Merge pull request #4327 from fluxcd/backport-4284-to-release/v2.1.x

[release/v2.1.x] Make `flux pull` work for OCI artifacts produced by other tools
Print artifact source and revision only when available
2026-03-01 11:16:56 +00:00 · 2023-10-12 16:30:07 +03:00 · 2023-10-12 13:15:10 +00:00 · 2023-10-12 13:15:10 +00:00 · 2023-10-12 14:25:35 +02:00 · 2023-10-12 12:12:21 +00:00
316 changed files with 4029 additions and 2768 deletions
--- a/.github/aur/flux-bin/.SRCINFO.template
+++ b/.github/aur/flux-bin/.SRCINFO.template
@@ -4,19 +4,16 @@ pkgbase = flux-bin
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
 	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
 	optdepends = bash-completion: auto-completion for flux in Bash
 	optdepends = zsh-completions: auto-completion for flux in ZSH
-	source_x86_64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_amd64.tar.gz
+	source_x86_64 = flux-bin-${PKGVER}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_amd64.tar.gz
 	sha256sums_x86_64 = ${SHA256SUM_AMD64}
-	source_armv6h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
+	source_armv7h = flux-bin-${PKGVER}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm.tar.gz
 	sha256sums_armv6h = ${SHA256SUM_ARM}
 	source_armv7h = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm.tar.gz
 	sha256sums_armv7h = ${SHA256SUM_ARM}
-	source_aarch64 = ${PKGNAME}-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${PKGVER}/flux_${PKGVER}_linux_arm64.tar.gz
+	source_aarch64 = flux-bin-${PKGVER}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_arm64.tar.gz
 	sha256sums_aarch64 = ${SHA256SUM_ARM64}
 pkgname = flux-bin
--- a/.github/aur/flux-bin/PKGBUILD.template
+++ b/.github/aur/flux-bin/PKGBUILD.template
@@ -4,37 +4,32 @@
 pkgname=flux-bin
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
 _srcname=flux
 _srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 optdepends=('bash-completion: auto-completion for flux in Bash'
            'zsh-completions: auto-completion for flux in ZSH')
 source_x86_64=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_amd64.tar.gz"
+  "${pkgname}-${pkgver}_linux_amd64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_amd64.tar.gz"
 )
 source_armv6h=(
  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
 )
 source_armv7h=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm.tar.gz"
+  "${pkgname}-${pkgver}_linux_arm.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm.tar.gz"
 )
 source_aarch64=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${pkgver}/flux_${pkgver}_linux_arm64.tar.gz"
+  "${pkgname}-${pkgver}_linux_arm64.tar.gz::https://github.com/fluxcd/flux2/releases/download/v${_srcver}/flux_${_srcver}_linux_arm64.tar.gz"
 )
 sha256sums_x86_64=(
  ${SHA256SUM_AMD64}
 )
 sha256sums_armv6h=(
  ${SHA256SUM_ARM}
 )
 sha256sums_armv7h=(
  ${SHA256SUM_ARM}
 )
 sha256sums_aarch64=(
  ${SHA256SUM_ARM64}
 )
 _srcname=flux
 package() {
 	install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
--- a/.github/aur/flux-bin/publish.sh
+++ b/.github/aur/flux-bin/publish.sh
@@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 # Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
@@ -36,12 +37,12 @@ else
    export PKGREL=1
 fi
-export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm.tar.gz | awk '{ print $1 }')
-export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_arm64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_ARM64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_arm64.tar.gz | awk '{ print $1 }')
-export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${PKGVER}_linux_amd64.tar.gz | awk '{ print $1 }')
+export SHA256SUM_AMD64=$(sha256sum ${ROOT}/dist/flux_${VERSION}_linux_amd64.tar.gz | awk '{ print $1 }')
-envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < .SRCINFO.template > $GITDIR/.SRCINFO
-envsubst '$PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM_AMD64 $SHA256SUM_ARM $SHA256SUM_ARM64' < PKGBUILD.template > $GITDIR/PKGBUILD
 cd $GITDIR
 git config user.name "fluxcdbot"
--- a/.github/aur/flux-go/.SRCINFO.template
+++ b/.github/aur/flux-go/.SRCINFO.template
@@ -4,7 +4,6 @@ pkgbase = flux-go
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
 	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
@@ -13,6 +12,6 @@ pkgbase = flux-go
 	provides = flux-bin
 	conflicts = flux-bin
  replaces = flux-cli
-	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${PKGVER}.tar.gz
+	source = flux-go-${PKGVER}.tar.gz::https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz
 pkgname = flux-go
--- a/.github/aur/flux-go/PKGBUILD.template
+++ b/.github/aur/flux-go/PKGBUILD.template
@@ -4,43 +4,44 @@
 pkgname=flux-go
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
 _srcname=flux
 _srcver=${VERSION}
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 replaces=("flux-cli")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0')
+makedepends=('go>=1.20', 'kustomize>=5.0')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
-  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${pkgver}.tar.gz"
+  "${pkgname}-${pkgver}.tar.gz::https://github.com/fluxcd/flux2/archive/v${_srcver}.tar.gz"
 )
 sha256sums=(
  ${SHA256SUM}
 )
 _srcname=flux
 build() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  export CGO_LDFLAGS="$LDFLAGS"
  export CGO_CFLAGS="$CFLAGS"
  export CGO_CXXFLAGS="$CXXFLAGS"
  export CGO_CPPFLAGS="$CPPFLAGS"
  export GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
  make cmd/flux/.manifests.done
-  go build -ldflags "-linkmode=external -X main.VERSION=${pkgver}" -o ${_srcname} ./cmd/flux
+  go build -ldflags "-linkmode=external -X main.VERSION=${_srcver}" -o ${_srcname} ./cmd/flux
 }
 check() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  case $CARCH in
    aarch64)
      export ENVTEST_ARCH=arm64
      ;;
-    armv6h|armv7h)
+    armv7h)
      export ENVTEST_ARCH=arm
      ;;
  esac
@@ -48,7 +49,7 @@ check() {
 }
 package() {
-  cd "flux2-${pkgver}"
+  cd "flux2-${_srcver}"
  install -Dm755 ${_srcname} "${pkgdir}/usr/bin/${_srcname}"
  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
--- a/.github/aur/flux-go/publish.sh
+++ b/.github/aur/flux-go/publish.sh
@@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 # Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
@@ -36,10 +37,10 @@ else
    export PKGREL=1
 fi
-export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v$PKGVER.tar.gz | sha256sum | awk '{ print $1 }')
+export SHA256SUM=$(curl -sL https://github.com/fluxcd/flux2/archive/v${VERSION}.tar.gz | sha256sum | awk '{ print $1 }')
-envsubst '$PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < .SRCINFO.template > $GITDIR/.SRCINFO
-envsubst '$PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
+envsubst '$VERSION $PKGVER $PKGREL $SHA256SUM' < PKGBUILD.template > $GITDIR/PKGBUILD
 cd $GITDIR
 git config user.name "fluxcdbot"
--- a/.github/aur/flux-scm/.SRCINFO.template
+++ b/.github/aur/flux-scm/.SRCINFO.template
@@ -4,7 +4,6 @@ pkgbase = flux-scm
 	pkgrel = ${PKGREL}
 	url = https://fluxcd.io/
 	arch = x86_64
 	arch = armv6h
 	arch = armv7h
 	arch = aarch64
 	license = APACHE
--- a/.github/aur/flux-scm/PKGBUILD.template
+++ b/.github/aur/flux-scm/PKGBUILD.template
@@ -4,21 +4,21 @@
 pkgname=flux-scm
 pkgver=${PKGVER}
 pkgrel=${PKGREL}
 _srcname=flux
 pkgdesc="Open and extensible continuous delivery solution for Kubernetes"
 url="https://fluxcd.io/"
-arch=("x86_64" "armv6h" "armv7h" "aarch64")
+arch=("x86_64" "armv7h" "aarch64")
 license=("APACHE")
 provides=("flux-bin")
 conflicts=("flux-bin")
 depends=("glibc")
-makedepends=('go>=1.17', 'kustomize>=3.0', 'git')
+makedepends=('go>=1.20', 'kustomize>=5.0', 'git')
 optdepends=('bash-completion: auto-completion for flux in Bash',
 'zsh-completions: auto-completion for flux in ZSH')
 source=(
  "git+https://github.com/fluxcd/flux2.git"
 )
 md5sums=('SKIP')
 _srcname=flux
 pkgver() {
  cd "flux2"
@@ -42,7 +42,7 @@ check() {
    aarch64)
      export ENVTEST_ARCH=arm64
      ;;
-    armv6h|armv7h)
+    armv7h)
      export ENVTEST_ARCH=arm
      ;;
  esac
--- a/.github/aur/flux-scm/publish.sh
+++ b/.github/aur/flux-scm/publish.sh
@@ -28,6 +28,7 @@ git clone aur@aur.archlinux.org:$PKGNAME $GITDIR 2>&1
 CURRENT_PKGVER=$(cat $GITDIR/.SRCINFO | grep pkgver | awk '{ print $3 }')
 CURRENT_PKGREL=$(cat $GITDIR/.SRCINFO | grep pkgrel | awk '{ print $3 }')
 # Transform pre-release to AUR compatible version format
 export PKGVER=${VERSION/-/}
 if [[ "${CURRENT_PKGVER}" == "${PKGVER}" ]]; then
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,7 +3,14 @@ version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
-    labels: ["area/build"]
+    labels: ["area/ci", "dependencies"]
    groups:
      # Group all updates together, so that they are all applied in a single PR.
      # Grouped updates are currently in beta and is subject to change.
      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
      ci:
        patterns:
          - "*"
    schedule:
-      # by default this will be on a monday.
+      # By default, this will be on a monday.
      interval: "weekly"
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@@ -0,0 +1,49 @@
 # Configuration file to declaratively configure labels
 # Ref: https://github.com/EndBug/label-sync#Config-files
 - name: area/bootstrap
  description: Bootstrap related issues and pull requests
  color: '#86efc9'
 - name: area/install
  description: Install and uninstall related issues and pull requests
  color: '#86efc9'
 - name: area/diff
  description: Diff related issues and pull requests
  color: '#BA4192'
 - name: area/bucket
  description: Bucket related issues and pull requests
  color: '#00b140'
 - name: area/git
  description: Git related issues and pull requests
  color: '#863faf'
 - name: area/oci
  description: OCI related issues and pull requests
  color: '#c739ff'
 - name: area/kustomization
  description: Kustomization related issues and pull requests
  color: '#00e54d'
 - name: area/helm
  description: Helm related issues and pull requests
  color: '#1673b6'
 - name: area/image-automation
  description: Automated image updates related issues and pull requests
  color: '#c5def5'
 - name: area/monitoring
  description: Monitoring related issues and pull requests
  color: '#dd75ae'
 - name: area/multi-tenancy
  description: Multi-tenancy related issues and pull requests
  color: '#72CDBD'
 - name: area/notification
  description: Notification API related issues and pull requests
  color: '#434ec1'
 - name: area/source
  description: Source API related issues and pull requests
  color: '#863faf'
 - name: area/rfc
  description: Feature request proposals in the RFC format
  color: '#D621C3'
  aliases: ['area/RFC']
 - name: backport:release/v2.0.x
  description: To be backported to release/v2.0.x
  color: '#ffd700'
--- a/.github/workflows/action.yaml
+++ b/.github/workflows/action.yaml
@@ -0,0 +1,29 @@
 name: test-gh-action
 on:
  pull_request:
    paths:
      - 'action/**'
  push:
    paths:
      - 'action/**'
    branches:
      - 'main'
      - 'release/**'
 permissions: read-all
 jobs:
  actions:
    strategy:
      fail-fast: false
      matrix:
        version: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.version }}
    name: action on ${{ matrix.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Setup flux
        uses: ./action
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -0,0 +1,31 @@
 name: backport
 on:
  pull_request_target:
    types: [closed, labeled]
 jobs:
  pull-request:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Create backport PRs
        uses: korthout/backport-action@bd68141f079bd036e45ea8149bc9d174d5a04703 # v1.4.0
        # xref: https://github.com/korthout/backport-action#inputs
        with:
          # Use token to allow workflows to be triggered for the created PR
          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
          # Match labels with a pattern `backport:<target-branch>`
          label_pattern: '^backport:([^ ]+)$'
          # A bit shorter pull-request title than the default
          pull_title: '[${target_branch}] ${pull_title}'
          # Simpler PR description than default
          pull_description: |-
            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -3,7 +3,7 @@ name: e2e-arm64
 on:
  workflow_dispatch:
  push:
-    branches: [ main, update-components, e2e-arm64* ]
+    branches: [ 'main', 'update-components', 'e2e-*', 'release/**' ]
 permissions:
  contents: read
@@ -17,14 +17,18 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Check which versions are available on DockerHub with 'crane ls kindest/node'
-        KUBERNETES_VERSION: [ 1.24.7, 1.25.3, 1.26.0 ]
+        KUBERNETES_VERSION: [ 1.25.11, 1.26.6, 1.27.3, 1.28.0 ]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Prepare
        id: prep
        run: |
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -5,7 +5,17 @@ on:
  schedule:
    - cron:  '0 6 * * *'
  push:
-    branches: [ azure* ]
+    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-azure.yaml'
  pull_request:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-azure.yaml'
 permissions:
  contents: read
@@ -13,20 +23,18 @@ permissions:
 jobs:
  e2e-amd64-aks:
    runs-on: ubuntu-22.04
    # This job is currently disabled since if always evaluates to false. Remove the false check when Azure subscription is enabled
    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Restore Go cache
        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.20-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go1.20-
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Flux CLI
        run: |
          make build
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@@ -3,9 +3,10 @@ name: e2e-bootstrap
 on:
  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
    paths-ignore: [ 'docs/**', 'rfcs/**' ]
 permissions:
  contents: read
@@ -16,27 +17,23 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Restore Go cache
        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.20-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go1.20-
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
        with:
-          version: v0.17.0
+          version: v0.20.0
          cluster_name: kind
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: kindest/node:v1.26.0
+          node_image: kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
-          kubectl_version: v1.26.2
+          kubectl_version: v1.28.0
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Build
@@ -102,7 +99,6 @@ jobs:
          --path=test-cluster \
          --read-write-key
          /tmp/flux reconcile image repository podinfo
          /tmp/flux reconcile image update flux-system
          /tmp/flux get images all
          retries=10
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -3,9 +3,10 @@ name: e2e
 on:
  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main, oci ]
+    branches: [ 'main', 'release/**' ]
    paths-ignore: [ 'docs/**', 'rfcs/**' ]
 permissions:
  contents: read
@@ -20,28 +21,24 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Restore Go cache
        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.20-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go1.20-
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
-        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
        with:
-          version: v0.17.0
+          version: v0.20.0
          cluster_name: kind
          config: .github/kind/config.yaml # disable KIND-net
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: kindest/node:v1.26.0
+          node_image: kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
-          kubectl_version: v1.26.2
+          kubectl_version: v1.28.0
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://docs.projectcalico.org/v3.25/manifests/calico.yaml
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@@ -0,0 +1,39 @@
 name: ossf
 on:
  workflow_dispatch:
  push:
    branches:
      - main
  schedule:
    # Weekly on Saturdays.
    - cron:  '30 1 * * 6'
 permissions: read-all
 jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Run analysis
        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true
      - name: Upload artifact
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        with:
          sarif_file: results.sarif
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,6 +9,10 @@ permissions:
 jobs:
  release-flux-cli:
    outputs:
      hashes: ${{ steps.slsa.outputs.hashes }}
      image_url: ${{ steps.slsa.outputs.image_url }}
      image_digest: ${{ steps.slsa.outputs.image_digest }}
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to write releases
@@ -16,32 +20,33 @@ jobs:
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache: false
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7  # v2.4.1
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1  # v2.9.1
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
+        uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2.1.0
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc  # v2.2.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -73,7 +78,8 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        id: run-goreleaser
        uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
        with:
          version: latest
          args: release --release-notes=output/notes.md --skip-validate
@@ -81,6 +87,22 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
          AUR_BOT_SSH_PRIVATE_KEY: ${{ secrets.AUR_BOT_SSH_PRIVATE_KEY }}
      - name: Generate SLSA metadata
        id: slsa
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
          echo "hashes=$hashes" >> $GITHUB_OUTPUT
          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
          echo "image_url=$image_url" >> $GITHUB_OUTPUT
          image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
  release-flux-manifests:
    runs-on: ubuntu-latest
    needs: release-flux-cli
@@ -88,7 +110,7 @@ jobs:
      id-token: write
      packages: write
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Flux CLI
@@ -99,13 +121,13 @@ jobs:
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to DockerHub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -133,7 +155,7 @@ jobs:
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+      - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
@@ -147,3 +169,43 @@ jobs:
          flux tag artifact oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
          --tag latest
  release-provenance:
    needs: [release-flux-cli]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      contents: write # for uploading attestations to GitHub releases.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      provenance-name: "provenance.intoto.jsonl"
      base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
      upload-assets: true
  dockerhub-provenance:
    needs: [release-flux-cli]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
  ghcr-provenance:
    needs: [release-flux-cli]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
    with:
      image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
      digest: ${{ needs.release-flux-cli.outputs.image_digest }}
      registry-username: fluxcdbot
    secrets:
      registry-password: ${{ secrets.GHCR_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -3,9 +3,9 @@ name: scan
 on:
  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
  schedule:
    - cron: '18 10 * * 3'
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Run FOSSA scan and upload build data
        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
        with:
@@ -31,18 +31,21 @@ jobs:
      security-events: write
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Setup Kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Download modules and build manifests
        run: |
          make tidy
          make cmd/flux/.manifests.done
-      - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+      - uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
      - name:  Run Snyk to check for vulnerabilities
        continue-on-error: true
        run: |
@@ -50,7 +53,7 @@ jobs:
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        with:
          sarif_file: snyk.sarif
@@ -61,16 +64,22 @@ jobs:
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout repository
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-      - name: Set up Go
+      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        with:
          languages: go
          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # xref: https://codeql.github.com/codeql-query-help/go/
          queries: security-and-quality
      - name: Autobuild
-        uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+        uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -0,0 +1,28 @@
 name: sync-labels
 on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - .github/labels.yaml
 permissions:
  contents: read
 jobs:
  labels:
    name: Run sync
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # v2.3.2
        with:
          # Configuration file
          config-file: |
            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
            .github/labels.yaml
          # Strictly declarative
          delete-other-labels: true
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -18,11 +18,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.20.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Update component versions
        id: update
        run: |
@@ -81,7 +84,7 @@ jobs:
      - name: Create Pull Request
        id: cpr
-        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          commit-message: |
@@ -96,7 +99,7 @@ jobs:
          body: |
            ${{ steps.update.outputs.pr_body }}
          labels: |
-            area/build
+            dependencies
          reviewers: ${{ secrets.ASSIGNEES }}
      - name: Check output
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -83,14 +83,7 @@ brews:
    install: |
      bin.install "flux"
-      bash_output = Utils.safe_popen_read(bin/"flux", "completion", "bash")
+      generate_completions_from_executable(bin/"flux", "completion")
      (bash_completion/"flux").write bash_output
      zsh_output = Utils.safe_popen_read(bin/"flux", "completion", "zsh")
      (zsh_completion/"_flux").write zsh_output
      fish_output = Utils.safe_popen_read(bin/"flux", "completion", "fish")
      (fish_completion/"flux.fish").write fish_output
    test: |
      system "#{bin}/flux --version"
 publishers:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -68,8 +68,8 @@ for source changes.
 Prerequisites:
 * go >= 1.20
-* kubectl >= 1.20
+* kubectl >= 1.24
-* kustomize >= 4.4
+* kustomize >= 5.0
 * coreutils (on Mac OS)
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
--- a/6
+++ b/6
@@ -1,15 +1,15 @@
-FROM alpine:3.17 as builder
+FROM alpine:3.18 as builder
 RUN apk add --no-cache ca-certificates curl
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.26.2
+ARG KUBECTL_VER=1.27.3
 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
    kubectl version --client=true
-FROM alpine:3.17 as flux-cli
+FROM alpine:3.18 as flux-cli
 RUN apk add --no-cache ca-certificates
--- a/README.md
+++ b/README.md
@@ -2,6 +2,7 @@
 [![release](https://img.shields.io/github/release/fluxcd/flux2/all.svg)](https://github.com/fluxcd/flux2/releases)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4782/badge)](https://bestpractices.coreinfrastructure.org/projects/4782)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2/badge)](https://api.securityscorecards.dev/projects/github.com/fluxcd/flux2)
 [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflux2?ref=badge_shield)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flux2)](https://artifacthub.io/packages/helm/fluxcd-community/flux2)
@@ -42,7 +43,7 @@ runtime for Flux v2. The APIs comprise Kubernetes custom resources,
 which can be created and updated by a cluster user, or by other
 automation tooling.
-![overview](docs/_files/gitops-toolkit.png)
+![overview](https://fluxcd.io/img/diagrams/gitops-toolkit.png)
 You can use the toolkit to extend Flux, or to build your own systems
 for continuous delivery -- see [the developer
--- a/action/README.md
+++ b/action/README.md
@@ -1,216 +1,22 @@
 # Flux GitHub Action
-Usage:
+To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:
 ```yaml
-    steps:
+steps:
-      - name: Setup Flux CLI
+  - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
+    uses: fluxcd/flux2/action@main
-      - name: Run Flux commands
+    with:
-        run: flux -v
+      version: 'latest'
  - name: Run Flux CLI
    run: flux version --client
 ```
-The latest stable version of the `flux` binary is downloaded from
+The Flux GitHub Action can be used to automate various tasks in CI, such as:
 GitHub [releases](https://github.com/fluxcd/flux2/releases)
 and placed at `/usr/local/bin/flux`.
-Note that this action can only be used on GitHub **Linux** runners.
+- [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
-You can change the arch (defaults to `amd64`) with:
+- [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
 - [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)
-```yaml
+For more information, please see the [Flux GitHub Action documentation](/flux/flux-gh-action.md).
    steps:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          arch: arm64 # can be amd64, arm64 or arm
 ```
 You can download a specific version with:
 ```yaml
    steps:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          version: 0.32.0
 ```
 You can also authenticate against the GitHub API using GitHub Actions' `GITHUB_TOKEN` secret.
 For more information, please [read about the GitHub token secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret).
 ```yaml
    steps:
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
 ```
 This is useful if you are seeing failures on shared runners, those failures are usually API limits being hit.
 ### Automate Flux updates
 Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
 ```yaml
 name: update-flux
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 * * * *"
 permissions:
  contents: write
  pull-requests: write
 jobs:
  components:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
      - name: Check for updates
        id: update
        run: |
          flux install \
            --export > ./clusters/production/flux-system/gotk-components.yaml
          VERSION="$(flux -v)"
          echo "flux_version=$VERSION" >> $GITHUB_OUTPUT
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v4
        with:
            token: ${{ secrets.GITHUB_TOKEN }}
            branch: update-flux
            commit-message: Update to ${{ steps.update.outputs.flux_version }}
            title: Update to ${{ steps.update.outputs.flux_version }}
            body: |
              ${{ steps.update.outputs.flux_version }}
 ```
 ### Push Kubernetes manifests to container registries
 Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
 ```yaml
 name: push-artifact-staging
 on:
  push:
    branches:
      - 'main'
 permissions:
  packages: write # needed for ghcr.io access
 env:
  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
 jobs:
  kubernetes:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate manifests
        run: |
          kustomize build ./manifests/staging > ./deploy/app.yaml
      - name: Push manifests
        run: |
          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
            --path="./deploy" \
            --source="$(git config --get remote.origin.url)" \
            --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
      - name: Deploy manifests to staging
        run: |
          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
 ```
 ### Push and sign Kubernetes manifests to container registries
 Example workflow for publishing Kubernetes manifests bundled as OCI artifacts
 which are signed with Cosign and GitHub OIDC:
 ```yaml
 name: push-sign-artifact
 on:
  push:
    branches:
      - 'main'
 permissions:
  packages: write # needed for ghcr.io access
  id-token: write # needed for keyless signing
 env:
  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
 jobs:
  kubernetes:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
      - name: Setup Cosign
        uses: sigstore/cosign-installer@main
      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push and sign manifests
        run: |
          digest_url=$(flux push artifact \
          $OCI_REPO:$(git rev-parse --short HEAD) \
          --path="./manifests" \
          --source="$(git config --get remote.origin.url)" \
          --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" |\
          jq -r '. | .repository + "@" + .digest')
          cosign sign $digest_url
 ```
 ### End-to-end testing
 Example workflow for running Flux in Kubernetes Kind:
 ```yaml
 name: e2e
 on:
  push:
    branches:
      - '*'
 jobs:
  kubernetes:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
      - name: Setup Kubernetes Kind
        uses: engineerd/setup-kind@v0.5.0
      - name: Install Flux in Kubernetes Kind
        run: flux install
 ```
 A complete e2e testing workflow is available here
 [flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)
--- a/action/action.yml
+++ b/action/action.yml
@@ -1,64 +1,120 @@
 name: Setup Flux CLI
-description: A GitHub Action for running Flux commands
+description: A GitHub Action for installing the Flux CLI
-author: Stefan Prodan
+author: Flux project
 branding:
  color: blue
  icon: command
 inputs:
  version:
-    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
+    description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
    required: false
  arch:
    description: "arch can be amd64, arm64 or arm"
-    required: true
+    required: false
-    default: "amd64"
+    deprecationMessage: "No longer required, action will now detect runner arch."
  bindir:
-    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
+    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
    required: false
  token:
-    description: "GitHub Token used to authentication against the API (generally only needed to prevent quota limit errors)"
+    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
    required: false
 runs:
  using: composite
  steps:
-    - name: "Download flux binary to tmp"
+    - name: "Download the binary to the runner's cache dir"
      shell: bash
      run: |
        ARCH=${{ inputs.arch }}
        VERSION=${{ inputs.version }}
        TOKEN=${{ inputs.token }}
-        if [ -z "${VERSION}" ]; then
+        TOKEN=${{ inputs.token }}
-          if [ -n "${TOKEN}" ]; then
+        if [[ -z "$TOKEN" ]]; then
-            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location --header "Authorization: token ${TOKEN}" | grep tag_name)
+          TOKEN=${{ github.token }}
-          else
+        fi
-            # With no GITHUB_TOKEN you will experience occasional failures due to rate limiting
+
-            # Ref: https://github.com/fluxcd/flux2/issues/3509#issuecomment-1400820992
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
-            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location | grep tag_name)
+          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
        fi
        if [[ -z "$VERSION" ]]; then
          echo "Unable to determine Flux CLI version"
          exit 1
        fi
        if [[ $VERSION = v* ]]; then
          VERSION="${VERSION:1}"
        fi
        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
        if [[ "$OS" == "macos" ]]; then
          OS="darwin"
        fi
        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
        if [[ "$ARCH" == "x64" ]]; then
          ARCH="amd64"
        elif [[ "$ARCH" == "x86" ]]; then
          ARCH="386"
        fi
        FLUX_EXEC_FILE="flux"
        if [[ "$OS" == "windows" ]]; then
            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
        fi
        FLUX_TOOL_DIR=${{ inputs.bindir }}
        if [[ -z "$FLUX_TOOL_DIR" ]]; then
          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
        fi
        if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
          DL_DIR="$(mktemp -dt flux2-XXXXXX)"
          trap 'rm -rf $DL_DIR' EXIT
          echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
          FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
          if [[ "$OS" == "windows" ]]; then
            FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
          fi
-          VERSION=$(echo "${VERSION_SLUG}" | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+          FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
          FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
          echo "Verifying checksum"
          sum=""
          if command -v openssl > /dev/null; then
            sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
          elif command -v sha256sum > /dev/null; then
            sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
          fi
          if [[ -z "$sum" ]]; then
            echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
            exit 1
          fi
          expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
          if [ "$sum" != "$expected_sum" ]; then
            echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
            exit 1
          fi
          echo "Installing flux to ${FLUX_TOOL_DIR}"
          mkdir -p "$FLUX_TOOL_DIR"
          if [[ "$OS" == "windows" ]]; then
            unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
          else
            tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
          fi
          chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
        fi
-        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
+        echo "Adding flux to path"
-        curl --silent --fail --location "${BIN_URL}" --output /tmp/flux.tar.gz
+        echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
-        mkdir -p /tmp/flux
+
-        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
+    - name: "Print installed flux version"
    - name: "Copy Flux binary to execute location"
      shell: bash
      run: |
        BINDIR=${{ inputs.bindir }}
        if [ -z "${BINDIR}" ]; then
          sudo cp /tmp/flux/flux /usr/local/bin
        else
          cp /tmp/flux/flux "${BINDIR}"
          echo "${BINDIR}" >> $GITHUB_PATH
        fi
    - name: "Cleanup tmp"
      shell: bash
      run: |
        rm -rf /tmp/flux/ /tmp/flux.tar.gz
    - name: "Verify correct installation of binary"
      shell: bash
      run: |
        flux -v
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -23,10 +23,10 @@ import (
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var bootstrapCmd = &cobra.Command{
--- a/cmd/flux/bootstrap_bitbucket_server.go
+++ b/cmd/flux/bootstrap_bitbucket_server.go
@@ -26,14 +26,14 @@ import (
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 var bootstrapBServerCmd = &cobra.Command{
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -28,13 +28,13 @@ import (
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 )
@@ -134,7 +134,7 @@ func bootstrapGitCmdRun(cmd *cobra.Command, args []string) error {
 			}
 		}
 		if repositoryURL.Scheme == string(git.HTTPS) && !bootstrapArgs.tokenAuth {
-			return fmt.Errorf("--token-auth=true must be specified for using a HTTPS AWS CodeCommit url")
+			return fmt.Errorf("--token-auth=true must be specified for using an HTTPS AWS CodeCommit url")
 		}
 	}
--- a/cmd/flux/bootstrap_github.go
+++ b/cmd/flux/bootstrap_github.go
@@ -26,14 +26,14 @@ import (
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 var bootstrapGitHubCmd = &cobra.Command{
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -28,14 +28,14 @@ import (
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/bootstrap"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap"
-	"github.com/fluxcd/flux2/pkg/bootstrap/provider"
+	"github.com/fluxcd/flux2/v2/pkg/bootstrap/provider"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sync"
 )
 var bootstrapGitLabCmd = &cobra.Command{
@@ -65,7 +65,11 @@ the bootstrap command will perform an upgrade if needed.`,
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --hostname=<domain> --token-auth
  # Run bootstrap for a an existing repository with a branch named main
-  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth`,
+  flux bootstrap gitlab --owner=<organization> --repository=<repository name> --branch=main --token-auth
  # Run bootstrap for a private repository using Deploy Token authentication
  flux bootstrap gitlab --owner=<group> --repository=<repository name> --deploy-token-auth
  `,
 	RunE: bootstrapGitLabCmdRun,
 }
@@ -77,16 +81,17 @@ const (
 )
 type gitlabFlags struct {
-	owner        string
+	owner           string
-	repository   string
+	repository      string
-	interval     time.Duration
+	interval        time.Duration
-	personal     bool
+	personal        bool
-	private      bool
+	private         bool
-	hostname     string
+	hostname        string
-	path         flags.SafeRelativePath
+	path            flags.SafeRelativePath
-	teams        []string
+	teams           []string
-	readWriteKey bool
+	readWriteKey    bool
-	reconcile    bool
+	reconcile       bool
 	deployTokenAuth bool
 }
 var gitlabArgs gitlabFlags
@@ -102,6 +107,7 @@ func init() {
 	bootstrapGitLabCmd.Flags().Var(&gitlabArgs.path, "path", "path relative to the repository root, when specified the cluster sync will be scoped to this path")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.readWriteKey, "read-write-key", false, "if true, the deploy key is configured with read/write permissions")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.reconcile, "reconcile", false, "if true, the configured options are also reconciled if the repository already exists")
 	bootstrapGitLabCmd.Flags().BoolVar(&gitlabArgs.deployTokenAuth, "deploy-token-auth", false, "when enabled, a Project Deploy Token is generated and will be used instead of the SSH deploy token")
 	bootstrapCmd.AddCommand(bootstrapGitLabCmd)
 }
@@ -123,6 +129,10 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	if bootstrapArgs.tokenAuth && gitlabArgs.deployTokenAuth {
 		return fmt.Errorf("--token-auth and --deploy-token-auth cannot be set both.")
 	}
 	if err := bootstrapValidate(); err != nil {
 		return err
 	}
@@ -225,6 +235,9 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		secretOpts.Username = "git"
 		secretOpts.Password = glToken
 		secretOpts.CAFile = caBundle
 	} else if gitlabArgs.deployTokenAuth {
 		// the actual deploy token will be reconciled later
 		secretOpts.CAFile = caBundle
 	} else {
 		keypair, err := sourcesecret.LoadKeyPairFromPath(bootstrapArgs.privateKeyFile, gitArgs.password)
 		if err != nil {
@@ -274,9 +287,12 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 	if bootstrapArgs.sshHostname != "" {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSSHHostname(bootstrapArgs.sshHostname))
 	}
-	if bootstrapArgs.tokenAuth {
+	if bootstrapArgs.tokenAuth || gitlabArgs.deployTokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithSyncTransportType("https"))
 	}
 	if gitlabArgs.deployTokenAuth {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithDeployTokenAuth())
 	}
 	if !gitlabArgs.private {
 		bootstrapOpts = append(bootstrapOpts, bootstrap.WithProviderRepositoryConfig("", "", "public"))
 	}
--- a/cmd/flux/build.go
+++ b/cmd/flux/build.go
@@ -23,7 +23,7 @@ import (
 var buildCmd = &cobra.Command{
 	Use:   "build",
 	Short: "Build a flux resource",
-	Long:  "The build command is used to build flux resources.",
+	Long:  `The build command is used to build flux resources.`,
 }
 func init() {
--- a/cmd/flux/build_artifact.go
+++ b/cmd/flux/build_artifact.go
@@ -33,7 +33,8 @@ import (
 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
-	Long:  `The build artifact command creates a tgz file with the manifests from the given directory or a single manifest file.`,
+	Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
 from the given directory or a single manifest file.`),
 	Example: `  # Build the given manifests directory into an artifact
  flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
@@ -86,7 +87,7 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	logger.Actionf("building artifact from %s", path)
-	ociClient := oci.NewLocalClient()
+	ociClient := oci.NewClient(oci.DefaultOptions())
 	if err := ociClient.Build(buildArtifactArgs.output, path, buildArtifactArgs.ignorePaths); err != nil {
 		return fmt.Errorf("bulding artifact failed, error: %w", err)
 	}
--- a/cmd/flux/build_kustomization.go
+++ b/cmd/flux/build_kustomization.go
@@ -21,10 +21,12 @@ import (
 	"os"
 	"os/signal"
 	"github.com/fluxcd/pkg/ssa"
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/flux2/internal/build"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+
 	"github.com/fluxcd/flux2/v2/internal/build"
 )
 var buildKsCmd = &cobra.Command{
@@ -44,7 +46,14 @@ flux build kustomization my-app --path ./path/to/local/manifests --kustomization
 # Build in dry-run mode without connecting to the cluster.
 # Note that variable substitutions from Secrets and ConfigMaps are skipped in dry-run mode.
-flux build kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml --dry-run`,
+flux build kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
 	--dry-run
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux build kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
 	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              buildKsCmdRun,
 }
@@ -52,6 +61,7 @@ flux build kustomization my-app --path ./path/to/local/manifests --kustomization
 type buildKsFlags struct {
 	kustomizationFile string
 	path              string
 	ignorePaths       []string
 	dryRun            bool
 }
@@ -60,6 +70,7 @@ var buildKsArgs buildKsFlags
 func init() {
 	buildKsCmd.Flags().StringVar(&buildKsArgs.path, "path", "", "Path to the manifests location.")
 	buildKsCmd.Flags().StringVar(&buildKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	buildKsCmd.Flags().StringSliceVar(&buildKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	buildKsCmd.Flags().BoolVar(&buildKsArgs.dryRun, "dry-run", false, "Dry run mode.")
 	buildCmd.AddCommand(buildKsCmd)
 }
@@ -95,12 +106,14 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithDryRun(buildKsArgs.dryRun),
 			build.WithNamespace(*kubeconfigArgs.Namespace),
 			build.WithIgnore(buildKsArgs.ignorePaths),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, buildKsArgs.path,
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(buildKsArgs.kustomizationFile),
 			build.WithIgnore(buildKsArgs.ignorePaths),
 		)
 	}
@@ -114,12 +127,17 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 	errChan := make(chan error)
 	go func() {
-		manifests, err := builder.Build()
+		objects, err := builder.Build()
 		if err != nil {
 			errChan <- err
 		}
-		cmd.Print(string(manifests))
+		manifests, err := ssa.ObjectsToYAML(objects)
 		if err != nil {
 			errChan <- err
 		}
 		cmd.Print(manifests)
 		errChan <- nil
 	}()
--- a/cmd/flux/build_kustomization_test.go
+++ b/cmd/flux/build_kustomization_test.go
@@ -63,6 +63,12 @@ func TestBuildKustomization(t *testing.T) {
 			resultFile: "./testdata/build-kustomization/podinfo-with-var-substitution-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 		{
 			name:       "build ignore",
 			args:       "build kustomization podinfo --path ./testdata/build-kustomization/ignore --ignore-paths \"!configmap.yaml,!secret.yaml\"",
 			resultFile: "./testdata/build-kustomization/podinfo-with-ignore-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
 	}
 	tmpl := map[string]string{
@@ -92,7 +98,7 @@ func TestBuildKustomization(t *testing.T) {
 }
 func TestBuildLocalKustomization(t *testing.T) {
-	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+	podinfo := `apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: podinfo
@@ -153,6 +159,7 @@ spec:
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
 	setup(t, tmpl)
 	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -30,17 +30,17 @@ import (
 	"github.com/fluxcd/pkg/version"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen"
-	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
-	"github.com/fluxcd/flux2/pkg/status"
+	"github.com/fluxcd/flux2/v2/pkg/status"
 )
 var checkCmd = &cobra.Command{
 	Use:   "check",
 	Short: "Check requirements and installation",
-	Long: `The check command will perform a series of checks to validate that
+	Long: withPreviewNote(`The check command will perform a series of checks to validate that
-the local environment is configured correctly and if the installed components are healthy.`,
+the local environment is configured correctly and if the installed components are healthy.`),
 	Example: `  # Run pre-installation checks
  flux check --pre
@@ -57,7 +57,7 @@ type checkFlags struct {
 }
 var kubernetesConstraints = []string{
-	">=1.20.6-0",
+	">=1.25.0-0",
 }
 var checkArgs checkFlags
--- a/cmd/flux/check_test.go
+++ b/cmd/flux/check_test.go
@@ -25,7 +25,7 @@ import (
 	"strings"
 	"testing"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 func TestCheckPre(t *testing.T) {
--- a/cmd/flux/completion.go
+++ b/cmd/flux/completion.go
@@ -20,7 +20,7 @@ import (
 	"context"
 	"strings"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,7 +31,7 @@ import (
 var completionCmd = &cobra.Command{
 	Use:   "completion",
 	Short: "Generates completion scripts for various shells",
-	Long:  "The completion sub-command generates completion scripts for various shells",
+	Long:  `The completion sub-command generates completion scripts for various shells.`,
 }
 func init() {
--- a/cmd/flux/completion_bash.go
+++ b/cmd/flux/completion_bash.go
@@ -25,6 +25,7 @@ import (
 var completionBashCmd = &cobra.Command{
 	Use:   "bash",
 	Short: "Generates bash completion scripts",
 	Long:  `The completion sub-command generates completion scripts for bash.`,
 	Example: `To load completion run
 . <(flux completion bash)
--- a/cmd/flux/completion_fish.go
+++ b/cmd/flux/completion_fish.go
@@ -25,6 +25,7 @@ import (
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
 	Long:  `The completion sub-command generates completion scripts for fish.`,
 	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:
 flux completion fish > ~/.config/fish/completions/flux.fish
--- a/cmd/flux/completion_powershell.go
+++ b/cmd/flux/completion_powershell.go
@@ -25,6 +25,7 @@ import (
 var completionPowerShellCmd = &cobra.Command{
 	Use:   "powershell",
 	Short: "Generates powershell completion scripts",
 	Long:  `The completion sub-command generates completion scripts for powershell.`,
 	Example: `To load completion run
 . <(flux completion powershell)
--- a/cmd/flux/completion_zsh.go
+++ b/cmd/flux/completion_zsh.go
@@ -26,6 +26,7 @@ import (
 var completionZshCmd = &cobra.Command{
 	Use:   "zsh",
 	Short: "Generates zsh completion scripts",
 	Long:  `The completion sub-command generates completion scripts for zsh.`,
 	Example: `To load completion run
 . <(flux completion zsh)
--- a/cmd/flux/create.go
+++ b/cmd/flux/create.go
@@ -30,13 +30,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create or update sources and resources",
-	Long:  "The create sub-commands generate sources and resources.",
+	Long:  `The create sub-commands generate sources and resources.`,
 }
 type createFlags struct {
--- a/cmd/flux/create_alert.go
+++ b/cmd/flux/create_alert.go
@@ -28,16 +28,17 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Create or update a Alert resource",
-	Long:  "The create alert command generates a Alert resource.",
+	Long:  withPreviewNote(`The create alert command generates a Alert resource.`),
 	Example: `  # Create an Alert for kustomization events
  flux create alert \
  --event-severity info \
@@ -96,13 +97,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Generatef("generating Alert")
 	}
-	alert := notificationv1.Alert{
+	alert := notificationv1b2.Alert{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: notificationv1.AlertSpec{
+		Spec: notificationv1b2.AlertSpec{
 			ProviderRef: meta.LocalObjectReference{
 				Name: alertArgs.providerRef,
 			},
@@ -140,13 +141,13 @@ func createAlertCmdRun(cmd *cobra.Command, args []string) error {
 }
 func upsertAlert(ctx context.Context, kubeClient client.Client,
-	alert *notificationv1.Alert) (types.NamespacedName, error) {
+	alert *notificationv1b2.Alert) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: alert.GetNamespace(),
 		Name:      alert.GetName(),
 	}
-	var existing notificationv1.Alert
+	var existing notificationv1b2.Alert
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -171,7 +172,7 @@ func upsertAlert(ctx context.Context, kubeClient client.Client,
 }
 func isAlertReady(ctx context.Context, kubeClient client.Client,
-	namespacedName types.NamespacedName, alert *notificationv1.Alert) wait.ConditionFunc {
+	namespacedName types.NamespacedName, alert *notificationv1b2.Alert) wait.ConditionFunc {
 	return func() (bool, error) {
 		err := kubeClient.Get(ctx, namespacedName, alert)
 		if err != nil {
--- a/cmd/flux/create_alertprovider.go
+++ b/cmd/flux/create_alertprovider.go
@@ -31,13 +31,13 @@ import (
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Create or update a Provider resource",
-	Long:  "The create alert-provider command generates a Provider resource.",
+	Long:  withPreviewNote(`The create alert-provider command generates a Provider resource.`),
 	Example: `  # Create a Provider for a Slack channel
  flux create alert-provider slack \
  --type slack \
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -24,8 +24,8 @@ import (
 	"strings"
 	"time"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
@@ -46,7 +46,7 @@ var createHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Create or update a HelmRelease resource",
-	Long:    "The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.",
+	Long:    withPreviewNote(`The helmrelease create command generates a HelmRelease resource for a given HelmRepository source.`),
 	Example: `  # Create a HelmRelease with a chart from a HelmRepository source
  flux create hr podinfo \
    --interval=10m \
@@ -83,9 +83,9 @@ var createHelmReleaseCmd = &cobra.Command{
  # Create a HelmRelease with a custom release name
  flux create hr podinfo \
-    --release-name=podinfo-dev
+    --release-name=podinfo-dev \
    --source=HelmRepository/podinfo \
-    --chart=podinfo \
+    --chart=podinfo
  # Create a HelmRelease targeting another namespace than the resource
  flux create hr podinfo \
--- a/cmd/flux/create_image.go
+++ b/cmd/flux/create_image.go
@@ -20,14 +20,12 @@ import (
 	"github.com/spf13/cobra"
 )
 const createImageLong = `The create image sub-commands work with image automation objects; that is,
 object controlling updates to git based on e.g., new container images
 being available.`
 var createImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Create or update resources dealing with image automation",
-	Long:  createImageLong,
+	Long: `The create image sub-commands work with image automation objects;
 that is, object controlling updates to git based on e.g., new container images
 being available.`,
 }
 func init() {
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -34,12 +34,12 @@ import (
 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
-	Long: `The create image policy command generates an ImagePolicy resource.
+	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.
 The image that sorts highest according to the policy is recorded in
-the status of the object.`,
+the status of the object.`),
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -32,8 +32,8 @@ import (
 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
-	Long: `The create image repository command generates an ImageRepository resource.
+	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
-An ImageRepository object specifies an image repository to scan.`,
+An ImageRepository object specifies an image repository to scan.`),
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -23,15 +23,15 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
-	Long: `The create image update command generates an ImageUpdateAutomation resource.
+	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
-mentioned in YAMLs in a git repository.`,
+mentioned in YAMLs in a git repository.`),
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -31,18 +31,18 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Create or update a Kustomization resource",
-	Long:    "The create command generates a Kustomization resource for a given source.",
+	Long:    `The create command generates a Kustomization resource for a given source.`,
 	Example: `  # Create a Kustomization resource from a source at a given path
  flux create kustomization kyverno \
    --source=GitRepository/kyverno \
@@ -97,6 +97,7 @@ type kustomizationFlags struct {
 	targetNamespace     string
 	wait                bool
 	kubeConfigSecretRef string
 	retryInterval       time.Duration
 }
 var kustomizationArgs = NewKustomizationFlags()
@@ -116,6 +117,7 @@ func init() {
 	createKsCmd.Flags().StringVar(&kustomizationArgs.targetNamespace, "target-namespace", "", "overrides the namespace of all Kustomization objects reconciled by this Kustomization")
 	createKsCmd.Flags().StringVar(&kustomizationArgs.kubeConfigSecretRef, "kubeconfig-secret-ref", "", "the name of the Kubernetes Secret that contains a key with the kubeconfig file for connecting to a remote cluster")
 	createKsCmd.Flags().MarkDeprecated("validation", "this arg is no longer used, all resources are validated using server-side apply dry-run")
 	createKsCmd.Flags().DurationVar(&kustomizationArgs.retryInterval, "retry-interval", 0, "the interval at which to retry a previously failed reconciliation")
 	createCmd.AddCommand(createKsCmd)
 }
@@ -238,6 +240,10 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 	if kustomizationArgs.retryInterval > 0 {
 		kustomization.Spec.RetryInterval = &metav1.Duration{Duration: kustomizationArgs.retryInterval}
 	}
 	if createArgs.export {
 		return printExport(exportKs(&kustomization))
 	}
--- a/cmd/flux/create_receiver.go
+++ b/cmd/flux/create_receiver.go
@@ -28,16 +28,16 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Create or update a Receiver resource",
-	Long:  "The create receiver command generates a Receiver resource.",
+	Long:  `The create receiver command generates a Receiver resource.`,
 	Example: `  # Create a Receiver
  flux create receiver github-receiver \
 	--type github \
@@ -145,7 +145,7 @@ func createReceiverCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	logger.Successf("Receiver %s is ready", name)
-	logger.Successf("generated webhook URL %s", receiver.Status.URL)
+	logger.Successf("generated webhook URL %s", receiver.Status.WebhookPath)
 	return nil
 }
--- a/cmd/flux/create_secret.go
+++ b/cmd/flux/create_secret.go
@@ -29,7 +29,7 @@ import (
 var createSecretCmd = &cobra.Command{
 	Use:   "secret",
 	Short: "Create or update Kubernetes secrets",
-	Long:  "The create source sub-commands generate Kubernetes secrets specific to Flux.",
+	Long:  `The create source sub-commands generate Kubernetes secrets specific to Flux.`,
 }
 func init() {
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -27,17 +27,19 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Create or update a Kubernetes secret for Git authentication",
 	Long: `The create secret git command generates a Kubernetes secret with Git credentials.
-For Git over SSH, the host and SSH keys are automatically generated and stored in the secret.
+For Git over SSH, the host and SSH keys are automatically generated and stored
-For Git over HTTP/S, the provided basic authentication credentials are stored in the secret.`,
+in the secret.
 For Git over HTTP/S, the provided basic authentication credentials or bearer
 authentication token are stored in the secret.`,
 	Example: `  # Create a Git SSH authentication secret using an ECDSA P-521 curve public key
  flux create secret git podinfo-auth \
@@ -86,7 +88,9 @@ type secretGitFlags struct {
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
 	caFile         string
 	caCrtFile      string
 	privateKeyFile string
 	bearerToken    string
 }
 var secretGitArgs = NewSecretGitFlags()
@@ -99,7 +103,9 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates; takes precedence over --ca-file")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
 	createSecretCmd.AddCommand(createSecretGitCmd)
 }
@@ -147,17 +153,27 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
 		opts.Password = secretGitArgs.password
 	case "http", "https":
-		if secretGitArgs.username == "" || secretGitArgs.password == "" {
+		if (secretGitArgs.username == "" || secretGitArgs.password == "") && secretGitArgs.bearerToken == "" {
-			return fmt.Errorf("for Git over HTTP/S the username and password are required")
+			return fmt.Errorf("for Git over HTTP/S the username and password, or a bearer token is required")
 		}
 		opts.Username = secretGitArgs.username
 		opts.Password = secretGitArgs.password
-		if secretGitArgs.caFile != "" {
+		opts.BearerToken = secretGitArgs.bearerToken
-			caBundle, err := os.ReadFile(secretGitArgs.caFile)
+		if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
 			return fmt.Errorf("user credentials and bearer token cannot be used together")
 		}
 		// --ca-crt-file takes precedence over --ca-file.
 		if secretGitArgs.caCrtFile != "" {
 			opts.CACrt, err = os.ReadFile(secretGitArgs.caCrtFile)
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
 		} else if secretGitArgs.caFile != "" {
 			opts.CAFile, err = os.ReadFile(secretGitArgs.caFile)
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
 			opts.CAFile = caBundle
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
--- a/cmd/flux/create_secret_git_test.go
+++ b/cmd/flux/create_secret_git_test.go
@@ -1,10 +1,21 @@
 package main
 import (
 	"fmt"
 	"os"
 	"testing"
 )
 func TestCreateGitSecret(t *testing.T) {
 	file, err := os.CreateTemp(t.TempDir(), "ca-crt")
 	if err != nil {
 		t.Fatal("could not create CA certificate file")
 	}
 	_, err = file.Write([]byte("ca-data"))
 	if err != nil {
 		t.Fatal("could not write to CA certificate file")
 	}
 	tests := []struct {
 		name   string
 		args   string
@@ -30,6 +41,21 @@ func TestCreateGitSecret(t *testing.T) {
 			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=./testdata/create_secret/git/ecdsa-password.private --password=password --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-ssh-secret-password.yaml"),
 		},
 		{
 			name:   "git authentication with bearer token",
 			args:   "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
 		},
 		{
 			name:   "git authentication with CA certificate",
 			args:   fmt.Sprintf("create secret git ca-crt --url=https://github.com/stefanprodan/podinfo --password=my-password --username=my-username --ca-crt-file=%s --namespace=my-namespace --export", file.Name()),
 			assert: assertGoldenFile("testdata/create_secret/git/secret-ca-crt.yaml"),
 		},
 		{
 			name:   "git authentication with basic auth and bearer token",
 			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
 			assert: assertError("user credentials and bearer token cannot be used together"),
 		},
 	}
 	for _, tt := range tests {
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -25,14 +25,14 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a Kubernetes secret for Helm repository authentication",
-	Long:  `The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
+	Long:  withPreviewNote(`The create secret helm command generates a Kubernetes secret with basic authentication credentials.`),
 	Example: ` # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret helm repo-auth \
    --namespace=my-namespace \
@@ -41,15 +41,8 @@ var createSecretHelmCmd = &cobra.Command{
    --export > repo-auth.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
-    --in-place repo-auth.yaml
+    --in-place repo-auth.yaml`,
  # Create a Helm authentication secret using a custom TLS cert
  flux create secret helm repo-auth \
    --username=username \
    --password=password \
    --cert-file=./cert.crt \
    --key-file=./key.crt \
    --ca-file=./ca.crt`,
 	RunE: createSecretHelmCmdRun,
 }
@@ -62,9 +55,16 @@ type secretHelmFlags struct {
 var secretHelmArgs secretHelmFlags
 func init() {
-	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
+	flags := createSecretHelmCmd.Flags()
-	createSecretHelmCmd.Flags().StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
+	flags.StringVarP(&secretHelmArgs.username, "username", "u", "", "basic authentication username")
-	initSecretTLSFlags(createSecretHelmCmd.Flags(), &secretHelmArgs.secretTLSFlags)
+	flags.StringVarP(&secretHelmArgs.password, "password", "p", "", "basic authentication password")
 	initSecretDeprecatedTLSFlags(flags, &secretHelmArgs.secretTLSFlags)
 	deprecationMsg := "please use the command `flux create secret tls` to generate TLS secrets"
 	flags.MarkDeprecated("cert-file", deprecationMsg)
 	flags.MarkDeprecated("key-file", deprecationMsg)
 	flags.MarkDeprecated("ca-file", deprecationMsg)
 	createSecretCmd.AddCommand(createSecretHelmCmd)
 }
--- a/cmd/flux/create_secret_oci.go
+++ b/cmd/flux/create_secret_oci.go
@@ -20,8 +20,8 @@ import (
 	"context"
 	"fmt"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -31,7 +31,7 @@ import (
 var createSecretOCICmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Create or update a Kubernetes image pull secret",
-	Long:  `The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`,
+	Long:  withPreviewNote(`The create secret oci command generates a Kubernetes secret that can be used for OCIRepository authentication`),
 	Example: `  # Create an OCI authentication secret on disk and encrypt it with Mozilla SOPS
  flux create secret oci podinfo-auth \
    --url=ghcr.io \
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -26,20 +26,21 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSecretTLSCmd = &cobra.Command{
 	Use:   "tls [name]",
 	Short: "Create or update a Kubernetes secret with TLS certificates",
-	Long:  `The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`,
+	Long:  withPreviewNote(`The create secret tls command generates a Kubernetes secret with certificates for use with TLS.`),
 	Example: ` # Create a TLS secret on disk and encrypt it with Mozilla SOPS.
  # Files are expected to be PEM-encoded.
  flux create secret tls certs \
    --namespace=my-namespace \
-    --cert-file=./client.crt \
+    --tls-crt-file=./client.crt \
-    --key-file=./client.key \
+    --tls-key-file=./client.key \
    --ca-crt-file=./ca.crt \
    --export > certs.yaml
  sops --encrypt --encrypted-regex '^(data|stringData)$' \
@@ -48,22 +49,37 @@ var createSecretTLSCmd = &cobra.Command{
 }
 type secretTLSFlags struct {
-	certFile string
+	certFile   string
-	keyFile  string
+	keyFile    string
-	caFile   string
+	caFile     string
 	caCrtFile  string
 	tlsKeyFile string
 	tlsCrtFile string
 }
 var secretTLSArgs secretTLSFlags
-func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
+func initSecretDeprecatedTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.certFile, "cert-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.keyFile, "key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caFile, "ca-file", "", "TLS authentication CA file path")
 }
 func initSecretTLSFlags(flags *pflag.FlagSet, args *secretTLSFlags) {
 	flags.StringVar(&args.tlsCrtFile, "tls-crt-file", "", "TLS authentication cert file path")
 	flags.StringVar(&args.tlsKeyFile, "tls-key-file", "", "TLS authentication key file path")
 	flags.StringVar(&args.caCrtFile, "ca-crt-file", "", "TLS authentication CA file path")
 }
 func init() {
 	flags := createSecretTLSCmd.Flags()
 	initSecretDeprecatedTLSFlags(flags, &secretTLSArgs)
 	initSecretTLSFlags(flags, &secretTLSArgs)
 	flags.MarkDeprecated("cert-file", "please use --tls-crt-file instead")
 	flags.MarkDeprecated("key-file", "please use --tls-key-file instead")
 	flags.MarkDeprecated("ca-file", "please use --ca-crt-file instead")
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
@@ -75,33 +91,40 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
-	caBundle := []byte{}
+	opts := sourcesecret.Options{
-	if secretTLSArgs.caFile != "" {
+		Name:      name,
-		var err error
+		Namespace: *kubeconfigArgs.Namespace,
-		caBundle, err = os.ReadFile(secretTLSArgs.caFile)
+		Labels:    labels,
 	}
 	if secretTLSArgs.caCrtFile != "" {
 		opts.CACrt, err = os.ReadFile(secretTLSArgs.caCrtFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	} else if secretTLSArgs.caFile != "" {
 		opts.CAFile, err = os.ReadFile(secretTLSArgs.caFile)
 		if err != nil {
 			return fmt.Errorf("unable to read TLS CA file: %w", err)
 		}
 	}
-	var certFile, keyFile []byte
+	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
-	if secretTLSArgs.certFile != "" && secretTLSArgs.keyFile != "" {
+		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 		if certFile, err = os.ReadFile(secretTLSArgs.certFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
-		if keyFile, err = os.ReadFile(secretTLSArgs.keyFile); err != nil {
+		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	} else if secretTLSArgs.certFile != "" && secretTLSArgs.keyFile != "" {
 		if opts.CertFile, err = os.ReadFile(secretTLSArgs.certFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
 		if opts.KeyFile, err = os.ReadFile(secretTLSArgs.keyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 	opts := sourcesecret.Options{
 		Name:      name,
 		Namespace: *kubeconfigArgs.Namespace,
 		Labels:    labels,
 		CAFile:    caBundle,
 		CertFile:  certFile,
 		KeyFile:   keyFile,
 	}
 	secret, err := sourcesecret.Generate(opts)
 	if err != nil {
 		return err
--- a/cmd/flux/create_secret_tls_test.go
+++ b/cmd/flux/create_secret_tls_test.go
@@ -4,7 +4,7 @@ import (
 	"testing"
 )
-func TestCreateTlsSecretNoArgs(t *testing.T) {
+func TestCreateTlsSecret(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   string
@@ -15,9 +15,13 @@ func TestCreateTlsSecretNoArgs(t *testing.T) {
 			assert: assertError("name is required"),
 		},
 		{
-			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --export",
+			args:   "create secret tls certs --namespace=my-namespace --tls-crt-file=./testdata/create_secret/tls/test-cert.pem --tls-key-file=./testdata/create_secret/tls/test-key.pem --ca-crt-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/secret-tls.yaml"),
 		},
 		{
 			args:   "create secret tls certs --namespace=my-namespace --cert-file=./testdata/create_secret/tls/test-cert.pem --key-file=./testdata/create_secret/tls/test-key.pem --ca-file=./testdata/create_secret/tls/test-ca.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/tls/deprecated-secret-tls.yaml"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/cmd/flux/create_source.go
+++ b/cmd/flux/create_source.go
@@ -25,7 +25,7 @@ import (
 var createSourceCmd = &cobra.Command{
 	Use:   "source",
 	Short: "Create or update sources",
-	Long:  "The create source sub-commands generate sources.",
+	Long:  `The create source sub-commands generate sources.`,
 }
 type createSourceFlags struct {
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -35,15 +35,15 @@ import (
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Create or update a Bucket source",
-	Long: `The create source bucket command generates a Bucket resource and waits for it to be downloaded.
+	Long: withPreviewNote(`The create source bucket command generates a Bucket resource and waits for it to be downloaded.
-For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`,
+For Buckets with static authentication, the credentials are stored in a Kubernetes secret.`),
 	Example: `  # Create a source for a Bucket using static authentication
  flux create source bucket podinfo \
 	--bucket-name=podinfo \
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -37,11 +37,11 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/conditions"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 type sourceGitFlags struct {
@@ -49,6 +49,8 @@ type sourceGitFlags struct {
 	branch            string
 	tag               string
 	semver            string
 	refName           string
 	commit            string
 	username          string
 	password          string
 	keyAlgorithm      flags.PublicKeyAlgorithm
@@ -129,6 +131,8 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", " git reference name")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
 	createSourceGitCmd.Flags().Var(&sourceGitArgs.keyAlgorithm, "ssh-key-algorithm", sourceGitArgs.keyAlgorithm.Description())
@@ -168,8 +172,8 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
-	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" {
+	if sourceGitArgs.branch == "" && sourceGitArgs.tag == "" && sourceGitArgs.semver == "" && sourceGitArgs.commit == "" && sourceGitArgs.refName == "" {
-		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag or --tag-semver")
+		return fmt.Errorf("a Git ref is required, use one of the following: --branch, --tag, --commit, --ref-name or --tag-semver")
 	}
 	if sourceGitArgs.caFile != "" && u.Scheme == "ssh" {
@@ -214,7 +218,12 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		gitRepository.Spec.Timeout = &metav1.Duration{Duration: createSourceArgs.fetchTimeout}
 	}
-	if sourceGitArgs.semver != "" {
+	if sourceGitArgs.commit != "" {
 		gitRepository.Spec.Reference.Commit = sourceGitArgs.commit
 		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
 	} else if sourceGitArgs.refName != "" {
 		gitRepository.Spec.Reference.Name = sourceGitArgs.refName
 	} else if sourceGitArgs.semver != "" {
 		gitRepository.Spec.Reference.SemVer = sourceGitArgs.semver
 	} else if sourceGitArgs.tag != "" {
 		gitRepository.Spec.Reference.Tag = sourceGitArgs.tag
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@@ -24,14 +24,15 @@ import (
 	"testing"
 	"time"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var pollInterval = 50 * time.Millisecond
@@ -98,6 +99,41 @@ func TestCreateSourceGitExport(t *testing.T) {
 			command,
 			assertGoldenFile("testdata/create_source_git/export.golden"),
 		},
 		{
 			name:   "no args",
 			args:   "create secret git",
 			assert: assertError("name is required"),
 		},
 		{
 			name:   "source with commit",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --commit=c88a2f41 --interval=1m0s --export",
 			assert: assertGoldenFile("./testdata/create_source_git/source-git-commit.yaml"),
 		},
 		{
 			name:   "source with ref name",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --ref-name=refs/heads/main --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-refname.yaml"),
 		},
 		{
 			name:   "source with branch name and commit",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=main --commit=c88a2f41 --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-branch-commit.yaml"),
 		},
 		{
 			name:   "source with semver",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag-semver=v1.01 --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-semver.yaml"),
 		},
 		{
 			name:   "source with git tag",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --tag=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-tag.yaml"),
 		},
 		{
 			name:   "source with git branch",
 			args:   "create source git podinfo --namespace=flux-system --url=https://github.com/stefanprodan/podinfo --branch=test --interval=1m0s --export",
 			assert: assertGoldenFile("testdata/create_source_git/source-git-branch.yaml"),
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -141,6 +177,9 @@ func TestCreateSourceGit(t *testing.T) {
 				repo.Status.Artifact = &sourcev1.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
 					LastUpdateTime: metav1.Time{
 						Time: time.Now(),
 					},
 				}
 			},
 		}, {
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -35,15 +35,15 @@ import (
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/sourcesecret"
 )
 var createSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Create or update a HelmRepository source",
-	Long: `The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
+	Long: withPreviewNote(`The create source helm command generates a HelmRepository resource and waits for it to fetch the index.
-For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`,
+For private Helm repositories, the basic authentication credentials are stored in a Kubernetes secret.`),
 	Example: `  # Create a source for an HTTPS public Helm repository
  flux create source helm podinfo \
    --url=https://stefanprodan.github.io/podinfo \
@@ -64,13 +64,13 @@ For private Helm repositories, the basic authentication credentials are stored i
  # Create a source for an OCI Helm repository
  flux create source helm podinfo \
-    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo \
    --username=username \
    --password=password
  # Create a source for an OCI Helm repository using an existing secret with basic auth or dockerconfig credentials
  flux create source helm podinfo \
-    --url=oci://ghcr.io/stefanprodan/charts/podinfo
+    --url=oci://ghcr.io/stefanprodan/charts/podinfo \
    --secret-ref=docker-config`,
 	RunE: createSourceHelmCmdRun,
 }
@@ -83,6 +83,7 @@ type sourceHelmFlags struct {
 	keyFile         string
 	caFile          string
 	secretRef       string
 	ociProvider     string
 	passCredentials bool
 }
@@ -96,6 +97,7 @@ func init() {
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.keyFile, "key-file", "", "TLS authentication key file path")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.caFile, "ca-file", "", "TLS authentication CA file path")
 	createSourceHelmCmd.Flags().StringVarP(&sourceHelmArgs.secretRef, "secret-ref", "", "", "the name of an existing secret containing TLS, basic auth or docker-config credentials")
 	createSourceHelmCmd.Flags().StringVar(&sourceHelmArgs.ociProvider, "oci-provider", "", "OCI provider for authentication")
 	createSourceHelmCmd.Flags().BoolVarP(&sourceHelmArgs.passCredentials, "pass-credentials", "", false, "pass credentials to all domains")
 	createSourceCmd.AddCommand(createSourceHelmCmd)
@@ -143,6 +145,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if url.Scheme == sourcev1.HelmRepositoryTypeOCI {
 		helmRepository.Spec.Type = sourcev1.HelmRepositoryTypeOCI
 		helmRepository.Spec.Provider = sourceHelmArgs.ociProvider
 	}
 	if createSourceArgs.fetchTimeout > 0 {
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@@ -33,14 +33,14 @@ import (
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/fluxcd/flux2/internal/flags"
+	"github.com/fluxcd/flux2/v2/internal/flags"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var createSourceOCIRepositoryCmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Create or update an OCIRepository",
-	Long:  `The create source oci command generates an OCIRepository resource and waits for it to be ready.`,
+	Long:  withPreviewNote(`The create source oci command generates an OCIRepository resource and waits for it to be ready.`),
 	Example: `  # Create an OCIRepository for a public container image
  flux create source oci podinfo \
    --url=oci://ghcr.io/stefanprodan/manifests/podinfo \
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -21,7 +21,7 @@ import (
 	"context"
 	"fmt"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -37,8 +37,8 @@ import (
 var createTenantCmd = &cobra.Command{
 	Use:   "tenant",
 	Short: "Create or update a tenant",
-	Long: `The create tenant command generates namespaces, service accounts and role bindings to limit the
+	Long: withPreviewNote(`The create tenant command generates namespaces, service accounts and role bindings to limit the
-reconcilers scope to the tenant namespaces.`,
+reconcilers scope to the tenant namespaces.`),
 	Example: `  # Create a tenant with access to a namespace 
  flux create tenant dev-team \
    --with-namespace=frontend \
--- a/cmd/flux/delete.go
+++ b/cmd/flux/delete.go
@@ -24,13 +24,13 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/types"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var deleteCmd = &cobra.Command{
 	Use:   "delete",
 	Short: "Delete sources and resources",
-	Long:  "The delete sub-commands delete sources and resources.",
+	Long:  `The delete sub-commands delete sources and resources.`,
 }
 type deleteFlags struct {
--- a/cmd/flux/delete_alert.go
+++ b/cmd/flux/delete_alert.go
@@ -25,7 +25,7 @@ import (
 var deleteAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Delete a Alert resource",
-	Long:  "The delete alert command removes the given Alert from the cluster.",
+	Long:  withPreviewNote("The delete alert command removes the given Alert from the cluster."),
 	Example: `  # Delete an Alert and the Kubernetes resources created by it
  flux delete alert main`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.AlertKind)),
--- a/cmd/flux/delete_alertprovider.go
+++ b/cmd/flux/delete_alertprovider.go
@@ -25,7 +25,7 @@ import (
 var deleteAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Delete a Provider resource",
-	Long:  "The delete alert-provider command removes the given Provider from the cluster.",
+	Long:  withPreviewNote("The delete alert-provider command removes the given Provider from the cluster."),
 	Example: `  # Delete a Provider and the Kubernetes resources created by it
  flux delete alert-provider slack`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ProviderKind)),
--- a/cmd/flux/delete_helmrelease.go
+++ b/cmd/flux/delete_helmrelease.go
@@ -26,7 +26,7 @@ var deleteHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Delete a HelmRelease resource",
-	Long:    "The delete helmrelease command removes the given HelmRelease from the cluster.",
+	Long:    withPreviewNote("The delete helmrelease command removes the given HelmRelease from the cluster."),
 	Example: `  # Delete a Helm release and the Kubernetes resources created by it
  flux delete hr podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
--- a/cmd/flux/delete_image.go
+++ b/cmd/flux/delete_image.go
@@ -23,7 +23,7 @@ import (
 var deleteImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Delete image automation objects",
-	Long:  "The delete image sub-commands delete image automation objects.",
+	Long:  `The delete image sub-commands delete image automation objects.`,
 }
 func init() {
--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -25,7 +25,7 @@ import (
 var deleteImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  "The delete image policy command deletes the given ImagePolicy from the cluster.",
+	Long:  withPreviewNote(`The delete image policy command deletes the given ImagePolicy from the cluster.`),
 	Example: `  # Delete an image policy
  flux delete image policy alpine3.x`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -25,7 +25,7 @@ import (
 var deleteImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
+	Long:  withPreviewNote("The delete image repository command deletes the given ImageRepository from the cluster."),
 	Example: `  # Delete an image repository
  flux delete image repository alpine`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@@ -25,7 +25,7 @@ import (
 var deleteImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  "The delete image update command deletes the given ImageUpdateAutomation from the cluster.",
+	Long:  withPreviewNote(`The delete image update command deletes the given ImageUpdateAutomation from the cluster.`),
 	Example: `  # Delete an image update automation
  flux delete image update latest-images`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
--- a/cmd/flux/delete_kustomization.go
+++ b/cmd/flux/delete_kustomization.go
@@ -19,14 +19,14 @@ package main
 import (
 	"github.com/spf13/cobra"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 var deleteKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Delete a Kustomization resource",
-	Long:    "The delete kustomization command deletes the given Kustomization from the cluster.",
+	Long:    `The delete kustomization command deletes the given Kustomization from the cluster.`,
 	Example: `  # Delete a kustomization and the Kubernetes resources created by it when prune is enabled
  flux delete kustomization podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
--- a/cmd/flux/delete_receiver.go
+++ b/cmd/flux/delete_receiver.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 )
 var deleteReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Delete a Receiver resource",
-	Long:  "The delete receiver command removes the given Receiver from the cluster.",
+	Long:  `The delete receiver command removes the given Receiver from the cluster.`,
 	Example: `  # Delete an Receiver and the Kubernetes resources created by it
  flux delete receiver main`,
 	ValidArgsFunction: resourceNamesCompletionFunc(notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)),
--- a/cmd/flux/delete_source.go
+++ b/cmd/flux/delete_source.go
@@ -23,7 +23,7 @@ import (
 var deleteSourceCmd = &cobra.Command{
 	Use:   "source",
 	Short: "Delete sources",
-	Long:  "The delete source sub-commands delete sources.",
+	Long:  `The delete source sub-commands delete sources.`,
 }
 func init() {
--- a/cmd/flux/delete_source_bucket.go
+++ b/cmd/flux/delete_source_bucket.go
@@ -25,7 +25,7 @@ import (
 var deleteSourceBucketCmd = &cobra.Command{
 	Use:   "bucket [name]",
 	Short: "Delete a Bucket source",
-	Long:  "The delete source bucket command deletes the given Bucket from the cluster.",
+	Long:  withPreviewNote("The delete source bucket command deletes the given Bucket from the cluster."),
 	Example: `  # Delete a Bucket source
  flux delete source bucket podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)),
--- a/cmd/flux/delete_source_git.go
+++ b/cmd/flux/delete_source_git.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 var deleteSourceGitCmd = &cobra.Command{
 	Use:   "git [name]",
 	Short: "Delete a GitRepository source",
-	Long:  "The delete source git command deletes the given GitRepository from the cluster.",
+	Long:  `The delete source git command deletes the given GitRepository from the cluster.`,
 	Example: `  # Delete a Git repository
  flux delete source git podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)),
--- a/cmd/flux/delete_source_helm.go
+++ b/cmd/flux/delete_source_helm.go
@@ -25,7 +25,7 @@ import (
 var deleteSourceHelmCmd = &cobra.Command{
 	Use:   "helm [name]",
 	Short: "Delete a HelmRepository source",
-	Long:  "The delete source helm command deletes the given HelmRepository from the cluster.",
+	Long:  withPreviewNote("The delete source helm command deletes the given HelmRepository from the cluster."),
 	Example: `  # Delete a Helm repository
  flux delete source helm podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)),
--- a/cmd/flux/delete_source_oci.go
+++ b/cmd/flux/delete_source_oci.go
@@ -25,7 +25,7 @@ import (
 var deleteSourceOCIRepositoryCmd = &cobra.Command{
 	Use:   "oci [name]",
 	Short: "Delete an OCIRepository source",
-	Long:  "The delete source oci command deletes the given OCIRepository from the cluster.",
+	Long:  withPreviewNote("The delete source oci command deletes the given OCIRepository from the cluster."),
 	Example: `  # Delete an OCIRepository 
  flux delete source oci podinfo`,
 	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)),
--- a/cmd/flux/diff.go
+++ b/cmd/flux/diff.go
@@ -23,7 +23,7 @@ import (
 var diffCmd = &cobra.Command{
 	Use:   "diff",
 	Short: "Diff a flux resource",
-	Long:  "The diff command is used to do a server-side dry-run on flux resources, then prints the diff.",
+	Long:  `The diff command is used to do a server-side dry-run on flux resources, then prints the diff.`,
 }
 func init() {
--- a/cmd/flux/diff_artifact.go
+++ b/cmd/flux/diff_artifact.go
@@ -21,16 +21,17 @@ import (
 	"fmt"
 	"os"
 	"github.com/fluxcd/flux2/internal/flags"
 	oci "github.com/fluxcd/pkg/oci/client"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/spf13/cobra"
 	"github.com/fluxcd/flux2/v2/internal/flags"
 )
 var diffArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Diff Artifact",
-	Long:  `The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`,
+	Long:  withPreviewNote(`The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`),
 	Example: `# Check if local files differ from remote
 flux diff artifact oci://ghcr.io/stefanprodan/manifests:podinfo:6.2.0 --path=./kustomize`,
 	RunE: diffArtifactCmdRun,
@@ -81,7 +82,7 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-	ociClient := oci.NewLocalClient()
+	ociClient := oci.NewClient(oci.DefaultOptions())
 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
--- a/cmd/flux/diff_kustomization.go
+++ b/cmd/flux/diff_kustomization.go
@@ -23,8 +23,8 @@ import (
 	"github.com/spf13/cobra"
-	"github.com/fluxcd/flux2/internal/build"
+	"github.com/fluxcd/flux2/v2/internal/build"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 var diffKsCmd = &cobra.Command{
@@ -37,7 +37,13 @@ Exit status: 0 No differences were found. 1 Differences were found. >1 diff fail
 flux diff kustomization my-app --path ./path/to/local/manifests
 # Preview using a local flux kustomization file
-flux diff kustomization my-app --path ./path/to/local/manifests --kustomization-file ./path/to/local/my-app.yaml`,
+flux diff kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml
 # Exclude files by providing a comma separated list of entries that follow the .gitignore pattern fromat.
 flux diff kustomization my-app --path ./path/to/local/manifests \
 	--kustomization-file ./path/to/local/my-app.yaml \
 	--ignore-paths "/to_ignore/**/*.yaml,ignore.yaml"`,
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 	RunE:              diffKsCmdRun,
 }
@@ -45,6 +51,7 @@ flux diff kustomization my-app --path ./path/to/local/manifests --kustomization-
 type diffKsFlags struct {
 	kustomizationFile string
 	path              string
 	ignorePaths       []string
 	progressBar       bool
 }
@@ -53,6 +60,7 @@ var diffKsArgs diffKsFlags
 func init() {
 	diffKsCmd.Flags().StringVar(&diffKsArgs.path, "path", "", "Path to a local directory that matches the specified Kustomization.spec.path.")
 	diffKsCmd.Flags().BoolVar(&diffKsArgs.progressBar, "progress-bar", true, "Boolean to set the progress bar. The default value is true.")
 	diffKsCmd.Flags().StringSliceVar(&diffKsArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in .gitignore format")
 	diffKsCmd.Flags().StringVar(&diffKsArgs.kustomizationFile, "kustomization-file", "", "Path to the Flux Kustomization YAML file.")
 	diffCmd.AddCommand(diffKsCmd)
 }
@@ -86,12 +94,16 @@ func diffKsCmdRun(cmd *cobra.Command, args []string) error {
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
 			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
-			build.WithProgressBar())
+			build.WithProgressBar(),
 			build.WithIgnore(diffKsArgs.ignorePaths),
 		)
 	} else {
 		builder, err = build.NewBuilder(name, diffKsArgs.path,
 			build.WithClientConfig(kubeconfigArgs, kubeclientOptions),
 			build.WithTimeout(rootArgs.timeout),
-			build.WithKustomizationFile(diffKsArgs.kustomizationFile))
+			build.WithKustomizationFile(diffKsArgs.kustomizationFile),
 			build.WithIgnore(diffKsArgs.ignorePaths),
 		)
 	}
 	if err != nil {
--- a/cmd/flux/diff_kustomization_test.go
+++ b/cmd/flux/diff_kustomization_test.go
@@ -25,7 +25,7 @@ import (
 	"strings"
 	"testing"
-	"github.com/fluxcd/flux2/internal/build"
+	"github.com/fluxcd/flux2/v2/internal/build"
 	"github.com/fluxcd/pkg/ssa"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -91,6 +91,12 @@ func TestDiffKustomization(t *testing.T) {
 			objectFile: "./testdata/diff-kustomization/stringdata-sops-secret.yaml",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-stringdata-sops-secret.golden"),
 		},
 		{
 			name:       "diff where kustomization file has multiple objects with the same name",
 			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false --kustomization-file ./testdata/diff-kustomization/flux-kustomization-multiobj.yaml",
 			objectFile: "",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
 		},
 	}
 	tmpl := map[string]string{
--- a/cmd/flux/events.go
+++ b/cmd/flux/events.go
@@ -42,18 +42,20 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
-	"github.com/fluxcd/flux2/pkg/printers"
+	"github.com/fluxcd/flux2/v2/pkg/printers"
 )
 var eventsCmd = &cobra.Command{
 	Use:   "events",
 	Short: "Display Kubernetes events for Flux resources",
-	Long:  "The events sub-command shows Kubernetes events from Flux resources",
+	Long:  withPreviewNote("The events sub-command shows Kubernetes events from Flux resources"),
 	Example: ` # Display events for flux resources in default namespace
 	flux events -n default
@@ -125,6 +127,9 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	rows, err := getRows(ctx, kubeclient, clientListOpts, refListOpts, showNamespace)
 	if err != nil {
 		return err
 	}
 	if len(rows) == 0 {
 		if eventArgs.allNamespaces {
 			logger.Failuref("No events found.")
@@ -390,18 +395,18 @@ var fluxKindMap = refMap{
 		gv:              helmv2.GroupVersion,
 		crossNamespaced: true,
 		otherRefs: func(namespace, name string) []string {
-			return []string{fmt.Sprintf("%s/%s-%s", sourcev1.HelmChartKind, namespace, name)}
+			return []string{fmt.Sprintf("%s/%s-%s", sourcev1b2.HelmChartKind, namespace, name)}
 		},
 		field: []string{"spec", "chart", "spec", "sourceRef"},
 	},
-	notificationv1.AlertKind: {
+	notificationv1b2.AlertKind: {
-		gv:              notificationv1.GroupVersion,
+		gv:              notificationv1b2.GroupVersion,
-		kind:            notificationv1.ProviderKind,
+		kind:            notificationv1b2.ProviderKind,
 		crossNamespaced: false,
 		field:           []string{"spec", "providerRef"},
 	},
-	notificationv1.ReceiverKind: {gv: notificationv1.GroupVersion},
+	notificationv1.ReceiverKind:   {gv: notificationv1.GroupVersion},
-	notificationv1.ProviderKind: {gv: notificationv1.GroupVersion},
+	notificationv1b2.ProviderKind: {gv: notificationv1b2.GroupVersion},
 	imagev1.ImagePolicyKind: {
 		gv:              imagev1.GroupVersion,
 		kind:            imagev1.ImageRepositoryKind,
@@ -409,10 +414,10 @@ var fluxKindMap = refMap{
 		field:           []string{"spec", "imageRepositoryRef"},
 	},
 	sourcev1.GitRepositoryKind:       {gv: sourcev1.GroupVersion},
-	sourcev1.OCIRepositoryKind:       {gv: sourcev1.GroupVersion},
+	sourcev1b2.OCIRepositoryKind:     {gv: sourcev1b2.GroupVersion},
-	sourcev1.BucketKind:              {gv: sourcev1.GroupVersion},
+	sourcev1b2.BucketKind:            {gv: sourcev1b2.GroupVersion},
-	sourcev1.HelmRepositoryKind:      {gv: sourcev1.GroupVersion},
+	sourcev1b2.HelmRepositoryKind:    {gv: sourcev1b2.GroupVersion},
-	sourcev1.HelmChartKind:           {gv: sourcev1.GroupVersion},
+	sourcev1b2.HelmChartKind:         {gv: sourcev1b2.GroupVersion},
 	autov1.ImageUpdateAutomationKind: {gv: autov1.GroupVersion},
 	imagev1.ImageRepositoryKind:      {gv: imagev1.GroupVersion},
 }
--- a/cmd/flux/events_test.go
+++ b/cmd/flux/events_test.go
@@ -23,15 +23,6 @@ import (
 	"strings"
 	"testing"
 	"github.com/fluxcd/flux2/internal/utils"
 	helmv2beta1 "github.com/fluxcd/helm-controller/api/v2beta1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
 	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
 	"github.com/fluxcd/pkg/ssa"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -40,10 +31,23 @@ import (
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	helmv2beta1 "github.com/fluxcd/helm-controller/api/v2beta1"
 	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta1"
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b2 "github.com/fluxcd/notification-controller/api/v1beta2"
 	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
 	"github.com/fluxcd/pkg/ssa"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var objects = `
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: flux-system
@@ -56,7 +60,7 @@ spec:
    kind: GitRepository
    name: flux-system
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: podinfo
@@ -70,7 +74,7 @@ spec:
    name: flux-system
    namespace: flux-system
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: flux-system
@@ -376,9 +380,11 @@ func getScheme() *runtime.Scheme {
 	kustomizev1.AddToScheme(newscheme)
 	helmv2beta1.AddToScheme(newscheme)
 	notificationv1.AddToScheme(newscheme)
 	notificationv1b2.AddToScheme(newscheme)
 	imagev1.AddToScheme(newscheme)
 	autov1.AddToScheme(newscheme)
 	sourcev1.AddToScheme(newscheme)
 	sourcev1b2.AddToScheme(newscheme)
 	return newscheme
 }
--- a/cmd/flux/export.go
+++ b/cmd/flux/export.go
@@ -26,13 +26,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 var exportCmd = &cobra.Command{
 	Use:   "export",
 	Short: "Export resources in YAML format",
-	Long:  "The export sub-commands export resources in YAML format.",
+	Long:  `The export sub-commands export resources in YAML format.`,
 }
 type exportFlags struct {
@@ -122,5 +122,6 @@ func printExport(export interface{}) error {
 func resourceToString(data []byte) string {
 	data = bytes.Replace(data, []byte("  creationTimestamp: null\n"), []byte(""), 1)
 	data = bytes.Replace(data, []byte("status: {}\n"), []byte(""), 1)
 	data = bytes.TrimSpace(data)
 	return string(data)
 }
--- a/cmd/flux/export_alert.go
+++ b/cmd/flux/export_alert.go
@@ -26,7 +26,7 @@ import (
 var exportAlertCmd = &cobra.Command{
 	Use:   "alert [name]",
 	Short: "Export Alert resources in YAML format",
-	Long:  "The export alert command exports one or all Alert resources in YAML format.",
+	Long:  withPreviewNote("The export alert command exports one or all Alert resources in YAML format."),
 	Example: `  # Export all Alert resources
  flux export alert --all > alerts.yaml
--- a/cmd/flux/export_alertprovider.go
+++ b/cmd/flux/export_alertprovider.go
@@ -26,7 +26,7 @@ import (
 var exportAlertProviderCmd = &cobra.Command{
 	Use:   "alert-provider [name]",
 	Short: "Export Provider resources in YAML format",
-	Long:  "The export alert-provider command exports one or all Provider resources in YAML format.",
+	Long:  withPreviewNote("The export alert-provider command exports one or all Provider resources in YAML format."),
 	Example: `  # Export all Provider resources
  flux export alert-provider --all > alert-providers.yaml
--- a/cmd/flux/export_helmrelease.go
+++ b/cmd/flux/export_helmrelease.go
@@ -27,7 +27,7 @@ var exportHelmReleaseCmd = &cobra.Command{
 	Use:     "helmrelease [name]",
 	Aliases: []string{"hr"},
 	Short:   "Export HelmRelease resources in YAML format",
-	Long:    "The export helmrelease command exports one or all HelmRelease resources in YAML format.",
+	Long:    withPreviewNote("The export helmrelease command exports one or all HelmRelease resources in YAML format."),
 	Example: `  # Export all HelmRelease resources
  flux export helmrelease --all > kustomizations.yaml
--- a/cmd/flux/export_image.go
+++ b/cmd/flux/export_image.go
@@ -23,7 +23,7 @@ import (
 var exportImageCmd = &cobra.Command{
 	Use:   "image",
 	Short: "Export image automation objects",
-	Long:  "The export image sub-commands export image automation objects in YAML format.",
+	Long:  `The export image sub-commands export image automation objects in YAML format.`,
 }
 func init() {
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@@ -26,7 +26,7 @@ import (
 var exportImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Export ImagePolicy resources in YAML format",
-	Long:  "The export image policy command exports one or all ImagePolicy resources in YAML format.",
+	Long:  withPreviewNote("The export image policy command exports one or all ImagePolicy resources in YAML format."),
 	Example: `  # Export all ImagePolicy resources
  flux export image policy --all > image-policies.yaml
--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@@ -26,7 +26,7 @@ import (
 var exportImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Export ImageRepository resources in YAML format",
-	Long:  "The export image repository command exports one or all ImageRepository resources in YAML format.",
+	Long:  withPreviewNote("The export image repository command exports one or all ImageRepository resources in YAML format."),
 	Example: `  # Export all ImageRepository resources
  flux export image repository --all > image-repositories.yaml
--- a/cmd/flux/export_image_update.go
+++ b/cmd/flux/export_image_update.go
@@ -26,7 +26,7 @@ import (
 var exportImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Export ImageUpdateAutomation resources in YAML format",
-	Long:  "The export image update command exports one or all ImageUpdateAutomation resources in YAML format.",
+	Long:  withPreviewNote("The export image update command exports one or all ImageUpdateAutomation resources in YAML format."),
 	Example: `  # Export all ImageUpdateAutomation resources
  flux export image update --all > updates.yaml
--- a/cmd/flux/export_kustomization.go
+++ b/cmd/flux/export_kustomization.go
@@ -20,14 +20,14 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 var exportKsCmd = &cobra.Command{
 	Use:     "kustomization [name]",
 	Aliases: []string{"ks"},
 	Short:   "Export Kustomization resources in YAML format",
-	Long:    "The export kustomization command exports one or all Kustomization resources in YAML format.",
+	Long:    `The export kustomization command exports one or all Kustomization resources in YAML format.`,
 	Example: `  # Export all Kustomization resources
  flux export kustomization --all > kustomizations.yaml
--- a/cmd/flux/export_receiver.go
+++ b/cmd/flux/export_receiver.go
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta2"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 )
 var exportReceiverCmd = &cobra.Command{
 	Use:   "receiver [name]",
 	Short: "Export Receiver resources in YAML format",
-	Long:  "The export receiver command exports one or all Receiver resources in YAML format.",
+	Long:  `The export receiver command exports one or all Receiver resources in YAML format.`,
 	Example: `  # Export all Receiver resources
  flux export receiver --all > receivers.yaml
@@ -44,7 +44,7 @@ func init() {
 }
 func exportReceiver(receiver *notificationv1.Receiver) interface{} {
-	gvk := notificationv1.GroupVersion.WithKind("Receiver")
+	gvk := notificationv1.GroupVersion.WithKind(notificationv1.ReceiverKind)
 	export := notificationv1.Receiver{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       gvk.Kind,
--- a/cmd/flux/export_secret.go
+++ b/cmd/flux/export_secret.go
@@ -26,7 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 // exportableWithSecret represents a type that you can fetch from the Kubernetes
--- a/Show More
+++ b/Show More