Merge pull request #5741 from fluxcd/backport-5740-to-release/v2.8.x

[release/v2.8.x] Update toolkit components

.github/dependabot.yml

@@ -6,11 +6,9 @@ updates:
     labels: ["area/ci", "dependencies"]
     groups:
       # Group all updates together, so that they are all applied in a single PR.
-      # Grouped updates are currently in beta and is subject to change.
       # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
       ci:
         patterns:
           - "*"
     schedule:
-      # By default, this will be on a monday.
-      interval: "weekly"
+      interval: "monthly"

.github/labels.yaml

@@ -44,15 +44,12 @@
   description: Feature request proposals in the RFC format
   color: '#D621C3'
   aliases: ['area/RFC']
-- name: backport:release/v2.0.x
-  description: To be backported to release/v2.0.x
+- name: backport:release/v2.5.x
+  description: To be backported to release/v2.5.x
   color: '#ffd700'
-- name: backport:release/v2.1.x
-  description: To be backported to release/v2.1.x
+- name: backport:release/v2.6.x
+  description: To be backported to release/v2.6.x
   color: '#ffd700'
-- name: backport:release/v2.2.x
-  description: To be backported to release/v2.2.x
-  color: '#ffd700'
-- name: backport:release/v2.3.x
-  description: To be backported to release/v2.3.x
+- name: backport:release/v2.7.x
+  description: To be backported to release/v2.7.x
   color: '#ffd700'

.github/workflows/action.yaml

@@ -24,6 +24,6 @@ jobs:
     name: action on ${{ matrix.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup flux
         uses: ./action

.github/workflows/backport.yaml

@@ -1,34 +1,13 @@
 name: backport
-
 on:
   pull_request_target:
     types: [closed, labeled]
-
-permissions: 
-  contents: read
-
+permissions: read-all
 jobs:
-  pull-request:
-    runs-on: ubuntu-latest
+  backport:
     permissions:
-      contents: write
-      pull-requests: write
-    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Create backport PRs
-        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
-        # xref: https://github.com/korthout/backport-action#inputs
-        with:
-          # Use token to allow workflows to be triggered for the created PR
-          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
-          # Match labels with a pattern `backport:<target-branch>`
-          label_pattern: '^backport:([^ ]+)$'
-          # A bit shorter pull-request title than the default
-          pull_title: '[${target_branch}] ${pull_title}'
-          # Simpler PR description than default
-          pull_description: |-
-            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
+      contents: write # for reading and creating branches.
+      pull-requests: write # for creating pull requests against release branches.
+    uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@v0.9.0
+    secrets:
+      github-token: ${{ secrets.BOT_GITHUB_TOKEN }}

.github/workflows/conformance.yaml

@@ -9,7 +9,7 @@ permissions:
   contents: read
 
 env:
-  GO_VERSION: 1.23.x
+  GO_VERSION: 1.26.x
 
 jobs:
   conform-kubernetes:
@@ -19,13 +19,13 @@ jobs:
       matrix:
         # Keep this list up-to-date with https://endoflife.date/kubernetes
         # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
-        KUBERNETES_VERSION: [1.30.9, 1.31.5, 1.32.1 ]
+        KUBERNETES_VERSION: [1.33.0, 1.34.1, 1.35.0]
       fail-fast: false
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: |
@@ -40,9 +40,9 @@ jobs:
         run: |
           make build
       - name: Setup Kubernetes
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
         with:
-          version: v0.22.0
+          version: v0.30.0
           cluster_name: ${{ steps.prep.outputs.CLUSTER }}
           node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
       - name: Run e2e tests
@@ -76,13 +76,13 @@ jobs:
       matrix:
         # Keep this list up-to-date with https://endoflife.date/kubernetes
         # Available versions can be found with "replicated cluster versions"
-        K3S_VERSION: [ 1.30.9, 1.31.5, 1.32.1 ]
+        K3S_VERSION: [ 1.33.7, 1.34.3, 1.35.0 ]
       fail-fast: false
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: |
@@ -97,7 +97,7 @@ jobs:
           KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
           echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg/actions/kustomize@9a8c0edd5da84dc51a585738c67e3a3950d7fbf0 # main
       - name: Build
         run: make build-dev
       - name: Create repository
@@ -107,7 +107,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
       - name: Create cluster
         id: create-cluster
-        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
+        uses: replicatedhq/replicated-actions/create-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
         with:
           api-token: ${{ secrets.REPLICATED_API_TOKEN }}
           kubernetes-distribution: "k3s"
@@ -120,8 +120,7 @@ jobs:
         run: TEST_KUBECONFIG=${{ steps.prep.outputs.kubeconfig-path }} make e2e
       - name: Run flux bootstrap
         run: |
-          ./bin/flux bootstrap git --manifests ./manifests/install/ \
-          --components-extra=image-reflector-controller,image-automation-controller \
+          ./bin/flux bootstrap git --manifests ./manifests/test/ \
           --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
           --branch=main \
           --path=clusters/k3s \
@@ -151,7 +150,7 @@ jobs:
           kubectl delete ns flux-system --wait
       - name: Delete cluster
         if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
+        uses: replicatedhq/replicated-actions/remove-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
         continue-on-error: true
         with:
           api-token: ${{ secrets.REPLICATED_API_TOKEN }}
@@ -169,13 +168,13 @@ jobs:
     strategy:
       matrix:
         # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
-        OPENSHIFT_VERSION: [ 4.17.0-okd ]
+        OPENSHIFT_VERSION: [ 4.20.0-okd ]
       fail-fast: false
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: |
@@ -190,7 +189,7 @@ jobs:
           KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
           echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg/actions/kustomize@9a8c0edd5da84dc51a585738c67e3a3950d7fbf0 # main
       - name: Build
         run: make build-dev
       - name: Create repository
@@ -200,7 +199,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITPROVIDER_BOT_TOKEN }}
       - name: Create cluster
         id: create-cluster
-        uses: replicatedhq/replicated-actions/create-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
+        uses: replicatedhq/replicated-actions/create-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
         with:
           api-token: ${{ secrets.REPLICATED_API_TOKEN }}
           kubernetes-distribution: "openshift"
@@ -212,7 +211,6 @@ jobs:
       - name: Run flux bootstrap
         run: |
           ./bin/flux bootstrap git --manifests ./manifests/openshift/ \
-          --components-extra=image-reflector-controller,image-automation-controller \
           --url=https://github.com/fluxcd-testing/${{ steps.prep.outputs.cluster }} \
           --branch=main \
           --path=clusters/openshift \
@@ -242,7 +240,7 @@ jobs:
           kubectl delete ns flux-system --wait
       - name: Delete cluster
         if: ${{ always() }}
-        uses: replicatedhq/replicated-actions/remove-cluster@c98ab3b97925af5db9faf3f9676df7a9c6736985 # v1.17.0
+        uses: replicatedhq/replicated-actions/remove-cluster@49b440dabd7e0e868cbbabda5cfc0d8332a279fa # v1.19.0
         continue-on-error: true
         with:
           api-token: ${{ secrets.REPLICATED_API_TOKEN }}

.github/workflows/e2e-azure.yaml

@@ -22,19 +22,18 @@ permissions:
 
 jobs:
   e2e-aks:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: ./tests/integration
-    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
-    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
     steps:
       - name: CheckoutD
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: 1.23.x
+          go-version: 1.26.x
           cache-dependency-path: tests/integration/go.sum
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@@ -49,9 +48,9 @@ jobs:
         env:
           SOPS_VER: 3.7.1
       - name: Authenticate to Azure
-        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.4.6
+        uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v1.4.6
         with:
-          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
+          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
       - name: Set dynamic variables in .env
         run: |
           cat > .env <<EOF
@@ -61,33 +60,35 @@ jobs:
         run: cat .env
       - name: Run Azure e2e tests
         env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
           TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
           TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
-          GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
-          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
         run: |
           source .env
           mkdir -p ./build/ssh
-          touch ./build/ssh/key
-          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          cat <<EOF > build/ssh/key
+          $GITREPO_SSH_CONTENTS
+          EOF
           export GITREPO_SSH_PATH=build/ssh/key
-          touch ./build/ssh/key.pub
-          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          cat <<EOF > build/ssh/key.pub
+          $GITREPO_SSH_PUB_CONTENTS
+          EOF
           export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
           make test-azure
       - name: Ensure resource cleanup
         if: ${{ always() }}
         env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
           TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
           TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
         run: source .env && make destroy-azure

.github/workflows/e2e-bootstrap.yaml

@@ -17,27 +17,27 @@ jobs:
     if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: 1.23.x
+          go-version: 1.26.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
         with:
-          version: v0.24.0
+          version: v0.30.0
           cluster_name: kind
           # The versions below should target the newest Kubernetes version
           # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.31.0-amd64
-          kubectl_version: v1.31.0
+          node_image: ghcr.io/fluxcd/kindest/node:v1.33.0-amd64
+          kubectl_version: v1.33.0
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg/actions/kustomize@9a8c0edd5da84dc51a585738c67e3a3950d7fbf0 # main
       - name: Setup yq
-        uses: fluxcd/pkg/actions/yq@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg/actions/yq@9a8c0edd5da84dc51a585738c67e3a3950d7fbf0 # main
       - name: Build
         run: make build-dev
       - name: Set outputs
@@ -51,7 +51,7 @@ jobs:
           echo "test_repo_name=$TEST_REPO_NAME" >> $GITHUB_OUTPUT
       - name: bootstrap init
         run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/test/ \
           --owner=fluxcd-testing \
           --image-pull-secret=ghcr-auth \
           --registry-creds=fluxcd:$GITHUB_TOKEN \
@@ -66,7 +66,7 @@ jobs:
           kubectl -n flux-system get secret ghcr-auth | grep dockerconfigjson
       - name: bootstrap no-op
         run: |
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/test/ \
           --owner=fluxcd-testing \
           --image-pull-secret=ghcr-auth \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
@@ -78,7 +78,7 @@ jobs:
       - name: bootstrap customize
         run: |
           make setup-bootstrap-patch
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/test/ \
           --owner=fluxcd-testing \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
           --branch=main \
@@ -98,15 +98,18 @@ jobs:
       - name: test image automation
         run: |
           make setup-image-automation
-          ./bin/flux bootstrap github --manifests ./manifests/install/ \
+          ./bin/flux bootstrap github --manifests ./manifests/test/ \
           --owner=fluxcd-testing \
           --repository=${{ steps.vars.outputs.test_repo_name }} \
           --branch=main \
           --path=test-cluster \
           --read-write-key
           ./bin/flux reconcile image repository podinfo
+          ./bin/flux reconcile image policy podinfo
           ./bin/flux reconcile image update flux-system
           ./bin/flux get images all
+          ./bin/flux -n flux-system events --for ImageUpdateAutomation/flux-system
+          kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system
           kubectl -n flux-system get -o yaml ImageUpdateAutomation flux-system | \
            yq '.status.lastPushCommit | length > 1' | grep 'true'
         env:

.github/workflows/e2e-gcp.yaml

@@ -22,18 +22,18 @@ permissions:
 
 jobs:
   e2e-gcp:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: ./tests/integration
     if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: 1.23.x
+          go-version: 1.26.x
           cache-dependency-path: tests/integration/go.sum
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@@ -48,19 +48,19 @@ jobs:
         env:
           SOPS_VER: 3.7.1
       - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
         id: 'auth'
         with:
           credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
           token_format: 'access_token'
       - name: Setup gcloud
-        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       - name: Log into us-central1-docker.pkg.dev
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: us-central1-docker.pkg.dev
           username: oauth2accesstoken

.github/workflows/e2e.yaml

@@ -23,30 +23,30 @@ jobs:
           - 5000:5000
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: 1.23.x
+          go-version: 1.26.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
         with:
-          version: v0.24.0
+          version: v0.30.0
           cluster_name: kind
           wait: 5s
           config: .github/kind/config.yaml # disable KIND-net
           # The versions below should target the oldest supported Kubernetes version
           # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.30.9-amd64
-          kubectl_version: v1.30.9
+          node_image: ghcr.io/fluxcd/kindest/node:v1.33.0-amd64
+          kubectl_version: v1.33.0
       - name: Setup Calico for network policy
         run: |
           kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg/actions/kustomize@9a8c0edd5da84dc51a585738c67e3a3950d7fbf0 # main
       - name: Run tests
         run: make test
       - name: Run e2e tests
@@ -65,7 +65,7 @@ jobs:
           ./bin/flux check --pre
       - name: flux install --manifests
         run: |
-          ./bin/flux install --manifests ./manifests/install/
+          ./bin/flux install --manifests ./manifests/test/
       - name: flux create secret
         run: |
           ./bin/flux create secret git git-ssh-test \
@@ -238,6 +238,9 @@ jobs:
       - name: flux check
         run: |
           ./bin/flux check
+      - name: flux migrate
+        run: |
+          ./bin/flux migrate
       - name: flux version
         run: |
           ./bin/flux version
@@ -247,7 +250,7 @@ jobs:
       - name: Debug failure
         if: failure()
         run: |
-          kubectl version --client --short
+          kubectl version --client
           kubectl -n flux-system get all
           kubectl -n flux-system describe pods
           kubectl -n flux-system get kustomizations -oyaml

.github/workflows/ossf.yaml

@@ -19,21 +19,21 @@ jobs:
       actions: read
       contents: read
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           publish_results: true
       - name: Upload artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
       - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           sarif_file: results.sarif

.github/workflows/release.yaml

@@ -2,7 +2,7 @@ name: release
 
 on:
   push:
-    tags: [ 'v*' ]
+    tags: ["v*"]
 
 permissions:
   contents: read
@@ -13,40 +13,44 @@ jobs:
       hashes: ${{ steps.slsa.outputs.hashes }}
       image_url: ${{ steps.slsa.outputs.image_url }}
       image_digest: ${{ steps.slsa.outputs.image_digest }}
-    runs-on: ubuntu-latest
+    runs-on:
+      group: "Default Larger Runners"
+      labels: ubuntu-latest-16-cores
     permissions:
       contents: write # needed to write releases
       id-token: write # needed for keyless signing
       packages: write # needed for ghcr access
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Unshallow
         run: git fetch --prune --unshallow
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: 1.23.x
+          go-version: 1.26.x
           cache: false
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        uses: anchore/sbom-action/download-syft@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
       - name: Setup Cosign
-        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: v2.6.1 # TODO: remove after Flux 2.8 with support for cosign v3
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg/actions/kustomize@9a8c0edd5da84dc51a585738c67e3a3950d7fbf0 # main
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -59,30 +63,19 @@ jobs:
         run: |
           kustomize build manifests/crds > all-crds.yaml
       - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg/actions/crdjsonschema@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg/actions/crdjsonschema@9a8c0edd5da84dc51a585738c67e3a3950d7fbf0 # main
         with:
           crd: all-crds.yaml
           output: schemas
       - name: Archive the OpenAPI JSON schemas
         run: |
           tar -czvf ./output/crd-schemas.tar.gz -C schemas .
-      - name: Download release notes utility
-        env:
-          GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
-        run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
-      - name: Generate release notes
-        run: |
-          NOTES="./output/notes.md"
-          echo '## CLI Changelog' > ${NOTES}
-          github-release-notes -org fluxcd -repo flux2 -since-latest-release -include-author >> ${NOTES}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run GoReleaser
         id: run-goreleaser
-        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: latest
-          args: release --release-notes=output/notes.md --skip=validate
+          args: release --skip=validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
@@ -93,13 +86,13 @@ jobs:
           ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
         run: |
           set -euo pipefail
-          
+
           hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
           echo "hashes=$hashes" >> $GITHUB_OUTPUT
-          
+
           image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
           echo "image_url=$image_url" >> $GITHUB_OUTPUT
-          
+
           image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)
           echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
 
@@ -110,24 +103,26 @@ jobs:
       id-token: write
       packages: write
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
+        uses: fluxcd/pkg/actions/kustomize@9a8c0edd5da84dc51a585738c67e3a3950d7fbf0 # main
       - name: Setup Flux CLI
         uses: ./action/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
       - name: Prepare
         id: prep
         run: |
           VERSION=$(flux version --client | awk '{ print $NF }')
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
       - name: Login to GHCR
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: fluxcdbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to DockerHub
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -137,7 +132,7 @@ jobs:
           flux install --registry=ghcr.io/fluxcd \
           --components-extra=image-reflector-controller,image-automation-controller \
           --export > ./ghcr.io/flux-system/gotk-components.yaml
-          
+
           cd ./ghcr.io && flux push artifact \
           oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
           --path="./flux-system" \
@@ -149,13 +144,15 @@ jobs:
           flux install --registry=docker.io/fluxcd \
           --components-extra=image-reflector-controller,image-automation-controller \
           --export > ./docker.io/flux-system/gotk-components.yaml
-          
+
           cd ./docker.io && flux push artifact \
           oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.version }} \
           --path="./flux-system" \
           --source=${{ github.repositoryUrl }} \
           --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
+      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: v2.6.1 # TODO: remove after Flux 2.8 with support for cosign v3
       - name: Sign manifests
         env:
           COSIGN_EXPERIMENTAL: 1
@@ -176,7 +173,7 @@ jobs:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       contents: write # for uploading attestations to GitHub releases.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       provenance-name: "provenance.intoto.jsonl"
       base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
@@ -188,7 +185,7 @@ jobs:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
     with:
       image: ${{ needs.release-flux-cli.outputs.image_url }}
       digest: ${{ needs.release-flux-cli.outputs.image_digest }}
@@ -202,10 +199,10 @@ jobs:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
     with:
       image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
       digest: ${{ needs.release-flux-cli.outputs.image_digest }}
       registry-username: fluxcdbot
     secrets:
-      registry-password: ${{ secrets.GHCR_TOKEN }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scan.yaml

@@ -1,5 +1,4 @@
 name: scan
-
 on:
   workflow_dispatch:
   push:
@@ -8,79 +7,13 @@ on:
     branches: [ 'main', 'release/**' ]
   schedule:
     - cron: '18 10 * * 3'
-
-permissions:
-  contents: read
-
+permissions: read-all
 jobs:
-  scan-fossa:
-    runs-on: ubuntu-latest
-    if: github.actor != 'dependabot[bot]'
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0
-        with:
-          # FOSSA Push-Only API Token
-          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
-          github-token: ${{ github.token }}
-
-  scan-snyk:
-    runs-on: ubuntu-latest
+  analyze:
     permissions:
-      security-events: write
-    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@c964ce7b91949ff4b5e3959db4f1d7bb2e029a49 # main
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-        with:
-          go-version-file: 'go.mod'
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Download modules and build manifests
-        run: |
-          make tidy
-          make cmd/flux/.manifests.done
-      - uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf
-      - name:  Run Snyk to check for vulnerabilities
-        continue-on-error: true
-        run: |
-          snyk test --all-projects --sarif-file-output=snyk.sarif
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      - name: Upload result to GitHub Code Scanning
-        continue-on-error: true
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
-        with:
-          sarif_file: snyk.sarif
-
-  scan-codeql:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-    if: github.actor != 'dependabot[bot]'
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
-        with:
-          go-version-file: 'go.mod'
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
-        with:
-          languages: go
-          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # xref: https://codeql.github.com/codeql-query-help/go/
-          queries: security-and-quality
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+      contents: read # for reading the repository code.
+      security-events: write # for uploading the CodeQL analysis results.
+    uses: fluxcd/gha-workflows/.github/workflows/code-scan.yaml@v0.9.0
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      fossa-token: ${{ secrets.FOSSA_TOKEN }}

.github/workflows/sync-labels.yaml

@@ -6,23 +6,12 @@ on:
       - main
     paths:
       - .github/labels.yaml
-
-permissions:
-  contents: read
-
+permissions: read-all
 jobs:
-  labels:
-    name: Run sync
-    runs-on: ubuntu-latest
+  sync-labels:
     permissions:
-      issues: write
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
-        with:
-          # Configuration file
-          config-file: |
-            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
-            .github/labels.yaml
-          # Strictly declarative
-          delete-other-labels: true
+      contents: read # for reading the labels file.
+      issues: write # for creating and updating labels.
+    uses: fluxcd/gha-workflows/.github/workflows/labels-sync.yaml@v0.9.0
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/update.yaml

@@ -2,8 +2,6 @@ name: update
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
   push:
     branches: [main]
 
@@ -18,24 +16,37 @@ jobs:
       pull-requests: write
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: 1.23.x
+          go-version: 1.26.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Update component versions
         id: update
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           PR_BODY=$(mktemp)
 
           bump_version() {
-            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+            local LATEST_VERSION=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+
+            if [[ "$LATEST_VERSION" == *"-rc"* ]]; then
+              echo "Skipping release candidate version for $1: $LATEST_VERSION"
+              return
+            fi
+
             local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
             local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
-            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
+          
+            local API_PKG="github.com/fluxcd/$1/api"
+            if [[ "$1" == "source-watcher" ]]; then
+              API_PKG="github.com/fluxcd/$1/api/v2"
+            fi
+            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "$API_PKG")
 
             local changed=false
 
@@ -50,7 +61,7 @@ jobs:
             fi
 
             if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
-              go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
+              go mod edit -require="$API_PKG@${LATEST_VERSION}"
               make tidy
               changed=true
             fi
@@ -69,6 +80,7 @@ jobs:
             bump_version notification-controller
             bump_version image-reflector-controller
             bump_version image-automation-controller
+            bump_version source-watcher
 
             # diff change
             git diff
@@ -84,7 +96,7 @@ jobs:
 
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           token: ${{ secrets.BOT_GITHUB_TOKEN }}
           commit-message: |

.github/workflows/upgrade-fluxcd-pkg.yaml

@@ -0,0 +1,10 @@
+name: upgrade-fluxcd-pkg
+
+on:
+  workflow_dispatch:
+
+jobs:
+  upgrade-fluxcd-pkg:
+    uses: fluxcd/gha-workflows/.github/workflows/upgrade-fluxcd-pkg.yaml@v0.9.0
+    secrets:
+      github-token: ${{ secrets.BOT_GITHUB_TOKEN }}

.goreleaser.yml

@@ -1,4 +1,6 @@
 project_name: flux
+changelog:
+  use: github-native
 builds:
   - <<: &build_defaults
       binary: flux
@@ -86,22 +88,6 @@ brews:
       generate_completions_from_executable(bin/"flux", "completion")
     test: |
       system "#{bin}/flux --version"
-publishers:
-  - name: aur-pkg-bin
-    env:
-      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
-    cmd: |
-      .github/aur/flux-bin/publish.sh {{ .Version }}
-  - name: aur-pkg-scm
-    env:
-      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
-    cmd: |
-      .github/aur/flux-scm/publish.sh {{ .Version }}
-  - name: aur-pkg-go
-    env:
-      - AUR_BOT_SSH_PRIVATE_KEY={{ .Env.AUR_BOT_SSH_PRIVATE_KEY }}
-    cmd: |
-      .github/aur/flux-go/publish.sh {{ .Version }}
 dockers:
 - image_templates:
     - 'fluxcd/flux-cli:{{ .Tag }}-amd64'

.scorecard.yml

@@ -0,0 +1,5 @@
+annotations:
+  - checks:
+      - dangerous-workflow
+    reasons:
+      - reason: not-applicable # This workflow does not run untrusted code, the bot will only backport a code if the a PR was approved and merged into main.

CONTRIBUTING.md

@@ -49,7 +49,8 @@ you might want to take a look at the [introductory talk and demo](https://www.yo
 This project is composed of:
 
 - [flux2](https://github.com/fluxcd/flux2): The Flux CLI
-- [source-manager](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git and Helm repositories, S3-compatible Buckets)
+- [source-controller](https://github.com/fluxcd/source-controller): Kubernetes operator for managing sources (Git, OCI and Helm repositories, S3-compatible Buckets)
+- [source-watcher](https://github.com/fluxcd/source-watcher): Kubernetes operator for advanced source composition and decomposition patterns
 - [kustomize-controller](https://github.com/fluxcd/kustomize-controller): Kubernetes operator for building GitOps pipelines with Kustomize
 - [helm-controller](https://github.com/fluxcd/helm-controller): Kubernetes operator for building GitOps pipelines with Helm
 - [notification-controller](https://github.com/fluxcd/notification-controller): Kubernetes operator for handling inbound and outbound events
@@ -67,10 +68,9 @@ for source changes.
 
 Prerequisites:
 
-* go >= 1.20
-* kubectl >= 1.24
+* go >= 1.26
+* kubectl >= 1.33
 * kustomize >= 5.0
-* coreutils (on Mac OS)
 
 Install the [controller-runtime/envtest](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest) binaries with:
 

Dockerfile

@@ -1,16 +1,16 @@
-FROM alpine:3.21 AS builder
+FROM alpine:3.23 AS builder
 
 RUN apk add --no-cache ca-certificates curl
 
 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.32.2
+ARG KUBECTL_VER=1.35.0
 
 RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
     -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
 
 RUN kubectl version --client=true
 
-FROM alpine:3.21 AS flux-cli
+FROM alpine:3.23 AS flux-cli
 
 RUN apk add --no-cache ca-certificates
 

Makefile

@@ -17,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build
 
 tidy:
-	go mod tidy -compat=1.23
-	cd tests/integration && go mod tidy -compat=1.23
+	go mod tidy -compat=1.26
+	cd tests/integration && go mod tidy -compat=1.26
 
 fmt:
 	go fmt ./...

README.md

@@ -52,12 +52,14 @@ guides](https://fluxcd.io/flux/gitops-toolkit/source-watcher/).
 
 ### Components
 
-- [Source Controller](https://fluxcd.io/flux/components/source/)
+- [Source Controllers](https://fluxcd.io/flux/components/source/)
     - [GitRepository CRD](https://fluxcd.io/flux/components/source/gitrepositories/)
     - [OCIRepository CRD](https://fluxcd.io/flux/components/source/ocirepositories/)
     - [HelmRepository CRD](https://fluxcd.io/flux/components/source/helmrepositories/)
     - [HelmChart CRD](https://fluxcd.io/flux/components/source/helmcharts/)
     - [Bucket CRD](https://fluxcd.io/flux/components/source/buckets/)
+    - [ExternalArtifact CRD](https://fluxcd.io/flux/components/source/externalartifacts/)
+    - [ArtifactGenerator CRD](https://fluxcd.io/flux/components/source/artifactgenerators/)
 - [Kustomize Controller](https://fluxcd.io/flux/components/kustomize/)
     - [Kustomization CRD](https://fluxcd.io/flux/components/kustomize/kustomizations/)
 - [Helm Controller](https://fluxcd.io/flux/components/helm/)

action/action.yml

@@ -16,23 +16,24 @@ inputs:
     description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
     required: false
   token:
-    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
+    description: "Token used to authenticate against the GitHub.com API."
     required: false
 runs:
   using: composite
   steps:
     - name: "Download the binary to the runner's cache dir"
       shell: bash
+      env:
+        VERSION: "${{ inputs.version }}"
+        FLUX_TOOL_DIR: "${{ inputs.bindir }}"
+        TOKEN: "${{ inputs.token }}"
       run: |
-        VERSION=${{ inputs.version }}
-
-        TOKEN=${{ inputs.token }}
-        if [[ -z "$TOKEN" ]]; then
-          TOKEN=${{ github.token }}
-        fi
-
         if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
-          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
+          if [[ "${TOKEN}" != '' ]]; then
+            VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
+          else
+            VERSION=$(curl -w "%{url_effective}\n" -IsSL https://github.com/fluxcd/flux2/releases/latest -o /dev/null | sed 's$^.*/$$')
+          fi
         fi
         if [[ -z "$VERSION" ]]; then
           echo "Unable to determine Flux CLI version"
@@ -59,7 +60,6 @@ runs:
             FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
         fi
 
-        FLUX_TOOL_DIR=${{ inputs.bindir }}
         if [[ -z "$FLUX_TOOL_DIR" ]]; then
           FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
         fi
@@ -77,9 +77,37 @@ runs:
 
           FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
 
-          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
-          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
-
+          MAX_RETRIES=5
+          RETRY_DELAY=5
+          
+          for i in $(seq 1 $MAX_RETRIES); do
+            echo "Downloading flux binary (attempt $i/$MAX_RETRIES)"
+            if curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"; then
+              break
+            fi
+            if [ $i -lt $MAX_RETRIES ]; then
+              echo "Download failed, retrying in ${RETRY_DELAY} seconds..."
+              sleep $RETRY_DELAY
+            else
+              echo "Failed to download flux binary after $MAX_RETRIES attempts"
+              exit 1
+            fi
+          done
+          
+          for i in $(seq 1 $MAX_RETRIES); do
+            echo "Downloading checksums file (attempt $i/$MAX_RETRIES)"
+            if curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"; then
+              break
+            fi
+            if [ $i -lt $MAX_RETRIES ]; then
+              echo "Download failed, retrying in ${RETRY_DELAY} seconds..."
+              sleep $RETRY_DELAY
+            else
+              echo "Failed to download checksums file after $MAX_RETRIES attempts"
+              exit 1
+            fi
+          done
+        
           echo "Verifying checksum"
           sum=""
           if command -v openssl > /dev/null; then

cmd/flux/artifact.go

@@ -0,0 +1,57 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+// swapi.ArtifactGenerator
+
+var artifactGeneratorType = apiType{
+	kind:         swapi.ArtifactGeneratorKind,
+	humanKind:    "artifactgenerator",
+	groupVersion: swapi.GroupVersion,
+}
+
+type artifactGeneratorAdapter struct {
+	*swapi.ArtifactGenerator
+}
+
+func (h artifactGeneratorAdapter) asClientObject() client.Object {
+	return h.ArtifactGenerator
+}
+
+func (h artifactGeneratorAdapter) deepCopyClientObject() client.Object {
+	return h.ArtifactGenerator.DeepCopy()
+}
+
+// swapi.ArtifactGeneratorList
+
+type artifactGeneratorListAdapter struct {
+	*swapi.ArtifactGeneratorList
+}
+
+func (h artifactGeneratorListAdapter) asClientList() client.ObjectList {
+	return h.ArtifactGeneratorList
+}
+
+func (h artifactGeneratorListAdapter) len() int {
+	return len(h.ArtifactGeneratorList.Items)
+}

cmd/flux/bootstrap.go

@@ -97,7 +97,7 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller,source-watcher'")
 
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the Flux controller images are published")

cmd/flux/bootstrap_gitlab.go

@@ -42,7 +42,7 @@ import (
 var bootstrapGitLabCmd = &cobra.Command{
 	Use:   "gitlab",
 	Short: "Deploy Flux on a cluster connected to a GitLab repository",
-	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and
+	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exist and
 commits the Flux manifests to the specified branch.
 Then it configures the target cluster to synchronize with that repository.
 If the Flux components are present on the cluster,

cmd/flux/build_artifact.go

@@ -26,15 +26,15 @@ import (
 
 	"github.com/spf13/cobra"
 
-	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/pkg/oci"
 	"github.com/fluxcd/pkg/sourceignore"
 )
 
 var buildArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Build artifact",
-	Long: withPreviewNote(`The build artifact command creates a tgz file with the manifests
-from the given directory or a single manifest file.`),
+	Long: `The build artifact command creates a tgz file with the manifests
+from the given directory or a single manifest file.`,
 	Example: `  # Build the given manifests directory into an artifact
   flux build artifact --path ./path/to/local/manifests --output ./path/to/artifact.tgz
 

cmd/flux/build_kustomization.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 	"os/signal"
+	"path/filepath"
 
 	"github.com/spf13/cobra"
 
@@ -97,6 +98,13 @@ func buildKsCmdRun(cmd *cobra.Command, args []string) (err error) {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}
 
+	// Normalize the path to handle Windows absolute and relative paths correctly
+	buildKsArgs.path, err = filepath.Abs(buildKsArgs.path)
+	if err != nil {
+		return fmt.Errorf("failed to resolve absolute path: %w", err)
+	}
+	buildKsArgs.path = filepath.Clean(buildKsArgs.path)
+
 	if fs, err := os.Stat(buildKsArgs.path); err != nil || !fs.IsDir() {
 		return fmt.Errorf("invalid resource path %q", buildKsArgs.path)
 	}

cmd/flux/build_kustomization_test.go

@@ -169,6 +169,12 @@ spec:
 			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
 			assertFunc: "assertGoldenTemplateFile",
 		},
+		{
+			name:       "build with recursive in dry-run mode",
+			args:       "build kustomization podinfo --kustomization-file " + tmpFile + " --path ./testdata/build-kustomization/podinfo-with-my-app --recursive --local-sources GitRepository/default/podinfo=./testdata/build-kustomization --dry-run",
+			resultFile: "./testdata/build-kustomization/podinfo-with-my-app-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
 	}
 
 	tmpl := map[string]string{
@@ -212,3 +218,65 @@ spec:
 		})
 	}
 }
+
+// TestBuildKustomizationPathNormalization verifies that absolute and complex
+// paths are normalized to prevent path concatenation bugs (issue #5673).
+// Without normalization, paths could be duplicated like: /path/test/path/test/file
+func TestBuildKustomizationPathNormalization(t *testing.T) {
+	// Get absolute path to testdata to test absolute path handling
+	absTestDataPath, err := filepath.Abs("testdata/build-kustomization/podinfo")
+	if err != nil {
+		t.Fatalf("failed to get absolute path: %v", err)
+	}
+
+	tests := []struct {
+		name       string
+		args       string
+		resultFile string
+		assertFunc string
+	}{
+		{
+			name:       "build with absolute path",
+			args:       "build kustomization podinfo --path " + absTestDataPath,
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with complex relative path (parent dir)",
+			args:       "build kustomization podinfo --path ./testdata/build-kustomization/../build-kustomization/podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+		{
+			name:       "build with path containing redundant separators",
+			args:       "build kustomization podinfo --path ./testdata//build-kustomization//podinfo",
+			resultFile: "./testdata/build-kustomization/podinfo-result.yaml",
+			assertFunc: "assertGoldenTemplateFile",
+		},
+	}
+
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	setup(t, tmpl)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var assert assertFunc
+
+			switch tt.assertFunc {
+			case "assertGoldenTemplateFile":
+				assert = assertGoldenTemplateFile(tt.resultFile, tmpl)
+			case "assertError":
+				assert = assertError(tt.resultFile)
+			}
+
+			cmd := cmdTestCase{
+				args:   tt.args + " -n " + tmpl["fluxns"],
+				assert: assert,
+			}
+
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/check.go

@@ -60,7 +60,7 @@ type checkFlags struct {
 }
 
 var kubernetesConstraints = []string{
-	">=1.30.0-0",
+	">=1.33.0-0",
 }
 
 var checkArgs checkFlags
@@ -217,7 +217,7 @@ func componentsCheck(ctx context.Context, kubeClient client.Client) bool {
 				}
 			}
 			for _, c := range d.Spec.Template.Spec.Containers {
-				logger.Actionf(c.Image)
+				logger.Actionf("%s", c.Image)
 			}
 		}
 	}
@@ -238,7 +238,7 @@ func crdsCheck(ctx context.Context, kubeClient client.Client) bool {
 		for _, crd := range list.Items {
 			versions := crd.Status.StoredVersions
 			if len(versions) > 0 {
-				logger.Successf(crd.Name + "/" + versions[len(versions)-1])
+				logger.Successf("%s", crd.Name+"/"+versions[len(versions)-1])
 			} else {
 				ok = false
 				logger.Failuref("no stored versions for %s", crd.Name)

cmd/flux/create_helmrelease.go

@@ -37,7 +37,6 @@ import (
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/transform"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -95,6 +94,13 @@ var createHelmReleaseCmd = &cobra.Command{
     --source=HelmRepository/podinfo \
     --chart=podinfo
 
+  # Create a HelmRelease with custom storage namespace for hub-and-spoke model
+  flux create hr podinfo \
+    --target-namespace=production \
+    --storage-namespace=fluxcd-system \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo
+
   # Create a HelmRelease using a source from a different namespace
   flux create hr podinfo \
     --namespace=default \
@@ -128,6 +134,7 @@ type helmReleaseFlags struct {
 	chartVersion        string
 	chartRef            string
 	targetNamespace     string
+	storageNamespace    string
 	createNamespace     bool
 	valuesFiles         []string
 	valuesFrom          []string
@@ -142,7 +149,7 @@ var helmReleaseArgs helmReleaseFlags
 
 var supportedHelmReleaseValuesFromKinds = []string{"Secret", "ConfigMap"}
 
-var supportedHelmReleaseReferenceKinds = []string{sourcev1b2.OCIRepositoryKind, sourcev1.HelmChartKind}
+var supportedHelmReleaseReferenceKinds = []string{sourcev1.OCIRepositoryKind, sourcev1.HelmChartKind}
 
 func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.name, "release-name", "", "name used for the Helm release, defaults to a composition of '[<target-namespace>-]<HelmRelease-name>'")
@@ -151,6 +158,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.storageNamespace, "storage-namespace", "", "namespace to store the Helm release, defaults to the target namespace")
 	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
@@ -166,10 +174,18 @@ func init() {
 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 
+	if helmReleaseArgs.storageNamespace == "" && helmReleaseArgs.targetNamespace != "" {
+		helmReleaseArgs.storageNamespace = helmReleaseArgs.targetNamespace
+	}
+
 	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
 		return fmt.Errorf("chart or chart-ref is required")
 	}
 
+	if helmReleaseArgs.chart != "" && helmReleaseArgs.chartRef != "" {
+		return fmt.Errorf("cannot use --chart in combination with --chart-ref")
+	}
+
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
@@ -192,15 +208,27 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		},
 		Spec: helmv2.HelmReleaseSpec{
 			ReleaseName: helmReleaseArgs.name,
-			DependsOn:   utils.MakeDependsOn(helmReleaseArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			TargetNamespace: helmReleaseArgs.targetNamespace,
-			Suspend:         false,
+			TargetNamespace:  helmReleaseArgs.targetNamespace,
+			StorageNamespace: helmReleaseArgs.storageNamespace,
+			Suspend:          false,
 		},
 	}
 
+	if len(helmReleaseArgs.dependsOn) > 0 {
+		ls := utils.MakeDependsOn(helmReleaseArgs.dependsOn)
+		hrDependsOn := make([]helmv2.DependencyReference, 0, len(ls))
+		for _, d := range ls {
+			hrDependsOn = append(hrDependsOn, helmv2.DependencyReference{
+				Name:      d.Name,
+				Namespace: d.Namespace,
+			})
+		}
+		helmRelease.Spec.DependsOn = hrDependsOn
+	}
+
 	switch {
 	case helmReleaseArgs.chart != "":
 		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
@@ -222,7 +250,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	case helmReleaseArgs.chartRef != "":
 		kind, name, ns := utils.ParseObjectKindNameNamespace(helmReleaseArgs.chartRef)
-		if kind != sourcev1.HelmChartKind && kind != sourcev1b2.OCIRepositoryKind {
+		if kind != sourcev1.HelmChartKind && kind != sourcev1.OCIRepositoryKind {
 			return fmt.Errorf("chart reference kind '%s' is not supported, must be one of: %s",
 				kind, strings.Join(supportedHelmReleaseReferenceKinds, ", "))
 		}
@@ -235,7 +263,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 
 	if helmReleaseArgs.kubeConfigSecretRef != "" {
 		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: meta.SecretKeyReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: helmReleaseArgs.kubeConfigSecretRef,
 			},
 		}

cmd/flux/create_helmrelease_test.go

@@ -42,6 +42,11 @@ func TestCreateHelmRelease(t *testing.T) {
 			args:   "create helmrelease podinfo --export",
 			assert: assertError("chart or chart-ref is required"),
 		},
+		{
+			name:   "chart and chartRef used in combination",
+			args:   "create helmrelease podinfo --chart podinfo --chart-ref foobar/podinfo --export",
+			assert: assertError("cannot use --chart in combination with --chart-ref"),
+		},
 		{
 			name:   "unknown source kind",
 			args:   "create helmrelease podinfo --source foobar/podinfo --chart podinfo --export",

cmd/flux/create_image_policy.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"regexp/syntax"
 	"strings"
+	"time"
 	"unicode"
 	"unicode/utf8"
 
@@ -28,18 +29,18 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
-	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
+	Long: `The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.
 
 The image that sorts highest according to the policy is recorded in
-the status of the object.`),
+the status of the object.`,
 	Example: `  # Create an ImagePolicy to select the latest stable release
   flux create image policy podinfo \
     --image-ref=podinfo \
@@ -60,6 +61,8 @@ type imagePolicyFlags struct {
 	numeric       string
 	filterRegex   string
 	filterExtract string
+	reflectDigest string
+	interval      time.Duration
 }
 
 var imagePolicyArgs = imagePolicyFlags{}
@@ -72,16 +75,12 @@ func init() {
 	flags.StringVar(&imagePolicyArgs.numeric, "select-numeric", "", "use numeric sorting to select image; either \"asc\" meaning select the last, or \"desc\" meaning select the first")
 	flags.StringVar(&imagePolicyArgs.filterRegex, "filter-regex", "", "regular expression pattern used to filter the image tags")
 	flags.StringVar(&imagePolicyArgs.filterExtract, "filter-extract", "", "replacement pattern (using capture groups from --filter-regex) to use for sorting")
+	flags.StringVar(&imagePolicyArgs.reflectDigest, "reflect-digest", "", "the digest reflection policy to use when observing latest image tags (one of 'Never', 'IfNotPresent', 'Never')")
+	flags.DurationVar(&imagePolicyArgs.interval, "interval", 0, "the interval at which to check for new image digests when the policy is set to 'Always'")
 
 	createImageCmd.AddCommand(createImagePolicyCmd)
 }
 
-// getObservedGeneration is implemented here, since it's not
-// (presently) needed elsewhere.
-func (obj imagePolicyAdapter) getObservedGeneration() int64 {
-	return obj.ImagePolicy.Status.ObservedGeneration
-}
-
 func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	objectName := args[0]
 
@@ -153,6 +152,20 @@ func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("cannot specify --filter-extract without specifying --filter-regex")
 	}
 
+	if p := imagev1.ReflectionPolicy(imagePolicyArgs.reflectDigest); p != "" {
+		if p != imagev1.ReflectNever && p != imagev1.ReflectIfNotPresent && p != imagev1.ReflectAlways {
+			return fmt.Errorf("invalid value for --reflect-digest, must be one of 'Never', 'IfNotPresent', 'Always'")
+		}
+		policy.Spec.DigestReflectionPolicy = p
+	}
+
+	if imagePolicyArgs.interval != 0 {
+		if imagePolicyArgs.reflectDigest != string(imagev1.ReflectAlways) {
+			return fmt.Errorf("the --interval flag can only be used with the 'Always' digest reflection policy, use --reflect-digest=Always")
+		}
+		policy.Spec.Interval = &metav1.Duration{Duration: imagePolicyArgs.interval}
+	}
+
 	if createArgs.export {
 		return printExport(exportImagePolicy(&policy))
 	}

cmd/flux/create_image_repository.go

@@ -26,14 +26,14 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
-	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
-An ImageRepository object specifies an image repository to scan.`),
+	Long: `The create image repository command generates an ImageRepository resource.
+An ImageRepository object specifies an image repository to scan.`,
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
   flux create image repository alpine-repo --image alpine --interval 20m
 

cmd/flux/create_image_update.go

@@ -22,16 +22,16 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
-	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
+	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
-mentioned in YAMLs in a git repository.`),
+mentioned in YAMLs in a git repository.`,
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
   flux create image update flux-system \
     --git-repo-ref=flux-system \

cmd/flux/create_kustomization.go

@@ -153,7 +153,6 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
-			DependsOn: utils.MakeDependsOn(kustomizationArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
@@ -169,9 +168,21 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
+	if len(kustomizationArgs.dependsOn) > 0 {
+		ls := utils.MakeDependsOn(kustomizationArgs.dependsOn)
+		ksDependsOn := make([]kustomizev1.DependencyReference, 0, len(ls))
+		for _, d := range ls {
+			ksDependsOn = append(ksDependsOn, kustomizev1.DependencyReference{
+				Name:      d.Name,
+				Namespace: d.Namespace,
+			})
+		}
+		kustomization.Spec.DependsOn = ksDependsOn
+	}
+
 	if kustomizationArgs.kubeConfigSecretRef != "" {
 		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: meta.SecretKeyReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
 		}

cmd/flux/create_secret_git.go

@@ -172,7 +172,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}
 
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGit(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_github_app.go

@@ -46,16 +46,18 @@ var createSecretGitHubAppCmd = &cobra.Command{
 }
 
 type secretGitHubAppFlags struct {
-	appID             string
-	appInstallationID string
-	privateKeyFile    string
-	baseURL           string
+	appID                string
+	appInstallationOwner string
+	appInstallationID    string
+	privateKeyFile       string
+	baseURL              string
 }
 
 var secretGitHubAppArgs = secretGitHubAppFlags{}
 
 func init() {
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appID, "app-id", "", "github app ID")
+	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationOwner, "app-installation-owner", "", "github app installation owner (user or organization)")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.appInstallationID, "app-installation-id", "", "github app installation ID")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.privateKeyFile, "app-private-key", "", "github app private key file path")
 	createSecretGitHubAppCmd.Flags().StringVar(&secretGitHubAppArgs.baseURL, "app-base-url", "", "github app base URL")
@@ -70,36 +72,22 @@ func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
 
 	secretName := args[0]
 
-	if secretGitHubAppArgs.appID == "" {
-		return fmt.Errorf("--app-id is required")
-	}
-
-	if secretGitHubAppArgs.appInstallationID == "" {
-		return fmt.Errorf("--app-installation-id is required")
-	}
-
-	if secretGitHubAppArgs.privateKeyFile == "" {
-		return fmt.Errorf("--app-private-key is required")
-	}
-
 	privateKey, err := os.ReadFile(secretGitHubAppArgs.privateKeyFile)
 	if err != nil {
 		return fmt.Errorf("unable to read private key file: %w", err)
 	}
 
 	opts := sourcesecret.Options{
-		Name:                    secretName,
-		Namespace:               *kubeconfigArgs.Namespace,
-		GitHubAppID:             secretGitHubAppArgs.appID,
-		GitHubAppInstallationID: secretGitHubAppArgs.appInstallationID,
-		GitHubAppPrivateKey:     string(privateKey),
+		Name:                       secretName,
+		Namespace:                  *kubeconfigArgs.Namespace,
+		GitHubAppID:                secretGitHubAppArgs.appID,
+		GitHubAppInstallationOwner: secretGitHubAppArgs.appInstallationOwner,
+		GitHubAppInstallationID:    secretGitHubAppArgs.appInstallationID,
+		GitHubAppPrivateKey:        string(privateKey),
+		GitHubAppBaseURL:           secretGitHubAppArgs.baseURL,
 	}
 
-	if secretGitHubAppArgs.baseURL != "" {
-		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
-	}
-
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGitHubApp(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_githubapp_test.go

@@ -31,21 +31,6 @@ func TestCreateSecretGitHubApp(t *testing.T) {
 			args:   "create secret githubapp",
 			assert: assertError("name is required"),
 		},
-		{
-			name:   "create githubapp secret with missing app-id",
-			args:   "create secret githubapp appinfo",
-			assert: assertError("--app-id is required"),
-		},
-		{
-			name:   "create githubapp secret with missing appInstallationID",
-			args:   "create secret githubapp appinfo --app-id 1",
-			assert: assertError("--app-installation-id is required"),
-		},
-		{
-			name:   "create githubapp secret with missing private key file",
-			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2",
-			assert: assertError("--app-private-key is required"),
-		},
 		{
 			name:   "create githubapp secret with private key file that does not exist",
 			args:   "create secret githubapp appinfo --app-id 1 --app-installation-id 2 --app-private-key pk.pem",
@@ -53,7 +38,7 @@ func TestCreateSecretGitHubApp(t *testing.T) {
 		},
 		{
 			name:   "create githubapp secret with app info",
-			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-id 2 --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
+			args:   "create secret githubapp appinfo --namespace my-namespace --app-id 1 --app-installation-owner my-org --app-private-key ./testdata/create_secret/githubapp/test-private-key.pem --export",
 			assert: assertGoldenFile("testdata/create_secret/githubapp/secret.yaml"),
 		},
 		{

cmd/flux/create_secret_helm.go

@@ -83,10 +83,12 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	var certFile, keyFile []byte
-	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
+	if secretHelmArgs.tlsCrtFile != "" {
 		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
+	}
+	if secretHelmArgs.tlsKeyFile != "" {
 		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
@@ -102,7 +104,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		TLSCrt:    certFile,
 		TLSKey:    keyFile,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateHelm(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_notation.go

@@ -132,7 +132,7 @@ func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
 		VerificationCrts: caCerts,
 		TrustPolicy:      policy,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateNotation(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_oci.go

@@ -92,7 +92,7 @@ func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretOCIArgs.username,
 	}
 
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateOCI(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_proxy.go

@@ -83,7 +83,7 @@ func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretProxyArgs.username,
 		Password:  secretProxyArgs.password,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateProxy(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_secret_tls.go

@@ -84,16 +84,18 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
+	if secretTLSArgs.tlsCrtFile != "" {
 		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
+	}
+	if secretTLSArgs.tlsKeyFile != "" {
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}
 
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateTLS(opts)
 	if err != nil {
 		return err
 	}

cmd/flux/create_source_bucket.go

@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/spf13/cobra"
@@ -114,12 +113,6 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	var ignorePaths *string
 	if len(sourceBucketArgs.ignorePaths) > 0 {
 		ignorePathsStr := strings.Join(sourceBucketArgs.ignorePaths, "\n")

cmd/flux/create_source_git.go

@@ -44,25 +44,26 @@ import (
 )
 
 type sourceGitFlags struct {
-	url               string
-	branch            string
-	tag               string
-	semver            string
-	refName           string
-	commit            string
-	username          string
-	password          string
-	keyAlgorithm      flags.PublicKeyAlgorithm
-	keyRSABits        flags.RSAKeyBits
-	keyECDSACurve     flags.ECDSACurve
-	secretRef         string
-	proxySecretRef    string
-	provider          flags.SourceGitProvider
-	caFile            string
-	privateKeyFile    string
-	recurseSubmodules bool
-	silent            bool
-	ignorePaths       []string
+	url                 string
+	branch              string
+	tag                 string
+	semver              string
+	refName             string
+	commit              string
+	username            string
+	password            string
+	keyAlgorithm        flags.PublicKeyAlgorithm
+	keyRSABits          flags.RSAKeyBits
+	keyECDSACurve       flags.ECDSACurve
+	secretRef           string
+	proxySecretRef      string
+	provider            flags.SourceGitProvider
+	caFile              string
+	privateKeyFile      string
+	recurseSubmodules   bool
+	silent              bool
+	ignorePaths         []string
+	sparseCheckoutPaths []string
 }
 
 var createSourceGitCmd = &cobra.Command{
@@ -138,7 +139,7 @@ func init() {
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.branch, "branch", "", "git branch")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.tag, "tag", "", "git tag")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.semver, "tag-semver", "", "git tag semver range")
-	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", " git reference name")
+	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.refName, "ref-name", "", "git reference name")
 	createSourceGitCmd.Flags().StringVar(&sourceGitArgs.commit, "commit", "", "git commit")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.username, "username", "u", "", "basic authentication username")
 	createSourceGitCmd.Flags().StringVarP(&sourceGitArgs.password, "password", "p", "", "basic authentication password")
@@ -154,6 +155,7 @@ func init() {
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")
+	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.sparseCheckoutPaths, "sparse-checkout-paths", nil, "set paths to sparse checkout in git resource (can specify multiple paths with commas: path1,path2)")
 
 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -189,12 +191,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
 	}
 
-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
@@ -220,6 +216,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			Ignore:            ignorePaths,
+			SparseCheckout:    sourceGitArgs.sparseCheckoutPaths,
 		},
 	}
 
@@ -302,7 +299,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateGit(secretOpts)
 		if err != nil {
 			return err
 		}

cmd/flux/create_source_git_test.go

@@ -87,7 +87,7 @@ func (r *reconciler) conditionFunc() (bool, error) {
 }
 
 func TestCreateSourceGitExport(t *testing.T) {
-	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --sparse-checkout-paths .cosign,non-existent-dir/ --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
 
 	cases := []struct {
 		name   string
@@ -101,7 +101,7 @@ func TestCreateSourceGitExport(t *testing.T) {
 		},
 		{
 			name:   "no args",
-			args:   "create secret git",
+			args:   "create source git --url=https://github.com/stefanprodan/podinfo",
 			assert: assertError("name is required"),
 		},
 		{
@@ -204,12 +204,13 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
-				repo.Status.Artifact = &sourcev1.Artifact{
+				repo.Status.Artifact = &meta.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
 					LastUpdateTime: metav1.Time{
 						Time: time.Now(),
 					},
+					Digest: "sha256:1234567890abcdef",
 				}
 				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},

cmd/flux/create_source_helm.go

@@ -114,12 +114,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	if _, err := url.Parse(sourceHelmArgs.url); err != nil {
 		return fmt.Errorf("url parse failed: %w", err)
 	}
@@ -202,7 +196,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateHelm(secretOpts)
 		if err != nil {
 			return err
 		}

cmd/flux/create_source_oci.go

@@ -29,9 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluxcd/pkg/apis/meta"
-
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/internal/utils"
@@ -81,7 +79,7 @@ var sourceOCIRepositoryArgs = newSourceOCIFlags()
 
 func newSourceOCIFlags() sourceOCIRepositoryFlags {
 	return sourceOCIRepositoryFlags{
-		provider: flags.SourceOCIProvider(sourcev1b2.GenericOCIProvider),
+		provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
 	}
 }
 
@@ -127,20 +125,20 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		ignorePaths = &ignorePathsStr
 	}
 
-	repository := &sourcev1b2.OCIRepository{
+	repository := &sourcev1.OCIRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: *kubeconfigArgs.Namespace,
 			Labels:    sourceLabels,
 		},
-		Spec: sourcev1b2.OCIRepositorySpec{
+		Spec: sourcev1.OCIRepositorySpec{
 			Provider: sourceOCIRepositoryArgs.provider.String(),
 			URL:      sourceOCIRepositoryArgs.url,
 			Insecure: sourceOCIRepositoryArgs.insecure,
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			Reference: &sourcev1b2.OCIRepositoryRef{},
+			Reference: &sourcev1.OCIRepositoryRef{},
 			Ignore:    ignorePaths,
 		},
 	}
@@ -237,13 +235,13 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 }
 
 func upsertOCIRepository(ctx context.Context, kubeClient client.Client,
-	ociRepository *sourcev1b2.OCIRepository) (types.NamespacedName, error) {
+	ociRepository *sourcev1.OCIRepository) (types.NamespacedName, error) {
 	namespacedName := types.NamespacedName{
 		Namespace: ociRepository.GetNamespace(),
 		Name:      ociRepository.GetName(),
 	}
 
-	var existing sourcev1b2.OCIRepository
+	var existing sourcev1.OCIRepository
 	err := kubeClient.Get(ctx, namespacedName, &existing)
 	if err != nil {
 		if errors.IsNotFound(err) {

cmd/flux/create_tenant.go

@@ -21,7 +21,6 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -32,6 +31,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )
 
 var createTenantCmd = &cobra.Command{
@@ -57,8 +58,10 @@ const (
 )
 
 type tenantFlags struct {
-	namespaces  []string
-	clusterRole string
+	namespaces    []string
+	clusterRole   string
+	account       string
+	skipNamespace bool
 }
 
 var tenantArgs tenantFlags
@@ -66,6 +69,8 @@ var tenantArgs tenantFlags
 func init() {
 	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
+	createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
+	createTenantCmd.Flags().BoolVar(&tenantArgs.skipNamespace, "skip-namespace", false, "skip namespace creation (namespace must exist already)")
 	createCmd.AddCommand(createTenantCmd)
 }
 
@@ -107,9 +112,17 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		namespaces = append(namespaces, namespace)
 
+		accountName := tenant
+		if tenantArgs.account != "" {
+			accountName = tenantArgs.account
+		}
+		if err := validation.IsQualifiedName(accountName); len(err) > 0 {
+			return fmt.Errorf("invalid service-account name '%s': %v", accountName, err)
+		}
+
 		account := corev1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenant,
+				Name:      accountName,
 				Namespace: ns,
 				Labels:    objLabels,
 			},
@@ -131,7 +144,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 				},
 				{
 					Kind:      "ServiceAccount",
-					Name:      tenant,
+					Name:      accountName,
 					Namespace: ns,
 				},
 			},
@@ -146,7 +159,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 
 	if createArgs.export {
 		for i := range tenantArgs.namespaces {
-			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
+			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i], tenantArgs.skipNamespace); err != nil {
 				return err
 			}
 		}
@@ -162,9 +175,11 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	for i := range tenantArgs.namespaces {
-		logger.Actionf("applying namespace %s", namespaces[i].Name)
-		if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
-			return err
+		if !tenantArgs.skipNamespace {
+			logger.Actionf("applying namespace %s", namespaces[i].Name)
+			if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
+				return err
+			}
 		}
 
 		logger.Actionf("applying service account %s", accounts[i].Name)
@@ -273,19 +288,24 @@ func upsertRoleBinding(ctx context.Context, kubeClient client.Client, roleBindin
 	return nil
 }
 
-func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding) error {
-	namespace.TypeMeta = metav1.TypeMeta{
-		APIVersion: "v1",
-		Kind:       "Namespace",
-	}
-	data, err := yaml.Marshal(namespace)
-	if err != nil {
-		return err
-	}
+func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding, skipNamespace bool) error {
+	var data []byte
+	var err error
 
-	fmt.Println("---")
-	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+	if !skipNamespace {
+		namespace.TypeMeta = metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Namespace",
+		}
+		data, err = yaml.Marshal(namespace)
+		if err != nil {
+			return err
+		}
+		data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
+
+		printlnStdout("---")
+		printlnStdout(resourceToString(data))
+	}
 
 	account.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
@@ -295,10 +315,10 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	if err != nil {
 		return err
 	}
-
-	fmt.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))
 
 	roleBinding.TypeMeta = metav1.TypeMeta{
 		APIVersion: "rbac.authorization.k8s.io/v1",
@@ -309,8 +329,8 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}
 
-	fmt.Println("---")
-	fmt.Println(resourceToString(data))
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))
 
 	return nil
 }

cmd/flux/create_tenant_test.go

@@ -0,0 +1,73 @@
+//go:build e2e
+// +build e2e
+
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateTenant(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create tenant",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "no namespace",
+			args:   "create tenant dev-team --cluster-role=cluster-admin",
+			assert: assertError("with-namespace is required"),
+		},
+		{
+			name:   "basic tenant",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-basic.yaml"),
+		},
+		{
+			name:   "tenant with custom serviceaccount",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --with-service-account=flux-tenant --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-service-account.yaml"),
+		},
+		{
+			name:   "tenant with custom cluster role",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
+		},
+		{
+			name:   "tenant with skip namespace",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --skip-namespace --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-skip-namespace.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/debug_helmrelease.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/chartutil"
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
@@ -41,15 +40,19 @@ WARNING: This command will print sensitive information if Kubernetes Secrets are
   flux debug hr podinfo --show-status
 
   # Export the final values of a Helm release composed from referred ConfigMaps and Secrets
-  flux debug hr podinfo --show-values > values.yaml`,
+  flux debug hr podinfo --show-values > values.yaml
+
+  # Print the reconciliation history of a Helm release
+  flux debug hr podinfo --show-history`,
 	RunE:              debugHelmReleaseCmdRun,
 	Args:              cobra.ExactArgs(1),
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
 }
 
 type debugHelmReleaseFlags struct {
-	showStatus bool
-	showValues bool
+	showStatus  bool
+	showValues  bool
+	showHistory bool
 }
 
 var debugHelmReleaseArgs debugHelmReleaseFlags
@@ -57,15 +60,25 @@ var debugHelmReleaseArgs debugHelmReleaseFlags
 func init() {
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showStatus, "show-status", false, "print the status of the Helm release")
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showValues, "show-values", false, "print the final values of the Helm release")
+	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showHistory, "show-history", false, "print the reconciliation history of the Helm release")
 	debugCmd.AddCommand(debugHelmReleaseCmd)
 }
 
 func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 
-	if (!debugHelmReleaseArgs.showStatus && !debugHelmReleaseArgs.showValues) ||
-		(debugHelmReleaseArgs.showStatus && debugHelmReleaseArgs.showValues) {
-		return fmt.Errorf("either --show-status or --show-values must be set")
+	flagsSet := 0
+	if debugHelmReleaseArgs.showStatus {
+		flagsSet++
+	}
+	if debugHelmReleaseArgs.showValues {
+		flagsSet++
+	}
+	if debugHelmReleaseArgs.showHistory {
+		flagsSet++
+	}
+	if flagsSet != 1 {
+		return fmt.Errorf("exactly one of --show-status, --show-values, or --show-history must be set")
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
@@ -93,23 +106,12 @@ func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if debugHelmReleaseArgs.showValues {
-		// TODO(stefan): remove the mapping when helm-controller/api v1.2.0 has been released
-		var valuesRefs []meta.ValuesReference
-		for _, source := range hr.Spec.ValuesFrom {
-			valuesRefs = append(valuesRefs, meta.ValuesReference{
-				Kind:      source.Kind,
-				Name:      source.Name,
-				ValuesKey: source.ValuesKey,
-				Optional:  source.Optional,
-			})
-		}
-
 		finalValues, err := chartutil.ChartValuesFromReferences(ctx,
 			logr.Discard(),
 			kubeClient,
 			hr.GetNamespace(),
 			hr.GetValues(),
-			valuesRefs...)
+			hr.Spec.ValuesFrom...)
 		if err != nil {
 			return err
 		}
@@ -121,5 +123,20 @@ func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		rootCmd.Print(string(values))
 	}
 
+	if debugHelmReleaseArgs.showHistory {
+		if len(hr.Status.History) == 0 {
+			hr.Status.History = helmv2.Snapshots{}
+		}
+
+		history, err := yaml.Marshal(hr.Status.History)
+		if err != nil {
+			return err
+		}
+
+		rootCmd.Println("# History documentation: https://fluxcd.io/flux/components/helm/helmreleases/#history")
+		rootCmd.Print(string(history))
+		return nil
+	}
+
 	return nil
 }

cmd/flux/debug_helmrelease_test.go

@@ -56,6 +56,18 @@ func TestDebugHelmRelease(t *testing.T) {
 			"testdata/debug_helmrelease/values-from.golden.yaml",
 			tmpl,
 		},
+		{
+			"debug history",
+			"debug helmrelease test-with-history --show-history --show-status=false",
+			"testdata/debug_helmrelease/history.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug history empty",
+			"debug helmrelease test-values-inline --show-history --show-status=false",
+			"testdata/debug_helmrelease/history-empty.golden.yaml",
+			tmpl,
+		},
 	}
 
 	for _, tt := range cases {

cmd/flux/debug_kustomization.go

@@ -24,6 +24,7 @@ import (
 	"strings"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/kustomize"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -44,15 +45,19 @@ WARNING: This command will print sensitive information if Kubernetes Secrets are
   flux debug ks podinfo --show-status
 
   # Export the final variables used for post-build substitutions composed from referred ConfigMaps and Secrets
-  flux debug ks podinfo --show-vars > vars.env`,
+  flux debug ks podinfo --show-vars > vars.env
+
+  # Print the reconciliation history of a Flux Kustomization
+  flux debug ks podinfo --show-history`,
 	RunE:              debugKustomizationCmdRun,
 	Args:              cobra.ExactArgs(1),
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
 }
 
 type debugKustomizationFlags struct {
-	showStatus bool
-	showVars   bool
+	showStatus  bool
+	showVars    bool
+	showHistory bool
 }
 
 var debugKustomizationArgs debugKustomizationFlags
@@ -60,15 +65,25 @@ var debugKustomizationArgs debugKustomizationFlags
 func init() {
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showStatus, "show-status", false, "print the status of the Flux Kustomization")
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showVars, "show-vars", false, "print the final vars of the Flux Kustomization in dot env format")
+	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showHistory, "show-history", false, "print the reconciliation history of the Flux Kustomization")
 	debugCmd.AddCommand(debugKustomizationCmd)
 }
 
 func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]
 
-	if (!debugKustomizationArgs.showStatus && !debugKustomizationArgs.showVars) ||
-		(debugKustomizationArgs.showStatus && debugKustomizationArgs.showVars) {
-		return fmt.Errorf("either --show-status or --show-vars must be set")
+	flagsSet := 0
+	if debugKustomizationArgs.showStatus {
+		flagsSet++
+	}
+	if debugKustomizationArgs.showVars {
+		flagsSet++
+	}
+	if debugKustomizationArgs.showHistory {
+		flagsSet++
+	}
+	if flagsSet != 1 {
+		return fmt.Errorf("exactly one of --show-status, --show-vars, or --show-history must be set")
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
@@ -130,5 +145,20 @@ func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if debugKustomizationArgs.showHistory {
+		if len(ks.Status.History) == 0 {
+			ks.Status.History = meta.History{}
+		}
+
+		history, err := yaml.Marshal(ks.Status.History)
+		if err != nil {
+			return err
+		}
+
+		rootCmd.Println("# History documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#history")
+		rootCmd.Print(string(history))
+		return nil
+	}
+
 	return nil
 }

cmd/flux/debug_kustomization_test.go

@@ -55,6 +55,17 @@ func TestDebugKustomization(t *testing.T) {
 			"debug ks test-from --show-vars --show-status=false",
 			"testdata/debug_kustomization/vars-from.golden.env",
 			tmpl,
+		}, {
+			"debug history",
+			"debug ks test-with-history --show-history --show-status=false",
+			"testdata/debug_kustomization/history.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug history empty",
+			"debug ks test --show-history --show-status=false",
+			"testdata/debug_kustomization/history-empty.golden.yaml",
+			tmpl,
 		},
 	}
 

cmd/flux/delete_image_policy.go

@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var deleteImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  withPreviewNote(`The delete image policy command deletes the given ImagePolicy from the cluster.`),
+	Long:  `The delete image policy command deletes the given ImagePolicy from the cluster.`,
 	Example: `  # Delete an image policy
   flux delete image policy alpine3.x`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),

cmd/flux/delete_image_repository.go

@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var deleteImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  withPreviewNote("The delete image repository command deletes the given ImageRepository from the cluster."),
+	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
 	Example: `  # Delete an image repository
   flux delete image repository alpine`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),

cmd/flux/delete_image_update.go

@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )
 
 var deleteImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  withPreviewNote(`The delete image update command deletes the given ImageUpdateAutomation from the cluster.`),
+	Long:  `The delete image update command deletes the given ImageUpdateAutomation from the cluster.`,
 	Example: `  # Delete an image update automation
   flux delete image update latest-images`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),

cmd/flux/delete_source_chart.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 var deleteSourceChartCmd = &cobra.Command{

cmd/flux/delete_source_oci.go

@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 var deleteSourceOCIRepositoryCmd = &cobra.Command{

cmd/flux/diff_artifact.go

@@ -21,8 +21,9 @@ import (
 	"fmt"
 	"os"
 
-	oci "github.com/fluxcd/pkg/oci/client"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/oci"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
@@ -31,7 +32,7 @@ import (
 var diffArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Diff Artifact",
-	Long:  withPreviewNote(`The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`),
+	Long:  `The diff artifact command computes the diff between the remote OCI artifact and a local directory or file`,
 	Example: `# Check if local files differ from remote
 flux diff artifact oci://ghcr.io/stefanprodan/manifests:podinfo:6.2.0 --path=./kustomize`,
 	RunE: diffArtifactCmdRun,
@@ -42,6 +43,7 @@ type diffArtifactFlags struct {
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
+	insecure    bool
 }
 
 var diffArtifactArgs = newDiffArtifactArgs()
@@ -57,6 +59,7 @@ func init() {
 	diffArtifactCmd.Flags().StringVar(&diffArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	diffArtifactCmd.Flags().Var(&diffArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
 	diffArtifactCmd.Flags().StringSliceVar(&diffArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+	diffArtifactCmd.Flags().BoolVar(&diffArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifact to be pulled without TLS")
 	diffCmd.AddCommand(diffArtifactCmd)
 }
 
@@ -82,7 +85,22 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	ociClient := oci.NewClient(oci.DefaultOptions())
+	opts := oci.DefaultOptions()
+
+	if diffArtifactArgs.insecure {
+		opts = append(opts, crane.Insecure)
+	}
+
+	if diffArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		opt, _, err := loginWithProvider(ctx, url, diffArtifactArgs.provider.String())
+		if err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+		opts = append(opts, opt)
+	}
+
+	ociClient := oci.NewClient(opts)
 
 	if diffArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && diffArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
@@ -91,18 +109,6 @@ func diffArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if diffArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
-		logger.Actionf("logging in to registry with provider credentials")
-		ociProvider, err := diffArtifactArgs.provider.ToOCIProvider()
-		if err != nil {
-			return fmt.Errorf("provider not supported: %w", err)
-		}
-
-		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
-			return fmt.Errorf("error during login with provider: %w", err)
-		}
-	}
-
 	if err := ociClient.Diff(ctx, url, diffArtifactArgs.path, diffArtifactArgs.ignorePaths); err != nil {
 		return err
 	}

cmd/flux/diff_artifact_test.go

@@ -96,7 +96,7 @@ func TestDiffArtifact(t *testing.T) {
 			tt.url = fmt.Sprintf(tt.url, dockerReg)
 			_, err := executeCommand("push artifact " + tt.url + " --path=" + tt.pushFile + " --source=test --revision=test")
 			if err != nil {
-				t.Fatalf(fmt.Errorf("failed to push image: %w", err).Error())
+				t.Fatal(fmt.Errorf("failed to push image: %w", err).Error())
 			}
 
 			cmd := cmdTestCase{

cmd/flux/diff_kustomization_test.go

@@ -27,6 +27,7 @@ import (
 
 	"github.com/fluxcd/flux2/v2/internal/build"
 	"github.com/fluxcd/pkg/ssa"
+	"github.com/fluxcd/pkg/ssa/normalize"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -151,7 +152,7 @@ func createObjectFromFile(objectFile string, templateValues map[string]string, t
 		t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
 	}
 
-	if err := ssa.SetNativeKindsDefaults(clientObjects); err != nil {
+	if err := normalize.UnstructuredList(clientObjects); err != nil {
 		t.Fatalf("Error setting native kinds defaults for '%s': %v", objectFile, err)
 	}
 

cmd/flux/events.go

@@ -20,7 +20,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"os"
 	"sort"
 	"strings"
 	"time"
@@ -40,13 +39,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
 
 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@@ -113,7 +112,12 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	var diffRefNs bool
-	clientListOpts := []client.ListOption{client.InNamespace(*kubeconfigArgs.Namespace)}
+	// Build the base list options. When --all-namespaces is set we must NOT constrain the
+	// query to a single namespace, otherwise we silently return a partial result set.
+	clientListOpts := []client.ListOption{}
+	if !eventArgs.allNamespaces {
+		clientListOpts = append(clientListOpts, client.InNamespace(*kubeconfigArgs.Namespace))
+	}
 	var refListOpts [][]client.ListOption
 	if eventArgs.forSelector != "" {
 		kind, name := getKindNameFromSelector(eventArgs.forSelector)
@@ -192,11 +196,14 @@ func getRows(ctx context.Context, kubeclient client.Client, clientListOpts []cli
 
 func addEventsToList(ctx context.Context, kubeclient client.Client, el *corev1.EventList, clientListOpts []client.ListOption) error {
 	listOpts := &metav1.ListOptions{}
-	clientListOpts = append(clientListOpts, client.Limit(cmdutil.DefaultChunkSize))
 	err := runtimeresource.FollowContinue(listOpts,
 		func(options metav1.ListOptions) (runtime.Object, error) {
 			newEvents := &corev1.EventList{}
-			if err := kubeclient.List(ctx, newEvents, clientListOpts...); err != nil {
+			opts := append(clientListOpts, client.Limit(cmdutil.DefaultChunkSize))
+			if options.Continue != "" {
+				opts = append(opts, client.Continue(options.Continue))
+			}
+			if err := kubeclient.List(ctx, newEvents, opts...); err != nil {
 				return nil, fmt.Errorf("error getting events: %w", err)
 			}
 			el.Items = append(el.Items, newEvents.Items...)
@@ -247,7 +254,7 @@ func eventsCmdWatchRun(ctx context.Context, kubeclient client.WithWatch, listOpt
 			hdr = getHeaders(showNs)
 			firstIteration = false
 		}
-		return printers.TablePrinter(hdr).Print(os.Stdout, [][]string{rows})
+		return printers.TablePrinter(hdr).Print(rootCmd.OutOrStdout(), [][]string{rows})
 	}
 
 	for _, refOpts := range refListOpts {
@@ -446,11 +453,12 @@ var fluxKindMap = refMap{
 		field:           []string{"spec", "sourceRef"},
 	},
 	sourcev1.GitRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.GitRepositoryKind)},
-	sourcev1b2.OCIRepositoryKind:     {gvk: sourcev1b2.GroupVersion.WithKind(sourcev1b2.OCIRepositoryKind)},
+	sourcev1.OCIRepositoryKind:       {gvk: sourcev1.GroupVersion.WithKind(sourcev1.OCIRepositoryKind)},
 	sourcev1.BucketKind:              {gvk: sourcev1.GroupVersion.WithKind(sourcev1.BucketKind)},
 	sourcev1.HelmRepositoryKind:      {gvk: sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)},
 	autov1.ImageUpdateAutomationKind: {gvk: autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)},
 	imagev1.ImageRepositoryKind:      {gvk: imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)},
+	swapi.ArtifactGeneratorKind:      {gvk: swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)},
 }
 
 func ignoreEvent(e corev1.Event) bool {

cmd/flux/events_test.go

@@ -20,11 +20,13 @@ package main
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 	"testing"
 
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -140,7 +142,7 @@ spec:
   address: https://hooks.slack.com/services/mock
   type: slack
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImagePolicy
 metadata:
   name: podinfo
@@ -419,6 +421,108 @@ func createEvent(obj client.Object, eventType, msg, reason string) corev1.Event
 	}
 }
 
+// paginatedClient wraps a client.Client and simulates real Kubernetes API
+// pagination by splitting List results into pages of pageSize items,
+// using the ListMeta.Continue token.
+type paginatedClient struct {
+	client.Client
+	pageSize int
+}
+
+func (c *paginatedClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
+	listOpts := &client.ListOptions{}
+	listOpts.ApplyOptions(opts)
+
+	// Fetch all results from the underlying client (without Limit/Continue).
+	stripped := make([]client.ListOption, 0, len(opts))
+	for _, o := range opts {
+		if _, ok := o.(client.Limit); ok {
+			continue
+		}
+		if _, ok := o.(client.Continue); ok {
+			continue
+		}
+		stripped = append(stripped, o)
+	}
+	if err := c.Client.List(ctx, list, stripped...); err != nil {
+		return err
+	}
+
+	items, err := meta.ExtractList(list)
+	if err != nil {
+		return err
+	}
+
+	// Determine the page window based on the Continue token.
+	start := 0
+	if listOpts.Continue != "" {
+		n, err := strconv.Atoi(listOpts.Continue)
+		if err != nil {
+			return fmt.Errorf("invalid continue token: %w", err)
+		}
+		start = n
+	}
+	if start > len(items) {
+		start = len(items)
+	}
+
+	end := start + c.pageSize
+	if end > len(items) {
+		end = len(items)
+	}
+
+	page := items[start:end]
+	if err := meta.SetList(list, page); err != nil {
+		return err
+	}
+
+	// Set the Continue token when there are more pages.
+	listAccessor, err := meta.ListAccessor(list)
+	if err != nil {
+		return err
+	}
+	if end < len(items) {
+		listAccessor.SetContinue(strconv.Itoa(end))
+	} else {
+		listAccessor.SetContinue("")
+	}
+
+	return nil
+}
+
+func Test_addEventsToList_pagination(t *testing.T) {
+	g := NewWithT(t)
+	objs, err := ssautil.ReadObjects(strings.NewReader(objects))
+	g.Expect(err).To(Not(HaveOccurred()))
+
+	builder := fake.NewClientBuilder().WithScheme(utils.NewScheme())
+	for _, obj := range objs {
+		builder = builder.WithObjects(obj)
+	}
+
+	eventList := &corev1.EventList{}
+	for _, obj := range objs {
+		infoEvent := createEvent(obj, eventv1.EventSeverityInfo, "Info Message", "Info Reason")
+		warningEvent := createEvent(obj, eventv1.EventSeverityError, "Error Message", "Error Reason")
+		eventList.Items = append(eventList.Items, infoEvent, warningEvent)
+	}
+	builder = builder.WithLists(eventList)
+	c := builder.Build()
+
+	totalEvents := len(eventList.Items)
+	g.Expect(totalEvents).To(BeNumerically(">", 2), "need more than 2 events to test pagination")
+
+	// Wrap the client to paginate at 2 items per page, forcing multiple
+	// round-trips through FollowContinue.
+	pc := &paginatedClient{Client: c, pageSize: 2}
+
+	el := &corev1.EventList{}
+	err = addEventsToList(context.Background(), pc, el, nil)
+	g.Expect(err).To(Not(HaveOccurred()))
+	g.Expect(el.Items).To(HaveLen(totalEvents),
+		"addEventsToList should collect all events across paginated responses")
+}
+
 func kindNameIndexer(obj client.Object) []string {
 	e, ok := obj.(*corev1.Event)
 	if !ok {

cmd/flux/export.go

@@ -109,13 +109,13 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func printExport(export interface{}) error {
+func printExport(export any) error {
 	data, err := yaml.Marshal(export)
 	if err != nil {
 		return err
 	}
-	rootCmd.Println("---")
-	rootCmd.Println(resourceToString(data))
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))
 	return nil
 }
 

cmd/flux/export_artifact.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var exportArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Export artifact objects",
+	Long:  `The export artifact sub-commands export artifacts objects in YAML format.`,
+}
+
+func init() {
+	exportCmd.AddCommand(exportArtifactCmd)
+}

cmd/flux/export_artifact_generator.go

@@ -0,0 +1,72 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+var exportArtifactGeneratorCmd = &cobra.Command{
+	Use:   "generator [name]",
+	Short: "Export ArtifactGenerator resources in YAML format",
+	Long:  "The export artifact generator command exports one or all ArtifactGenerator resources in YAML format.",
+	Example: `  # Export all ArtifactGenerator resources
+  flux export artifact generator --all > artifact-generators.yaml
+
+  # Export a specific generator
+  flux export artifact generator my-generator > my-generator.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)),
+	RunE: exportCommand{
+		object: artifactGeneratorAdapter{&swapi.ArtifactGenerator{}},
+		list:   artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{}},
+	}.run,
+}
+
+func init() {
+	exportArtifactCmd.AddCommand(exportArtifactGeneratorCmd)
+}
+
+// Export returns an ArtifactGenerator value which has
+// extraneous information stripped out.
+func exportArtifactGenerator(item *swapi.ArtifactGenerator) interface{} {
+	gvk := swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)
+	export := swapi.ArtifactGenerator{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        item.Name,
+			Namespace:   item.Namespace,
+			Labels:      item.Labels,
+			Annotations: item.Annotations,
+		},
+		Spec: item.Spec,
+	}
+	return export
+}
+
+func (ex artifactGeneratorAdapter) export() interface{} {
+	return exportArtifactGenerator(ex.ArtifactGenerator)
+}
+
+func (ex artifactGeneratorListAdapter) exportItem(i int) interface{} {
+	return exportArtifactGenerator(&ex.ArtifactGeneratorList.Items[i])
+}

cmd/flux/export_image_policy.go

@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var exportImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Export ImagePolicy resources in YAML format",
-	Long:  withPreviewNote("The export image policy command exports one or all ImagePolicy resources in YAML format."),
+	Long:  "The export image policy command exports one or all ImagePolicy resources in YAML format.",
 	Example: `  # Export all ImagePolicy resources
   flux export image policy --all > image-policies.yaml
 

cmd/flux/export_image_repository.go

@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var exportImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Export ImageRepository resources in YAML format",
-	Long:  withPreviewNote("The export image repository command exports one or all ImageRepository resources in YAML format."),
+	Long:  "The export image repository command exports one or all ImageRepository resources in YAML format.",
 	Example: `  # Export all ImageRepository resources
   flux export image repository --all > image-repositories.yaml
 

cmd/flux/export_image_update.go

@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )
 
 var exportImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Export ImageUpdateAutomation resources in YAML format",
-	Long:  withPreviewNote("The export image update command exports one or all ImageUpdateAutomation resources in YAML format."),
+	Long:  "The export image update command exports one or all ImageUpdateAutomation resources in YAML format.",
 	Example: `  # Export all ImageUpdateAutomation resources
   flux export image update --all > updates.yaml
 

cmd/flux/export_source_external.go

@@ -0,0 +1,84 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+)
+
+var exportSourceExternalCmd = &cobra.Command{
+	Use:   "external [name]",
+	Short: "Export ExternalArtifact sources in YAML format",
+	Long:  "The export source external command exports one or all ExternalArtifact sources in YAML format.",
+	Example: `  # Export all ExternalArtifact sources
+  flux export source external --all > sources.yaml
+
+  # Export a specific ExternalArtifact
+  flux export source external my-artifact > source.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)),
+	RunE: exportWithSecretCommand{
+		list:   externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+		object: externalArtifactAdapter{&sourcev1.ExternalArtifact{}},
+	}.run,
+}
+
+func init() {
+	exportSourceCmd.AddCommand(exportSourceExternalCmd)
+}
+
+func exportExternalArtifact(source *sourcev1.ExternalArtifact) any {
+	gvk := sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)
+	export := sourcev1.ExternalArtifact{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        source.Name,
+			Namespace:   source.Namespace,
+			Labels:      source.Labels,
+			Annotations: source.Annotations,
+		},
+		Spec: source.Spec,
+	}
+	return export
+}
+
+func getExternalArtifactSecret(source *sourcev1.ExternalArtifact) *types.NamespacedName {
+	// ExternalArtifact does not have a secretRef in its spec, this satisfies the interface
+	return nil
+}
+
+func (ex externalArtifactAdapter) secret() *types.NamespacedName {
+	return getExternalArtifactSecret(ex.ExternalArtifact)
+}
+
+func (ex externalArtifactListAdapter) secretItem(i int) *types.NamespacedName {
+	return getExternalArtifactSecret(&ex.ExternalArtifactList.Items[i])
+}
+
+func (ex externalArtifactAdapter) export() any {
+	return exportExternalArtifact(ex.ExternalArtifact)
+}
+
+func (ex externalArtifactListAdapter) exportItem(i int) any {
+	return exportExternalArtifact(&ex.ExternalArtifactList.Items[i])
+}

cmd/flux/export_source_oci.go

@@ -21,7 +21,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 var exportSourceOCIRepositoryCmd = &cobra.Command{

cmd/flux/export_test.go

@@ -110,6 +110,12 @@ func TestExport(t *testing.T) {
 			"testdata/export/bucket.yaml",
 			tmpl,
 		},
+		{
+			"source external",
+			"export source external flux-system",
+			"testdata/export/external-artifact.yaml",
+			tmpl,
+		},
 	}
 
 	for _, tt := range cases {

cmd/flux/get.go

@@ -184,13 +184,13 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 
 	if get.list.len() == 0 {
 		if len(args) > 0 {
-			logger.Failuref("%s object '%s' not found in %s namespace",
+			return fmt.Errorf("%s object '%s' not found in %s namespace",
 				get.kind,
 				args[0],
 				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
 			)
 		} else if !getAll {
-			logger.Failuref("no %s objects found in %s namespace",
+			return fmt.Errorf("no %s objects found in %s namespace",
 				get.kind,
 				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
 			)

cmd/flux/get_all.go

@@ -87,7 +87,7 @@ var getAllCmd = &cobra.Command{
 
 func logError(err error) {
 	if !apimeta.IsNoMatchError(err) {
-		logger.Failuref(err.Error())
+		logger.Failuref("%s", err.Error())
 	}
 }
 

cmd/flux/get_artifact.go

@@ -0,0 +1,32 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var getArtifactCmd = &cobra.Command{
+	Use:     "artifacts",
+	Aliases: []string{"artifact"},
+	Short:   "Get artifact object status",
+	Long:    `The get artifact sub-commands print the status of artifact objects.`,
+}
+
+func init() {
+	getCmd.AddCommand(getArtifactCmd)
+}

cmd/flux/get_artifact_generator.go

@@ -0,0 +1,93 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+var getArtifactGeneratorCmd = &cobra.Command{
+	Use:     "generators",
+	Aliases: []string{"generator"},
+	Short:   "Get artifact generator statuses",
+	Long:    `The get artifact generator command prints the statuses of the resources.`,
+	Example: `  # List all ArtifactGenerators and their status
+  flux get artifact generators`,
+	ValidArgsFunction: resourceNamesCompletionFunc(swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: receiverType,
+			list:    artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*swapi.ArtifactGenerator)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v generator", obj)
+			}
+
+			sink := artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{
+				Items: []swapi.ArtifactGenerator{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getArtifactCmd.AddCommand(getArtifactGeneratorCmd)
+}
+
+func (s artifactGeneratorListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := s.Items[i]
+	status, msg := statusAndMessage(item.Status.Conditions)
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		cases.Title(language.English).String(strconv.FormatBool(item.IsDisabled())), status, msg)
+}
+
+func (s artifactGeneratorListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Suspended", "Ready", "Message"}
+	if includeNamespace {
+		return append(namespaceHeader, headers...)
+	}
+	return headers
+}
+
+func (s artifactGeneratorListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_image_all.go

@@ -19,14 +19,14 @@ package main
 import (
 	"github.com/spf13/cobra"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var getImageAllCmd = &cobra.Command{
 	Use:   "all",
 	Short: "Get all image statuses",
-	Long:  withPreviewNote("The get image sub-commands print the statuses of all image objects."),
+	Long:  "The get image sub-commands print the statuses of all image objects.",
 	Example: `  # List all image objects in a namespace
   flux get images all --namespace=flux-system
 
@@ -55,7 +55,7 @@ var getImageAllCmd = &cobra.Command{
 
 		for _, c := range allImageCmd {
 			if err := c.run(cmd, args); err != nil {
-				logger.Failuref(err.Error())
+				logger.Failuref("%s", err.Error())
 			}
 		}
 

cmd/flux/get_image_policy.go

@@ -22,13 +22,13 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var getImagePolicyCmd = &cobra.Command{
 	Use:   "policy",
 	Short: "Get ImagePolicy status",
-	Long:  withPreviewNote("The get image policy command prints the status of ImagePolicy objects."),
+	Long:  "The get image policy command prints the status of ImagePolicy objects.",
 	Example: `  # List all image policies and their status
   flux get image policy
 
@@ -74,11 +74,16 @@ func init() {
 func (s imagePolicyListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), item.Status.LatestImage, status, msg)
+	var image, tag string
+	if ref := item.Status.LatestRef; ref != nil {
+		image = ref.Name
+		tag = ref.Tag
+	}
+	return append(nameColumns(&item, includeNamespace, includeKind), image, tag, status, msg)
 }
 
 func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Latest image", "Ready", "Message"}
+	headers := []string{"Name", "Image", "Tag", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}

cmd/flux/get_image_repository.go

@@ -26,13 +26,13 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 var getImageRepositoryCmd = &cobra.Command{
 	Use:   "repository",
 	Short: "Get ImageRepository status",
-	Long:  withPreviewNote("The get image repository command prints the status of ImageRepository objects."),
+	Long:  "The get image repository command prints the status of ImageRepository objects.",
 	Example: `  # List all image repositories and their status
   flux get image repository
 

cmd/flux/get_image_update.go

@@ -26,13 +26,13 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )
 
 var getImageUpdateCmd = &cobra.Command{
 	Use:   "update",
 	Short: "Get ImageUpdateAutomation status",
-	Long:  withPreviewNote("The get image update command prints the status of ImageUpdateAutomation objects."),
+	Long:  "The get image update command prints the status of ImageUpdateAutomation objects.",
 	Example: `  # List all image update automation object and their status
   flux get image update
 

cmd/flux/get_source_all.go

@@ -21,7 +21,6 @@ import (
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var getSourceAllCmd = &cobra.Command{
@@ -42,7 +41,7 @@ var getSourceAllCmd = &cobra.Command{
 		var allSourceCmd = []getCommand{
 			{
 				apiType: ociRepositoryType,
-				list:    &ociRepositoryListAdapter{&sourcev1b2.OCIRepositoryList{}},
+				list:    &ociRepositoryListAdapter{&sourcev1.OCIRepositoryList{}},
 			},
 			{
 				apiType: bucketType,
@@ -60,12 +59,16 @@ var getSourceAllCmd = &cobra.Command{
 				apiType: helmChartType,
 				list:    &helmChartListAdapter{&sourcev1.HelmChartList{}},
 			},
+			{
+				apiType: externalArtifactType,
+				list:    &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+			},
 		}
 
 		for _, c := range allSourceCmd {
 			if err := c.run(cmd, args); err != nil {
 				if !apimeta.IsNoMatchError(err) {
-					logger.Failuref(err.Error())
+					logger.Failuref("%s", err.Error())
 				}
 			}
 		}

cmd/flux/get_source_external.go

@@ -0,0 +1,108 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var getSourceExternalCmd = &cobra.Command{
+	Use:   "external",
+	Short: "Get ExternalArtifact source statuses",
+	Long:  `The get sources external command prints the status of the ExternalArtifact sources.`,
+	Example: `  # List all ExternalArtifacts and their status
+  flux get sources external
+
+  # List ExternalArtifacts from all namespaces
+  flux get sources external --all-namespaces`,
+	ValidArgsFunction: resourceNamesCompletionFunc(sourcev1.GroupVersion.WithKind(sourcev1.ExternalArtifactKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: externalArtifactType,
+			list:    &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*sourcev1.ExternalArtifact)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v to ExternalArtifact", obj)
+			}
+
+			sink := &externalArtifactListAdapter{&sourcev1.ExternalArtifactList{
+				Items: []sourcev1.ExternalArtifact{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getSourceCmd.AddCommand(getSourceExternalCmd)
+}
+
+func (a *externalArtifactListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := a.Items[i]
+	var revision string
+	if item.Status.Artifact != nil {
+		revision = item.Status.Artifact.Revision
+	}
+	status, msg := statusAndMessage(item.Status.Conditions)
+	revision = utils.TruncateHex(revision)
+	msg = utils.TruncateHex(msg)
+
+	var source string
+	if item.Spec.SourceRef != nil {
+		source = fmt.Sprintf("%s/%s/%s",
+			item.Spec.SourceRef.Kind,
+			item.Spec.SourceRef.Namespace,
+			item.Spec.SourceRef.Name)
+	}
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		revision, source, status, msg)
+}
+
+func (a externalArtifactListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Revision", "Source", "Ready", "Message"}
+	if includeNamespace {
+		headers = append([]string{"Namespace"}, headers...)
+	}
+	return headers
+}
+
+func (a externalArtifactListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := a.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}

cmd/flux/get_source_oci.go

@@ -25,7 +25,7 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 
 	"github.com/fluxcd/flux2/v2/internal/utils"
 )

cmd/flux/get_test.go

@@ -19,7 +19,10 @@ limitations under the License.
 
 package main
 
-import "testing"
+import (
+	"fmt"
+	"testing"
+)
 
 func Test_GetCmd(t *testing.T) {
 	tmpl := map[string]string{
@@ -59,3 +62,76 @@ func Test_GetCmd(t *testing.T) {
 		})
 	}
 }
+
+func Test_GetCmdErrors(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	testEnv.CreateObjectFile("./testdata/get/objects.yaml", tmpl, t)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "specific object not found",
+			args:   "get kustomization non-existent-resource -n " + tmpl["fluxns"],
+			assert: assertError(fmt.Sprintf("Kustomization object 'non-existent-resource' not found in \"%s\" namespace", tmpl["fluxns"])),
+		},
+		{
+			name:   "no objects found in namespace",
+			args:   "get helmrelease -n " + tmpl["fluxns"],
+			assert: assertError(fmt.Sprintf("no HelmRelease objects found in \"%s\" namespace", tmpl["fluxns"])),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
+
+func Test_GetCmdSuccess(t *testing.T) {
+	tmpl := map[string]string{
+		"fluxns": allocateNamespace("flux-system"),
+	}
+	testEnv.CreateObjectFile("./testdata/get/objects.yaml", tmpl, t)
+
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "list sources git",
+			args:   "get sources git -n " + tmpl["fluxns"],
+			assert: assertSuccess(),
+		},
+		{
+			name:   "get help",
+			args:   "get --help",
+			assert: assertSuccess(),
+		},
+		{
+			name:   "get with all namespaces flag",
+			args:   "get sources git -A",
+			assert: assertSuccess(),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/image.go

@@ -17,10 +17,12 @@ limitations under the License.
 package main
 
 import (
+	"fmt"
+
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )
 
 // These are general-purpose adapters for attaching methods to, for
@@ -77,6 +79,34 @@ func (a imagePolicyAdapter) asClientObject() client.Object {
 	return a.ImagePolicy
 }
 
+func (a imagePolicyAdapter) deepCopyClientObject() client.Object {
+	return a.ImagePolicy.DeepCopy()
+}
+
+func (a imagePolicyAdapter) isStatic() bool {
+	return false
+}
+
+func (a imagePolicyAdapter) lastHandledReconcileRequest() string {
+	return a.Status.GetLastHandledReconcileRequest()
+}
+
+func (a imagePolicyAdapter) isSuspended() bool {
+	return a.Spec.Suspend
+}
+
+func (a imagePolicyAdapter) setSuspended() {
+	a.Spec.Suspend = true
+}
+
+func (a imagePolicyAdapter) successMessage() string {
+	return fmt.Sprintf("selected ref %s", a.Status.LatestRef.String())
+}
+
+func (a imagePolicyAdapter) setUnsuspended() {
+	a.Spec.Suspend = false
+}
+
 // imagev1.ImagePolicyList
 
 type imagePolicyListAdapter struct {
@@ -91,6 +121,18 @@ func (a imagePolicyListAdapter) len() int {
 	return len(a.ImagePolicyList.Items)
 }
 
+func (a imagePolicyListAdapter) resumeItem(i int) resumable {
+	return &imagePolicyAdapter{&a.ImagePolicyList.Items[i]}
+}
+
+func (obj imagePolicyAdapter) getObservedGeneration() int64 {
+	return obj.ImagePolicy.Status.ObservedGeneration
+}
+
+func (a imagePolicyListAdapter) item(i int) suspendable {
+	return &imagePolicyAdapter{&a.ImagePolicyList.Items[i]}
+}
+
 // autov1.ImageUpdateAutomation
 
 var imageUpdateAutomationType = apiType{

cmd/flux/image_test.go

@@ -38,7 +38,7 @@ func TestImageScanning(t *testing.T) {
 			"testdata/image/create_image_repository.golden",
 		},
 		{
-			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --select-semver=5.0.x",
+			"create image policy podinfo-semver --image-ref=podinfo --interval=10m --reflect-digest=Always --select-semver=5.0.x",
 			"testdata/image/create_image_policy.golden",
 		},
 		{
@@ -46,13 +46,25 @@ func TestImageScanning(t *testing.T) {
 			"testdata/image/get_image_policy_semver.golden",
 		},
 		{
-			`create image policy podinfo-regex --image-ref=podinfo --interval=10m --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
+			`create image policy podinfo-regex --image-ref=podinfo --select-semver=">4.0.0" --filter-regex="5\.0\.0"`,
 			"testdata/image/create_image_policy.golden",
 		},
 		{
 			"get image policy podinfo-regex",
 			"testdata/image/get_image_policy_regex.golden",
 		},
+		{
+			"suspend image policy podinfo-semver",
+			"testdata/image/suspend_image_policy.golden",
+		},
+		{
+			"resume image policy podinfo-semver",
+			"testdata/image/resume_image_policy.golden",
+		},
+		{
+			"reconcile image policy podinfo-semver",
+			"testdata/image/reconcile_image_policy.golden",
+		},
 	}
 
 	for _, tc := range cases {

cmd/flux/install.go

@@ -83,7 +83,7 @@ type installFlags struct {
 	force              bool
 }
 
-var installArgs = NewInstallFlags()
+var installArgs = newInstallFlags()
 
 func init() {
 	installCmd.Flags().BoolVar(&installArgs.export, "export", false,
@@ -93,7 +93,7 @@ func init() {
 	installCmd.Flags().StringSliceVar(&installArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	installCmd.Flags().StringSliceVar(&installArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller,source-watcher'")
 	installCmd.Flags().StringVar(&installArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	installCmd.Flags().StringVar(&installArgs.registry, "registry", rootArgs.defaults.Registry,
 		"container registry where the toolkit images are published")
@@ -115,9 +115,14 @@ func init() {
 	rootCmd.AddCommand(installCmd)
 }
 
-func NewInstallFlags() installFlags {
+func newInstallFlags() installFlags {
 	return installFlags{
-		logLevel: flags.LogLevel(rootArgs.defaults.LogLevel),
+		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
+		defaultComponents:  rootArgs.defaults.Components,
+		registry:           rootArgs.defaults.Registry,
+		watchAllNamespaces: rootArgs.defaults.WatchAllNamespaces,
+		networkPolicy:      rootArgs.defaults.NetworkPolicy,
+		clusterDomain:      rootArgs.defaults.ClusterDomain,
 	}
 }
 
@@ -195,10 +200,13 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	if installArgs.export {
-		fmt.Print(manifest.Content)
-		return nil
+		_, err = rootCmd.OutOrStdout().Write([]byte(manifest.Content))
+		return err
 	} else if rootArgs.verbose {
-		fmt.Print(manifest.Content)
+		_, err = rootCmd.OutOrStdout().Write([]byte(manifest.Content))
+		if err != nil {
+			return err
+		}
 	}
 
 	logger.Successf("manifests build completed")
@@ -238,7 +246,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("install failed: %w", err)
 	}
 
-	fmt.Fprintln(os.Stderr, applyOutput)
+	rootCmd.Println(applyOutput)
 
 	if opts.ImagePullSecret != "" && opts.RegistryCredential != "" {
 		logger.Actionf("generating image pull secret %s", opts.ImagePullSecret)
@@ -250,7 +258,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 			Username:  credentials[0],
 			Password:  credentials[1],
 		}
-		imagePullSecret, err := sourcesecret.Generate(secretOpts)
+		imagePullSecret, err := sourcesecret.GenerateOCI(secretOpts)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}

cmd/flux/install_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2022 The Flux authors
+Copyright 2025 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,17 @@ limitations under the License.
 
 package main
 
-import "testing"
+import (
+	"strings"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	ssautil "github.com/fluxcd/pkg/ssa/utils"
+
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+)
 
 func TestInstall(t *testing.T) {
 	// The pointer to kubeconfigArgs.Namespace is shared across
@@ -59,3 +69,43 @@ func TestInstall(t *testing.T) {
 		})
 	}
 }
+
+func TestInstall_ComponentsExtra(t *testing.T) {
+	g := NewWithT(t)
+	command := "install --export --components-extra=" +
+		strings.Join(install.MakeDefaultOptions().ComponentsExtra, ",")
+
+	output, err := executeCommand(command)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	manifests, err := ssautil.ReadObjects(strings.NewReader(output))
+	g.Expect(err).NotTo(HaveOccurred())
+
+	foundImageAutomation := false
+	foundImageReflector := false
+	foundSourceWatcher := false
+	foundExternalArtifact := false
+	for _, obj := range manifests {
+		if obj.GetKind() == "Deployment" && obj.GetName() == "image-automation-controller" {
+			foundImageAutomation = true
+		}
+		if obj.GetKind() == "Deployment" && obj.GetName() == "image-reflector-controller" {
+			foundImageReflector = true
+		}
+		if obj.GetKind() == "Deployment" && obj.GetName() == "source-watcher" {
+			foundSourceWatcher = true
+		}
+		if obj.GetKind() == "Deployment" &&
+			(obj.GetName() == "kustomize-controller" || obj.GetName() == "helm-controller") {
+			containers, _, _ := unstructured.NestedSlice(obj.Object, "spec", "template", "spec", "containers")
+			g.Expect(containers).ToNot(BeEmpty())
+			args, _, _ := unstructured.NestedSlice(containers[0].(map[string]any), "args")
+			g.Expect(args).To(ContainElement("--feature-gates=ExternalArtifact=true"))
+			foundExternalArtifact = true
+		}
+	}
+	g.Expect(foundImageAutomation).To(BeTrue(), "image-automation-controller deployment not found")
+	g.Expect(foundImageReflector).To(BeTrue(), "image-reflector-controller deployment not found")
+	g.Expect(foundSourceWatcher).To(BeTrue(), "source-watcher deployment not found")
+	g.Expect(foundExternalArtifact).To(BeTrue(), "ExternalArtifact feature gate not found")
+}

cmd/flux/list_artifact.go

@@ -20,10 +20,11 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 
-	oci "github.com/fluxcd/pkg/oci/client"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/oci"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@@ -34,6 +35,7 @@ type listArtifactFlags struct {
 	regexFilter  string
 	creds        string
 	provider     flags.SourceOCIProvider
+	insecure     bool
 }
 
 var listArtifactArgs = newListArtifactFlags()
@@ -47,10 +49,10 @@ func newListArtifactFlags() listArtifactFlags {
 var listArtifactsCmd = &cobra.Command{
 	Use:   "artifacts",
 	Short: "list artifacts",
-	Long: withPreviewNote(`The list command fetches the tags and their metadata from a remote OCI repository.
-The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
+	Long: `The list command fetches the tags and their metadata from a remote OCI repository.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
 	Example: `  # List the artifacts stored in an OCI repository
-  flux list artifact oci://ghcr.io/org/config/app
+  flux list artifacts oci://ghcr.io/org/config/app
 `,
 	RunE: listArtifactsCmdRun,
 }
@@ -60,6 +62,7 @@ func init() {
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.regexFilter, "filter-regex", "", "filter tags returned from the oci repository using regex")
 	listArtifactsCmd.Flags().StringVar(&listArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	listArtifactsCmd.Flags().Var(&listArtifactArgs.provider, "provider", listArtifactArgs.provider.Description())
+	listArtifactsCmd.Flags().BoolVar(&listArtifactArgs.insecure, "insecure-registry", false, "allows the remote artifacts list to be fetched without TLS")
 
 	listCmd.AddCommand(listArtifactsCmd)
 }
@@ -78,7 +81,22 @@ func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	ociClient := oci.NewClient(oci.DefaultOptions())
+	ociOpts := oci.DefaultOptions()
+
+	if listArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		ociOpt, _, err := loginWithProvider(ctx, url, listArtifactArgs.provider.String())
+		if err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+		ociOpts = append(ociOpts, ociOpt)
+	}
+
+	if listArtifactArgs.insecure {
+		ociOpts = append(ociOpts, crane.Insecure)
+	}
+
+	ociClient := oci.NewClient(ociOpts)
 
 	if listArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && listArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
@@ -87,18 +105,6 @@ func listArtifactsCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if listArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
-		logger.Actionf("logging in to registry with provider credentials")
-		ociProvider, err := listArtifactArgs.provider.ToOCIProvider()
-		if err != nil {
-			return fmt.Errorf("provider not supported: %w", err)
-		}
-
-		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
-			return fmt.Errorf("error during login with provider: %w", err)
-		}
-	}
-
 	opts := oci.ListOptions{
 		RegexFilter:  listArtifactArgs.regexFilter,
 		SemverFilter: listArtifactArgs.semverFilter,

cmd/flux/main.go

@@ -180,7 +180,7 @@ func main() {
 
 	// This is required because controller-runtime expects its consumers to
 	// set a logger through log.SetLogger within 30 seconds of the program's
-	// initalization. If not set, the entire debug stack is printed as an
+	// initialization. If not set, the entire debug stack is printed as an
 	// error, see: https://github.com/kubernetes-sigs/controller-runtime/blob/ed8be90/pkg/log/log.go#L59
 	// Since we have our own logging and don't care about controller-runtime's
 	// logger, we configure it's logger to do nothing.
@@ -225,7 +225,9 @@ func configureDefaultNamespace() {
 func readPasswordFromStdin(prompt string) (string, error) {
 	var out string
 	var err error
-	fmt.Fprint(os.Stdout, prompt)
+	if _, err := fmt.Fprint(os.Stdout, prompt); err != nil {
+		return "", fmt.Errorf("failed to write prompt: %w", err)
+	}
 	stdinFD := int(os.Stdin.Fd())
 	if term.IsTerminal(stdinFD) {
 		var inBytes []byte
@@ -247,3 +249,8 @@ While we try our best to not introduce breaking changes, they may occur when
 we adapt to new features and/or find better ways to facilitate what it does.`
 	return fmt.Sprintf("%s\n\n%s", strings.TrimSpace(desc), previewNote)
 }
+
+// printlnStdout prints the given text to stdout with a newline.
+func printlnStdout(txt string) {
+	_, _ = rootCmd.OutOrStdout().Write([]byte(txt + "\n"))
+}

cmd/flux/main_test.go

@@ -447,12 +447,14 @@ func resetCmdArgs() {
 	imagePolicyArgs = imagePolicyFlags{}
 	imageRepoArgs = imageRepoFlags{}
 	imageUpdateArgs = imageUpdateFlags{}
+	installArgs = newInstallFlags()
 	kustomizationArgs = NewKustomizationFlags()
 	receiverArgs = receiverFlags{}
 	resumeArgs = ResumeFlags{}
 	rhrArgs = reconcileHelmReleaseFlags{}
 	rksArgs = reconcileKsFlags{}
 	secretGitArgs = NewSecretGitFlags()
+	secretGitHubAppArgs = secretGitHubAppFlags{}
 	secretProxyArgs = secretProxyFlags{}
 	secretHelmArgs = secretHelmFlags{}
 	secretTLSArgs = secretTLSFlags{}

cmd/flux/migrate.go

@@ -0,0 +1,702 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/fluxcd/pkg/ssa"
+	"github.com/manifoldco/promptui"
+	"github.com/spf13/cobra"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	imageautov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imageautov1b2 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
+	imagev1b2 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
+	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	swv1b1 "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+// APIVersions holds the mapping of GroupKinds to their respective
+// latest API versions for a specific Flux version.
+type APIVersions struct {
+	FluxVersion    string
+	LatestVersions map[schema.GroupKind]string
+}
+
+// TODO: Update this mapping when new Flux minor versions are released!
+// latestAPIVersions contains the latest API versions for each GroupKind
+// for each supported Flux version. The number of latest minor versions
+// we maintain here must match what's documented here:
+//
+// https://fluxcd.io/flux/releases/#supported-releases
+var latestAPIVersions = []APIVersions{
+	{
+		FluxVersion:    "2.8",
+		LatestVersions: flux27LatestAPIVersions,
+	},
+	{
+		FluxVersion:    "2.7",
+		LatestVersions: flux27LatestAPIVersions,
+	},
+	{
+		FluxVersion:    "2.6",
+		LatestVersions: flux26LatestAPIVersions,
+	},
+}
+
+var flux27LatestAPIVersions = map[schema.GroupKind]string{
+	// source-controller
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.BucketKind}:           sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.GitRepositoryKind}:    sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.OCIRepositoryKind}:    sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.HelmRepositoryKind}:   sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.HelmChartKind}:        sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.ExternalArtifactKind}: sourcev1.GroupVersion.Version,
+
+	// kustomize-controller
+	{Group: kustomizev1.GroupVersion.Group, Kind: kustomizev1.KustomizationKind}: kustomizev1.GroupVersion.Version,
+
+	// helm-controller
+	{Group: helmv2.GroupVersion.Group, Kind: helmv2.HelmReleaseKind}: helmv2.GroupVersion.Version,
+
+	// notification-controller
+	{Group: notificationv1.GroupVersion.Group, Kind: notificationv1.ReceiverKind}:     notificationv1.GroupVersion.Version,
+	{Group: notificationv1b3.GroupVersion.Group, Kind: notificationv1b3.AlertKind}:    notificationv1b3.GroupVersion.Version,
+	{Group: notificationv1b3.GroupVersion.Group, Kind: notificationv1b3.ProviderKind}: notificationv1b3.GroupVersion.Version,
+
+	// image-reflector-controller
+	{Group: imagev1.GroupVersion.Group, Kind: imagev1.ImageRepositoryKind}: imagev1.GroupVersion.Version,
+	{Group: imagev1.GroupVersion.Group, Kind: imagev1.ImagePolicyKind}:     imagev1.GroupVersion.Version,
+
+	// image-automation-controller
+	{Group: imageautov1.GroupVersion.Group, Kind: imageautov1.ImageUpdateAutomationKind}: imageautov1.GroupVersion.Version,
+
+	// source-watcher
+	{Group: swv1b1.GroupVersion.Group, Kind: swv1b1.ArtifactGeneratorKind}: swv1b1.GroupVersion.Version,
+}
+
+var flux26LatestAPIVersions = map[schema.GroupKind]string{
+	// source-controller
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.BucketKind}:           sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.GitRepositoryKind}:    sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.OCIRepositoryKind}:    sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.HelmRepositoryKind}:   sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.HelmChartKind}:        sourcev1.GroupVersion.Version,
+	{Group: sourcev1.GroupVersion.Group, Kind: sourcev1.ExternalArtifactKind}: sourcev1.GroupVersion.Version,
+
+	// kustomize-controller
+	{Group: kustomizev1.GroupVersion.Group, Kind: kustomizev1.KustomizationKind}: kustomizev1.GroupVersion.Version,
+
+	// helm-controller
+	{Group: helmv2.GroupVersion.Group, Kind: helmv2.HelmReleaseKind}: helmv2.GroupVersion.Version,
+
+	// notification-controller
+	{Group: notificationv1.GroupVersion.Group, Kind: notificationv1.ReceiverKind}:     notificationv1.GroupVersion.Version,
+	{Group: notificationv1b3.GroupVersion.Group, Kind: notificationv1b3.AlertKind}:    notificationv1b3.GroupVersion.Version,
+	{Group: notificationv1b3.GroupVersion.Group, Kind: notificationv1b3.ProviderKind}: notificationv1b3.GroupVersion.Version,
+
+	// image-reflector-controller
+	{Group: imagev1b2.GroupVersion.Group, Kind: imagev1b2.ImageRepositoryKind}: imagev1b2.GroupVersion.Version,
+	{Group: imagev1b2.GroupVersion.Group, Kind: imagev1b2.ImagePolicyKind}:     imagev1b2.GroupVersion.Version,
+
+	// image-automation-controller
+	{Group: imageautov1b2.GroupVersion.Group, Kind: imageautov1b2.ImageUpdateAutomationKind}: imageautov1b2.GroupVersion.Version,
+}
+
+var migrateCmd = &cobra.Command{
+	Use:   "migrate",
+	Args:  cobra.NoArgs,
+	Short: "Migrate the Flux custom resources to their latest API version",
+	Long: `The migrate command must be run before a Flux minor version upgrade.
+
+The command has two modes of operation:
+
+- Cluster mode (default): migrates all the Flux custom resources stored in Kubernetes etcd to their latest API version.
+- File system mode (-f): migrates the Flux custom resources defined in the manifests located in the specified path.
+`,
+	Example: `  # Migrate all the Flux custom resources in the cluster.
+  # This uses the current kubeconfig context and requires cluster-admin permissions.
+  flux migrate
+
+  # Migrate all the Flux custom resources in a Git repository
+  # checked out in the current working directory.
+  flux migrate -f .
+
+  # Migrate all Flux custom resources defined in YAML and Helm YAML template files.
+  flux migrate -f . --extensions=.yml,.yaml,.tpl
+
+  # Migrate the Flux custom resources to the latest API versions of Flux 2.6.
+  flux migrate -f . --version=2.6
+
+  # Migrate the Flux custom resources defined in a multi-document YAML manifest file.
+  flux migrate -f path/to/manifest.yaml
+
+  # Simulate the migration without making any changes.
+  flux migrate -f . --dry-run
+
+  # Run the migration skipping confirmation prompts.
+  flux migrate -f . --yes
+`,
+	RunE: runMigrateCmd,
+}
+
+var migrateFlags struct {
+	yes        bool
+	dryRun     bool
+	path       string
+	version    string
+	extensions []string
+}
+
+func init() {
+	rootCmd.AddCommand(migrateCmd)
+
+	migrateCmd.Flags().StringVarP(&migrateFlags.path, "path", "f", "",
+		"the path to the directory containing the manifests to migrate")
+	migrateCmd.Flags().StringSliceVarP(&migrateFlags.extensions, "extensions", "e", []string{".yaml", ".yml"},
+		"the file extensions to consider when migrating manifests, only applicable with --path")
+	migrateCmd.Flags().StringVarP(&migrateFlags.version, "version", "v", "",
+		"the target Flux minor version to migrate manifests to, only applicable with --path (defaults to the version of the CLI)")
+	migrateCmd.Flags().BoolVarP(&migrateFlags.yes, "yes", "y", false,
+		"skip confirmation prompts when migrating manifests, only applicable with --path")
+	migrateCmd.Flags().BoolVar(&migrateFlags.dryRun, "dry-run", false,
+		"simulate the migration of manifests without making any changes, only applicable with --path")
+}
+
+func runMigrateCmd(*cobra.Command, []string) error {
+	if migrateFlags.path == "" {
+		return migrateCluster()
+	}
+	return migrateFileSystem()
+}
+
+func migrateCluster() error {
+	logger.Actionf("starting migration of custom resources")
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return fmt.Errorf("the Kubernetes client initialization failed: %w", err)
+	}
+
+	kubeClient, err := client.New(cfg, client.Options{Scheme: utils.NewScheme()})
+	if err != nil {
+		return err
+	}
+
+	migrator := NewClusterMigrator(kubeClient, client.MatchingLabels{
+		"app.kubernetes.io/part-of": "flux",
+	})
+
+	if err := migrator.Run(ctx); err != nil {
+		return err
+	}
+
+	logger.Successf("custom resources migrated successfully")
+	return nil
+}
+
+func migrateFileSystem() error {
+	pathRoot, err := os.OpenRoot(".")
+	if err != nil {
+		return fmt.Errorf("failed to open filesystem at the current working directory: %w", err)
+	}
+	defer pathRoot.Close()
+
+	fileSystem := &osFS{pathRoot.FS()}
+	yes := migrateFlags.yes
+	dryRun := migrateFlags.dryRun
+	path := migrateFlags.path
+	extensions := migrateFlags.extensions
+	var latestVersions map[schema.GroupKind]string
+
+	// Determine latest API versions based on the Flux version.
+	if migrateFlags.version == "" {
+		latestVersions = latestAPIVersions[0].LatestVersions
+	} else {
+		supportedVersions := make([]string, 0, len(latestAPIVersions))
+		for _, v := range latestAPIVersions {
+			if v.FluxVersion == migrateFlags.version {
+				latestVersions = v.LatestVersions
+				break
+			}
+			supportedVersions = append(supportedVersions, v.FluxVersion)
+		}
+		if latestVersions == nil {
+			return fmt.Errorf("version %s is not supported, supported versions are: %s",
+				migrateFlags.version, strings.Join(supportedVersions, ", "))
+		}
+	}
+
+	return NewFileSystemMigrator(fileSystem, yes, dryRun, path, extensions, latestVersions).Run()
+}
+
+// ClusterMigrator migrates all the CRs in the cluster for the CRDs matching the label selector.
+type ClusterMigrator struct {
+	labelSelector client.MatchingLabels
+	kubeClient    client.Client
+}
+
+// NewClusterMigrator creates a new ClusterMigrator instance with the specified label selector.
+func NewClusterMigrator(kubeClient client.Client, labelSelector client.MatchingLabels) *ClusterMigrator {
+	return &ClusterMigrator{
+		labelSelector: labelSelector,
+		kubeClient:    kubeClient,
+	}
+}
+
+func (c *ClusterMigrator) Run(ctx context.Context) error {
+	crdList := &apiextensionsv1.CustomResourceDefinitionList{}
+
+	if err := c.kubeClient.List(ctx, crdList, c.labelSelector); err != nil {
+		return fmt.Errorf("failed to list CRDs: %w", err)
+	}
+
+	for _, crd := range crdList.Items {
+		if err := c.migrateCRD(ctx, crd.Name); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (c *ClusterMigrator) migrateCRD(ctx context.Context, name string) error {
+	crd := &apiextensionsv1.CustomResourceDefinition{}
+
+	if err := c.kubeClient.Get(ctx, client.ObjectKey{Name: name}, crd); err != nil {
+		return fmt.Errorf("failed to get CRD %s: %w", name, err)
+	}
+
+	// get the latest storage version for the CRD
+	storageVersion := c.getStorageVersion(crd)
+	if storageVersion == "" {
+		return fmt.Errorf("no storage version found for CRD %s", name)
+	}
+
+	// migrate all the resources for the CRD
+	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		return c.migrateCR(ctx, crd, storageVersion)
+	})
+	if err != nil {
+		return fmt.Errorf("failed to migrate resources for CRD %s: %w", name, err)
+	}
+
+	// set the CRD status to contain only the latest storage version
+	if len(crd.Status.StoredVersions) > 1 || crd.Status.StoredVersions[0] != storageVersion {
+		crd.Status.StoredVersions = []string{storageVersion}
+		if err := c.kubeClient.Status().Update(ctx, crd); err != nil {
+			return fmt.Errorf("failed to update CRD %s status: %w", crd.Name, err)
+		}
+		logger.Successf("%s migrated to storage version %s", crd.Name, storageVersion)
+	}
+	return nil
+}
+
+// migrateCR migrates all CRs for the given CRD to the specified version by patching them.
+func (c *ClusterMigrator) migrateCR(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition, version string) error {
+	list := &unstructured.UnstructuredList{}
+
+	apiVersion := crd.Spec.Group + "/" + version
+	listKind := crd.Spec.Names.ListKind
+
+	list.SetAPIVersion(apiVersion)
+	list.SetKind(listKind)
+
+	err := c.kubeClient.List(ctx, list, client.InNamespace(""))
+	if err != nil {
+		return fmt.Errorf("failed to list resources for CRD %s: %w", crd.Name, err)
+	}
+
+	if len(list.Items) == 0 {
+		return nil
+	}
+
+	for _, item := range list.Items {
+		patches, err := ssa.PatchMigrateToVersion(&item, apiVersion)
+		if err != nil {
+			return fmt.Errorf("failed to create migration patch for %s/%s/%s: %w",
+				item.GetKind(), item.GetNamespace(), item.GetName(), err)
+		}
+
+		if len(patches) == 0 {
+			// patch the resource with an empty patch to update the version
+			if err := c.kubeClient.Patch(
+				ctx,
+				&item,
+				client.RawPatch(client.Merge.Type(), []byte("{}")),
+			); err != nil && !apierrors.IsNotFound(err) {
+				return fmt.Errorf(" %s/%s/%s failed to migrate: %w",
+					item.GetKind(), item.GetNamespace(), item.GetName(), err)
+			}
+		} else {
+			// patch the resource to migrate the managed fields to the latest apiVersion
+			rawPatch, err := json.Marshal(patches)
+			if err != nil {
+				return fmt.Errorf("failed to marshal migration patch for %s/%s/%s: %w",
+					item.GetKind(), item.GetNamespace(), item.GetName(), err)
+			}
+			if err := c.kubeClient.Patch(
+				ctx,
+				&item,
+				client.RawPatch(types.JSONPatchType, rawPatch),
+			); err != nil && !apierrors.IsNotFound(err) {
+				return fmt.Errorf(" %s/%s/%s failed to migrate managed fields: %w",
+					item.GetKind(), item.GetNamespace(), item.GetName(), err)
+			}
+		}
+
+		logger.Successf("%s/%s/%s migrated to version %s",
+			item.GetKind(), item.GetNamespace(), item.GetName(), version)
+	}
+
+	return nil
+}
+
+// getStorageVersion retrieves the storage version of a CustomResourceDefinition.
+func (c *ClusterMigrator) getStorageVersion(crd *apiextensionsv1.CustomResourceDefinition) string {
+	var version string
+	for _, v := range crd.Spec.Versions {
+		if v.Storage {
+			version = v.Name
+			break
+		}
+	}
+
+	return version
+}
+
+// WritableFS extends fs.FS with a WriteFile method.
+type WritableFS interface {
+	fs.FS
+	WriteFile(name string, data []byte, perm os.FileMode) error
+}
+
+// osFS is a WritableFS implementation that uses the file system of the OS.
+type osFS struct {
+	fs.FS
+}
+
+func (o *osFS) WriteFile(name string, data []byte, perm os.FileMode) error {
+	return os.WriteFile(name, data, perm)
+}
+
+// FileSystemMigrator migrates all the CRs found in the manifests located in the specified path.
+type FileSystemMigrator struct {
+	fileSystem     WritableFS
+	yes            bool
+	dryRun         bool
+	path           string
+	extensions     []string
+	latestVersions map[schema.GroupKind]string
+}
+
+// FileAPIUpgrades represents the API upgrades detected in a specific manifest file.
+type FileAPIUpgrades struct {
+	File     string
+	Upgrades []APIUpgrade
+}
+
+// APIUpgrade represents an upgrade of a specific API version in a manifest file.
+type APIUpgrade struct {
+	Line       int
+	Kind       string
+	OldVersion string
+	NewVersion string
+}
+
+// NewFileSystemMigrator creates a new FileSystemMigrator instance with the specified flags.
+func NewFileSystemMigrator(fileSystem WritableFS, yes, dryRun bool, path string,
+	extensions []string, latestVersions map[schema.GroupKind]string) *FileSystemMigrator {
+	return &FileSystemMigrator{
+		fileSystem:     fileSystem,
+		yes:            yes,
+		dryRun:         dryRun,
+		path:           filepath.Clean(path), // convert dir/ to dir to avoid error when walking
+		extensions:     extensions,
+		latestVersions: latestVersions,
+	}
+}
+
+func (f *FileSystemMigrator) Run() error {
+	logger.Actionf("starting migration of custom resources")
+
+	// List and filter files.
+	files, err := f.listFiles()
+	if err != nil {
+		return err
+	}
+
+	// Detect upgrades.
+	upgrades, err := f.detectUpgrades(files)
+	if err != nil {
+		return err
+	}
+	if len(upgrades) == 0 {
+		logger.Successf("no custom resources found that require migration")
+		return nil
+	}
+	if f.dryRun {
+		logger.Successf("dry-run mode enabled, no changes will be made")
+		return nil
+	}
+
+	// Confirm upgrades.
+	if !f.yes {
+		prompt := promptui.Prompt{
+			Label:     "Are you sure you want to proceed with the above upgrades", // Already prints "? [y/N]"
+			IsConfirm: true,
+		}
+		if _, err := prompt.Run(); err != nil {
+			return err
+		}
+	}
+
+	// Migrate files.
+	for _, fileUpgrades := range upgrades {
+		if err := f.migrateFile(&fileUpgrades); err != nil {
+			return err
+		}
+		logger.Successf("file %s migrated successfully", fileUpgrades.File)
+	}
+
+	logger.Successf("custom resources migrated successfully")
+	return nil
+}
+
+func (f *FileSystemMigrator) listFiles() ([]string, error) {
+	fileInfo, err := fs.Stat(f.fileSystem, f.path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to stat path %s: %w", f.path, err)
+	}
+	if fileInfo.IsDir() {
+		return f.listDirectoryFiles()
+	}
+	if err := f.validateSingleFile(); err != nil {
+		return nil, err
+	}
+	return []string{f.path}, nil
+}
+
+func (f *FileSystemMigrator) listDirectoryFiles() ([]string, error) {
+	var files []string
+	err := fs.WalkDir(f.fileSystem, f.path, func(path string, dirEntry fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if !f.matchesExtensions(path) {
+			return nil
+		}
+		fileInfo, err := dirEntry.Info()
+		if err != nil {
+			return err
+		}
+		if fileInfo.Mode().IsRegular() {
+			files = append(files, path)
+		} else if !fileInfo.IsDir() {
+			logger.Warningf("skipping irregular file %s", path)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to walk directory %s: %w", f.path, err)
+	}
+	return files, nil
+}
+
+func (f *FileSystemMigrator) validateSingleFile() error {
+	if !f.matchesExtensions(f.path) {
+		return fmt.Errorf("file %s does not match the specified extensions: %v",
+			f.path, strings.Join(f.extensions, ", "))
+	}
+
+	// Check if it's irregular by walking the parent directory.
+	var irregular bool
+	err := fs.WalkDir(f.fileSystem, filepath.Dir(f.path), func(path string, dirEntry fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if path != f.path {
+			return nil
+		}
+		fileInfo, err := dirEntry.Info()
+		if err != nil {
+			return err
+		}
+		if !fileInfo.Mode().IsRegular() {
+			irregular = true
+		}
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("failed to validate file %s: %w", f.path, err)
+	}
+	if irregular {
+		return fmt.Errorf("file %s is irregular", f.path)
+	}
+	return nil
+}
+
+func (f *FileSystemMigrator) matchesExtensions(file string) bool {
+	for _, ext := range f.extensions {
+		if strings.HasSuffix(file, ext) {
+			return true
+		}
+	}
+	return false
+}
+
+func (f *FileSystemMigrator) detectUpgrades(files []string) ([]FileAPIUpgrades, error) {
+	var upgrades []FileAPIUpgrades
+	for _, file := range files {
+		fileUpgrades, err := f.detectFileUpgrades(file)
+		if err != nil {
+			return nil, err
+		}
+		if len(fileUpgrades) == 0 {
+			continue
+		}
+		fu := FileAPIUpgrades{
+			File:     file,
+			Upgrades: fileUpgrades,
+		}
+		upgrades = append(upgrades, fu)
+		f.printDetectedUpgrades(&fu)
+	}
+	return upgrades, nil
+}
+
+func (f *FileSystemMigrator) detectFileUpgrades(file string) ([]APIUpgrade, error) {
+	b, err := fs.ReadFile(f.fileSystem, file)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read file %s: %w", file, err)
+	}
+	lines := strings.Split(string(b), "\n")
+
+	var fileUpgrades []APIUpgrade
+	for line, apiVersionLine := range lines {
+		// Parse apiVersion.
+		const apiVersionPrefix = "apiVersion: "
+		idx := strings.Index(apiVersionLine, apiVersionPrefix)
+		if idx == -1 {
+			continue
+		}
+		apiVersionValuePrefix := strings.TrimSpace(apiVersionLine[idx+len(apiVersionPrefix):])
+		apiVersion := strings.Split(apiVersionValuePrefix, " ")[0]
+		gv, err := schema.ParseGroupVersion(apiVersion)
+		if err != nil {
+			logger.Warningf("%s:%d: %v", file, line+1, err)
+			continue
+		}
+
+		// Parse kind.
+		if line+1 >= len(lines) {
+			continue
+		}
+		kindLine := lines[line+1]
+		const kindPrefix = "kind: "
+		idx = strings.Index(kindLine, kindPrefix)
+		if idx == -1 {
+			continue
+		}
+		kindValuePrefix := strings.TrimSpace(kindLine[idx+len(kindPrefix):])
+		kind := strings.Split(kindValuePrefix, " ")[0]
+
+		// Build GroupKind.
+		gk := schema.GroupKind{
+			Group: gv.Group,
+			Kind:  kind,
+		}
+
+		// Check if there's a newer version for the GroupKind.
+		latestVersion, ok := f.latestVersions[gk]
+		if !ok || latestVersion == gv.Version {
+			continue
+		}
+
+		// Record the upgrade.
+		fileUpgrades = append(fileUpgrades, APIUpgrade{
+			Line:       line,
+			Kind:       kind,
+			OldVersion: gv.Version,
+			NewVersion: latestVersion,
+		})
+	}
+	return fileUpgrades, nil
+}
+
+func (f *FileSystemMigrator) printDetectedUpgrades(fileUpgrades *FileAPIUpgrades) {
+	for _, upgrade := range fileUpgrades.Upgrades {
+		logger.Generatef("%s:%d: %s %s -> %s",
+			fileUpgrades.File,
+			upgrade.Line+1,
+			upgrade.Kind,
+			upgrade.OldVersion,
+			upgrade.NewVersion)
+	}
+}
+
+func (f *FileSystemMigrator) migrateFile(fileUpgrades *FileAPIUpgrades) error {
+	// Read file and map lines.
+	b, err := fs.ReadFile(f.fileSystem, fileUpgrades.File)
+	if err != nil {
+		return fmt.Errorf("failed to read file %s: %w", fileUpgrades.File, err)
+	}
+	lines := strings.Split(string(b), "\n")
+
+	// Apply upgrades to lines.
+	for _, upgrade := range fileUpgrades.Upgrades {
+		line := lines[upgrade.Line]
+		line = strings.Replace(line, upgrade.OldVersion, upgrade.NewVersion, 1)
+		lines[upgrade.Line] = line
+	}
+
+	// Read file info to preserve permissions.
+	fileInfo, err := fs.Stat(f.fileSystem, fileUpgrades.File)
+	if err != nil {
+		return fmt.Errorf("failed to stat file %s: %w", fileUpgrades.File, err)
+	}
+
+	// Write file with preserved permissions.
+	b = []byte(strings.Join(lines, "\n"))
+	if err := f.fileSystem.WriteFile(fileUpgrades.File, b, fileInfo.Mode()); err != nil {
+		return fmt.Errorf("failed to write file %s: %w", fileUpgrades.File, err)
+	}
+
+	return nil
+}

cmd/flux/migrate_test.go

@@ -0,0 +1,161 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"io/fs"
+	"os"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type writeToMemoryFS struct {
+	fs.FS
+
+	writtenFiles map[string][]byte
+}
+
+func (m *writeToMemoryFS) WriteFile(name string, data []byte, perm os.FileMode) error {
+	m.writtenFiles[name] = data
+	return nil
+}
+
+type writtenFile struct {
+	file       string
+	goldenFile string
+}
+
+func TestFileSystemMigrator(t *testing.T) {
+	for _, tt := range []struct {
+		name         string
+		path         string
+		outputGolden string
+		writtenFiles []writtenFile
+		err          string
+	}{
+		{
+			name: "errors out for single file that is a symlink",
+			path: "testdata/migrate/file-system/single-file-link.yaml",
+			err:  "file testdata/migrate/file-system/single-file-link.yaml is irregular",
+		},
+		{
+			name: "errors out for single file with wrong extension",
+			path: "testdata/migrate/file-system/single-file-wrong-ext.json",
+			err:  "file testdata/migrate/file-system/single-file-wrong-ext.json does not match the specified extensions: .yaml, .yml",
+		},
+		{
+			name:         "migrate single file",
+			path:         "testdata/migrate/file-system/single-file.yaml",
+			outputGolden: "testdata/migrate/file-system/single-file.yaml.output.golden",
+			writtenFiles: []writtenFile{
+				{
+					file:       "testdata/migrate/file-system/single-file.yaml",
+					goldenFile: "testdata/migrate/file-system/single-file.yaml.golden",
+				},
+			},
+		},
+		{
+			name:         "migrate files in directory",
+			path:         "testdata/migrate/file-system/dir",
+			outputGolden: "testdata/migrate/file-system/dir.output.golden",
+			writtenFiles: []writtenFile{
+				{
+					file:       "testdata/migrate/file-system/dir/some-dir/another-file.yaml",
+					goldenFile: "testdata/migrate/file-system/dir.golden/some-dir/another-file.yaml",
+				},
+				{
+					file:       "testdata/migrate/file-system/dir/some-dir/another-file.yml",
+					goldenFile: "testdata/migrate/file-system/dir.golden/some-dir/another-file.yml",
+				},
+				{
+					file:       "testdata/migrate/file-system/dir/some-file.yaml",
+					goldenFile: "testdata/migrate/file-system/dir.golden/some-file.yaml",
+				},
+				{
+					file:       "testdata/migrate/file-system/dir/some-file.yml",
+					goldenFile: "testdata/migrate/file-system/dir.golden/some-file.yml",
+				},
+			},
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			// Store logger, replace with test logger, and restore at the end of the test.
+			var testLogger bytes.Buffer
+			oldLogger := logger
+			logger = stderrLogger{&testLogger}
+			t.Cleanup(func() { logger = oldLogger })
+
+			// Open current working directory as root and build write-to-memory filesystem.
+			pathRoot, err := os.OpenRoot(".")
+			g.Expect(err).ToNot(HaveOccurred())
+			t.Cleanup(func() { pathRoot.Close() })
+			fileSystem := &writeToMemoryFS{
+				FS:           pathRoot.FS(),
+				writtenFiles: make(map[string][]byte),
+			}
+
+			// Prepare other inputs.
+			const yes = true
+			const dryRun = false
+			extensions := []string{".yaml", ".yml"}
+			latestVersions := map[schema.GroupKind]string{
+				{Group: "image.toolkit.fluxcd.io", Kind: "ImageRepository"}:       "v1",
+				{Group: "image.toolkit.fluxcd.io", Kind: "ImagePolicy"}:           "v1",
+				{Group: "image.toolkit.fluxcd.io", Kind: "ImageUpdateAutomation"}: "v1",
+			}
+
+			// Run migration.
+			err = NewFileSystemMigrator(fileSystem, yes, dryRun, tt.path, extensions, latestVersions).Run()
+			if tt.err != "" {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+				return
+			}
+			g.Expect(err).ToNot(HaveOccurred())
+
+			// Assert logger output.
+			b, err := os.ReadFile(tt.outputGolden)
+			g.Expect(err).ToNot(HaveOccurred())
+			g.Expect(string(b)).To(Equal(testLogger.String()),
+				"logger output does not match golden file %s", tt.outputGolden)
+
+			// Assert which files were written.
+			writtenFiles := make([]string, 0, len(fileSystem.writtenFiles))
+			for name := range fileSystem.writtenFiles {
+				writtenFiles = append(writtenFiles, name)
+			}
+			expectedWrittenFiles := make([]string, 0, len(tt.writtenFiles))
+			for _, wf := range tt.writtenFiles {
+				expectedWrittenFiles = append(expectedWrittenFiles, wf.file)
+			}
+			g.Expect(writtenFiles).To(ConsistOf(expectedWrittenFiles))
+
+			// Assert contents of written files.
+			for _, wf := range tt.writtenFiles {
+				b, err := os.ReadFile(wf.goldenFile)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(string(fileSystem.writtenFiles[wf.file])).To(Equal(string(b)),
+					"file %s does not match golden file %s", wf.file, wf.goldenFile)
+			}
+		})
+	}
+}

cmd/flux/oci.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
+
+	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/auth/azure"
+	authutils "github.com/fluxcd/pkg/auth/utils"
+)
+
+// loginWithProvider gets a crane authentication option for the given provider and URL.
+func loginWithProvider(ctx context.Context, url, provider string) (crane.Option, authn.Authenticator, error) {
+	var opts []auth.Option
+	if provider == azure.ProviderName {
+		opts = append(opts, auth.WithAllowShellOut())
+	}
+	authenticator, err := authutils.GetArtifactRegistryCredentials(ctx, provider, url, opts...)
+	if err != nil {
+		return nil, nil, fmt.Errorf("could not login to provider %s with url %s: %w", provider, url, err)
+	}
+	return crane.WithAuth(authenticator), authenticator, nil
+}

cmd/flux/pull_artifact.go

@@ -21,19 +21,20 @@ import (
 	"fmt"
 	"os"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/spf13/cobra"
 
-	"github.com/fluxcd/flux2/v2/internal/flags"
+	"github.com/fluxcd/pkg/oci"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 
-	oci "github.com/fluxcd/pkg/oci/client"
+	"github.com/fluxcd/flux2/v2/internal/flags"
 )
 
 var pullArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Pull artifact",
-	Long: withPreviewNote(`The pull artifact command downloads and extracts the OCI artifact content to the given path.
-The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
+	Long: `The pull artifact command downloads and extracts the OCI artifact content to the given path.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
 	Example: `  # Pull an OCI artifact created by flux from GHCR
   flux pull artifact oci://ghcr.io/org/manifests/app:v0.0.1 --output ./path/to/local/manifests
 `,
@@ -43,6 +44,7 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 type pullArtifactFlags struct {
 	output   string
 	creds    string
+	insecure bool
 	provider flags.SourceOCIProvider
 }
 
@@ -58,6 +60,7 @@ func init() {
 	pullArtifactCmd.Flags().StringVarP(&pullArtifactArgs.output, "output", "o", "", "path where the artifact content should be extracted.")
 	pullArtifactCmd.Flags().StringVar(&pullArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	pullArtifactCmd.Flags().Var(&pullArtifactArgs.provider, "provider", sourceOCIRepositoryArgs.provider.Description())
+	pullArtifactCmd.Flags().BoolVar(&pullArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pulled without TLS")
 	pullCmd.AddCommand(pullArtifactCmd)
 }
 
@@ -83,7 +86,22 @@ func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	ociClient := oci.NewClient(oci.DefaultOptions())
+	opts := oci.DefaultOptions()
+
+	if pullArtifactArgs.insecure {
+		opts = append(opts, crane.Insecure)
+	}
+
+	if pullArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+		logger.Actionf("logging in to registry with provider credentials")
+		opt, _, err := loginWithProvider(ctx, url, pullArtifactArgs.provider.String())
+		if err != nil {
+			return fmt.Errorf("error during login with provider: %w", err)
+		}
+		opts = append(opts, opt)
+	}
+
+	ociClient := oci.NewClient(opts)
 
 	if pullArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pullArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
@@ -92,18 +110,6 @@ func pullArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if pullArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
-		logger.Actionf("logging in to registry with provider credentials")
-		ociProvider, err := pullArtifactArgs.provider.ToOCIProvider()
-		if err != nil {
-			return fmt.Errorf("provider not supported: %w", err)
-		}
-
-		if err := ociClient.LoginWithProvider(ctx, url, ociProvider); err != nil {
-			return fmt.Errorf("error during login with provider: %w", err)
-		}
-	}
-
 	logger.Actionf("pulling artifact from %s", url)
 
 	meta, err := ociClient.Pull(ctx, url, pullArtifactArgs.output)

cmd/flux/push_artifact.go

@@ -34,9 +34,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/pkg/oci"
-	"github.com/fluxcd/pkg/oci/auth/login"
-	"github.com/fluxcd/pkg/oci/client"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 
 	"github.com/fluxcd/flux2/v2/internal/flags"
 )
@@ -44,8 +42,8 @@ import (
 var pushArtifactCmd = &cobra.Command{
 	Use:   "artifact",
 	Short: "Push artifact",
-	Long: withPreviewNote(`The push artifact command creates a tarball from the given directory or the single file and uploads the artifact to an OCI repository.
-The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
+	Long: `The push artifact command creates a tarball from the given directory or the single file and uploads the artifact to an OCI repository.
+The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`,
 	Example: `  # Push manifests to GHCR using the short Git SHA as the OCI artifact tag
   echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
   flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
@@ -115,6 +113,7 @@ type pushArtifactFlags struct {
 	output       string
 	debug        bool
 	reproducible bool
+	insecure     bool
 }
 
 var pushArtifactArgs = newPushArtifactFlags()
@@ -137,6 +136,7 @@ func init() {
 		"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")
 	pushArtifactCmd.Flags().BoolVarP(&pushArtifactArgs.debug, "debug", "", false, "display logs from underlying library")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.reproducible, "reproducible", false, "ensure reproducible image digests by setting the created timestamp to '1970-01-01T00:00:00Z'")
+	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pushed without TLS")
 
 	pushCmd.AddCommand(pushArtifactCmd)
 }
@@ -159,7 +159,7 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
 	}
 
-	url, err := client.ParseArtifactURL(ociURL)
+	url, err := oci.ParseArtifactURL(ociURL)
 	if err != nil {
 		return err
 	}
@@ -198,7 +198,7 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		logs.Warn.SetOutput(os.Stderr)
 	}
 
-	meta := client.Metadata{
+	meta := oci.Metadata{
 		Source:      pushArtifactArgs.source,
 		Revision:    pushArtifactArgs.revision,
 		Annotations: annotations,
@@ -212,29 +212,25 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
 
-	var auth authn.Authenticator
-	opts := client.DefaultOptions()
+	var authenticator authn.Authenticator
+	opts := oci.DefaultOptions()
 	if pushArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pushArtifactArgs.creds != "" {
 		logger.Actionf("logging in to registry with credentials")
-		auth, err = client.GetAuthFromCredentials(pushArtifactArgs.creds)
+		authenticator, err = oci.GetAuthFromCredentials(pushArtifactArgs.creds)
 		if err != nil {
 			return fmt.Errorf("could not login with credentials: %w", err)
 		}
-		opts = append(opts, crane.WithAuth(auth))
+		opts = append(opts, crane.WithAuth(authenticator))
 	}
 
-	if pushArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
+	if provider := pushArtifactArgs.provider.String(); provider != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
-		ociProvider, err := pushArtifactArgs.provider.ToOCIProvider()
-		if err != nil {
-			return fmt.Errorf("provider not supported: %w", err)
-		}
-
-		auth, err = login.NewManager().Login(ctx, url, ref, getProviderLoginOption(ociProvider))
+		var opt crane.Option
+		opt, authenticator, err = loginWithProvider(ctx, url, provider)
 		if err != nil {
 			return fmt.Errorf("error during login with provider: %w", err)
 		}
-		opts = append(opts, crane.WithAuth(auth))
+		opts = append(opts, opt)
 	}
 
 	if rootArgs.timeout != 0 {
@@ -249,27 +245,37 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 			Cap:   rootArgs.timeout,
 		}
 
-		if auth == nil {
-			auth, err = authn.DefaultKeychain.Resolve(ref.Context())
+		if authenticator == nil {
+			authenticator, err = authn.DefaultKeychain.Resolve(ref.Context())
 			if err != nil {
 				return err
 			}
 		}
-		transportOpts, err := client.WithRetryTransport(ctx, ref, auth, backoff, []string{ref.Context().Scope(transport.PushScope)})
+		transportOpts, err := oci.WithRetryTransport(ctx,
+			ref,
+			authenticator,
+			backoff,
+			[]string{ref.Context().Scope(transport.PushScope)},
+			pushArtifactArgs.insecure,
+		)
 		if err != nil {
 			return fmt.Errorf("error setting up transport: %w", err)
 		}
-		opts = append(opts, transportOpts, client.WithRetryBackOff(backoff))
+		opts = append(opts, transportOpts, oci.WithRetryBackOff(backoff))
 	}
 
 	if pushArtifactArgs.output == "" {
 		logger.Actionf("pushing artifact to %s", url)
 	}
 
-	ociClient := client.NewClient(opts)
+	if pushArtifactArgs.insecure {
+		opts = append(opts, crane.Insecure)
+	}
+
+	ociClient := oci.NewClient(opts)
 	digestURL, err := ociClient.Push(ctx, url, path,
-		client.WithPushMetadata(meta),
-		client.WithPushIgnorePaths(pushArtifactArgs.ignorePaths...),
+		oci.WithPushMetadata(meta),
+		oci.WithPushIgnorePaths(pushArtifactArgs.ignorePaths...),
 	)
 	if err != nil {
 		return fmt.Errorf("pushing artifact failed: %w", err)
@@ -317,16 +323,3 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 
 	return nil
 }
-
-func getProviderLoginOption(provider oci.Provider) login.ProviderOptions {
-	var opts login.ProviderOptions
-	switch provider {
-	case oci.ProviderAzure:
-		opts.AzureAutoLogin = true
-	case oci.ProviderAWS:
-		opts.AwsAutoLogin = true
-	case oci.ProviderGCP:
-		opts.GcpAutoLogin = true
-	}
-	return opts
-}

cmd/flux/readiness.go

@@ -108,7 +108,7 @@ func isObjectReady(obj client.Object, statusType objectStatusType) (bool, error)
 	case kstatus.InProgressStatus:
 		return false, nil
 	default:
-		return false, fmt.Errorf(result.Message)
+		return false, fmt.Errorf("%s", result.Message)
 	}
 }
 

cmd/flux/reconcile.go

@@ -132,7 +132,7 @@ func (reconcile reconcileCommand) run(cmd *cobra.Command, args []string) error {
 	if readyCond.Status != metav1.ConditionTrue {
 		return fmt.Errorf("%s reconciliation failed: '%s'", reconcile.kind, readyCond.Message)
 	}
-	logger.Successf(reconcile.object.successMessage())
+	logger.Successf("%s", reconcile.object.successMessage())
 	return nil
 }
 

cmd/flux/reconcile_helmrelease.go

@@ -20,11 +20,9 @@ import (
 	"fmt"
 
 	"github.com/spf13/cobra"
-	"k8s.io/apimachinery/pkg/types"
 
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 var reconcileHrCmd = &cobra.Command{
@@ -68,7 +66,7 @@ func (obj helmReleaseAdapter) reconcileSource() bool {
 	return rhrArgs.syncHrWithSource
 }
 
-func (obj helmReleaseAdapter) getSource() (reconcileSource, types.NamespacedName) {
+func (obj helmReleaseAdapter) getSource() (reconcileSource, sourceReference) {
 	var (
 		name string
 		ns   string
@@ -79,21 +77,26 @@ func (obj helmReleaseAdapter) getSource() (reconcileSource, types.NamespacedName
 		if ns == "" {
 			ns = obj.Namespace
 		}
-		namespacedName := types.NamespacedName{
-			Name:      name,
-			Namespace: ns,
+		srcRef := sourceReference{
+			kind:      obj.Spec.ChartRef.Kind,
+			name:      name,
+			namespace: ns,
 		}
-		if obj.Spec.ChartRef.Kind == sourcev1.HelmChartKind {
+		switch obj.Spec.ChartRef.Kind {
+		case sourcev1.HelmChartKind:
 			return reconcileWithSourceCommand{
 				apiType: helmChartType,
 				object:  helmChartAdapter{&sourcev1.HelmChart{}},
 				force:   true,
-			}, namespacedName
+			}, srcRef
+		case sourcev1.OCIRepositoryKind:
+			return reconcileCommand{
+				apiType: ociRepositoryType,
+				object:  ociRepositoryAdapter{&sourcev1.OCIRepository{}},
+			}, srcRef
+		default:
+			return nil, srcRef
 		}
-		return reconcileCommand{
-			apiType: ociRepositoryType,
-			object:  ociRepositoryAdapter{&sourcev1b2.OCIRepository{}},
-		}, namespacedName
 	default:
 		// default case assumes the HelmRelease is using a HelmChartTemplate
 		ns = obj.Spec.Chart.Spec.SourceRef.Namespace
@@ -105,9 +108,10 @@ func (obj helmReleaseAdapter) getSource() (reconcileSource, types.NamespacedName
 				apiType: helmChartType,
 				object:  helmChartAdapter{&sourcev1.HelmChart{}},
 				force:   true,
-			}, types.NamespacedName{
-				Name:      name,
-				Namespace: ns,
+			}, sourceReference{
+				kind:      sourcev1.HelmChartKind,
+				name:      name,
+				namespace: ns,
 			}
 	}
 }