Merge pull request #5509 from RussellAult/action-without-api

`fluxcd/flux2/action`: Determine latest version without using GitHub API
fluxcd/flux2/action: Determine latest version without using GitHub API
2026-03-01 11:16:56 +00:00 · 2025-09-30 07:23:03 +01:00 · 2025-09-30 07:19:32 +01:00 · 2025-09-28 21:12:32 +01:00 · 2025-09-28 19:59:27 +00:00 · 2025-09-26 11:04:46 +01:00
220 changed files with 3631 additions and 3091 deletions
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@@ -44,12 +44,12 @@
  description: Feature request proposals in the RFC format
  color: '#D621C3'
  aliases: ['area/RFC']
- name: backport:release/v2.3.x
-  description: To be backported to release/v2.3.x
-  color: '#ffd700'
 - name: backport:release/v2.4.x
  description: To be backported to release/v2.4.x
  color: '#ffd700'
 - name: backport:release/v2.5.x
  description: To be backported to release/v2.5.x
  color: '#ffd700'
+- name: backport:release/v2.6.x
+  description: To be backported to release/v2.6.x
+  color: '#ffd700'
--- a/.github/workflows/action.yaml
+++ b/.github/workflows/action.yaml
@@ -24,6 +24,6 @@ jobs:
    name: action on ${{ matrix.version }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup flux
        uses: ./action
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -1,34 +1,13 @@
 name: backport
-
 on:
  pull_request_target:
    types: [closed, labeled]
-
-permissions: 
-  contents: read
-
+permissions: read-all
 jobs:
-  pull-request:
-    runs-on: ubuntu-latest
+  backport:
    permissions:
-      contents: write
-      pull-requests: write
-    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Create backport PRs
-        uses: korthout/backport-action@436145e922f9561fc5ea157ff406f21af2d6b363 # v3.2.0
-        # xref: https://github.com/korthout/backport-action#inputs
-        with:
-          # Use token to allow workflows to be triggered for the created PR
-          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
-          # Match labels with a pattern `backport:<target-branch>`
-          label_pattern: '^backport:([^ ]+)$'
-          # A bit shorter pull-request title than the default
-          pull_title: '[${target_branch}] ${pull_title}'
-          # Simpler PR description than default
-          pull_description: |-
-            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
+      contents: write # for reading and creating branches.
+      pull-requests: write # for creating pull requests against release branches.
+    uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@v0.4.0
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -9,7 +9,7 @@ permissions:
  contents: read

 env:
-  GO_VERSION: 1.24.x
+  GO_VERSION: 1.25.x

 jobs:
  conform-kubernetes:
@@ -19,13 +19,13 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Build images with https://github.com/fluxcd/flux-benchmark/actions/workflows/build-kind.yaml
-        KUBERNETES_VERSION: [1.31.5, 1.32.1, 1.33.0]
+        KUBERNETES_VERSION: [1.32.1, 1.33.0, 1.34.1]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -42,7 +42,7 @@ jobs:
      - name: Setup Kubernetes
        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.27.0
+          version: v0.30.0
          cluster_name: ${{ steps.prep.outputs.CLUSTER }}
          node_image: ghcr.io/fluxcd/kindest/node:v${{ matrix.KUBERNETES_VERSION }}-arm64
      - name: Run e2e tests
@@ -76,13 +76,13 @@ jobs:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/kubernetes
        # Available versions can be found with "replicated cluster versions"
-        K3S_VERSION: [ 1.31.8, 1.32.4, 1.33.0 ]
+        K3S_VERSION: [ 1.32.8, 1.33.4 ]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -97,7 +97,7 @@ jobs:
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@7e9c75bbb6a47b08c194edefa11d1c436e5bdd9e # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Build
        run: make build-dev
      - name: Create repository
@@ -169,13 +169,13 @@ jobs:
    strategy:
      matrix:
        # Keep this list up-to-date with https://endoflife.date/red-hat-openshift
-        OPENSHIFT_VERSION: [ 4.18.0-okd ]
+        OPENSHIFT_VERSION: [ 4.19.0-okd ]
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: |
@@ -190,7 +190,7 @@ jobs:
          KUBECONFIG_PATH="$(git rev-parse --show-toplevel)/bin/kubeconfig.yaml"
          echo "kubeconfig-path=${KUBECONFIG_PATH}" >> $GITHUB_OUTPUT
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@7e9c75bbb6a47b08c194edefa11d1c436e5bdd9e # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Build
        run: make build-dev
      - name: Create repository
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -22,19 +22,18 @@ permissions:

 jobs:
  e2e-aks:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./tests/integration
-    # This job is currently disabled. Remove the false check when Azure subscription is enabled.
-    if: false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
+    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: CheckoutD
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.24.x
+          go-version: 1.25.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@@ -51,7 +50,7 @@ jobs:
      - name: Authenticate to Azure
        uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v1.4.6
        with:
-          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
+          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
      - name: Set dynamic variables in .env
        run: |
          cat > .env <<EOF
@@ -61,33 +60,35 @@ jobs:
        run: cat .env
      - name: Run Azure e2e tests
        env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
-          GITREPO_SSH_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_CONTENTS }}
-          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.AZURE_GITREPO_SSH_PUB_CONTENTS }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
        run: |
          source .env
          mkdir -p ./build/ssh
-          touch ./build/ssh/key
-          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          cat <<EOF > build/ssh/key
+          $GITREPO_SSH_CONTENTS
+          EOF
          export GITREPO_SSH_PATH=build/ssh/key
-          touch ./build/ssh/key.pub
-          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          cat <<EOF > build/ssh/key.pub
+          $GITREPO_SSH_PUB_CONTENTS
+          EOF
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure
      - name: Ensure resource cleanup
        if: ${{ always() }}
        env:
-          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
-          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
        run: source .env && make destroy-azure
--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@@ -17,27 +17,27 @@ jobs:
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.24.x
+          go-version: 1.25.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.24.0
+          version: v0.30.0
          cluster_name: kind
          # The versions below should target the newest Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.33.0-amd64
+          node_image: ghcr.io/fluxcd/kindest/node:v1.32.1-amd64
          kubectl_version: v1.32.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@7e9c75bbb6a47b08c194edefa11d1c436e5bdd9e # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Setup yq
-        uses: fluxcd/pkg/actions/yq@7e9c75bbb6a47b08c194edefa11d1c436e5bdd9e # main
+        uses: fluxcd/pkg/actions/yq@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Build
        run: make build-dev
      - name: Set outputs
--- a/.github/workflows/e2e-gcp.yaml
+++ b/.github/workflows/e2e-gcp.yaml
@@ -22,18 +22,18 @@ permissions:

 jobs:
  e2e-gcp:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./tests/integration
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.24.x
+          go-version: 1.25.x
          cache-dependency-path: tests/integration/go.sum
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@@ -48,19 +48,19 @@ jobs:
        env:
          SOPS_VER: 3.7.1
      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        id: 'auth'
        with:
          credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}'
          token_format: 'access_token'
      - name: Setup gcloud
-        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      - name: Setup QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Log into us-central1-docker.pkg.dev
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: us-central1-docker.pkg.dev
          username: oauth2accesstoken
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -23,30 +23,30 @@ jobs:
          - 5000:5000
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.24.x
+          go-version: 1.25.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Setup Kubernetes
        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
-          version: v0.24.0
+          version: v0.30.0
          cluster_name: kind
          wait: 5s
          config: .github/kind/config.yaml # disable KIND-net
          # The versions below should target the oldest supported Kubernetes version
          # Keep this up-to-date with https://endoflife.date/kubernetes
-          node_image: ghcr.io/fluxcd/kindest/node:v1.31.5-amd64
+          node_image: ghcr.io/fluxcd/kindest/node:v1.32.1-amd64
          kubectl_version: v1.32.0
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.3/manifests/calico.yaml
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@7e9c75bbb6a47b08c194edefa11d1c436e5bdd9e # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Run tests
        run: make test
      - name: Run e2e tests
@@ -238,6 +238,9 @@ jobs:
      - name: flux check
        run: |
          ./bin/flux check
+      - name: flux migrate
+        run: |
+          ./bin/flux migrate
      - name: flux version
        run: |
          ./bin/flux version
--- a/.github/workflows/ossf.yaml
+++ b/.github/workflows/ossf.yaml
@@ -19,9 +19,9 @@ jobs:
      actions: read
      contents: read
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Run analysis
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
        with:
          results_file: results.sarif
          results_format: sarif
@@ -34,6 +34,6 @@ jobs:
          path: results.sarif
          retention-days: 5
      - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
        with:
          sarif_file: results.sarif
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,33 +20,33 @@ jobs:
      packages: write # needed for ghcr access
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.24.x
+          go-version: 1.25.x
          cache: false
      - name: Setup QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@9f7302141466aa6482940f15371237e9d9f4c34a # v0.19.0
+        uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
      - name: Setup Cosign
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@7e9c75bbb6a47b08c194edefa11d1c436e5bdd9e # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -59,7 +59,7 @@ jobs:
        run: |
          kustomize build manifests/crds > all-crds.yaml
      - name: Generate OpenAPI JSON schemas from CRDs
-        uses: fluxcd/pkg/actions/crdjsonschema@7e9c75bbb6a47b08c194edefa11d1c436e5bdd9e # main
+        uses: fluxcd/pkg/actions/crdjsonschema@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
        with:
          crd: all-crds.yaml
          output: schemas
@@ -68,7 +68,7 @@ jobs:
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
      - name: Run GoReleaser
        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          version: latest
          args: release --skip=validate
@@ -99,9 +99,9 @@ jobs:
      id-token: write
      packages: write
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Kustomize
-        uses: fluxcd/pkg/actions/kustomize@7e9c75bbb6a47b08c194edefa11d1c436e5bdd9e # main
+        uses: fluxcd/pkg/actions/kustomize@bf02f0a2d612cc07e0892166369fa8f63246aabb # main
      - name: Setup Flux CLI
        uses: ./action/
      - name: Prepare
@@ -110,13 +110,13 @@ jobs:
          VERSION=$(flux version --client | awk '{ print $NF }')
          echo "version=${VERSION}" >> $GITHUB_OUTPUT
      - name: Login to GHCR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ghcr.io
          username: fluxcdbot
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          username: fluxcdbot
          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
@@ -144,7 +144,7 @@ jobs:
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
-      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+      - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
      - name: Sign manifests
        env:
          COSIGN_EXPERIMENTAL: 1
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -1,5 +1,4 @@
 name: scan
-
 on:
  workflow_dispatch:
  push:
@@ -8,46 +7,13 @@ on:
    branches: [ 'main', 'release/**' ]
  schedule:
    - cron: '18 10 * * 3'
-
-permissions:
-  contents: read
-
+permissions: read-all
 jobs:
-  scan-fossa:
-    runs-on: ubuntu-latest
-    if: github.actor != 'dependabot[bot]'
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
-        with:
-          # FOSSA Push-Only API Token
-          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
-          github-token: ${{ github.token }}
-
-  scan-codeql:
-    runs-on: ubuntu-latest
+  analyze:
    permissions:
-      security-events: write
-    if: github.actor != 'dependabot[bot]'
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-        with:
-          go-version-file: 'go.mod'
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
-        with:
-          languages: go
-          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # xref: https://codeql.github.com/codeql-query-help/go/
-          queries: security-and-quality
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+      contents: read # for reading the repository code.
+      security-events: write # for uploading the CodeQL analysis results.
+    uses: fluxcd/gha-workflows/.github/workflows/code-scan.yaml@v0.4.0
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      fossa-token: ${{ secrets.FOSSA_TOKEN }}
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -6,23 +6,12 @@ on:
      - main
    paths:
      - .github/labels.yaml
-
-permissions:
-  contents: read
-
+permissions: read-all
 jobs:
-  labels:
-    name: Run sync
-    runs-on: ubuntu-latest
+  sync-labels:
    permissions:
-      issues: write
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
-        with:
-          # Configuration file
-          config-file: |
-            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
-            .github/labels.yaml
-          # Strictly declarative
-          delete-other-labels: true
+      contents: read # for reading the labels file.
+      issues: write # for creating and updating labels.
+    uses: fluxcd/gha-workflows/.github/workflows/labels-sync.yaml@v0.4.0
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -2,8 +2,6 @@ name: update

 on:
  workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
  push:
    branches: [main]

@@ -18,24 +16,37 @@ jobs:
      pull-requests: write
    steps:
      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
-          go-version: 1.24.x
+          go-version: 1.25.x
          cache-dependency-path: |
            **/go.sum
            **/go.mod
      - name: Update component versions
        id: update
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PR_BODY=$(mktemp)

          bump_version() {
-            local LATEST_VERSION=$(curl -s https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+            local LATEST_VERSION=$(curl -s -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/fluxcd/$1/releases | jq -r 'sort_by(.published_at) | .[-1] | .tag_name')
+
+            if [[ "$LATEST_VERSION" == *"-rc"* ]]; then
+              echo "Skipping release candidate version for $1: $LATEST_VERSION"
+              return
+            fi
+
            local CTRL_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p;n" manifests/bases/$1/kustomization.yaml)
            local CRD_VERSION=$(sed -n "s/.*$1\/releases\/download\/\(.*\)\/.*/\1/p" manifests/crds/kustomization.yaml)
-            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "github.com/fluxcd/$1/api")
+          
+            local API_PKG="github.com/fluxcd/$1/api"
+            if [[ "$1" == "source-watcher" ]]; then
+              API_PKG="github.com/fluxcd/$1/api/v2"
+            fi
+            local MOD_VERSION=$(go list -m -f '{{ .Version }}' "$API_PKG")

            local changed=false

@@ -50,7 +61,7 @@ jobs:
            fi

            if [[ "${MOD_VERSION}" != "${LATEST_VERSION}" ]]; then
-              go mod edit -require="github.com/fluxcd/$1/api@${LATEST_VERSION}"
+              go mod edit -require="$API_PKG@${LATEST_VERSION}"
              make tidy
              changed=true
            fi
@@ -69,6 +80,7 @@ jobs:
            bump_version notification-controller
            bump_version image-reflector-controller
            bump_version image-automation-controller
+            bump_version source-watcher

            # diff change
            git diff
--- a/6
+++ b/6
@@ -1,16 +1,16 @@
-FROM alpine:3.21 AS builder
+FROM alpine:3.22 AS builder

 RUN apk add --no-cache ca-certificates curl

 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.33.0
+ARG KUBECTL_VER=1.34.0

 RUN curl -sL https://dl.k8s.io/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl

 RUN kubectl version --client=true

-FROM alpine:3.21 AS flux-cli
+FROM alpine:3.22 AS flux-cli

 RUN apk add --no-cache ca-certificates

--- a/4
+++ b/4
@@ -17,8 +17,8 @@ rwildcard=$(foreach d,$(wildcard $(addsuffix *,$(1))),$(call rwildcard,$(d)/,$(2
 all: test build

 tidy:
-	go mod tidy -compat=1.24
-	cd tests/integration && go mod tidy -compat=1.24
+	go mod tidy -compat=1.25
+	cd tests/integration && go mod tidy -compat=1.25

 fmt:
 	go fmt ./...
--- a/action/action.yml
+++ b/action/action.yml
@@ -16,23 +16,24 @@ inputs:
    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
    required: false
  token:
-    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
+    description: "Token used to authenticate against the GitHub.com API."
    required: false
 runs:
  using: composite
  steps:
    - name: "Download the binary to the runner's cache dir"
      shell: bash
+      env:
+        VERSION: "${{ inputs.version }}"
+        FLUX_TOOL_DIR: "${{ inputs.bindir }}"
+        TOKEN: "${{ inputs.token }}"
      run: |
-        VERSION=${{ inputs.version }}
-
-        TOKEN=${{ inputs.token }}
-        if [[ -z "$TOKEN" ]]; then
-          TOKEN=${{ github.token }}
-        fi
-
        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
+          if [[ "${TOKEN}" != '' ]]; then
            VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
+          else
+            VERSION=$(curl -w "%{url_effective}\n" -IsSL https://github.com/fluxcd/flux2/releases/latest -o /dev/null | sed 's$^.*/$$')
+          fi
        fi
        if [[ -z "$VERSION" ]]; then
          echo "Unable to determine Flux CLI version"
@@ -59,7 +60,6 @@ runs:
            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
        fi

-        FLUX_TOOL_DIR=${{ inputs.bindir }}
        if [[ -z "$FLUX_TOOL_DIR" ]]; then
          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
        fi
--- a/cmd/flux/artifact.go
+++ b/cmd/flux/artifact.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+// swapi.ArtifactGenerator
+
+var artifactGeneratorType = apiType{
+	kind:         swapi.ArtifactGeneratorKind,
+	humanKind:    "artifactgenerator",
+	groupVersion: swapi.GroupVersion,
+}
+
+type artifactGeneratorAdapter struct {
+	*swapi.ArtifactGenerator
+}
+
+func (h artifactGeneratorAdapter) asClientObject() client.Object {
+	return h.ArtifactGenerator
+}
+
+func (h artifactGeneratorAdapter) deepCopyClientObject() client.Object {
+	return h.ArtifactGenerator.DeepCopy()
+}
+
+// swapi.ArtifactGeneratorList
+
+type artifactGeneratorListAdapter struct {
+	*swapi.ArtifactGeneratorList
+}
+
+func (h artifactGeneratorListAdapter) asClientList() client.ObjectList {
+	return h.ArtifactGeneratorList
+}
+
+func (h artifactGeneratorListAdapter) len() int {
+	return len(h.ArtifactGeneratorList.Items)
+}
--- a/cmd/flux/bootstrap.go
+++ b/cmd/flux/bootstrap.go
@@ -97,7 +97,7 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	bootstrapCmd.PersistentFlags().StringSliceVar(&bootstrapArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller,source-watcher'")

 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapArgs.registry, "registry", "ghcr.io/fluxcd",
 		"container registry where the Flux controller images are published")
--- a/cmd/flux/bootstrap_gitlab.go
+++ b/cmd/flux/bootstrap_gitlab.go
@@ -42,7 +42,7 @@ import (
 var bootstrapGitLabCmd = &cobra.Command{
 	Use:   "gitlab",
 	Short: "Deploy Flux on a cluster connected to a GitLab repository",
-	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exists and
+	Long: `The bootstrap gitlab command creates the GitLab repository if it doesn't exist and
 commits the Flux manifests to the specified branch.
 Then it configures the target cluster to synchronize with that repository.
 If the Flux components are present on the cluster,
--- a/cmd/flux/check.go
+++ b/cmd/flux/check.go
@@ -60,7 +60,7 @@ type checkFlags struct {
 }

 var kubernetesConstraints = []string{
-	">=1.31.0-0",
+	">=1.32.0-0",
 }

 var checkArgs checkFlags
--- a/cmd/flux/create_helmrelease.go
+++ b/cmd/flux/create_helmrelease.go
@@ -94,6 +94,13 @@ var createHelmReleaseCmd = &cobra.Command{
    --source=HelmRepository/podinfo \
    --chart=podinfo

+  # Create a HelmRelease with custom storage namespace for hub-and-spoke model
+  flux create hr podinfo \
+    --target-namespace=production \
+    --storage-namespace=fluxcd-system \
+    --source=HelmRepository/podinfo \
+    --chart=podinfo
+
  # Create a HelmRelease using a source from a different namespace
  flux create hr podinfo \
    --namespace=default \
@@ -127,6 +134,7 @@ type helmReleaseFlags struct {
 	chartVersion        string
 	chartRef            string
 	targetNamespace     string
+	storageNamespace    string
 	createNamespace     bool
 	valuesFiles         []string
 	valuesFrom          []string
@@ -150,6 +158,7 @@ func init() {
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.chartVersion, "chart-version", "", "Helm chart version, accepts a semver range (ignored for charts from GitRepository sources)")
 	createHelmReleaseCmd.Flags().StringSliceVar(&helmReleaseArgs.dependsOn, "depends-on", nil, "HelmReleases that must be ready before this release can be installed, supported formats '<name>' and '<namespace>/<name>'")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.targetNamespace, "target-namespace", "", "namespace to install this release, defaults to the HelmRelease namespace")
+	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.storageNamespace, "storage-namespace", "", "namespace to store the Helm release, defaults to the target namespace")
 	createHelmReleaseCmd.Flags().BoolVar(&helmReleaseArgs.createNamespace, "create-target-namespace", false, "create the target namespace if it does not exist")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.saName, "service-account", "", "the name of the service account to impersonate when reconciling this HelmRelease")
 	createHelmReleaseCmd.Flags().StringVar(&helmReleaseArgs.reconcileStrategy, "reconcile-strategy", "ChartVersion", "the reconcile strategy for helm chart created by the helm release(accepted values: Revision and ChartRevision)")
@@ -165,6 +174,10 @@ func init() {
 func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

+	if helmReleaseArgs.storageNamespace == "" && helmReleaseArgs.targetNamespace != "" {
+		helmReleaseArgs.storageNamespace = helmReleaseArgs.targetNamespace
+	}
+
 	if helmReleaseArgs.chart == "" && helmReleaseArgs.chartRef == "" {
 		return fmt.Errorf("chart or chart-ref is required")
 	}
@@ -191,15 +204,27 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		},
 		Spec: helmv2.HelmReleaseSpec{
 			ReleaseName: helmReleaseArgs.name,
-			DependsOn:   utils.MakeDependsOn(helmReleaseArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
 			TargetNamespace:  helmReleaseArgs.targetNamespace,
+			StorageNamespace: helmReleaseArgs.storageNamespace,
 			Suspend:          false,
 		},
 	}

+	if len(helmReleaseArgs.dependsOn) > 0 {
+		ls := utils.MakeDependsOn(helmReleaseArgs.dependsOn)
+		hrDependsOn := make([]helmv2.DependencyReference, 0, len(ls))
+		for _, d := range ls {
+			hrDependsOn = append(hrDependsOn, helmv2.DependencyReference{
+				Name:      d.Name,
+				Namespace: d.Namespace,
+			})
+		}
+		helmRelease.Spec.DependsOn = hrDependsOn
+	}
+
 	switch {
 	case helmReleaseArgs.chart != "":
 		helmRelease.Spec.Chart = &helmv2.HelmChartTemplate{
@@ -234,7 +259,7 @@ func createHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {

 	if helmReleaseArgs.kubeConfigSecretRef != "" {
 		helmRelease.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: meta.SecretKeyReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: helmReleaseArgs.kubeConfigSecretRef,
 			},
 		}
--- a/cmd/flux/create_image_policy.go
+++ b/cmd/flux/create_image_policy.go
@@ -29,18 +29,18 @@ import (

 	"github.com/fluxcd/pkg/apis/meta"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var createImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Create or update an ImagePolicy object",
-	Long: withPreviewNote(`The create image policy command generates an ImagePolicy resource.
+	Long: `The create image policy command generates an ImagePolicy resource.
 An ImagePolicy object calculates a "latest image" given an image
 repository and a policy, e.g., semver.

 The image that sorts highest according to the policy is recorded in
-the status of the object.`),
+the status of the object.`,
 	Example: `  # Create an ImagePolicy to select the latest stable release
  flux create image policy podinfo \
    --image-ref=podinfo \
@@ -81,12 +81,6 @@ func init() {
 	createImageCmd.AddCommand(createImagePolicyCmd)
 }

-// getObservedGeneration is implemented here, since it's not
-// (presently) needed elsewhere.
-func (obj imagePolicyAdapter) getObservedGeneration() int64 {
-	return obj.ImagePolicy.Status.ObservedGeneration
-}
-
 func createImagePolicyRun(cmd *cobra.Command, args []string) error {
 	objectName := args[0]

--- a/cmd/flux/create_image_repository.go
+++ b/cmd/flux/create_image_repository.go
@@ -26,14 +26,14 @@ import (

 	"github.com/fluxcd/pkg/apis/meta"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var createImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Create or update an ImageRepository object",
-	Long: withPreviewNote(`The create image repository command generates an ImageRepository resource.
-An ImageRepository object specifies an image repository to scan.`),
+	Long: `The create image repository command generates an ImageRepository resource.
+An ImageRepository object specifies an image repository to scan.`,
 	Example: `  # Create an ImageRepository object to scan the alpine image repository:
  flux create image repository alpine-repo --image alpine --interval 20m

--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -22,16 +22,16 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

 var createImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Create or update an ImageUpdateAutomation object",
-	Long: withPreviewNote(`The create image update command generates an ImageUpdateAutomation resource.
+	Long: `The create image update command generates an ImageUpdateAutomation resource.
 An ImageUpdateAutomation object specifies an automated update to images
-mentioned in YAMLs in a git repository.`),
+mentioned in YAMLs in a git repository.`,
 	Example: `  # Configure image updates for the main repository created by flux bootstrap
  flux create image update flux-system \
    --git-repo-ref=flux-system \
--- a/cmd/flux/create_kustomization.go
+++ b/cmd/flux/create_kustomization.go
@@ -153,7 +153,6 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 			Labels:    kslabels,
 		},
 		Spec: kustomizev1.KustomizationSpec{
-			DependsOn: utils.MakeDependsOn(kustomizationArgs.dependsOn),
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
@@ -169,9 +168,21 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}

+	if len(kustomizationArgs.dependsOn) > 0 {
+		ls := utils.MakeDependsOn(kustomizationArgs.dependsOn)
+		ksDependsOn := make([]kustomizev1.DependencyReference, 0, len(ls))
+		for _, d := range ls {
+			ksDependsOn = append(ksDependsOn, kustomizev1.DependencyReference{
+				Name:      d.Name,
+				Namespace: d.Namespace,
+			})
+		}
+		kustomization.Spec.DependsOn = ksDependsOn
+	}
+
 	if kustomizationArgs.kubeConfigSecretRef != "" {
 		kustomization.Spec.KubeConfig = &meta.KubeConfigReference{
-			SecretRef: meta.SecretKeyReference{
+			SecretRef: &meta.SecretKeyReference{
 				Name: kustomizationArgs.kubeConfigSecretRef,
 			},
 		}
--- a/cmd/flux/create_secret_git.go
+++ b/cmd/flux/create_secret_git.go
@@ -172,7 +172,7 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGit(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_github_app.go
+++ b/cmd/flux/create_secret_github_app.go
@@ -99,7 +99,7 @@ func createSecretGitHubAppCmdRun(cmd *cobra.Command, args []string) error {
 		opts.GitHubAppBaseURL = secretGitHubAppArgs.baseURL
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateGitHubApp(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_helm.go
+++ b/cmd/flux/create_secret_helm.go
@@ -83,10 +83,12 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	var certFile, keyFile []byte
-	if secretHelmArgs.tlsCrtFile != "" && secretHelmArgs.tlsKeyFile != "" {
+	if secretHelmArgs.tlsCrtFile != "" {
 		if certFile, err = os.ReadFile(secretHelmArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
+	}
+	if secretHelmArgs.tlsKeyFile != "" {
 		if keyFile, err = os.ReadFile(secretHelmArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
@@ -102,7 +104,7 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		TLSCrt:    certFile,
 		TLSKey:    keyFile,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateHelm(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_notation.go
+++ b/cmd/flux/create_secret_notation.go
@@ -132,7 +132,7 @@ func createSecretNotationCmdRun(cmd *cobra.Command, args []string) error {
 		VerificationCrts: caCerts,
 		TrustPolicy:      policy,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateNotation(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_oci.go
+++ b/cmd/flux/create_secret_oci.go
@@ -92,7 +92,7 @@ func createSecretOCICmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretOCIArgs.username,
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateOCI(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_proxy.go
+++ b/cmd/flux/create_secret_proxy.go
@@ -83,7 +83,7 @@ func createSecretProxyCmdRun(cmd *cobra.Command, args []string) error {
 		Username:  secretProxyArgs.username,
 		Password:  secretProxyArgs.password,
 	}
-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateProxy(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_secret_tls.go
+++ b/cmd/flux/create_secret_tls.go
@@ -84,16 +84,18 @@ func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

-	if secretTLSArgs.tlsCrtFile != "" && secretTLSArgs.tlsKeyFile != "" {
+	if secretTLSArgs.tlsCrtFile != "" {
 		if opts.TLSCrt, err = os.ReadFile(secretTLSArgs.tlsCrtFile); err != nil {
 			return fmt.Errorf("failed to read cert file: %w", err)
 		}
+	}
+	if secretTLSArgs.tlsKeyFile != "" {
 		if opts.TLSKey, err = os.ReadFile(secretTLSArgs.tlsKeyFile); err != nil {
 			return fmt.Errorf("failed to read key file: %w", err)
 		}
 	}

-	secret, err := sourcesecret.Generate(opts)
+	secret, err := sourcesecret.GenerateTLS(opts)
 	if err != nil {
 		return err
 	}
--- a/cmd/flux/create_source_bucket.go
+++ b/cmd/flux/create_source_bucket.go
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"

 	"github.com/spf13/cobra"
@@ -114,12 +113,6 @@ func createSourceBucketCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	var ignorePaths *string
 	if len(sourceBucketArgs.ignorePaths) > 0 {
 		ignorePathsStr := strings.Join(sourceBucketArgs.ignorePaths, "\n")
--- a/cmd/flux/create_source_git.go
+++ b/cmd/flux/create_source_git.go
@@ -63,6 +63,7 @@ type sourceGitFlags struct {
 	recurseSubmodules   bool
 	silent              bool
 	ignorePaths         []string
+	sparseCheckoutPaths []string
 }

 var createSourceGitCmd = &cobra.Command{
@@ -154,6 +155,7 @@ func init() {
 		"when enabled, configures the GitRepository source to initialize and include Git submodules in the artifact it produces")
 	createSourceGitCmd.Flags().BoolVarP(&sourceGitArgs.silent, "silent", "s", false, "assumes the deploy key is already setup, skips confirmation")
 	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore in git resource (can specify multiple paths with commas: path1,path2)")
+	createSourceGitCmd.Flags().StringSliceVar(&sourceGitArgs.sparseCheckoutPaths, "sparse-checkout-paths", nil, "set paths to sparse checkout in git resource (can specify multiple paths with commas: path1,path2)")

 	createSourceCmd.AddCommand(createSourceGitCmd)
 }
@@ -189,12 +191,6 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("specifying a CA file is not supported for Git over SSH")
 	}

-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	sourceLabels, err := parseLabels()
 	if err != nil {
 		return err
@@ -220,6 +216,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			RecurseSubmodules: sourceGitArgs.recurseSubmodules,
 			Reference:         &sourcev1.GitRepositoryRef{},
 			Ignore:            ignorePaths,
+			SparseCheckout:    sourceGitArgs.sparseCheckoutPaths,
 		},
 	}

@@ -302,7 +299,7 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 			secretOpts.Username = sourceGitArgs.username
 			secretOpts.Password = sourceGitArgs.password
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateGit(secretOpts)
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/create_source_git_test.go
+++ b/cmd/flux/create_source_git_test.go
@@ -87,7 +87,7 @@ func (r *reconciler) conditionFunc() (bool, error) {
 }

 func TestCreateSourceGitExport(t *testing.T) {
-	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()
+	var command = "create source git podinfo --url=https://github.com/stefanprodan/podinfo --branch=master --sparse-checkout-paths .cosign,non-existent-dir/ --ignore-paths .cosign,non-existent-dir/ -n default --interval 1m --export --timeout=" + testTimeout.String()

 	cases := []struct {
 		name   string
@@ -101,7 +101,7 @@ func TestCreateSourceGitExport(t *testing.T) {
 		},
 		{
 			name:   "no args",
-			args:   "create secret git",
+			args:   "create source git --url=https://github.com/stefanprodan/podinfo",
 			assert: assertError("name is required"),
 		},
 		{
@@ -204,12 +204,13 @@ func TestCreateSourceGit(t *testing.T) {
 					ObservedGeneration: repo.GetGeneration(),
 				}
 				apimeta.SetStatusCondition(&repo.Status.Conditions, newCondition)
-				repo.Status.Artifact = &sourcev1.Artifact{
+				repo.Status.Artifact = &meta.Artifact{
 					Path:     "some-path",
 					Revision: "v1",
 					LastUpdateTime: metav1.Time{
 						Time: time.Now(),
 					},
+					Digest: "sha256:1234567890abcdef",
 				}
 				repo.Status.ObservedGeneration = repo.GetGeneration()
 			},
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -114,12 +114,6 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	tmpDir, err := os.MkdirTemp("", name)
-	if err != nil {
-		return err
-	}
-	defer os.RemoveAll(tmpDir)
-
 	if _, err := url.Parse(sourceHelmArgs.url); err != nil {
 		return fmt.Errorf("url parse failed: %w", err)
 	}
@@ -202,7 +196,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 			TLSKey:       keyFile,
 			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		secret, err := sourcesecret.Generate(secretOpts)
+		secret, err := sourcesecret.GenerateHelm(secretOpts)
 		if err != nil {
 			return err
 		}
--- a/cmd/flux/create_tenant.go
+++ b/cmd/flux/create_tenant.go
@@ -21,7 +21,6 @@ import (
 	"context"
 	"fmt"

-	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -32,6 +31,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
 )

 var createTenantCmd = &cobra.Command{
@@ -59,6 +60,7 @@ const (
 type tenantFlags struct {
 	namespaces  []string
 	clusterRole string
+	account     string
 }

 var tenantArgs tenantFlags
@@ -66,6 +68,7 @@ var tenantArgs tenantFlags
 func init() {
 	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
+	createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
 	createCmd.AddCommand(createTenantCmd)
 }

@@ -107,9 +110,17 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 		}
 		namespaces = append(namespaces, namespace)

+		accountName := tenant
+		if tenantArgs.account != "" {
+			accountName = tenantArgs.account
+		}
+		if err := validation.IsQualifiedName(accountName); len(err) > 0 {
+			return fmt.Errorf("invalid service-account name '%s': %v", accountName, err)
+		}
+
 		account := corev1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      tenant,
+				Name:      accountName,
 				Namespace: ns,
 				Labels:    objLabels,
 			},
@@ -131,7 +142,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 				},
 				{
 					Kind:      "ServiceAccount",
-					Name:      tenant,
+					Name:      accountName,
 					Namespace: ns,
 				},
 			},
@@ -282,10 +293,10 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	if err != nil {
 		return err
 	}
-
-	fmt.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))

 	account.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",
@@ -295,10 +306,10 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 	if err != nil {
 		return err
 	}
-
-	fmt.Println("---")
 	data = bytes.Replace(data, []byte("spec: {}\n"), []byte(""), 1)
-	fmt.Println(resourceToString(data))
+
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))

 	roleBinding.TypeMeta = metav1.TypeMeta{
 		APIVersion: "rbac.authorization.k8s.io/v1",
@@ -309,8 +320,8 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 		return err
 	}

-	fmt.Println("---")
-	fmt.Println(resourceToString(data))
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))

 	return nil
 }
--- a/cmd/flux/create_tenant_test.go
+++ b/cmd/flux/create_tenant_test.go
@@ -0,0 +1,68 @@
+//go:build e2e
+// +build e2e
+
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+)
+
+func TestCreateTenant(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no args",
+			args:   "create tenant",
+			assert: assertError("name is required"),
+		},
+		{
+			name:   "no namespace",
+			args:   "create tenant dev-team --cluster-role=cluster-admin",
+			assert: assertError("with-namespace is required"),
+		},
+		{
+			name:   "basic tenant",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-basic.yaml"),
+		},
+		{
+			name:   "tenant with custom serviceaccount",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --with-service-account=flux-tenant --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-service-account.yaml"),
+		},
+		{
+			name:   "tenant with custom cluster role",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
--- a/cmd/flux/debug_helmrelease.go
+++ b/cmd/flux/debug_helmrelease.go
@@ -40,7 +40,10 @@ WARNING: This command will print sensitive information if Kubernetes Secrets are
  flux debug hr podinfo --show-status

  # Export the final values of a Helm release composed from referred ConfigMaps and Secrets
-  flux debug hr podinfo --show-values > values.yaml`,
+  flux debug hr podinfo --show-values > values.yaml
+
+  # Print the reconciliation history of a Helm release
+  flux debug hr podinfo --show-history`,
 	RunE:              debugHelmReleaseCmdRun,
 	Args:              cobra.ExactArgs(1),
 	ValidArgsFunction: resourceNamesCompletionFunc(helmv2.GroupVersion.WithKind(helmv2.HelmReleaseKind)),
@@ -49,6 +52,7 @@ WARNING: This command will print sensitive information if Kubernetes Secrets are
 type debugHelmReleaseFlags struct {
 	showStatus  bool
 	showValues  bool
+	showHistory bool
 }

 var debugHelmReleaseArgs debugHelmReleaseFlags
@@ -56,15 +60,25 @@ var debugHelmReleaseArgs debugHelmReleaseFlags
 func init() {
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showStatus, "show-status", false, "print the status of the Helm release")
 	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showValues, "show-values", false, "print the final values of the Helm release")
+	debugHelmReleaseCmd.Flags().BoolVar(&debugHelmReleaseArgs.showHistory, "show-history", false, "print the reconciliation history of the Helm release")
 	debugCmd.AddCommand(debugHelmReleaseCmd)
 }

 func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

-	if (!debugHelmReleaseArgs.showStatus && !debugHelmReleaseArgs.showValues) ||
-		(debugHelmReleaseArgs.showStatus && debugHelmReleaseArgs.showValues) {
-		return fmt.Errorf("either --show-status or --show-values must be set")
+	flagsSet := 0
+	if debugHelmReleaseArgs.showStatus {
+		flagsSet++
+	}
+	if debugHelmReleaseArgs.showValues {
+		flagsSet++
+	}
+	if debugHelmReleaseArgs.showHistory {
+		flagsSet++
+	}
+	if flagsSet != 1 {
+		return fmt.Errorf("exactly one of --show-status, --show-values, or --show-history must be set")
 	}

 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
@@ -109,5 +123,20 @@ func debugHelmReleaseCmdRun(cmd *cobra.Command, args []string) error {
 		rootCmd.Print(string(values))
 	}

+	if debugHelmReleaseArgs.showHistory {
+		if len(hr.Status.History) == 0 {
+			hr.Status.History = helmv2.Snapshots{}
+		}
+
+		history, err := yaml.Marshal(hr.Status.History)
+		if err != nil {
+			return err
+		}
+
+		rootCmd.Println("# History documentation: https://fluxcd.io/flux/components/helm/helmreleases/#history")
+		rootCmd.Print(string(history))
+		return nil
+	}
+
 	return nil
 }
--- a/cmd/flux/debug_helmrelease_test.go
+++ b/cmd/flux/debug_helmrelease_test.go
@@ -56,6 +56,18 @@ func TestDebugHelmRelease(t *testing.T) {
 			"testdata/debug_helmrelease/values-from.golden.yaml",
 			tmpl,
 		},
+		{
+			"debug history",
+			"debug helmrelease test-with-history --show-history --show-status=false",
+			"testdata/debug_helmrelease/history.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug history empty",
+			"debug helmrelease test-values-inline --show-history --show-status=false",
+			"testdata/debug_helmrelease/history-empty.golden.yaml",
+			tmpl,
+		},
 	}

 	for _, tt := range cases {
--- a/cmd/flux/debug_kustomization.go
+++ b/cmd/flux/debug_kustomization.go
@@ -24,6 +24,7 @@ import (
 	"strings"

 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/kustomize"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -44,7 +45,10 @@ WARNING: This command will print sensitive information if Kubernetes Secrets are
  flux debug ks podinfo --show-status

  # Export the final variables used for post-build substitutions composed from referred ConfigMaps and Secrets
-  flux debug ks podinfo --show-vars > vars.env`,
+  flux debug ks podinfo --show-vars > vars.env
+
+  # Print the reconciliation history of a Flux Kustomization
+  flux debug ks podinfo --show-history`,
 	RunE:              debugKustomizationCmdRun,
 	Args:              cobra.ExactArgs(1),
 	ValidArgsFunction: resourceNamesCompletionFunc(kustomizev1.GroupVersion.WithKind(kustomizev1.KustomizationKind)),
@@ -53,6 +57,7 @@ WARNING: This command will print sensitive information if Kubernetes Secrets are
 type debugKustomizationFlags struct {
 	showStatus  bool
 	showVars    bool
+	showHistory bool
 }

 var debugKustomizationArgs debugKustomizationFlags
@@ -60,15 +65,25 @@ var debugKustomizationArgs debugKustomizationFlags
 func init() {
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showStatus, "show-status", false, "print the status of the Flux Kustomization")
 	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showVars, "show-vars", false, "print the final vars of the Flux Kustomization in dot env format")
+	debugKustomizationCmd.Flags().BoolVar(&debugKustomizationArgs.showHistory, "show-history", false, "print the reconciliation history of the Flux Kustomization")
 	debugCmd.AddCommand(debugKustomizationCmd)
 }

 func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
 	name := args[0]

-	if (!debugKustomizationArgs.showStatus && !debugKustomizationArgs.showVars) ||
-		(debugKustomizationArgs.showStatus && debugKustomizationArgs.showVars) {
-		return fmt.Errorf("either --show-status or --show-vars must be set")
+	flagsSet := 0
+	if debugKustomizationArgs.showStatus {
+		flagsSet++
+	}
+	if debugKustomizationArgs.showVars {
+		flagsSet++
+	}
+	if debugKustomizationArgs.showHistory {
+		flagsSet++
+	}
+	if flagsSet != 1 {
+		return fmt.Errorf("exactly one of --show-status, --show-vars, or --show-history must be set")
 	}

 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
@@ -130,5 +145,20 @@ func debugKustomizationCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

+	if debugKustomizationArgs.showHistory {
+		if len(ks.Status.History) == 0 {
+			ks.Status.History = meta.History{}
+		}
+
+		history, err := yaml.Marshal(ks.Status.History)
+		if err != nil {
+			return err
+		}
+
+		rootCmd.Println("# History documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#history")
+		rootCmd.Print(string(history))
+		return nil
+	}
+
 	return nil
 }
--- a/cmd/flux/debug_kustomization_test.go
+++ b/cmd/flux/debug_kustomization_test.go
@@ -55,6 +55,17 @@ func TestDebugKustomization(t *testing.T) {
 			"debug ks test-from --show-vars --show-status=false",
 			"testdata/debug_kustomization/vars-from.golden.env",
 			tmpl,
+		}, {
+			"debug history",
+			"debug ks test-with-history --show-history --show-status=false",
+			"testdata/debug_kustomization/history.golden.yaml",
+			tmpl,
+		},
+		{
+			"debug history empty",
+			"debug ks test --show-history --show-status=false",
+			"testdata/debug_kustomization/history-empty.golden.yaml",
+			tmpl,
 		},
 	}

--- a/cmd/flux/delete_image_policy.go
+++ b/cmd/flux/delete_image_policy.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var deleteImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Delete an ImagePolicy object",
-	Long:  withPreviewNote(`The delete image policy command deletes the given ImagePolicy from the cluster.`),
+	Long:  `The delete image policy command deletes the given ImagePolicy from the cluster.`,
 	Example: `  # Delete an image policy
  flux delete image policy alpine3.x`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
--- a/cmd/flux/delete_image_repository.go
+++ b/cmd/flux/delete_image_repository.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var deleteImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Delete an ImageRepository object",
-	Long:  withPreviewNote("The delete image repository command deletes the given ImageRepository from the cluster."),
+	Long:  "The delete image repository command deletes the given ImageRepository from the cluster.",
 	Example: `  # Delete an image repository
  flux delete image repository alpine`,
 	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)),
--- a/cmd/flux/delete_image_update.go
+++ b/cmd/flux/delete_image_update.go
@@ -19,13 +19,13 @@ package main
 import (
 	"github.com/spf13/cobra"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )

 var deleteImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Delete an ImageUpdateAutomation object",
-	Long:  withPreviewNote(`The delete image update command deletes the given ImageUpdateAutomation from the cluster.`),
+	Long:  `The delete image update command deletes the given ImageUpdateAutomation from the cluster.`,
 	Example: `  # Delete an image update automation
  flux delete image update latest-images`,
 	ValidArgsFunction: resourceNamesCompletionFunc(autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)),
--- a/cmd/flux/diff_kustomization_test.go
+++ b/cmd/flux/diff_kustomization_test.go
@@ -27,6 +27,7 @@ import (

 	"github.com/fluxcd/flux2/v2/internal/build"
 	"github.com/fluxcd/pkg/ssa"
+	"github.com/fluxcd/pkg/ssa/normalize"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

@@ -151,7 +152,7 @@ func createObjectFromFile(objectFile string, templateValues map[string]string, t
 		t.Fatalf("Error decoding yaml file '%s': %v", objectFile, err)
 	}

-	if err := ssa.SetNativeKindsDefaults(clientObjects); err != nil {
+	if err := normalize.UnstructuredList(clientObjects); err != nil {
 		t.Fatalf("Error setting native kinds defaults for '%s': %v", objectFile, err)
 	}

--- a/cmd/flux/events.go
+++ b/cmd/flux/events.go
@@ -20,7 +20,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"os"
 	"sort"
 	"strings"
 	"time"
@@ -40,12 +39,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"

 	"github.com/fluxcd/flux2/v2/internal/utils"
 	"github.com/fluxcd/flux2/v2/pkg/printers"
@@ -112,7 +112,12 @@ func eventsCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	var diffRefNs bool
-	clientListOpts := []client.ListOption{client.InNamespace(*kubeconfigArgs.Namespace)}
+	// Build the base list options. When --all-namespaces is set we must NOT constrain the
+	// query to a single namespace, otherwise we silently return a partial result set.
+	clientListOpts := []client.ListOption{}
+	if !eventArgs.allNamespaces {
+		clientListOpts = append(clientListOpts, client.InNamespace(*kubeconfigArgs.Namespace))
+	}
 	var refListOpts [][]client.ListOption
 	if eventArgs.forSelector != "" {
 		kind, name := getKindNameFromSelector(eventArgs.forSelector)
@@ -246,7 +251,7 @@ func eventsCmdWatchRun(ctx context.Context, kubeclient client.WithWatch, listOpt
 			hdr = getHeaders(showNs)
 			firstIteration = false
 		}
-		return printers.TablePrinter(hdr).Print(os.Stdout, [][]string{rows})
+		return printers.TablePrinter(hdr).Print(rootCmd.OutOrStdout(), [][]string{rows})
 	}

 	for _, refOpts := range refListOpts {
@@ -450,6 +455,7 @@ var fluxKindMap = refMap{
 	sourcev1.HelmRepositoryKind:      {gvk: sourcev1.GroupVersion.WithKind(sourcev1.HelmRepositoryKind)},
 	autov1.ImageUpdateAutomationKind: {gvk: autov1.GroupVersion.WithKind(autov1.ImageUpdateAutomationKind)},
 	imagev1.ImageRepositoryKind:      {gvk: imagev1.GroupVersion.WithKind(imagev1.ImageRepositoryKind)},
+	swapi.ArtifactGeneratorKind:      {gvk: swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)},
 }

 func ignoreEvent(e corev1.Event) bool {
--- a/cmd/flux/events_test.go
+++ b/cmd/flux/events_test.go
@@ -140,7 +140,7 @@ spec:
  address: https://hooks.slack.com/services/mock
  type: slack
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImagePolicy
 metadata:
  name: podinfo
--- a/cmd/flux/export.go
+++ b/cmd/flux/export.go
@@ -109,13 +109,13 @@ func (export exportCommand) run(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func printExport(export interface{}) error {
+func printExport(export any) error {
 	data, err := yaml.Marshal(export)
 	if err != nil {
 		return err
 	}
-	rootCmd.Println("---")
-	rootCmd.Println(resourceToString(data))
+	printlnStdout("---")
+	printlnStdout(resourceToString(data))
 	return nil
 }

--- a/cmd/flux/export_artifact.go
+++ b/cmd/flux/export_artifact.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var exportArtifactCmd = &cobra.Command{
+	Use:   "artifact",
+	Short: "Export artifact objects",
+	Long:  `The export artifact sub-commands export artifacts objects in YAML format.`,
+}
+
+func init() {
+	exportCmd.AddCommand(exportArtifactCmd)
+}
--- a/cmd/flux/export_artifact_generator.go
+++ b/cmd/flux/export_artifact_generator.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+var exportArtifactGeneratorCmd = &cobra.Command{
+	Use:   "generator [name]",
+	Short: "Export ArtifactGenerator resources in YAML format",
+	Long:  "The export artifact generator command exports one or all ArtifactGenerator resources in YAML format.",
+	Example: `  # Export all ArtifactGenerator resources
+  flux export artifact generator --all > artifact-generators.yaml
+
+  # Export a specific generator
+  flux export artifact generator my-generator > my-generator.yaml`,
+	ValidArgsFunction: resourceNamesCompletionFunc(swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)),
+	RunE: exportCommand{
+		object: artifactGeneratorAdapter{&swapi.ArtifactGenerator{}},
+		list:   artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{}},
+	}.run,
+}
+
+func init() {
+	exportArtifactCmd.AddCommand(exportArtifactGeneratorCmd)
+}
+
+// Export returns an ArtifactGenerator value which has
+// extraneous information stripped out.
+func exportArtifactGenerator(item *swapi.ArtifactGenerator) interface{} {
+	gvk := swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)
+	export := swapi.ArtifactGenerator{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       gvk.Kind,
+			APIVersion: gvk.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        item.Name,
+			Namespace:   item.Namespace,
+			Labels:      item.Labels,
+			Annotations: item.Annotations,
+		},
+		Spec: item.Spec,
+	}
+	return export
+}
+
+func (ex artifactGeneratorAdapter) export() interface{} {
+	return exportArtifactGenerator(ex.ArtifactGenerator)
+}
+
+func (ex artifactGeneratorListAdapter) exportItem(i int) interface{} {
+	return exportArtifactGenerator(&ex.ArtifactGeneratorList.Items[i])
+}
--- a/cmd/flux/export_image_policy.go
+++ b/cmd/flux/export_image_policy.go
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var exportImagePolicyCmd = &cobra.Command{
 	Use:   "policy [name]",
 	Short: "Export ImagePolicy resources in YAML format",
-	Long:  withPreviewNote("The export image policy command exports one or all ImagePolicy resources in YAML format."),
+	Long:  "The export image policy command exports one or all ImagePolicy resources in YAML format.",
 	Example: `  # Export all ImagePolicy resources
  flux export image policy --all > image-policies.yaml

--- a/cmd/flux/export_image_repository.go
+++ b/cmd/flux/export_image_repository.go
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var exportImageRepositoryCmd = &cobra.Command{
 	Use:   "repository [name]",
 	Short: "Export ImageRepository resources in YAML format",
-	Long:  withPreviewNote("The export image repository command exports one or all ImageRepository resources in YAML format."),
+	Long:  "The export image repository command exports one or all ImageRepository resources in YAML format.",
 	Example: `  # Export all ImageRepository resources
  flux export image repository --all > image-repositories.yaml

--- a/cmd/flux/export_image_update.go
+++ b/cmd/flux/export_image_update.go
@@ -20,13 +20,13 @@ import (
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )

 var exportImageUpdateCmd = &cobra.Command{
 	Use:   "update [name]",
 	Short: "Export ImageUpdateAutomation resources in YAML format",
-	Long:  withPreviewNote("The export image update command exports one or all ImageUpdateAutomation resources in YAML format."),
+	Long:  "The export image update command exports one or all ImageUpdateAutomation resources in YAML format.",
 	Example: `  # Export all ImageUpdateAutomation resources
  flux export image update --all > updates.yaml

--- a/cmd/flux/get_artifact.go
+++ b/cmd/flux/get_artifact.go
@@ -0,0 +1,32 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var getArtifactCmd = &cobra.Command{
+	Use:     "artifacts",
+	Aliases: []string{"artifact"},
+	Short:   "Get artifact object status",
+	Long:    `The get artifact sub-commands print the status of artifact objects.`,
+}
+
+func init() {
+	getCmd.AddCommand(getArtifactCmd)
+}
--- a/cmd/flux/get_artifact_generator.go
+++ b/cmd/flux/get_artifact_generator.go
@@ -0,0 +1,93 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	swapi "github.com/fluxcd/source-watcher/api/v2/v1beta1"
+)
+
+var getArtifactGeneratorCmd = &cobra.Command{
+	Use:     "generators",
+	Aliases: []string{"generator"},
+	Short:   "Get artifact generator statuses",
+	Long:    `The get artifact generator command prints the statuses of the resources.`,
+	Example: `  # List all ArtifactGenerators and their status
+  flux get artifact generators`,
+	ValidArgsFunction: resourceNamesCompletionFunc(swapi.GroupVersion.WithKind(swapi.ArtifactGeneratorKind)),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		get := getCommand{
+			apiType: receiverType,
+			list:    artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{}},
+			funcMap: make(typeMap),
+		}
+
+		err := get.funcMap.registerCommand(get.apiType.kind, func(obj runtime.Object) (summarisable, error) {
+			o, ok := obj.(*swapi.ArtifactGenerator)
+			if !ok {
+				return nil, fmt.Errorf("impossible to cast type %#v generator", obj)
+			}
+
+			sink := artifactGeneratorListAdapter{&swapi.ArtifactGeneratorList{
+				Items: []swapi.ArtifactGenerator{
+					*o,
+				}}}
+			return sink, nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if err := get.run(cmd, args); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	getArtifactCmd.AddCommand(getArtifactGeneratorCmd)
+}
+
+func (s artifactGeneratorListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
+	item := s.Items[i]
+	status, msg := statusAndMessage(item.Status.Conditions)
+	return append(nameColumns(&item, includeNamespace, includeKind),
+		cases.Title(language.English).String(strconv.FormatBool(item.IsDisabled())), status, msg)
+}
+
+func (s artifactGeneratorListAdapter) headers(includeNamespace bool) []string {
+	headers := []string{"Name", "Suspended", "Ready", "Message"}
+	if includeNamespace {
+		return append(namespaceHeader, headers...)
+	}
+	return headers
+}
+
+func (s artifactGeneratorListAdapter) statusSelectorMatches(i int, conditionType, conditionStatus string) bool {
+	item := s.Items[i]
+	return statusMatches(conditionType, conditionStatus, item.Status.Conditions)
+}
--- a/cmd/flux/get_image_all.go
+++ b/cmd/flux/get_image_all.go
@@ -19,14 +19,14 @@ package main
 import (
 	"github.com/spf13/cobra"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var getImageAllCmd = &cobra.Command{
 	Use:   "all",
 	Short: "Get all image statuses",
-	Long:  withPreviewNote("The get image sub-commands print the statuses of all image objects."),
+	Long:  "The get image sub-commands print the statuses of all image objects.",
 	Example: `  # List all image objects in a namespace
  flux get images all --namespace=flux-system

--- a/cmd/flux/get_image_policy.go
+++ b/cmd/flux/get_image_policy.go
@@ -22,13 +22,13 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var getImagePolicyCmd = &cobra.Command{
 	Use:   "policy",
 	Short: "Get ImagePolicy status",
-	Long:  withPreviewNote("The get image policy command prints the status of ImagePolicy objects."),
+	Long:  "The get image policy command prints the status of ImagePolicy objects.",
 	Example: `  # List all image policies and their status
  flux get image policy

@@ -74,11 +74,16 @@ func init() {
 func (s imagePolicyListAdapter) summariseItem(i int, includeNamespace bool, includeKind bool) []string {
 	item := s.Items[i]
 	status, msg := statusAndMessage(item.Status.Conditions)
-	return append(nameColumns(&item, includeNamespace, includeKind), item.Status.LatestImage, status, msg)
+	var image, tag string
+	if ref := item.Status.LatestRef; ref != nil {
+		image = ref.Name
+		tag = ref.Tag
+	}
+	return append(nameColumns(&item, includeNamespace, includeKind), image, tag, status, msg)
 }

 func (s imagePolicyListAdapter) headers(includeNamespace bool) []string {
-	headers := []string{"Name", "Latest image", "Ready", "Message"}
+	headers := []string{"Name", "Image", "Tag", "Ready", "Message"}
 	if includeNamespace {
 		return append(namespaceHeader, headers...)
 	}
--- a/cmd/flux/get_image_repository.go
+++ b/cmd/flux/get_image_repository.go
@@ -26,13 +26,13 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var getImageRepositoryCmd = &cobra.Command{
 	Use:   "repository",
 	Short: "Get ImageRepository status",
-	Long:  withPreviewNote("The get image repository command prints the status of ImageRepository objects."),
+	Long:  "The get image repository command prints the status of ImageRepository objects.",
 	Example: `  # List all image repositories and their status
  flux get image repository

--- a/cmd/flux/get_image_update.go
+++ b/cmd/flux/get_image_update.go
@@ -26,13 +26,13 @@ import (
 	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/runtime"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )

 var getImageUpdateCmd = &cobra.Command{
 	Use:   "update",
 	Short: "Get ImageUpdateAutomation status",
-	Long:  withPreviewNote("The get image update command prints the status of ImageUpdateAutomation objects."),
+	Long:  "The get image update command prints the status of ImageUpdateAutomation objects.",
 	Example: `  # List all image update automation object and their status
  flux get image update

--- a/cmd/flux/image.go
+++ b/cmd/flux/image.go
@@ -17,10 +17,12 @@ limitations under the License.
 package main

 import (
+	"fmt"
+
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 // These are general-purpose adapters for attaching methods to, for
@@ -77,6 +79,34 @@ func (a imagePolicyAdapter) asClientObject() client.Object {
 	return a.ImagePolicy
 }

+func (a imagePolicyAdapter) deepCopyClientObject() client.Object {
+	return a.ImagePolicy.DeepCopy()
+}
+
+func (a imagePolicyAdapter) isStatic() bool {
+	return false
+}
+
+func (a imagePolicyAdapter) lastHandledReconcileRequest() string {
+	return a.Status.GetLastHandledReconcileRequest()
+}
+
+func (a imagePolicyAdapter) isSuspended() bool {
+	return a.Spec.Suspend
+}
+
+func (a imagePolicyAdapter) setSuspended() {
+	a.Spec.Suspend = true
+}
+
+func (a imagePolicyAdapter) successMessage() string {
+	return fmt.Sprintf("selected ref %s", a.Status.LatestRef.String())
+}
+
+func (a imagePolicyAdapter) setUnsuspended() {
+	a.Spec.Suspend = false
+}
+
 // imagev1.ImagePolicyList

 type imagePolicyListAdapter struct {
@@ -91,6 +121,18 @@ func (a imagePolicyListAdapter) len() int {
 	return len(a.ImagePolicyList.Items)
 }

+func (a imagePolicyListAdapter) resumeItem(i int) resumable {
+	return &imagePolicyAdapter{&a.ImagePolicyList.Items[i]}
+}
+
+func (obj imagePolicyAdapter) getObservedGeneration() int64 {
+	return obj.ImagePolicy.Status.ObservedGeneration
+}
+
+func (a imagePolicyListAdapter) item(i int) suspendable {
+	return &imagePolicyAdapter{&a.ImagePolicyList.Items[i]}
+}
+
 // autov1.ImageUpdateAutomation

 var imageUpdateAutomationType = apiType{
--- a/cmd/flux/image_test.go
+++ b/cmd/flux/image_test.go
@@ -53,6 +53,18 @@ func TestImageScanning(t *testing.T) {
 			"get image policy podinfo-regex",
 			"testdata/image/get_image_policy_regex.golden",
 		},
+		{
+			"suspend image policy podinfo-semver",
+			"testdata/image/suspend_image_policy.golden",
+		},
+		{
+			"resume image policy podinfo-semver",
+			"testdata/image/resume_image_policy.golden",
+		},
+		{
+			"reconcile image policy podinfo-semver",
+			"testdata/image/reconcile_image_policy.golden",
+		},
 	}

 	for _, tc := range cases {
--- a/cmd/flux/install.go
+++ b/cmd/flux/install.go
@@ -83,7 +83,7 @@ type installFlags struct {
 	force              bool
 }

-var installArgs = NewInstallFlags()
+var installArgs = newInstallFlags()

 func init() {
 	installCmd.Flags().BoolVar(&installArgs.export, "export", false,
@@ -93,7 +93,7 @@ func init() {
 	installCmd.Flags().StringSliceVar(&installArgs.defaultComponents, "components", rootArgs.defaults.Components,
 		"list of components, accepts comma-separated values")
 	installCmd.Flags().StringSliceVar(&installArgs.extraComponents, "components-extra", nil,
-		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller'")
+		"list of components in addition to those supplied or defaulted, accepts values such as 'image-reflector-controller,image-automation-controller,source-watcher'")
 	installCmd.Flags().StringVar(&installArgs.manifestsPath, "manifests", "", "path to the manifest directory")
 	installCmd.Flags().StringVar(&installArgs.registry, "registry", rootArgs.defaults.Registry,
 		"container registry where the toolkit images are published")
@@ -115,9 +115,14 @@ func init() {
 	rootCmd.AddCommand(installCmd)
 }

-func NewInstallFlags() installFlags {
+func newInstallFlags() installFlags {
 	return installFlags{
 		logLevel:           flags.LogLevel(rootArgs.defaults.LogLevel),
+		defaultComponents:  rootArgs.defaults.Components,
+		registry:           rootArgs.defaults.Registry,
+		watchAllNamespaces: rootArgs.defaults.WatchAllNamespaces,
+		networkPolicy:      rootArgs.defaults.NetworkPolicy,
+		clusterDomain:      rootArgs.defaults.ClusterDomain,
 	}
 }

@@ -195,10 +200,13 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}

 	if installArgs.export {
-		fmt.Print(manifest.Content)
-		return nil
+		_, err = rootCmd.OutOrStdout().Write([]byte(manifest.Content))
+		return err
 	} else if rootArgs.verbose {
-		fmt.Print(manifest.Content)
+		_, err = rootCmd.OutOrStdout().Write([]byte(manifest.Content))
+		if err != nil {
+			return err
+		}
 	}

 	logger.Successf("manifests build completed")
@@ -238,7 +246,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("install failed: %w", err)
 	}

-	fmt.Fprintln(os.Stderr, applyOutput)
+	rootCmd.Println(applyOutput)

 	if opts.ImagePullSecret != "" && opts.RegistryCredential != "" {
 		logger.Actionf("generating image pull secret %s", opts.ImagePullSecret)
@@ -250,7 +258,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 			Username:  credentials[0],
 			Password:  credentials[1],
 		}
-		imagePullSecret, err := sourcesecret.Generate(secretOpts)
+		imagePullSecret, err := sourcesecret.GenerateOCI(secretOpts)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
 		}
--- a/cmd/flux/install_test.go
+++ b/cmd/flux/install_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2022 The Flux authors
+Copyright 2025 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,17 @@ limitations under the License.

 package main

-import "testing"
+import (
+	"strings"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	ssautil "github.com/fluxcd/pkg/ssa/utils"
+
+	"github.com/fluxcd/flux2/v2/pkg/manifestgen/install"
+)

 func TestInstall(t *testing.T) {
 	// The pointer to kubeconfigArgs.Namespace is shared across
@@ -59,3 +69,43 @@ func TestInstall(t *testing.T) {
 		})
 	}
 }
+
+func TestInstall_ComponentsExtra(t *testing.T) {
+	g := NewWithT(t)
+	command := "install --export --components-extra=" +
+		strings.Join(install.MakeDefaultOptions().ComponentsExtra, ",")
+
+	output, err := executeCommand(command)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	manifests, err := ssautil.ReadObjects(strings.NewReader(output))
+	g.Expect(err).NotTo(HaveOccurred())
+
+	foundImageAutomation := false
+	foundImageReflector := false
+	foundSourceWatcher := false
+	foundExternalArtifact := false
+	for _, obj := range manifests {
+		if obj.GetKind() == "Deployment" && obj.GetName() == "image-automation-controller" {
+			foundImageAutomation = true
+		}
+		if obj.GetKind() == "Deployment" && obj.GetName() == "image-reflector-controller" {
+			foundImageReflector = true
+		}
+		if obj.GetKind() == "Deployment" && obj.GetName() == "source-watcher" {
+			foundSourceWatcher = true
+		}
+		if obj.GetKind() == "Deployment" &&
+			(obj.GetName() == "kustomize-controller" || obj.GetName() == "helm-controller") {
+			containers, _, _ := unstructured.NestedSlice(obj.Object, "spec", "template", "spec", "containers")
+			g.Expect(containers).ToNot(BeEmpty())
+			args, _, _ := unstructured.NestedSlice(containers[0].(map[string]any), "args")
+			g.Expect(args).To(ContainElement("--feature-gates=ExternalArtifact=true"))
+			foundExternalArtifact = true
+		}
+	}
+	g.Expect(foundImageAutomation).To(BeTrue(), "image-automation-controller deployment not found")
+	g.Expect(foundImageReflector).To(BeTrue(), "image-reflector-controller deployment not found")
+	g.Expect(foundSourceWatcher).To(BeTrue(), "source-watcher deployment not found")
+	g.Expect(foundExternalArtifact).To(BeTrue(), "ExternalArtifact feature gate not found")
+}
--- a/cmd/flux/main.go
+++ b/cmd/flux/main.go
@@ -247,3 +247,8 @@ While we try our best to not introduce breaking changes, they may occur when
 we adapt to new features and/or find better ways to facilitate what it does.`
 	return fmt.Sprintf("%s\n\n%s", strings.TrimSpace(desc), previewNote)
 }
+
+// printlnStdout prints the given text to stdout with a newline.
+func printlnStdout(txt string) {
+	_, _ = rootCmd.OutOrStdout().Write([]byte(txt + "\n"))
+}
--- a/cmd/flux/main_test.go
+++ b/cmd/flux/main_test.go
@@ -447,6 +447,7 @@ func resetCmdArgs() {
 	imagePolicyArgs = imagePolicyFlags{}
 	imageRepoArgs = imageRepoFlags{}
 	imageUpdateArgs = imageUpdateFlags{}
+	installArgs = newInstallFlags()
 	kustomizationArgs = NewKustomizationFlags()
 	receiverArgs = receiverFlags{}
 	resumeArgs = ResumeFlags{}
--- a/cmd/flux/migrate.go
+++ b/cmd/flux/migrate.go
@@ -0,0 +1,184 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var migrateCmd = &cobra.Command{
+	Use:   "migrate",
+	Args:  cobra.NoArgs,
+	Short: "Migrate the Flux custom resources to their latest API version",
+	Long: `The migrate command must be run before a Flux minor version upgrade.
+The command migrates the Flux custom resources stored in Kubernetes etcd to their latest API version,
+ensuring the Flux components can continue to function correctly after the upgrade.
+`,
+	RunE: runMigrateCmd,
+}
+
+func init() {
+	rootCmd.AddCommand(migrateCmd)
+}
+
+func runMigrateCmd(cmd *cobra.Command, args []string) error {
+	logger.Actionf("starting migration of custom resources")
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+
+	cfg, err := utils.KubeConfig(kubeconfigArgs, kubeclientOptions)
+	if err != nil {
+		return fmt.Errorf("Kubernetes client initialization failed: %s", err.Error())
+	}
+
+	kubeClient, err := client.New(cfg, client.Options{Scheme: utils.NewScheme()})
+	if err != nil {
+		return err
+	}
+
+	migrator := NewMigrator(kubeClient, client.MatchingLabels{
+		"app.kubernetes.io/part-of": "flux",
+	})
+
+	if err := migrator.Run(ctx); err != nil {
+		return err
+	}
+
+	logger.Successf("custom resources migrated successfully")
+	return nil
+}
+
+type Migrator struct {
+	labelSelector client.MatchingLabels
+	kubeClient    client.Client
+}
+
+// NewMigrator creates a new Migrator instance with the specified label selector.
+func NewMigrator(kubeClient client.Client, labelSelector client.MatchingLabels) *Migrator {
+	return &Migrator{
+		labelSelector: labelSelector,
+		kubeClient:    kubeClient,
+	}
+}
+
+func (m *Migrator) Run(ctx context.Context) error {
+	crdList := &apiextensionsv1.CustomResourceDefinitionList{}
+
+	if err := m.kubeClient.List(ctx, crdList, m.labelSelector); err != nil {
+		return fmt.Errorf("failed to list CRDs: %w", err)
+	}
+
+	for _, crd := range crdList.Items {
+		if err := m.migrateCRD(ctx, crd.Name); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Migrator) migrateCRD(ctx context.Context, name string) error {
+	crd := &apiextensionsv1.CustomResourceDefinition{}
+
+	if err := m.kubeClient.Get(ctx, client.ObjectKey{Name: name}, crd); err != nil {
+		return fmt.Errorf("failed to get CRD %s: %w", name, err)
+	}
+
+	// get the latest storage version for the CRD
+	storageVersion := m.getStorageVersion(crd)
+	if storageVersion == "" {
+		return fmt.Errorf("no storage version found for CRD %s", name)
+	}
+
+	// migrate all the resources for the CRD
+	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		return m.migrateCR(ctx, crd, storageVersion)
+	})
+	if err != nil {
+		return fmt.Errorf("failed to migrate resources for CRD %s: %w", name, err)
+	}
+
+	// set the CRD status to contain only the latest storage version
+	if len(crd.Status.StoredVersions) > 1 || crd.Status.StoredVersions[0] != storageVersion {
+		crd.Status.StoredVersions = []string{storageVersion}
+		if err := m.kubeClient.Status().Update(ctx, crd); err != nil {
+			return fmt.Errorf("failed to update CRD %s status: %w", crd.Name, err)
+		}
+		logger.Successf("%s migrated to storage version %s", crd.Name, storageVersion)
+	}
+	return nil
+}
+
+// migrateCR migrates all CRs for the given CRD to the specified version by patching them with an empty patch.
+func (m *Migrator) migrateCR(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition, version string) error {
+	list := &unstructured.UnstructuredList{}
+
+	apiVersion := crd.Spec.Group + "/" + version
+	listKind := crd.Spec.Names.ListKind
+
+	list.SetAPIVersion(apiVersion)
+	list.SetKind(listKind)
+
+	err := m.kubeClient.List(ctx, list, client.InNamespace(""))
+	if err != nil {
+		return fmt.Errorf("failed to list resources for CRD %s: %w", crd.Name, err)
+	}
+
+	if len(list.Items) == 0 {
+		return nil
+	}
+
+	for _, item := range list.Items {
+		// patch the resource with an empty patch to update the version
+		if err := m.kubeClient.Patch(
+			ctx,
+			&item,
+			client.RawPatch(client.Merge.Type(), []byte("{}")),
+		); err != nil && !apierrors.IsNotFound(err) {
+			return fmt.Errorf(" %s/%s/%s failed to migrate: %w",
+				item.GetKind(), item.GetNamespace(), item.GetName(), err)
+		}
+
+		logger.Successf("%s/%s/%s migrated to version %s",
+			item.GetKind(), item.GetNamespace(), item.GetName(), version)
+	}
+
+	return nil
+}
+
+// getStorageVersion retrieves the storage version of a CustomResourceDefinition.
+func (m *Migrator) getStorageVersion(crd *apiextensionsv1.CustomResourceDefinition) string {
+	var version string
+	for _, v := range crd.Spec.Versions {
+		if v.Storage {
+			version = v.Name
+			break
+		}
+	}
+
+	return version
+}
--- a/cmd/flux/oci.go
+++ b/cmd/flux/oci.go
@@ -18,7 +18,6 @@ package main

 import (
 	"context"
-	"errors"
 	"fmt"

 	"github.com/google/go-containerregistry/pkg/crane"
@@ -38,8 +37,5 @@ func loginWithProvider(ctx context.Context, url, provider string) (crane.Option,
 	if err != nil {
 		return nil, fmt.Errorf("could not login to provider %s with url %s: %w", provider, url, err)
 	}
-	if authenticator == nil {
-		return nil, errors.New("unsupported provider")
-	}
 	return crane.WithAuth(authenticator), nil
 }
--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -34,9 +33,6 @@ import (
 	"github.com/spf13/cobra"
 	"sigs.k8s.io/yaml"

-	"github.com/fluxcd/pkg/auth"
-	"github.com/fluxcd/pkg/auth/azure"
-	authutils "github.com/fluxcd/pkg/auth/utils"
 	"github.com/fluxcd/pkg/oci"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"

@@ -229,18 +225,11 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {

 	if provider := pushArtifactArgs.provider.String(); provider != sourcev1.GenericOCIProvider {
 		logger.Actionf("logging in to registry with provider credentials")
-		var authOpts []auth.Option
-		if provider == azure.ProviderName {
-			authOpts = append(authOpts, auth.WithAllowShellOut())
-		}
-		authenticator, err = authutils.GetArtifactRegistryCredentials(ctx, provider, url, authOpts...)
+		authOpt, err := loginWithProvider(ctx, url, provider)
 		if err != nil {
 			return fmt.Errorf("error during login with provider: %w", err)
 		}
-		if authenticator == nil {
-			return errors.New("unsupported provider")
-		}
-		opts = append(opts, crane.WithAuth(authenticator))
+		opts = append(opts, authOpt)
 	}

 	if rootArgs.timeout != 0 {
@@ -261,7 +250,13 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 				return err
 			}
 		}
-		transportOpts, err := oci.WithRetryTransport(ctx, ref, authenticator, backoff, []string{ref.Context().Scope(transport.PushScope)})
+		transportOpts, err := oci.WithRetryTransport(ctx,
+			ref,
+			authenticator,
+			backoff,
+			[]string{ref.Context().Scope(transport.PushScope)},
+			pushArtifactArgs.insecure,
+		)
 		if err != nil {
 			return fmt.Errorf("error setting up transport: %w", err)
 		}
--- a/cmd/flux/reconcile_image_policy.go
+++ b/cmd/flux/reconcile_image_policy.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
+	"github.com/spf13/cobra"
+)
+
+var reconcileImagePolicyCmd = &cobra.Command{
+	Use:   "policy [name]",
+	Short: "Reconcile an ImagePolicy",
+	Long:  `The reconcile image policy command triggers a reconciliation of an ImagePolicy resource and waits for it to finish.`,
+	Example: `
+	# Trigger a reconciliation for an existing image policy called 'alpine'
+	flux reconcile image policy alpine`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
+	RunE: reconcileCommand{
+		apiType: imagePolicyType,
+		object:  imagePolicyAdapter{&imagev1.ImagePolicy{}},
+	}.run,
+}
+
+func init() {
+	reconcileImageCmd.AddCommand(reconcileImagePolicyCmd)
+}
--- a/cmd/flux/reconcile_image_repository.go
+++ b/cmd/flux/reconcile_image_repository.go
@@ -21,7 +21,7 @@ import (

 	"github.com/spf13/cobra"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var reconcileImageRepositoryCmd = &cobra.Command{
--- a/cmd/flux/reconcile_image_updateauto.go
+++ b/cmd/flux/reconcile_image_updateauto.go
@@ -22,7 +22,7 @@ import (
 	"github.com/spf13/cobra"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 	meta "github.com/fluxcd/pkg/apis/meta"
 )

--- a/cmd/flux/resume_image_policy.go
+++ b/cmd/flux/resume_image_policy.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
+	"github.com/spf13/cobra"
+)
+
+var resumeImagePolicyCmd = &cobra.Command{
+	Use:   "policy [name]",
+	Short: "Resume an ImagePolicy",
+	Long:  `The resume image policy command resumes a suspended ImagePolicy resource.`,
+	Example: `
+	# Resume a suspended image policy called 'alpine'
+	flux resume image policy alpine`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
+	RunE: resumeCommand{
+		apiType: imagePolicyType,
+		list:    imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
+	}.run,
+}
+
+func init() {
+	resumeImageCmd.AddCommand(resumeImagePolicyCmd)
+}
--- a/cmd/flux/resume_image_repository.go
+++ b/cmd/flux/resume_image_repository.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var resumeImageRepositoryCmd = &cobra.Command{
--- a/cmd/flux/resume_image_updateauto.go
+++ b/cmd/flux/resume_image_updateauto.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )

 var resumeImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/stats.go
+++ b/cmd/flux/stats.go
@@ -28,8 +28,8 @@ import (

 	"github.com/fluxcd/cli-utils/pkg/kstatus/status"
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	notificationv1 "github.com/fluxcd/notification-controller/api/v1"
 	notificationv1b3 "github.com/fluxcd/notification-controller/api/v1beta3"
--- a/cmd/flux/suspend_image_policy.go
+++ b/cmd/flux/suspend_image_policy.go
@@ -0,0 +1,37 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
+	"github.com/spf13/cobra"
+)
+
+var suspendImagePolicyCmd = &cobra.Command{
+	Use:               "policy [name]",
+	Short:             "Suspend an ImagePolicy",
+	Long:              `The suspend image policy command suspends the reconciliation of an ImagePolicy resource.`,
+	ValidArgsFunction: resourceNamesCompletionFunc(imagev1.GroupVersion.WithKind(imagev1.ImagePolicyKind)),
+	RunE: suspendCommand{
+		apiType: imagePolicyType,
+		list:    imagePolicyListAdapter{&imagev1.ImagePolicyList{}},
+	}.run,
+}
+
+func init() {
+	suspendImageCmd.AddCommand(suspendImagePolicyCmd)
+}
--- a/cmd/flux/suspend_image_repository.go
+++ b/cmd/flux/suspend_image_repository.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta2"
+	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1"
 )

 var suspendImageRepositoryCmd = &cobra.Command{
--- a/cmd/flux/suspend_image_updateauto.go
+++ b/cmd/flux/suspend_image_updateauto.go
@@ -19,7 +19,7 @@ package main
 import (
 	"github.com/spf13/cobra"

-	autov1 "github.com/fluxcd/image-automation-controller/api/v1beta2"
+	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
 )

 var suspendImageUpdateCmd = &cobra.Command{
--- a/cmd/flux/testdata/check/check_pre.golden
+++ b/cmd/flux/testdata/check/check_pre.golden
@@ -1,3 +1,3 @@
 ► checking prerequisites
-✔ Kubernetes {{ .serverVersion }} >=1.31.0-0
+✔ Kubernetes {{ .serverVersion }} >=1.32.0-0
 ✔ prerequisites checks passed
--- a/cmd/flux/testdata/create_secret/githubapp/secret-with-baseurl.yaml
+++ b/cmd/flux/testdata/create_secret/githubapp/secret-with-baseurl.yaml
@@ -36,4 +36,5 @@ stringData:
    lbD102oXw9lUefVI0McyQIN9J58ewDC79AG7gU/fTSt6F75OeFLOJmoedQo33Y+s
    bUytJtOhHbLRNxwgalhjBUNWICrDktqJmumNOEOOPBqVz7RGwUg=
    -----END RSA PRIVATE KEY-----
+type: Opaque

--- a/cmd/flux/testdata/create_secret/githubapp/secret.yaml
+++ b/cmd/flux/testdata/create_secret/githubapp/secret.yaml
@@ -35,4 +35,5 @@ stringData:
    lbD102oXw9lUefVI0McyQIN9J58ewDC79AG7gU/fTSt6F75OeFLOJmoedQo33Y+s
    bUytJtOhHbLRNxwgalhjBUNWICrDktqJmumNOEOOPBqVz7RGwUg=
    -----END RSA PRIVATE KEY-----
+type: Opaque

--- a/cmd/flux/testdata/create_secret/helm/secret-helm.yaml
+++ b/cmd/flux/testdata/create_secret/helm/secret-helm.yaml
@@ -7,4 +7,5 @@ metadata:
 stringData:
  password: my-password
  username: my-username
+type: kubernetes.io/basic-auth

--- a/cmd/flux/testdata/create_secret/oci/create-secret.yaml
+++ b/cmd/flux/testdata/create_secret/oci/create-secret.yaml
@@ -5,6 +5,15 @@ metadata:
  name: ghcr
  namespace: my-namespace
 stringData:
-  .dockerconfigjson: '{"auths":{"ghcr.io":{"username":"stefanprodan","password":"password","auth":"c3RlZmFucHJvZGFuOnBhc3N3b3Jk"}}}'
+  .dockerconfigjson: |-
+    {
+      "auths": {
+        "ghcr.io": {
+          "username": "stefanprodan",
+          "password": "password",
+          "auth": "c3RlZmFucHJvZGFuOnBhc3N3b3Jk"
+        }
+      }
+    }
 type: kubernetes.io/dockerconfigjson

--- a/cmd/flux/testdata/create_secret/proxy/secret-proxy.yaml
+++ b/cmd/flux/testdata/create_secret/proxy/secret-proxy.yaml
@@ -8,4 +8,5 @@ stringData:
  address: https://my-proxy.com
  password: my-password
  username: my-username
+type: Opaque

--- a/cmd/flux/testdata/create_source_git/export.golden
+++ b/cmd/flux/testdata/create_source_git/export.golden
@@ -11,4 +11,7 @@ spec:
  interval: 1m0s
  ref:
    branch: master
+  sparseCheckout:
+  - .cosign
+  - non-existent-dir/
  url: https://github.com/stefanprodan/podinfo
--- a/cmd/flux/testdata/create_tenant/tenant-basic.yaml
+++ b/cmd/flux/testdata/create_tenant/tenant-basic.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: apps
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: dev-team
+  namespace: apps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: dev-team-reconciler
+  namespace: apps
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: gotk:apps:reconciler
+- kind: ServiceAccount
+  name: dev-team
+  namespace: apps
--- a/cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml
+++ b/cmd/flux/testdata/create_tenant/tenant-with-cluster-role.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: apps
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: dev-team
+  namespace: apps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: dev-team-reconciler
+  namespace: apps
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: custom-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: gotk:apps:reconciler
+- kind: ServiceAccount
+  name: dev-team
+  namespace: apps
--- a/cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml
+++ b/cmd/flux/testdata/create_tenant/tenant-with-service-account.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: apps
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: flux-tenant
+  namespace: apps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: dev-team-reconciler
+  namespace: apps
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: gotk:apps:reconciler
+- kind: ServiceAccount
+  name: flux-tenant
+  namespace: apps
--- a/cmd/flux/testdata/debug_helmrelease/history-empty.golden.yaml
+++ b/cmd/flux/testdata/debug_helmrelease/history-empty.golden.yaml
@@ -0,0 +1,2 @@
+# History documentation: https://fluxcd.io/flux/components/helm/helmreleases/#history
+[]
--- a/cmd/flux/testdata/debug_helmrelease/history.golden.yaml
+++ b/cmd/flux/testdata/debug_helmrelease/history.golden.yaml
@@ -0,0 +1,25 @@
+# History documentation: https://fluxcd.io/flux/components/helm/helmreleases/#history
+- appVersion: 6.0.0
+  chartName: podinfo
+  chartVersion: 6.0.0
+  configDigest: sha256:abc123
+  deleted: "2024-01-01T10:00:00Z"
+  digest: sha256:def456
+  firstDeployed: "2024-01-01T09:00:00Z"
+  lastDeployed: "2024-01-01T10:00:00Z"
+  name: test-with-history
+  namespace: {{ .fluxns }}
+  status: superseded
+  version: 1
+- appVersion: 6.1.0
+  chartName: podinfo
+  chartVersion: 6.1.0
+  configDigest: sha256:xyz789
+  deleted: null
+  digest: sha256:ghi012
+  firstDeployed: "2024-01-01T11:00:00Z"
+  lastDeployed: "2024-01-01T11:00:00Z"
+  name: test-with-history
+  namespace: {{ .fluxns }}
+  status: deployed
+  version: 2
--- a/cmd/flux/testdata/debug_helmrelease/objects.yaml
+++ b/cmd/flux/testdata/debug_helmrelease/objects.yaml
@@ -46,6 +46,47 @@ spec:
      name: none
      optional: true
 ---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: test-with-history
+  namespace: {{ .fluxns }}
+spec:
+  chartRef:
+    kind: OCIRepository
+    name: podinfo
+  interval: 5m0s
+  values:
+    image:
+      repository: stefanprodan/podinfo
+      tag: 5.0.0
+status:
+  observedGeneration: 1
+  history:
+    - name: test-with-history
+      namespace: {{ .fluxns }}
+      version: 1
+      configDigest: sha256:abc123
+      chartName: podinfo
+      chartVersion: 6.0.0
+      appVersion: 6.0.0
+      deleted: "2024-01-01T10:00:00Z"
+      digest: sha256:def456
+      firstDeployed: "2024-01-01T09:00:00Z"
+      lastDeployed: "2024-01-01T10:00:00Z"
+      status: superseded
+    - name: test-with-history
+      namespace: {{ .fluxns }}
+      version: 2
+      configDigest: sha256:xyz789
+      chartName: podinfo
+      chartVersion: 6.1.0
+      appVersion: 6.1.0
+      digest: sha256:ghi012
+      firstDeployed: "2024-01-01T11:00:00Z"
+      lastDeployed: "2024-01-01T11:00:00Z"
+      status: deployed
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
--- a/cmd/flux/testdata/debug_kustomization/history-empty.golden.yaml
+++ b/cmd/flux/testdata/debug_kustomization/history-empty.golden.yaml
@@ -0,0 +1,2 @@
+# History documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#history
+[]
--- a/cmd/flux/testdata/debug_kustomization/history.golden.yaml
+++ b/cmd/flux/testdata/debug_kustomization/history.golden.yaml
@@ -0,0 +1,17 @@
+# History documentation: https://fluxcd.io/flux/components/kustomize/kustomizations/#history
+- digest: sha256:def456
+  firstReconciled: "2024-01-01T09:00:00Z"
+  lastReconciled: "2024-01-01T10:00:00Z"
+  lastReconciledDuration: 300ms
+  lastReconciledStatus: success
+  metadata:
+    originRevision: abc123
+  totalReconciliations: 1
+- digest: sha256:ghi012
+  firstReconciled: "2024-02-01T09:00:00Z"
+  lastReconciled: "2024-02-01T10:00:00Z"
+  lastReconciledDuration: 500ms
+  lastReconciledStatus: failure
+  metadata:
+    originRevision: xyz789
+  totalReconciliations: 10
--- a/cmd/flux/testdata/debug_kustomization/objects.yaml
+++ b/cmd/flux/testdata/debug_kustomization/objects.yaml
@@ -44,6 +44,47 @@ spec:
      - kind: Secret
        name: test
 ---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: test-with-history
+  namespace: {{ .fluxns }}
+spec:
+  sourceRef:
+    kind: GitRepository
+    name: test
+  interval: 1m
+  path: "./"
+  prune: true
+  postBuild:
+   substitute:
+     TEST_OVERRIDE: "in-line"
+     TEST_INLINE: "in-line"
+   substituteFrom:
+     - kind: ConfigMap
+       name: test
+     - kind: Secret
+       name: test
+status:
+  observedGeneration: 1
+  history:
+    - digest: sha256:def456
+      firstReconciled: "2024-01-01T09:00:00Z"
+      lastReconciled: "2024-01-01T10:00:00Z"
+      lastReconciledDuration: 300ms
+      lastReconciledStatus: success
+      metadata:
+        originRevision: abc123
+      totalReconciliations: 1
+    - digest: sha256:ghi012
+      firstReconciled: "2024-02-01T09:00:00Z"
+      lastReconciled: "2024-02-01T10:00:00Z"
+      lastReconciledDuration: 500ms
+      lastReconciledStatus: failure
+      metadata:
+        originRevision: xyz789
+      totalReconciliations: 10
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
--- a/cmd/flux/testdata/export/image-policy.yaml
+++ b/cmd/flux/testdata/export/image-policy.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImagePolicy
 metadata:
  name: flux-system
--- a/cmd/flux/testdata/export/image-repo.yaml
+++ b/cmd/flux/testdata/export/image-repo.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImageRepository
 metadata:
  name: flux-system
--- a/cmd/flux/testdata/export/image-update.yaml
+++ b/cmd/flux/testdata/export/image-update.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImageUpdateAutomation
 metadata:
  name: flux-system
--- a/cmd/flux/testdata/export/objects.yaml
+++ b/cmd/flux/testdata/export/objects.yaml
@@ -30,7 +30,7 @@ spec:
    - kind: "Kustomization"
      name: "*"
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImageRepository
 metadata:
  name: flux-system
@@ -39,7 +39,7 @@ spec:
  image: ghcr.io/test/podinfo
  interval: 1m0s
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImagePolicy
 metadata:
  name: flux-system
@@ -51,7 +51,7 @@ spec:
    semver:
      range: 5.0.x
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImageUpdateAutomation
 metadata:
  name: flux-system
--- a/cmd/flux/testdata/get/objects.yaml
+++ b/cmd/flux/testdata/get/objects.yaml
@@ -25,6 +25,7 @@ status:
    revision: main@sha1:696f056df216eea4f9401adbee0ff744d4df390f
    path: "example"
    url: "example"
+    digest: sha1:696f056df216eea4f9401adbee0ff744d4df390f
  conditions:
    - lastTransitionTime: "2021-07-20T00:48:16Z"
      message: 'Fetched revision: main@sha1:696f056df216eea4f9401adbee0ff744d4df390f'
@@ -54,6 +55,7 @@ status:
    revision: main@sha1:696f056df216eea4f9401adbee0ff744d4df390f
    path: "example"
    url: "example"
+    digest: sha1:696f056df216eea4f9401adbee0ff744d4df390f
  conditions:
    - lastTransitionTime: "2021-07-20T00:48:16Z"
      message: 'Fetched revision: main@sha1:696f056df216eea4f9401adbee0ff744d4df390f'
@@ -83,6 +85,7 @@ status:
    revision: main@sha1:696f056df216eea4f9401adbee0ff744d4df390f
    path: "example"
    url: "example"
+    digest: sha1:696f056df216eea4f9401adbee0ff744d4df390f
  conditions:
    - lastTransitionTime: "2021-07-20T00:48:16Z"
      message: 'Fetched revision: main@sha1:696f056df216eea4f9401adbee0ff744d4df390f'
--- a/Show More
+++ b/Show More