests to DockerHub
        run: |
          mkdir -p ./docker.io/flux-system
          flux install --registry=docker.io/fluxcd \
          --components-extra=image-reflector-controller,image-automation-controller \
          --export > ./docker.io/flux-system/gotk-components.yaml
          cd ./docker.io && flux push artifact \
          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}/${{ github.sha }}"
      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign sign ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
          cosign sign docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }}
      - name: Tag manifests
        run: |
          flux tag artifact oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --tag latest
          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --tag latest
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -1,6 +1,7 @@
 name: scan
 on:
  workflow_dispatch:
  push:
    branches: [ main ]
  pull_request:
@@ -9,60 +10,62 @@ on:
    - cron: '18 10 * * 3'
 permissions:
-  contents: read # for actions/checkout to fetch code
+  contents: read
  security-events: write # for codeQL to write security events
 jobs:
-  fossa:
+  scan-fossa:
    name: FOSSA
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v1
+        uses: fossa-contrib/fossa-action@6cffaa064112e1cf9b5798c6224f9487dc1ec316 # v1
        with:
          # FOSSA Push-Only API Token
          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
          github-token: ${{ github.token }}
-  snyk:
+  scan-snyk:
    name: Snyk
    runs-on: ubuntu-latest
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
      security-events: write
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build manifests
        run: |
          make cmd/flux/.manifests.done
      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/golang@master
+        uses: snyk/actions/golang@1cc9026f51d822442cb4b872d8d7ead8cc69a018 # v0.3.0
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
        with:
          sarif_file: snyk.sarif
-  codeql:
+  scan-codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
        with:
-          go-version: 1.18
+          go-version: 1.19.x
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
        with:
          languages: go
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -1,4 +1,4 @@
-name: Update Components
+name: update
 on:
  workflow_dispatch:
@@ -7,16 +7,22 @@ on:
  push:
    branches: [main]
 permissions:
  contents: read
 jobs:
  update-components:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
        with:
-          go-version: 1.18.x
+          go-version: 1.19.x
      - name: Update component versions
        id: update
        run: |
@@ -69,7 +75,7 @@ jobs:
      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -67,7 +67,7 @@ for source changes.
 Prerequisites:
-* go >= 1.17
+* go >= 1.19
 * kubectl >= 1.20
 * kustomize >= 4.4
 * coreutils (on Mac OS)
--- a/6
+++ b/6
@@ -3,7 +3,7 @@ FROM alpine:3.16 as builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.25.0
+ARG KUBECTL_VER=1.25.4
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
@@ -11,10 +11,6 @@ RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECT
 FROM alpine:3.16 as flux-cli
 # Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
 # https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
 RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
 RUN apk add --no-cache ca-certificates
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
--- a/4
+++ b/4
@@ -17,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build
 tidy:
-	go mod tidy -compat=1.18
+	go mod tidy -compat=1.19
-	cd tests/azure && go mod tidy -compat=1.18
+	cd tests/azure && go mod tidy -compat=1.19
 fmt:
 	go fmt ./...
--- a/README.md
+++ b/README.md
@@ -1,14 +1,13 @@
 # Flux version 2
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
 [![e2e](https://github.com/fluxcd/flux2/workflows/e2e/badge.svg)](https://github.com/fluxcd/flux2/actions)
 [![report](https://goreportcard.com/badge/github.com/fluxcd/flux2)](https://goreportcard.com/report/github.com/fluxcd/flux2)
 [![license](https://img.shields.io/github/license/fluxcd/flux2.svg)](https://github.com/fluxcd/flux2/blob/main/LICENSE)
 [![release](https://img.shields.io/github/release/fluxcd/flux2/all.svg)](https://github.com/fluxcd/flux2/releases)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
 [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2?ref=badge_shield)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flux2)](https://artifacthub.io/packages/helm/fluxcd-community/flux2)
 Flux is a tool for keeping Kubernetes clusters in sync with sources of
-configuration (like Git repositories), and automating updates to
+configuration (like Git repositories and OCI artifacts),
-configuration when there is new code to deploy.
+and automating updates to configuration when there is new code to deploy.
 Flux version 2 ("v2") is built from the ground up to use Kubernetes'
 API extension system, and to integrate with Prometheus and other core
@@ -20,7 +19,8 @@ Flux v2 is constructed with the [GitOps Toolkit](#gitops-toolkit), a
 set of composable APIs and specialized tools for building Continuous
 Delivery on top of Kubernetes.
-Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project.
+Flux is a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/)) project, used in
 production by various [organisations](https://fluxcd.io/adopters) and [cloud providers](https://fluxcd.io/ecosystem).
 ## Quickstart and documentation
@@ -77,16 +77,17 @@ new contributors and there are a multitude of ways to get involved.
 - Getting Started?
    - Look at our [Get Started guide](https://fluxcd.io/flux/get-started/) and give us feedback
 - Need help?
-    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
+    - First: Ask questions on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions).
-    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/)
+    - Second: Talk to us in the #flux channel on [CNCF Slack](https://slack.cncf.io/).
    - Please follow our [Support Guidelines](https://fluxcd.io/support/)
      (in short: be nice, be respectful of volunteers' time, understand that maintainers and
      contributors cannot respond to all DMs, and keep discussions in the public #flux channel as much as possible).
 - Have feature proposals or want to contribute?
-    - Propose features on our [GH Discussions page](https://github.com/fluxcd/flux2/discussions)
+    - Propose features on our [GitHub Discussions page](https://github.com/fluxcd/flux2/discussions).
-    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view))
+    - Join our upcoming dev meetings ([meeting access and agenda](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/view)).
    - [Join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
-    - Check out [how to contribute](CONTRIBUTING.md) to the project
+    - Check out [how to contribute](CONTRIBUTING.md) to the project.
    - Check out the [project roadmap](https://fluxcd.io/roadmap/).
 ### Events
--- a/cmd/flux/alert.go
+++ b/cmd/flux/alert.go
@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 // notificationv1.Alert
--- a/cmd/flux/alert_provider.go
+++ b/cmd/flux/alert_provider.go
@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 // notificationv1.Provider
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -22,14 +22,14 @@ import (
 	"os"
 	"time"
-	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
@@ -128,7 +128,9 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@@ -171,10 +173,17 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-	gitClient := gogit.New(tmpDir, &http.BasicAuth{
+
-		Username: user,
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
-		Password: bitbucketToken,
+	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
-	})
+		Transport: git.HTTPS,
 		Username:  user,
 		Password:  bitbucketToken,
 		CAFile:    caBundle,
 	}, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
@@ -212,19 +221,18 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = bServerArgs.username
 		}
 		secretOpts.Password = bitbucketToken
-
+		secretOpts.CAFile = caBundle
 		if bootstrapArgs.caFile != "" {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
 			return err
 		}
 		secretOpts.Keypair = keypair
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = bServerArgs.hostname
-		if bootstrapArgs.privateKeyFile != "" {
+		secretOpts.SSHHostname = bServerArgs.hostname
 			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
 		}
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@@ -243,19 +251,24 @@ func bootstrapBServerCmdRun(cmd *cobra.Command, args []string) error {
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
 	if err != nil {
 		return err
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(bServerArgs.owner, bServerArgs.repository, bServerArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(bServerArgs.teams, bServerDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(bServerArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -24,21 +24,19 @@ import (
 	"strings"
 	"time"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 )
 var bootstrapGitCmd = &cobra.Command{
@@ -62,6 +60,12 @@ command will perform an upgrade if needed.`,
  # Run bootstrap for a Git repository with a private key and password
  flux bootstrap git --url=ssh://git@example.com/repository.git --private-key-file=<path/to/private.key> --password=<password>
  # Run bootstrap for a Git repository on AWS CodeCommit
  flux bootstrap git --url=ssh://<SSH-Key-ID>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> --private-key-file=<path/to/private.key> --password=<SSH-passphrase>
  # Run bootstrap for a Git repository on Azure Devops
  flux bootstrap git --url=ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repository> --ssh-key-algorithm=rsa --ssh-rsa-bits=4096
 `,
 	RunE: bootstrapGitCmdRun,
 }
@@ -116,9 +120,22 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	gitAuth, err := transportForURL(repositoryURL)
+
-	if err != nil {
+	if strings.Contains(repositoryURL.Hostname(), "git-codecommit") && strings.Contains(repositoryURL.Hostname(), "amazonaws.com") {
-		return err
+		if repositoryURL.Scheme == string(git.SSH) {
 			if repositoryURL.User == nil {
 				return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be specified in the url")
 			}
 			if repositoryURL.User.Username() == git.DefaultPublicKeyAuthUser {
 				return fmt.Errorf("invalid AWS CodeCommit url: ssh username should be the SSH key ID for the provided private key")
 			}
 			if bootstrapArgs.privateKeyFile == "" {
 				return fmt.Errorf("private key file is required for bootstrapping against AWS CodeCommit using ssh")
 			}
 		}
 		if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth {
 			return fmt.Errorf("--token-auth=true must be specified for using a HTTPS AWS CodeCommit url")
 		}
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
@@ -130,7 +147,9 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@@ -145,7 +164,28 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-	gitClient := gogit.New(tmpDir, gitAuth)
+
 	var caBundle []byte
 	if bootstrapArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	authOpts, err := getAuthOpts(repositoryURL, caBundle)
 	if err != nil {
 		return fmt.Errorf("failed to create authentication options for %s: %w", repositoryURL.String(), err)
 	}
 	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
 	if gitArgs.insecureHttpAllowed {
 		clientOpts = append(clientOpts, gogit.WithInsecureCredentialsOverHTTP())
 	}
 	gitClient, err := gogit.NewClient(tmpDir, authOpts, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
@@ -179,10 +219,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = gitArgs.username
 		secretOpts.Password = gitArgs.password
-
+		secretOpts.CAFile = caBundle
 		if bootstrapArgs.caFile != "" {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 		// Remove port of the given host when not syncing over HTTP/S to not assume port for protocol
 		// This _might_ be overwritten later on by e.g. --ssh-hostname
@@ -192,7 +229,9 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		// Configure repository URL to match auth config for sync.
 		repositoryURL.User = nil
-		repositoryURL.Scheme = "https"
+		if !gitArgs.insecureHttpAllowed {
 			repositoryURL.Scheme = "https"
 		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.Password = gitArgs.password
@@ -211,9 +250,12 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		if bootstrapArgs.sshHostname != "" {
 			repositoryURL.Host = bootstrapArgs.sshHostname
 		}
-		if bootstrapArgs.privateKeyFile != "" {
+
-			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
+		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
 			return err
 		}
 		secretOpts.Keypair = keypair
 		// Configure last as it depends on the config above.
 		secretOpts.SSHHostname = repositoryURL.Host
@@ -233,26 +275,21 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
-	var caBundle []byte
+	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
-	if bootstrapArgs.caFile != "" {
+	if err != nil {
-		var err error
+		return err
 		caBundle, err = os.ReadFile(bootstrapArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitOption{
 		bootstrap.WithRepositoryURL(gitArgs.url),
 		bootstrap.WithBranch(bootstrapArgs.branch),
-		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithPostGenerateSecretFunc(promptPublicKey),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	// Setup bootstrapper with constructed configs
@@ -265,30 +302,47 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 	return bootstrap.Run(ctx, b, manifestsBase, installOptions, secretOpts, syncOpts, rootArgs.pollInterval, rootArgs.timeout)
 }
-// transportForURL constructs a transport.AuthMethod based on the scheme
+// getAuthOpts retruns a AuthOptions based on the scheme
 // of the given URL and the configured flags. If the protocol equals
 // "ssh" but no private key is configured, authentication using the local
 // SSH-agent is attempted.
-func transportForURL(u *url.URL) (transport.AuthMethod, error) {
+func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
 	switch u.Scheme {
 	case "http":
 		if !gitArgs.insecureHttpAllowed {
 			return nil, fmt.Errorf("scheme http is insecure, pass --allow-insecure-http=true to allow it")
 		}
-		return &http.BasicAuth{
+		return &git.AuthOptions{
-			Username: gitArgs.username,
+			Transport: git.HTTP,
-			Password: gitArgs.password,
+			Username:  gitArgs.username,
 			Password:  gitArgs.password,
 		}, nil
 	case "https":
-		return &http.BasicAuth{
+		return &git.AuthOptions{
-			Username: gitArgs.username,
+			Transport: git.HTTPS,
-			Password: gitArgs.password,
+			Username:  gitArgs.username,
 			Password:  gitArgs.password,
 			CAFile:    caBundle,
 		}, nil
 	case "ssh":
-		if bootstrapArgs.privateKeyFile != "" {
+		authOpts := &git.AuthOptions{
-			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
+			Transport: git.SSH,
 			Username:  u.User.Username(),
 			Password:  gitArgs.password,
 		}
-		return nil, nil
+		if bootstrapArgs.privateKeyFile != "" {
 			pk, err := os.ReadFile(bootstrapArgs.privateKeyFile)
 			if err != nil {
 				return nil, err
 			}
 			kh, err := sourcesecret.ScanHostKey(u.Host)
 			if err != nil {
 				return nil, err
 			}
 			authOpts.Identity = pk
 			authOpts.KnownHosts = kh
 		}
 		return authOpts, nil
 	default:
 		return nil, fmt.Errorf("scheme %q is not supported", u.Scheme)
 	}
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -22,14 +22,14 @@ import (
 	"os"
 	"time"
-	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
@@ -132,7 +132,9 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@@ -161,16 +163,22 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	// Lazy go-git repository
 	tmpDir, err := manifestgen.MkdirTempAbs("", "flux-bootstrap-")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-	gitClient := gogit.New(tmpDir, &http.BasicAuth{
+
-		Username: githubArgs.owner,
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
-		Password: ghToken,
+	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
-	})
+		Transport: git.HTTPS,
 		Username:  githubArgs.owner,
 		Password:  ghToken,
 		CAFile:    caBundle,
 	}, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
@@ -204,16 +212,13 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = ghToken
-
+		secretOpts.CAFile = caBundle
 		if bootstrapArgs.caFile != "" {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 	} else {
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = githubArgs.hostname
 		secretOpts.SSHHostname = githubArgs.hostname
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@@ -232,19 +237,23 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
 	if err != nil {
 		return err
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(githubArgs.owner, githubArgs.repository, githubArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(githubArgs.teams, ghDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(githubArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -24,14 +24,14 @@ import (
 	"strings"
 	"time"
-	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/internal/bootstrap"
 	"github.com/fluxcd/flux2/internal/bootstrap/git/gogit"
 	"github.com/fluxcd/flux2/internal/bootstrap/provider"
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/bootstrap"
 	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
 	"github.com/fluxcd/flux2/pkg/manifestgen"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
@@ -136,7 +136,9 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	// Manifest base
-	if ver, err := getVersion(bootstrapArgs.version); err == nil {
+	if ver, err := getVersion(bootstrapArgs.version); err != nil {
 		return err
 	} else {
 		bootstrapArgs.version = ver
 	}
 	manifestsBase, err := buildEmbeddedManifestBase()
@@ -178,10 +180,17 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create temporary working dir: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
-	gitClient := gogit.New(tmpDir, &http.BasicAuth{
+
-		Username: gitlabArgs.owner,
+	clientOpts := []gogit.ClientOption{gogit.WithDiskStorage(), gogit.WithFallbackToDefaultKnownHosts()}
-		Password: glToken,
+	gitClient, err := gogit.NewClient(tmpDir, &git.AuthOptions{
-	})
+		Transport: git.HTTPS,
 		Username:  gitlabArgs.owner,
 		Password:  glToken,
 		CAFile:    caBundle,
 	}, clientOpts...)
 	if err != nil {
 		return fmt.Errorf("failed to create a Git client: %w", err)
 	}
 	// Install manifest config
 	installOptions := install.Options{
@@ -215,19 +224,18 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.tokenAuth {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
-
+		secretOpts.CAFile = caBundle
 		if bootstrapArgs.caFile != "" {
 			secretOpts.CAFilePath = bootstrapArgs.caFile
 		}
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
 			return err
 		}
 		secretOpts.Keypair = keypair
 		secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(bootstrapArgs.keyAlgorithm)
 		secretOpts.RSAKeyBits = int(bootstrapArgs.keyRSABits)
 		secretOpts.ECDSACurve = bootstrapArgs.keyECDSACurve.Curve
 		secretOpts.SSHHostname = gitlabArgs.hostname
-		if bootstrapArgs.privateKeyFile != "" {
+		secretOpts.SSHHostname = gitlabArgs.hostname
 			secretOpts.PrivateKeyPath = bootstrapArgs.privateKeyFile
 		}
 		if bootstrapArgs.sshHostname != "" {
 			secretOpts.SSHHostname = bootstrapArgs.sshHostname
 		}
@@ -246,19 +254,23 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		RecurseSubmodules: bootstrapArgs.recurseSubmodules,
 	}
 	entityList, err := bootstrap.LoadEntityListFromPath(bootstrapArgs.gpgKeyRingPath)
 	if err != nil {
 		return err
 	}
 	// Bootstrap config
 	bootstrapOpts := []bootstrap.GitProviderOption{
 		bootstrap.WithProviderRepository(gitlabArgs.owner, gitlabArgs.repository, gitlabArgs.personal),
 		bootstrap.WithBranch(bootstrapArgs.branch),
 		bootstrap.WithBootstrapTransportType("https"),
-		bootstrap.WithAuthor(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
+		bootstrap.WithSignature(bootstrapArgs.authorName, bootstrapArgs.authorEmail),
 		bootstrap.WithCommitMessageAppendix(bootstrapArgs.commitMessageAppendix),
 		bootstrap.WithProviderTeamPermissions(mapTeamSlice(gitlabArgs.teams, glDefaultPermission)),
 		bootstrap.WithReadWriteKeyPermissions(gitlabArgs.readWriteKey),
 		bootstrap.WithKubeconfig(kubeconfigArgs, kubeclientOptions),
 		bootstrap.WithLogger(logger),
-		bootstrap.WithCABundle(caBundle),
+		bootstrap.WithGitCommitSigning(entityList, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 		bootstrap.WithGitCommitSigning(bootstrapArgs.gpgKeyRingPath, bootstrapArgs.gpgPassphrase, bootstrapArgs.gpgKeyID),
 	}
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
--- a/cmd/flux/build_artifact.go
+++ b/cmd/flux/build_artifact.go
@@ -17,7 +17,10 @@ limitations under the License.
 package main
 import (
 	"bufio"
 	"bytes"
 	"fmt"
 	"io"
 	"os"
 	"strings"
@@ -30,10 +33,13 @@ import (
 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
-	Long:  `The build artifact command creates a tgz file with the manifests from the given directory.`,
+	Long:  `The build artifact command creates a tgz file with the manifests from the given directory or a single manifest file.`,
 	Example: `  # Build the given manifests directory into an artifact
  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
  # Build the given single manifest file into an artifact
  flux build artifact --path ./path/to/local/manifest.yaml --output ./path/to/artifact.tgz
  # List the files bundled in the artifact
  tar -ztvf ./path/to/artifact.tgz
 `,
@@ -51,7 +57,7 @@ var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Spl
 var buildArtifactArgs buildArtifactFlags
 func init() {
-	buildArtifactCmd.Flags().StringVar(&buildArtifactArgs.path, "path", "", "Path to the directory where the Kubernetes manifests are located.")
+	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.path, "path", "p", "", "Path to the directory where the Kubernetes manifests are located.")
 	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
 	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
@@ -63,18 +69,48 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid path %q", buildArtifactArgs.path)
 	}
-	if fs, err := os.Stat(buildArtifactArgs.path); err != nil || !fs.IsDir() {
+	path := buildArtifactArgs.path
-		return fmt.Errorf("invalid path '%s', must point to an existing directory", buildArtifactArgs.path)
+	var err error
 	if buildArtifactArgs.path == "-" {
 		path, err = saveReaderToFile(os.Stdin)
 		if err != nil {
 			return err
 		}
 		defer os.Remove(path)
 	}
-	logger.Actionf("building artifact from %s", buildArtifactArgs.path)
+	if _, err := os.Stat(path); err != nil {
 		return fmt.Errorf("invalid path '%s', must point to an existing directory or file", path)
 	}
 	logger.Actionf("building artifact from %s", path)
 	ociClient := oci.NewLocalClient()
-	if err := ociClient.Build(buildArtifactArgs.output, buildArtifactArgs.path, buildArtifactArgs.ignorePaths); err != nil {
+	if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
 		return fmt.Errorf("bulding artifact failed, error: %w", err)
 	}
 	logger.Successf("artifact created at %s", buildArtifactArgs.output)
 	return nil
 }
 func saveReaderToFile(reader io.Reader) (string, error) {
 	b, err := io.ReadAll(bufio.NewReader(reader))
 	if err != nil {
 		return "", err
 	}
 	b = bytes.TrimRight(b, "\r\n")
 	f, err := os.CreateTemp("", "*.yaml")
 	if err != nil {
 		return "", fmt.Errorf("unable to create temp dir for stdin")
 	}
 	defer f.Close()
 	if _, err := f.Write(b); err != nil {
 		return "", fmt.Errorf("error writing stdin to file: %w", err)
 	}
 	return f.Name(), nil
 }
--- a/cmd/flux/build_artifact_test.go
+++ b/cmd/flux/build_artifact_test.go
@@ -0,0 +1,70 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"os"
 	"strings"
 	"testing"
 	. "github.com/onsi/gomega"
 )
 func Test_saveReaderToFile(t *testing.T) {
 	g := NewWithT(t)
 	testString := `apiVersion: v1
 kind: ConfigMap
 metadata:
  name: myapp
 data:
  foo: bar`
 	tests := []struct {
 		name      string
 		string    string
 		expectErr bool
 	}{
 		{
 			name:   "yaml",
 			string: testString,
 		},
 		{
 			name:   "yaml with carriage return",
 			string: testString + "\r\n",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			tmpFile, err := saveReaderToFile(strings.NewReader(tt.string))
 			g.Expect(err).To(BeNil())
 			defer os.Remove(tmpFile)
 			b, err := os.ReadFile(tmpFile)
 			if tt.expectErr {
 				g.Expect(err).To(Not(BeNil()))
 				return
 			}
 			g.Expect(err).To(BeNil())
 			g.Expect(string(b)).To(BeEquivalentTo(testString))
 		})
 	}
 }
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@@ -40,7 +40,11 @@ It is possible to specify a Flux kustomization file using --kustomization-file.`
 flux build kustomization my-app --path ./path/to/local/manifests
 # Build using a local flux kustomization file
-flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
+flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml
 # Build in dry-run mode without connecting to the cluster.
 # Note that variable substitutions from Secrets and ConfigMaps are skipped in dry-run mode.
 flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml --dry-run`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
@@ -48,6 +52,7 @@ flux build kustomization my-app --path ./path/to/local/manifests --kustomization
 type buildKsFlags struct {
 	kustomizationFile string
 	path              string
 	dryRun            bool
 }
 var buildKsArgs buildKsFlags
@@ -55,10 +60,11 @@ var buildKsArgs buildKsFlags
 func init() {
 	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
 	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
 	buildCmd.AddCommand(buildKsCmd)
 }
-func buildKsCmdRun(cmd *cobra.Command, args []string) error {
+func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 	if len(args) < 1 {
 		return fmt.Errorf("%s name is required", kustomizationType.humanKind)
 	}
@@ -72,13 +78,32 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}
 	if buildKsArgs.dryRun && buildKsArgs.kustomizationFile == "" {
 		return fmt.Errorf("dry-run mode requires a kustomization file")
 	}
 	if buildKsArgs.kustomizationFile != "" {
 		if fs, err := os.Stat(buildKsArgs.kustomizationFile); os.IsNotExist(err) || fs.IsDir() {
 			return fmt.Errorf("invalid kustomization file %q", buildKsArgs.kustomizationFile)
 		}
 	}
-	builder, err := build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, buildKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(buildKsArgs.kustomizationFile))
+	var builder *build.Builder
 	if buildKsArgs.dryRun {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithDryRun(buildKsArgs.dryRun),
 			build.WithNamespace(*kubeconfigArgs.Namespace),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 		)
 	}
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@@ -142,6 +142,12 @@ spec:
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build deployment and configmap with var substitution in dry-run mode",
 			args:       "build kustomization podinfo --kustomization-file ./testdata/build-kustomization/podinfo.yaml --path ./testdata/build-kustomization/var-substitution --dry-run",
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -242,8 +242,9 @@ func crdsCheck() bool {
 		}
 		for _, crd := range list.Items {
-			if len(crd.Status.StoredVersions) > 0 {
+			versions := crd.Status.StoredVersions
-				logger.Successf(crd.Name + "/" + crd.Status.StoredVersions[0])
+			if len(versions) > 0 {
 				logger.Successf(crd.Name + "/" + versions[len(versions)-1])
 			} else {
 				ok = false
 				logger.Failuref("no stored versions for %s", crd.Name)
--- a/cmd/flux/completion_powershell.go
+++ b/cmd/flux/completion_powershell.go
@@ -34,12 +34,12 @@ To configure your powershell shell to load completions for each session add to y
 Windows:
 cd "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
-flux completion >> flux-completion.ps1
+flux completion powershell >> flux-completion.ps1
 Linux:
 cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
-flux completion >> flux-completions.ps1`,
+flux completion powershell >> flux-completions.ps1`,
 	Run: func(cmd *cobra.Command, args []string) {
 		rootCmd.GenPowerShellCompletion(os.Stdout)
 	},
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -79,12 +79,12 @@ type upsertable interface {
 // want to update. The mutate function is nullary -- you mutate a
 // value in the closure, e.g., by doing this:
 //
-//     var existing Value
+//	var existing Value
-//     existing.Name = name
+//	existing.Name = name
-//     existing.Namespace = ns
+//	existing.Namespace = ns
-//     upsert(ctx, client, valueAdapter{&value}, func() error {
+//	upsert(ctx, client, valueAdapter{&value}, func() error {
-//       value.Spec = onePreparedEarlier
+//	  value.Spec = onePreparedEarlier
-//     })
+//	})
 func (names apiType) upsert(ctx context.Context, kubeClient client.Client, object upsertable, mutate func() error) (types.NamespacedName, error) {
 	nsname := types.NamespacedName{
 		Namespace: object.GetNamespace(),
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@@ -28,7 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@@ -28,7 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -169,7 +169,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if kustomizationArgs.kubeConfigSecretRef != "" {
-		kustomization.Spec.KubeConfig = &kustomizev1.KubeConfig{
+		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
 			SecretRef: meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@@ -28,7 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -21,6 +21,7 @@ import (
 	"crypto/elliptic"
 	"fmt"
 	"net/url"
 	"os"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -135,8 +136,12 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	switch u.Scheme {
 	case "ssh":
 		keypair, err := sourcesecret.LoadKeyPairFromPath(secretGitArgs.privateKeyFile, secretGitArgs.password)
 		if err != nil {
 			return err
 		}
 		opts.Keypair = keypair
 		opts.SSHHostname = u.Host
 		opts.PrivateKeyPath = secretGitArgs.privateKeyFile
 		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
 		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
 		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
@@ -147,7 +152,13 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		opts.Username = secretGitArgs.username
 		opts.Password = secretGitArgs.password
-		opts.CAFilePath = secretGitArgs.caFile
+		if secretGitArgs.caFile != "" {
 			caBundle, err := os.ReadFile(secretGitArgs.caFile)
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
 			opts.CAFile = caBundle
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -18,6 +18,8 @@ package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -74,15 +76,34 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	caBundle := []byte{}
 	if secretHelmArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(secretHelmArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	var certFile, keyFile []byte
 	if secretHelmArgs.certFile != "" && secretHelmArgs.keyFile != "" {
 		if certFile, err = os.ReadFile(secretHelmArgs.certFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 		if keyFile, err = os.ReadFile(secretHelmArgs.keyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 	opts := sourcesecret.Options{
-		Name:         name,
+		Name:      name,
-		Namespace:    *kubeconfigArgs.Namespace,
+		Namespace: *kubeconfigArgs.Namespace,
-		Labels:       labels,
+		Labels:    labels,
-		Username:     secretHelmArgs.username,
+		Username:  secretHelmArgs.username,
-		Password:     secretHelmArgs.password,
+		Password:  secretHelmArgs.password,
-		CAFilePath:   secretHelmArgs.caFile,
+		CAFile:    caBundle,
-		CertFilePath: secretHelmArgs.certFile,
+		CertFile:  certFile,
-		KeyFilePath:  secretHelmArgs.keyFile,
+		KeyFile:   keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -18,6 +18,8 @@ package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -73,13 +75,32 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	caBundle := []byte{}
 	if secretTLSArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(secretTLSArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	var certFile, keyFile []byte
 	if secretTLSArgs.certFile != "" && secretTLSArgs.keyFile != "" {
 		if certFile, err = os.ReadFile(secretTLSArgs.certFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 		if keyFile, err = os.ReadFile(secretTLSArgs.keyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 	opts := sourcesecret.Options{
-		Name:         name,
+		Name:      name,
-		Namespace:    *kubeconfigArgs.Namespace,
+		Namespace: *kubeconfigArgs.Namespace,
-		Labels:       labels,
+		Labels:    labels,
-		CAFilePath:   secretTLSArgs.caFile,
+		CAFile:    caBundle,
-		CertFilePath: secretTLSArgs.certFile,
+		CertFile:  certFile,
-		KeyFilePath:  secretTLSArgs.keyFile,
+		KeyFile:   keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -259,16 +259,26 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		switch u.Scheme {
 		case "ssh":
 			keypair, err := sourcesecret.LoadKeyPairFromPath(sourceGitArgs.privateKeyFile, sourceGitArgs.password)
 			if err != nil {
 				return err
 			}
 			secretOpts.Keypair = keypair
 			secretOpts.SSHHostname = u.Host
 			secretOpts.PrivateKeyPath = sourceGitArgs.privateKeyFile
 			secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
 			secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
 			secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
 			secretOpts.Password = sourceGitArgs.password
 		case "https":
 			if sourceGitArgs.caFile != "" {
 				caBundle, err := os.ReadFile(sourceGitArgs.caFile)
 				if err != nil {
 					return fmt.Errorf("unable to read TLS CA file: %w", err)
 				}
 				secretOpts.CAFile = caBundle
 			}
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 			secretOpts.CAFilePath = sourceGitArgs.caFile
 		case "http":
 			logger.Warningf("insecure configuration: credentials configured for an HTTP URL")
 			secretOpts.Username = sourceGitArgs.username
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -168,6 +168,25 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	caBundle := []byte{}
 	if sourceHelmArgs.caFile != "" {
 		var err error
 		caBundle, err = os.ReadFile(sourceHelmArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
 	var certFile, keyFile []byte
 	if sourceHelmArgs.certFile != "" && sourceHelmArgs.keyFile != "" {
 		if certFile, err = os.ReadFile(sourceHelmArgs.certFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 		if keyFile, err = os.ReadFile(sourceHelmArgs.keyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 	logger.Generatef("generating HelmRepository source")
 	if sourceHelmArgs.secretRef == "" {
 		secretName := fmt.Sprintf("helm-%s", name)
@@ -176,9 +195,9 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			Namespace:    *kubeconfigArgs.Namespace,
 			Username:     sourceHelmArgs.username,
 			Password:     sourceHelmArgs.password,
-			CertFilePath: sourceHelmArgs.certFile,
+			CAFile:       caBundle,
-			KeyFilePath:  sourceHelmArgs.keyFile,
+			CertFile:     certFile,
-			CAFilePath:   sourceHelmArgs.caFile,
+			KeyFile:      keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
 		secret, err := sourcesecret.Generate(secretOpts)
--- a/cmd/flux/delete_alert.go
+++ b/cmd/flux/delete_alert.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var deleteAlertCmd = &cobra.Command{
--- a/cmd/flux/delete_alertprovider.go
+++ b/cmd/flux/delete_alertprovider.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var deleteAlertProviderCmd = &cobra.Command{
--- a/cmd/flux/delete_receiver.go
+++ b/cmd/flux/delete_receiver.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var deleteReceiverCmd = &cobra.Command{
--- a/cmd/flux/diff_artifact.go
+++ b/cmd/flux/diff_artifact.go
@@ -0,0 +1,111 @@
 /*
 Copyright 2022 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/fluxcd/flux2/internal/flags"
 	oci "github.com/fluxcd/pkg/oci/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/spf13/cobra"
 )
 var diffArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Diff Artifact",
 	Long:  `The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`,
 	Example: `# Check if local files differ from remote
 flux diff artifact oci://ghcr.io/stefanprodan/manifests:podinfo:6.2.0 --path=./kustomize`,
 	RunE: diffArtifactCmdRun,
 }
 type diffArtifactFlags struct {
 	path        string
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
 }
 var diffArtifactArgs = newDiffArtifactArgs()
 func newDiffArtifactArgs() diffArtifactFlags {
 	return diffArtifactFlags{
 		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
 	}
 }
 func init() {
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.path, "path", "", "path to the directory where the Kubernetes manifests are located")
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	diffArtifactCmd.Flags().Var(&diffArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	diffArtifactCmd.Flags().StringSliceVar(&diffArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
 	diffCmd.AddCommand(diffArtifactCmd)
 }
 func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("artifact URL is required")
 	}
 	ociURL := args[0]
 	if diffArtifactArgs.path == "" {
 		return fmt.Errorf("invalid path %q", diffArtifactArgs.path)
 	}
 	url, err := oci.ParseArtifactURL(ociURL)
 	if err != nil {
 		return err
 	}
 	if _, err := os.Stat(diffArtifactArgs.path); err != nil {
 		return fmt.Errorf("invalid path '%s', must point to an existing directory or file", diffArtifactArgs.path)
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 	ociClient := oci.NewLocalClient()
 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
 		if err := ociClient.LoginWithCredentials(diffArtifactArgs.creds); err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
 	}
 	if diffArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
 		ociProvider, err := diffArtifactArgs.provider.ToOCIProvider()
 		if err != nil {
 			return fmt.Errorf("provider not supported: %w", err)
 		}
 		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
 			return fmt.Errorf("error during login with provider: %w", err)
 		}
 	}
 	if err := ociClient.Diff(ctx, url, diffArtifactArgs.path, diffArtifactArgs.ignorePaths); err != nil {
 		return err
 	}
 	logger.Successf("no changes detected")
 	return nil
 }
--- a/cmd/flux/diff_artifact_test.go
+++ b/cmd/flux/diff_artifact_test.go
@@ -0,0 +1,109 @@
 //go:build unit
 // +build unit
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
 	"fmt"
 	"testing"
 	"time"
 	"github.com/distribution/distribution/v3/configuration"
 	"github.com/distribution/distribution/v3/registry"
 	_ "github.com/distribution/distribution/v3/registry/auth/htpasswd"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
 	"github.com/phayes/freeport"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 var dockerReg string
 func setupRegistryServer(ctx context.Context) error {
 	// Registry config
 	config := &configuration.Configuration{}
 	port, err := freeport.GetFreePort()
 	if err != nil {
 		return fmt.Errorf("failed to get free port: %s", err)
 	}
 	dockerReg = fmt.Sprintf("localhost:%d", port)
 	config.HTTP.Addr = fmt.Sprintf("127.0.0.1:%d", port)
 	config.HTTP.DrainTimeout = time.Duration(10) * time.Second
 	config.Storage = map[string]configuration.Parameters{"inmemory": map[string]interface{}{}}
 	dockerRegistry, err := registry.NewRegistry(ctx, config)
 	if err != nil {
 		return fmt.Errorf("failed to create docker registry: %w", err)
 	}
 	// Start Docker registry
 	go dockerRegistry.ListenAndServe()
 	return nil
 }
 func TestDiffArtifact(t *testing.T) {
 	tests := []struct {
 		name     string
 		url      string
 		argsTpl  string
 		pushFile string
 		diffFile string
 		assert   assertFunc
 	}{
 		{
 			name:     "should not fail if there is no diff",
 			url:      "oci://%s/podinfo:1.0.0",
 			argsTpl:  "diff artifact  %s --path=%s",
 			pushFile: "./testdata/diff-artifact/deployment.yaml",
 			diffFile: "./testdata/diff-artifact/deployment.yaml",
 			assert:   assertGoldenFile("testdata/diff-artifact/success.golden"),
 		},
 		{
 			name:     "should fail if there is a diff",
 			url:      "oci://%s/podinfo:2.0.0",
 			argsTpl:  "diff artifact %s --path=%s",
 			pushFile: "./testdata/diff-artifact/deployment.yaml",
 			diffFile: "./testdata/diff-artifact/deployment-diff.yaml",
 			assert:   assertError("the remote artifact contents differs from the local one"),
 		},
 	}
 	ctx := ctrl.SetupSignalHandler()
 	err := setupRegistryServer(ctx)
 	if err != nil {
 		panic(fmt.Sprintf("failed to start docker registry: %s", err))
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			tt.url = fmt.Sprintf(tt.url, dockerReg)
 			_, err := executeCommand("push artifact " + tt.url + " --path=" + tt.pushFile + " --source=test --revision=test")
 			if err != nil {
 				t.Fatalf(fmt.Errorf("failed to push image: %w", err).Error())
 			}
 			cmd := cmdTestCase{
 				args:   fmt.Sprintf(tt.argsTpl, tt.url, tt.diffFile),
 				assert: tt.assert,
 			}
 			cmd.runTestCmd(t)
 		})
 	}
 }
--- a/cmd/flux/diff_kustomization.go
+++ b/cmd/flux/diff_kustomization.go
@@ -77,12 +77,21 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
-	var builder *build.Builder
+	var (
-	var err error
+		builder *build.Builder
 		err     error
 	)
 	if diffKsArgs.progressBar {
-		builder, err = build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(diffKsArgs.kustomizationFile), build.WithProgressBar())
+		builder, err = build.NewBuilder(name, diffKsArgs.path,
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
 			build.WithProgressBar())
 	} else {
-		builder, err = build.NewBuilder(kubeconfigArgs, kubeclientOptions, name, diffKsArgs.path, build.WithTimeout(rootArgs.timeout), build.WithKustomizationFile(diffKsArgs.kustomizationFile))
+		builder, err = build.NewBuilder(name, diffKsArgs.path,
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile))
 	}
 	if err != nil {
--- a/cmd/flux/diff_kustomization_test.go
+++ b/cmd/flux/diff_kustomization_test.go
@@ -97,7 +97,7 @@ func TestDiffKustomization(t *testing.T) {
 		"fluxns": allocateNamespace("flux-system"),
 	}
-	b, _ := build.NewBuilder(kubeconfigArgs, kubeclientOptions, "podinfo", "")
+	b, _ := build.NewBuilder("podinfo", "", build.WithClientConfig(kubeconfigArgs, kubeclientOptions))
 	resourceManager, err := b.Manager()
 	if err != nil {
--- a/cmd/flux/export_alert.go
+++ b/cmd/flux/export_alert.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var exportAlertCmd = &cobra.Command{
--- a/cmd/flux/export_alertprovider.go
+++ b/cmd/flux/export_alertprovider.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var exportAlertProviderCmd = &cobra.Command{
--- a/cmd/flux/export_receiver.go
+++ b/cmd/flux/export_receiver.go
@@ -20,7 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var exportReceiverCmd = &cobra.Command{
--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@@ -214,7 +214,6 @@ func getRowsToPrint(getAll bool, list summarisable) ([][]string, error) {
 	return rows, nil
 }
 //
 // watch starts a client-side watch of one or more resources.
 func (get *getCommand) watch(ctx context.Context, kubeClient client.WithWatch, cmd *cobra.Command, args []string, listOpts []client.ListOption) error {
 	w, err := kubeClient.Watch(ctx, get.list.asClientList(), listOpts...)
--- a/cmd/flux/get_alert.go
+++ b/cmd/flux/get_alert.go
@@ -24,7 +24,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var getAlertCmd = &cobra.Command{
--- a/cmd/flux/get_alertprovider.go
+++ b/cmd/flux/get_alertprovider.go
@@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var getAlertProviderCmd = &cobra.Command{
--- a/cmd/flux/get_all.go
+++ b/cmd/flux/get_all.go
@@ -23,7 +23,7 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var getAllCmd = &cobra.Command{
--- a/cmd/flux/get_receiver.go
+++ b/cmd/flux/get_receiver.go
@@ -24,7 +24,7 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var getReceiverCmd = &cobra.Command{
--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@@ -31,7 +31,7 @@ import (
 var pushArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Push artifact",
-	Long: `The push artifact command creates a tarball from the given directory and uploads the artifact to an OCI repository.
+	Long: `The push artifact command creates a tarball from the given directory or the single file and uploads the artifact to an OCI repository.
 The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
 	Example: `  # Push manifests to GHCR using the short Git SHA as the OCI artifact tag
  echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
@@ -40,6 +40,18 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 	--source="$(git config --get remote.origin.url)" \
 	--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
  # Push manifests passed into stdin to GHCR
  kustomize build . | flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) -p - \ 
    --source="$(git config --get remote.origin.url)" \
    --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
  # Push single manifest file to GHCR using the short Git SHA as the OCI artifact tag
  echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
  flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
 	--path="./path/to/local/manifest.yaml" \
 	--source="$(git config --get remote.origin.url)" \
 	--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
  # Push manifests to Docker Hub using the Git tag as the OCI artifact tag
  echo $DOCKER_PAT | docker login --username flux --password-stdin
  flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
@@ -117,8 +129,18 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	if fs, err := os.Stat(pushArtifactArgs.path); err != nil || !fs.IsDir() {
+	path := pushArtifactArgs.path
-		return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
+	if pushArtifactArgs.path == "-" {
 		path, err = saveReaderToFile(os.Stdin)
 		if err != nil {
 			return err
 		}
 		defer os.Remove(path)
 	}
 	if _, err := os.Stat(path); err != nil {
 		return fmt.Errorf("invalid path '%s', must point to an existing directory or file: %w", path, err)
 	}
 	meta := oci.Metadata{
@@ -152,7 +174,7 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	logger.Actionf("pushing artifact to %s", url)
-	digest, err := ociClient.Push(ctx, url, pushArtifactArgs.path, meta, pushArtifactArgs.ignorePaths)
+	digest, err := ociClient.Push(ctx, url, path, meta, pushArtifactArgs.ignorePaths)
 	if err != nil {
 		return fmt.Errorf("pushing artifact failed: %w", err)
 	}
--- a/cmd/flux/receiver.go
+++ b/cmd/flux/receiver.go
@@ -19,7 +19,7 @@ package main
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 // notificationv1.Receiver
--- a/cmd/flux/reconcile.go
+++ b/cmd/flux/reconcile.go
@@ -30,7 +30,7 @@ import (
 	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
@@ -111,7 +111,7 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("%s annotated", reconcile.kind)
-	if reconcile.kind == v1beta1.AlertKind || reconcile.kind == v1beta1.ReceiverKind {
+	if reconcile.kind == notificationv1.AlertKind || reconcile.kind == notificationv1.ReceiverKind {
 		if err = wait.PollImmediate(rootArgs.pollInterval, rootArgs.timeout,
 			isReconcileReady(ctx, kubeClient, namespacedName, reconcile.object)); err != nil {
 			return err
--- a/cmd/flux/reconcile_alert.go
+++ b/cmd/flux/reconcile_alert.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var reconcileAlertCmd = &cobra.Command{
--- a/cmd/flux/reconcile_alertprovider.go
+++ b/cmd/flux/reconcile_alertprovider.go
@@ -25,7 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
--- a/cmd/flux/reconcile_receiver.go
+++ b/cmd/flux/reconcile_receiver.go
@@ -25,7 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/flux2/internal/utils"
--- a/cmd/flux/resume_alert.go
+++ b/cmd/flux/resume_alert.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var resumeAlertCmd = &cobra.Command{
--- a/cmd/flux/resume_receiver.go
+++ b/cmd/flux/resume_receiver.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var resumeReceiverCmd = &cobra.Command{
--- a/cmd/flux/suspend_alert.go
+++ b/cmd/flux/suspend_alert.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var suspendAlertCmd = &cobra.Command{
--- a/cmd/flux/suspend_receiver.go
+++ b/cmd/flux/suspend_receiver.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 )
 var suspendReceiverCmd = &cobra.Command{
--- a/cmd/flux/testdata/build-kustomization/delete-service/hpa.yaml
+++ b/cmd/flux/testdata/build-kustomization/delete-service/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: podinfo
--- a/cmd/flux/testdata/build-kustomization/podinfo-result.yaml
+++ b/cmd/flux/testdata/build-kustomization/podinfo-result.yaml
@@ -77,7 +77,7 @@ spec:
            cpu: 100m
            memory: 64Mi
 ---
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  labels:
--- a/cmd/flux/testdata/build-kustomization/podinfo-without-service-result.yaml
+++ b/cmd/flux/testdata/build-kustomization/podinfo-without-service-result.yaml
@@ -77,7 +77,7 @@ spec:
            cpu: 100m
            memory: 64Mi
 ---
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  labels:
--- a/cmd/flux/testdata/build-kustomization/podinfo/hpa.yaml
+++ b/cmd/flux/testdata/build-kustomization/podinfo/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: podinfo
--- a/cmd/flux/testdata/diff-artifact/deployment-diff.yaml
+++ b/cmd/flux/testdata/diff-artifact/deployment-diff.yaml
@@ -0,0 +1,78 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
      kustomize.toolkit.fluxcd.io/name: podinfo
      kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
  name: podinfo-diff
  namespace: default
 spec:
  minReadySeconds: 3
  revisionHistoryLimit: 5
  progressDeadlineSeconds: 60
  strategy:
    rollingUpdate:
      maxUnavailable: 0
    type: RollingUpdate
  selector:
    matchLabels:
      app: podinfo
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9797"
      labels:
        app: podinfo
    spec:
      containers:
      - name: podinfod
        image: ghcr.io/stefanprodan/podinfo:6.0.10
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 9898
          protocol: TCP
        - name: http-metrics
          containerPort: 9797
          protocol: TCP
        - name: grpc
          containerPort: 9999
          protocol: TCP
        command:
        - ./podinfo
        - --port=9898
        - --port-metrics=9797
        - --grpc-port=9999
        - --grpc-service-name=podinfo
        - --level=info
        - --random-delay=false
        - --random-error=false
        env:
        - name: PODINFO_UI_COLOR
          value: "#34577c"
        livenessProbe:
          exec:
            command:
            - podcli
            - check
            - http
            - localhost:9898/healthz
          initialDelaySeconds: 5
          timeoutSeconds: 5
        readinessProbe:
          exec:
            command:
            - podcli
            - check
            - http
            - localhost:9898/readyz
          initialDelaySeconds: 5
          timeoutSeconds: 5
        resources:
          limits:
            cpu: 2000m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 64Mi
--- a/cmd/flux/testdata/diff-artifact/deployment.yaml
+++ b/cmd/flux/testdata/diff-artifact/deployment.yaml
@@ -0,0 +1,78 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
      kustomize.toolkit.fluxcd.io/name: podinfo
      kustomize.toolkit.fluxcd.io/namespace: {{ .fluxns }}
  name: podinfo
  namespace: default
 spec:
  minReadySeconds: 3
  revisionHistoryLimit: 5
  progressDeadlineSeconds: 60
  strategy:
    rollingUpdate:
      maxUnavailable: 0
    type: RollingUpdate
  selector:
    matchLabels:
      app: podinfo
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9797"
      labels:
        app: podinfo
    spec:
      containers:
      - name: podinfod
        image: ghcr.io/stefanprodan/podinfo:6.0.10
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 9898
          protocol: TCP
        - name: http-metrics
          containerPort: 9797
          protocol: TCP
        - name: grpc
          containerPort: 9999
          protocol: TCP
        command:
        - ./podinfo
        - --port=9898
        - --port-metrics=9797
        - --grpc-port=9999
        - --grpc-service-name=podinfo
        - --level=info
        - --random-delay=false
        - --random-error=false
        env:
        - name: PODINFO_UI_COLOR
          value: "#34577c"
        livenessProbe:
          exec:
            command:
            - podcli
            - check
            - http
            - localhost:9898/healthz
          initialDelaySeconds: 5
          timeoutSeconds: 5
        readinessProbe:
          exec:
            command:
            - podcli
            - check
            - http
            - localhost:9898/readyz
          initialDelaySeconds: 5
          timeoutSeconds: 5
        resources:
          limits:
            cpu: 2000m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 64Mi
--- a/cmd/flux/testdata/diff-artifact/success.golden
+++ b/cmd/flux/testdata/diff-artifact/success.golden
@@ -0,0 +1 @@
 ✔ no changes detected
--- a/cmd/flux/testdata/export/alert.yaml
+++ b/cmd/flux/testdata/export/alert.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
+apiVersion: notification.toolkit.fluxcd.io/v1beta2
 kind: Alert
 metadata:
  name: flux-system
--- a/cmd/flux/testdata/export/objects.yaml
+++ b/cmd/flux/testdata/export/objects.yaml
@@ -4,7 +4,7 @@ kind: Namespace
 metadata:
  name: {{ .fluxns }}
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
+apiVersion: notification.toolkit.fluxcd.io/v1beta2
 kind: Provider
 metadata:
  name: slack
@@ -14,7 +14,7 @@ spec:
  channel: 'A channel with spacess'
  address: https://hooks.slack.com/services/mock
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
+apiVersion: notification.toolkit.fluxcd.io/v1beta2
 kind: Alert
 metadata:
  name: flux-system
@@ -97,7 +97,7 @@ spec:
  interval: 5m
  prune: true
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
+apiVersion: notification.toolkit.fluxcd.io/v1beta2
 kind: Receiver
 metadata:
  name: flux-system
--- a/cmd/flux/testdata/export/provider.yaml
+++ b/cmd/flux/testdata/export/provider.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
+apiVersion: notification.toolkit.fluxcd.io/v1beta2
 kind: Provider
 metadata:
  name: slack
--- a/cmd/flux/testdata/export/receiver.yaml
+++ b/cmd/flux/testdata/export/receiver.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
+apiVersion: notification.toolkit.fluxcd.io/v1beta2
 kind: Receiver
 metadata:
  name: flux-system
--- a/cmd/flux/testdata/oci/create_source_oci.golden
+++ b/cmd/flux/testdata/oci/create_source_oci.golden
@@ -2,4 +2,4 @@
 ✔ OCIRepository created
 ◎ waiting for OCIRepository reconciliation
 ✔ OCIRepository reconciliation completed
-✔ fetched revision: dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
+✔ fetched revision: 6.1.6/dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
--- a/cmd/flux/testdata/oci/get_oci.golden
+++ b/cmd/flux/testdata/oci/get_oci.golden
@@ -1,2 +1,2 @@
-NAME 	REVISION                                                        	SUSPENDED	READY	MESSAGE                                                                                       
+NAME 	REVISION                                                              	SUSPENDED	READY	MESSAGE                                                                                             
-thrfg	dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3	False    	True 	stored artifact for digest 'dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'	
+thrfg	6.1.6/dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3	False    	True 	stored artifact for digest '6.1.6/dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'	
--- a/cmd/flux/testdata/oci/reconcile_oci.golden
+++ b/cmd/flux/testdata/oci/reconcile_oci.golden
@@ -1,4 +1,4 @@
 ► annotating OCIRepository thrfg in {{ .ns }} namespace
 ✔ OCIRepository annotated
 ◎ waiting for OCIRepository reconciliation
-✔ fetched revision dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
+✔ fetched revision 6.1.6/dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
--- a/cmd/flux/testdata/oci/resume_oci.golden
+++ b/cmd/flux/testdata/oci/resume_oci.golden
@@ -2,4 +2,4 @@
 ✔ source oci resumed
 ◎ waiting for OCIRepository reconciliation
 ✔ OCIRepository reconciliation completed
-✔ fetched revision dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
+✔ fetched revision 6.1.6/dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3
--- a/cmd/flux/uninstall.go
+++ b/cmd/flux/uninstall.go
@@ -22,22 +22,9 @@ import (
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/pkg/uninstall"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 var uninstallCmd = &cobra.Command{
@@ -91,317 +78,18 @@ func uninstallCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Actionf("deleting components in %s namespace", *kubeconfigArgs.Namespace)
-	uninstallComponents(ctx, kubeClient, *kubeconfigArgs.Namespace, uninstallArgs.dryRun)
+	uninstall.Components(ctx, logger, kubeClient, *kubeconfigArgs.Namespace, uninstallArgs.dryRun)
 	logger.Actionf("deleting toolkit.fluxcd.io finalizers in all namespaces")
-	uninstallFinalizers(ctx, kubeClient, uninstallArgs.dryRun)
+	uninstall.Finalizers(ctx, logger, kubeClient, uninstallArgs.dryRun)
 	logger.Actionf("deleting toolkit.fluxcd.io custom resource definitions")
-	uninstallCustomResourceDefinitions(ctx, kubeClient, uninstallArgs.dryRun)
+	uninstall.CustomResourceDefinitions(ctx, logger, kubeClient, uninstallArgs.dryRun)
 	if !uninstallArgs.keepNamespace {
-		uninstallNamespace(ctx, kubeClient, *kubeconfigArgs.Namespace, uninstallArgs.dryRun)
+		uninstall.Namespace(ctx, logger, kubeClient, *kubeconfigArgs.Namespace, uninstallArgs.dryRun)
 	}
 	logger.Successf("uninstall finished")
 	return nil
 }
 func uninstallComponents(ctx context.Context, kubeClient client.Client, namespace string, dryRun bool) {
 	opts, dryRunStr := getDeleteOptions(dryRun)
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	{
 		var list appsv1.DeploymentList
 		if err := kubeClient.List(ctx, &list, client.InNamespace(namespace), selector); err == nil {
 			for _, r := range list.Items {
 				if err := kubeClient.Delete(ctx, &r, opts); err != nil {
 					logger.Failuref("Deployment/%s/%s deletion failed: %s", r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("Deployment/%s/%s deleted %s", r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list corev1.ServiceList
 		if err := kubeClient.List(ctx, &list, client.InNamespace(namespace), selector); err == nil {
 			for _, r := range list.Items {
 				if err := kubeClient.Delete(ctx, &r, opts); err != nil {
 					logger.Failuref("Service/%s/%s deletion failed: %s", r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("Service/%s/%s deleted %s", r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list networkingv1.NetworkPolicyList
 		if err := kubeClient.List(ctx, &list, client.InNamespace(namespace), selector); err == nil {
 			for _, r := range list.Items {
 				if err := kubeClient.Delete(ctx, &r, opts); err != nil {
 					logger.Failuref("NetworkPolicy/%s/%s deletion failed: %s", r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("NetworkPolicy/%s/%s deleted %s", r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list corev1.ServiceAccountList
 		if err := kubeClient.List(ctx, &list, client.InNamespace(namespace), selector); err == nil {
 			for _, r := range list.Items {
 				if err := kubeClient.Delete(ctx, &r, opts); err != nil {
 					logger.Failuref("ServiceAccount/%s/%s deletion failed: %s", r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("ServiceAccount/%s/%s deleted %s", r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list rbacv1.ClusterRoleList
 		if err := kubeClient.List(ctx, &list, selector); err == nil {
 			for _, r := range list.Items {
 				if err := kubeClient.Delete(ctx, &r, opts); err != nil {
 					logger.Failuref("ClusterRole/%s deletion failed: %s", r.Name, err.Error())
 				} else {
 					logger.Successf("ClusterRole/%s deleted %s", r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list rbacv1.ClusterRoleBindingList
 		if err := kubeClient.List(ctx, &list, selector); err == nil {
 			for _, r := range list.Items {
 				if err := kubeClient.Delete(ctx, &r, opts); err != nil {
 					logger.Failuref("ClusterRoleBinding/%s deletion failed: %s", r.Name, err.Error())
 				} else {
 					logger.Successf("ClusterRoleBinding/%s deleted %s", r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 }
 func uninstallFinalizers(ctx context.Context, kubeClient client.Client, dryRun bool) {
 	opts, dryRunStr := getUpdateOptions(dryRun)
 	{
 		var list sourcev1.GitRepositoryList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list sourcev1.OCIRepositoryList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list sourcev1.HelmRepositoryList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list sourcev1.HelmChartList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list sourcev1.BucketList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list kustomizev1.KustomizationList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list helmv2.HelmReleaseList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list notificationv1.AlertList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list notificationv1.ProviderList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list notificationv1.ReceiverList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list imagev1.ImagePolicyList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list imagev1.ImageRepositoryList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 	{
 		var list autov1.ImageUpdateAutomationList
 		if err := kubeClient.List(ctx, &list, client.InNamespace("")); err == nil {
 			for _, r := range list.Items {
 				r.Finalizers = []string{}
 				if err := kubeClient.Update(ctx, &r, opts); err != nil {
 					logger.Failuref("%s/%s/%s removing finalizers failed: %s", r.Kind, r.Namespace, r.Name, err.Error())
 				} else {
 					logger.Successf("%s/%s/%s finalizers deleted %s", r.Kind, r.Namespace, r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 }
 func uninstallCustomResourceDefinitions(ctx context.Context, kubeClient client.Client, dryRun bool) {
 	opts, dryRunStr := getDeleteOptions(dryRun)
 	selector := client.MatchingLabels{manifestgen.PartOfLabelKey: manifestgen.PartOfLabelValue}
 	{
 		var list apiextensionsv1.CustomResourceDefinitionList
 		if err := kubeClient.List(ctx, &list, selector); err == nil {
 			for _, r := range list.Items {
 				if err := kubeClient.Delete(ctx, &r, opts); err != nil {
 					logger.Failuref("CustomResourceDefinition/%s deletion failed: %s", r.Name, err.Error())
 				} else {
 					logger.Successf("CustomResourceDefinition/%s deleted %s", r.Name, dryRunStr)
 				}
 			}
 		}
 	}
 }
 func uninstallNamespace(ctx context.Context, kubeClient client.Client, namespace string, dryRun bool) {
 	opts, dryRunStr := getDeleteOptions(dryRun)
 	ns := corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace}}
 	if err := kubeClient.Delete(ctx, &ns, opts); err != nil {
 		logger.Failuref("Namespace/%s deletion failed: %s", namespace, err.Error())
 	} else {
 		logger.Successf("Namespace/%s deleted %s", namespace, dryRunStr)
 	}
 }
 func getDeleteOptions(dryRun bool) (*client.DeleteOptions, string) {
 	opts := &client.DeleteOptions{}
 	var dryRunStr string
 	if dryRun {
 		client.DryRunAll.ApplyToDelete(opts)
 		dryRunStr = "(dry run)"
 	}
 	return opts, dryRunStr
 }
 func getUpdateOptions(dryRun bool) (*client.UpdateOptions, string) {
 	opts := &client.UpdateOptions{}
 	var dryRunStr string
 	if dryRun {
 		client.DryRunAll.ApplyToUpdate(opts)
 		dryRunStr = "(dry run)"
 	}
 	return opts, dryRunStr
 }
--- a/go.mod
+++ b/go.mod
@@ -3,62 +3,68 @@ module github.com/fluxcd/flux2
 go 1.18
 require (
-	github.com/Masterminds/semver/v3 v3.1.1
+	github.com/Masterminds/semver/v3 v3.2.0
-	github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895
+	github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4
 	github.com/cyphar/filepath-securejoin v0.2.3
-	github.com/fluxcd/go-git-providers v0.8.0
+	github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2
-	github.com/fluxcd/helm-controller/api v0.24.0
+	github.com/fluxcd/go-git-providers v0.12.0
-	github.com/fluxcd/image-automation-controller/api v0.25.0
+	github.com/fluxcd/go-git/v5 v5.0.0-20221219190809-2e5c9d01cfc4
-	github.com/fluxcd/image-reflector-controller/api v0.21.0
+	github.com/fluxcd/helm-controller/api v0.28.1
-	github.com/fluxcd/kustomize-controller/api v0.28.0
+	github.com/fluxcd/image-automation-controller/api v0.28.0
-	github.com/fluxcd/notification-controller/api v0.26.0
+	github.com/fluxcd/image-reflector-controller/api v0.23.1
-	github.com/fluxcd/pkg/apis/meta v0.15.0
+	github.com/fluxcd/kustomize-controller/api v0.32.0
-	github.com/fluxcd/pkg/kustomize v0.7.0
+	github.com/fluxcd/notification-controller/api v0.30.2
-	github.com/fluxcd/pkg/oci v0.9.0
+	github.com/fluxcd/pkg/apis/meta v0.18.0
-	github.com/fluxcd/pkg/runtime v0.18.0
+	github.com/fluxcd/pkg/git v0.7.0
-	github.com/fluxcd/pkg/sourceignore v0.2.0
+	github.com/fluxcd/pkg/git/gogit v0.4.1
-	github.com/fluxcd/pkg/ssa v0.19.0
+	github.com/fluxcd/pkg/kustomize v0.12.0
-	github.com/fluxcd/pkg/ssh v0.6.0
+	github.com/fluxcd/pkg/oci v0.17.0
 	github.com/fluxcd/pkg/runtime v0.24.0
 	github.com/fluxcd/pkg/sourceignore v0.3.0
 	github.com/fluxcd/pkg/ssa v0.22.0
 	github.com/fluxcd/pkg/ssh v0.7.0
 	github.com/fluxcd/pkg/untar v0.2.0
 	github.com/fluxcd/pkg/version v0.2.0
-	github.com/fluxcd/source-controller/api v0.29.0
+	github.com/fluxcd/source-controller/api v0.33.0
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/gonvenience/bunt v1.3.4
 	github.com/gonvenience/ytbx v1.4.4
-	github.com/google/go-cmp v0.5.8
+	github.com/google/go-cmp v0.5.9
-	github.com/google/go-containerregistry v0.11.0
+	github.com/google/go-containerregistry v0.12.1
-	github.com/hashicorp/go-multierror v1.1.1
+	github.com/homeport/dyff v1.5.6
 	github.com/homeport/dyff v1.5.5
 	github.com/lucasb-eyer/go-colorful v1.2.0
 	github.com/manifoldco/promptui v0.9.0
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/onsi/gomega v1.20.1
+	github.com/onsi/gomega v1.24.2
-	github.com/spf13/cobra v1.5.0
+	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/theckman/yacspin v0.13.12
-	golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d
+	golang.org/x/crypto v0.4.0
-	golang.org/x/term v0.0.0-20220722155259-a9ba230a4035
+	golang.org/x/term v0.3.0
-	k8s.io/api v0.25.0
+	k8s.io/api v0.25.4
-	k8s.io/apiextensions-apiserver v0.25.0
+	k8s.io/apiextensions-apiserver v0.25.4
-	k8s.io/apimachinery v0.25.0
+	k8s.io/apimachinery v0.25.4
-	k8s.io/cli-runtime v0.25.0
+	k8s.io/cli-runtime v0.25.4
-	k8s.io/client-go v0.25.0
+	k8s.io/client-go v0.25.4
-	k8s.io/kubectl v0.25.0
+	k8s.io/kubectl v0.25.4
-	sigs.k8s.io/cli-utils v0.33.0
+	sigs.k8s.io/cli-utils v0.34.0
-	sigs.k8s.io/controller-runtime v0.12.3
+	sigs.k8s.io/controller-runtime v0.13.1
 	sigs.k8s.io/kustomize/api v0.12.1
 	sigs.k8s.io/kustomize/kyaml v0.13.9
 	sigs.k8s.io/yaml v1.3.0
 )
 // Fix CVE-2022-32149
 replace golang.org/x/text => golang.org/x/text v0.4.0
 // Fix CVE-2022-28948
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
 require (
 	cloud.google.com/go v0.99.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -67,68 +73,96 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect
 	github.com/BurntSushi/toml v1.0.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/aws/aws-sdk-go v1.44.84 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.17.2 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.18.4 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.4 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.22 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect
 	github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd // indirect
 	github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect
 	github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
-	github.com/cloudflare/circl v1.1.0 // indirect
+	github.com/cloudflare/circl v1.3.1 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v20.10.17+incompatible // indirect
+	github.com/docker/cli v20.10.20+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker v20.10.17+incompatible // indirect
+	github.com/docker/docker v20.10.20+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
-	github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 // indirect
+	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
-	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/drone/envsubst v1.0.3 // indirect
-	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/emicklei/go-restful/v3 v3.10.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/felixge/httpsnoop v1.0.1 // indirect
 	github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect
-	github.com/fluxcd/pkg/apis/kustomize v0.5.0 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v0.7.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/fluxcd/pkg/tar v0.2.0 // indirect
-	github.com/go-errors/errors v1.0.1 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect
 	github.com/go-git/go-git/v5 v5.4.2 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/swag v0.21.1 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/gomodule/redigo v1.8.2 // indirect
 	github.com/gonvenience/neat v1.3.11 // indirect
 	github.com/gonvenience/term v1.0.2 // indirect
 	github.com/gonvenience/text v1.0.7 // indirect
 	github.com/gonvenience/wrap v1.1.2 // indirect
-	github.com/google/btree v1.0.1 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-github/v45 v45.2.0 // indirect
+	github.com/google/go-github/v48 v48.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.15.8 // indirect
+	github.com/klauspost/compress v1.15.11 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -136,24 +170,25 @@ require (
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
-	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/hashstructure v1.1.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/moby/term v0.0.0-20221105221325-4eb28fa6025c // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.2.3 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.13.0 // indirect
+	github.com/prometheus/client_golang v1.14.0 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
@@ -161,19 +196,25 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/skeema/knownhosts v1.1.0 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
-	github.com/xanzy/go-gitlab v0.69.0 // indirect
+	github.com/xanzy/go-gitlab v0.77.0 // indirect
-	github.com/xanzy/ssh-agent v0.3.0 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xlab/treeprint v1.1.0 // indirect
-	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
+	github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 // indirect
-	golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c // indirect
+	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	go.starlark.net v0.0.0-20221028183056-acb66ad56dd2 // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/net v0.4.0 // indirect
-	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
+	golang.org/x/oauth2 v0.2.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/sys v0.3.0 // indirect
 	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/time v0.2.0 // indirect
 	golang.org/x/tools v0.4.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
@@ -181,10 +222,10 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.25.0 // indirect
+	k8s.io/component-base v0.25.4 // indirect
-	k8s.io/klog/v2 v2.70.1 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
+	k8s.io/kube-openapi v0.0.0-20221110221610-a28e98eb7c70 // indirect
-	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
+	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/bootstrap/git/commit_options.go
+++ b/internal/bootstrap/git/commit_options.go
@@ -1,42 +0,0 @@
 package git
 // Option is a some configuration that modifies options for a commit.
 type Option interface {
 	// ApplyToCommit applies this configuration to a given commit option.
 	ApplyToCommit(*CommitOptions)
 }
 // CommitOptions contains options for making a commit.
 type CommitOptions struct {
 	*GPGSigningInfo
 }
 // GPGSigningInfo contains information for signing a commit.
 type GPGSigningInfo struct {
 	KeyRingPath string
 	Passphrase  string
 	KeyID       string
 }
 type GpgSigningOption struct {
 	*GPGSigningInfo
 }
 func (w GpgSigningOption) ApplyToCommit(in *CommitOptions) {
 	in.GPGSigningInfo = w.GPGSigningInfo
 }
 func WithGpgSigningOption(path, passphrase, keyID string) Option {
 	// Return nil if no path is set, even if other options are configured.
 	if path == "" {
 		return GpgSigningOption{}
 	}
 	return GpgSigningOption{
 		GPGSigningInfo: &GPGSigningInfo{
 			KeyRingPath: path,
 			Passphrase:  passphrase,
 			KeyID:       keyID,
 		},
 	}
 }
--- a/internal/bootstrap/git/git.go
+++ b/internal/bootstrap/git/git.go
@@ -1,52 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package git
 import (
 	"context"
 	"errors"
 	"io"
 )
 var (
 	ErrNoGitRepository = errors.New("no git repository")
 	ErrNoStagedFiles   = errors.New("no staged files")
 )
 type Author struct {
 	Name  string
 	Email string
 }
 type Commit struct {
 	Author
 	Hash    string
 	Message string
 }
 // Git is an interface for basic Git operations on a single branch of a
 // remote repository.
 type Git interface {
 	Init(url, branch string) (bool, error)
 	Clone(ctx context.Context, url, branch string, caBundle []byte) (bool, error)
 	Write(path string, reader io.Reader) error
 	Commit(message Commit, options ...Option) (string, error)
 	Push(ctx context.Context, caBundle []byte) error
 	Status() (bool, error)
 	Head() (string, error)
 	Path() string
 }
--- a/internal/bootstrap/git/gogit/gogit.go
+++ b/internal/bootstrap/git/gogit/gogit.go
@@ -1,296 +0,0 @@
 /*
 Copyright 2021 The Flux authors
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package gogit
 import (
 	"context"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/ProtonMail/go-crypto/openpgp"
 	gogit "github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/fluxcd/flux2/internal/bootstrap/git"
 )
 type GoGit struct {
 	path       string
 	auth       transport.AuthMethod
 	repository *gogit.Repository
 }
 type CommitOptions struct {
 	GpgKeyPath       string
 	GpgKeyPassphrase string
 	KeyID            string
 }
 func New(path string, auth transport.AuthMethod) *GoGit {
 	return &GoGit{
 		path: path,
 		auth: auth,
 	}
 }
 func (g *GoGit) Init(url, branch string) (bool, error) {
 	if g.repository != nil {
 		return false, nil
 	}
 	r, err := gogit.PlainInit(g.path, false)
 	if err != nil {
 		return false, err
 	}
 	if _, err = r.CreateRemote(&config.RemoteConfig{
 		Name: gogit.DefaultRemoteName,
 		URLs: []string{url},
 	}); err != nil {
 		return false, err
 	}
 	branchRef := plumbing.NewBranchReferenceName(branch)
 	if err = r.CreateBranch(&config.Branch{
 		Name:   branch,
 		Remote: gogit.DefaultRemoteName,
 		Merge:  branchRef,
 	}); err != nil {
 		return false, err
 	}
 	// PlainInit assumes the initial branch to always be master, we can
 	// overwrite this by setting the reference of the Storer to a new
 	// symbolic reference (as there are no commits yet) that points
 	// the HEAD to our new branch.
 	if err = r.Storer.SetReference(plumbing.NewSymbolicReference(plumbing.HEAD, branchRef)); err != nil {
 		return false, err
 	}
 	g.repository = r
 	return true, nil
 }
 func (g *GoGit) Clone(ctx context.Context, url, branch string, caBundle []byte) (bool, error) {
 	branchRef := plumbing.NewBranchReferenceName(branch)
 	r, err := gogit.PlainCloneContext(ctx, g.path, false, &gogit.CloneOptions{
 		URL:           url,
 		Auth:          g.auth,
 		RemoteName:    gogit.DefaultRemoteName,
 		ReferenceName: branchRef,
 		SingleBranch:  true,
 		NoCheckout: false,
 		Progress:   nil,
 		Tags:       gogit.NoTags,
 		CABundle:   caBundle,
 	})
 	if err != nil {
 		if err == transport.ErrEmptyRemoteRepository || isRemoteBranchNotFoundErr(err, branchRef.String()) {
 			return g.Init(url, branch)
 		}
 		return false, err
 	}
 	g.repository = r
 	return true, nil
 }
 func (g *GoGit) Write(path string, reader io.Reader) error {
 	if g.repository == nil {
 		return git.ErrNoGitRepository
 	}
 	wt, err := g.repository.Worktree()
 	if err != nil {
 		return err
 	}
 	f, err := wt.Filesystem.Create(path)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, reader)
 	return err
 }
 func (g *GoGit) Commit(message git.Commit, opts ...git.Option) (string, error) {
 	if g.repository == nil {
 		return "", git.ErrNoGitRepository
 	}
 	wt, err := g.repository.Worktree()
 	if err != nil {
 		return "", err
 	}
 	status, err := wt.Status()
 	if err != nil {
 		return "", err
 	}
 	// apply the options
 	options := &git.CommitOptions{}
 	for _, opt := range opts {
 		opt.ApplyToCommit(options)
 	}
 	// go-git has [a bug](https://github.com/go-git/go-git/issues/253)
 	// whereby it thinks broken symlinks to absolute paths are
 	// modified. There's no circumstance in which we want to commit a
 	// change to a broken symlink: so, detect and skip those.
 	var changed bool
 	for file, _ := range status {
 		abspath := filepath.Join(g.path, file)
 		info, err := os.Lstat(abspath)
 		if err != nil {
 			return "", fmt.Errorf("checking if %s is a symlink: %w", file, err)
 		}
 		if info.Mode()&os.ModeSymlink > 0 {
 			// symlinks are OK; broken symlinks are probably a result
 			// of the bug mentioned above, but not of interest in any
 			// case.
 			if _, err := os.Stat(abspath); os.IsNotExist(err) {
 				continue
 			}
 		}
 		_, _ = wt.Add(file)
 		changed = true
 	}
 	if !changed {
 		head, err := g.repository.Head()
 		if err != nil {
 			return "", err
 		}
 		return head.Hash().String(), git.ErrNoStagedFiles
 	}
 	commitOpts := &gogit.CommitOptions{
 		Author: &object.Signature{
 			Name:  message.Name,
 			Email: message.Email,
 			When:  time.Now(),
 		},
 	}
 	if options.GPGSigningInfo != nil {
 		entity, err := getOpenPgpEntity(*options.GPGSigningInfo)
 		if err != nil {
 			return "", err
 		}
 		commitOpts.SignKey = entity
 	}
 	commit, err := wt.Commit(message.Message, commitOpts)
 	if err != nil {
 		return "", err
 	}
 	return commit.String(), nil
 }
 func (g *GoGit) Push(ctx context.Context, caBundle []byte) error {
 	if g.repository == nil {
 		return git.ErrNoGitRepository
 	}
 	return g.repository.PushContext(ctx, &gogit.PushOptions{
 		RemoteName: gogit.DefaultRemoteName,
 		Auth:       g.auth,
 		Progress:   nil,
 		CABundle:   caBundle,
 	})
 }
 func (g *GoGit) Status() (bool, error) {
 	if g.repository == nil {
 		return false, git.ErrNoGitRepository
 	}
 	wt, err := g.repository.Worktree()
 	if err != nil {
 		return false, err
 	}
 	status, err := wt.Status()
 	if err != nil {
 		return false, err
 	}
 	return status.IsClean(), nil
 }
 func (g *GoGit) Head() (string, error) {
 	if g.repository == nil {
 		return "", git.ErrNoGitRepository
 	}
 	head, err := g.repository.Head()
 	if err != nil {
 		return "", err
 	}
 	return head.Hash().String(), nil
 }
 func (g *GoGit) Path() string {
 	return g.path
 }
 func isRemoteBranchNotFoundErr(err error, ref string) bool {
 	return strings.Contains(err.Error(), fmt.Sprintf("couldn't find remote ref %q", ref))
 }
 func getOpenPgpEntity(info git.GPGSigningInfo) (*openpgp.Entity, error) {
 	r, err := os.Open(info.KeyRingPath)
 	if err != nil {
 		return nil, fmt.Errorf("unable to open GPG key ring: %w", err)
 	}
 	entityList, err := openpgp.ReadKeyRing(r)
 	if err != nil {
 		return nil, err
 	}
 	if len(entityList) == 0 {
 		return nil, fmt.Errorf("empty GPG key ring")
 	}
 	var entity *openpgp.Entity
 	if info.KeyID != "" {
 		for _, ent := range entityList {
 			if ent.PrimaryKey.KeyIdString() == info.KeyID {
 				entity = ent
 			}
 		}
 		if entity == nil {
 			return nil, fmt.Errorf("no GPG private key matching key id '%s' found", info.KeyID)
 		}
 	} else {
 		entity = entityList[0]
 	}
 	err = entity.PrivateKey.Decrypt([]byte(info.Passphrase))
 	if err != nil {
 		return nil, fmt.Errorf("unable to decrypt GPG private key: %w", err)
 	}
 	return entity, nil
 }
--- a/internal/bootstrap/git/gogit/gogit_test.go
+++ b/internal/bootstrap/git/gogit/gogit_test.go
@@ -1,67 +0,0 @@
 //go:build unit
 // +build unit
 package gogit
 import (
 	"testing"
 	"github.com/fluxcd/flux2/internal/bootstrap/git"
 )
 func TestGetOpenPgpEntity(t *testing.T) {
 	tests := []struct {
 		name       string
 		keyPath    string
 		passphrase string
 		id         string
 		expectErr  bool
 	}{
 		{
 			name:       "no default key id given",
 			keyPath:    "testdata/private.key",
 			passphrase: "flux",
 			id:         "",
 			expectErr:  false,
 		},
 		{
 			name:       "key id given",
 			keyPath:    "testdata/private.key",
 			passphrase: "flux",
 			id:         "0619327DBD777415",
 			expectErr:  false,
 		},
 		{
 			name:       "wrong key id",
 			keyPath:    "testdata/private.key",
 			passphrase: "flux",
 			id:         "0619327DBD777416",
 			expectErr:  true,
 		},
 		{
 			name:       "wrong password",
 			keyPath:    "testdata/private.key",
 			passphrase: "fluxe",
 			id:         "0619327DBD777415",
 			expectErr:  true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			gpgInfo := git.GPGSigningInfo{
 				KeyRingPath: tt.keyPath,
 				Passphrase:  tt.passphrase,
 				KeyID:       tt.id,
 			}
 			_, err := getOpenPgpEntity(gpgInfo)
 			if err != nil && !tt.expectErr {
 				t.Errorf("unexpected error: %s", err)
 			}
 			if err == nil && tt.expectErr {
 				t.Errorf("expected error when %s", tt.name)
 			}
 		})
 	}
 }
--- a/internal/bootstrap/git/gogit/testdata/private.key
+++ b/internal/bootstrap/git/gogit/testdata/private.key
--- a/internal/build/build.go
+++ b/internal/build/build.go
@@ -42,8 +42,8 @@ import (
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/kustomize"
 	"github.com/fluxcd/pkg/kustomize/filesys"
 	runclient "github.com/fluxcd/pkg/runtime/client"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"github.com/fluxcd/flux2/internal/utils"
 )
@@ -76,10 +76,13 @@ type Builder struct {
 	kustomization *kustomizev1.Kustomization
 	timeout       time.Duration
 	spinner       *yacspin.Spinner
 	dryRun        bool
 }
 // BuilderOptionFunc is a function that configures a Builder
 type BuilderOptionFunc func(b *Builder) error
 // WithKustomizationFile sets the kustomization file
 func WithKustomizationFile(file string) BuilderOptionFunc {
 	return func(b *Builder) error {
 		b.kustomizationFile = file
@@ -87,6 +90,7 @@ func WithKustomizationFile(file string) BuilderOptionFunc {
 	}
 }
 // WithTimeout sets the timeout for the builder
 func WithTimeout(timeout time.Duration) BuilderOptionFunc {
 	return func(b *Builder) error {
 		b.timeout = timeout
@@ -116,24 +120,55 @@ func WithProgressBar() BuilderOptionFunc {
 	}
 }
 // WithClientConfig sets the client configuration
 func WithClientConfig(rcg *genericclioptions.ConfigFlags, clientOpts *runclient.Options) BuilderOptionFunc {
 	return func(b *Builder) error {
 		kubeClient, err := utils.KubeClient(rcg, clientOpts)
 		if err != nil {
 			return err
 		}
 		restMapper, err := rcg.ToRESTMapper()
 		if err != nil {
 			return err
 		}
 		b.client = kubeClient
 		b.restMapper = restMapper
 		b.namespace = *rcg.Namespace
 		return nil
 	}
 }
 // WithNamespace sets the namespace
 func WithNamespace(namespace string) BuilderOptionFunc {
 	return func(b *Builder) error {
 		b.namespace = namespace
 		return nil
 	}
 }
 // WithDryRun sets the dry-run flag
 func WithDryRun(dryRun bool) BuilderOptionFunc {
 	return func(b *Builder) error {
 		b.dryRun = dryRun
 		return nil
 	}
 }
 // NewBuilder returns a new Builder
-// to dp : create functional options
+// It takes a kustomization name and a path to the resources
-func NewBuilder(rcg *genericclioptions.ConfigFlags, clientOpts *runclient.Options, name, resources string, opts ...BuilderOptionFunc) (*Builder, error) {
+// It also takes a list of BuilderOptionFunc to configure the builder
-	kubeClient, err := utils.KubeClient(rcg, clientOpts)
+// One of the options is WithClientConfig, that must be provided for the builder to work
-	if err != nil {
+// with the k8s cluster
-		return nil, err
+// One other option is WithKustomizationFile, that must be provided for the builder to work
-	}
+// with a local kustomization file. If the kustomization file is not provided, the builder
-
+// will try to retrieve the kustomization object from the k8s cluster.
-	restMapper, err := rcg.ToRESTMapper()
+// WithDryRun sets the dry-run flag, and needs to be provided if the builder is used for
-	if err != nil {
+// a dry-run. This flag works in conjunction with WithKustomizationFile, because the
-		return nil, err
+// kustomization object is not retrieved from the k8s cluster when the dry-run flag is set.
-	}
+func NewBuilder(name, resources string, opts ...BuilderOptionFunc) (*Builder, error) {
 	b := &Builder{
 		client:        kubeClient,
 		restMapper:    restMapper,
 		name:          name,
 		namespace:     *rcg.Namespace,
 		resourcesPath: resources,
 	}
@@ -147,6 +182,14 @@ func NewBuilder(rcg *genericclioptions.ConfigFlags, clientOpts *runclient.Option
 		b.timeout = defaultTimeout
 	}
 	if b.dryRun && b.kustomizationFile == "" {
 		return nil, fmt.Errorf("kustomization file is required for dry-run")
 	}
 	if !b.dryRun && b.client == nil {
 		return nil, fmt.Errorf("client is required for live run")
 	}
 	return b, nil
 }
@@ -188,7 +231,7 @@ func (b *Builder) build() (m resmap.ResMap, err error) {
 	defer cancel()
 	// Get the kustomization object
-	k := &kustomizev1.Kustomization{}
+	var k *kustomizev1.Kustomization
 	if b.kustomizationFile != "" {
 		k, err = b.unMarshallKustomization()
 		if err != nil {
@@ -273,7 +316,7 @@ func (b *Builder) generate(kustomization kustomizev1.Kustomization, dirPath stri
 	if err != nil {
 		return "", err
 	}
-	gen := kustomize.NewGenerator(unstructured.Unstructured{Object: data})
+	gen := kustomize.NewGenerator("", unstructured.Unstructured{Object: data})
 	// acuire the lock
 	b.mu.Lock()
@@ -283,17 +326,13 @@ func (b *Builder) generate(kustomization kustomizev1.Kustomization, dirPath stri
 }
 func (b *Builder) do(ctx context.Context, kustomization kustomizev1.Kustomization, dirPath string) (resmap.ResMap, error) {
-	// TODO(hidde): provide option to enforce FS boundaries of local build
+	fs := filesys.MakeFsOnDisk()
 	fs, err := filesys.MakeFsOnDiskSecureBuild("/")
 	if err != nil {
 		return nil, fmt.Errorf("kustomization build failed: %w", err)
 	}
 	// acuire the lock
 	b.mu.Lock()
 	defer b.mu.Unlock()
-	m, err := kustomize.BuildKustomization(fs, dirPath)
+	m, err := kustomize.Build(fs, dirPath)
 	if err != nil {
 		return nil, fmt.Errorf("kustomize build failed: %w", err)
 	}
@@ -305,7 +344,7 @@ func (b *Builder) do(ctx context.Context, kustomization kustomizev1.Kustomizatio
 			if err != nil {
 				return nil, err
 			}
-			outRes, err := kustomize.SubstituteVariables(ctx, b.client, unstructured.Unstructured{Object: data}, res)
+			outRes, err := kustomize.SubstituteVariables(ctx, b.client, unstructured.Unstructured{Object: data}, res, b.dryRun)
 			if err != nil {
 				return nil, fmt.Errorf("var substitution failed for '%s': %w", res.GetName(), err)
 			}
--- a/internal/build/diff.go
+++ b/internal/build/diff.go
@@ -27,20 +27,22 @@ import (
 	"sort"
 	"strings"
 	"github.com/fluxcd/flux2/pkg/printers"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/ssa"
 	"github.com/gonvenience/bunt"
 	"github.com/gonvenience/ytbx"
 	"github.com/google/go-cmp/cmp"
 	"github.com/hashicorp/go-multierror"
 	"github.com/homeport/dyff/pkg/dyff"
 	"github.com/lucasb-eyer/go-colorful"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/errors"
 	"sigs.k8s.io/cli-utils/pkg/kstatus/polling"
 	"sigs.k8s.io/cli-utils/pkg/object"
 	"sigs.k8s.io/yaml"
 	"github.com/fluxcd/pkg/ssa"
 	"github.com/fluxcd/flux2/pkg/printers"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 )
 func (b *Builder) Manager() (*ssa.ResourceManager, error) {
@@ -85,7 +87,7 @@ func (b *Builder) Diff() (string, bool, error) {
 		}
 	}
-	var diffErrs error
+	var diffErrs []error
 	// create an inventory of objects to be reconciled
 	newInventory := newInventory()
 	for _, obj := range objects {
@@ -97,7 +99,7 @@ func (b *Builder) Diff() (string, bool, error) {
 		change, liveObject, mergedObject, err := resourceManager.Diff(ctx, obj, diffOptions)
 		if err != nil {
 			// gather errors and continue, as we want to see all the diffs
-			diffErrs = multierror.Append(diffErrs, err)
+			diffErrs = append(diffErrs, err)
 			continue
 		}
@@ -135,7 +137,7 @@ func (b *Builder) Diff() (string, bool, error) {
 		b.spinner.Message("processing inventory")
 	}
-	if b.kustomization.Spec.Prune && diffErrs == nil {
+	if b.kustomization.Spec.Prune && len(diffErrs) == 0 {
 		oldStatus := b.kustomization.Status.DeepCopy()
 		if oldStatus.Inventory != nil {
 			diffObjects, err := diffInventory(oldStatus.Inventory, newInventory)
@@ -155,7 +157,7 @@ func (b *Builder) Diff() (string, bool, error) {
 		}
 	}
-	return output.String(), createdOrDrifted, diffErrs
+	return output.String(), createdOrDrifted, errors.Reduce(errors.Flatten(errors.NewAggregate(diffErrs)))
 }
 func writeYamls(liveObject, mergedObject *unstructured.Unstructured) (string, string, string, error) {
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
@@ -45,7 +45,7 @@ import (
 	imageautov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	imagereflectv1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	runclient "github.com/fluxcd/pkg/runtime/client"
 	"github.com/fluxcd/pkg/version"
--- a/manifests/bases/helm-controller/kustomization.yaml
+++ b/manifests/bases/helm-controller/kustomization.yaml
@@ -1,9 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/fluxcd/helm-controller/releases/download/v0.24.0/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.28.1/helm-controller.crds.yaml
- https://github.com/fluxcd/helm-controller/releases/download/v0.24.0/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.28.1/helm-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml
 patchesJson6902:
 - target:
    group: apps
--- a/manifests/bases/helm-controller/labels.yaml
+++ b/manifests/bases/helm-controller/labels.yaml
@@ -0,0 +1,9 @@
 apiVersion: builtin
 kind: LabelTransformer
 metadata:
  name: labels
 labels:
  app.kubernetes.io/component: helm-controller
 fieldSpecs:
  - path: metadata/labels
    create: true
--- a/manifests/bases/image-automation-controller/kustomization.yaml
+++ b/manifests/bases/image-automation-controller/kustomization.yaml
@@ -1,9 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.25.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.28.0/image-automation-controller.crds.yaml
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.25.0/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.28.0/image-automation-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml
 patchesJson6902:
 - target:
    group: apps
--- a/manifests/bases/image-automation-controller/labels.yaml
+++ b/manifests/bases/image-automation-controller/labels.yaml
@@ -0,0 +1,9 @@
 apiVersion: builtin
 kind: LabelTransformer
 metadata:
  name: labels
 labels:
  app.kubernetes.io/component: image-automation-controller
 fieldSpecs:
  - path: metadata/labels
    create: true
--- a/manifests/bases/image-reflector-controller/kustomization.yaml
+++ b/manifests/bases/image-reflector-controller/kustomization.yaml
@@ -1,9 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.21.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.23.1/image-reflector-controller.crds.yaml
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.21.0/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.23.1/image-reflector-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml
 patchesJson6902:
 - target:
    group: apps
--- a/manifests/bases/image-reflector-controller/labels.yaml
+++ b/manifests/bases/image-reflector-controller/labels.yaml
@@ -0,0 +1,9 @@
 apiVersion: builtin
 kind: LabelTransformer
 metadata:
  name: labels
 labels:
  app.kubernetes.io/component: image-reflector-controller
 fieldSpecs:
  - path: metadata/labels
    create: true
--- a/manifests/bases/kustomize-controller/kustomization.yaml
+++ b/manifests/bases/kustomize-controller/kustomization.yaml
@@ -1,9 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.28.0/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.32.0/kustomize-controller.crds.yaml
- https://github.com/fluxcd/kustomize-controller/releases/download/v0.28.0/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.32.0/kustomize-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml
 patchesJson6902:
 - target:
    group: apps
@@ -11,4 +13,3 @@ patchesJson6902:
    kind: Deployment
    name: kustomize-controller
  path: patch.yaml
--- a/manifests/bases/kustomize-controller/labels.yaml
+++ b/manifests/bases/kustomize-controller/labels.yaml
@@ -0,0 +1,9 @@
 apiVersion: builtin
 kind: LabelTransformer
 metadata:
  name: labels
 labels:
  app.kubernetes.io/component: kustomize-controller
 fieldSpecs:
  - path: metadata/labels
    create: true
--- a/manifests/bases/notification-controller/kustomization.yaml
+++ b/manifests/bases/notification-controller/kustomization.yaml
@@ -1,9 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/fluxcd/notification-controller/releases/download/v0.26.0/notification-controller.crds.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.30.2/notification-controller.crds.yaml
- https://github.com/fluxcd/notification-controller/releases/download/v0.26.0/notification-controller.deployment.yaml
+- https://github.com/fluxcd/notification-controller/releases/download/v0.30.2/notification-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml
 patchesJson6902:
  - target:
      group: apps
--- a/manifests/bases/notification-controller/labels.yaml
+++ b/manifests/bases/notification-controller/labels.yaml
@@ -0,0 +1,9 @@
 apiVersion: builtin
 kind: LabelTransformer
 metadata:
  name: labels
 labels:
  app.kubernetes.io/component: notification-controller
 fieldSpecs:
  - path: metadata/labels
    create: true
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`NAME REVISION SUSPENDED READY MESSAGE`	`NAME REVISION SUSPENDED READY MESSAGE`
	`thrfg dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3 False True stored artifact for digest 'dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'`	`thrfg 6.1.6/dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3 False True stored artifact for digest '6.1.6/dbdb109711ffb3be77504d2670dbe13c24dd63d8d7f1fb489d350e5bfe930dd3'`