fix(cli): uses DrySource revision for app diff/manifests with sourceHydrator (#23817 ) (#24670 )

Signed-off-by: Aditya Raj <adityaraj10600@gmail.com>
chore(deps): bump tj-actions/changed-files from 47.0.5 to 47.0.6 (#27470 )
2026-04-21 17:07:16 +00:00 · 2026-04-21 12:51:39 -04:00 · 2026-04-21 12:12:31 -04:00 · 2026-04-20 21:41:33 -10:00 · 2026-04-20 19:15:35 -04:00 · 2026-04-20 22:17:34 +00:00
1075 changed files with 1053511 additions and 55573 deletions
--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@ -41,6 +41,7 @@ Target GA date: ___. __, ____
     Thanks to all the folks who spent their time contributing to this release in any way possible!
     ```
 - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate during the RC period (or delegate this task to an Approver and coordinate timing)
+ - [ ] After creating the RC, open a documentation PR for the next minor version using [this](../../docs/operator-manual/templates/minor_version_upgrade.md) template.

 ## GA Release Checklist

--- a/.github/configs/renovate-config.js
+++ b/.github/configs/renovate-config.js
@ -4,12 +4,14 @@ module.exports = {
    autodiscover: false,
    allowPostUpgradeCommandTemplating: true,
    allowedPostUpgradeCommands: ["make mockgen"],
+    binarySource: 'install',
    extends: [
        "github>argoproj/argo-cd//renovate-presets/commons.json5",
        "github>argoproj/argo-cd//renovate-presets/custom-managers/shell.json5",
        "github>argoproj/argo-cd//renovate-presets/custom-managers/yaml.json5",
        "github>argoproj/argo-cd//renovate-presets/fix/disable-all-updates.json5",
        "github>argoproj/argo-cd//renovate-presets/devtool.json5",
-        "github>argoproj/argo-cd//renovate-presets/docs.json5"
+        "github>argoproj/argo-cd//renovate-presets/docs.json5",
+        "group:aws-sdk-go-v2Monorepo"
    ]
 }
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -8,6 +8,9 @@ updates:
    ignore:
    - dependency-name: k8s.io/*
    groups:
+      aws-sdk-v2:
+        patterns:
+          - "github.com/aws/aws-sdk-go-v2*"
      otel:
        patterns:
          - "go.opentelemetry.io/*"
--- a/.github/pr-title-checker-config.json
+++ b/.github/pr-title-checker-config.json
@ -1,15 +1,15 @@
 {
-    "LABEL": {
-      "name": "title needs formatting",
-      "color": "EEEEEE"
-    },
-    "CHECKS": {
-      "prefixes": ["[Bot] docs: "],
-      "regexp": "^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
-    },
-    "MESSAGES": {
-      "success": "PR title is valid",
-      "failure": "PR title is invalid",
-      "notice": "PR Title needs to pass regex '^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
-    }
+  "LABEL": {
+    "name": "title needs formatting",
+    "color": "EEEEEE"
+  },
+  "CHECKS": {
+    "prefixes": ["[Bot] docs: "],
+    "regexp": "^(refactor|feat|fix|docs|test|ci|chore|revert)!?(\\(.*\\))?!?:.*"
+  },
+  "MESSAGES": {
+    "success": "PR title is valid",
+    "failure": "PR title is invalid",
+    "notice": "PR Title needs to pass regex '^(refactor|feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
  }
+}
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@ -11,6 +11,7 @@
 | release.yaml       | Build images, cli-binaries, provenances, and post actions      |
 | scorecard.yaml     | Generate scorecard for supply-chain security                   |
 | update-snyk.yaml   | Scheduled snyk reports                                         |
+| stale.yaml         | Labels stale issues and PRs                                    |

 # Reusable workflows

--- a/.github/workflows/bump-major-version.yaml
+++ b/.github/workflows/bump-major-version.yaml
@ -4,16 +4,26 @@ on:

 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  prepare-release:
    permissions:
      contents: write  # for peter-evans/create-pull-request to create branch
      pull-requests: write  # for peter-evans/create-pull-request to create a PR
    name: Automatically update major version
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -37,7 +47,7 @@ jobs:
        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd

      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Add ~/go/bin to PATH
@ -74,7 +84,7 @@ jobs:
          rsync -a --exclude=.git /home/runner/go/src/github.com/argoproj/argo-cd/ ../argo-cd

      - name: Create pull request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725  # v8.0.0
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
        with:
          commit-message: "Bump major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}"
          title: "Bump major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}"
@ -86,4 +96,4 @@ jobs:
            - [ ] Add an upgrade guide to the docs for this version
          branch: bump-major-version
          branch-suffix: random
-          signoff: true
+          signoff: true
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@ -25,20 +25,30 @@ on:
      CHERRYPICK_APP_PRIVATE_KEY:
        required: true

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  cherry-pick:
    name: Cherry Pick to ${{ inputs.version_number }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: ${{ secrets.CHERRYPICK_APP_ID }}
          private-key: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}

      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ steps.generate-token.outputs.token }}
@ -66,6 +76,7 @@ jobs:

          # Create new branch for cherry-pick
          CHERRY_PICK_BRANCH="cherry-pick-${{ inputs.pr_number }}-to-${TARGET_BRANCH}"
+
          git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"

          # Perform cherry-pick
@ -75,12 +86,17 @@ jobs:
            # Extract Signed-off-by from the cherry-pick commit
            SIGNOFF=$(git log -1 --pretty=format:"%B" | grep -E '^Signed-off-by:' || echo "")

-            # Push the new branch
-            git push origin "$CHERRY_PICK_BRANCH"
+            # Push the new branch. Force push to ensure that in case the original cherry-pick branch is stale, 
+            # that the current state of the $TARGET_BRANCH + cherry-pick gets in $CHERRY_PICK_BRANCH.
+            git push origin -f "$CHERRY_PICK_BRANCH"

            # Save data for PR creation
            echo "branch_name=$CHERRY_PICK_BRANCH" >> "$GITHUB_OUTPUT"
-            echo "signoff=$SIGNOFF" >> "$GITHUB_OUTPUT"
+            {
+              echo "signoff<<EOF"
+              echo "$SIGNOFF"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
            echo "target_branch=$TARGET_BRANCH" >> "$GITHUB_OUTPUT"
          else
            echo "❌ Cherry-pick failed due to conflicts"
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@ -6,6 +6,10 @@ on:
      - master
    types: ["labeled", "closed"]

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+    
 jobs:
  find-labels:
    name: Find Cherry Pick Labels
@ -14,10 +18,16 @@ jobs:
        (github.event.action == 'labeled' && startsWith(github.event.label.name, 'cherry-pick/')) ||
        (github.event.action == 'closed' && contains(toJSON(github.event.pull_request.labels.*.name), 'cherry-pick/'))
      )
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    outputs:
      labels: ${{ steps.extract-labels.outputs.labels }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Extract cherry-pick labels
        id: extract-labels
        run: |
@ -50,4 +60,4 @@ jobs:
      pr_title: ${{ github.event.pull_request.title }}
    secrets:
      CHERRYPICK_APP_ID: ${{ vars.CHERRYPICK_APP_ID }}
-      CHERRYPICK_APP_PRIVATE_KEY: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
+      CHERRYPICK_APP_PRIVATE_KEY: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@ -14,7 +14,9 @@ on:
 env:
  # Golang version to use across CI steps
  # renovate: datasource=golang-version packageName=golang
-  GOLANG_VERSION: '1.25.3'
+  GOLANG_VERSION: '1.26.2'
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@ -25,14 +27,19 @@ permissions:

 jobs:
  changes:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    outputs:
      backend: ${{ steps.filter.outputs.backend_any_changed }}
      frontend: ${{ steps.filter.outputs.frontend_any_changed }}
      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
@ -50,14 +57,19 @@ jobs:
  check-go:
    name: Ensure Go modules synchronicity
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@ -70,22 +82,31 @@ jobs:
  build-go:
    name: Build & cache Go code
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
-      - name: Restore go build cache
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+      - name: Restore go build and module cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
-      - name: Download all Go modules
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
+      - name: Download Go modules
        run: |
          go mod download
      - name: Compile all packages
@ -97,27 +118,32 @@ jobs:
      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
    name: Lint Go code
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
-          # renovate: datasource=go packageName=github.com/golangci/golangci-lint versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
-          version: v2.5.0
+          # renovate: datasource=go packageName=github.com/golangci/golangci-lint/v2 versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
+          version: v2.11.4
          args: --verbose

  test-go:
    name: Run unit tests for Go packages
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - build-go
      - changes
@ -125,14 +151,19 @@ jobs:
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@ -151,11 +182,15 @@ jobs:
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
-      - name: Restore go build cache
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+      - name: Restore go build and module cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
@ -167,13 +202,13 @@ jobs:
        run: |
          git config --global user.name "John Doe"
          git config --global user.email "john.doe@example.com"
-      - name: Download and vendor all required packages
+      - name: Download Go modules
        run: |
          go mod download
      - name: Run all unit tests
        run: make test-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: test-results
          path: test-results
@ -181,7 +216,7 @@ jobs:
  test-go-race:
    name: Run unit tests with -race for Go packages
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - build-go
      - changes
@ -189,14 +224,19 @@ jobs:
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit    
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Create symlink in GOPATH
-        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd 
+        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@ -215,11 +255,15 @@ jobs:
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
-      - name: Restore go build cache
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+      - name: Restore go build and module cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
@ -231,13 +275,13 @@ jobs:
        run: |
          git config --global user.name "John Doe"
          git config --global user.email "john.doe@example.com"
-      - name: Download and vendor all required packages
+      - name: Download Go modules
        run: |
          go mod download
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: race-results
          path: test-results/
@ -245,14 +289,19 @@ jobs:
  codegen:
    name: Check changes to generated code
    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.docs == 'true'}}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
@ -271,13 +320,13 @@ jobs:
          # We need to vendor go modules for codegen yet
          go mod download
          go mod vendor -v
-        # generalizing repo name for forks:  ${{ github.event.repository.name }}  
-        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}  
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
      - name: Install toolchain for codegen
        run: |
          make install-codegen-tools-local
          make install-go-tools-local
-        # generalizing repo name for forks:  ${{ github.event.repository.name }}  
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
        # We install kustomize in the dist directory
      - name: Add dist to PATH
@ -302,30 +351,35 @@ jobs:
    name: Build, test & lint UI code
    # We run UI logic for backend changes so that we have a complete set of coverage documents to send to codecov.
    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Install pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
      - name: Setup NodeJS
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          # renovate: datasource=node-version packageName=node versioning=node
-          node-version: '22.9.0'
-      - name: Restore node dependency cache
-        id: cache-dependencies
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
-        with:
-          path: ui/node_modules
-          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
+          node-version: '24.14.1'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install node dependencies
        run: |
-          cd ui && yarn install --frozen-lockfile --ignore-optional --non-interactive
+          cd ui && pnpm i --frozen-lockfile
      - name: Build UI code
        run: |
-          yarn test
-          yarn build
+          pnpm test
+          pnpm build
        env:
          NODE_ENV: production
          NODE_ONLINE_ENV: online
@ -334,13 +388,13 @@ jobs:
          CODECOV_TOKEN: ${{ github.ref == 'refs/heads/master' && secrets.CODECOV_TOKEN || '' }}
        working-directory: ui/
      - name: Run ESLint
-        run: yarn lint
+        run: pnpm lint
        working-directory: ui/

  shellcheck:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: |
          sudo apt-get install shellcheck
          shellcheck -e SC2059 -e SC2154 -e SC2034 -e SC2016 -e SC1091 $(find . -type f -name '*.sh' | grep -v './ui/node_modules') | tee sc.log
@ -349,7 +403,7 @@ jobs:
  analyze:
    name: Process & analyze test artifacts
    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - test-go
      - build-ui
@ -357,27 +411,24 @@ jobs:
      - test-e2e
    env:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
+      codecov_secret: ${{ secrets.CODECOV_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
-      - name: Restore node dependency cache
-        id: cache-dependencies
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
-        with:
-          path: ui/node_modules
-          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
-      - name: Remove other node_modules directory
-        run: |
-          rm -rf ui/node_modules/argo-ui/node_modules
      - name: Get e2e code coverage
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: e2e-code-coverage
          path: e2e-code-coverage
      - name: Get unit test code coverage
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: test-results
          path: test-results
@ -389,51 +440,52 @@ jobs:
        run: |
          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller,e2e-code-coverage/commit-server -o test-results/full-coverage.out
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        # Only run when the workflow is for upstream (PR target or push is in argoproj/argo-cd).
+        if: github.repository == 'argoproj/argo-cd'
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: test-results/full-coverage.out
          fail_ci_if_error: true
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      - name: Upload test results to Codecov
-        if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'argoproj/argo-cd'
-        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+        # Codecov uploads test results to Codecov.io on upstream master branch.
+        if: github.repository == 'argoproj/argo-cd' && github.ref == 'refs/heads/master' && github.event_name == 'push'
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
-          file: test-results/junit.xml
+          files: test-results/junit.xml
          fail_ci_if_error: true
          token: ${{ secrets.CODECOV_TOKEN }}
+          report_type: test_results
      - name: Perform static code analysis using SonarCloud
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
+        uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0
        if: env.sonar_secret != ''
  test-e2e:
    name: Run end-to-end tests
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ${{ github.repository == 'argoproj/argo-cd' && 'oracle-vm-16cpu-64gb-x86-64' || 'ubuntu-22.04' }}
+    runs-on: ${{ github.repository == 'argoproj/argo-cd' && 'oracle-vm-16cpu-64gb-x86-64' || 'ubuntu-24.04' }}
    strategy:
      fail-fast: false
      matrix:
        # latest: true means that this version mush upload the coverage report to codecov.io
        # We designate the latest version because we only collect code coverage for that version.
        k3s:
-          - version: v1.33.1
+          - version: v1.35.0
            latest: true
+          - version: v1.34.2
+            latest: false
+          - version: v1.33.1
+            latest: false
          - version: v1.32.1
            latest: false
-          - version: v1.31.0
-            latest: false
-          - version: v1.30.4
-            latest: false
    needs:
      - build-go
      - changes
    env:
      ARGOCD_FAKE_IN_CLUSTER: 'true'
-      ARGOCD_SSH_DATA_PATH: '/tmp/argo-e2e/app/config/ssh'
-      ARGOCD_TLS_DATA_PATH: '/tmp/argo-e2e/app/config/tls'
-      ARGOCD_E2E_SSH_KNOWN_HOSTS: '../fixture/certs/ssh_known_hosts'
      ARGOCD_E2E_K3S: 'true'
      ARGOCD_IN_CI: 'true'
      ARGOCD_E2E_APISERVER_PORT: '8088'
@ -442,6 +494,11 @@ jobs:
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
@ -450,14 +507,23 @@ jobs:
          swap-storage: false
          tool-cache: false
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Set GOPATH
        run: |
          echo "GOPATH=$HOME/go" >> $GITHUB_ENV
+      - name: Setup NodeJS
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          # renovate: datasource=node-version packageName=node versioning=node
+          node-version: '24.14.1'
+      - name: Install pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
      - name: GH actions workaround - Kill XSP4 process
        run: |
          sudo pkill mono || true
@ -473,11 +539,15 @@ jobs:
          sudo chown $(whoami) $HOME/.kube/config
          sudo chmod go-r $HOME/.kube/config
          kubectl version
-      - name: Restore go build cache
-        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+      - name: Restore go build and module cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Add ~/go/bin to PATH
        run: |
          echo "$HOME/go/bin" >> $GITHUB_PATH
@ -487,10 +557,12 @@ jobs:
      - name: Add ./dist to PATH
        run: |
          echo "$(pwd)/dist" >> $GITHUB_PATH
-      - name: Download Go dependencies
+      - name: Download Go modules
        run: |
          go mod download
-          go install github.com/mattn/goreman@latest
+      - name: Install goreman
+        run: |
+          go install github.com/mattn/goreman@v0.3.17
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
@ -500,7 +572,7 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.43.0
+          docker pull ghcr.io/dexidp/dex:v2.45.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
          docker pull redis:8.2.3-alpine
      - name: Create target directory for binaries in the build-process
@ -532,13 +604,13 @@ jobs:
          goreman run stop-all || echo "goreman trouble"
          sleep 30
      - name: Upload e2e coverage report
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: e2e-code-coverage
          path: /tmp/coverage
        if: ${{ matrix.k3s.latest }}
      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: e2e-server-k8s${{ matrix.k3s.version }}.log
          path: /tmp/e2e-server.log
@ -556,8 +628,13 @@ jobs:
    needs:
      - test-e2e
      - changes
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - run: |
          result="${{ needs.test-e2e.result }}"
          # mark as successful even if skipped
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -6,7 +6,18 @@ on:
    branches-ignore:
      - 'dependabot/**'
      - 'cherry-pick-*'
+      
+    # Skip CodeQL for documentation-only changes
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+
  pull_request:
+    # Skip CodeQL for documentation-only changes
+    paths-ignore:
+      - '*.md'
+      - '**/*.md'
+      - 'docs/assets/**'
  schedule:
    - cron: '0 19 * * 0'

@ -17,6 +28,10 @@ concurrency:
 permissions:
  contents: read

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+  
 jobs:
  CodeQL-Build:
    permissions:
@ -26,20 +41,26 @@ jobs:
    if: github.repository == 'argoproj/argo-cd' || vars.enable_codeql

    # CodeQL runs on ubuntu-latest and windows-latest
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      if: ${{ vars.disable_harden_runner != 'true' }}
+      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      with:
+        egress-policy: audit
+
    - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
    - name: Setup Golang
-      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      with:
        go-version-file: go.mod
      
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
@ -47,7 +68,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@ -61,4 +82,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@ -45,38 +45,58 @@ on:

 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  publish:
    permissions:
      contents: read
      packages: write # Used to push images to `ghcr.io` if used.
      id-token: write # Needed to create an OIDC token for keyless signing
-    runs-on: ubuntu-22.04
-    outputs:
+    runs-on: ubuntu-24.04
+    outputs:  
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.ref_type == 'tag'}}

      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version }}
          cache: false

      - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

-      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        with:
+          image: tonistiigi/binfmt@sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3 #qemu-v10.0.4
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          # buildkit v0.28.1
+          driver-opts: |
+            image=moby/buildkit@sha256:a82d1ab899cda51aade6fe818d71e4b58c4079e047a0cf29dbb93b2b0465ea69
+            

      - name: Setup tags for container image as a CSV type
        run: |
@ -103,7 +123,7 @@ jobs:
            echo 'EOF' >> $GITHUB_ENV

      - name: Login to Quay.io
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
@ -111,7 +131,7 @@ jobs:
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
@ -119,7 +139,7 @@ jobs:
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      - name: Login to dockerhub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
@ -142,7 +162,7 @@ jobs:

      - name: Build and push container image
        id: image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f #v7.1.0
        with:
          context: .
          platforms: ${{ inputs.platforms }}
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -15,12 +15,16 @@ concurrency:

 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  set-vars:
    permissions:
      contents: read
    # Always run to calculate variables - other jobs check outputs
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    outputs:
      image-tag: ${{ steps.image.outputs.tag}}
      platforms: ${{ steps.platforms.outputs.platforms }}
@ -31,7 +35,13 @@ jobs:
      ghcr_provenance_image: ${{ steps.image.outputs.ghcr_provenance_image }}
      allow_ghcr_publish: ${{ steps.image.outputs.allow_ghcr_publish }}
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set image tag and names
        run: |
@ -86,7 +96,7 @@ jobs:
    with:
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.25.3
+      go-version: 1.26.2
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: false

@ -103,7 +113,7 @@ jobs:
      ghcr_image_name: ${{ needs.set-vars.outputs.ghcr_image_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.25.3
+      go-version: 1.26.2
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: true
    secrets:
@ -138,9 +148,9 @@ jobs:
      contents: write # for git to push upgrade commit if not already deployed
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
        env:
          TOKEN: ${{ secrets.TOKEN }}
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@ -14,13 +14,17 @@ on:

 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  prepare-release:
    permissions:
      contents: write  # for peter-evans/create-pull-request to create branch
      pull-requests: write  # for peter-evans/create-pull-request to create a PR
    name: Automatically generate version and manifests on ${{ inputs.TARGET_BRANCH }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    env:
      # Calculate image names with defaults, this will be used in the make manifests-local command
      # to generate the correct image name in the manifests
@ -28,8 +32,14 @@ jobs:
      IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE || 'argoproj' }}
      IMAGE_REPOSITORY: ${{ vars.IMAGE_REPOSITORY || 'argocd' }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -70,7 +80,7 @@ jobs:
          git stash pop

      - name: Create pull request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725  # v8.0.0
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
        with:
          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@ -1,13 +1,15 @@
 name: "Lint PR"

 on:
-  pull_request_target:
+  pull_request:
    types: [opened, edited, reopened, synchronize]

-# IMPORTANT: No checkout actions, scripts, or builds should be added to this workflow. Permissions should always be used
-# with extreme caution. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 # PR updates can happen in quick succession leading to this
 # workflow being trigger a number of times. This limits it
 # to one run per PR.
@ -21,8 +23,14 @@ jobs:
      contents: read
      pull-requests: read
    name: Validate PR Title
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -11,8 +11,10 @@ permissions: {}

 env:
  # renovate: datasource=golang-version packageName=golang
-  GOLANG_VERSION: '1.25.3' # Note: go-version must also be set in job argocd-image.with.go-version
-
+  GOLANG_VERSION: '1.26.2' # Note: go-version must also be set in job argocd-image.with.go-version  
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+  
 jobs:
  argocd-image:
    needs: [setup-variables]
@ -26,7 +28,7 @@ jobs:
      quay_image_name: ${{ needs.setup-variables.outputs.quay_image_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.25.3
+      go-version: 1.26.2
      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
      push: true
    secrets:
@ -36,7 +38,7 @@ jobs:
  setup-variables:
    name: Setup Release Variables
    if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES == 'true' && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    outputs:
      is_pre_release: ${{ steps.var.outputs.is_pre_release }}
      is_latest_release: ${{ steps.var.outputs.is_latest_release }}
@ -47,8 +49,13 @@ jobs:
      provenance_image: ${{ steps.var.outputs.provenance_image }}
      allow_fork_release: ${{ steps.var.outputs.allow_fork_release }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -117,14 +124,14 @@ jobs:
    permissions:
      contents: write # used for uploading assets
    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    env:
      GORELEASER_MAKE_LATEST: ${{ needs.setup-variables.outputs.is_latest_release }}
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -133,7 +140,7 @@ jobs:
        run: git fetch --force --tags

      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false
@ -159,10 +166,10 @@ jobs:
          tool-cache: false

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
        id: run-goreleaser
        with:
-          version: latest
+          version: v2.14.3
          args: release --clean --timeout 55m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -210,16 +217,21 @@ jobs:
    outputs:
      hashes: ${{ steps.sbom-hash.outputs.hashes }}
    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

+      - name: Install pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
+
      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false
@ -231,28 +243,37 @@ jobs:
          SPDX_GEN_VERSION: v0.0.13
          # defines the sigs.k8s.io/bom version to use.
          SIGS_BOM_VERSION: v0.2.1
-          # comma delimited list of project relative folders to inspect for package
-          # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: '.,./ui'
          # full qualified name of the docker image to be inspected
          DOCKER_IMAGE: ${{ needs.setup-variables.outputs.quay_image_name }}
        run: |
-          yarn install --cwd ./ui
+          set -euo pipefail
+          pnpm install --dir ./ui --frozen-lockfile
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
          go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION

-          # Generate SPDX for project dependencies analyzing package managers
-          for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g")
-          do
-            generator -p $folder -o /tmp
-          done
+          generator -p . -o /tmp

-          # Generate SPDX for binaries analyzing the docker image
-          if [[ ! -z $DOCKER_IMAGE ]]; then
-            bom generate -o /tmp/bom-docker-image.spdx -i $DOCKER_IMAGE
+          # When ui/ should use in-repo pnpm for `pnpm sbom` (11+):
+          #   1. In ui/package.json set "packageManager" to a pnpm 11+ release (e.g. pnpm@11.0.0), then from ./ui run
+          #      `pnpm install` and commit the resulting ui/pnpm-lock.yaml so release CI's pnpm/action-setup matches.
+          #   2. Delete hack/generate-ui-pnpm-sbom.sh and remove the ./hack/generate-ui-pnpm-sbom.sh line below.
+          #   3. Uncomment:
+          # pnpm --dir ./ui sbom --sbom-format spdx --prod > /tmp/bom-ui-pnpm.spdx.json
+          ./hack/generate-ui-pnpm-sbom.sh --write /tmp/bom-ui-pnpm.spdx.json
+
+          if [[ -n "${DOCKER_IMAGE:-}" ]]; then
+            bom generate -o /tmp/bom-docker-image.spdx -i "${DOCKER_IMAGE}"
          fi

-          cd /tmp && tar -zcf sbom.tar.gz *.spdx
+          cd /tmp
+          shopt -s nullglob
+          spdx_files=( *.spdx )
+          shopt -u nullglob
+          if [[ ${#spdx_files[@]} -eq 0 ]]; then
+            echo "No .spdx files produced under /tmp"
+            exit 1
+          fi
+          tar -zcf sbom.tar.gz "${spdx_files[@]}" bom-ui-pnpm.spdx.json

      - name: Generate SBOM hash
        shell: bash
@ -264,7 +285,7 @@ jobs:
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload SBOM
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@ -295,12 +316,12 @@ jobs:
      contents: write # Needed to push commit to update stable tag
      pull-requests: write # Needed to create PR for VERSION update.
    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    env:
      TAG_STABLE: ${{ needs.setup-variables.outputs.is_latest_release }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -344,7 +365,7 @@ jobs:
        if: ${{ env.UPDATE_VERSION == 'true' }}

      - name: Create PR to update VERSION on master branch
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          commit-message: Bump version in master
          title: 'chore: Bump version in master'
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@ -7,33 +7,56 @@ on:
 permissions:
  contents: read

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+  
 jobs:
  renovate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    if: github.repository == 'argoproj/argo-cd'
    steps:
+      - name: Harden the runner (Block unknown outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: block
+          disable-sudo-and-containers: "false" # renovatebot runs in `docker run`
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+            raw.githubusercontent.com:443
+            release-assets.githubusercontent.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            hub.docker.com:443
+            proxy.golang.org:443
+            nodejs.org:443
+            pypi.org:443
+            get.helm.sh
+            registry.npmjs.org
+
      - name: Get token
        id: get_token
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
        with:
          app-id: ${{ vars.RENOVATE_APP_ID }}
          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
-
-      # Some codegen commands require Go to be setup
-      - name: Setup Golang
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
-        with:
-          # renovate: datasource=golang-version packageName=golang
-          go-version: 1.25.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2

+      # Renovate do not pin their docker image versions to SHA, so
+      # when bumping renovate action version please check if renovate image
+      # has been updated (see it's numeric version in action.yaml)
+      # and update `renovate-version` parameter accordingly
      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@5712c6a41dea6cdf32c72d92a763bd417e6606aa #44.0.5
+        uses: renovatebot/github-action@83ec54fee49ab67d9cd201084c1ff325b4b462e4 #46.1.10
        with:
          configurationFile: .github/configs/renovate-config.js
          token: '${{ steps.get_token.outputs.token }}'
+          renovate-image: "ghcr.io/renovatebot/renovate@sha256"
+          renovate-version: "5dfeab680f40edd2713b8fcae574824e60d2c831b8d89cc965e51621894c7084" #43
        env:
          LOG_LEVEL: 'debug'
          RENOVATE_REPOSITORIES: '${{ github.repository }}'
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@ -17,7 +17,7 @@ permissions: read-all
 jobs:
  analysis:
    name: Scorecards analysis
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
@ -29,8 +29,14 @@ jobs:
    if: github.repository == 'argoproj/argo-cd'

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -54,7 +60,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: SARIF file
          path: results.sarif
@ -62,6 +68,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          sarif_file: results.sarif
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@ -0,0 +1,46 @@
+name: "Label stale issues and PRs"
+on:
+  schedule:
+    - cron: "0 0 * * *" #Runs midnight 12AM UTC
+
+#Added Recommended permissions
+permissions:
+  issues: write
+  pull-requests: write
+
+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+  
+jobs:
+  stale:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden the runner (Block unknown outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: block
+          disable-sudo-and-containers: "true"
+          allowed-endpoints: >
+            api.github.com:443
+
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+          stale-issue-message: >
+            This issue has been marked as stale because it has had no activity for 90 days. Please comment if this is still relevant.
+
+          stale-pr-message: >
+            This pull request has been marked as stale because it has had no activity for 90 days. Please comment if this is still relevant.
+
+          days-before-stale: 90
+          days-before-close: -1   # Auto-close diabled
+
+          exempt-issue-labels: >
+            bug, security, breaking/high, breaking/medium, breaking/low
+
+          # General configuration
+          operations-per-run: 200
+          remove-stale-when-updated: true #Remove stale label when issue/pr is updated
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@ -7,6 +7,10 @@ on:
 permissions:
  contents: read

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  snyk-report:
    permissions:
@ -14,10 +18,16 @@ jobs:
      pull-requests: write
    if: github.repository == 'argoproj/argo-cd'
    name: Update Snyk report in the docs directory
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+          agent-enabled: "false"
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
--- a/.gitignore
+++ b/.gitignore
@ -16,6 +16,8 @@ coverage.out
 test-results
 .scannerwork
 .scratch
+# pnpm SBOM helper (hack/generate-ui-pnpm-sbom.sh) download cache — remove this line when that script is deleted.
+hack/.cache/
 node_modules/
 .kube/
 ./test/cmp/*.sock
@ -24,6 +26,9 @@ node_modules/
 .*.swp
 rerunreport.txt

+# AI tools support
+CLAUDE.local.md
+
 # ignore built binaries
 cmd/argocd/argocd
 cmd/argocd-application-controller/argocd-application-controller
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -22,6 +22,7 @@ linters:
    - govet
    - importas
    - misspell
+    - modernize
    - noctx
    - perfsprint
    - revive
@ -121,6 +122,13 @@ linters:
        - pkg: github.com/argoproj/argo-cd/v3/util/io
          alias: utilio

+    modernize:
+      disable:
+        # Suggest replacing omitempty with omitzero for struct fields.
+        - omitzero
+        # Simplify code by using go1.26's new(expr). - generates lots of false positives.
+        - newexpr
+
    nolintlint:
      require-specific: true

@ -137,16 +145,19 @@ linters:
      strconcat: true

    revive:
+      enable-all-rules: false
+      enable-default-rules: true
+      max-open-files: 2048
      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md
      rules:
-        - name: bool-literal-in-expr
-
        - name: blank-imports
          disabled: true

+        - name: bool-literal-in-expr
+
        - name: context-as-argument
          arguments:
-            - allowTypesBefore: '*testing.T,testing.TB'
+            - allow-types-before: '*testing.T,testing.TB'

        - name: context-keys-type
          disabled: true
@ -158,14 +169,11 @@ linters:

        - name: early-return
          arguments:
-            - preserveScope
+            - preserve-scope

        - name: empty-block
          disabled: true

-        - name: error-naming
-          disabled: true
-
        - name: error-return

        - name: error-strings
@ -173,6 +181,9 @@ linters:

        - name: errorf

+        - name: exported
+          disabled: true
+
        - name: identical-branches

        - name: if-return
@ -181,7 +192,7 @@ linters:

        - name: indent-error-flow
          arguments:
-            - preserveScope
+            - preserve-scope

        - name: modifies-parameter

@ -198,7 +209,7 @@ linters:

        - name: superfluous-else
          arguments:
-            - preserveScope
+            - preserve-scope

        - name: time-equal

@ -208,6 +219,8 @@ linters:
        - name: unexported-return
          disabled: true

+        - name: unnecessary-format
+
        - name: unnecessary-stmt

        - name: unreachable-code
@ -224,8 +237,8 @@ linters:
          arguments:
            - - ID
            - - VM
-            - - skipPackageNameChecks: true
-                upperCaseConst: true
+            - - skip-initialism-name-checks: true
+                upper-case-const: true

    staticcheck:
      checks:
@ -247,7 +260,4 @@ linters:
    usetesting:
      os-mkdir-temp: false

-output:
-  show-stats: false
-
 version: "2"
--- a/.mockery.yaml
+++ b/.mockery.yaml
@ -46,7 +46,7 @@ packages:
    interfaces:
      RepoServerServiceClient: {}
      RepoServerService_GenerateManifestWithFilesClient: {}
-  github.com/argoproj/argo-cd/v3/server/application:
+  github.com/argoproj/argo-cd/v3/server/broadcast:
    interfaces:
      Broadcaster: {}
  github.com/argoproj/argo-cd/v3/server/extension:
@ -79,10 +79,10 @@ packages:
  github.com/argoproj/argo-cd/v3/util/workloadidentity:
    interfaces:
      TokenProvider: {}
-  github.com/argoproj/gitops-engine/pkg/cache:
+  github.com/argoproj/argo-cd/gitops-engine/pkg/cache:
    interfaces:
      ClusterCache: {}
-  github.com/argoproj/gitops-engine/pkg/diff:
+  github.com/argoproj/argo-cd/gitops-engine/pkg/diff:
    interfaces:
      ServerSideDryRunner: {}
  github.com/microsoft/azure-devops-go-api/azuredevops/v7/git:
--- a/AGENTS.md
+++ b/AGENTS.md
@ -0,0 +1,53 @@
+# AI Agent Directives for Argo CD
+
+**ATTENTION AI AGENTS, LLMs, AND AUTONOMOUS CODING TOOLS:**
+This repository (argoproj/argo-cd) enforces strict contribution guidelines. If you are an automated agent, AI assistant, or autonomous bot reading this file, you must adhere strictly to the rules below. Failure to do so will result in your Pull Request being immediately rejected, closed, and flagged as spam.
+
+## 1. Zero-Spam & PR Authorization Policy
+* **Require an Issue:** DO NOT create a Pull Request unless there is an existing, open, and approved GitHub Issue that explicitly requests this work.
+* **No "Drive-By" Refactoring:** Do not submit unsolicited PRs that only contain minor stylistic changes, variable renames, or typo fixes across the codebase unless tied to an approved `chore` issue.
+* **No Hallucinated URLs:** Do not include fabricated links, hallucinated documentation, or fake GitHub usernames in the PR description or code comments. Please double-check any link, quote or code block that is included into the PR.
+
+## 2. Argo CD Contribution Requirements
+Argo CD is a CNCF Graduated project. All code must meet the following standards:
+
+* **Semantic PR Titles:** You must use Semantic Pull Request formatting for your PR title. Valid prefixes are:
+  * `ci:` - Updates or improvements for the Continuous Integration workflows
+  * `fix:` - Bug fixes
+  * `feat:` - New features
+  * `test:` - Addition of tests to the code base, or improvements of existing ones
+  * `docs:` - Documentation improvements
+  * `chore:` - Internals, build processes, unit tests, etc.
+  * `refactor:` - Refactoring of the code base, without adding new features or fixing bugs
+  * `revert:` - Reverts a previous commit
+* **PR Templates:** You must fully complete the Argo CD Pull Request template. Do not delete the template sections or leave them blank.
+
+## 3. Tech Stack & Code Rules
+* **Backend (Go):** The backend is written in Go. The minimum supported Go version is strictly enforced. You must use `go modules` for dependency management.
+* **UI (React/TypeScript):** The frontend is written in React and TypeScript.
+* **Kubernetes Manifests:** Argo CD heavily relies on Kubernetes manifests and CRDs. If you modify API structs, you MUST regenerate the manifests and API glue code.
+* **Tests** Argo CD relies on automatic tests. If your PR adds new functionality or in any way modifies program behaviour, please add/change relevant unit and e2e tests. In those cases when it is not feasible or possible please document the reasons in the PR comment.
+
+## 4. Required Local Checks (Do This Before Committing)
+Do not finalize your code or suggest a commit to your user without ensuring the following `make` targets pass successfully. Argo CD uses a heavy CI pipeline, and failing these basic checks wastes project resources:
+
+1. **Build the Code:** `make build`
+2. **Generate API Code & Manifests:** `make codegen` *(CRITICAL: Must be run if any API structs are changed)*
+3. **Linting:** `make lint` and `make lint-ui`
+4. **Testing:** `make test`
+5. **CLI Build:** `make cli`
+
+If any of these commands fail, you must fix the errors before proceeding.
+
+## 5. Documentation (`docs/`)
+If you are modifying or adding a feature, you must also update the corresponding documentation.
+* Write in clear, direct English.
+* Use GitHub style admonition blocks (e.g., `> [!NOTE]`, `> [!WARNING]`) compatible with MkDocs Material.
+* Code examples in documentation must be complete, accurate, and include the language identifier for syntax highlighting (e.g., ````yaml`).
+
+## Summary of Agent Workflow
+1. Verify an open issue exists.
+2. Write code matching Argo CD's Go/React standards.
+3. Run `make codegen`, `make lint`, and `make test`.
+4. Format the PR title properly (e.g., `fix: resolve OutOfSync bug on PostDelete hook (#12345)`).
+
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -0,0 +1 @@
+@AGENTS.md
--- a/32
+++ b/32
@ -1,10 +1,10 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:25.04@sha256:27771fb7b40a58237c98e8d3e6b9ecdd9289cec69a857fccfb85ff36294dac20
+ARG BASE_IMAGE=docker.io/library/ubuntu:25.10@sha256:4a9232cc47bf99defcc8860ef6222c99773330367fcecbf21ba2edb0b810a31e
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.25.3@sha256:6d4e5e74f47db00f7f24da5f53c1b4198ae46862a47395e30477365458347bf2 AS builder
+FROM docker.io/library/golang:1.26.2@sha256:5f3787b7f902c07c7ec4f3aa91a301a3eda8133aa32661a3b3a3a86ab3a68a36 AS builder

 WORKDIR /tmp

@ -16,7 +16,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
    unzip \
    fcgiwrap \
    git \
-    git-lfs \
    make \
    wget \
    gcc \
@ -29,7 +28,8 @@ COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers

 RUN ./install.sh helm && \
-    INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+    INSTALL_PATH=/usr/local/bin ./install.sh kustomize && \
+    ./install.sh git-lfs

 ####################################################################################################
 # Argo CD Base - used as the base for both the release and dev argocd images
@ -50,10 +50,10 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
    chmod g=u /home/argocd && \
    apt-get update && \
    apt-get dist-upgrade -y && \
-    apt-get install -y \
-    git git-lfs tini gpg tzdata connect-proxy && \
+    apt-get install --no-install-recommends -y \
+    git tini ca-certificates gpg gpg-agent tzdata connect-proxy openssh-client && \
    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*

 COPY hack/gpg-wrapper.sh \
    hack/git-verify-wrapper.sh \
@ -61,6 +61,7 @@ COPY hack/gpg-wrapper.sh \
    /usr/local/bin/
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
+COPY --from=builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs

 # keep uid_entrypoint.sh for backward compatibility
 RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh
@ -79,31 +80,36 @@ RUN mkdir -p tls && \

 ENV USER=argocd

+# Disable gRPC service config lookups via DNS TXT records to prevent excessive
+# DNS queries for _grpc_config.<hostname> which can cause timeouts in dual-stack
+# environments. This can be overridden via argocd-cmd-params-cm ConfigMap.
+# See https://github.com/argoproj/argo-cd/issues/24991
+ENV GRPC_ENABLE_TXT_SERVICE_CONFIG=false
+
 USER $ARGOCD_USER_ID
 WORKDIR /home/argocd

 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:23.0.0@sha256:9d09fa506f5b8465c5221cbd6f980e29ae0ce9a3119e2b9bc0842e6a3f37bb59 AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:24.14.1@sha256:80fc934952c8f1b2b4d39907af7211f8a9fff1a4c2cf673fb49099292c251cec AS argocd-ui

 WORKDIR /src
-COPY ["ui/package.json", "ui/yarn.lock", "./"]
+COPY ["ui/package.json", "ui/pnpm-lock.yaml", "./"]

-RUN yarn install --network-timeout 200000 && \
-    yarn cache clean
+RUN npm install -g corepack@0.34.6 && corepack enable && pnpm install --frozen-lockfile

 COPY ["ui/", "."]

 ARG ARGO_VERSION=latest
 ENV ARGO_VERSION=$ARGO_VERSION
 ARG TARGETARCH
-RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
+RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 pnpm build

 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25.3@sha256:6d4e5e74f47db00f7f24da5f53c1b4198ae46862a47395e30477365458347bf2 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26.2@sha256:5f3787b7f902c07c7ec4f3aa91a301a3eda8133aa32661a3b3a3a86ab3a68a36 AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

--- a/Dockerfile.tilt
+++ b/Dockerfile.tilt
@ -1,4 +1,4 @@
-FROM docker.io/library/golang:1.25.3@sha256:6d4e5e74f47db00f7f24da5f53c1b4198ae46862a47395e30477365458347bf2
+FROM docker.io/library/golang:1.26.2@sha256:5f3787b7f902c07c7ec4f3aa91a301a3eda8133aa32661a3b3a3a86ab3a68a36

 ENV DEBIAN_FRONTEND=noninteractive

@ -11,7 +11,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
    unzip \
    fcgiwrap \
    git \
-    git-lfs \
    make \
    wget \
    gcc \
@ -28,7 +27,8 @@ COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers

 RUN ./install.sh helm && \
-    INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+    INSTALL_PATH=/usr/local/bin ./install.sh kustomize && \
+    ./install.sh git-lfs

 COPY hack/gpg-wrapper.sh \
    hack/git-verify-wrapper.sh \
--- a/Dockerfile.ui.tilt
+++ b/Dockerfile.ui.tilt
@ -1,9 +1,10 @@
-FROM node:20
+FROM node:24.14.1@sha256:80fc934952c8f1b2b4d39907af7211f8a9fff1a4c2cf673fb49099292c251cec

 WORKDIR /app/ui

 COPY ui /app/ui

-RUN yarn install
+RUN npm install -g corepack@0.34.6 && corepack enable && pnpm install --frozen-lockfile
+
+ENTRYPOINT ["pnpm", "start"]

-ENTRYPOINT ["yarn", "start"]
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -0,0 +1,43 @@
+# Argo CD Maintainers
+
+This document lists the maintainers of the Argo CD project.
+
+## Maintainers
+
+| Maintainer                | GitHub ID                                               | Project Roles        | Affiliation                                     |
+|---------------------------|---------------------------------------------------------|----------------------|-------------------------------------------------|
+| Zach Aller                | [zachaller](https://github.com/zachaller)               | Reviewer             | [Intuit](https://www.github.com/intuit/)        |
+| Leonardo Luz Almeida      | [leoluz](https://github.com/leoluz)                     | Approver             | [Intuit](https://www.github.com/intuit/)        |
+| Chetan Banavikalmutt      | [chetan-rns](https://github.com/chetan-rns)             | Reviewer             | [Red Hat](https://redhat.com/)                  |
+| Keith Chong               | [keithchong](https://github.com/keithchong)             | Approver             | [Red Hat](https://redhat.com/)                  |
+| Alex Collins              | [alexec](https://github.com/alexec)                     | Approver             | [Intuit](https://www.github.com/intuit/)        |
+| Michael Crenshaw          | [crenshaw-dev](https://github.com/crenshaw-dev)         | Lead                 | [Intuit](https://www.github.com/intuit/)        |
+| Soumya Ghosh Dastidar     | [gdsoumya](https://github.com/gdsoumya)                 | Approver             | [Akuity](https://akuity.io/)                    |
+| Eugene Doudine              | [dudinea](https://github.com/dudinea)                 | Reviewer             | [Octopus Deploy](https://octopus.com/)          |
+| Jann Fischer              | [jannfis](https://github.com/jannfis)                   | Approver             | [Red Hat](https://redhat.com/)                  |
+| Dan Garfield              | [todaywasawesome](https://github.com/todaywasawesome)   | Approver(docs)       | [Octopus Deploy](https://octopus.com/)          |
+| Alexandre Gaudreault      | [agaudreault](https://github.com/agaudreault)           | Approver             | [Intuit](https://www.github.com/intuit/)        |
+| Christian Hernandez       | [christianh814](https://github.com/christianh814)       | Reviewer(docs)       | [Akuity](https://akuity.io/)                    |
+| Peter Jiang               | [pjiang-dev](https://github.com/pjiang-dev)             | Approver(docs)       | [Intuit](https://www.intuit.com/)               |
+| Andrii Korotkov           | [andrii-korotkov](https://github.com/andrii-korotkov)   | Reviewer             | [Verkada](https://www.verkada.com/)             |
+| Pasha Kostohrys           | [pasha-codefresh](https://github.com/pasha-codefresh)   | Approver             | [Octopus Deploy](https://octopus.com/)          |
+| Nitish Kumar              | [nitishfy](https://github.com/nitishfy)                 | Approver(cli,docs)   | [Akuity](https://akuity.io/)                    |
+| Justin Marquis            | [34fathombelow](https://github.com/34fathombelow)       | Approver(docs/ci)    | [Akuity](https://akuity.io/)                    |
+| Alexander Matyushentsev   | [alexmt](https://github.com/alexmt)                     | Lead                 | [Akuity](https://akuity.io/)                    |
+| Nicholas Morey            | [morey-tech](https://github.com/morey-tech)             | Reviewer(docs)       | [Akuity](https://akuity.io/)                    |
+| Papapetrou Patroklos      | [ppapapetrou76](https://github.com/ppapapetrou76)       | Approver(docs,cli)   | [Octopus Deploy](https://octopus.com/)          |
+| Blake Pettersson          | [blakepettersson](https://github.com/blakepettersson)   | Approver             | [Akuity](https://akuity.io/)                    |
+| Ishita Sequeira           | [ishitasequeira](https://github.com/ishitasequeira)     | Approver             | [Red Hat](https://redhat.com/)                  |
+| Ashutosh Singh            | [ashutosh16](https://github.com/ashutosh16)             | Approver(docs)       | [Intuit](https://www.github.com/intuit/)        |
+| Linghao Su                | [linghaoSu](https://github.com/linghaoSu)               | Reviewer             | [DaoCloud](https://daocloud.io)                 |
+| Jesse Suen                | [jessesuen](https://github.com/jessesuen)               | Approver             | [Akuity](https://akuity.io/)                    |
+| Yuan Tang                 | [terrytangyuan](https://github.com/terrytangyuan)       | Reviewer             | [Red Hat](https://redhat.com/)                  |
+| William Tam               | [wtam2018](https://github.com/wtam2018)                 | Reviewer             | [Red Hat](https://redhat.com/)                  |
+| Ryan Umstead              | [rumstead](https://github.com/rumstead)                 | Approver             | [Black Rock](https://www.github.com/blackrock/) |
+| Regina Voloshin           | [reggie-k](https://github.com/reggie-k)                 | Approver             | [Octopus Deploy](https://octopus.com/)          |
+| Hong Wang                 | [wanghong230](https://github.com/wanghong230)           | Reviewer             | [Akuity](https://akuity.io/)                    |
+| Jonathan West             | [jgwest](https://github.com/jgwest)                     | Approver             | [Red Hat](https://redhat.com/)                  |
+| Jaewoo Choi               | [choejwoo](https://github.com/choejwoo)                 | Reviewer             | [Hyundai-Autoever](https://www.hyundai-autoever.com/eng/)        |
+| Alexy Mantha              | [alexymantha](https://github.com/alexymantha)           | Reviewer             | GoTo                                                              |
+| Kanika Rana               | [ranakan19](https://github.com/ranakan19)               | Reviewer             | [Red Hat](https://redhat.com/)                                    |
+| Jonathan Winters          | [jwinters01](https://github.com/jwinters01)             | Reviewer             | [Intuit](https://www.github.com/intuit/)                          |
--- a/99
+++ b/99
@ -74,17 +74,17 @@ ARGOCD_E2E_APISERVER_PORT?=8080
 ARGOCD_E2E_REPOSERVER_PORT?=8081
 ARGOCD_E2E_REDIS_PORT?=6379
 ARGOCD_E2E_DEX_PORT?=5556
-ARGOCD_E2E_YARN_HOST?=localhost
+ARGOCD_E2E_JS_HOST?=localhost
 ARGOCD_E2E_DISABLE_AUTH?=
+ARGOCD_E2E_DIR?=/tmp/argo-e2e

 ARGOCD_E2E_TEST_TIMEOUT?=90m
+ARGOCD_E2E_RERUN_FAILS?=5

 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
 ARGOCD_BIN_MODE?=true

-ARGOCD_LINT_GOGC?=20
-
 # Depending on where we are (legacy or non-legacy pwd), we need to use
 # different Docker volume mounts for our source tree
 LEGACY_PATH=$(GOPATH)/src/github.com/argoproj/argo-cd
@ -113,7 +113,7 @@ define run-in-test-server
 		-e GOCACHE=/tmp/go-build-cache \
 		-e ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 		-e ARGOCD_E2E_TEST=$(ARGOCD_E2E_TEST) \
-		-e ARGOCD_E2E_YARN_HOST=$(ARGOCD_E2E_YARN_HOST) \
+		-e ARGOCD_E2E_JS_HOST=$(ARGOCD_E2E_JS_HOST) \
 		-e ARGOCD_E2E_DISABLE_AUTH=$(ARGOCD_E2E_DISABLE_AUTH) \
 		-e ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} \
 		-e ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} \
@ -144,7 +144,6 @@ define run-in-test-client
 		-e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) \
 		-e GITHUB_TOKEN \
 		-e GOCACHE=/tmp/go-build-cache \
-		-e ARGOCD_LINT_GOGC=$(ARGOCD_LINT_GOGC) \
 		-v ${DOCKER_SRC_MOUNT} \
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
@ -203,18 +202,35 @@ else
 IMAGE_TAG?=latest
 endif

+# defaults for building images and manifests
 ifeq (${DOCKER_PUSH},true)
 ifndef IMAGE_NAMESPACE
 $(error IMAGE_NAMESPACE must be set to push images (e.g. IMAGE_NAMESPACE=argoproj))
 endif
 endif

+# Consruct prefix for docker image
+# Note: keeping same logic as in hacks/update_manifests.sh
+ifdef IMAGE_REGISTRY
 ifdef IMAGE_NAMESPACE
+IMAGE_PREFIX=${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/
+else
+$(error IMAGE_NAMESPACE must be set when IMAGE_REGISTRY is set (e.g. IMAGE_NAMESPACE=argoproj))
+endif
+else
+ifdef IMAGE_NAMESPACE
+# for backwards compatibility with the old way like IMAGE_NAMESPACE='quay.io/argoproj'
 IMAGE_PREFIX=${IMAGE_NAMESPACE}/
+else
+# Neither namespace nor registry given - apply the default values
+IMAGE_REGISTRY="quay.io"
+IMAGE_NAMESPACE="argoproj"
+IMAGE_PREFIX=${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/
+endif
 endif

-ifndef IMAGE_REGISTRY
-IMAGE_REGISTRY="quay.io"
+ifndef IMAGE_REPOSITORY
+IMAGE_REPOSITORY=argocd
 endif

 .PHONY: all
@ -337,7 +353,7 @@ controller:
 build-ui:
 	DOCKER_BUILDKIT=1 $(DOCKER) build -t argocd-ui --platform=$(TARGET_ARCH) --target argocd-ui .
 	find ./ui/dist -type f -not -name gitkeep -delete
-	$(DOCKER) run -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
+	$(DOCKER) run -u $(CONTAINER_UID):$(CONTAINER_GID) -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'

 .PHONY: image
 ifeq ($(DEV_IMAGE), true)
@ -347,23 +363,23 @@ ifeq ($(DEV_IMAGE), true)
 IMAGE_TAG="dev-$(shell git describe --always --dirty)"
 image: build-ui
 	DOCKER_BUILDKIT=1 $(DOCKER) build --platform=$(TARGET_ARCH) -t argocd-base --target argocd-base .
-	CGO_ENABLED=${CGO_FLAG} GOOS=linux GOARCH=amd64 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
+	GOOS=linux GOARCH=$(TARGET_ARCH:linux/%=%) GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-application-controller
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-repo-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-cmp-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-dex
 	cp Dockerfile.dev dist
-	DOCKER_BUILDKIT=1 $(DOCKER) build --platform=$(TARGET_ARCH) -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
+	DOCKER_BUILDKIT=1 $(DOCKER) build --platform=$(TARGET_ARCH) -t $(IMAGE_PREFIX)$(IMAGE_REPOSITORY):$(IMAGE_TAG) -f dist/Dockerfile.dev dist
 else
 image:
-	DOCKER_BUILDKIT=1 $(DOCKER) build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) --platform=$(TARGET_ARCH) .
+	DOCKER_BUILDKIT=1 $(DOCKER) build -t $(IMAGE_PREFIX)$(IMAGE_REPOSITORY):$(IMAGE_TAG) --platform=$(TARGET_ARCH) .
 endif
-	@if [ "$(DOCKER_PUSH)" = "true" ] ; then $(DOCKER) push $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) ; fi
+	@if [ "$(DOCKER_PUSH)" = "true" ] ; then $(DOCKER) push $(IMAGE_PREFIX)$(IMAGE_REPOSITORY):$(IMAGE_TAG) ; fi

 .PHONY: armimage
 armimage:
-	$(DOCKER) build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG)-arm .
+	$(DOCKER) build -t $(IMAGE_PREFIX)(IMAGE_REPOSITORY):$(IMAGE_TAG)-arm .

 .PHONY: builder-image
 builder-image:
@ -395,9 +411,7 @@ lint: test-tools-image
 .PHONY: lint-local
 lint-local:
 	golangci-lint --version
-	# NOTE: If you get a "Killed" OOM message, try reducing the value of GOGC
-	# See https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
-	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --fix --verbose
+	golangci-lint run --fix --verbose

 .PHONY: lint-ui
 lint-ui: test-tools-image
@ -405,7 +419,7 @@ lint-ui: test-tools-image

 .PHONY: lint-ui-local
 lint-ui-local:
-	cd ui && yarn lint
+	cd ui && pnpm lint

 # Build all Go code
 .PHONY: build
@ -429,12 +443,24 @@ test: test-tools-image

 # Run all unit tests (local version)
 .PHONY: test-local
-test-local:
+test-local: test-gitops-engine
+# run if TEST_MODULE is empty or does not point to gitops-engine tests
+ifneq ($(if $(TEST_MODULE),,ALL)$(filter-out github.com/argoproj/argo-cd/gitops-engine% ./gitops-engine%,$(TEST_MODULE)),)
 	if test "$(TEST_MODULE)" = ""; then \
 		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results"; \
 	else \
 		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results" "$(TEST_MODULE)"; \
 	fi
+endif
+
+# Run gitops-engine unit tests
+.PHONY: test-gitops-engine
+test-gitops-engine:
+# run if TEST_MODULE is empty or points to gitops-engine tests
+ifneq ($(if $(TEST_MODULE),,ALL)$(filter github.com/argoproj/argo-cd/gitops-engine% ./gitops-engine%,$(TEST_MODULE)),)
+	mkdir -p $(PWD)/test-results
+	cd gitops-engine && go test -race -cover ./... -args -test.gocoverdir="$(PWD)/test-results"
+endif

 .PHONY: test-race
 test-race: test-tools-image
@ -461,7 +487,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"
+	ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=$${ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS:-true}  DIST_DIR=${DIST_DIR} RERUN_FAILS=$(ARGOCD_E2E_RERUN_FAILS) PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"

 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@ -485,13 +511,13 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	kubectl create ns argocd-e2e-external || true
 	kubectl create ns argocd-e2e-external-2 || true
 	kubectl config set-context --current --namespace=argocd-e2e
-	kustomize build test/manifests/base | kubectl apply --server-side -f -
+	kustomize build test/manifests/base | kubectl apply --server-side --force-conflicts -f -
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management/api/a6845f2ebcb186ec26b832f60c988537a58f3859/cluster/v1alpha1/0000_04_clusters.open-cluster-management.io_placementdecisions.crd.yaml
 	# Create GPG keys and source directories
-	if test -d /tmp/argo-e2e/app/config/gpg; then rm -rf /tmp/argo-e2e/app/config/gpg/*; fi
-	mkdir -p /tmp/argo-e2e/app/config/gpg/keys && chmod 0700 /tmp/argo-e2e/app/config/gpg/keys
-	mkdir -p /tmp/argo-e2e/app/config/gpg/source && chmod 0700 /tmp/argo-e2e/app/config/gpg/source
-	mkdir -p /tmp/argo-e2e/app/config/plugin && chmod 0700 /tmp/argo-e2e/app/config/plugin
+	if test -d $(ARGOCD_E2E_DIR)/app/config/gpg; then rm -rf $(ARGOCD_E2E_DIR)/app/config/gpg/*; fi
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/gpg/keys && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/gpg/keys
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/gpg/source && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/gpg/source
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/plugin && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/plugin
 	# create folders to hold go coverage results for each component
 	mkdir -p /tmp/coverage/app-controller
 	mkdir -p /tmp/coverage/api-server
@ -500,13 +526,15 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	mkdir -p /tmp/coverage/notification
 	mkdir -p /tmp/coverage/commit-server
 	# set paths for locally managed ssh known hosts and tls certs data
-	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
-	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
-	ARGOCD_GPG_DATA_PATH=/tmp/argo-e2e/app/config/gpg/source \
-	ARGOCD_GNUPGHOME=/tmp/argo-e2e/app/config/gpg/keys \
+	ARGOCD_E2E_DIR=$(ARGOCD_E2E_DIR) \
+	ARGOCD_SSH_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/ssh \
+	ARGOCD_TLS_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/tls \
+	ARGOCD_GPG_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/gpg/source \
+	ARGOCD_GNUPGHOME=$(ARGOCD_E2E_DIR)/app/config/gpg/keys \
 	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
-	ARGOCD_PLUGINCONFIGFILEPATH=/tmp/argo-e2e/app/config/plugin \
-	ARGOCD_PLUGINSOCKFILEPATH=/tmp/argo-e2e/app/config/plugin \
+	ARGOCD_PLUGINCONFIGFILEPATH=$(ARGOCD_E2E_DIR)/app/config/plugin \
+	ARGOCD_PLUGINSOCKFILEPATH=$(ARGOCD_E2E_DIR)/app/config/plugin \
+	ARGOCD_GIT_CONFIG=$(PWD)/test/e2e/fixture/gitconfig \
 	ARGOCD_E2E_DISABLE_AUTH=false \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
@ -634,8 +662,17 @@ install-go-tools-local:
 dep-ui: test-tools-image
 	$(call run-in-test-client,make dep-ui-local)

+.PHONY: dep-ui-local
 dep-ui-local:
-	cd ui && yarn install
+	cd ui && pnpm install --frozen-lockfile
+
+.PHONY: run-pnpm
+run-pnpm: test-tools-image
+	$(call run-in-test-client,make 'PNPM_COMMAND=$(PNPM_COMMAND)' run-pnpm-local)
+
+.PHONY: run-pnpm-local
+run-pnpm-local:
+	cd ui && pnpm $(PNPM_COMMAND)

 start-test-k8s:
 	go run ./hack/k8s
--- a/10
+++ b/10
@ -1,14 +1,14 @@
 controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --commit-server localhost:${ARGOCD_E2E_COMMITSERVER_PORT:-8086} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
 api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
-dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v3/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
+dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v3/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex:v2.45.0" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
 redis: hack/start-redis-with-password.sh
-repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "export PATH=\$(pwd)/dist:\$PATH && [ -n \"\$ARGOCD_GIT_CONFIG\" ] && export GIT_CONFIG_GLOBAL=\$ARGOCD_GIT_CONFIG && export GIT_CONFIG_NOSYSTEM=1; GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 commit-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/commit-server} FORCE_LOG_COLORS=1 ARGOCD_BINARY_NAME=argocd-commit-server $COMMAND --loglevel debug --port ${ARGOCD_E2E_COMMITSERVER_PORT:-8086}"
-ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
+ui: sh -c 'cd ui && ${ARGOCD_E2E_PNPM_CMD:-pnpm} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 oci-registry: test/fixture/testrepos/start-authenticated-helm-registry.sh
 dev-mounter: [ "$ARGOCD_E2E_TEST" != "true" ] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
+applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=${ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS:-true} $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
--- a/README.md
+++ b/README.md
@ -13,12 +13,13 @@
 [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
 [![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
 [![LinkedIn](https://img.shields.io/badge/LinkedIn-argoproj-blue.svg?logo=linkedin)](https://www.linkedin.com/company/argoproj/)
+[![Bluesky](https://img.shields.io/badge/Bluesky-argoproj-blue.svg?style=social&logo=bluesky)](https://bsky.app/profile/argoproj.bsky.social)

 # Argo CD - Declarative Continuous Delivery for Kubernetes

 ## What is Argo CD?

-Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
+Argo CD is a declarative GitOps continuous delivery tool for Kubernetes.

 ![Argo CD UI](docs/assets/argocd-ui.gif)

@ -44,7 +45,7 @@ Check live demo at https://cd.apps.argoproj.io/.

 You can reach the Argo CD community and developers via the following channels:

-* Q & A : [Github Discussions](https://github.com/argoproj/argo-cd/discussions)
+* Q & A : [GitHub Discussions](https://github.com/argoproj/argo-cd/discussions)
 * Chat : [The #argo-cd Slack channel](https://argoproj.github.io/community/join-slack)
 * Contributors Office Hours: [Every Thursday](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8)
 * User Community meeting: [First Wednesday of the month](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1ttgw98MO45Dq7ZUHpIiOIEfbyeitKHNfMjbY5dLLMKQ)
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@ -3,9 +3,9 @@ header:
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
-  commit-hash: 06ef059f9fc7cf9da2dfaef2a505ee1e3c693485
+  commit-hash: d91a2ab3bf1b1143fb273fa06f54073fc78f41f1
  project-url: https://github.com/argoproj/argo-cd
-  project-release: v3.3.0
+  project-release: v3.5.0
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
 project-lifecycle:
--- a/SECURITY.md
+++ b/SECURITY.md
@ -48,6 +48,23 @@ otherwise very intrusive, and there's a workaround available, we may decide to
 provide a forward-fix only, e.g. to be released the next minor release, instead
 of releasing it within a patch branch for the currently supported releases.

+## Dependency Upgrade Policy
+
+Argo CD relies on certain binaries and libraries that might appear in security scanners.
+
+Upgrading certain dependencies, such as Helm, Kustomize, and git, may have negative impacts
+on users, as they may include breaking changes or changes in behavior. For this reason,
+we will only upgrade to new patch versions within the same minor version series within
+a supported Argo CD version. For example, if we are currently on Helm 3.12.0 and Argo CD
+3.4.0, we will only upgrade to Helm 3.12.x within Argo CD 3.4.x, and not to Helm 3.13.0 
+or later.
+
+If there is a critical, _exploitable_ vulnerability in a dependency that will not be fixed
+in a patch release, we will evaluate the impact of the vulnerability and the risk of not
+upgrading the dependency. We ask that, if you believe a version bump is justified, please
+open an issue _describing how the vulnerability is exploitable in the context of Argo CD_,
+and we will evaluate it and decide whether or not to upgrade the dependency.
+
 ## Reporting a Vulnerability

 If you find a security related bug in Argo CD, we kindly ask you for responsible
@ -63,24 +80,7 @@ We will publish security advisories using the
 feature to keep our community well-informed, and will credit you for your
 findings (unless you prefer to stay anonymous, of course).

-There are two ways to report a vulnerability to the Argo CD team:
-
-* By opening a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new
-* By e-mail to the following address: cncf-argo-security@lists.cncf.io
-
-## Internet Bug Bounty collaboration
-
-We're happy to announce that the Argo project is collaborating with the great
-folks over at
-[Hacker One](https://hackerone.com/) and their
-[Internet Bug Bounty program](https://hackerone.com/ibb)
-to reward the awesome people who find security vulnerabilities in the four
-main Argo projects (CD, Events, Rollouts and Workflows) and then work with
-us to fix and disclose them in a responsible manner.
-
-If you report a vulnerability to us as outlined in this security policy, we
-will work together with you to find out whether your finding is eligible for
-claiming a bounty, and also on how to claim it.
+To report a vulnerability to the Argo CD team a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new

 ## Securing your Argo CD Instance

--- a/15
+++ b/15
@ -1,6 +1,10 @@
 load('ext://restart_process', 'docker_build_with_restart')
 load('ext://uibutton', 'cmd_button', 'location')

+# tilt version should be >= v0.37.0 for k8s_server_side_apply tilt-dev/tilt#6680
+update_settings(
+  k8s_server_side_apply="true",
+)
 # add ui button in web ui to run make codegen-local (top nav)
 cmd_button(
    'make codegen-local',
@ -52,6 +56,7 @@ local_resource(
    'build',
    'CGO_ENABLED=0 GOOS=linux GOARCH=' + arch + ' go build -gcflags="all=-N -l" -mod=readonly -o .tilt-bin/argocd_linux cmd/main.go',
    deps = code_deps,
+    ignore = ['**/*_test.go'],
    allow_parallel=True,
 )

@ -60,7 +65,7 @@ k8s_yaml(kustomize('manifests/dev-tilt'))

 # build dev image
 docker_build_with_restart(
-    'argocd', 
+    'quay.io/argoproj/argocd:latest', 
    context='.',
    dockerfile='Dockerfile.tilt',
    entrypoint=[
@ -252,11 +257,11 @@ k8s_resource(
 # ui dependencies
 local_resource(
    'node-modules',
-    'yarn',
+    'pnpm install',
    dir='ui',
    deps = [
        'ui/package.json',
-        'ui/yarn.lock',
+        'ui/pnpm-lock.yaml',
    ],
    allow_parallel=True,
 )
@ -266,11 +271,11 @@ docker_build(
    'argocd-ui',
    context='.',
    dockerfile='Dockerfile.ui.tilt',
-    entrypoint=['sh', '-c', 'cd /app/ui && yarn start'], 
+    entrypoint=['sh', '-c', 'cd /app/ui && pnpm start'],
    only=['ui'],
    live_update=[
        sync('ui', '/app/ui'),
-        run('sh -c "cd /app/ui && yarn install"', trigger=['/app/ui/package.json', '/app/ui/yarn.lock']),
+        run('sh -c "cd /app/ui && pnpm install --frozen-lockfile"', trigger=['/app/ui/package.json', '/app/ui/pnpm-lock.yaml']),
    ],
 )

--- a/USERS.md
+++ b/USERS.md
@ -7,7 +7,7 @@ Currently, the following organizations are **officially** using Argo CD:

 1. [100ms](https://www.100ms.ai/)
 1. [127Labs](https://127labs.com/)
-1. [3Rein](https://www.3rein.com/)
+1. [3Rein](https://3reinmedia.com/)
 1. [42 School](https://42.fr/)
 1. [4data](https://4data.ch/)
 1. [7shifts](https://www.7shifts.com/)
@ -31,8 +31,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Ant Group](https://www.antgroup.com/)
 1. [AppDirect](https://www.appdirect.com)
-1. [Arcadia](https://www.arcadia.io)
-1. [Arctiq Inc.](https://www.arctiq.ca)
+1. [Arcadia](https://arcadia.io/)
+1. [Arctiq Inc.](https://arctiq.com/)
 1. [Artemis Health by Nomi Health](https://www.artemishealth.com/)
 1. [Arturia](https://www.arturia.com)
 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
@ -65,6 +65,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Candis](https://www.candis.io)
 1. [Capital One](https://www.capitalone.com)
 1. [Capptain LTD](https://capptain.co/)
+1. [Car & Classic](https://www.carandclassic.com)
 1. [CARFAX Europe](https://www.carfax.eu)
 1. [CARFAX](https://www.carfax.com)
 1. [Carrefour Group](https://www.carrefour.com)
@ -75,6 +76,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Chargetrip](https://chargetrip.com)
 1. [Chime](https://www.chime.com)
 1. [Chronicle Labs](https://chroniclelabs.org)
+1. [C.H.Robinson ](https://www.chrobinson.com)
+1. [Circle](https://circle.com/)
 1. [Cisco ET&I](https://eti.cisco.com/)
 1. [Close](https://www.close.com/)
 1. [Cloud Posse](https://www.cloudposse.com/)
@ -147,14 +150,14 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Getir](https://getir.com)
 1. [GetYourGuide](https://www.getyourguide.com/)
 1. [Gitpod](https://www.gitpod.io)
-1. [Gllue](https://gllue.com)
+1. [Gllue](https://www.gllue.com/)
 1. [gloat](https://gloat.com/)
 1. [GLOBIS](https://globis.com)
 1. [Glovo](https://www.glovoapp.com)
 1. [GlueOps](https://glueops.dev)
 1. [GMETRI](https://gmetri.com/)
 1. [Gojek](https://www.gojek.io/)
-1. [GoTo Financial](https://gotofinancial.com/)
+1. [GoTo Financial](https://www.gotocompany.com/en/products/goto-financial)
 1. [GoTo](https://www.goto.com/)
 1. [Greenpass](https://www.greenpass.com.br/)
 1. [Gridfuse](https://gridfuse.com/)
@ -165,7 +168,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Healy](https://www.healyworld.net)
 1. [Helio](https://helio.exchange)
 1. [hetao101](https://www.hetao101.com/)
-1. [Hetki](https://hetki.ai)
+1. [Hetki](https://hetki.io/)
 1. [hipages](https://hipages.com.au/)
 1. [Hiya](https://hiya.com)
 1. [Honestbank](https://honestbank.com)
@ -177,7 +180,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Icelandair](https://www.icelandair.com)
 1. [IFS](https://www.ifs.com)
 1. [IITS-Consulting](https://iits-consulting.de)
-1. [IllumiDesk](https://www.illumidesk.com)
+1. [IllumiDesk](https://illumichat.com/)
+1. [Imagine Learning](https://www.imaginelearning.com/)
 1. [imaware](https://imaware.health)
 1. [Indeed](https://indeed.com)
 1. [Index Exchange](https://www.indexexchange.com/)
@ -208,10 +212,11 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Kurly](https://www.kurly.com/)
 1. [Kvist](https://kvistsolutions.com)
 1. [Kyriba](https://www.kyriba.com/)
+1. [Lattice](https://lattice.com)
 1. [LeFigaro](https://www.lefigaro.fr/)
 1. [Lely](https://www.lely.com/)
 1. [LexisNexis](https://www.lexisnexis.com/)
-1. [Lian Chu Securities](https://lczq.com)
+1. [Lian Chu Securities](https://www.lczq.com/)
 1. [Liatrio](https://www.liatrio.com)
 1. [Lightricks](https://www.lightricks.com/)
 1. [Loom](https://www.loom.com/)
@ -237,6 +242,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Mission Lane](https://missionlane.com)
 1. [mixi Group](https://mixi.co.jp/)
 1. [Moengage](https://www.moengage.com/)
+1. [Mollie](https://www.mollie.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
 1. [MongoDB](https://www.mongodb.com/)
 1. [MOO Print](https://www.moo.com/)
@ -244,7 +250,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [MTN Group](https://www.mtn.com/)
 1. [Municipality of The Hague](https://www.denhaag.nl/)
 1. [My Job Glasses](https://myjobglasses.com)
-1. [Natura &Co](https://naturaeco.com/)
+1. [Natura &Co](https://ri.natura.com.br/)
+1. [Netease Cloud Music](https://music.163.com/)
 1. [Nethopper](https://nethopper.io)
 1. [New Relic](https://newrelic.com/)
 1. [Nextbasket](https://nextbasket.com)
@ -274,7 +281,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Orbital Insight](https://orbitalinsight.com/)
 1. [Oscar Health Insurance](https://hioscar.com/)
 1. [Outpost24](https://outpost24.com/)
-1. [p3r](https://www.p3r.one/)
+1. [p3r](https://persona.atlus.com/p3r/)
 1. [Packlink](https://www.packlink.com/)
 1. [PagerDuty](https://www.pagerduty.com/)
 1. [Pandosearch](https://www.pandosearch.com/en/home)
@ -292,6 +299,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Pismo](https://pismo.io/)
 1. [PITS Globale Datenrettungsdienste](https://www.pitsdatenrettung.de/)
 1. [Platform9 Systems](https://platform9.com/)
+1. [Playground Tech](https://playgroundgroup.io)
 1. [Polarpoint.io](https://polarpoint.io)
 1. [Pollinate](https://www.pollinate.global)
 1. [PostFinance](https://github.com/postfinance)
@ -328,6 +336,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Salad Technologies](https://salad.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
+1. [SAP Signavio](https://www.signavio.com)
 1. [Sauce Labs](https://saucelabs.com/)
 1. [Schneider Electric](https://www.se.com)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
@ -375,6 +384,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Tailor Brands](https://www.tailorbrands.com)
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
 1. [TBC Bank](https://tbcbank.ge/)
+1. [Techcom Securities](https://www.tcbs.com.vn/)
 1. [Techcombank](https://www.techcombank.com.vn/trang-chu)
 1. [Technacy](https://www.technacy.it/)
 1. [Telavita](https://www.telavita.com.br/)
@ -415,18 +425,18 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [VSHN - The DevOps Company](https://vshn.ch/)
 1. [Wakacje.pl](https://www.wakacje.pl/)
 1. [Walkbase](https://www.walkbase.com/)
-1. [Webstores](https://www.webstores.nl)
+1. [Webstores](https://www.friday.nl/)
 1. [Wehkamp](https://www.wehkamp.nl/)
 1. [WeMaintain](https://www.wemaintain.com/)
 1. [WeMo Scooter](https://www.wemoscooter.com/)
 1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
-1. [Witick](https://witick.io/)
+1. [Witick](https://www.witik.io/en/)
 1. [Wolffun Game](https://www.wolffungame.com/)
 1. [WooliesX](https://wooliesx.com.au/)
 1. [Woolworths Group](https://www.woolworthsgroup.com.au/)
 1. [WSpot](https://www.wspot.com.br/)
 1. [X3M ads](https://x3mads.com)
-1. [Yieldlab](https://www.yieldlab.de/)
+1. [Yieldlab](https://virtualminds.com/)
 1. [Youverify](https://youverify.co/)
 1. [Yubo](https://www.yubo.live/)
 1. [Yuno](https://y.uno/)
--- a/2
+++ b/2
@ -1 +1 @@
-3.3.0
+3.5.0
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@ -20,14 +20,17 @@ import (
 	"fmt"
 	"reflect"
 	"runtime/debug"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"
+	"sync"
 	"time"

 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -37,7 +40,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/retry"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@ -47,7 +49,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"

-	"github.com/argoproj/gitops-engine/pkg/health"
+	"github.com/argoproj/argo-cd/gitops-engine/pkg/health"

 	"github.com/argoproj/argo-cd/v3/applicationset/controllers/template"
 	"github.com/argoproj/argo-cd/v3/applicationset/generators"
@ -57,6 +59,7 @@ import (
 	"github.com/argoproj/argo-cd/v3/common"
 	applog "github.com/argoproj/argo-cd/v3/util/app/log"
 	"github.com/argoproj/argo-cd/v3/util/db"
+	"github.com/argoproj/argo-cd/v3/util/settings"

 	argov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	argoutil "github.com/argoproj/argo-cd/v3/util/argo"
@ -73,6 +76,9 @@ const (
 	ReconcileRequeueOnValidationError = time.Minute * 3
 	ReverseDeletionOrder              = "Reverse"
 	AllAtOnceDeletionOrder            = "AllAtOnce"
+	revisionAndSpecChangedMsg         = "Application has pending changes (revision and spec differ), setting status to Waiting"
+	revisionChangedMsg                = "Application has pending changes, setting status to Waiting"
+	specChangedMsg                    = "Application has pending changes (spec differs), setting status to Waiting"
 )

 var defaultPreservedFinalizers = []string{
@ -102,14 +108,16 @@ type ApplicationSetReconciler struct {
 	Policy               argov1alpha1.ApplicationsSyncPolicy
 	EnablePolicyOverride bool
 	utils.Renderer
-	ArgoCDNamespace            string
-	ApplicationSetNamespaces   []string
-	EnableProgressiveSyncs     bool
-	SCMRootCAPath              string
-	GlobalPreservedAnnotations []string
-	GlobalPreservedLabels      []string
-	Metrics                    *metrics.ApplicationsetMetrics
-	MaxResourcesStatusCount    int
+	ArgoCDNamespace              string
+	ApplicationSetNamespaces     []string
+	EnableProgressiveSyncs       bool
+	SCMRootCAPath                string
+	GlobalPreservedAnnotations   []string
+	GlobalPreservedLabels        []string
+	Metrics                      *metrics.ApplicationsetMetrics
+	MaxResourcesStatusCount      int
+	ClusterInformer              *settings.ClusterInformer
+	ConcurrentApplicationUpdates int
 }

 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=get;list;watch;create;update;patch;delete
@ -241,11 +249,6 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return ctrl.Result{}, fmt.Errorf("failed to get current applications for application set: %w", err)
 	}

-	err = r.updateResourcesStatus(ctx, logCtx, &applicationSetInfo, currentApplications)
-	if err != nil {
-		return ctrl.Result{}, fmt.Errorf("failed to get update resources status for application set: %w", err)
-	}
-
 	// appSyncMap tracks which apps will be synced during this reconciliation.
 	appSyncMap := map[string]bool{}

@ -369,6 +372,16 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		}
 	}

+	// Update resources status after create/update/delete so it reflects the actual cluster state.
+	currentApplications, err = r.getCurrentApplications(ctx, applicationSetInfo)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to get current applications for application set: %w", err)
+	}
+	err = r.updateResourcesStatus(ctx, logCtx, &applicationSetInfo, currentApplications)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to update resources status for application set: %w", err)
+	}
+
 	if applicationSetInfo.RefreshRequired() {
 		delete(applicationSetInfo.Annotations, common.AnnotationApplicationSetRefresh)
 		err := r.Update(ctx, &applicationSetInfo)
@ -669,8 +682,9 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager, enableProg
 		Watches(
 			&corev1.Secret{},
 			&clusterSecretEventHandler{
-				Client: mgr.GetClient(),
-				Log:    log.WithField("type", "createSecretEventHandler"),
+				Client:                   mgr.GetClient(),
+				Log:                      log.WithField("type", "createSecretEventHandler"),
+				ApplicationSetNamespaces: r.ApplicationSetNamespaces,
 			}).
 		Complete(r)
 }
@ -680,108 +694,133 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager, enableProg
 // - For existing application, it will call update
 // The function also adds owner reference to all applications, and uses it to delete them.
 func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context, logCtx *log.Entry, applicationSet argov1alpha1.ApplicationSet, desiredApplications []argov1alpha1.Application) error {
-	var firstError error
-	// Creates or updates the application in appList
-	for _, generatedApp := range desiredApplications {
-		appLog := logCtx.WithFields(applog.GetAppLogFields(&generatedApp))
+	// Build the diff config once per reconcile.
+	// Diff config is per applicationset, so generate it once for all applications
+	diffConfig, err := utils.BuildIgnoreDiffConfig(applicationSet.Spec.IgnoreApplicationDifferences, normalizers.IgnoreNormalizerOpts{})
+	if err != nil {
+		return fmt.Errorf("failed to build ignore diff config: %w", err)
+	}

+	g, ctx := errgroup.WithContext(ctx)
+	concurrency := r.concurrency()
+	g.SetLimit(concurrency)
+
+	var appErrorsMu sync.Mutex
+	appErrors := map[string]error{}
+
+	for _, generatedApp := range desiredApplications {
 		// Normalize to avoid fighting with the application controller.
 		generatedApp.Spec = *argoutil.NormalizeApplicationSpec(&generatedApp.Spec)
+		g.Go(func() error {
+			appLog := logCtx.WithFields(applog.GetAppLogFields(&generatedApp))

-		found := &argov1alpha1.Application{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      generatedApp.Name,
-				Namespace: generatedApp.Namespace,
-			},
-			TypeMeta: metav1.TypeMeta{
-				Kind:       application.ApplicationKind,
-				APIVersion: "argoproj.io/v1alpha1",
-			},
-		}
-
-		action, err := utils.CreateOrUpdate(ctx, appLog, r.Client, applicationSet.Spec.IgnoreApplicationDifferences, normalizers.IgnoreNormalizerOpts{}, found, func() error {
-			// Copy only the Application/ObjectMeta fields that are significant, from the generatedApp
-			found.Spec = generatedApp.Spec
-
-			// allow setting the Operation field to trigger a sync operation on an Application
-			if generatedApp.Operation != nil {
-				found.Operation = generatedApp.Operation
+			found := &argov1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      generatedApp.Name,
+					Namespace: generatedApp.Namespace,
+				},
+				TypeMeta: metav1.TypeMeta{
+					Kind:       application.ApplicationKind,
+					APIVersion: "argoproj.io/v1alpha1",
+				},
 			}

-			preservedAnnotations := make([]string, 0)
-			preservedLabels := make([]string, 0)
+			action, err := utils.CreateOrUpdate(ctx, appLog, r.Client, diffConfig, found, func() error {
+				// Copy only the Application/ObjectMeta fields that are significant, from the generatedApp
+				found.Spec = generatedApp.Spec

-			if applicationSet.Spec.PreservedFields != nil {
-				preservedAnnotations = append(preservedAnnotations, applicationSet.Spec.PreservedFields.Annotations...)
-				preservedLabels = append(preservedLabels, applicationSet.Spec.PreservedFields.Labels...)
-			}
-
-			if len(r.GlobalPreservedAnnotations) > 0 {
-				preservedAnnotations = append(preservedAnnotations, r.GlobalPreservedAnnotations...)
-			}
-
-			if len(r.GlobalPreservedLabels) > 0 {
-				preservedLabels = append(preservedLabels, r.GlobalPreservedLabels...)
-			}
-
-			// Preserve specially treated argo cd annotations:
-			// * https://github.com/argoproj/applicationset/issues/180
-			// * https://github.com/argoproj/argo-cd/issues/10500
-			preservedAnnotations = append(preservedAnnotations, defaultPreservedAnnotations...)
-
-			for _, key := range preservedAnnotations {
-				if state, exists := found.Annotations[key]; exists {
-					if generatedApp.Annotations == nil {
-						generatedApp.Annotations = map[string]string{}
-					}
-					generatedApp.Annotations[key] = state
+				// allow setting the Operation field to trigger a sync operation on an Application
+				if generatedApp.Operation != nil {
+					found.Operation = generatedApp.Operation
 				}
-			}

-			for _, key := range preservedLabels {
-				if state, exists := found.Labels[key]; exists {
-					if generatedApp.Labels == nil {
-						generatedApp.Labels = map[string]string{}
-					}
-					generatedApp.Labels[key] = state
+				preservedAnnotations := make([]string, 0)
+				preservedLabels := make([]string, 0)
+
+				if applicationSet.Spec.PreservedFields != nil {
+					preservedAnnotations = append(preservedAnnotations, applicationSet.Spec.PreservedFields.Annotations...)
+					preservedLabels = append(preservedLabels, applicationSet.Spec.PreservedFields.Labels...)
 				}
-			}

-			// Preserve deleting finalizers and avoid diff conflicts
-			for _, finalizer := range defaultPreservedFinalizers {
-				for _, f := range found.Finalizers {
-					// For finalizers, use prefix matching in case it contains "/" stages
-					if strings.HasPrefix(f, finalizer) {
-						generatedApp.Finalizers = append(generatedApp.Finalizers, f)
+				if len(r.GlobalPreservedAnnotations) > 0 {
+					preservedAnnotations = append(preservedAnnotations, r.GlobalPreservedAnnotations...)
+				}
+
+				if len(r.GlobalPreservedLabels) > 0 {
+					preservedLabels = append(preservedLabels, r.GlobalPreservedLabels...)
+				}
+
+				// Preserve specially treated argo cd annotations:
+				// * https://github.com/argoproj/applicationset/issues/180
+				// * https://github.com/argoproj/argo-cd/issues/10500
+				preservedAnnotations = append(preservedAnnotations, defaultPreservedAnnotations...)
+
+				for _, key := range preservedAnnotations {
+					if state, exists := found.Annotations[key]; exists {
+						if generatedApp.Annotations == nil {
+							generatedApp.Annotations = map[string]string{}
+						}
+						generatedApp.Annotations[key] = state
 					}
 				}
+
+				for _, key := range preservedLabels {
+					if state, exists := found.Labels[key]; exists {
+						if generatedApp.Labels == nil {
+							generatedApp.Labels = map[string]string{}
+						}
+						generatedApp.Labels[key] = state
+					}
+				}
+
+				// Preserve deleting finalizers and avoid diff conflicts
+				for _, finalizer := range defaultPreservedFinalizers {
+					for _, f := range found.Finalizers {
+						// For finalizers, use prefix matching in case it contains "/" stages
+						if strings.HasPrefix(f, finalizer) {
+							generatedApp.Finalizers = append(generatedApp.Finalizers, f)
+						}
+					}
+				}
+
+				found.Annotations = generatedApp.Annotations
+				found.Labels = generatedApp.Labels
+				found.Finalizers = generatedApp.Finalizers
+
+				return controllerutil.SetControllerReference(&applicationSet, found, r.Scheme)
+			})
+			if err != nil {
+				appLog.WithError(err).WithField("action", action).Errorf("failed to %s Application", action)
+				// If the context was canceled or its deadline exceeded, return the error so it propagates through g.Wait().
+				if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+					return err
+				}
+				// For backwards compatibility with sequential behavior: continue processing other applications
+				// but record the error keyed by app name so we can deterministically return the error from
+				// the lexicographically first failing app, regardless of goroutine scheduling order.
+				appErrorsMu.Lock()
+				appErrors[generatedApp.Name] = err
+				appErrorsMu.Unlock()
+				return nil
 			}

-			found.Annotations = generatedApp.Annotations
-			found.Labels = generatedApp.Labels
-			found.Finalizers = generatedApp.Finalizers
-
-			return controllerutil.SetControllerReference(&applicationSet, found, r.Scheme)
+			if action != controllerutil.OperationResultNone {
+				// Don't pollute etcd with "unchanged Application" events
+				r.Recorder.Eventf(&applicationSet, corev1.EventTypeNormal, fmt.Sprint(action), "%s Application %q", action, generatedApp.Name)
+				appLog.Logf(log.InfoLevel, "%s Application", action)
+			} else {
+				// "unchanged Application" can be inferred by Reconcile Complete with no action being listed
+				// Or enable debug logging
+				appLog.Logf(log.DebugLevel, "%s Application", action)
+			}
+			return nil
 		})
-		if err != nil {
-			appLog.WithError(err).WithField("action", action).Errorf("failed to %s Application", action)
-			if firstError == nil {
-				firstError = err
-			}
-			continue
-		}
-
-		if action != controllerutil.OperationResultNone {
-			// Don't pollute etcd with "unchanged Application" events
-			r.Recorder.Eventf(&applicationSet, corev1.EventTypeNormal, fmt.Sprint(action), "%s Application %q", action, generatedApp.Name)
-			appLog.Logf(log.InfoLevel, "%s Application", action)
-		} else {
-			// "unchanged Application" can be inferred by Reconcile Complete with no action being listed
-			// Or enable debug logging
-			appLog.Logf(log.DebugLevel, "%s Application", action)
-		}
 	}
-	return firstError
+
+	if err := g.Wait(); errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+		return err
+	}
+	return firstAppError(appErrors)
 }

 // createInCluster will filter from the desiredApplications only the application that needs to be created
@ -824,7 +863,7 @@ func (r *ApplicationSetReconciler) getCurrentApplications(ctx context.Context, a
 // deleteInCluster will delete Applications that are currently on the cluster, but not in appList.
 // The function must be called after all generators had been called and generated applications
 func (r *ApplicationSetReconciler) deleteInCluster(ctx context.Context, logCtx *log.Entry, applicationSet argov1alpha1.ApplicationSet, desiredApplications []argov1alpha1.Application) error {
-	clusterList, err := utils.ListClusters(ctx, r.KubeClientset, r.ArgoCDNamespace)
+	clusterList, err := utils.ListClusters(r.ClusterInformer)
 	if err != nil {
 		return fmt.Errorf("error listing clusters: %w", err)
 	}
@ -841,36 +880,84 @@ func (r *ApplicationSetReconciler) deleteInCluster(ctx context.Context, logCtx *
 		m[app.Name] = true
 	}

-	// Delete apps that are not in m[string]bool
-	var firstError error
-	for _, app := range current {
-		logCtx = logCtx.WithFields(applog.GetAppLogFields(&app))
-		_, exists := m[app.Name]
+	g, ctx := errgroup.WithContext(ctx)
+	concurrency := r.concurrency()
+	g.SetLimit(concurrency)

-		if !exists {
+	var appErrorsMu sync.Mutex
+	appErrors := map[string]error{}
+
+	// Delete apps that are not in m[string]bool
+	for _, app := range current {
+		_, exists := m[app.Name]
+		if exists {
+			continue
+		}
+		appLogCtx := logCtx.WithFields(applog.GetAppLogFields(&app))
+		g.Go(func() error {
 			// Removes the Argo CD resources finalizer if the application contains an invalid target (eg missing cluster)
-			err := r.removeFinalizerOnInvalidDestination(ctx, applicationSet, &app, clusterList, logCtx)
+			err := r.removeFinalizerOnInvalidDestination(ctx, applicationSet, &app, clusterList, appLogCtx)
 			if err != nil {
-				logCtx.WithError(err).Error("failed to update Application")
-				if firstError != nil {
-					firstError = err
+				appLogCtx.WithError(err).Error("failed to update Application")
+				// If the context was canceled or its deadline exceeded, return the error so it propagates through g.Wait().
+				if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+					return err
 				}
-				continue
+				// For backwards compatibility with sequential behavior: continue processing other applications
+				// but record the error keyed by app name so we can deterministically return the error from
+				// the lexicographically first failing app, regardless of goroutine scheduling order.
+				appErrorsMu.Lock()
+				appErrors[app.Name] = err
+				appErrorsMu.Unlock()
+				return nil
 			}

 			err = r.Delete(ctx, &app)
 			if err != nil {
-				logCtx.WithError(err).Error("failed to delete Application")
-				if firstError != nil {
-					firstError = err
+				appLogCtx.WithError(err).Error("failed to delete Application")
+				// If the context was canceled or its deadline exceeded, return the error so it propagates through g.Wait().
+				if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+					return err
 				}
-				continue
+				appErrorsMu.Lock()
+				appErrors[app.Name] = err
+				appErrorsMu.Unlock()
+				return nil
 			}
 			r.Recorder.Eventf(&applicationSet, corev1.EventTypeNormal, "Deleted", "Deleted Application %q", app.Name)
-			logCtx.Log(log.InfoLevel, "Deleted application")
-		}
+			appLogCtx.Log(log.InfoLevel, "Deleted application")
+			return nil
+		})
 	}
-	return firstError
+
+	if err := g.Wait(); errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+		return err
+	}
+	return firstAppError(appErrors)
+}
+
+// concurrency returns the configured number of concurrent application updates, defaulting to 1.
+func (r *ApplicationSetReconciler) concurrency() int {
+	if r.ConcurrentApplicationUpdates <= 0 {
+		return 1
+	}
+	return r.ConcurrentApplicationUpdates
+}
+
+// firstAppError returns the error associated with the lexicographically smallest application name
+// in the provided map. This gives a deterministic result when multiple goroutines may have
+// recorded errors concurrently, matching the behavior of the original sequential loop where the
+// first application in iteration order would determine the returned error.
+func firstAppError(appErrors map[string]error) error {
+	if len(appErrors) == 0 {
+		return nil
+	}
+	names := make([]string, 0, len(appErrors))
+	for name := range appErrors {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	return appErrors[names[0]]
 }

 // removeFinalizerOnInvalidDestination removes the Argo CD resources finalizer if the application contains an invalid target (eg missing cluster)
@ -959,7 +1046,7 @@ func (r *ApplicationSetReconciler) removeOwnerReferencesOnDeleteAppSet(ctx conte
 func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context, logCtx *log.Entry, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application) (map[string]bool, error) {
 	appDependencyList, appStepMap := r.buildAppDependencyList(logCtx, appset, desiredApplications)

-	_, err := r.updateApplicationSetApplicationStatus(ctx, logCtx, &appset, applications, appStepMap)
+	_, err := r.updateApplicationSetApplicationStatus(ctx, logCtx, &appset, applications, desiredApplications, appStepMap)
 	if err != nil {
 		return nil, fmt.Errorf("failed to update applicationset app status: %w", err)
 	}
@ -1043,12 +1130,10 @@ func labelMatchedExpression(logCtx *log.Entry, val string, matchExpression argov
 	// if operator == NotIn, default to true
 	valueMatched := matchExpression.Operator == "NotIn"

-	for _, value := range matchExpression.Values {
-		if val == value {
-			// first "In" match returns true
-			// first "NotIn" match returns false
-			return matchExpression.Operator == "In"
-		}
+	if slices.Contains(matchExpression.Values, val) {
+		// first "In" match returns true
+		// first "NotIn" match returns false
+		return matchExpression.Operator == "In"
 	}
 	return valueMatched
 }
@ -1138,10 +1223,16 @@ func getAppStep(appName string, appStepMap map[string]int) int {
 }

 // check the status of each Application's status and promote Applications to the next status if needed
-func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, logCtx *log.Entry, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
 	now := metav1.Now()
 	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applications))

+	// Build a map of desired applications for quick lookup
+	desiredAppsMap := make(map[string]*argov1alpha1.Application)
+	for i := range desiredApplications {
+		desiredAppsMap[desiredApplications[i].Name] = &desiredApplications[i]
+	}
+
 	for _, app := range applications {
 		appHealthStatus := app.Status.Health.Status
 		appSyncStatus := app.Status.Sync.Status
@ -1176,10 +1267,27 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 		newAppStatus := currentAppStatus.DeepCopy()
 		newAppStatus.Step = strconv.Itoa(getAppStep(newAppStatus.Application, appStepMap))

-		if !reflect.DeepEqual(currentAppStatus.TargetRevisions, app.Status.GetRevisions()) {
-			// A new version is available in the application and we need to re-sync the application
+		revisionsChanged := !reflect.DeepEqual(currentAppStatus.TargetRevisions, app.Status.GetRevisions())
+
+		// Check if the desired Application spec differs from the current Application spec
+		specChanged := false
+		if desiredApp, ok := desiredAppsMap[app.Name]; ok {
+			// Compare the desired spec with the current spec to detect non-Git changes
+			// This will catch changes to generator parameters like image tags, helm values, etc.
+			specChanged = !cmp.Equal(desiredApp.Spec, app.Spec, cmpopts.EquateEmpty(), cmpopts.EquateComparable(argov1alpha1.ApplicationDestination{}))
+		}
+
+		if revisionsChanged || specChanged {
 			newAppStatus.TargetRevisions = app.Status.GetRevisions()
-			newAppStatus.Message = "Application has pending changes, setting status to Waiting"
+
+			switch {
+			case revisionsChanged && specChanged:
+				newAppStatus.Message = revisionAndSpecChangedMsg
+			case revisionsChanged:
+				newAppStatus.Message = revisionChangedMsg
+			default:
+				newAppStatus.Message = specChangedMsg
+			}
 			newAppStatus.Status = argov1alpha1.ProgressiveSyncWaiting
 			newAppStatus.LastTransitionTime = &now
 		}
@ -1580,8 +1688,8 @@ func (r *ApplicationSetReconciler) syncDesiredApplications(logCtx *log.Entry, ap

 		// ensure that Applications generated with RollingSync do not have an automated sync policy, since the AppSet controller will handle triggering the sync operation instead
 		if desiredApplications[i].Spec.SyncPolicy != nil && desiredApplications[i].Spec.SyncPolicy.IsAutomatedSyncEnabled() {
-			pruneEnabled = desiredApplications[i].Spec.SyncPolicy.Automated.Prune
-			desiredApplications[i].Spec.SyncPolicy.Automated.Enabled = ptr.To(false)
+			pruneEnabled = desiredApplications[i].Spec.SyncPolicy.Automated.GetPrune()
+			desiredApplications[i].Spec.SyncPolicy.Automated.Enabled = new(false)
 		}

 		appSetStatusPending := false
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/clustereventhandler.go
+++ b/applicationset/controllers/clustereventhandler.go
@ -14,6 +14,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"

+	"github.com/argoproj/argo-cd/v3/applicationset/utils"
 	"github.com/argoproj/argo-cd/v3/common"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )
@ -22,8 +23,9 @@ import (
 // requeue any related ApplicationSets.
 type clusterSecretEventHandler struct {
 	// handler.EnqueueRequestForOwner
-	Log    log.FieldLogger
-	Client client.Client
+	Log                      log.FieldLogger
+	Client                   client.Client
+	ApplicationSetNamespaces []string
 }

 func (h *clusterSecretEventHandler) Create(ctx context.Context, e event.CreateEvent, q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
@ -68,6 +70,10 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Contex

 	h.Log.WithField("count", len(appSetList.Items)).Info("listed ApplicationSets")
 	for _, appSet := range appSetList.Items {
+		if !utils.IsNamespaceAllowed(h.ApplicationSetNamespaces, appSet.GetNamespace()) {
+			// Ignore it as not part of the allowed list of namespaces in which to watch Appsets
+			continue
+		}
 		foundClusterGenerator := false
 		for _, generator := range appSet.Spec.Generators {
 			if generator.Clusters != nil {
--- a/applicationset/controllers/clustereventhandler_test.go
+++ b/applicationset/controllers/clustereventhandler_test.go
@ -137,7 +137,7 @@ func TestClusterEventHandler(t *testing.T) {
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "my-app-set",
-						Namespace: "another-namespace",
+						Namespace: "argocd",
 					},
 					Spec: argov1alpha1.ApplicationSetSpec{
 						Generators: []argov1alpha1.ApplicationSetGenerator{
@ -171,9 +171,37 @@ func TestClusterEventHandler(t *testing.T) {
 				},
 			},
 			expectedRequests: []reconcile.Request{
-				{NamespacedName: types.NamespacedName{Namespace: "another-namespace", Name: "my-app-set"}},
+				{NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"}},
 			},
 		},
+		{
+			name: "cluster generators in other namespaces should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "my-namespace-not-allowed",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
 		{
 			name: "non-argo cd secret should not match",
 			items: []argov1alpha1.ApplicationSet{
@ -552,8 +580,9 @@ func TestClusterEventHandler(t *testing.T) {
 			fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithLists(&appSetList).Build()

 			handler := &clusterSecretEventHandler{
-				Client: fakeClient,
-				Log:    log.WithField("type", "createSecretEventHandler"),
+				Client:                   fakeClient,
+				Log:                      log.WithField("type", "createSecretEventHandler"),
+				ApplicationSetNamespaces: []string{"argocd"},
 			}

 			mockAddRateLimitingInterface := mockAddRateLimitingInterface{}
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@ -19,6 +19,7 @@ import (
 	appsetmetrics "github.com/argoproj/argo-cd/v3/applicationset/metrics"
 	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
 	argov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

 func TestRequeueAfter(t *testing.T) {
@ -57,12 +58,17 @@ func TestRequeueAfter(t *testing.T) {
 	}
 	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
 	scmConfig := generators.NewSCMConfig("", []string{""}, true, true, nil, true)
+	clusterInformer, err := settings.NewClusterInformer(appClientset, "argocd")
+	require.NoError(t, err)
+
+	defer startAndSyncInformer(t, clusterInformer)()
+
 	terminalGenerators := map[string]generators.Generator{
 		"List":                    generators.NewListGenerator(),
-		"Clusters":                generators.NewClusterGenerator(ctx, k8sClient, appClientset, "argocd"),
+		"Clusters":                generators.NewClusterGenerator(k8sClient, "argocd"),
 		"Git":                     generators.NewGitGenerator(mockServer, "namespace"),
 		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), scmConfig),
-		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
+		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd", clusterInformer),
 		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, scmConfig),
 	}

--- a/applicationset/controllers/template/patch_test.go
+++ b/applicationset/controllers/template/patch_test.go
@ -96,7 +96,7 @@ func Test_ApplyTemplatePatch(t *testing.T) {
 					},
 					SyncPolicy: &appv1.SyncPolicy{
 						Automated: &appv1.SyncPolicyAutomated{
-							Prune: true,
+							Prune: new(true),
 						},
 					},
 				},
@ -172,7 +172,7 @@ spec:
 					},
 					SyncPolicy: &appv1.SyncPolicy{
 						Automated: &appv1.SyncPolicyAutomated{
-							Prune: true,
+							Prune: new(true),
 						},
 					},
 				},
--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@ -9,7 +9,6 @@ import (

 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/argoproj/argo-cd/v3/applicationset/utils"
@ -22,19 +21,15 @@ var _ Generator = (*ClusterGenerator)(nil)
 // ClusterGenerator generates Applications for some or all clusters registered with ArgoCD.
 type ClusterGenerator struct {
 	client.Client
-	ctx       context.Context
-	clientset kubernetes.Interface
 	// namespace is the Argo CD namespace
 	namespace string
 }

 var render = &utils.Render{}

-func NewClusterGenerator(ctx context.Context, c client.Client, clientset kubernetes.Interface, namespace string) Generator {
+func NewClusterGenerator(c client.Client, namespace string) Generator {
 	g := &ClusterGenerator{
 		Client:    c,
-		ctx:       ctx,
-		clientset: clientset,
 		namespace: namespace,
 	}
 	return g
@ -64,16 +59,7 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 	// - Since local clusters do not have secrets, they do not have labels to match against
 	ignoreLocalClusters := len(appSetGenerator.Clusters.Selector.MatchExpressions) > 0 || len(appSetGenerator.Clusters.Selector.MatchLabels) > 0

-	// ListCluster will include the local cluster in the list of clusters
-	clustersFromArgoCD, err := utils.ListClusters(g.ctx, g.clientset, g.namespace)
-	if err != nil {
-		return nil, fmt.Errorf("error listing clusters: %w", err)
-	}
-
-	if clustersFromArgoCD == nil {
-		return nil, nil
-	}
-
+	// Get cluster secrets using the cached controller-runtime client
 	clusterSecrets, err := g.getSecretsByClusterName(logCtx, appSetGenerator)
 	if err != nil {
 		return nil, fmt.Errorf("error getting cluster secrets: %w", err)
@ -82,32 +68,14 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 	paramHolder := &paramHolder{isFlatMode: appSetGenerator.Clusters.FlatList}
 	logCtx.Debugf("Using flat mode = %t for cluster generator", paramHolder.isFlatMode)

-	secretsFound := []corev1.Secret{}
-	for _, cluster := range clustersFromArgoCD {
-		// If there is a secret for this cluster, then it's a non-local cluster, so it will be
-		// handled by the next step.
-		if secretForCluster, exists := clusterSecrets[cluster.Name]; exists {
-			secretsFound = append(secretsFound, secretForCluster)
-		} else if !ignoreLocalClusters {
-			// If there is no secret for the cluster, it's the local cluster, so handle it here.
-			params := map[string]any{}
-			params["name"] = cluster.Name
-			params["nameNormalized"] = cluster.Name
-			params["server"] = cluster.Server
-			params["project"] = ""
-
-			err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
-			if err != nil {
-				return nil, fmt.Errorf("error appending templated values for local cluster: %w", err)
-			}
-
-			paramHolder.append(params)
-			logCtx.WithField("cluster", "local cluster").Info("matched local cluster")
-		}
+	// Convert map values to slice to check for an in-cluster secret
+	secretsList := make([]corev1.Secret, 0, len(clusterSecrets))
+	for _, secret := range clusterSecrets {
+		secretsList = append(secretsList, secret)
 	}

 	// For each matching cluster secret (non-local clusters only)
-	for _, cluster := range secretsFound {
+	for _, cluster := range clusterSecrets {
 		params := g.getClusterParameters(cluster, appSet)

 		err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
@ -119,6 +87,23 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 		logCtx.WithField("cluster", cluster.Name).Debug("matched cluster secret")
 	}

+	// Add the in-cluster last if it doesn't have a secret, and we're not ignoring in-cluster
+	if !ignoreLocalClusters && !utils.SecretsContainInClusterCredentials(secretsList) {
+		params := map[string]any{}
+		params["name"] = argoappsetv1alpha1.KubernetesInClusterName
+		params["nameNormalized"] = argoappsetv1alpha1.KubernetesInClusterName
+		params["server"] = argoappsetv1alpha1.KubernetesInternalAPIServerAddr
+		params["project"] = ""
+
+		err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
+		if err != nil {
+			return nil, fmt.Errorf("error appending templated values for local cluster: %w", err)
+		}
+
+		paramHolder.append(params)
+		logCtx.WithField("cluster", "local cluster").Info("matched local cluster")
+	}
+
 	return paramHolder.consolidate(), nil
 }

@ -186,7 +171,7 @@ func (g *ClusterGenerator) getSecretsByClusterName(log *log.Entry, appSetGenerat
 		return nil, fmt.Errorf("error converting label selector: %w", err)
 	}

-	if err := g.List(context.Background(), clusterSecretList, client.MatchingLabelsSelector{Selector: secretSelector}); err != nil {
+	if err := g.List(context.Background(), clusterSecretList, client.InNamespace(g.namespace), client.MatchingLabelsSelector{Selector: secretSelector}); err != nil {
 		return nil, err
 	}
 	log.Debugf("clusters matching labels: %d", len(clusterSecretList.Items))
--- a/applicationset/generators/cluster_test.go
+++ b/applicationset/generators/cluster_test.go
@ -7,12 +7,9 @@ import (

 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	kubefake "k8s.io/client-go/kubernetes/fake"
-
 	"github.com/argoproj/argo-cd/v3/applicationset/utils"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"

@ -299,23 +296,15 @@ func TestGenerateParams(t *testing.T) {
 		},
 	}

-	// convert []client.Object to []runtime.Object, for use by kubefake package
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}
-
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
-
 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
 			cl := &possiblyErroringFakeCtrlRuntimeClient{
 				fakeClient,
 				testCase.clientError,
 			}

-			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@ -336,12 +325,25 @@ func TestGenerateParams(t *testing.T) {
 				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
 				require.NoError(t, err)
-				assert.ElementsMatch(t, testCase.expected, got)
+				assertEqualParamsFlat(t, testCase.expected, got, testCase.isFlatMode)
 			}
 		})
 	}
 }

+func assertEqualParamsFlat(t *testing.T, expected, got []map[string]any, isFlatMode bool) {
+	t.Helper()
+	if isFlatMode && len(expected) == 1 && len(got) == 1 {
+		expectedClusters, ok1 := expected[0]["clusters"].([]map[string]any)
+		gotClusters, ok2 := got[0]["clusters"].([]map[string]any)
+		if ok1 && ok2 {
+			assert.ElementsMatch(t, expectedClusters, gotClusters)
+			return
+		}
+	}
+	assert.ElementsMatch(t, expected, got)
+}
+
 func TestGenerateParamsGoTemplate(t *testing.T) {
 	clusters := []client.Object{
 		&corev1.Secret{
@ -837,23 +839,15 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 		},
 	}

-	// convert []client.Object to []runtime.Object, for use by kubefake package
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}
-
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
-
 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
 			cl := &possiblyErroringFakeCtrlRuntimeClient{
 				fakeClient,
 				testCase.clientError,
 			}

-			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@ -876,7 +870,7 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
 				require.NoError(t, err)
-				assert.ElementsMatch(t, testCase.expected, got)
+				assertEqualParamsFlat(t, testCase.expected, got, testCase.isFlatMode)
 			}
 		})
 	}
--- a/applicationset/generators/duck_type.go
+++ b/applicationset/generators/duck_type.go
@ -19,24 +19,27 @@ import (

 	"github.com/argoproj/argo-cd/v3/applicationset/utils"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

 var _ Generator = (*DuckTypeGenerator)(nil)

 // DuckTypeGenerator generates Applications for some or all clusters registered with ArgoCD.
 type DuckTypeGenerator struct {
-	ctx       context.Context
-	dynClient dynamic.Interface
-	clientset kubernetes.Interface
-	namespace string // namespace is the Argo CD namespace
+	ctx             context.Context
+	dynClient       dynamic.Interface
+	clientset       kubernetes.Interface
+	namespace       string // namespace is the Argo CD namespace
+	clusterInformer *settings.ClusterInformer
 }

-func NewDuckTypeGenerator(ctx context.Context, dynClient dynamic.Interface, clientset kubernetes.Interface, namespace string) Generator {
+func NewDuckTypeGenerator(ctx context.Context, dynClient dynamic.Interface, clientset kubernetes.Interface, namespace string, clusterInformer *settings.ClusterInformer) Generator {
 	g := &DuckTypeGenerator{
-		ctx:       ctx,
-		dynClient: dynClient,
-		clientset: clientset,
-		namespace: namespace,
+		ctx:             ctx,
+		dynClient:       dynClient,
+		clientset:       clientset,
+		namespace:       namespace,
+		clusterInformer: clusterInformer,
 	}
 	return g
 }
@ -65,8 +68,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 		return nil, ErrEmptyAppSetGenerator
 	}

-	// ListCluster from Argo CD's util/db package will include the local cluster in the list of clusters
-	clustersFromArgoCD, err := utils.ListClusters(g.ctx, g.clientset, g.namespace)
+	clustersFromArgoCD, err := utils.ListClusters(g.clusterInformer)
 	if err != nil {
 		return nil, fmt.Errorf("error listing clusters: %w", err)
 	}
--- a/applicationset/generators/duck_type_test.go
+++ b/applicationset/generators/duck_type_test.go
@ -11,11 +11,13 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	dynfake "k8s.io/client-go/dynamic/fake"
+	"k8s.io/client-go/dynamic/fake"
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/test"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

 const (
@ -290,9 +292,14 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 				Resource: "ducks",
 			}: "DuckList"}

-			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)
+			fakeDynClient := fake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)

-			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace")
+			clusterInformer, err := settings.NewClusterInformer(appClientset, "namespace")
+			require.NoError(t, err)
+
+			defer test.StartInformer(clusterInformer)()
+
+			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace", clusterInformer)

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@ -586,9 +593,14 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 				Resource: "ducks",
 			}: "DuckList"}

-			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)
+			fakeDynClient := fake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)

-			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace")
+			clusterInformer, err := settings.NewClusterInformer(appClientset, "namespace")
+			require.NoError(t, err)
+
+			defer test.StartInformer(clusterInformer)()
+
+			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace", clusterInformer)

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
--- a/applicationset/generators/generator_spec_processor.go
+++ b/applicationset/generators/generator_spec_processor.go
@ -124,7 +124,7 @@ func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSet
 }

 func flattenParameters(in map[string]any) (map[string]string, error) {
-	flat, err := flatten.Flatten(in, "", flatten.DotStyle)
+	flat, err := flatten.Flatten(normalizeMapForFlatten(in), "", flatten.DotStyle)
 	if err != nil {
 		return nil, fmt.Errorf("error flatenning parameters: %w", err)
 	}
@ -137,6 +137,31 @@ func flattenParameters(in map[string]any) (map[string]string, error) {
 	return out, nil
 }

+// normalizeMapForFlatten recursively converts map[string]string values to
+// map[string]interface{} so that flatten.Flatten can recurse into them.
+// flatten.Flatten only recurses into map[string]interface{} and []interface{};
+// map[string]string is treated as an opaque leaf, causing individual keys
+// (e.g. metadata.labels.environment) to be absent from the flat output and
+// silently breaking post-generator selector matching in GoTemplate mode.
+func normalizeMapForFlatten(in map[string]any) map[string]any {
+	out := make(map[string]any, len(in))
+	for k, v := range in {
+		switch cast := v.(type) {
+		case map[string]string:
+			inner := make(map[string]any, len(cast))
+			for ik, iv := range cast {
+				inner[ik] = iv
+			}
+			out[k] = inner
+		case map[string]any:
+			out[k] = normalizeMapForFlatten(cast)
+		default:
+			out[k] = v
+		}
+	}
+	return out
+}
+
 func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetTemplate argoprojiov1alpha1.ApplicationSetTemplate) (argoprojiov1alpha1.ApplicationSetTemplate, error) {
 	// Make a copy of the value from `GetTemplate()` before merge, rather than copying directly into
 	// the provided parameter (which will touch the original resource object returned by client-go)
--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@ -1,7 +1,6 @@
 package generators

 import (
-	"context"
 	"testing"

 	log "github.com/sirupsen/logrus"
@ -16,8 +15,6 @@ import (

 	"github.com/stretchr/testify/mock"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	kubefake "k8s.io/client-go/kubernetes/fake"
 	crtclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@ -223,7 +220,7 @@ func TestTransForm(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			testGenerators := map[string]Generator{
-				"Clusters": getMockClusterGenerator(t.Context()),
+				"Clusters": getMockClusterGenerator(),
 			}

 			applicationSetInfo := argov1alpha1.ApplicationSet{
@ -252,6 +249,231 @@ func TestTransForm(t *testing.T) {
 	}
 }

+func TestTransFormGoTemplate(t *testing.T) {
+	testCases := []struct {
+		name     string
+		selector *metav1.LabelSelector
+		values   map[string]string
+		expected []map[string]any
+	}{
+		{
+			name: "server filter",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"server": "https://production-01.example.com"},
+			},
+			expected: []map[string]any{{
+				"name":           "production_01/west",
+				"nameNormalized": "production-01-west",
+				"server":         "https://production-01.example.com",
+				"project":        "",
+				"metadata": map[string]any{
+					"labels": map[string]string{
+						"argocd.argoproj.io/secret-type": "cluster",
+						"environment":                    "production",
+						"org":                            "bar",
+					},
+					"annotations": map[string]string{
+						"foo.argoproj.io": "production",
+					},
+				},
+			}},
+		},
+		{
+			name: "label MatchLabels",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"metadata.labels.environment": "staging"},
+			},
+			expected: []map[string]any{{
+				"name":           "staging-01",
+				"nameNormalized": "staging-01",
+				"server":         "https://staging-01.example.com",
+				"project":        "",
+				"metadata": map[string]any{
+					"labels": map[string]string{
+						"argocd.argoproj.io/secret-type": "cluster",
+						"environment":                    "staging",
+						"org":                            "foo",
+					},
+					"annotations": map[string]string{
+						"foo.argoproj.io": "staging",
+					},
+				},
+			}},
+		},
+		{
+			name: "label NotIn matchExpression",
+			selector: &metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      "metadata.labels.environment",
+						Operator: metav1.LabelSelectorOpNotIn,
+						Values:   []string{"staging"},
+					},
+				},
+			},
+			// staging-01 is excluded; production-01, some-really-long-server-url, and
+			// in-cluster (no labels) are all included because NotIn vacuously passes
+			// when the key is absent.
+			expected: []map[string]any{
+				{
+					"name":           "production_01/west",
+					"nameNormalized": "production-01-west",
+					"server":         "https://production-01.example.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+				{
+					"name":           "some-really-long-server-url",
+					"nameNormalized": "some-really-long-server-url",
+					"server":         "https://some-really-long-url-that-will-exceed-63-characters.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+				{
+					// in-cluster (local cluster) has no labels; NotIn vacuously passes.
+					"name":           "in-cluster",
+					"nameNormalized": "in-cluster",
+					"server":         "https://kubernetes.default.svc",
+					"project":        "",
+				},
+			},
+		},
+		{
+			name: "slash key in label",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"metadata.labels.argocd.argoproj.io/secret-type": "cluster"},
+			},
+			expected: []map[string]any{
+				{
+					"name":           "staging-01",
+					"nameNormalized": "staging-01",
+					"server":         "https://staging-01.example.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "staging",
+							"org":                            "foo",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "staging",
+						},
+					},
+				},
+				{
+					"name":           "production_01/west",
+					"nameNormalized": "production-01-west",
+					"server":         "https://production-01.example.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+				{
+					"name":           "some-really-long-server-url",
+					"nameNormalized": "some-really-long-server-url",
+					"server":         "https://some-really-long-url-that-will-exceed-63-characters.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "values filter",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"values.env": "staging"},
+			},
+			values: map[string]string{"env": "{{.metadata.labels.environment}}"},
+			expected: []map[string]any{{
+				"name":           "staging-01",
+				"nameNormalized": "staging-01",
+				"server":         "https://staging-01.example.com",
+				"project":        "",
+				"metadata": map[string]any{
+					"labels": map[string]string{
+						"argocd.argoproj.io/secret-type": "cluster",
+						"environment":                    "staging",
+						"org":                            "foo",
+					},
+					"annotations": map[string]string{
+						"foo.argoproj.io": "staging",
+					},
+				},
+				"values": map[string]string{
+					"env": "staging",
+				},
+			}},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			testGenerators := map[string]Generator{
+				"Clusters": getMockClusterGenerator(),
+			}
+
+			applicationSetInfo := argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+				},
+			}
+
+			results, err := Transform(
+				argov1alpha1.ApplicationSetGenerator{
+					Selector: testCase.selector,
+					Clusters: &argov1alpha1.ClusterGenerator{
+						Selector: metav1.LabelSelector{},
+						Template: argov1alpha1.ApplicationSetTemplate{},
+						Values:   testCase.values,
+					},
+				},
+				testGenerators,
+				emptyTemplate(),
+				&applicationSetInfo, nil, nil)
+
+			require.NoError(t, err)
+			assert.ElementsMatch(t, testCase.expected, results[0].Params)
+		})
+	}
+}
+
 func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
 	return argov1alpha1.ApplicationSetTemplate{
 		Spec: argov1alpha1.ApplicationSpec{
@ -260,7 +482,7 @@ func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
 	}
 }

-func getMockClusterGenerator(ctx context.Context) Generator {
+func getMockClusterGenerator() Generator {
 	clusters := []crtclient.Object{
 		&corev1.Secret{
 			TypeMeta: metav1.TypeMeta{
@ -335,14 +557,8 @@ func getMockClusterGenerator(ctx context.Context) Generator {
 			Type: corev1.SecretType("Opaque"),
 		},
 	}
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}
-	appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
-
 	fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
-	return NewClusterGenerator(ctx, fakeClient, appClientset, "namespace")
+	return NewClusterGenerator(fakeClient, "namespace")
 }

 func getMockGitGenerator() Generator {
@ -354,7 +570,7 @@ func getMockGitGenerator() Generator {

 func TestGetRelevantGenerators(t *testing.T) {
 	testGenerators := map[string]Generator{
-		"Clusters": getMockClusterGenerator(t.Context()),
+		"Clusters": getMockClusterGenerator(),
 		"Git":      getMockGitGenerator(),
 	}

@ -537,7 +753,7 @@ func TestInterpolateGeneratorError(t *testing.T) {
 		{name: "Error templating", args: args{
 			requestedGenerator: &argov1alpha1.ApplicationSetGenerator{Git: &argov1alpha1.GitGenerator{
 				RepoURL:  "foo",
-				Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "bar/"}},
+				Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "path/{{ index .rmap (default .override .test) }}"}},
 				Revision: "main",
 				Values: map[string]string{
 					"git_test":  "{{ toPrettyJson . }}",
@ -551,7 +767,7 @@ func TestInterpolateGeneratorError(t *testing.T) {
 			},
 			useGoTemplate:     true,
 			goTemplateOptions: []string{},
-		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template {{ index .rmap (default .override .test) }}: template: base:1:3: executing \"base\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
+		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template path/{{ index .rmap (default .override .test) }}: template: base:1:8: executing \"base\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -565,3 +781,178 @@ func TestInterpolateGeneratorError(t *testing.T) {
 		})
 	}
 }
+
+func TestInterpolateGeneratorValuesHandling(t *testing.T) {
+	applicationSetTemplate := argov1alpha1.ApplicationSetTemplate{
+		ApplicationSetTemplateMeta: argov1alpha1.ApplicationSetTemplateMeta{
+			Labels:      map[string]string{},
+			Annotations: map[string]string{},
+			Finalizers:  []string{},
+		},
+		Spec: argov1alpha1.ApplicationSpec{
+			IgnoreDifferences: argov1alpha1.IgnoreDifferences{},
+			Info:              []argov1alpha1.Info{},
+			Sources:           argov1alpha1.ApplicationSources{},
+		},
+	}
+	type args struct {
+		requestedGenerator *argov1alpha1.ApplicationSetGenerator
+		params             map[string]any
+		useGoTemplate      bool
+		goTemplateOptions  []string
+	}
+	tests := []struct {
+		name           string
+		args           args
+		want           argov1alpha1.ApplicationSetGenerator
+		expectedErrStr string
+	}{
+		{
+			name: "Generator with values set",
+			args: args{
+				requestedGenerator: &argov1alpha1.ApplicationSetGenerator{
+					Git: &argov1alpha1.GitGenerator{
+						RepoURL:  "https://somewhere.com/per-cluster/{{.name}}.git",
+						Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+						Revision: "main",
+						Values: map[string]string{
+							"appname": "{{ .path.basenameNormalized }}",
+						},
+						Template: applicationSetTemplate,
+					},
+				},
+				params: map[string]any{
+					"name":   "in-cluster",
+					"server": "https://kubernetes.default.svc",
+				},
+				useGoTemplate:     true,
+				goTemplateOptions: []string{},
+			},
+			want: argov1alpha1.ApplicationSetGenerator{
+				Git: &argov1alpha1.GitGenerator{
+					RepoURL:  "https://somewhere.com/per-cluster/in-cluster.git",
+					Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+					Revision: "main",
+					Values: map[string]string{
+						// must stay not interpolated
+						"appname": "{{ .path.basenameNormalized }}",
+					},
+					Directories: []argov1alpha1.GitDirectoryGeneratorItem{},
+					Template:    applicationSetTemplate,
+				},
+			},
+			expectedErrStr: "",
+		},
+		{
+			name: "Generator with no values set",
+			args: args{
+				requestedGenerator: &argov1alpha1.ApplicationSetGenerator{
+					Git: &argov1alpha1.GitGenerator{
+						RepoURL:  "https://somewhere.com/per-cluster/{{.name}}.git",
+						Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+						Revision: "main",
+						Values:   map[string]string{},
+						Template: applicationSetTemplate,
+					},
+				},
+				params: map[string]any{
+					"name":   "in-cluster",
+					"server": "https://kubernetes.default.svc",
+				},
+				useGoTemplate:     true,
+				goTemplateOptions: []string{},
+			},
+			want: argov1alpha1.ApplicationSetGenerator{
+				Git: &argov1alpha1.GitGenerator{
+					RepoURL:     "https://somewhere.com/per-cluster/in-cluster.git",
+					Files:       []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+					Revision:    "main",
+					Values:      map[string]string{},
+					Directories: []argov1alpha1.GitDirectoryGeneratorItem{},
+					Template:    applicationSetTemplate,
+				},
+			},
+			expectedErrStr: "",
+		},
+		{
+			name: "Generator with values set without go templates",
+			args: args{
+				requestedGenerator: &argov1alpha1.ApplicationSetGenerator{
+					Git: &argov1alpha1.GitGenerator{
+						RepoURL:  "https://somewhere.com/per-cluster/{{name}}.git",
+						Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+						Revision: "main",
+						Values: map[string]string{
+							"appname": "{{ .path.basenameNormalized }}",
+						},
+						Template: applicationSetTemplate,
+					},
+				},
+				params: map[string]any{
+					"name":   "in-cluster",
+					"server": "https://kubernetes.default.svc",
+				},
+				useGoTemplate: false,
+			},
+			want: argov1alpha1.ApplicationSetGenerator{
+				Git: &argov1alpha1.GitGenerator{
+					RepoURL:  "https://somewhere.com/per-cluster/in-cluster.git",
+					Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+					Revision: "main",
+					Values: map[string]string{
+						"appname": "{{ .path.basenameNormalized }}",
+					},
+					Directories: []argov1alpha1.GitDirectoryGeneratorItem{},
+					Template:    applicationSetTemplate,
+				},
+			},
+			expectedErrStr: "",
+		},
+		{
+			name: "Generator without values set and no go templates",
+			args: args{
+				requestedGenerator: &argov1alpha1.ApplicationSetGenerator{
+					Git: &argov1alpha1.GitGenerator{
+						RepoURL:  "https://somewhere.com/per-cluster/{{name}}.git",
+						Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+						Revision: "main",
+						Values:   map[string]string{},
+						Template: applicationSetTemplate,
+					},
+				},
+				params: map[string]any{
+					"name":   "in-cluster",
+					"server": "https://kubernetes.default.svc",
+				},
+				useGoTemplate: false,
+			},
+			want: argov1alpha1.ApplicationSetGenerator{
+				Git: &argov1alpha1.GitGenerator{
+					RepoURL:     "https://somewhere.com/per-cluster/in-cluster.git",
+					Files:       []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+					Revision:    "main",
+					Values:      map[string]string{},
+					Directories: []argov1alpha1.GitDirectoryGeneratorItem{},
+					Template:    applicationSetTemplate,
+				},
+			},
+			expectedErrStr: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := InterpolateGenerator(tt.args.requestedGenerator, tt.args.params, tt.args.useGoTemplate, tt.args.goTemplateOptions)
+			if tt.expectedErrStr != "" {
+				require.EqualError(t, err, tt.expectedErrStr)
+			} else {
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tt.want.Git.Values, got.Git.Values)
+			assert.Equal(t, tt.want.Git.Revision, got.Git.Revision)
+			assert.Equal(t, tt.want.Git.RepoURL, got.Git.RepoURL)
+			assert.Equal(t, tt.want.Git.Files, got.Git.Files)
+			assert.Equal(t, tt.want.Git.Directories, got.Git.Directories)
+			assert.Equal(t, tt.want.Git.Template, got.Git.Template)
+		})
+	}
+}
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@ -3,6 +3,7 @@ package generators
 import (
 	"context"
 	"fmt"
+	"maps"
 	"path"
 	"sort"
 	"strconv"
@ -168,9 +169,7 @@ func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1al
 		if err != nil {
 			return nil, err
 		}
-		for absPath, content := range retrievedFiles {
-			fileContentMap[absPath] = content
-		}
+		maps.Copy(fileContentMap, retrievedFiles)
 	}

 	// Now remove files matching any exclude pattern
@ -242,9 +241,7 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 		params := map[string]any{}

 		if useGoTemplate {
-			for k, v := range objectFound {
-				params[k] = v
-			}
+			maps.Copy(params, objectFound)

 			paramPath := map[string]any{}

@ -316,7 +313,7 @@ func (g *GitGenerator) filterApps(directories []argoprojiov1alpha1.GitDirectoryG
 				appExclude = true
 			}
 		}
-		// Whenever there is a path with exclude: true it wont be included, even if it is included in a different path pattern
+		// Whenever there is a path with exclude: true it won't be included, even if it is included in a different path pattern
 		if appInclude && !appExclude {
 			res = append(res, appPath)
 		}
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@ -9,7 +9,6 @@ import (
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

 	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
@ -111,13 +110,18 @@ foo:
 		{
 			name: "file parameters are added to params with go template",
 			args: args{
-				filePath:      "path/dir/file_name.yaml",
-				fileContent:   defaultContent,
-				values:        map[string]string{},
+				filePath:    "path/dir/file_name.yaml",
+				fileContent: defaultContent,
+				values: map[string]string{
+					"somekey": "{{.path.basename}}",
+				},
 				useGoTemplate: true,
 			},
 			want: []map[string]any{
 				{
+					"values": map[string]string{
+						"somekey": "dir",
+					},
 					"foo": map[string]any{
 						"bar": "baz",
 					},
@ -165,6 +169,41 @@ foo:
 				},
 			},
 		},
+		{
+			name: "path parameter are prefixed with go template and values",
+			args: args{
+				filePath:    "path/dir/file_name.yaml",
+				fileContent: defaultContent,
+				values: map[string]string{
+					"somekey": "{{.myRepo.path.basename}}",
+				},
+				useGoTemplate:   true,
+				pathParamPrefix: "myRepo",
+			},
+			want: []map[string]any{
+				{
+					"foo": map[string]any{
+						"bar": "baz",
+					},
+					"myRepo": map[string]any{
+						"path": map[string]any{
+							"path":               "path/dir",
+							"basename":           "dir",
+							"filename":           "file_name.yaml",
+							"basenameNormalized": "dir",
+							"filenameNormalized": "file-name.yaml",
+							"segments": []string{
+								"path",
+								"dir",
+							},
+						},
+					},
+					"values": map[string]string{
+						"somekey": "dir",
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -2423,7 +2462,7 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 				},
 			},
 			expected:        []map[string]any{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
-			expectedProject: ptr.To("project"),
+			expectedProject: new("project"),
 			expectedError:   nil,
 		},
 		{
@ -2457,7 +2496,7 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 				},
 			},
 			expected:        []map[string]any{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
-			expectedProject: ptr.To(""),
+			expectedProject: new(""),
 			expectedError:   nil,
 		},
 	}
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@ -8,7 +8,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	kubefake "k8s.io/client-go/kubernetes/fake"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

@ -624,11 +623,6 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 			Type: corev1.SecretType("Opaque"),
 		},
 	}
-	// convert []client.Object to []runtime.Object, for use by kubefake package
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}

 	for _, testCase := range testCases {
 		testCaseCopy := testCase // Since tests may run in parallel
@ -637,13 +631,12 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{}

-			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
 			cl := &possiblyErroringFakeCtrlRuntimeClient{
 				fakeClient,
 				testCase.clientError,
 			}
-			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, "namespace")

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := v1alpha1.ApplicationSetGenerator{
@ -803,11 +796,6 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 			Type: corev1.SecretType("Opaque"),
 		},
 	}
-	// convert []client.Object to []runtime.Object, for use by kubefake package
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}

 	for _, testCase := range testCases {
 		testCaseCopy := testCase // Since tests may run in parallel
@ -820,13 +808,12 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 				},
 			}

-			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
 			cl := &possiblyErroringFakeCtrlRuntimeClient{
 				fakeClient,
 				testCase.clientError,
 			}
-			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, "namespace")

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := v1alpha1.ApplicationSetGenerator{
@ -1113,3 +1100,85 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 		"test":                    "content",
 	}}, params)
 }
+
+func TestGitGenerator_GenerateParams_list_x_git_matrix_generator_go_templates_values(t *testing.T) {
+	// Given a matrix generator over a list generator and a git  generator with values,
+	// that contain a template that refers to got generator output parameters.
+	// This tests for a specific bug where the second generator in the matrix
+	// failed to evaluate value templates that referred to generator output parameters.
+
+	listGeneratorMock := &generatorsMock.Generator{}
+	listGeneratorMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]any{
+		{"some": "value"},
+	}, nil)
+	listGeneratorMock.EXPECT().GetTemplate(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&v1alpha1.ApplicationSetTemplate{})
+
+	gitGeneratorSpec := &v1alpha1.GitGenerator{
+		RepoURL: "https://git.example.com",
+		Files: []v1alpha1.GitFileGeneratorItem{
+			{Path: "some/path.json"},
+		},
+		Values: map[string]string{
+			"foo": "{{.path.basename}}",
+		},
+	}
+
+	repoServiceMock := &servicesMocks.Repos{}
+	repoServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
+		"some/path.json": []byte("test: content"),
+	}, nil).Maybe()
+	gitGenerator := NewGitGenerator(repoServiceMock, "")
+
+	matrixGenerator := NewMatrixGenerator(map[string]Generator{
+		"List": listGeneratorMock,
+		"Git":  gitGenerator,
+	})
+
+	matrixGeneratorSpec := &v1alpha1.MatrixGenerator{
+		Generators: []v1alpha1.ApplicationSetNestedGenerator{
+			{
+				List: &v1alpha1.ListGenerator{
+					Elements: []apiextensionsv1.JSON{
+						{
+							Raw: []byte(`{"some": "value"}`),
+						},
+					},
+				},
+			},
+			{
+				Git: gitGeneratorSpec,
+			},
+		},
+	}
+
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+	appProject := v1alpha1.AppProject{}
+
+	client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+	params, err := matrixGenerator.GenerateParams(&v1alpha1.ApplicationSetGenerator{
+		Matrix: matrixGeneratorSpec,
+	}, &v1alpha1.ApplicationSet{
+		Spec: v1alpha1.ApplicationSetSpec{
+			GoTemplate: true,
+		},
+	}, client)
+	require.NoError(t, err)
+	assert.Equal(t, []map[string]any{{
+		"path": map[string]any{
+			"basename":           "some",
+			"basenameNormalized": "some",
+			"filename":           "path.json",
+			"filenameNormalized": "path.json",
+			"path":               "some",
+			"segments":           []string{"some"},
+		},
+		"some": "value",
+		"test": "content",
+		"values": map[string]string{
+			"foo": "some",
+		},
+	}}, params)
+}
--- a/applicationset/generators/plugin.go
+++ b/applicationset/generators/plugin.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"strconv"
 	"strings"
 	"time"
@ -115,9 +116,7 @@ func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.App
 		params := map[string]any{}

 		if useGoTemplate {
-			for k, v := range objectFound {
-				params[k] = v
-			}
+			maps.Copy(params, objectFound)
 		} else {
 			flat, err := flatten.Flatten(objectFound, "", flatten.DotStyle)
 			if err != nil {
--- a/applicationset/generators/pull_request.go
+++ b/applicationset/generators/pull_request.go
@ -96,15 +96,9 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	var shortSHALength int
 	var shortSHALength7 int
 	for _, pull := range pulls {
-		shortSHALength = 8
-		if len(pull.HeadSHA) < 8 {
-			shortSHALength = len(pull.HeadSHA)
-		}
+		shortSHALength = min(len(pull.HeadSHA), 8)

-		shortSHALength7 = 7
-		if len(pull.HeadSHA) < 7 {
-			shortSHALength7 = len(pull.HeadSHA)
-		}
+		shortSHALength7 = min(len(pull.HeadSHA), 7)

 		paramMap := map[string]any{
 			"number":             strconv.FormatInt(pull.Number, 10),
--- a/applicationset/generators/scm_provider.go
+++ b/applicationset/generators/scm_provider.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"time"

@ -105,10 +106,8 @@ func ScmProviderAllowed(applicationSetInfo *argoprojiov1alpha1.ApplicationSet, g
 		return nil
 	}

-	for _, allowedScmProvider := range allowedScmProviders {
-		if url == allowedScmProvider {
-			return nil
-		}
+	if slices.Contains(allowedScmProviders, url) {
+		return nil
 	}

 	log.WithFields(log.Fields{
@ -165,7 +164,7 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Gitlab token: %w", err)
 		}
-		provider, err = scm_provider.NewGitlabProvider(providerConfig.Group, token, providerConfig.API, providerConfig.AllBranches, providerConfig.IncludeSubgroups, providerConfig.WillIncludeSharedProjects(), providerConfig.Insecure, g.scmRootCAPath, providerConfig.Topic, caCerts)
+		provider, err = scm_provider.NewGitlabProvider(providerConfig.Group, token, providerConfig.API, providerConfig.AllBranches, providerConfig.IncludeSubgroups, providerConfig.WillIncludeSharedProjects(), providerConfig.IncludeArchivedRepos, providerConfig.Insecure, g.scmRootCAPath, providerConfig.Topic, caCerts)
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Gitlab service: %w", err)
 		}
@ -174,7 +173,7 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Gitea token: %w", err)
 		}
-		provider, err = scm_provider.NewGiteaProvider(providerConfig.Gitea.Owner, token, providerConfig.Gitea.API, providerConfig.Gitea.AllBranches, providerConfig.Gitea.Insecure)
+		provider, err = scm_provider.NewGiteaProvider(providerConfig.Gitea.Owner, token, providerConfig.Gitea.API, providerConfig.Gitea.AllBranches, providerConfig.Gitea.Insecure, providerConfig.Gitea.ExcludeArchivedRepos)
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Gitea service: %w", err)
 		}
@ -244,15 +243,9 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	var shortSHALength int
 	var shortSHALength7 int
 	for _, repo := range repos {
-		shortSHALength = 8
-		if len(repo.SHA) < 8 {
-			shortSHALength = len(repo.SHA)
-		}
+		shortSHALength = min(len(repo.SHA), 8)

-		shortSHALength7 = 7
-		if len(repo.SHA) < 7 {
-			shortSHALength7 = len(repo.SHA)
-		}
+		shortSHALength7 = min(len(repo.SHA), 7)

 		params := map[string]any{
 			"organization":     repo.Organization,
@ -296,9 +289,9 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 		}

 		if g.enableGitHubAPIMetrics {
-			return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches, httpClient)
+			return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches, github.ExcludeArchivedRepos, httpClient)
 		}
-		return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches)
+		return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches, github.ExcludeArchivedRepos)
 	}

 	token, err := utils.GetSecretRef(ctx, g.client, github.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
@ -307,7 +300,7 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 	}

 	if g.enableGitHubAPIMetrics {
-		return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches, httpClient)
+		return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches, github.ExcludeArchivedRepos, httpClient)
 	}
-	return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches)
+	return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches, github.ExcludeArchivedRepos)
 }
--- a/applicationset/generators/utils.go
+++ b/applicationset/generators/utils.go
@ -8,15 +8,16 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/argoproj/argo-cd/v3/applicationset/services"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

-func GetGenerators(ctx context.Context, c client.Client, k8sClient kubernetes.Interface, controllerNamespace string, argoCDService services.Repos, dynamicClient dynamic.Interface, scmConfig SCMConfig) map[string]Generator {
+func GetGenerators(ctx context.Context, c client.Client, k8sClient kubernetes.Interface, controllerNamespace string, argoCDService services.Repos, dynamicClient dynamic.Interface, scmConfig SCMConfig, clusterInformer *settings.ClusterInformer) map[string]Generator {
 	terminalGenerators := map[string]Generator{
 		"List":                    NewListGenerator(),
-		"Clusters":                NewClusterGenerator(ctx, c, k8sClient, controllerNamespace),
+		"Clusters":                NewClusterGenerator(c, controllerNamespace),
 		"Git":                     NewGitGenerator(argoCDService, controllerNamespace),
 		"SCMProvider":             NewSCMProviderGenerator(c, scmConfig),
-		"ClusterDecisionResource": NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, controllerNamespace),
+		"ClusterDecisionResource": NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, controllerNamespace, clusterInformer),
 		"PullRequest":             NewPullRequestGenerator(c, scmConfig),
 		"Plugin":                  NewPluginGenerator(c, controllerNamespace),
 	}
--- a/applicationset/generators/value_interpolation.go
+++ b/applicationset/generators/value_interpolation.go
@ -2,6 +2,7 @@ package generators

 import (
 	"fmt"
+	"maps"
 )

 func appendTemplatedValues(values map[string]string, params map[string]any, useGoTemplate bool, goTemplateOptions []string) error {
@ -26,9 +27,7 @@ func appendTemplatedValues(values map[string]string, params map[string]any, useG
 		}
 	}

-	for key, value := range tmp {
-		params[key] = value
-	}
+	maps.Copy(params, tmp)

 	return nil
 }
--- a/applicationset/metrics/metrics_test.go
+++ b/applicationset/metrics/metrics_test.go
@ -151,9 +151,9 @@ spec:
 func newFakeAppsets(fakeAppsetYAML string) []argoappv1.ApplicationSet {
 	var results []argoappv1.ApplicationSet

-	appsetRawYamls := strings.Split(fakeAppsetYAML, "---")
+	appsetRawYamls := strings.SplitSeq(fakeAppsetYAML, "---")

-	for _, appsetRawYaml := range appsetRawYamls {
+	for appsetRawYaml := range appsetRawYamls {
 		var appset argoappv1.ApplicationSet
 		err := yaml.Unmarshal([]byte(appsetRawYaml), &appset)
 		if err != nil {
--- a/applicationset/services/pull_request/azure_devops.go
+++ b/applicationset/services/pull_request/azure_devops.go
@ -3,6 +3,7 @@ package pull_request
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"

 	"github.com/microsoft/azure-devops-go-api/azuredevops/v7"
@ -136,13 +137,7 @@ func convertLabels(tags *[]core.WebApiTagDefinition) []string {
 // containAzureDevOpsLabels returns true if gotLabels contains expectedLabels
 func containAzureDevOpsLabels(expectedLabels []string, gotLabels []string) bool {
 	for _, expected := range expectedLabels {
-		found := false
-		for _, got := range gotLabels {
-			if expected == got {
-				found = true
-				break
-			}
-		}
+		found := slices.Contains(gotLabels, expected)
 		if !found {
 			return false
 		}
--- a/applicationset/services/pull_request/azure_devops_test.go
+++ b/applicationset/services/pull_request/azure_devops_test.go
@ -15,26 +15,6 @@ import (
 	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 )

-func createBoolPtr(x bool) *bool {
-	return &x
-}
-
-func createStringPtr(x string) *string {
-	return &x
-}
-
-func createIntPtr(x int) *int {
-	return &x
-}
-
-func createLabelsPtr(x []core.WebApiTagDefinition) *[]core.WebApiTagDefinition {
-	return &x
-}
-
-func createUniqueNamePtr(x string) *string {
-	return &x
-}
-
 func TestListPullRequest(t *testing.T) {
 	teamProject := "myorg_project"
 	repoName := "myorg_project_repo"
@ -46,19 +26,19 @@ func TestListPullRequest(t *testing.T) {

 	pullRequestMock := []git.GitPullRequest{
 		{
-			PullRequestId: createIntPtr(prID),
-			Title:         createStringPtr(prTitle),
-			SourceRefName: createStringPtr("refs/heads/feature-branch"),
-			TargetRefName: createStringPtr("refs/heads/main"),
+			PullRequestId: new(prID),
+			Title:         new(prTitle),
+			SourceRefName: new("refs/heads/feature-branch"),
+			TargetRefName: new("refs/heads/main"),
 			LastMergeSourceCommit: &git.GitCommitRef{
-				CommitId: createStringPtr(prHeadSha),
+				CommitId: new(prHeadSha),
 			},
 			Labels: &[]core.WebApiTagDefinition{},
 			Repository: &git.GitRepository{
-				Name: createStringPtr(repoName),
+				Name: new(repoName),
 			},
 			CreatedBy: &webapi.IdentityRef{
-				UniqueName: createUniqueNamePtr(uniqueName + "@example.com"),
+				UniqueName: new(uniqueName + "@example.com"),
 			},
 		},
 	}
@ -99,27 +79,27 @@ func TestConvertLabes(t *testing.T) {
 	}{
 		{
 			name:           "empty labels",
-			gotLabels:      createLabelsPtr([]core.WebApiTagDefinition{}),
+			gotLabels:      &[]core.WebApiTagDefinition{},
 			expectedLabels: []string{},
 		},
 		{
 			name:           "nil labels",
-			gotLabels:      createLabelsPtr(nil),
+			gotLabels:      nil,
 			expectedLabels: []string{},
 		},
 		{
 			name: "one label",
-			gotLabels: createLabelsPtr([]core.WebApiTagDefinition{
-				{Name: createStringPtr("label1"), Active: createBoolPtr(true)},
-			}),
+			gotLabels: &[]core.WebApiTagDefinition{
+				{Name: new("label1"), Active: new(true)},
+			},
 			expectedLabels: []string{"label1"},
 		},
 		{
 			name: "two label",
-			gotLabels: createLabelsPtr([]core.WebApiTagDefinition{
-				{Name: createStringPtr("label1"), Active: createBoolPtr(true)},
-				{Name: createStringPtr("label2"), Active: createBoolPtr(true)},
-			}),
+			gotLabels: &[]core.WebApiTagDefinition{
+				{Name: new("label1"), Active: new(true)},
+				{Name: new("label2"), Active: new(true)},
+			},
 			expectedLabels: []string{"label1", "label2"},
 		},
 	}
@ -216,7 +196,7 @@ func TestBuildURL(t *testing.T) {

 func TestAzureDevOpsListReturnsRepositoryNotFoundError(t *testing.T) {
 	args := git.GetPullRequestsByProjectArgs{
-		Project:        createStringPtr("nonexistent"),
+		Project:        new("nonexistent"),
 		SearchCriteria: &git.GitPullRequestSearchCriteria{},
 	}

--- a/applicationset/services/pull_request/bitbucket_server_test.go
+++ b/applicationset/services/pull_request/bitbucket_server_test.go
@ -268,7 +268,6 @@ func TestListPullRequestTLS(t *testing.T) {
 	}

 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				defaultHandler(t)(w, r)
--- a/applicationset/services/pull_request/gitea.go
+++ b/applicationset/services/pull_request/gitea.go
@ -83,7 +83,7 @@ func (g *GiteaService) List(ctx context.Context) ([]*PullRequest, error) {
 // containLabels returns true if gotLabels contains expectedLabels
 func giteaContainLabels(expectedLabels []string, gotLabels []*gitea.Label) bool {
 	gotLabelNamesMap := make(map[string]bool)
-	for i := 0; i < len(gotLabels); i++ {
+	for i := range gotLabels {
 		gotLabelNamesMap[gotLabels[i].Name] = true
 	}
 	for _, expected := range expectedLabels {
--- a/applicationset/services/pull_request/github_test.go
+++ b/applicationset/services/pull_request/github_test.go
@ -10,10 +10,6 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func toPtr(s string) *string {
-	return &s
-}
-
 func TestContainLabels(t *testing.T) {
 	cases := []struct {
 		Name       string
@ -25,9 +21,9 @@ func TestContainLabels(t *testing.T) {
 			Name:   "Match labels",
 			Labels: []string{"label1", "label2"},
 			PullLabels: []*github.Label{
-				{Name: toPtr("label1")},
-				{Name: toPtr("label2")},
-				{Name: toPtr("label3")},
+				{Name: new("label1")},
+				{Name: new("label2")},
+				{Name: new("label3")},
 			},
 			Expect: true,
 		},
@ -35,9 +31,9 @@ func TestContainLabels(t *testing.T) {
 			Name:   "Not match labels",
 			Labels: []string{"label1", "label4"},
 			PullLabels: []*github.Label{
-				{Name: toPtr("label1")},
-				{Name: toPtr("label2")},
-				{Name: toPtr("label3")},
+				{Name: new("label1")},
+				{Name: new("label2")},
+				{Name: new("label3")},
 			},
 			Expect: false,
 		},
@ -45,9 +41,9 @@ func TestContainLabels(t *testing.T) {
 			Name:   "No specify",
 			Labels: []string{},
 			PullLabels: []*github.Label{
-				{Name: toPtr("label1")},
-				{Name: toPtr("label2")},
-				{Name: toPtr("label3")},
+				{Name: new("label1")},
+				{Name: new("label2")},
+				{Name: new("label3")},
 			},
 			Expect: true,
 		},
@ -70,9 +66,9 @@ func TestGetGitHubPRLabelNames(t *testing.T) {
 		{
 			Name: "PR has labels",
 			PullLabels: []*github.Label{
-				{Name: toPtr("label1")},
-				{Name: toPtr("label2")},
-				{Name: toPtr("label3")},
+				{Name: new("label1")},
+				{Name: new("label2")},
+				{Name: new("label3")},
 			},
 			ExpectedResult: []string{"label1", "label2", "label3"},
 		},
--- a/applicationset/services/pull_request/gitlab_test.go
+++ b/applicationset/services/pull_request/gitlab_test.go
@ -158,7 +158,6 @@ func TestListWithStateTLS(t *testing.T) {
 	}

 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 				writeMRListResponse(t, w)
--- a/applicationset/services/pull_request/utils_test.go
+++ b/applicationset/services/pull_request/utils_test.go
@ -9,10 +9,6 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-func strp(s string) *string {
-	return &s
-}
-
 func TestFilterBranchMatchBadRegexp(t *testing.T) {
 	provider, _ := NewFakeService(
 		t.Context(),
@ -30,7 +26,7 @@ func TestFilterBranchMatchBadRegexp(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			BranchMatch: strp("("),
+			BranchMatch: new("("),
 		},
 	}
 	_, err := ListPullRequests(t.Context(), provider, filters)
@ -78,7 +74,7 @@ func TestFilterBranchMatch(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			BranchMatch: strp("w"),
+			BranchMatch: new("w"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -128,7 +124,7 @@ func TestFilterTargetBranchMatch(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			TargetBranchMatch: strp("1"),
+			TargetBranchMatch: new("1"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -178,7 +174,7 @@ func TestFilterTitleMatch(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			TitleMatch: strp("\\[filter]"),
+			TitleMatch: new("\\[filter]"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -228,10 +224,10 @@ func TestMultiFilterOrWithTitle(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			TitleMatch: strp("\\[filter]"),
+			TitleMatch: new("\\[filter]"),
 		},
 		{
-			TitleMatch: strp("- filter"),
+			TitleMatch: new("- filter"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -282,10 +278,10 @@ func TestMultiFilterOr(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			BranchMatch: strp("w"),
+			BranchMatch: new("w"),
 		},
 		{
-			BranchMatch: strp("r"),
+			BranchMatch: new("r"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -345,19 +341,19 @@ func TestMultiFilterOrWithTargetBranchFilterOrWithTitleFilter(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			BranchMatch:       strp("w"),
-			TargetBranchMatch: strp("1"),
+			BranchMatch:       new("w"),
+			TargetBranchMatch: new("1"),
 		},
 		{
-			BranchMatch:       strp("r"),
-			TargetBranchMatch: strp("3"),
+			BranchMatch:       new("r"),
+			TargetBranchMatch: new("3"),
 		},
 		{
-			TitleMatch: strp("two"),
+			TitleMatch: new("two"),
 		},
 		{
-			BranchMatch: strp("five"),
-			TitleMatch:  strp("PR title is different than branch name"),
+			BranchMatch: new("five"),
+			TitleMatch:  new("PR title is different than branch name"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
--- a/applicationset/services/scm_provider/aws_codecommit.go
+++ b/applicationset/services/scm_provider/aws_codecommit.go
@ -10,16 +10,19 @@ import (
 	"slices"
 	"strings"

-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/arn"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/codecommit"
-	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
+	rgsatypes "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+	"github.com/aws/aws-sdk-go-v2/service/codecommit"
+	codecommittypes "github.com/aws/aws-sdk-go-v2/service/codecommit/types"
+	"github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi"
 	log "github.com/sirupsen/logrus"

+	"github.com/aws/aws-sdk-go-v2/config"
+
 	application "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

@ -32,16 +35,16 @@ const (
 // AWSCodeCommitClient is a lean facade to the codecommitiface.CodeCommitAPI
 // it helps to reduce the mockery generated code.
 type AWSCodeCommitClient interface {
-	ListRepositoriesWithContext(aws.Context, *codecommit.ListRepositoriesInput, ...request.Option) (*codecommit.ListRepositoriesOutput, error)
-	GetRepositoryWithContext(aws.Context, *codecommit.GetRepositoryInput, ...request.Option) (*codecommit.GetRepositoryOutput, error)
-	ListBranchesWithContext(aws.Context, *codecommit.ListBranchesInput, ...request.Option) (*codecommit.ListBranchesOutput, error)
-	GetFolderWithContext(aws.Context, *codecommit.GetFolderInput, ...request.Option) (*codecommit.GetFolderOutput, error)
+	ListRepositories(context.Context, *codecommit.ListRepositoriesInput, ...func(*codecommit.Options)) (*codecommit.ListRepositoriesOutput, error)
+	GetRepository(context.Context, *codecommit.GetRepositoryInput, ...func(*codecommit.Options)) (*codecommit.GetRepositoryOutput, error)
+	ListBranches(context.Context, *codecommit.ListBranchesInput, ...func(*codecommit.Options)) (*codecommit.ListBranchesOutput, error)
+	GetFolder(context.Context, *codecommit.GetFolderInput, ...func(*codecommit.Options)) (*codecommit.GetFolderOutput, error)
 }

 // AWSTaggingClient is a lean facade to the resourcegroupstaggingapiiface.ResourceGroupsTaggingAPIAPI
 // it helps to reduce the mockery generated code.
 type AWSTaggingClient interface {
-	GetResourcesWithContext(aws.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error)
+	GetResources(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error)
 }

 type AWSCodeCommitProvider struct {
@ -73,7 +76,7 @@ func (p *AWSCodeCommitProvider) ListRepos(ctx context.Context, cloneProtocol str
 	}

 	for _, repoName := range repoNames {
-		repo, err := p.codeCommitClient.GetRepositoryWithContext(ctx, &codecommit.GetRepositoryInput{
+		repo, err := p.codeCommitClient.GetRepository(ctx, &codecommit.GetRepositoryInput{
 			RepositoryName: aws.String(repoName),
 		})
 		if err != nil {
@ -85,7 +88,7 @@ func (p *AWSCodeCommitProvider) ListRepos(ctx context.Context, cloneProtocol str
 			log.Warnf("codecommit returned invalid response for repository %s, skipped", repoName)
 			continue
 		}
-		if aws.StringValue(repo.RepositoryMetadata.DefaultBranch) == "" {
+		if aws.ToString(repo.RepositoryMetadata.DefaultBranch) == "" {
 			// if a codecommit repo doesn't have default branch, it's uninitialized. not going to bother with it.
 			log.Warnf("repository %s does not have default branch, skipped", repoName)
 			continue
@ -94,11 +97,11 @@ func (p *AWSCodeCommitProvider) ListRepos(ctx context.Context, cloneProtocol str
 		switch cloneProtocol {
 		// default to SSH if unspecified (i.e. if "").
 		case "", "ssh":
-			url = aws.StringValue(repo.RepositoryMetadata.CloneUrlSsh)
+			url = aws.ToString(repo.RepositoryMetadata.CloneUrlSsh)
 		case "https":
-			url = aws.StringValue(repo.RepositoryMetadata.CloneUrlHttp)
+			url = aws.ToString(repo.RepositoryMetadata.CloneUrlHttp)
 		case "https-fips":
-			url, err = getCodeCommitFIPSEndpoint(aws.StringValue(repo.RepositoryMetadata.CloneUrlHttp))
+			url, err = getCodeCommitFIPSEndpoint(aws.ToString(repo.RepositoryMetadata.CloneUrlHttp))
 			if err != nil {
 				return nil, fmt.Errorf("https-fips is provided but repoUrl can't be transformed to FIPS endpoint: %w", err)
 			}
@ -108,13 +111,13 @@ func (p *AWSCodeCommitProvider) ListRepos(ctx context.Context, cloneProtocol str
 		repos = append(repos, &Repository{
 			// there's no "organization" level at codecommit.
 			// we are just using AWS accountId for now.
-			Organization: aws.StringValue(repo.RepositoryMetadata.AccountId),
-			Repository:   aws.StringValue(repo.RepositoryMetadata.RepositoryName),
+			Organization: aws.ToString(repo.RepositoryMetadata.AccountId),
+			Repository:   aws.ToString(repo.RepositoryMetadata.RepositoryName),
 			URL:          url,
-			Branch:       aws.StringValue(repo.RepositoryMetadata.DefaultBranch),
+			Branch:       aws.ToString(repo.RepositoryMetadata.DefaultBranch),
 			// we could propagate repo tag keys, but without value not sure if it's any useful.
 			Labels:       []string{},
-			RepositoryId: aws.StringValue(repo.RepositoryMetadata.RepositoryId),
+			RepositoryId: aws.ToString(repo.RepositoryMetadata.RepositoryId),
 		})
 	}

@ -142,13 +145,9 @@ func (p *AWSCodeCommitProvider) RepoHasPath(ctx context.Context, repo *Repositor
 		FolderPath:      aws.String(parentPath),
 		RepositoryName:  aws.String(repo.Repository),
 	}
-	output, err := p.codeCommitClient.GetFolderWithContext(ctx, input)
+	output, err := p.codeCommitClient.GetFolder(ctx, input)
 	if err != nil {
-		if hasAwsError(err,
-			codecommit.ErrCodeRepositoryDoesNotExistException,
-			codecommit.ErrCodeCommitDoesNotExistException,
-			codecommit.ErrCodeFolderDoesNotExistException,
-		) {
+		if hasAwsError(err) {
 			return false, nil
 		}
 		// unhandled exception, propagate out
@ -157,22 +156,22 @@ func (p *AWSCodeCommitProvider) RepoHasPath(ctx context.Context, repo *Repositor

 	// anything that matches.
 	for _, submodule := range output.SubModules {
-		if basePath == aws.StringValue(submodule.RelativePath) {
+		if basePath == aws.ToString(submodule.RelativePath) {
 			return true, nil
 		}
 	}
 	for _, subpath := range output.SubFolders {
-		if basePath == aws.StringValue(subpath.RelativePath) {
+		if basePath == aws.ToString(subpath.RelativePath) {
 			return true, nil
 		}
 	}
 	for _, subpath := range output.Files {
-		if basePath == aws.StringValue(subpath.RelativePath) {
+		if basePath == aws.ToString(subpath.RelativePath) {
 			return true, nil
 		}
 	}
 	for _, subpath := range output.SymbolicLinks {
-		if basePath == aws.StringValue(subpath.RelativePath) {
+		if basePath == aws.ToString(subpath.RelativePath) {
 			return true, nil
 		}
 	}
@ -182,7 +181,7 @@ func (p *AWSCodeCommitProvider) RepoHasPath(ctx context.Context, repo *Repositor
 func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repository) ([]*Repository, error) {
 	repos := make([]*Repository, 0)
 	if !p.allBranches {
-		output, err := p.codeCommitClient.GetRepositoryWithContext(ctx, &codecommit.GetRepositoryInput{
+		output, err := p.codeCommitClient.GetRepository(ctx, &codecommit.GetRepositoryInput{
 			RepositoryName: aws.String(repo.Repository),
 		})
 		if err != nil {
@ -192,7 +191,7 @@ func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repositor
 			Organization: repo.Organization,
 			Repository:   repo.Repository,
 			URL:          repo.URL,
-			Branch:       aws.StringValue(output.RepositoryMetadata.DefaultBranch),
+			Branch:       aws.ToString(output.RepositoryMetadata.DefaultBranch),
 			RepositoryId: repo.RepositoryId,
 			Labels:       repo.Labels,
 			// getting SHA of the branch requires a separate GetBranch call.
@ -204,7 +203,7 @@ func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repositor
 			RepositoryName: aws.String(repo.Repository),
 		}
 		for {
-			output, err := p.codeCommitClient.ListBranchesWithContext(ctx, input)
+			output, err := p.codeCommitClient.ListBranches(ctx, input)
 			if err != nil {
 				return nil, err
 			}
@ -213,7 +212,7 @@ func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repositor
 					Organization: repo.Organization,
 					Repository:   repo.Repository,
 					URL:          repo.URL,
-					Branch:       aws.StringValue(branch),
+					Branch:       branch,
 					RepositoryId: repo.RepositoryId,
 					Labels:       repo.Labels,
 					// getting SHA of the branch requires a separate GetBranch call.
@ -222,7 +221,7 @@ func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repositor
 				})
 			}
 			input.NextToken = output.NextToken
-			if aws.StringValue(output.NextToken) == "" {
+			if aws.ToString(output.NextToken) == "" {
 				break
 			}
 		}
@ -241,32 +240,32 @@ func (p *AWSCodeCommitProvider) listRepoNames(ctx context.Context) ([]string, er
 		listReposInput := &codecommit.ListRepositoriesInput{}
 		var output *codecommit.ListRepositoriesOutput
 		for {
-			output, err = p.codeCommitClient.ListRepositoriesWithContext(ctx, listReposInput)
+			output, err = p.codeCommitClient.ListRepositories(ctx, listReposInput)
 			if err != nil {
 				break
 			}
 			for _, repo := range output.Repositories {
-				repoNames = append(repoNames, aws.StringValue(repo.RepositoryName))
+				repoNames = append(repoNames, aws.ToString(repo.RepositoryName))
 			}
 			listReposInput.NextToken = output.NextToken
-			if aws.StringValue(output.NextToken) == "" {
+			if aws.ToString(output.NextToken) == "" {
 				break
 			}
 		}
 	} else {
 		log.Debugf("tag filer is specified, calling tagging api to list repos")
 		discoveryInput := &resourcegroupstaggingapi.GetResourcesInput{
-			ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
+			ResourceTypeFilters: []string{resourceTypeCodeCommitRepository},
 			TagFilters:          tagFilters,
 		}
 		var output *resourcegroupstaggingapi.GetResourcesOutput
 		for {
-			output, err = p.taggingClient.GetResourcesWithContext(ctx, discoveryInput)
+			output, err = p.taggingClient.GetResources(ctx, discoveryInput)
 			if err != nil {
 				break
 			}
 			for _, resource := range output.ResourceTagMappingList {
-				repoArn := aws.StringValue(resource.ResourceARN)
+				repoArn := aws.ToString(resource.ResourceARN)
 				log.Debugf("discovered codecommit repo with arn %s", repoArn)
 				repoName, extractErr := getCodeCommitRepoName(repoArn)
 				if extractErr != nil {
@ -276,7 +275,7 @@ func (p *AWSCodeCommitProvider) listRepoNames(ctx context.Context) ([]string, er
 				repoNames = append(repoNames, repoName)
 			}
 			discoveryInput.PaginationToken = output.PaginationToken
-			if aws.StringValue(output.PaginationToken) == "" {
+			if aws.ToString(output.PaginationToken) == "" {
 				break
 			}
 		}
@ -284,19 +283,20 @@ func (p *AWSCodeCommitProvider) listRepoNames(ctx context.Context) ([]string, er
 	return repoNames, err
 }

-func (p *AWSCodeCommitProvider) getTagFilters() []*resourcegroupstaggingapi.TagFilter {
-	filters := make(map[string]*resourcegroupstaggingapi.TagFilter)
+// getTagFilters filters by tag
+func (p *AWSCodeCommitProvider) getTagFilters() []rgsatypes.TagFilter {
+	filters := make(map[string]rgsatypes.TagFilter)
 	for _, tagFilter := range p.tagFilters {
-		filter, hasKey := filters[tagFilter.Key]
-		if !hasKey {
-			filter = &resourcegroupstaggingapi.TagFilter{
+		filter := filters[tagFilter.Key]
+		if filter.Key == nil {
+			filter = rgsatypes.TagFilter{
 				Key: aws.String(tagFilter.Key),
 			}
-			filters[tagFilter.Key] = filter
 		}
 		if tagFilter.Value != "" {
-			filter.Values = append(filter.Values, aws.String(tagFilter.Value))
+			filter.Values = append(filter.Values, tagFilter.Value)
 		}
+		filters[tagFilter.Key] = filter
 	}
 	return slices.Collect(maps.Values(filters))
 }
@ -326,12 +326,15 @@ func getCodeCommitFIPSEndpoint(repoURL string) (string, error) {
 	return strings.Replace(repoURL, prefixGitURLHTTPS, prefixGitURLHTTPSFIPS, 1), nil
 }

-func hasAwsError(err error, codes ...string) bool {
-	var awsErr awserr.Error
-	if errors.As(err, &awsErr) {
-		return slices.Contains(codes, awsErr.Code())
-	}
-	return false
+func hasAwsError(err error) bool {
+	// Check for common CodeCommit exceptions using SDK v2 typed errors
+	var repoNotFound *codecommittypes.RepositoryDoesNotExistException
+	var commitNotFound *codecommittypes.CommitDoesNotExistException
+	var folderNotFound *codecommittypes.FolderDoesNotExistException
+
+	return errors.As(err, &repoNotFound) ||
+		errors.As(err, &commitNotFound) ||
+		errors.As(err, &folderNotFound)
 }

 // toAbsolutePath transforms a path input to absolute path, as required by AWS CodeCommit
@ -343,37 +346,32 @@ func toAbsolutePath(path string) string {
 	return filepath.ToSlash(filepath.Join("/", path)) //nolint:gocritic // Prepend slash to have an absolute path
 }

-func createAWSDiscoveryClients(_ context.Context, role string, region string) (*resourcegroupstaggingapi.ResourceGroupsTaggingAPI, *codecommit.CodeCommit, error) {
-	podSession, err := session.NewSession()
-	if err != nil {
-		return nil, nil, fmt.Errorf("error creating new AWS pod session: %w", err)
-	}
-	discoverySession := podSession
-	// assume role if provided - this allows cross account CodeCommit repo discovery.
-	if role != "" {
-		log.Debugf("role %s is provided for AWS CodeCommit discovery", role)
-		assumeRoleCreds := stscreds.NewCredentials(podSession, role)
-		discoverySession, err = session.NewSession(&aws.Config{
-			Credentials: assumeRoleCreds,
-		})
-		if err != nil {
-			return nil, nil, fmt.Errorf("error creating new AWS discovery session: %w", err)
-		}
-	} else {
-		log.Debugf("role is not provided for AWS CodeCommit discovery, using pod role")
-	}
-	// use region explicitly if provided  - this allows cross region CodeCommit repo discovery.
+// createAWSDiscoveryClients creates AWS clients
+func createAWSDiscoveryClients(ctx context.Context, role string, region string) (*resourcegroupstaggingapi.Client, *codecommit.Client, error) {
+	var configOpts []func(*config.LoadOptions) error
 	if region != "" {
 		log.Debugf("region %s is provided for AWS CodeCommit discovery", region)
-		discoverySession = discoverySession.Copy(&aws.Config{
-			Region: aws.String(region),
-		})
+		configOpts = append(configOpts, config.WithRegion(region))
 	} else {
 		log.Debugf("region is not provided for AWS CodeCommit discovery, using pod region")
 	}
+	// Load the default config based on config options
+	cfg, err := config.LoadDefaultConfig(ctx, configOpts...)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error loading default config: %w", err)
+	}
+	client := sts.NewFromConfig(cfg)
+	// assume role if provided - this allows cross account CodeCommit repo discovery.
+	if role != "" {
+		log.Debugf("role %s is provided for AWS CodeCommit discovery", role)
+		assumeRoleCreds := stscreds.NewAssumeRoleProvider(client, role)
+		cfg.Credentials = aws.NewCredentialsCache(assumeRoleCreds)
+	} else {
+		log.Debugf("role is not provided for AWS CodeCommit discovery, using pod role")
+	}

-	taggingClient := resourcegroupstaggingapi.New(discoverySession)
-	codeCommitClient := codecommit.New(discoverySession)
+	taggingClient := resourcegroupstaggingapi.NewFromConfig(cfg)
+	codeCommitClient := codecommit.NewFromConfig(cfg)

 	return taggingClient, codeCommitClient, nil
 }
--- a/applicationset/services/scm_provider/aws_codecommit_test.go
+++ b/applicationset/services/scm_provider/aws_codecommit_test.go
@ -5,10 +5,13 @@ import (
 	"sort"
 	"testing"

-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/codecommit"
-	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/codecommit"
+	codecommittypes "github.com/aws/aws-sdk-go-v2/service/codecommit/types"
+	"github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi"
+	rgsatypes "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types"
 	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

@ -34,7 +37,7 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 		repositories           []*awsCodeCommitTestRepository
 		cloneProtocol          string
 		tagFilters             []*v1alpha1.TagFilter
-		expectTagFilters       []*resourcegroupstaggingapi.TagFilter
+		expectTagFilters       []rgsatypes.TagFilter
 		listRepositoryError    error
 		expectOverallError     bool
 		expectListAtCodeCommit bool
@ -57,8 +60,8 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 				{Key: "key1", Value: "value2"},
 				{Key: "key2"},
 			},
-			expectTagFilters: []*resourcegroupstaggingapi.TagFilter{
-				{Key: aws.String("key1"), Values: aws.StringSlice([]string{"value1", "value2"})},
+			expectTagFilters: []rgsatypes.TagFilter{
+				{Key: aws.String("key1"), Values: []string{"value1", "value2"}},
 				{Key: aws.String("key2")},
 			},
 			expectOverallError:     false,
@ -80,7 +83,7 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			tagFilters: []*v1alpha1.TagFilter{
 				{Key: "key1"},
 			},
-			expectTagFilters: []*resourcegroupstaggingapi.TagFilter{
+			expectTagFilters: []rgsatypes.TagFilter{
 				{Key: aws.String("key1")},
 			},
 			expectOverallError:     false,
@ -160,12 +163,12 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			codeCommitClient := mocks.NewAWSCodeCommitClient(t)
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
-			codecommitRepoNameIdPairs := make([]*codecommit.RepositoryNameIdPair, 0)
-			resourceTaggings := make([]*resourcegroupstaggingapi.ResourceTagMapping, 0)
+			codecommitRepoNameIdPairs := make([]codecommittypes.RepositoryNameIdPair, 0)
+			resourceTaggings := make([]rgsatypes.ResourceTagMapping, 0)
 			validRepositories := make([]*awsCodeCommitTestRepository, 0)

 			for _, repo := range testCase.repositories {
-				repoMetadata := &codecommit.RepositoryMetadata{
+				repoMetadata := &codecommittypes.RepositoryMetadata{
 					AccountId:      aws.String(repo.accountId),
 					Arn:            aws.String(repo.arn),
 					CloneUrlHttp:   aws.String("https://git-codecommit.us-east-1.amazonaws.com/v1/repos/" + repo.name),
@ -177,13 +180,13 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 				if repo.getRepositoryNilMetadata {
 					repoMetadata = nil
 				}
-				codeCommitClient.EXPECT().GetRepositoryWithContext(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
+				codeCommitClient.EXPECT().GetRepository(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
 					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: repoMetadata}, repo.getRepositoryError).Maybe()
-				codecommitRepoNameIdPairs = append(codecommitRepoNameIdPairs, &codecommit.RepositoryNameIdPair{
+				codecommitRepoNameIdPairs = append(codecommitRepoNameIdPairs, codecommittypes.RepositoryNameIdPair{
 					RepositoryId:   aws.String(repo.id),
 					RepositoryName: aws.String(repo.name),
 				})
-				resourceTaggings = append(resourceTaggings, &resourcegroupstaggingapi.ResourceTagMapping{
+				resourceTaggings = append(resourceTaggings, rgsatypes.ResourceTagMapping{
 					ResourceARN: aws.String(repo.arn),
 				})
 				if repo.valid {
@ -192,14 +195,14 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			}

 			if testCase.expectListAtCodeCommit {
-				codeCommitClient.EXPECT().ListRepositoriesWithContext(mock.Anything, &codecommit.ListRepositoriesInput{}).
+				codeCommitClient.EXPECT().ListRepositories(mock.Anything, &codecommit.ListRepositoriesInput{}).
 					Return(&codecommit.ListRepositoriesOutput{
 						Repositories: codecommitRepoNameIdPairs,
 					}, testCase.listRepositoryError).Maybe()
 			} else {
-				taggingClient.EXPECT().GetResourcesWithContext(mock.Anything, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
+				taggingClient.EXPECT().GetResources(mock.Anything, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
 					TagFilters:          testCase.expectTagFilters,
-					ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
+					ResourceTypeFilters: []string{resourceTypeCodeCommitRepository},
 				}))).
 					Return(&resourcegroupstaggingapi.GetResourcesOutput{
 						ResourceTagMappingList: resourceTaggings,
@ -249,7 +252,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "lib/config.yaml",
 			expectedGetFolderPath: "/lib",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				Files: []*codecommit.File{
+				Files: []codecommittypes.File{
 					{RelativePath: aws.String("config.yaml")},
 				},
 			},
@ -261,7 +264,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "lib/config",
 			expectedGetFolderPath: "/lib",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				SubFolders: []*codecommit.Folder{
+				SubFolders: []codecommittypes.Folder{
 					{RelativePath: aws.String("config")},
 				},
 			},
@ -273,7 +276,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "/lib/submodule/",
 			expectedGetFolderPath: "/lib",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				SubModules: []*codecommit.SubModule{
+				SubModules: []codecommittypes.SubModule{
 					{RelativePath: aws.String("submodule")},
 				},
 			},
@ -285,7 +288,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "./lib/service.json",
 			expectedGetFolderPath: "/lib",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				SymbolicLinks: []*codecommit.SymbolicLink{
+				SymbolicLinks: []codecommittypes.SymbolicLink{
 					{RelativePath: aws.String("service.json")},
 				},
 			},
@ -297,16 +300,16 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "no-match.json",
 			expectedGetFolderPath: "/",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				Files: []*codecommit.File{
+				Files: []codecommittypes.File{
 					{RelativePath: aws.String("config.yaml")},
 				},
-				SubFolders: []*codecommit.Folder{
+				SubFolders: []codecommittypes.Folder{
 					{RelativePath: aws.String("config")},
 				},
-				SubModules: []*codecommit.SubModule{
+				SubModules: []codecommittypes.SubModule{
 					{RelativePath: aws.String("submodule")},
 				},
-				SymbolicLinks: []*codecommit.SymbolicLink{
+				SymbolicLinks: []codecommittypes.SymbolicLink{
 					{RelativePath: aws.String("service.json")},
 				},
 			},
@ -317,7 +320,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			name:                  "RepoHasPath when parent folder not found",
 			path:                  "lib/submodule",
 			expectedGetFolderPath: "/lib",
-			getFolderError:        &codecommit.FolderDoesNotExistException{},
+			getFolderError:        &codecommittypes.FolderDoesNotExistException{},
 			expectOverallError:    false,
 		},
 		{
@ -347,7 +350,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
 			if testCase.expectedGetFolderPath != "" {
-				codeCommitClient.EXPECT().GetFolderWithContext(mock.Anything, &codecommit.GetFolderInput{
+				codeCommitClient.EXPECT().GetFolder(mock.Anything, &codecommit.GetFolderInput{
 					CommitSpecifier: aws.String(branch),
 					FolderPath:      aws.String(testCase.expectedGetFolderPath),
 					RepositoryName:  aws.String(repoName),
@ -419,13 +422,15 @@ func TestAWSCodeCommitGetBranches(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
 			if testCase.allBranches {
-				codeCommitClient.EXPECT().ListBranchesWithContext(mock.Anything, &codecommit.ListBranchesInput{
+				branches := make([]string, len(testCase.branches))
+				copy(branches, testCase.branches)
+				codeCommitClient.EXPECT().ListBranches(mock.Anything, &codecommit.ListBranchesInput{
 					RepositoryName: aws.String(name),
 				}).
-					Return(&codecommit.ListBranchesOutput{Branches: aws.StringSlice(testCase.branches)}, testCase.apiError).Maybe()
+					Return(&codecommit.ListBranchesOutput{Branches: branches}, testCase.apiError).Maybe()
 			} else {
-				codeCommitClient.EXPECT().GetRepositoryWithContext(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
-					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: &codecommit.RepositoryMetadata{
+				codeCommitClient.EXPECT().GetRepository(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
+					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: &codecommittypes.RepositoryMetadata{
 						AccountId:     aws.String(organization),
 						DefaultBranch: aws.String(defaultBranch),
 					}}, testCase.apiError).Maybe()
@ -470,8 +475,22 @@ func TestAWSCodeCommitGetBranches(t *testing.T) {
 func equalIgnoringTagFilterOrder(expected *resourcegroupstaggingapi.GetResourcesInput) func(*resourcegroupstaggingapi.GetResourcesInput) bool {
 	return func(actual *resourcegroupstaggingapi.GetResourcesInput) bool {
 		sort.Slice(actual.TagFilters, func(i, j int) bool {
-			return *actual.TagFilters[i].Key < *actual.TagFilters[j].Key
+			keyI := ""
+			keyJ := ""
+			if actual.TagFilters[i].Key != nil {
+				keyI = *actual.TagFilters[i].Key
+			}
+			if actual.TagFilters[j].Key != nil {
+				keyJ = *actual.TagFilters[j].Key
+			}
+			return keyI < keyJ
 		})
-		return cmp.Equal(expected, actual)
+		// Ignore unexported fields in AWS SDK v2 types
+		return cmp.Equal(expected, actual,
+			cmpopts.IgnoreUnexported(
+				rgsatypes.TagFilter{},
+				resourcegroupstaggingapi.GetResourcesInput{},
+			),
+		)
 	}
 }
--- a/applicationset/services/scm_provider/azure_devops_test.go
+++ b/applicationset/services/scm_provider/azure_devops_test.go
@ -9,7 +9,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
-	"k8s.io/utils/ptr"

 	"github.com/microsoft/azure-devops-go-api/azuredevops/v7"
 	azureGit "github.com/microsoft/azure-devops-go-api/azuredevops/v7/git"
@ -18,10 +17,6 @@ import (
 	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 )

-func s(input string) *string {
-	return ptr.To(input)
-}
-
 func TestAzureDevopsRepoHasPath(t *testing.T) {
 	organization := "myorg"
 	teamProject := "myorg_project"
@ -51,12 +46,12 @@ func TestAzureDevopsRepoHasPath(t *testing.T) {
 		{
 			name:             "RepoHasPath when no path found returns false",
 			pathFound:        false,
-			azureDevopsError: azuredevops.WrappedError{TypeKey: s(AzureDevOpsErrorsTypeKeyValues.GitItemNotFound)},
+			azureDevopsError: azuredevops.WrappedError{TypeKey: new(AzureDevOpsErrorsTypeKeyValues.GitItemNotFound)},
 		},
 		{
 			name:             "RepoHasPath when unknown Azure DevOps WrappedError occurs returns error",
 			pathFound:        false,
-			azureDevopsError: azuredevops.WrappedError{TypeKey: s("OtherAzureDevopsException")},
+			azureDevopsError: azuredevops.WrappedError{TypeKey: new("OtherAzureDevopsException")},
 			returnError:      true,
 			errorMessage:     "failed to check for path existence",
 		},
@ -124,12 +119,12 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 	}{
 		{
 			name:              "azure devops error when disabled repo causes empty return value",
-			azureDevOpsError:  azuredevops.WrappedError{TypeKey: s(AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound)},
+			azureDevOpsError:  azuredevops.WrappedError{TypeKey: new(AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound)},
 			shouldReturnError: false,
 		},
 		{
 			name:              "azure devops error with unknown error type returns error",
-			azureDevOpsError:  azuredevops.WrappedError{TypeKey: s("OtherError")},
+			azureDevOpsError:  azuredevops.WrappedError{TypeKey: new("OtherError")},
 			shouldReturnError: true,
 		},
 		{
@ -181,12 +176,12 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 	}{
 		{
 			name:              "azure devops error when disabled repo causes empty return value",
-			azureDevOpsError:  azuredevops.WrappedError{TypeKey: s(AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound)},
+			azureDevOpsError:  azuredevops.WrappedError{TypeKey: new(AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound)},
 			shouldReturnError: false,
 		},
 		{
 			name:              "azure devops error with unknown error type returns error",
-			azureDevOpsError:  azuredevops.WrappedError{TypeKey: s("OtherError")},
+			azureDevOpsError:  azuredevops.WrappedError{TypeKey: new("OtherError")},
 			shouldReturnError: true,
 		},
 		{
@ -234,7 +229,7 @@ func TestAzureDevOpsGetDefaultBranchStripsRefsName(t *testing.T) {
 		strippedBranchName := "somebranch"
 		defaultBranch := fmt.Sprintf("refs/heads/%v", strippedBranchName)

-		branchReturn := &azureGit.GitBranchStats{Name: &strippedBranchName, Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}}
+		branchReturn := &azureGit.GitBranchStats{Name: &strippedBranchName, Commit: &azureGit.GitCommitRef{CommitId: new("abc123233223")}}
 		repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

 		gitClientMock := &azureMock.Client{}
@ -273,7 +268,7 @@ func TestAzureDevOpsGetBranchesDefultBranchOnly(t *testing.T) {
 	}{
 		{
 			name:           "GetBranches AllBranches false when single branch returned returns branch",
-			expectedBranch: &azureGit.GitBranchStats{Name: &defaultBranch, Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}},
+			expectedBranch: &azureGit.GitBranchStats{Name: &defaultBranch, Commit: &azureGit.GitCommitRef{CommitId: new("abc123233223")}},
 		},
 		{
 			name:                "GetBranches AllBranches false when request fails returns error and empty result",
@ -285,7 +280,7 @@ func TestAzureDevOpsGetBranchesDefultBranchOnly(t *testing.T) {
 		},
 		{
 			name:           "GetBranches AllBranches false when branch returned with long commit SHA",
-			expectedBranch: &azureGit.GitBranchStats{Name: &defaultBranch, Commit: &azureGit.GitCommitRef{CommitId: s("53863052ADF24229AB72154B4D83DAB7")}},
+			expectedBranch: &azureGit.GitBranchStats{Name: &defaultBranch, Commit: &azureGit.GitCommitRef{CommitId: new("53863052ADF24229AB72154B4D83DAB7")}},
 		},
 	}

@ -344,7 +339,7 @@ func TestAzureDevopsGetBranches(t *testing.T) {
 	}{
 		{
 			name:             "GetBranches when single branch returned returns this branch info",
-			expectedBranches: &[]azureGit.GitBranchStats{{Name: s("feature-feat1"), Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}}},
+			expectedBranches: &[]azureGit.GitBranchStats{{Name: new("feature-feat1"), Commit: &azureGit.GitCommitRef{CommitId: new("abc123233223")}}},
 			allBranches:      true,
 		},
 		{
@ -365,9 +360,9 @@ func TestAzureDevopsGetBranches(t *testing.T) {
 		{
 			name: "GetBranches when multiple branches returned returns branch info for all branches",
 			expectedBranches: &[]azureGit.GitBranchStats{
-				{Name: s("feature-feat1"), Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}},
-				{Name: s("feature/feat2"), Commit: &azureGit.GitCommitRef{CommitId: s("4334")}},
-				{Name: s("feature/feat2"), Commit: &azureGit.GitCommitRef{CommitId: s("53863052ADF24229AB72154B4D83DAB7")}},
+				{Name: new("feature-feat1"), Commit: &azureGit.GitCommitRef{CommitId: new("abc123233223")}},
+				{Name: new("feature/feat2"), Commit: &azureGit.GitCommitRef{CommitId: new("4334")}},
+				{Name: new("feature/feat2"), Commit: &azureGit.GitCommitRef{CommitId: new("53863052ADF24229AB72154B4D83DAB7")}},
 			},
 			allBranches: true,
 		},
@ -434,12 +429,12 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 	}{
 		{
 			name:                  "ListRepos when single repo found returns repo info",
-			repositories:          []azureGit.GitRepository{{Name: s("repo1"), DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u"), Id: repoId}},
+			repositories:          []azureGit.GitRepository{{Name: new("repo1"), DefaultBranch: new("main"), RemoteUrl: new("https://remoteurl.u"), Id: repoId}},
 			expectedNumberOfRepos: 1,
 		},
 		{
 			name:         "ListRepos when repo has no default branch returns empty list",
-			repositories: []azureGit.GitRepository{{Name: s("repo2"), RemoteUrl: s("https://remoteurl.u"), Id: repoId}},
+			repositories: []azureGit.GitRepository{{Name: new("repo2"), RemoteUrl: new("https://remoteurl.u"), Id: repoId}},
 		},
 		{
 			name:                 "ListRepos when Azure DevOps request fails returns error",
@ -447,24 +442,24 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 		},
 		{
 			name:         "ListRepos when repo has no name returns empty list",
-			repositories: []azureGit.GitRepository{{DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u"), Id: repoId}},
+			repositories: []azureGit.GitRepository{{DefaultBranch: new("main"), RemoteUrl: new("https://remoteurl.u"), Id: repoId}},
 		},
 		{
 			name:         "ListRepos when repo has no remote URL returns empty list",
-			repositories: []azureGit.GitRepository{{DefaultBranch: s("main"), Name: s("repo_name"), Id: repoId}},
+			repositories: []azureGit.GitRepository{{DefaultBranch: new("main"), Name: new("repo_name"), Id: repoId}},
 		},
 		{
 			name:         "ListRepos when repo has no ID returns empty list",
-			repositories: []azureGit.GitRepository{{DefaultBranch: s("main"), Name: s("repo_name"), RemoteUrl: s("https://remoteurl.u")}},
+			repositories: []azureGit.GitRepository{{DefaultBranch: new("main"), Name: new("repo_name"), RemoteUrl: new("https://remoteurl.u")}},
 		},
 		{
 			name: "ListRepos when multiple repos returned returns list of eligible repos only",
 			repositories: []azureGit.GitRepository{
-				{Name: s("returned1"), DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u"), Id: repoId},
-				{Name: s("missing_default_branch"), RemoteUrl: s("https://remoteurl.u"), Id: repoId},
-				{DefaultBranch: s("missing_name"), RemoteUrl: s("https://remoteurl.u"), Id: repoId},
-				{Name: s("missing_remote_url"), DefaultBranch: s("main"), Id: repoId},
-				{Name: s("missing_id"), DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u")},
+				{Name: new("returned1"), DefaultBranch: new("main"), RemoteUrl: new("https://remoteurl.u"), Id: repoId},
+				{Name: new("missing_default_branch"), RemoteUrl: new("https://remoteurl.u"), Id: repoId},
+				{DefaultBranch: new("missing_name"), RemoteUrl: new("https://remoteurl.u"), Id: repoId},
+				{Name: new("missing_remote_url"), DefaultBranch: new("main"), Id: repoId},
+				{Name: new("missing_id"), DefaultBranch: new("main"), RemoteUrl: new("https://remoteurl.u")},
 			},
 			expectedNumberOfRepos: 1,
 		},
@ -473,7 +468,7 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			gitClientMock := azureMock.NewClient(t)
-			gitClientMock.EXPECT().GetRepositories(mock.Anything, azureGit.GetRepositoriesArgs{Project: s(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)
+			gitClientMock.EXPECT().GetRepositories(mock.Anything, azureGit.GetRepositoriesArgs{Project: new(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)

 			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
 			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
--- a/applicationset/services/scm_provider/bitbucket_server_test.go
+++ b/applicationset/services/scm_provider/bitbucket_server_test.go
@ -445,7 +445,6 @@ func TestListReposTLS(t *testing.T) {
 	}

 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				defaultHandler(t)(w, r)
--- a/applicationset/services/scm_provider/gitea.go
+++ b/applicationset/services/scm_provider/gitea.go
@ -12,14 +12,15 @@ import (
 )

 type GiteaProvider struct {
-	client      *gitea.Client
-	owner       string
-	allBranches bool
+	client               *gitea.Client
+	owner                string
+	allBranches          bool
+	excludeArchivedRepos bool
 }

 var _ SCMProviderService = &GiteaProvider{}

-func NewGiteaProvider(owner, token, url string, allBranches, insecure bool) (*GiteaProvider, error) {
+func NewGiteaProvider(owner, token, url string, allBranches, insecure, excludeArchivedRepos bool) (*GiteaProvider, error) {
 	if token == "" {
 		token = os.Getenv("GITEA_TOKEN")
 	}
@ -40,9 +41,10 @@ func NewGiteaProvider(owner, token, url string, allBranches, insecure bool) (*Gi
 		return nil, fmt.Errorf("error creating a new gitea client: %w", err)
 	}
 	return &GiteaProvider{
-		client:      client,
-		owner:       owner,
-		allBranches: allBranches,
+		client:               client,
+		owner:                owner,
+		allBranches:          allBranches,
+		excludeArchivedRepos: excludeArchivedRepos,
 	}, nil
 }

@ -114,6 +116,11 @@ func (g *GiteaProvider) ListRepos(_ context.Context, cloneProtocol string) ([]*R
 		for _, label := range giteaLabels {
 			labels = append(labels, label.Name)
 		}
+
+		if g.excludeArchivedRepos && repo.Archived {
+			continue
+		}
+
 		repos = append(repos, &Repository{
 			Organization: g.owner,
 			Repository:   repo.Name,
--- a/applicationset/services/scm_provider/gitea_test.go
+++ b/applicationset/services/scm_provider/gitea_test.go
@ -100,17 +100,96 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 					"mirror_interval": "",
 					"mirror_updated": "0001-01-01T00:00:00Z",
 					"repo_transfer": null
-				}]`)
+				},
+				{
+					"id": 21619,
+					"owner": {
+						"id": 31480,
+						"login": "test-argocd",
+						"full_name": "",
+						"email": "",
+						"avatar_url": "https://gitea.com/avatars/22d1b1d3f61abf95951c4a958731d848",
+						"language": "",
+						"is_admin": false,
+						"last_login": "0001-01-01T00:00:00Z",
+						"created": "2022-04-06T02:28:06+08:00",
+						"restricted": false,
+						"active": false,
+						"prohibit_login": false,
+						"location": "",
+						"website": "",
+						"description": "",
+						"visibility": "public",
+						"followers_count": 0,
+						"following_count": 0,
+						"starred_repos_count": 0,
+						"username": "test-argocd"
+					},
+					"name": "another-repo",
+					"full_name": "test-argocd/another-repo",
+					"description": "",
+					"empty": false,
+					"private": false,
+					"fork": false,
+					"template": false,
+					"parent": null,
+					"mirror": false,
+					"size": 28,
+					"language": "",
+					"languages_url": "https://gitea.com/api/v1/repos/test-argocd/another-repo/languages",
+					"html_url": "https://gitea.com/test-argocd/another-repo",
+					"ssh_url": "git@gitea.com:test-argocd/another-repo.git",
+					"clone_url": "https://gitea.com/test-argocd/another-repo.git",
+					"original_url": "",
+					"website": "",
+					"stars_count": 0,
+					"forks_count": 0,
+					"watchers_count": 1,
+					"open_issues_count": 0,
+					"open_pr_counter": 1,
+					"release_counter": 0,
+					"default_branch": "main",
+					"archived": true,
+					"created_at": "2022-04-06T02:32:09+08:00",
+					"updated_at": "2022-04-06T02:33:12+08:00",
+					"permissions": {
+						"admin": false,
+						"push": false,
+						"pull": true
+					},
+					"has_issues": true,
+					"internal_tracker": {
+						"enable_time_tracker": true,
+						"allow_only_contributors_to_track_time": true,
+						"enable_issue_dependencies": true
+					},
+					"has_wiki": true,
+					"has_pull_requests": true,
+					"has_projects": true,
+					"ignore_whitespace_conflicts": false,
+					"allow_merge_commits": true,
+					"allow_rebase": true,
+					"allow_rebase_explicit": true,
+					"allow_squash_merge": true,
+					"default_merge_style": "merge",
+					"avatar_url": "",
+					"internal": false,
+					"mirror_interval": "",
+					"mirror_updated": "0001-01-01T00:00:00Z",
+					"repo_transfer": null
+				}
+
+				]`)
 			if err != nil {
 				t.Fail()
 			}
-		case "/api/v1/repos/test-argocd/pr-test/branches/main":
+		case "/api/v1/repos/test-argocd/another-repo/branches/main":
 			_, err := io.WriteString(w, `{
 				"name": "main",
 				"commit": {
-					"id": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"id": "1fa33898cf84e89836863e3a5e76eee45777b4b0",
 					"message": "initial commit\n",
-					"url": "https://gitea.com/test-argocd/pr-test/commit/72687815ccba81ef014a96201cc2e846a68789d8",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/1fa33898cf84e89836863e3a5e76eee45777b4b0",
 					"author": {
 						"name": "Dan Molik",
 						"email": "dan@danmolik.com",
@ -144,13 +223,209 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v1/repos/test-argocd/pr-test/branches/test":
+			_, err := io.WriteString(w, `{
+				"name": "test",
+				"commit": {
+					"id": "28c3b329933f6fefd9b55225535123bbffec5a46",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/28c3b329933f6fefd9b55225535123bbffec5a46",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/another-repo/branches/test":
+			_, err := io.WriteString(w, `{
+				"name": "test",
+				"commit": {
+					"id": "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/another-repo/commit/32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/pr-test/branches/main":
+			_, err := io.WriteString(w, `{
+				"name": "main",
+				"commit": {
+					"id": "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/another-repo/branches?limit=0&page=1":
+			_, err := io.WriteString(w, `[{
+				"name": "main",
+				"commit": {
+					"id": "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			},
+			{
+				"name": "test",
+				"commit": {
+					"id": "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					"message": "add an empty file\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiugACgkQlgCr7m50\nzBN+7wgAkCHD3KfX3Ffkqv2qPwqgHNYM1bA6Hmffzhv0YeD9jWCI3tp0JulP4iFZ\ncQ7jqx9xP9tCQMSFCaijLRHaE6Js1xrVtf0OKRkbpdlvkyrIM3sQhqyQgAsISrDG\nLzSqeoQQjglzeWESYh2Tjn1CgqQNKjI6LLepSwvF1pIeV4pJpJobaEbIfTgStdzM\nWEk8o0I+EZaYqK0C0vU9N0LK/LR/jnlaHsb4OUjvk+S7lRjZwBkrsg7P/QsqtCVd\nw5nkxDiCx1J58zKMnQ7ZinJEK9A5WYdnMYc6aBn7ARgZrblXPPBkkKUhEv3ZSPeW\nKv9i4GQy838xkVSTFkHNj1+a5o6zEA==\n=JiFw\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree cdddf3e1d6a8a7e6899a044d0e1bc73bf798e2f5\nparent 72687815ccba81ef014a96201cc2e846a68789d8\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183458 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183458 -0400\n\nadd an empty file\n"
+					},
+					"timestamp": "2022-04-05T14:30:58-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v1/repos/test-argocd/pr-test/branches?limit=0&page=1":
 			_, err := io.WriteString(w, `[{
 				"name": "main",
 				"commit": {
-					"id": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"id": "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
 					"message": "initial commit\n",
-					"url": "https://gitea.com/test-argocd/pr-test/commit/72687815ccba81ef014a96201cc2e846a68789d8",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/75f6fceff80f6aaf12b65a2cf6a89190b866625b",
 					"author": {
 						"name": "Dan Molik",
 						"email": "dan@danmolik.com",
@ -183,9 +458,9 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			}, {
 				"name": "test",
 				"commit": {
-					"id": "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"id": "28c3b329933f6fefd9b55225535123bbffec5a46",
 					"message": "add an empty file\n",
-					"url": "https://gitea.com/test-argocd/pr-test/commit/7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/28c3b329933f6fefd9b55225535123bbffec5a46",
 					"author": {
 						"name": "Dan Molik",
 						"email": "dan@danmolik.com",
@ -261,40 +536,270 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {

 func TestGiteaListRepos(t *testing.T) {
 	cases := []struct {
-		name, proto, url                        string
+		name, proto                             string
 		hasError, allBranches, includeSubgroups bool
+		excludeArchivedRepos                    bool
 		branches                                []string
+		expectedRepos                           []*Repository
 		filters                                 []v1alpha1.SCMProviderGeneratorFilter
 	}{
 		{
-			name:        "blank protocol",
-			allBranches: false,
-			url:         "git@gitea.com:test-argocd/pr-test.git",
-			branches:    []string{"main"},
+			name:                 "blank protocol",
+			allBranches:          false,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"main"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					RepositoryId: 21618,
+					Labels:       []string{},
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					RepositoryId: 21619,
+					Labels:       []string{},
+				},
+			},
 		},
 		{
-			name:        "ssh protocol",
-			allBranches: false,
-			proto:       "ssh",
-			url:         "git@gitea.com:test-argocd/pr-test.git",
+			name:                 "ssh protocol",
+			allBranches:          false,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			proto: "ssh",
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					RepositoryId: 21618,
+					Labels:       []string{},
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					RepositoryId: 21619,
+					Labels:       []string{},
+				},
+			},
 		},
 		{
-			name:        "https protocol",
-			allBranches: false,
-			proto:       "https",
-			url:         "https://gitea.com/test-argocd/pr-test",
+			name:                 "https protocol",
+			allBranches:          false,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			proto: "https",
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "https://gitea.com/test-argocd/pr-test",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					RepositoryId: 21618,
+					Labels:       []string{},
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "https://gitea.com/test-argocd/another-repo",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					RepositoryId: 21619,
+					Labels:       []string{},
+				},
+			},
 		},
 		{
-			name:        "other protocol",
-			allBranches: false,
-			proto:       "other",
-			hasError:    true,
+			name:                 "other protocol",
+			allBranches:          false,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			proto:         "other",
+			hasError:      true,
+			expectedRepos: []*Repository{},
 		},
 		{
-			name:        "all branches",
-			allBranches: true,
-			url:         "git@gitea.com:test-argocd/pr-test.git",
-			branches:    []string{"main"},
+			name:                 "all branches including archived repos",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "28c3b329933f6fefd9b55225535123bbffec5a46",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+			},
+		},
+		{
+			name:                 "all branches",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "28c3b329933f6fefd9b55225535123bbffec5a46",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+			},
+		},
+		{
+			name:                 "all branches",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"main"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "28c3b329933f6fefd9b55225535123bbffec5a46",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+			},
+		},
+		{
+			name:                 "all branches with no archived repos",
+			allBranches:          true,
+			excludeArchivedRepos: true,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"main"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "28c3b329933f6fefd9b55225535123bbffec5a46",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+			},
 		},
 	}
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -303,26 +808,19 @@ func TestGiteaListRepos(t *testing.T) {
 	defer ts.Close()
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGiteaProvider("test-argocd", "", ts.URL, c.allBranches, false)
+			provider, _ := NewGiteaProvider("test-argocd", "", ts.URL, c.allBranches, false, c.excludeArchivedRepos)
 			rawRepos, err := ListRepos(t.Context(), provider, c.filters, c.proto)
+
 			if c.hasError {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
-				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
-				branches := []string{}
-				for _, r := range rawRepos {
-					if r.Repository == "pr-test" {
-						repos = append(repos, r)
-						branches = append(branches, r.Branch)
-					}
-				}
+				repos = append(rawRepos, repos...)
+
 				assert.NotEmpty(t, repos)
-				assert.Equal(t, c.url, repos[0].URL)
-				for _, b := range c.branches {
-					assert.Contains(t, branches, b)
-				}
+				assert.Len(t, repos, len(c.expectedRepos))
+				assert.ElementsMatch(t, c.expectedRepos, repos)
 			}
 		})
 	}
@ -333,7 +831,7 @@ func TestGiteaHasPath(t *testing.T) {
 		giteaMockHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	host, _ := NewGiteaProvider("gitea", "", ts.URL, false, false)
+	host, _ := NewGiteaProvider("gitea", "", ts.URL, false, false, false)
 	repo := &Repository{
 		Organization: "gitea",
 		Repository:   "go-sdk",
--- a/applicationset/services/scm_provider/github.go
+++ b/applicationset/services/scm_provider/github.go
@ -12,14 +12,15 @@ import (
 )

 type GithubProvider struct {
-	client       *github.Client
-	organization string
-	allBranches  bool
+	client               *github.Client
+	organization         string
+	allBranches          bool
+	excludeArchivedRepos bool
 }

 var _ SCMProviderService = &GithubProvider{}

-func NewGithubProvider(organization string, token string, url string, allBranches bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
+func NewGithubProvider(organization string, token string, url string, allBranches bool, excludeArchivedRepos bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
 	// Undocumented environment variable to set a default token, to be used in testing to dodge anonymous rate limits.
 	if token == "" {
 		token = os.Getenv("GITHUB_TOKEN")
@ -45,7 +46,7 @@ func NewGithubProvider(organization string, token string, url string, allBranche
 			return nil, err
 		}
 	}
-	return &GithubProvider{client: client, organization: organization, allBranches: allBranches}, nil
+	return &GithubProvider{client: client, organization: organization, allBranches: allBranches, excludeArchivedRepos: excludeArchivedRepos}, nil
 }

 func (g *GithubProvider) GetBranches(ctx context.Context, repo *Repository) ([]*Repository, error) {
@ -90,6 +91,11 @@ func (g *GithubProvider) ListRepos(ctx context.Context, cloneProtocol string) ([
 			default:
 				return nil, fmt.Errorf("unknown clone protocol for GitHub %v", cloneProtocol)
 			}
+
+			if g.excludeArchivedRepos && githubRepo.GetArchived() {
+				continue
+			}
+
 			repos = append(repos, &Repository{
 				Organization: githubRepo.Owner.GetLogin(),
 				Repository:   githubRepo.GetName(),
--- a/applicationset/services/scm_provider/github_app.go
+++ b/applicationset/services/scm_provider/github_app.go
@ -9,11 +9,11 @@ import (
 	appsetutils "github.com/argoproj/argo-cd/v3/applicationset/utils"
 )

-func NewGithubAppProviderFor(ctx context.Context, g github_app_auth.Authentication, organization string, url string, allBranches bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
+func NewGithubAppProviderFor(ctx context.Context, g github_app_auth.Authentication, organization string, url string, allBranches bool, excludeArchivedRepos bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
 	httpClient := appsetutils.GetOptionalHTTPClient(optionalHTTPClient...)
 	client, err := github_app.Client(ctx, g, url, organization, httpClient)
 	if err != nil {
 		return nil, err
 	}
-	return &GithubProvider{client: client, organization: organization, allBranches: allBranches}, nil
+	return &GithubProvider{client: client, organization: organization, allBranches: allBranches, excludeArchivedRepos: excludeArchivedRepos}, nil
 }
--- a/applicationset/services/scm_provider/github_test.go
+++ b/applicationset/services/scm_provider/github_test.go
@ -122,6 +122,110 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 					"pull": true
 				  },
 				  "template_repository": null
+				},
+				{
+				  "id": 1296270,
+				  "node_id": "MDEwOlJlcGsddRvcnkxMjk2MjY5",
+				  "name": "another-repo",
+				  "full_name": "argoproj/another-repo",
+				  "owner": {
+					"login": "argoproj",
+					"id": 1,
+					"node_id": "MDQ6VXNlcjE=",
+					"avatar_url": "https://github.com/images/error/argoproj_happy.gif",
+					"gravatar_id": "",
+					"url": "https://api.github.com/users/argoproj",
+					"html_url": "https://github.com/argoproj",
+					"followers_url": "https://api.github.com/users/argoproj/followers",
+					"following_url": "https://api.github.com/users/argoproj/following{/other_user}",
+					"gists_url": "https://api.github.com/users/argoproj/gists{/gist_id}",
+					"starred_url": "https://api.github.com/users/argoproj/starred{/owner}{/repo}",
+					"subscriptions_url": "https://api.github.com/users/argoproj/subscriptions",
+					"organizations_url": "https://api.github.com/users/argoproj/orgs",
+					"repos_url": "https://api.github.com/users/argoproj/repos",
+					"events_url": "https://api.github.com/users/argoproj/events{/privacy}",
+					"received_events_url": "https://api.github.com/users/argoproj/received_events",
+					"type": "User",
+					"site_admin": false
+				  },
+				  "private": false,
+				  "html_url": "https://github.com/argoproj/another-repo",
+				  "description": "This your first repo!",
+				  "fork": false,
+				  "url": "https://api.github.com/repos/argoproj/another-repo",
+				  "archive_url": "https://api.github.com/repos/argoproj/another-repo/{archive_format}{/ref}",
+				  "assignees_url": "https://api.github.com/repos/argoproj/another-repo/assignees{/user}",
+				  "blobs_url": "https://api.github.com/repos/argoproj/another-repo/git/blobs{/sha}",
+				  "branches_url": "https://api.github.com/repos/argoproj/another-repo/branches{/branch}",
+				  "collaborators_url": "https://api.github.com/repos/argoproj/another-repo/collaborators{/collaborator}",
+				  "comments_url": "https://api.github.com/repos/argoproj/another-repo/comments{/number}",
+				  "commits_url": "https://api.github.com/repos/argoproj/another-repo/commits{/sha}",
+				  "compare_url": "https://api.github.com/repos/argoproj/another-repo/compare/{base}...{head}",
+				  "contents_url": "https://api.github.com/repos/argoproj/another-repo/contents/{path}",
+				  "contributors_url": "https://api.github.com/repos/argoproj/another-repo/contributors",
+				  "deployments_url": "https://api.github.com/repos/argoproj/another-repo/deployments",
+				  "downloads_url": "https://api.github.com/repos/argoproj/another-repo/downloads",
+				  "events_url": "https://api.github.com/repos/argoproj/another-repo/events",
+				  "forks_url": "https://api.github.com/repos/argoproj/another-repo/forks",
+				  "git_commits_url": "https://api.github.com/repos/argoproj/another-repo/git/commits{/sha}",
+				  "git_refs_url": "https://api.github.com/repos/argoproj/another-repo/git/refs{/sha}",
+				  "git_tags_url": "https://api.github.com/repos/argoproj/another-repo/git/tags{/sha}",
+				  "git_url": "git:github.com/argoproj/another-repo.git",
+				  "issue_comment_url": "https://api.github.com/repos/argoproj/another-repo/issues/comments{/number}",
+				  "issue_events_url": "https://api.github.com/repos/argoproj/another-repo/issues/events{/number}",
+				  "issues_url": "https://api.github.com/repos/argoproj/another-repo/issues{/number}",
+				  "keys_url": "https://api.github.com/repos/argoproj/another-repo/keys{/key_id}",
+				  "labels_url": "https://api.github.com/repos/argoproj/another-repo/labels{/name}",
+				  "languages_url": "https://api.github.com/repos/argoproj/another-repo/languages",
+				  "merges_url": "https://api.github.com/repos/argoproj/another-repo/merges",
+				  "milestones_url": "https://api.github.com/repos/argoproj/another-repo/milestones{/number}",
+				  "notifications_url": "https://api.github.com/repos/argoproj/another-repo/notifications{?since,all,participating}",
+				  "pulls_url": "https://api.github.com/repos/argoproj/another-repo/pulls{/number}",
+				  "releases_url": "https://api.github.com/repos/argoproj/another-repo/releases{/id}",
+				  "ssh_url": "git@github.com:argoproj/another-repo.git",
+				  "stargazers_url": "https://api.github.com/repos/argoproj/another-repo/stargazers",
+				  "statuses_url": "https://api.github.com/repos/argoproj/another-repo/statuses/{sha}",
+				  "subscribers_url": "https://api.github.com/repos/argoproj/another-repo/subscribers",
+				  "subscription_url": "https://api.github.com/repos/argoproj/another-repo/subscription",
+				  "tags_url": "https://api.github.com/repos/argoproj/another-repo/tags",
+				  "teams_url": "https://api.github.com/repos/argoproj/another-repo/teams",
+				  "trees_url": "https://api.github.com/repos/argoproj/another-repo/git/trees{/sha}",
+				  "clone_url": "https://github.com/argoproj/another-repo.git",
+				  "mirror_url": "git:git.example.com/argoproj/another-repo",
+				  "hooks_url": "https://api.github.com/repos/argoproj/another-repo/hooks",
+				  "svn_url": "https://svn.github.com/argoproj/another-repo",
+				  "homepage": "https://github.com",
+				  "language": null,
+				  "forks_count": 9,
+				  "stargazers_count": 80,
+				  "watchers_count": 80,
+				  "size": 108,
+				  "default_branch": "master",
+				  "open_issues_count": 0,
+				  "is_template": false,
+				  "topics": [
+					"argoproj",
+					"atom",
+					"electron",
+					"api"
+				  ],
+				  "has_issues": true,
+				  "has_projects": true,
+				  "has_wiki": true,
+				  "has_pages": false,
+				  "has_downloads": true,
+				  "archived": true,
+				  "disabled": false,
+				  "visibility": "public",
+				  "pushed_at": "2011-01-26T19:06:43Z",
+				  "created_at": "2011-01-26T19:01:12Z",
+				  "updated_at": "2011-01-26T19:14:43Z",
+				  "permissions": {
+					"admin": false,
+					"push": false,
+					"pull": true
+				  },
+				  "template_repository": null
 				}
 			  ]`)
 			if err != nil {
@ -146,12 +250,55 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 					}
 				  },
 				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
+				},
+				{
+				  "name": "test",
+				  "commit": {
+					"sha": "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					"url": "https://api.github.com/repos/argoproj/argo-cd/commits/80a6e93f16e8093e24091b03c614362df3fb9b92"
+				  },
+				  "protected": true,
+				  "protection": {
+					"required_status_checks": {
+					  "enforcement_level": "non_admins",
+					  "contexts": [
+						"ci-test",
+						"linter"
+					  ]
+					}
+				  },
+				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
 				}
 			  ]
 			`)
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v3/repos/argoproj/another-repo/branches?per_page=100":
+			_, err := io.WriteString(w, `[
+				{
+				  "name": "main",
+				  "commit": {
+					"sha": "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					"url": "https://api.github.com/repos/argoproj/another-repo/commits/19b016818bc0e0a44ddeaab345838a2a6c97fa67"
+				  },
+				  "protected": true,
+				  "protection": {
+					"required_status_checks": {
+					  "enforcement_level": "non_admins",
+					  "contexts": [
+						"ci-test",
+						"linter"
+					  ]
+					}
+				  },
+				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
+					}
+			  ]
+			`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v3/repos/argoproj/argo-cd/contents/pkg?ref=master":
 			_, err := io.WriteString(w, `{
 				"type": "file",
@ -196,6 +343,50 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v3/repos/argoproj/argo-cd/branches/test":
+			_, err := io.WriteString(w, `{
+				"name": "test",
+				"commit": {
+				  "sha": "80a6e93f16e8093e24091b03c614362df3fb9b92",
+				  "url": "https://api.github.com/repos/octocat/Hello-World/commits/80a6e93f16e8093e24091b03c614362df3fb9b92"
+				},
+				"protected": true,
+				"protection": {
+				  "required_status_checks": {
+					"enforcement_level": "non_admins",
+					"contexts": [
+					  "ci-test",
+					  "linter"
+					]
+				  }
+				},
+				"protection_url": "https://api.github.com/repos/octocat/hello-world/branches/test/protection"
+			  }`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/another-repo/branches/main":
+			_, err := io.WriteString(w, `{
+					"name": "main",
+					"commit": {
+						"sha": "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+						"url": "https://api.github.com/repos/octocat/Hello-World/commits/c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc"
+					},
+					"protected": true,
+					"protection": {
+						"required_status_checks": {
+						"enforcement_level": "non_admins",
+						"contexts": [
+							"ci-test",
+							"linter"
+						]
+						}
+					},
+					"protection_url": "https://api.github.com/repos/octocat/hello-world/branches/master/protection"
+					}`)
+			if err != nil {
+				t.Fail()
+			}
 		default:
 			w.WriteHeader(http.StatusNotFound)
 		}
@ -203,37 +394,276 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 }

 func TestGithubListRepos(t *testing.T) {
+	idptr := func(i int64) *int64 {
+		return &i
+	}
+	// Test cases for ListRepos
 	cases := []struct {
-		name, proto, url      string
+		name, proto           string
 		hasError, allBranches bool
-		branches              []string
+		excludeArchivedRepos  bool
+		expectedRepos         []*Repository
 		filters               []v1alpha1.SCMProviderGeneratorFilter
 	}{
 		{
-			name:     "blank protocol",
-			url:      "git@github.com:argoproj/argo-cd.git",
-			branches: []string{"master"},
+			name:                 "blank protocol",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@github.com:argoproj/another-repo.git",
+					SHA:          "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296270),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 		{
-			name:  "ssh protocol",
-			proto: "ssh",
-			url:   "git@github.com:argoproj/argo-cd.git",
+			name:                 "ssh protocol",
+			proto:                "ssh",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@github.com:argoproj/another-repo.git",
+					SHA:          "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296270),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 		{
-			name:  "https protocol",
-			proto: "https",
-			url:   "https://github.com/argoproj/argo-cd.git",
+			name:                 "https protocol",
+			proto:                "https",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "https://github.com/argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "https://github.com/argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "https://github.com/argoproj/another-repo.git",
+					SHA:          "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296270),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 		{
-			name:     "other protocol",
-			proto:    "other",
-			hasError: true,
+			name:                 "other protocol",
+			proto:                "other",
+			hasError:             true,
+			excludeArchivedRepos: false,
+			expectedRepos:        []*Repository{},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 		{
-			name:        "all branches",
-			allBranches: true,
-			url:         "git@github.com:argoproj/argo-cd.git",
-			branches:    []string{"master"},
+			name:                 "all branches with archived repos",
+			allBranches:          true,
+			proto:                "ssh",
+			excludeArchivedRepos: false,
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@github.com:argoproj/another-repo.git",
+					SHA:          "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296270),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
+		},
+		{
+			name:                 "test repo all branches without archived repos",
+			allBranches:          true,
+			excludeArchivedRepos: true,
+			proto:                "https",
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "https://github.com/argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "https://github.com/argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 	}
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -242,26 +672,18 @@ func TestGithubListRepos(t *testing.T) {
 	defer ts.Close()
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGithubProvider("argoproj", "", ts.URL, c.allBranches)
+			provider, _ := NewGithubProvider("argoproj", "", ts.URL, c.allBranches, c.excludeArchivedRepos)
 			rawRepos, err := ListRepos(t.Context(), provider, c.filters, c.proto)
 			if c.hasError {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
-				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
-				branches := []string{}
-				for _, r := range rawRepos {
-					if r.Repository == "argo-cd" {
-						repos = append(repos, r)
-						branches = append(branches, r.Branch)
-					}
-				}
+				repos = append(rawRepos, repos...)
+
 				assert.NotEmpty(t, repos)
-				assert.Equal(t, c.url, repos[0].URL)
-				for _, b := range c.branches {
-					assert.Contains(t, branches, b)
-				}
+				assert.Len(t, repos, len(c.expectedRepos))
+				assert.ElementsMatch(t, c.expectedRepos, repos)
 			}
 		})
 	}
@ -280,7 +702,7 @@ func TestGithubHasPath(t *testing.T) {
 		githubMockHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	host, _ := NewGithubProvider("argoproj", "", ts.URL, false)
+	host, _ := NewGithubProvider("argoproj", "", ts.URL, false, false)
 	repo := &Repository{
 		Organization: "argoproj",
 		Repository:   "argo-cd",
@ -300,7 +722,7 @@ func TestGithubGetBranches(t *testing.T) {
 		githubMockHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	host, _ := NewGithubProvider("argoproj", "", ts.URL, false)
+	host, _ := NewGithubProvider("argoproj", "", ts.URL, false, false)
 	repo := &Repository{
 		Organization: "argoproj",
 		Repository:   "argo-cd",
@ -328,6 +750,6 @@ func TestGithubGetBranches(t *testing.T) {
 		require.NoError(t, err)
 	} else {
 		// considering master  branch to  exist.
-		assert.Len(t, repos, 1)
+		assert.Len(t, repos, 2)
 	}
 }
--- a/applicationset/services/scm_provider/gitlab.go
+++ b/applicationset/services/scm_provider/gitlab.go
@ -19,12 +19,13 @@ type GitlabProvider struct {
 	allBranches           bool
 	includeSubgroups      bool
 	includeSharedProjects bool
+	includeArchivedRepos  bool
 	topic                 string
 }

 var _ SCMProviderService = &GitlabProvider{}

-func NewGitlabProvider(organization string, token string, url string, allBranches, includeSubgroups, includeSharedProjects, insecure bool, scmRootCAPath, topic string, caCerts []byte) (*GitlabProvider, error) {
+func NewGitlabProvider(organization string, token string, url string, allBranches, includeSubgroups, includeSharedProjects, includeArchivedRepos, insecure bool, scmRootCAPath, topic string, caCerts []byte) (*GitlabProvider, error) {
 	// Undocumented environment variable to set a default token, to be used in testing to dodge anonymous rate limits.
 	if token == "" {
 		token = os.Getenv("GITLAB_TOKEN")
@ -51,7 +52,15 @@ func NewGitlabProvider(organization string, token string, url string, allBranche
 		}
 	}

-	return &GitlabProvider{client: client, organization: organization, allBranches: allBranches, includeSubgroups: includeSubgroups, includeSharedProjects: includeSharedProjects, topic: topic}, nil
+	return &GitlabProvider{
+		client:                client,
+		organization:          organization,
+		allBranches:           allBranches,
+		includeSubgroups:      includeSubgroups,
+		includeSharedProjects: includeSharedProjects,
+		includeArchivedRepos:  includeArchivedRepos,
+		topic:                 topic,
+	}, nil
 }

 func (g *GitlabProvider) GetBranches(ctx context.Context, repo *Repository) ([]*Repository, error) {
@ -88,6 +97,11 @@ func (g *GitlabProvider) ListRepos(_ context.Context, cloneProtocol string) ([]*
 		Topic:            &g.topic,
 	}

+	// gitlab does not include Archived repos by default
+	if g.includeArchivedRepos {
+		opt.Archived = gitlab.Ptr(true)
+	}
+
 	repos := []*Repository{}
 	for {
 		gitlabRepos, resp, err := g.client.Groups.ListGroupProjects(g.organization, opt)
--- a/applicationset/services/scm_provider/gitlab_test.go
+++ b/applicationset/services/scm_provider/gitlab_test.go
@ -3,7 +3,6 @@ package scm_provider
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@ -19,12 +18,9 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 	t.Helper()
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		fmt.Println(r.RequestURI)
 		switch r.RequestURI {
 		case "/api/v4":
-			fmt.Println("here1")
-		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100&topic=&with_shared=false":
-			fmt.Println("here")
+		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100&topic=&with_shared=false", "/api/v4/groups/test-argocd-proton/projects?archived=false&include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?archived=false&include_subgroups=false&per_page=100&topic=&with_shared=false":
 			_, err := io.WriteString(w, `[{
 				"id": 27084533,
 				"description": "",
@ -151,8 +147,253 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v4/groups/test-argocd-proton/projects?archived=true&include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?archived=true&include_subgroups=false&per_page=100&topic=&with_shared=false":
+			_, err := io.WriteString(w, `[{
+				"id": 27084533,
+				"description": "",
+				"name": "argocd",
+				"name_with_namespace": "test argocd proton / argocd",
+				"path": "argocd",
+				"path_with_namespace": "test-argocd-proton/argocd",
+				"created_at": "2021-06-01T17:30:44.724Z",
+				"default_branch": "master",
+				"tag_list": [],
+				"topics": [],
+				"ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/argocd.git",
+				"http_url_to_repo": "https://gitlab.com/test-argocd-proton/argocd.git",
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd",
+				"readme_url": null,
+				"avatar_url": null,
+				"forks_count": 0,
+				"star_count": 0,
+				"last_activity_at": "2021-06-04T08:19:51.656Z",
+				"namespace": {
+					"id": 12258515,
+					"name": "test argocd proton",
+					"path": "test-argocd-proton",
+					"kind": "gro* Connection #0 to host gitlab.com left intact up ",
+					"full_path ": "test - argocd - proton ",
+					"parent_id ": null,
+					"avatar_url ": null,
+					"web_url ": "https: //gitlab.com/groups/test-argocd-proton"
+				},
+				"container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/argocd",
+				"_links": {
+					"self": "https://gitlab.com/api/v4/projects/27084533",
+					"issues": "https://gitlab.com/api/v4/projects/27084533/issues",
+					"merge_requests": "https://gitlab.com/api/v4/projects/27084533/merge_requests",
+					"repo_branches": "https://gitlab.com/api/v4/projects/27084533/repository/branches",
+					"labels": "https://gitlab.com/api/v4/projects/27084533/labels",
+					"events": "https://gitlab.com/api/v4/projects/27084533/events",
+					"members": "https://gitlab.com/api/v4/projects/27084533/members",
+					"cluster_agents": "https://gitlab.com/api/v4/projects/27084533/cluster_agents"
+				},
+				"packages_enabled": true,
+				"empty_repo": false,
+				"archived": false,
+				"visibility": "public",
+				"resolve_outdated_diff_discussions": false,
+				"container_expiration_policy": {
+					"cadence": "1d",
+					"enabled": false,
+					"keep_n": 10,
+					"older_than": "90d",
+					"name_regex": ".*",
+					"name_regex_keep": null,
+					"next_run_at": "2021-06-02T17:30:44.740Z"
+				},
+				"issues_enabled": true,
+				"merge_requests_enabled": true,
+				"wiki_enabled": true,
+				"jobs_enabled": true,
+				"snippets_enabled": true,
+				"container_registry_enabled": true,
+				"service_desk_enabled": true,
+				"can_create_merge_request_in": false,
+				"issues_access_level": "enabled",
+				"repository_access_level": "enabled",
+				"merge_requests_access_level": "enabled",
+				"forking_access_level": "enabled",
+				"wiki_access_level": "enabled",
+				"builds_access_level": "enabled",
+				"snippets_access_level": "enabled",
+				"pages_access_level": "enabled",
+				"operations_access_level": "enabled",
+				"analytics_access_level": "enabled",
+				"container_registry_access_level": "enabled",
+				"security_and_compliance_access_level": "private",
+				"emails_disabled": null,
+				"shared_runners_enabled": true,
+				"lfs_enabled": true,
+				"creator_id": 2378866,
+				"import_status": "none",
+				"open_issues_count": 0,
+				"ci_default_git_depth": 50,
+				"ci_forward_deployment_enabled": true,
+				"ci_job_token_scope_enabled": false,
+				"public_jobs": true,
+				"build_timeout": 3600,
+				"auto_cancel_pending_pipelines": "enabled",
+				"ci_config_path": "",
+				"shared_with_groups": [],
+				"only_allow_merge_if_pipeline_succeeds": false,
+				"allow_merge_on_skipped_pipeline": null,
+				"restrict_user_defined_variables": false,
+				"request_access_enabled": true,
+				"only_allow_merge_if_all_discussions_are_resolved": false,
+				"remove_source_branch_after_merge": true,
+				"printing_merge_request_link_enabled": true,
+				"merge_method": "merge",
+				"squash_option": "default_off",
+				"suggestion_commit_message": null,
+				"merge_commit_template": null,
+				"squash_commit_template": null,
+				"auto_devops_enabled": false,
+				"auto_devops_deploy_strategy": "continuous",
+				"autoclose_referenced_issues": true,
+				"keep_latest_artifact": true,
+				"runner_token_expiration_interval": null,
+				"approvals_before_merge": 0,
+				"mirror": false,
+				"external_authorization_classification_label": "",
+				"marked_for_deletion_at": null,
+				"marked_for_deletion_on": null,
+				"requirements_enabled": true,
+				"requirements_access_level": "enabled",
+				"security_and_compliance_enabled": false,
+				"compliance_frameworks": [],
+				"issues_template": null,
+				"merge_requests_template": null,
+				"merge_pipelines_enabled": false,
+				"merge_trains_enabled": false
+			},
+			{
+				"id": 56522142,
+				"description": "",
+				"name": "another-repo",
+				"name_with_namespace": "test argocd proton / another-repo",
+				"path": "another-repo",
+				"path_with_namespace": "test-argocd-proton/another-repo",
+				"created_at": "2022-09-13T12:10:14.722Z",
+				"default_branch": "master",
+				"tag_list": [
+					"test-topic"
+				],
+				"topics": [
+					"test-topic"
+				],
+				"ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/another-repo.git",
+				"http_url_to_repo": "https://gitlab.com/test-argocd-proton/another-repo.git",
+				"web_url": "https://gitlab.com/test-argocd-proton/another-repo",
+				"readme_url": null,
+				"avatar_url": null,
+				"forks_count": 0,
+				"star_count": 0,
+				"last_activity_at": "2021-06-04T08:19:51.656Z",
+				"namespace": {
+					"id": 12258515,
+					"name": "test argocd proton",
+					"path": "test-argocd-proton",
+					"kind": "gro* Connection #0 to host gitlab.com left intact up ",
+					"full_path ": "test - argocd - proton ",
+					"parent_id ": null,
+					"avatar_url ": null,
+					"web_url ": "https: //gitlab.com/groups/test-argocd-proton"
+				},
+				"container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/another-repo",
+				"_links": {
+					"self": "https://gitlab.com/api/v4/projects/56522142",
+					"issues": "https://gitlab.com/api/v4/projects/56522142/issues",
+					"merge_requests": "https://gitlab.com/api/v4/projects/56522142/merge_requests",
+					"repo_branches": "https://gitlab.com/api/v4/projects/56522142/repository/branches",
+					"labels": "https://gitlab.com/api/v4/projects/56522142/labels",
+					"events": "https://gitlab.com/api/v4/projects/56522142/events",
+					"members": "https://gitlab.com/api/v4/projects/56522142/members",
+					"cluster_agents": "https://gitlab.com/api/v4/projects/56522142/cluster_agents"
+				},
+				"packages_enabled": true,
+				"empty_repo": false,
+				"archived": true,
+				"visibility": "public",
+				"resolve_outdated_diff_discussions": false,
+				"container_expiration_policy": {
+					"cadence": "1d",
+					"enabled": false,
+					"keep_n": 10,
+					"older_than": "90d",
+					"name_regex": ".*",
+					"name_regex_keep": null,
+					"next_run_at": "2021-06-02T17:30:44.740Z"
+				},
+				"issues_enabled": true,
+				"merge_requests_enabled": true,
+				"wiki_enabled": true,
+				"jobs_enabled": true,
+				"snippets_enabled": true,
+				"container_registry_enabled": true,
+				"service_desk_enabled": true,
+				"can_create_merge_request_in": false,
+				"issues_access_level": "enabled",
+				"repository_access_level": "enabled",
+				"merge_requests_access_level": "enabled",
+				"forking_access_level": "enabled",
+				"wiki_access_level": "enabled",
+				"builds_access_level": "enabled",
+				"snippets_access_level": "enabled",
+				"pages_access_level": "enabled",
+				"operations_access_level": "enabled",
+				"analytics_access_level": "enabled",
+				"container_registry_access_level": "enabled",
+				"security_and_compliance_access_level": "private",
+				"emails_disabled": null,
+				"shared_runners_enabled": true,
+				"lfs_enabled": true,
+				"creator_id": 2378866,
+				"import_status": "none",
+				"open_issues_count": 0,
+				"ci_default_git_depth": 50,
+				"ci_forward_deployment_enabled": true,
+				"ci_job_token_scope_enabled": false,
+				"public_jobs": true,
+				"build_timeout": 3600,
+				"auto_cancel_pending_pipelines": "enabled",
+				"ci_config_path": "",
+				"shared_with_groups": [],
+				"only_allow_merge_if_pipeline_succeeds": false,
+				"allow_merge_on_skipped_pipeline": null,
+				"restrict_user_defined_variables": false,
+				"request_access_enabled": true,
+				"only_allow_merge_if_all_discussions_are_resolved": false,
+				"remove_source_branch_after_merge": true,
+				"printing_merge_request_link_enabled": true,
+				"merge_method": "merge",
+				"squash_option": "default_off",
+				"suggestion_commit_message": null,
+				"merge_commit_template": null,
+				"squash_commit_template": null,
+				"auto_devops_enabled": false,
+				"auto_devops_deploy_strategy": "continuous",
+				"autoclose_referenced_issues": true,
+				"keep_latest_artifact": true,
+				"runner_token_expiration_interval": null,
+				"approvals_before_merge": 0,
+				"mirror": false,
+				"external_authorization_classification_label": "",
+				"marked_for_deletion_at": null,
+				"marked_for_deletion_on": null,
+				"requirements_enabled": true,
+				"requirements_access_level": "enabled",
+				"security_and_compliance_enabled": false,
+				"compliance_frameworks": [],
+				"issues_template": null,
+				"merge_requests_template": null,
+				"merge_pipelines_enabled": false,
+				"merge_trains_enabled": false
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=true&per_page=100&topic=&with_shared=false":
-			fmt.Println("here")
 			_, err := io.WriteString(w, `[{
 				"id": 27084533,
 				"description": "",
@ -406,7 +647,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 				t.Fail()
 			}
 		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100&topic=specific-topic&with_shared=false":
-			fmt.Println("here")
 			_, err := io.WriteString(w, `[{
 				"id": 27084533,
 				"description": "",
@ -537,7 +777,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 				t.Fail()
 			}
 		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=true&per_page=100&topic=&with_shared=true":
-			fmt.Println("here")
 			_, err := io.WriteString(w, `[{
 				"id": 27084533,
 				"description": "",
@ -796,7 +1035,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 				t.Fail()
 			}
 		case "/api/v4/projects/27084533/repository/branches/master":
-			fmt.Println("returning")
 			_, err := io.WriteString(w, `{
 				"name": "master",
 				"commit": {
@ -826,6 +1064,36 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v4/projects/56522142/repository/branches/master":
+			_, err := io.WriteString(w, `{
+				"name": "master",
+				"commit": {
+					"id": "9998d7999fc99dd0fd578650b58b244fc63f6b53",
+					"short_id": "9998d799",
+					"created_at": "2023-08-04T08:14:14.000+00:00",
+					"parent_ids": ["5d9d50be1ef949ad28674e238c7e12a17b1e9706", "99482e001731640b4123cf177e51c696f08a3005"],
+					"title": "Merge branch 'pipeline-4547911429' into 'master'",
+					"message": "Merge branch 'pipeline-4547911429' into 'master'\n\n[testapp-ci] manifests/demo/test-app.yaml: release v1.2.0\n\nSee merge request test-argocd-proton/argocd!3",
+					"author_name": "Martin Vozník",
+					"author_email": "martin@voznik.cz",
+					"authored_date": "2023-08-04T08:14:14.000+00:00",
+					"committer_name": "Martin Vozník",
+					"committer_email": "martin@voznik.cz",
+					"committed_date": "2023-08-04T08:14:14.000+00:00",
+					"trailers": {},
+					"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/commit/9998d7999fc99dd0fd578650b58b244fc63f6b53"
+				},
+				"merged": false,
+				"protected": true,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": true,
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/tree/master"
+			}`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v4/projects/27084533/repository/branches?per_page=100":
 			_, err := io.WriteString(w, `[{
 				"name": "master",
@ -991,8 +1259,62 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v4/projects/56522142/repository/branches?per_page=100":
+			_, err := io.WriteString(w, `[{
+				"name": "master",
+				"commit": {
+					"id": "8898d8889fc99dd0fd578650b58b244fc63f6b58",
+					"short_id": "8898d801",
+					"created_at": "2021-06-04T08:24:44.000+00:00",
+					"parent_ids": null,
+					"title": "Merge branch 'pipeline-1317911429' into 'master'",
+					"message": "Merge branch 'pipeline-1317911429' into 'master'",
+					"author_name": "Martin Vozník",
+					"author_email": "martin@voznik.cz",
+					"authored_date": "2021-06-04T08:24:44.000+00:00",
+					"committer_name": "Martin Vozník",
+					"committer_email": "martin@voznik.cz",
+					"committed_date": "2021-06-04T08:24:44.000+00:00",
+					"trailers": null,
+					"web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/commit/8898d7999fc99dd0fd578650b58b244fc63f6b53"
+				},
+				"merged": false,
+				"protected": true,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": true,
+				"web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/tree/master"
+			}, {
+				"name": "pipeline-2310077506",
+				"commit": {
+					"id": "0f92540e5f396ba960adea4ed0aa905baf3f73d1",
+					"short_id": "0f92540e",
+					"created_at": "2021-06-01T18:39:59.000+00:00",
+					"parent_ids": null,
+					"title": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1",
+					"message": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1",
+					"author_name": "ci-test-app",
+					"author_email": "mvoznik+cicd@protonmail.com",
+					"authored_date": "2021-06-01T18:39:59.000+00:00",
+					"committer_name": "ci-test-app",
+					"committer_email": "mvoznik+cicd@protonmail.com",
+					"committed_date": "2021-06-01T18:39:59.000+00:00",
+					"trailers": null,
+					"web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/commit/0f92540e5f396ba960adea4ed0aa905baf3f73d1"
+				},
+				"merged": false,
+				"protected": false,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": false,
+				"web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/tree/pipeline-1310077506"
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v4/projects/test-argocd-proton%2Fargocd":
-			fmt.Println("auct")
 			_, err := io.WriteString(w, `{
 				"id": 27084533,
 				"description": "",
@ -1079,35 +1401,94 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {

 func TestGitlabListRepos(t *testing.T) {
 	cases := []struct {
-		name, proto, url, topic                                                  string
-		hasError, allBranches, includeSubgroups, includeSharedProjects, insecure bool
-		branches                                                                 []string
-		filters                                                                  []v1alpha1.SCMProviderGeneratorFilter
+		name, proto, topic                                                                             string
+		hasError, allBranches, includeSubgroups, includeSharedProjects, includeArchivedRepos, insecure bool
+		branches                                                                                       []string
+		expectedRepos                                                                                  []*Repository
+		filters                                                                                        []v1alpha1.SCMProviderGeneratorFilter
 	}{
 		{
-			name:     "blank protocol",
-			url:      "git@gitlab.com:test-argocd-proton/argocd.git",
+			name:                 "blank protocol",
+			allBranches:          false,
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
 			branches: []string{"master"},
-		},
-		{
-			name:  "ssh protocol",
-			proto: "ssh",
-			url:   "git@gitlab.com:test-argocd-proton/argocd.git",
-		},
-		{
-			name:  "labelmatch",
-			proto: "ssh",
-			url:   "git@gitlab.com:test-argocd-proton/argocd.git",
-			filters: []v1alpha1.SCMProviderGeneratorFilter{
+			expectedRepos: []*Repository{
 				{
-					LabelMatch: strp("test-topic"),
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
 				},
 			},
 		},
 		{
-			name:  "https protocol",
-			proto: "https",
-			url:   "https://gitlab.com/test-argocd-proton/argocd.git",
+			name:                 "ssh protocol",
+			proto:                "ssh",
+			allBranches:          false,
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"master"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+			},
+		},
+		{
+			name:                 "https protocol",
+			proto:                "https",
+			allBranches:          false,
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"master"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "https://gitlab.com/test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+			},
+		},
+		{
+			name:                 "labelmatch",
+			proto:                "ssh",
+			allBranches:          false,
+			includeArchivedRepos: false,
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{
+					LabelMatch: new("test-topic"),
+				},
+			},
+
+			branches: []string{"master"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 		{
 			name:     "other protocol",
@ -1115,34 +1496,133 @@ func TestGitlabListRepos(t *testing.T) {
 			hasError: true,
 		},
 		{
-			name:        "all branches",
-			allBranches: true,
-			url:         "git@gitlab.com:test-argocd-proton/argocd.git",
-			branches:    []string{"master"},
+			name:                 "all branches",
+			allBranches:          true,
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"master"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 		{
 			name:                  "all subgroups",
 			allBranches:           true,
-			url:                   "git@gitlab.com:test-argocd-proton/argocd.git",
 			branches:              []string{"master"},
 			includeSharedProjects: false,
 			includeSubgroups:      true,
+			includeArchivedRepos:  false,
+			filters:               []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic", "specific-topic"},
+				},
+				{
+					Organization: "",
+					Repository:   "argocd-subgroup",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/subgroup/argocd-subgroup.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b58",
+					RepositoryId: int64(27084538),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 		{
 			name:                  "all subgroups and shared projects",
 			allBranches:           true,
-			url:                   "git@gitlab.com:test-argocd-proton/argocd.git",
 			branches:              []string{"master"},
 			includeSharedProjects: true,
 			includeSubgroups:      true,
+			includeArchivedRepos:  false,
+			filters:               []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+				{
+					Organization: "",
+					Repository:   "shared-argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-shared-argocd-proton/shared-argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084534),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 		{
-			name:             "specific topic",
-			allBranches:      true,
-			url:              "git@gitlab.com:test-argocd-proton/argocd.git",
-			branches:         []string{"master"},
-			includeSubgroups: false,
-			topic:            "specific-topic",
+			name:                 "specific topic",
+			allBranches:          true,
+			branches:             []string{"master"},
+			includeSubgroups:     false,
+			topic:                "specific-topic",
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic", "specific-topic"},
+				},
+			},
+		},
+		{
+			name:                 "all branches with archived repos",
+			allBranches:          true,
+			branches:             []string{"master"},
+			includeSubgroups:     false,
+			includeArchivedRepos: true,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{},
+				},
+				{
+					Organization: "",
+					Repository:   "another-repo",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/another-repo.git",
+					SHA:          "8898d8889fc99dd0fd578650b58b244fc63f6b58",
+					RepositoryId: int64(56522142),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 	}
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -1150,28 +1630,24 @@ func TestGitlabListRepos(t *testing.T) {
 	}))
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.includeSharedProjects, c.insecure, "", c.topic, nil)
+			provider, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.includeSharedProjects, c.includeArchivedRepos, c.insecure, "", c.topic, nil)
 			rawRepos, err := ListRepos(t.Context(), provider, c.filters, c.proto)
 			if c.hasError {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
-				// Just check that this one project shows up. Not a great test but better than nothing?
+
 				repos := []*Repository{}
 				uniqueRepos := map[string]int{}
-				branches := []string{}
+
 				for _, r := range rawRepos {
-					if r.Repository == "argocd" {
+					if _, ok := uniqueRepos[r.Repository]; !ok {
 						repos = append(repos, r)
-						branches = append(branches, r.Branch)
 					}
 					uniqueRepos[r.Repository]++
 				}
 				assert.NotEmpty(t, repos)
-				assert.Equal(t, c.url, repos[0].URL)
-				for _, b := range c.branches {
-					assert.Contains(t, branches, b)
-				}
+
 				// In case of listing subgroups, validate the number of returned projects
 				if c.includeSubgroups || c.includeSharedProjects {
 					assert.Len(t, uniqueRepos, 2)
@ -1180,6 +1656,8 @@ func TestGitlabListRepos(t *testing.T) {
 				if c.topic != "" {
 					assert.Len(t, uniqueRepos, 1)
 				}
+				assert.Len(t, repos, len(c.expectedRepos))
+				assert.ElementsMatch(t, c.expectedRepos, repos)
 			}
 		})
 	}
@ -1189,7 +1667,7 @@ func TestGitlabHasPath(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		gitlabMockHandler(t)(w, r)
 	}))
-	host, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, "", "", nil)
+	host, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, false, "", "", nil)
 	repo := &Repository{
 		Organization: "test-argocd-proton",
 		Repository:   "argocd",
@ -1245,10 +1723,10 @@ func TestGitlabGetBranches(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		gitlabMockHandler(t)(w, r)
 	}))
-	host, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, "", "", nil)
+	host, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, false, "", "", nil)

 	repo := &Repository{
-		RepositoryId: 27084533,
+		RepositoryId: int64(27084533),
 		Branch:       "master",
 	}
 	t.Run("branch exists", func(t *testing.T) {
@ -1258,7 +1736,7 @@ func TestGitlabGetBranches(t *testing.T) {
 	})

 	repo2 := &Repository{
-		RepositoryId: 27084533,
+		RepositoryId: int64(27084533),
 		Branch:       "foo",
 	}
 	t.Run("unknown branch", func(t *testing.T) {
@ -1301,7 +1779,6 @@ func TestGetBranchesTLS(t *testing.T) {
 	}

 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				gitlabMockHandler(t)(w, r)
@ -1322,10 +1799,10 @@ func TestGetBranchesTLS(t *testing.T) {
 				}
 			}

-			host, err := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, test.tlsInsecure, "", "", certs)
+			host, err := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, test.tlsInsecure, "", "", certs)
 			require.NoError(t, err)
 			repo := &Repository{
-				RepositoryId: 27084533,
+				RepositoryId: int64(27084533),
 				Branch:       "master",
 			}
 			_, err = host.GetBranches(t.Context(), repo)
--- a/applicationset/services/scm_provider/mocks/AWSCodeCommitClient.go
+++ b/applicationset/services/scm_provider/mocks/AWSCodeCommitClient.go
@ -5,9 +5,9 @@
 package mocks

 import (
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/service/codecommit"
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/service/codecommit"
 	mock "github.com/stretchr/testify/mock"
 )

@ -38,71 +38,71 @@ func (_m *AWSCodeCommitClient) EXPECT() *AWSCodeCommitClient_Expecter {
 	return &AWSCodeCommitClient_Expecter{mock: &_m.Mock}
 }

-// GetFolderWithContext provides a mock function for the type AWSCodeCommitClient
-func (_mock *AWSCodeCommitClient) GetFolderWithContext(v aws.Context, getFolderInput *codecommit.GetFolderInput, options ...request.Option) (*codecommit.GetFolderOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
+// GetFolder provides a mock function for the type AWSCodeCommitClient
+func (_mock *AWSCodeCommitClient) GetFolder(context1 context.Context, getFolderInput *codecommit.GetFolderInput, fns ...func(*codecommit.Options)) (*codecommit.GetFolderOutput, error) {
+	// func(*codecommit.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
 	}
 	var _ca []interface{}
-	_ca = append(_ca, v, getFolderInput)
+	_ca = append(_ca, context1, getFolderInput)
 	_ca = append(_ca, _va...)
 	ret := _mock.Called(_ca...)

 	if len(ret) == 0 {
-		panic("no return value specified for GetFolderWithContext")
+		panic("no return value specified for GetFolder")
 	}

 	var r0 *codecommit.GetFolderOutput
 	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.GetFolderInput, ...request.Option) (*codecommit.GetFolderOutput, error)); ok {
-		return returnFunc(v, getFolderInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.GetFolderInput, ...func(*codecommit.Options)) (*codecommit.GetFolderOutput, error)); ok {
+		return returnFunc(context1, getFolderInput, fns...)
 	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.GetFolderInput, ...request.Option) *codecommit.GetFolderOutput); ok {
-		r0 = returnFunc(v, getFolderInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.GetFolderInput, ...func(*codecommit.Options)) *codecommit.GetFolderOutput); ok {
+		r0 = returnFunc(context1, getFolderInput, fns...)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*codecommit.GetFolderOutput)
 		}
 	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *codecommit.GetFolderInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, getFolderInput, options...)
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *codecommit.GetFolderInput, ...func(*codecommit.Options)) error); ok {
+		r1 = returnFunc(context1, getFolderInput, fns...)
 	} else {
 		r1 = ret.Error(1)
 	}
 	return r0, r1
 }

-// AWSCodeCommitClient_GetFolderWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetFolderWithContext'
-type AWSCodeCommitClient_GetFolderWithContext_Call struct {
+// AWSCodeCommitClient_GetFolder_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetFolder'
+type AWSCodeCommitClient_GetFolder_Call struct {
 	*mock.Call
 }

-// GetFolderWithContext is a helper method to define mock.On call
-//   - v aws.Context
+// GetFolder is a helper method to define mock.On call
+//   - context1 context.Context
 //   - getFolderInput *codecommit.GetFolderInput
-//   - options ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) GetFolderWithContext(v interface{}, getFolderInput interface{}, options ...interface{}) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	return &AWSCodeCommitClient_GetFolderWithContext_Call{Call: _e.mock.On("GetFolderWithContext",
-		append([]interface{}{v, getFolderInput}, options...)...)}
+//   - fns ...func(*codecommit.Options)
+func (_e *AWSCodeCommitClient_Expecter) GetFolder(context1 interface{}, getFolderInput interface{}, fns ...interface{}) *AWSCodeCommitClient_GetFolder_Call {
+	return &AWSCodeCommitClient_GetFolder_Call{Call: _e.mock.On("GetFolder",
+		append([]interface{}{context1, getFolderInput}, fns...)...)}
 }

-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) Run(run func(v aws.Context, getFolderInput *codecommit.GetFolderInput, options ...request.Option)) *AWSCodeCommitClient_GetFolderWithContext_Call {
+func (_c *AWSCodeCommitClient_GetFolder_Call) Run(run func(context1 context.Context, getFolderInput *codecommit.GetFolderInput, fns ...func(*codecommit.Options))) *AWSCodeCommitClient_GetFolder_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
+		var arg0 context.Context
 		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
+			arg0 = args[0].(context.Context)
 		}
 		var arg1 *codecommit.GetFolderInput
 		if args[1] != nil {
 			arg1 = args[1].(*codecommit.GetFolderInput)
 		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
+		var arg2 []func(*codecommit.Options)
+		variadicArgs := make([]func(*codecommit.Options), len(args)-2)
 		for i, a := range args[2:] {
 			if a != nil {
-				variadicArgs[i] = a.(request.Option)
+				variadicArgs[i] = a.(func(*codecommit.Options))
 			}
 		}
 		arg2 = variadicArgs
@ -115,81 +115,81 @@ func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) Run(run func(v aws.Cont
 	return _c
 }

-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) Return(getFolderOutput *codecommit.GetFolderOutput, err error) *AWSCodeCommitClient_GetFolderWithContext_Call {
+func (_c *AWSCodeCommitClient_GetFolder_Call) Return(getFolderOutput *codecommit.GetFolderOutput, err error) *AWSCodeCommitClient_GetFolder_Call {
 	_c.Call.Return(getFolderOutput, err)
 	return _c
 }

-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) RunAndReturn(run func(v aws.Context, getFolderInput *codecommit.GetFolderInput, options ...request.Option) (*codecommit.GetFolderOutput, error)) *AWSCodeCommitClient_GetFolderWithContext_Call {
+func (_c *AWSCodeCommitClient_GetFolder_Call) RunAndReturn(run func(context1 context.Context, getFolderInput *codecommit.GetFolderInput, fns ...func(*codecommit.Options)) (*codecommit.GetFolderOutput, error)) *AWSCodeCommitClient_GetFolder_Call {
 	_c.Call.Return(run)
 	return _c
 }

-// GetRepositoryWithContext provides a mock function for the type AWSCodeCommitClient
-func (_mock *AWSCodeCommitClient) GetRepositoryWithContext(v aws.Context, getRepositoryInput *codecommit.GetRepositoryInput, options ...request.Option) (*codecommit.GetRepositoryOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
+// GetRepository provides a mock function for the type AWSCodeCommitClient
+func (_mock *AWSCodeCommitClient) GetRepository(context1 context.Context, getRepositoryInput *codecommit.GetRepositoryInput, fns ...func(*codecommit.Options)) (*codecommit.GetRepositoryOutput, error) {
+	// func(*codecommit.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
 	}
 	var _ca []interface{}
-	_ca = append(_ca, v, getRepositoryInput)
+	_ca = append(_ca, context1, getRepositoryInput)
 	_ca = append(_ca, _va...)
 	ret := _mock.Called(_ca...)

 	if len(ret) == 0 {
-		panic("no return value specified for GetRepositoryWithContext")
+		panic("no return value specified for GetRepository")
 	}

 	var r0 *codecommit.GetRepositoryOutput
 	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.GetRepositoryInput, ...request.Option) (*codecommit.GetRepositoryOutput, error)); ok {
-		return returnFunc(v, getRepositoryInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.GetRepositoryInput, ...func(*codecommit.Options)) (*codecommit.GetRepositoryOutput, error)); ok {
+		return returnFunc(context1, getRepositoryInput, fns...)
 	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.GetRepositoryInput, ...request.Option) *codecommit.GetRepositoryOutput); ok {
-		r0 = returnFunc(v, getRepositoryInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.GetRepositoryInput, ...func(*codecommit.Options)) *codecommit.GetRepositoryOutput); ok {
+		r0 = returnFunc(context1, getRepositoryInput, fns...)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*codecommit.GetRepositoryOutput)
 		}
 	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *codecommit.GetRepositoryInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, getRepositoryInput, options...)
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *codecommit.GetRepositoryInput, ...func(*codecommit.Options)) error); ok {
+		r1 = returnFunc(context1, getRepositoryInput, fns...)
 	} else {
 		r1 = ret.Error(1)
 	}
 	return r0, r1
 }

-// AWSCodeCommitClient_GetRepositoryWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRepositoryWithContext'
-type AWSCodeCommitClient_GetRepositoryWithContext_Call struct {
+// AWSCodeCommitClient_GetRepository_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRepository'
+type AWSCodeCommitClient_GetRepository_Call struct {
 	*mock.Call
 }

-// GetRepositoryWithContext is a helper method to define mock.On call
-//   - v aws.Context
+// GetRepository is a helper method to define mock.On call
+//   - context1 context.Context
 //   - getRepositoryInput *codecommit.GetRepositoryInput
-//   - options ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) GetRepositoryWithContext(v interface{}, getRepositoryInput interface{}, options ...interface{}) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	return &AWSCodeCommitClient_GetRepositoryWithContext_Call{Call: _e.mock.On("GetRepositoryWithContext",
-		append([]interface{}{v, getRepositoryInput}, options...)...)}
+//   - fns ...func(*codecommit.Options)
+func (_e *AWSCodeCommitClient_Expecter) GetRepository(context1 interface{}, getRepositoryInput interface{}, fns ...interface{}) *AWSCodeCommitClient_GetRepository_Call {
+	return &AWSCodeCommitClient_GetRepository_Call{Call: _e.mock.On("GetRepository",
+		append([]interface{}{context1, getRepositoryInput}, fns...)...)}
 }

-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) Run(run func(v aws.Context, getRepositoryInput *codecommit.GetRepositoryInput, options ...request.Option)) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
+func (_c *AWSCodeCommitClient_GetRepository_Call) Run(run func(context1 context.Context, getRepositoryInput *codecommit.GetRepositoryInput, fns ...func(*codecommit.Options))) *AWSCodeCommitClient_GetRepository_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
+		var arg0 context.Context
 		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
+			arg0 = args[0].(context.Context)
 		}
 		var arg1 *codecommit.GetRepositoryInput
 		if args[1] != nil {
 			arg1 = args[1].(*codecommit.GetRepositoryInput)
 		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
+		var arg2 []func(*codecommit.Options)
+		variadicArgs := make([]func(*codecommit.Options), len(args)-2)
 		for i, a := range args[2:] {
 			if a != nil {
-				variadicArgs[i] = a.(request.Option)
+				variadicArgs[i] = a.(func(*codecommit.Options))
 			}
 		}
 		arg2 = variadicArgs
@ -202,81 +202,81 @@ func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) Run(run func(v aws.
 	return _c
 }

-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) Return(getRepositoryOutput *codecommit.GetRepositoryOutput, err error) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
+func (_c *AWSCodeCommitClient_GetRepository_Call) Return(getRepositoryOutput *codecommit.GetRepositoryOutput, err error) *AWSCodeCommitClient_GetRepository_Call {
 	_c.Call.Return(getRepositoryOutput, err)
 	return _c
 }

-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) RunAndReturn(run func(v aws.Context, getRepositoryInput *codecommit.GetRepositoryInput, options ...request.Option) (*codecommit.GetRepositoryOutput, error)) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
+func (_c *AWSCodeCommitClient_GetRepository_Call) RunAndReturn(run func(context1 context.Context, getRepositoryInput *codecommit.GetRepositoryInput, fns ...func(*codecommit.Options)) (*codecommit.GetRepositoryOutput, error)) *AWSCodeCommitClient_GetRepository_Call {
 	_c.Call.Return(run)
 	return _c
 }

-// ListBranchesWithContext provides a mock function for the type AWSCodeCommitClient
-func (_mock *AWSCodeCommitClient) ListBranchesWithContext(v aws.Context, listBranchesInput *codecommit.ListBranchesInput, options ...request.Option) (*codecommit.ListBranchesOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
+// ListBranches provides a mock function for the type AWSCodeCommitClient
+func (_mock *AWSCodeCommitClient) ListBranches(context1 context.Context, listBranchesInput *codecommit.ListBranchesInput, fns ...func(*codecommit.Options)) (*codecommit.ListBranchesOutput, error) {
+	// func(*codecommit.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
 	}
 	var _ca []interface{}
-	_ca = append(_ca, v, listBranchesInput)
+	_ca = append(_ca, context1, listBranchesInput)
 	_ca = append(_ca, _va...)
 	ret := _mock.Called(_ca...)

 	if len(ret) == 0 {
-		panic("no return value specified for ListBranchesWithContext")
+		panic("no return value specified for ListBranches")
 	}

 	var r0 *codecommit.ListBranchesOutput
 	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.ListBranchesInput, ...request.Option) (*codecommit.ListBranchesOutput, error)); ok {
-		return returnFunc(v, listBranchesInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.ListBranchesInput, ...func(*codecommit.Options)) (*codecommit.ListBranchesOutput, error)); ok {
+		return returnFunc(context1, listBranchesInput, fns...)
 	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.ListBranchesInput, ...request.Option) *codecommit.ListBranchesOutput); ok {
-		r0 = returnFunc(v, listBranchesInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.ListBranchesInput, ...func(*codecommit.Options)) *codecommit.ListBranchesOutput); ok {
+		r0 = returnFunc(context1, listBranchesInput, fns...)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*codecommit.ListBranchesOutput)
 		}
 	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *codecommit.ListBranchesInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, listBranchesInput, options...)
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *codecommit.ListBranchesInput, ...func(*codecommit.Options)) error); ok {
+		r1 = returnFunc(context1, listBranchesInput, fns...)
 	} else {
 		r1 = ret.Error(1)
 	}
 	return r0, r1
 }

-// AWSCodeCommitClient_ListBranchesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListBranchesWithContext'
-type AWSCodeCommitClient_ListBranchesWithContext_Call struct {
+// AWSCodeCommitClient_ListBranches_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListBranches'
+type AWSCodeCommitClient_ListBranches_Call struct {
 	*mock.Call
 }

-// ListBranchesWithContext is a helper method to define mock.On call
-//   - v aws.Context
+// ListBranches is a helper method to define mock.On call
+//   - context1 context.Context
 //   - listBranchesInput *codecommit.ListBranchesInput
-//   - options ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) ListBranchesWithContext(v interface{}, listBranchesInput interface{}, options ...interface{}) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	return &AWSCodeCommitClient_ListBranchesWithContext_Call{Call: _e.mock.On("ListBranchesWithContext",
-		append([]interface{}{v, listBranchesInput}, options...)...)}
+//   - fns ...func(*codecommit.Options)
+func (_e *AWSCodeCommitClient_Expecter) ListBranches(context1 interface{}, listBranchesInput interface{}, fns ...interface{}) *AWSCodeCommitClient_ListBranches_Call {
+	return &AWSCodeCommitClient_ListBranches_Call{Call: _e.mock.On("ListBranches",
+		append([]interface{}{context1, listBranchesInput}, fns...)...)}
 }

-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) Run(run func(v aws.Context, listBranchesInput *codecommit.ListBranchesInput, options ...request.Option)) *AWSCodeCommitClient_ListBranchesWithContext_Call {
+func (_c *AWSCodeCommitClient_ListBranches_Call) Run(run func(context1 context.Context, listBranchesInput *codecommit.ListBranchesInput, fns ...func(*codecommit.Options))) *AWSCodeCommitClient_ListBranches_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
+		var arg0 context.Context
 		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
+			arg0 = args[0].(context.Context)
 		}
 		var arg1 *codecommit.ListBranchesInput
 		if args[1] != nil {
 			arg1 = args[1].(*codecommit.ListBranchesInput)
 		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
+		var arg2 []func(*codecommit.Options)
+		variadicArgs := make([]func(*codecommit.Options), len(args)-2)
 		for i, a := range args[2:] {
 			if a != nil {
-				variadicArgs[i] = a.(request.Option)
+				variadicArgs[i] = a.(func(*codecommit.Options))
 			}
 		}
 		arg2 = variadicArgs
@ -289,81 +289,81 @@ func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) Run(run func(v aws.C
 	return _c
 }

-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) Return(listBranchesOutput *codecommit.ListBranchesOutput, err error) *AWSCodeCommitClient_ListBranchesWithContext_Call {
+func (_c *AWSCodeCommitClient_ListBranches_Call) Return(listBranchesOutput *codecommit.ListBranchesOutput, err error) *AWSCodeCommitClient_ListBranches_Call {
 	_c.Call.Return(listBranchesOutput, err)
 	return _c
 }

-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) RunAndReturn(run func(v aws.Context, listBranchesInput *codecommit.ListBranchesInput, options ...request.Option) (*codecommit.ListBranchesOutput, error)) *AWSCodeCommitClient_ListBranchesWithContext_Call {
+func (_c *AWSCodeCommitClient_ListBranches_Call) RunAndReturn(run func(context1 context.Context, listBranchesInput *codecommit.ListBranchesInput, fns ...func(*codecommit.Options)) (*codecommit.ListBranchesOutput, error)) *AWSCodeCommitClient_ListBranches_Call {
 	_c.Call.Return(run)
 	return _c
 }

-// ListRepositoriesWithContext provides a mock function for the type AWSCodeCommitClient
-func (_mock *AWSCodeCommitClient) ListRepositoriesWithContext(v aws.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, options ...request.Option) (*codecommit.ListRepositoriesOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
+// ListRepositories provides a mock function for the type AWSCodeCommitClient
+func (_mock *AWSCodeCommitClient) ListRepositories(context1 context.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, fns ...func(*codecommit.Options)) (*codecommit.ListRepositoriesOutput, error) {
+	// func(*codecommit.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
 	}
 	var _ca []interface{}
-	_ca = append(_ca, v, listRepositoriesInput)
+	_ca = append(_ca, context1, listRepositoriesInput)
 	_ca = append(_ca, _va...)
 	ret := _mock.Called(_ca...)

 	if len(ret) == 0 {
-		panic("no return value specified for ListRepositoriesWithContext")
+		panic("no return value specified for ListRepositories")
 	}

 	var r0 *codecommit.ListRepositoriesOutput
 	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.ListRepositoriesInput, ...request.Option) (*codecommit.ListRepositoriesOutput, error)); ok {
-		return returnFunc(v, listRepositoriesInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.ListRepositoriesInput, ...func(*codecommit.Options)) (*codecommit.ListRepositoriesOutput, error)); ok {
+		return returnFunc(context1, listRepositoriesInput, fns...)
 	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.ListRepositoriesInput, ...request.Option) *codecommit.ListRepositoriesOutput); ok {
-		r0 = returnFunc(v, listRepositoriesInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.ListRepositoriesInput, ...func(*codecommit.Options)) *codecommit.ListRepositoriesOutput); ok {
+		r0 = returnFunc(context1, listRepositoriesInput, fns...)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*codecommit.ListRepositoriesOutput)
 		}
 	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *codecommit.ListRepositoriesInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, listRepositoriesInput, options...)
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *codecommit.ListRepositoriesInput, ...func(*codecommit.Options)) error); ok {
+		r1 = returnFunc(context1, listRepositoriesInput, fns...)
 	} else {
 		r1 = ret.Error(1)
 	}
 	return r0, r1
 }

-// AWSCodeCommitClient_ListRepositoriesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListRepositoriesWithContext'
-type AWSCodeCommitClient_ListRepositoriesWithContext_Call struct {
+// AWSCodeCommitClient_ListRepositories_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListRepositories'
+type AWSCodeCommitClient_ListRepositories_Call struct {
 	*mock.Call
 }

-// ListRepositoriesWithContext is a helper method to define mock.On call
-//   - v aws.Context
+// ListRepositories is a helper method to define mock.On call
+//   - context1 context.Context
 //   - listRepositoriesInput *codecommit.ListRepositoriesInput
-//   - options ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) ListRepositoriesWithContext(v interface{}, listRepositoriesInput interface{}, options ...interface{}) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	return &AWSCodeCommitClient_ListRepositoriesWithContext_Call{Call: _e.mock.On("ListRepositoriesWithContext",
-		append([]interface{}{v, listRepositoriesInput}, options...)...)}
+//   - fns ...func(*codecommit.Options)
+func (_e *AWSCodeCommitClient_Expecter) ListRepositories(context1 interface{}, listRepositoriesInput interface{}, fns ...interface{}) *AWSCodeCommitClient_ListRepositories_Call {
+	return &AWSCodeCommitClient_ListRepositories_Call{Call: _e.mock.On("ListRepositories",
+		append([]interface{}{context1, listRepositoriesInput}, fns...)...)}
 }

-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) Run(run func(v aws.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, options ...request.Option)) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
+func (_c *AWSCodeCommitClient_ListRepositories_Call) Run(run func(context1 context.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, fns ...func(*codecommit.Options))) *AWSCodeCommitClient_ListRepositories_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
+		var arg0 context.Context
 		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
+			arg0 = args[0].(context.Context)
 		}
 		var arg1 *codecommit.ListRepositoriesInput
 		if args[1] != nil {
 			arg1 = args[1].(*codecommit.ListRepositoriesInput)
 		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
+		var arg2 []func(*codecommit.Options)
+		variadicArgs := make([]func(*codecommit.Options), len(args)-2)
 		for i, a := range args[2:] {
 			if a != nil {
-				variadicArgs[i] = a.(request.Option)
+				variadicArgs[i] = a.(func(*codecommit.Options))
 			}
 		}
 		arg2 = variadicArgs
@ -376,12 +376,12 @@ func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) Run(run func(v a
 	return _c
 }

-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) Return(listRepositoriesOutput *codecommit.ListRepositoriesOutput, err error) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
+func (_c *AWSCodeCommitClient_ListRepositories_Call) Return(listRepositoriesOutput *codecommit.ListRepositoriesOutput, err error) *AWSCodeCommitClient_ListRepositories_Call {
 	_c.Call.Return(listRepositoriesOutput, err)
 	return _c
 }

-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) RunAndReturn(run func(v aws.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, options ...request.Option) (*codecommit.ListRepositoriesOutput, error)) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
+func (_c *AWSCodeCommitClient_ListRepositories_Call) RunAndReturn(run func(context1 context.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, fns ...func(*codecommit.Options)) (*codecommit.ListRepositoriesOutput, error)) *AWSCodeCommitClient_ListRepositories_Call {
 	_c.Call.Return(run)
 	return _c
 }
--- a/applicationset/services/scm_provider/mocks/AWSTaggingClient.go
+++ b/applicationset/services/scm_provider/mocks/AWSTaggingClient.go
@ -5,9 +5,9 @@
 package mocks

 import (
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi"
 	mock "github.com/stretchr/testify/mock"
 )

@ -38,71 +38,71 @@ func (_m *AWSTaggingClient) EXPECT() *AWSTaggingClient_Expecter {
 	return &AWSTaggingClient_Expecter{mock: &_m.Mock}
 }

-// GetResourcesWithContext provides a mock function for the type AWSTaggingClient
-func (_mock *AWSTaggingClient) GetResourcesWithContext(v aws.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, options ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
+// GetResources provides a mock function for the type AWSTaggingClient
+func (_mock *AWSTaggingClient) GetResources(context1 context.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, fns ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error) {
+	// func(*resourcegroupstaggingapi.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
 	}
 	var _ca []interface{}
-	_ca = append(_ca, v, getResourcesInput)
+	_ca = append(_ca, context1, getResourcesInput)
 	_ca = append(_ca, _va...)
 	ret := _mock.Called(_ca...)

 	if len(ret) == 0 {
-		panic("no return value specified for GetResourcesWithContext")
+		panic("no return value specified for GetResources")
 	}

 	var r0 *resourcegroupstaggingapi.GetResourcesOutput
 	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error)); ok {
-		return returnFunc(v, getResourcesInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error)); ok {
+		return returnFunc(context1, getResourcesInput, fns...)
 	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) *resourcegroupstaggingapi.GetResourcesOutput); ok {
-		r0 = returnFunc(v, getResourcesInput, options...)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...func(*resourcegroupstaggingapi.Options)) *resourcegroupstaggingapi.GetResourcesOutput); ok {
+		r0 = returnFunc(context1, getResourcesInput, fns...)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*resourcegroupstaggingapi.GetResourcesOutput)
 		}
 	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, getResourcesInput, options...)
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...func(*resourcegroupstaggingapi.Options)) error); ok {
+		r1 = returnFunc(context1, getResourcesInput, fns...)
 	} else {
 		r1 = ret.Error(1)
 	}
 	return r0, r1
 }

-// AWSTaggingClient_GetResourcesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetResourcesWithContext'
-type AWSTaggingClient_GetResourcesWithContext_Call struct {
+// AWSTaggingClient_GetResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetResources'
+type AWSTaggingClient_GetResources_Call struct {
 	*mock.Call
 }

-// GetResourcesWithContext is a helper method to define mock.On call
-//   - v aws.Context
+// GetResources is a helper method to define mock.On call
+//   - context1 context.Context
 //   - getResourcesInput *resourcegroupstaggingapi.GetResourcesInput
-//   - options ...request.Option
-func (_e *AWSTaggingClient_Expecter) GetResourcesWithContext(v interface{}, getResourcesInput interface{}, options ...interface{}) *AWSTaggingClient_GetResourcesWithContext_Call {
-	return &AWSTaggingClient_GetResourcesWithContext_Call{Call: _e.mock.On("GetResourcesWithContext",
-		append([]interface{}{v, getResourcesInput}, options...)...)}
+//   - fns ...func(*resourcegroupstaggingapi.Options)
+func (_e *AWSTaggingClient_Expecter) GetResources(context1 interface{}, getResourcesInput interface{}, fns ...interface{}) *AWSTaggingClient_GetResources_Call {
+	return &AWSTaggingClient_GetResources_Call{Call: _e.mock.On("GetResources",
+		append([]interface{}{context1, getResourcesInput}, fns...)...)}
 }

-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) Run(run func(v aws.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, options ...request.Option)) *AWSTaggingClient_GetResourcesWithContext_Call {
+func (_c *AWSTaggingClient_GetResources_Call) Run(run func(context1 context.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, fns ...func(*resourcegroupstaggingapi.Options))) *AWSTaggingClient_GetResources_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
+		var arg0 context.Context
 		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
+			arg0 = args[0].(context.Context)
 		}
 		var arg1 *resourcegroupstaggingapi.GetResourcesInput
 		if args[1] != nil {
 			arg1 = args[1].(*resourcegroupstaggingapi.GetResourcesInput)
 		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
+		var arg2 []func(*resourcegroupstaggingapi.Options)
+		variadicArgs := make([]func(*resourcegroupstaggingapi.Options), len(args)-2)
 		for i, a := range args[2:] {
 			if a != nil {
-				variadicArgs[i] = a.(request.Option)
+				variadicArgs[i] = a.(func(*resourcegroupstaggingapi.Options))
 			}
 		}
 		arg2 = variadicArgs
@ -115,12 +115,12 @@ func (_c *AWSTaggingClient_GetResourcesWithContext_Call) Run(run func(v aws.Cont
 	return _c
 }

-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) Return(getResourcesOutput *resourcegroupstaggingapi.GetResourcesOutput, err error) *AWSTaggingClient_GetResourcesWithContext_Call {
+func (_c *AWSTaggingClient_GetResources_Call) Return(getResourcesOutput *resourcegroupstaggingapi.GetResourcesOutput, err error) *AWSTaggingClient_GetResources_Call {
 	_c.Call.Return(getResourcesOutput, err)
 	return _c
 }

-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) RunAndReturn(run func(v aws.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, options ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error)) *AWSTaggingClient_GetResourcesWithContext_Call {
+func (_c *AWSTaggingClient_GetResources_Call) RunAndReturn(run func(context1 context.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, fns ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error)) *AWSTaggingClient_GetResources_Call {
 	_c.Call.Return(run)
 	return _c
 }
--- a/applicationset/services/scm_provider/utils.go
+++ b/applicationset/services/scm_provider/utils.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"regexp"
+	"slices"
 	"strings"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
@ -58,13 +59,7 @@ func matchFilter(ctx context.Context, provider SCMProviderService, repo *Reposit
 	}

 	if filter.LabelMatch != nil {
-		found := false
-		for _, label := range repo.Labels {
-			if filter.LabelMatch.MatchString(label) {
-				found = true
-				break
-			}
-		}
+		found := slices.ContainsFunc(repo.Labels, filter.LabelMatch.MatchString)
 		if !found {
 			return false, nil
 		}
--- a/applicationset/services/scm_provider/utils_test.go
+++ b/applicationset/services/scm_provider/utils_test.go
@ -10,10 +10,6 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-func strp(s string) *string {
-	return &s
-}
-
 func TestFilterRepoMatch(t *testing.T) {
 	provider := &MockProvider{
 		Repos: []*Repository{
@ -33,7 +29,7 @@ func TestFilterRepoMatch(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			RepositoryMatch: strp("n|hr"),
+			RepositoryMatch: new("n|hr"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
@ -62,7 +58,7 @@ func TestFilterLabelMatch(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			LabelMatch: strp("^prod-.*$"),
+			LabelMatch: new("^prod-.*$"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
@ -131,7 +127,7 @@ func TestFilterRepoMatchBadRegexp(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			RepositoryMatch: strp("("),
+			RepositoryMatch: new("("),
 		},
 	}
 	_, err := ListRepos(t.Context(), provider, filters, "")
@ -148,7 +144,7 @@ func TestFilterLabelMatchBadRegexp(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			LabelMatch: strp("("),
+			LabelMatch: new("("),
 		},
 	}
 	_, err := ListRepos(t.Context(), provider, filters, "")
@ -182,7 +178,7 @@ func TestFilterBranchMatch(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			BranchMatch: strp("w"),
+			BranchMatch: new("w"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
@ -213,8 +209,8 @@ func TestMultiFilterAnd(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			RepositoryMatch: strp("w"),
-			LabelMatch:      strp("^prod-.*$"),
+			RepositoryMatch: new("w"),
+			LabelMatch:      new("^prod-.*$"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
@ -242,10 +238,10 @@ func TestMultiFilterOr(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			RepositoryMatch: strp("e"),
+			RepositoryMatch: new("e"),
 		},
 		{
-			LabelMatch: strp("^prod-.*$"),
+			LabelMatch: new("^prod-.*$"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
--- a/applicationset/utils/client.go
+++ b/applicationset/utils/client.go
@ -0,0 +1,137 @@
+package utils
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"reflect"
+	"sync"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	k8scache "k8s.io/client-go/tools/cache"
+	ctrlcache "sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	application "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+)
+
+// NewCacheSyncingClient returns a client that wraps the given client and syncs the cache after each Create, Update, Patch, or Delete operation on Application objects.
+func NewCacheSyncingClient(c client.Client, cache ctrlcache.Cache) client.Client {
+	res := &cacheSyncingClient{Client: c, storesByNs: make(map[string]k8scache.Store)}
+	// The k8s controller runtime's cache does not expose a way to get the underlying store, so we have to use reflection to access it.
+	// This is necessary to keep the cache in sync with the client operations.
+	field := reflect.ValueOf(cache).Elem().FieldByName("namespaceToCache")
+	if field.Kind() == reflect.Map {
+		namespaceToCache := *(*map[string]ctrlcache.Cache)(unsafe.Pointer(field.UnsafeAddr()))
+		res.getNSCache = func(_ context.Context, obj client.Object) (ctrlcache.Cache, error) {
+			res, ok := namespaceToCache[obj.GetNamespace()]
+			if !ok {
+				return nil, fmt.Errorf("cache for namespace %s not found", obj.GetNamespace())
+			}
+			return res, nil
+		}
+	} else {
+		res.getNSCache = func(_ context.Context, _ client.Object) (ctrlcache.Cache, error) {
+			return cache, nil
+		}
+	}
+	return res
+}
+
+type cacheSyncingClient struct {
+	client.Client
+	getNSCache func(ctx context.Context, obj client.Object) (ctrlcache.Cache, error)
+
+	storesByNs     map[string]k8scache.Store
+	storesByNsLock sync.RWMutex
+}
+
+func (c *cacheSyncingClient) getStore(ctx context.Context, obj client.Object) (k8scache.Store, error) {
+	c.storesByNsLock.RLock()
+	store, ok := c.storesByNs[obj.GetNamespace()]
+	c.storesByNsLock.RUnlock()
+	if ok {
+		return store, nil
+	}
+
+	store, err := c.retrieveStore(ctx, obj)
+	if err != nil {
+		return nil, err
+	}
+
+	c.storesByNsLock.Lock()
+	c.storesByNs[obj.GetNamespace()] = store
+	c.storesByNsLock.Unlock()
+
+	return store, nil
+}
+
+func (c *cacheSyncingClient) retrieveStore(ctx context.Context, obj client.Object) (k8scache.Store, error) {
+	nsCache, err := c.getNSCache(ctx, obj)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get namespace cache: %w", err)
+	}
+
+	informer, err := nsCache.GetInformerForKind(ctx, application.ApplicationSchemaGroupVersionKind)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get informer: %w", err)
+	}
+	indexInformer, ok := informer.(k8scache.SharedIndexInformer)
+	if !ok {
+		return nil, errors.New("informer is not a SharedIndexInformer")
+	}
+
+	return indexInformer.GetStore(), nil
+}
+
+func (c *cacheSyncingClient) execAndSyncCache(ctx context.Context, op func() error, obj client.Object, deleteObj bool) error {
+	// execute the operation first and only sync cache if it succeeds
+	if err := op(); err != nil {
+		return err
+	}
+	// sync cache for applications only
+	if _, ok := obj.(*application.Application); !ok {
+		return nil
+	}
+
+	logger := log.WithField("namespace", obj.GetNamespace()).WithField("name", obj.GetName())
+	store, err := c.getStore(ctx, obj)
+	if err != nil {
+		logger.Errorf("failed to get cache store: %v", err)
+	} else {
+		if deleteObj {
+			err = store.Delete(obj)
+		} else {
+			err = store.Update(obj)
+		}
+	}
+	if err != nil {
+		logger.Errorf("failed to sync cache for object: %v", err)
+	}
+	return nil
+}
+
+func (c *cacheSyncingClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error {
+	return c.execAndSyncCache(ctx, func() error {
+		return c.Client.Create(ctx, obj, opts...)
+	}, obj, false)
+}
+
+func (c *cacheSyncingClient) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error {
+	return c.execAndSyncCache(ctx, func() error {
+		return c.Client.Update(ctx, obj, opts...)
+	}, obj, false)
+}
+
+func (c *cacheSyncingClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error {
+	return c.execAndSyncCache(ctx, func() error {
+		return c.Client.Patch(ctx, obj, patch, opts...)
+	}, obj, false)
+}
+
+func (c *cacheSyncingClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error {
+	return c.execAndSyncCache(ctx, func() error {
+		return c.Client.Delete(ctx, obj, opts...)
+	}, obj, true)
+}
--- a/applicationset/utils/client_test.go
+++ b/applicationset/utils/client_test.go
@ -0,0 +1,111 @@
+package utils
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8scache "k8s.io/client-go/tools/cache"
+	ctrlcache "sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	application "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+)
+
+type fakeMultiNamespaceCache struct {
+	//nolint:unused
+	namespaceToCache map[string]ctrlcache.Cache
+
+	ctrlcache.Cache
+	k8scache.SharedIndexInformer
+
+	Store k8scache.Store
+}
+
+func (f *fakeMultiNamespaceCache) GetInformerForKind(_ context.Context, _ schema.GroupVersionKind, _ ...ctrlcache.InformerGetOption) (ctrlcache.Informer, error) {
+	return f, nil
+}
+
+func (f *fakeMultiNamespaceCache) GetStore() k8scache.Store {
+	return f.Store
+}
+
+func newClient(objs ...client.Object) (*cacheSyncingClient, k8scache.Store, error) {
+	scheme := runtime.NewScheme()
+	if err := application.AddToScheme(scheme); err != nil {
+		return nil, nil, err
+	}
+
+	store := k8scache.NewStore(func(obj any) (string, error) {
+		return obj.(client.Object).GetName(), nil
+	})
+	for _, obj := range objs {
+		if err := store.Add(obj); err != nil {
+			return nil, nil, err
+		}
+	}
+	c := &cacheSyncingClient{
+		Client:     fake.NewClientBuilder().WithScheme(scheme).WithObjects(objs...).Build(),
+		storesByNs: map[string]k8scache.Store{},
+		getNSCache: func(_ context.Context, _ client.Object) (ctrlcache.Cache, error) {
+			return &fakeMultiNamespaceCache{Store: store}, nil
+		},
+	}
+	return c, store, nil
+}
+
+func TestCreateSyncsCache(t *testing.T) {
+	c, store, err := newClient()
+	require.NoError(t, err)
+
+	app := &application.Application{
+		ObjectMeta: metav1.ObjectMeta{Name: "test", Namespace: "argocd"},
+	}
+	require.NoError(t, c.Create(context.Background(), app))
+
+	require.Contains(t, store.List(), app)
+}
+
+func TestUpdateSyncsCache(t *testing.T) {
+	app := &application.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "argocd",
+			Labels:    map[string]string{"foo": "bar"},
+		},
+	}
+	c, store, err := newClient(app)
+	require.NoError(t, err)
+
+	updatedApp := app.DeepCopy()
+	updatedApp.Labels["foo"] = "bar-UPDATED"
+	require.NoError(t, c.Update(context.Background(), updatedApp))
+
+	updated, _, err := store.GetByKey("test")
+	require.NoError(t, err)
+	require.Equal(t, "bar-UPDATED", updated.(*application.Application).Labels["foo"])
+}
+
+func TestDeleteSyncsCache(t *testing.T) {
+	app := &application.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "argocd",
+			Labels:    map[string]string{"foo": "bar"},
+		},
+	}
+	c, store, err := newClient(app)
+	require.NoError(t, err)
+
+	require.NoError(t, c.Delete(context.Background(), app))
+
+	require.Empty(t, store.List())
+}
+
+func TestNewClientDoesNotCrashWithMultiNamespaceCache(_ *testing.T) {
+	_ = NewCacheSyncingClient(nil, &fakeMultiNamespaceCache{})
+}
--- a/applicationset/utils/clusterUtils.go
+++ b/applicationset/utils/clusterUtils.go
@ -1,15 +1,12 @@
 package utils

 import (
-	"context"
 	"fmt"

-	"github.com/argoproj/argo-cd/v3/common"
-	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v3/util/db"
+	corev1 "k8s.io/api/core/v1"

-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
+	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

 // ClusterSpecifier contains only the name and server URL of a cluster. We use this struct to avoid partially-populating
@ -19,42 +16,44 @@ type ClusterSpecifier struct {
 	Server string
 }

-func ListClusters(ctx context.Context, clientset kubernetes.Interface, namespace string) ([]ClusterSpecifier, error) {
-	clusterSecretsList, err := clientset.CoreV1().Secrets(namespace).List(ctx,
-		metav1.ListOptions{LabelSelector: common.LabelKeySecretType + "=" + common.LabelValueSecretTypeCluster})
-	if err != nil {
-		return nil, err
-	}
-
-	if clusterSecretsList == nil {
-		return nil, nil
-	}
-
-	clusterSecrets := clusterSecretsList.Items
-
-	clusterList := make([]ClusterSpecifier, len(clusterSecrets))
-
-	hasInClusterCredentials := false
-	for i, clusterSecret := range clusterSecrets {
-		cluster, err := db.SecretToCluster(&clusterSecret)
-		if err != nil || cluster == nil {
-			return nil, fmt.Errorf("unable to convert cluster secret to cluster object '%s': %w", clusterSecret.Name, err)
+// SecretsContainInClusterCredentials checks if any of the provided secrets represent the in-cluster configuration.
+func SecretsContainInClusterCredentials(secrets []corev1.Secret) bool {
+	for _, secret := range secrets {
+		if string(secret.Data["server"]) == appv1.KubernetesInternalAPIServerAddr {
+			return true
 		}
-		clusterList[i] = ClusterSpecifier{
+	}
+	return false
+}
+
+// ListClusters returns a list of cluster specifiers using the ClusterInformer.
+func ListClusters(clusterInformer *settings.ClusterInformer) ([]ClusterSpecifier, error) {
+	clusters, err := clusterInformer.ListClusters()
+	if err != nil {
+		return nil, fmt.Errorf("error listing clusters: %w", err)
+	}
+	// len of clusters +1 for the in cluster secret
+	clusterList := make([]ClusterSpecifier, 0, len(clusters)+1)
+	hasInCluster := false
+
+	for _, cluster := range clusters {
+		clusterList = append(clusterList, ClusterSpecifier{
 			Name:   cluster.Name,
 			Server: cluster.Server,
-		}
+		})
 		if cluster.Server == appv1.KubernetesInternalAPIServerAddr {
-			hasInClusterCredentials = true
+			hasInCluster = true
 		}
 	}
-	if !hasInClusterCredentials {
+
+	if !hasInCluster {
 		// There was no secret for the in-cluster config, so we add it here. We don't fully-populate the Cluster struct,
 		// since only the name and server fields are used by the generator.
 		clusterList = append(clusterList, ClusterSpecifier{
-			Name:   "in-cluster",
+			Name:   appv1.KubernetesInClusterName,
 			Server: appv1.KubernetesInternalAPIServerAddr,
 		})
 	}
+
 	return clusterList, nil
 }
--- a/applicationset/utils/createOrUpdate.go
+++ b/applicationset/utils/createOrUpdate.go
@ -24,6 +24,43 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/argo/normalizers"
 )

+var appEquality = conversion.EqualitiesOrDie(
+	func(a, b resource.Quantity) bool {
+		// Ignore formatting, only care that numeric value stayed the same.
+		// TODO: if we decide it's important, it should be safe to start comparing the format.
+		//
+		// Uninitialized quantities are equivalent to 0 quantities.
+		return a.Cmp(b) == 0
+	},
+	func(a, b metav1.MicroTime) bool {
+		return a.UTC().Equal(b.UTC())
+	},
+	func(a, b metav1.Time) bool {
+		return a.UTC().Equal(b.UTC())
+	},
+	func(a, b labels.Selector) bool {
+		return a.String() == b.String()
+	},
+	func(a, b fields.Selector) bool {
+		return a.String() == b.String()
+	},
+	func(a, b argov1alpha1.ApplicationDestination) bool {
+		return a.Namespace == b.Namespace && a.Name == b.Name && a.Server == b.Server
+	},
+)
+
+// BuildIgnoreDiffConfig constructs a DiffConfig from the ApplicationSet's ignoreDifferences rules.
+// Returns nil when ignoreDifferences is empty.
+func BuildIgnoreDiffConfig(ignoreDifferences argov1alpha1.ApplicationSetIgnoreDifferences, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts) (argodiff.DiffConfig, error) {
+	if len(ignoreDifferences) == 0 {
+		return nil, nil
+	}
+	return argodiff.NewDiffConfigBuilder().
+		WithDiffSettings(ignoreDifferences.ToApplicationIgnoreDifferences(), nil, false, ignoreNormalizerOpts).
+		WithNoCache().
+		Build()
+}
+
 // CreateOrUpdate overrides "sigs.k8s.io/controller-runtime" function
 // in sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go
 // to add equality for argov1alpha1.ApplicationDestination
@ -34,10 +71,15 @@ import (
 // cluster. The object's desired state must be reconciled with the existing
 // state inside the passed in callback MutateFn.
 //
+// diffConfig must be built once per reconcile cycle via BuildIgnoreDiffConfig and may be nil
+// when there are no ignoreDifferences rules. obj.Spec must already be normalized by the caller
+// via NormalizeApplicationSpec before this function is called; the live object fetched from the
+// cluster is normalized internally.
+//
 // The MutateFn is called regardless of creating or updating an object.
 //
 // It returns the executed operation and an error.
-func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ignoreAppDifferences argov1alpha1.ApplicationSetIgnoreDifferences, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts, obj *argov1alpha1.Application, f controllerutil.MutateFn) (controllerutil.OperationResult, error) {
+func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, diffConfig argodiff.DiffConfig, obj *argov1alpha1.Application, f controllerutil.MutateFn) (controllerutil.OperationResult, error) {
 	key := client.ObjectKeyFromObject(obj)
 	if err := c.Get(ctx, key, obj); err != nil {
 		if !errors.IsNotFound(err) {
@ -59,43 +101,18 @@ func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ign
 		return controllerutil.OperationResultNone, err
 	}

+	// Normalize the live spec to avoid spurious diffs from unimportant differences (e.g. nil vs
+	// empty SyncPolicy). obj.Spec is already normalized by the caller; only the live side needs it.
+	normalizedLive.Spec = *argo.NormalizeApplicationSpec(&normalizedLive.Spec)
+
 	// Apply ignoreApplicationDifferences rules to remove ignored fields from both the live and the desired state. This
 	// prevents those differences from appearing in the diff and therefore in the patch.
-	err := applyIgnoreDifferences(ignoreAppDifferences, normalizedLive, obj, ignoreNormalizerOpts)
+	err := applyIgnoreDifferences(diffConfig, normalizedLive, obj)
 	if err != nil {
 		return controllerutil.OperationResultNone, fmt.Errorf("failed to apply ignore differences: %w", err)
 	}

-	// Normalize to avoid diffing on unimportant differences.
-	normalizedLive.Spec = *argo.NormalizeApplicationSpec(&normalizedLive.Spec)
-	obj.Spec = *argo.NormalizeApplicationSpec(&obj.Spec)
-
-	equality := conversion.EqualitiesOrDie(
-		func(a, b resource.Quantity) bool {
-			// Ignore formatting, only care that numeric value stayed the same.
-			// TODO: if we decide it's important, it should be safe to start comparing the format.
-			//
-			// Uninitialized quantities are equivalent to 0 quantities.
-			return a.Cmp(b) == 0
-		},
-		func(a, b metav1.MicroTime) bool {
-			return a.UTC().Equal(b.UTC())
-		},
-		func(a, b metav1.Time) bool {
-			return a.UTC().Equal(b.UTC())
-		},
-		func(a, b labels.Selector) bool {
-			return a.String() == b.String()
-		},
-		func(a, b fields.Selector) bool {
-			return a.String() == b.String()
-		},
-		func(a, b argov1alpha1.ApplicationDestination) bool {
-			return a.Namespace == b.Namespace && a.Name == b.Name && a.Server == b.Server
-		},
-	)
-
-	if equality.DeepEqual(normalizedLive, obj) {
+	if appEquality.DeepEqual(normalizedLive, obj) {
 		return controllerutil.OperationResultNone, nil
 	}

@ -135,19 +152,13 @@ func mutate(f controllerutil.MutateFn, key client.ObjectKey, obj client.Object)
 }

 // applyIgnoreDifferences applies the ignore differences rules to the found application. It modifies the applications in place.
-func applyIgnoreDifferences(applicationSetIgnoreDifferences argov1alpha1.ApplicationSetIgnoreDifferences, found *argov1alpha1.Application, generatedApp *argov1alpha1.Application, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts) error {
-	if len(applicationSetIgnoreDifferences) == 0 {
+// diffConfig may be nil, in which case this is a no-op.
+func applyIgnoreDifferences(diffConfig argodiff.DiffConfig, found *argov1alpha1.Application, generatedApp *argov1alpha1.Application) error {
+	if diffConfig == nil {
 		return nil
 	}

 	generatedAppCopy := generatedApp.DeepCopy()
-	diffConfig, err := argodiff.NewDiffConfigBuilder().
-		WithDiffSettings(applicationSetIgnoreDifferences.ToApplicationIgnoreDifferences(), nil, false, ignoreNormalizerOpts).
-		WithNoCache().
-		Build()
-	if err != nil {
-		return fmt.Errorf("failed to build diff config: %w", err)
-	}
 	unstructuredFound, err := appToUnstructured(found)
 	if err != nil {
 		return fmt.Errorf("failed to convert found application to unstructured: %w", err)
--- a/applicationset/utils/createOrUpdate_test.go
+++ b/applicationset/utils/createOrUpdate_test.go
@ -5,7 +5,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
@ -216,7 +216,6 @@ spec:
 	}

 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			foundApp := v1alpha1.Application{TypeMeta: appMeta}
@ -225,7 +224,9 @@ spec:
 			generatedApp := v1alpha1.Application{TypeMeta: appMeta}
 			err = yaml.Unmarshal([]byte(tc.generatedApp), &generatedApp)
 			require.NoError(t, err, tc.generatedApp)
-			err = applyIgnoreDifferences(tc.ignoreDifferences, &foundApp, &generatedApp, normalizers.IgnoreNormalizerOpts{})
+			diffConfig, err := BuildIgnoreDiffConfig(tc.ignoreDifferences, normalizers.IgnoreNormalizerOpts{})
+			require.NoError(t, err)
+			err = applyIgnoreDifferences(diffConfig, &foundApp, &generatedApp)
 			require.NoError(t, err)
 			yamlFound, err := yaml.Marshal(tc.foundApp)
 			require.NoError(t, err)
--- a/applicationset/utils/selector.go
+++ b/applicationset/utils/selector.go
@ -2,6 +2,7 @@ package utils

 import (
 	"fmt"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"
@ -207,12 +208,7 @@ type Requirement struct {
 }

 func (r *Requirement) hasValue(value string) bool {
-	for i := range r.strValues {
-		if r.strValues[i] == value {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(r.strValues, value)
 }

 func (r *Requirement) Matches(ls labels.Labels) bool {
--- a/applicationset/utils/utils.go
+++ b/applicationset/utils/utils.go
@ -90,7 +90,7 @@ func ConvertYAMLToJSON(str string) (string, error) {

 // This function is in charge of searching all String fields of the object recursively and apply templating
 // thanks to https://gist.github.com/randallmlough/1fd78ec8a1034916ca52281e3b886dc7
-func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap map[string]any, useGoTemplate bool, goTemplateOptions []string) error {
+func (r *Render) deeplyReplaceWithFilter(destination, original reflect.Value, replaceMap map[string]any, useGoTemplate bool, goTemplateOptions []string, filter func(destination, original, parent reflect.Value, field reflect.StructField) (bool, error)) error {
 	switch original.Kind() {
 	// The first cases handle nested structures and translate them recursively
 	// If it is a pointer we need to unwrap and call once again
@ -110,7 +110,7 @@ func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap m
 			copyUnexported(destination, original)
 		}
 		// Unwrap the newly created pointer
-		if err := r.deeplyReplace(destination.Elem(), originalValue, replaceMap, useGoTemplate, goTemplateOptions); err != nil {
+		if err := r.deeplyReplaceWithFilter(destination.Elem(), originalValue, replaceMap, useGoTemplate, goTemplateOptions, filter); err != nil {
 			// Not wrapping the error, since this is a recursive function. Avoids excessively long error messages.
 			return err
 		}
@ -131,7 +131,7 @@ func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap m
 			reflectValue := reflect.New(reflectType)

 			copyValue := reflectValue.Elem()
-			if err := r.deeplyReplace(copyValue, originalValue, replaceMap, useGoTemplate, goTemplateOptions); err != nil {
+			if err := r.deeplyReplaceWithFilter(copyValue, originalValue, replaceMap, useGoTemplate, goTemplateOptions, filter); err != nil {
 				// Not wrapping the error, since this is a recursive function. Avoids excessively long error messages.
 				return err
 			}
@ -142,6 +142,16 @@ func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap m
 	case reflect.Struct:
 		for i := 0; i < original.NumField(); i++ {
 			currentType := fmt.Sprintf("%s.%s", original.Type().Field(i).Name, original.Type().PkgPath())
+			if filter != nil {
+				matched, filterErr := filter(destination.Field(i), original.Field(i), original,
+					original.Type().Field(i))
+				if matched {
+					if filterErr != nil {
+						return filterErr
+					}
+					continue
+				}
+			}
 			// specific case time
 			if currentType == "time.Time" {
 				destination.Field(i).Set(original.Field(i))
@ -158,7 +168,7 @@ func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap m
 				}
 				jsonOriginal := reflect.ValueOf(&unmarshaled)
 				jsonCopy := reflect.New(jsonOriginal.Type()).Elem()
-				err = r.deeplyReplace(jsonCopy, jsonOriginal, replaceMap, useGoTemplate, goTemplateOptions)
+				err = r.deeplyReplaceWithFilter(jsonCopy, jsonOriginal, replaceMap, useGoTemplate, goTemplateOptions, filter)
 				if err != nil {
 					return fmt.Errorf("failed to deeply replace JSON field contents: %w", err)
 				}
@ -168,7 +178,7 @@ func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap m
 					return fmt.Errorf("failed to marshal templated JSON field: %w", err)
 				}
 				destination.Field(i).Set(reflect.ValueOf(data))
-			} else if err := r.deeplyReplace(destination.Field(i), original.Field(i), replaceMap, useGoTemplate, goTemplateOptions); err != nil {
+			} else if err := r.deeplyReplaceWithFilter(destination.Field(i), original.Field(i), replaceMap, useGoTemplate, goTemplateOptions, filter); err != nil {
 				// Not wrapping the error, since this is a recursive function. Avoids excessively long error messages.
 				return err
 			}
@ -183,7 +193,7 @@ func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap m
 		}

 		for i := 0; i < original.Len(); i++ {
-			if err := r.deeplyReplace(destination.Index(i), original.Index(i), replaceMap, useGoTemplate, goTemplateOptions); err != nil {
+			if err := r.deeplyReplaceWithFilter(destination.Index(i), original.Index(i), replaceMap, useGoTemplate, goTemplateOptions, filter); err != nil {
 				// Not wrapping the error, since this is a recursive function. Avoids excessively long error messages.
 				return err
 			}
@ -204,7 +214,7 @@ func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap m
 			// New gives us a pointer, but again we want the value
 			copyValue := reflect.New(originalValue.Type()).Elem()

-			if err := r.deeplyReplace(copyValue, originalValue, replaceMap, useGoTemplate, goTemplateOptions); err != nil {
+			if err := r.deeplyReplaceWithFilter(copyValue, originalValue, replaceMap, useGoTemplate, goTemplateOptions, filter); err != nil {
 				// Not wrapping the error, since this is a recursive function. Avoids excessively long error messages.
 				return err
 			}
@ -249,6 +259,10 @@ func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap m
 	return nil
 }

+func (r *Render) deeplyReplace(destination, original reflect.Value, replaceMap map[string]any, useGoTemplate bool, goTemplateOptions []string) error {
+	return r.deeplyReplaceWithFilter(destination, original, replaceMap, useGoTemplate, goTemplateOptions, nil)
+}
+
 // isNillable returns true if the value is something which may be set to nil. This function is meant to guard against a
 // panic from calling IsNil on a non-pointer type.
 func isNillable(v reflect.Value) bool {
@ -290,6 +304,27 @@ func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *
 	return replacedTmpl, nil
 }

+// Generator types that have Value field
+var filteredGeneratorTypes = getFilteredGeneratorTypes()
+
+// find generator types that have Values field
+func getFilteredGeneratorTypes() map[string]bool {
+	result := map[string]bool{}
+	t := reflect.TypeFor[argoappsv1.ApplicationSetGenerator]()
+	for field := range t.Fields() {
+		genPtrType := field.Type
+		if genPtrType.Kind() == reflect.Ptr && strings.HasSuffix(genPtrType.String(), "Generator") {
+			genType := genPtrType.Elem()
+			for field := range genType.Fields() {
+				if field.Name == "Values" && field.Type.String() == "map[string]string" {
+					result[genType.Name()] = true
+				}
+			}
+		}
+	}
+	return result
+}
+
 func (r *Render) RenderGeneratorParams(gen *argoappsv1.ApplicationSetGenerator, params map[string]any, useGoTemplate bool, goTemplateOptions []string) (*argoappsv1.ApplicationSetGenerator, error) {
 	if gen == nil {
 		return nil, errors.New("generator is empty")
@ -302,7 +337,17 @@ func (r *Render) RenderGeneratorParams(gen *argoappsv1.ApplicationSetGenerator,
 	original := reflect.ValueOf(gen)
 	destination := reflect.New(original.Type()).Elem()

-	if err := r.deeplyReplace(destination, original, params, useGoTemplate, goTemplateOptions); err != nil {
+	filter := func(destination, original, parent reflect.Value, field reflect.StructField) (bool, error) {
+		if field.Name == "Values" && field.Type.String() == "map[string]string" && filteredGeneratorTypes[parent.Type().Name()] {
+			if !destination.CanSet() {
+				return false, fmt.Errorf("cannot copy %s.Values, this cannot happen", parent.Type().Name())
+			}
+			destination.Set(original)
+			return true, nil
+		}
+		return false, nil
+	}
+	if err := r.deeplyReplaceWithFilter(destination, original, params, useGoTemplate, goTemplateOptions, filter); err != nil {
 		return nil, fmt.Errorf("failed to replace parameters in generator: %w", err)
 	}

@ -388,8 +433,7 @@ func invalidGenerators(applicationSetInfo *argoappsv1.ApplicationSet) (bool, map
 	for index, generator := range applicationSetInfo.Spec.Generators {
 		v := reflect.Indirect(reflect.ValueOf(generator))
 		found := false
-		for i := 0; i < v.NumField(); i++ {
-			field := v.Field(i)
+		for _, field := range v.Fields() {
 			if !field.CanInterface() {
 				continue
 			}
--- a/applicationset/utils/utils_test.go
+++ b/applicationset/utils/utils_test.go
@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"os"
 	"path"
+	"strings"
 	"testing"
 	"time"

@ -1390,3 +1391,12 @@ WkBKOclmOV2xlTVuPw==
 		})
 	}
 }
+
+func Test_getFilteredGeneratorTypes(t *testing.T) {
+	generators := getFilteredGeneratorTypes()
+	assert.Less(t, 1, len(generators))
+	for name, val := range generators {
+		assert.True(t, val)
+		assert.True(t, strings.HasSuffix(name, "Generator"))
+	}
+}
--- a/applicationset/webhook/webhook.go
+++ b/applicationset/webhook/webhook.go
@ -107,10 +107,8 @@ func NewWebhookHandler(webhookParallelism int, argocdSettingsMgr *argosettings.S

 func (h *WebhookHandler) startWorkerPool(webhookParallelism int) {
 	compLog := log.WithField("component", "applicationset-webhook")
-	for i := 0; i < webhookParallelism; i++ {
-		h.Add(1)
-		go func() {
-			defer h.Done()
+	for range webhookParallelism {
+		h.Go(func() {
 			for {
 				payload, ok := <-h.queue
 				if !ok {
@ -118,7 +116,7 @@ func (h *WebhookHandler) startWorkerPool(webhookParallelism int) {
 				}
 				guard.RecoverAndLog(func() { h.HandleEvent(payload) }, compLog, panicMsgAppSet)
 			}
-		}()
+		})
 	}
 }

--- a/applicationset/webhook/webhook_test.go
+++ b/applicationset/webhook/webhook_test.go
@ -233,7 +233,7 @@ func TestWebhookHandler(t *testing.T) {
 			h, err := NewWebhookHandler(webhookParallelism, set, fc, mockGenerators())
 			require.NoError(t, err)

-			req := httptest.NewRequest(http.MethodPost, "/api/webhook", http.NoBody)
+			req := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/api/webhook", http.NoBody)
 			req.Header.Set(test.headerKey, test.headerValue)
 			eventJSON, err := os.ReadFile(filepath.Join("testdata", test.payloadFile))
 			require.NoError(t, err)
@ -609,7 +609,7 @@ func fakeAppWithMatrixAndNestedGitGenerator(name, namespace, repo string) *v1alp
 							},
 							{
 								Matrix: &apiextensionsv1.JSON{
-									Raw: []byte(fmt.Sprintf(`{
+									Raw: fmt.Appendf(nil, `{
 										"Generators": [
 											{
 												"List": {
@ -626,7 +626,7 @@ func fakeAppWithMatrixAndNestedGitGenerator(name, namespace, repo string) *v1alp
 												}
 											}
 										]
-									}`, repo)),
+									}`, repo),
 								},
 							},
 						},
@ -707,7 +707,7 @@ func fakeAppWithMergeAndNestedGitGenerator(name, namespace, repo string) *v1alph
 							},
 							{
 								Merge: &apiextensionsv1.JSON{
-									Raw: []byte(fmt.Sprintf(`{
+									Raw: fmt.Appendf(nil, `{
 										"MergeKeys": ["server"],
 										"Generators": [
 											{
@ -719,7 +719,7 @@ func fakeAppWithMergeAndNestedGitGenerator(name, namespace, repo string) *v1alph
 												}
 											}
 										]
-									}`, repo)),
+									}`, repo),
 								},
 							},
 						},
--- a/assets/swagger.json
+++ b/assets/swagger.json
@ -2265,6 +2265,44 @@
        }
      }
    },
+    "/api/v1/applicationsets/{name}/events": {
+      "get": {
+        "tags": [
+          "ApplicationSetService"
+        ],
+        "summary": "ListResourceEvents returns a list of event resources",
+        "operationId": "ApplicationSetService_ListResourceEvents",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "the applicationsets's name",
+            "name": "name",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "The application set namespace. Default empty is argocd control plane namespace.",
+            "name": "appsetNamespace",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1EventList"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/applicationsets/{name}/resource-tree": {
      "get": {
        "tags": [
@ -4001,6 +4039,30 @@
            "description": "Whether https should be disabled for an OCI repo.",
            "name": "insecureOciForceHttp",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Azure Service Principal Client ID.",
+            "name": "azureServicePrincipalClientId",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Azure Service Principal Client Secret.",
+            "name": "azureServicePrincipalClientSecret",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Azure Service Principal Tenant ID.",
+            "name": "azureServicePrincipalTenantId",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Azure Active Directory Endpoint.",
+            "name": "azureActiveDirectoryEndpoint",
+            "in": "query"
          }
        ],
        "responses": {
@ -4347,6 +4409,69 @@
        }
      }
    },
+    "/api/v1/stream/applicationsets": {
+      "get": {
+        "tags": [
+          "ApplicationSetService"
+        ],
+        "operationId": "ApplicationSetService_Watch",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "name": "projects",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "selector",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "appSetNamespace",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "when specified with a watch call, shows changes that occur after that particular version of a resource.",
+            "name": "resourceVersion",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.(streaming responses)",
+            "schema": {
+              "type": "object",
+              "title": "Stream result of v1alpha1ApplicationSetWatchEvent",
+              "properties": {
+                "error": {
+                  "$ref": "#/definitions/runtimeStreamError"
+                },
+                "result": {
+                  "$ref": "#/definitions/v1alpha1ApplicationSetWatchEvent"
+                }
+              }
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/write-repocreds": {
      "get": {
        "tags": [
@ -4845,6 +4970,30 @@
            "description": "Whether https should be disabled for an OCI repo.",
            "name": "insecureOciForceHttp",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Azure Service Principal Client ID.",
+            "name": "azureServicePrincipalClientId",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Azure Service Principal Client Secret.",
+            "name": "azureServicePrincipalClientSecret",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Azure Service Principal Tenant ID.",
+            "name": "azureServicePrincipalTenantId",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Azure Active Directory Endpoint.",
+            "name": "azureActiveDirectoryEndpoint",
+            "in": "query"
          }
        ],
        "responses": {
@ -7261,7 +7410,7 @@
      "type": "object",
      "properties": {
        "applyNestedSelectors": {
-          "description": "ApplyNestedSelectors enables selectors defined within the generators of two level-nested matrix or merge generators\nDeprecated: This field is ignored, and the behavior is always enabled. The field will be removed in a future\nversion of the ApplicationSet CRD.",
+          "description": "ApplyNestedSelectors enables selectors defined within the generators of two level-nested matrix or merge generators.\n\nDeprecated: This field is ignored, and the behavior is always enabled. The field will be removed in a future\nversion of the ApplicationSet CRD.",
          "type": "boolean"
        },
        "generators": {
@ -7319,6 +7468,9 @@
            "$ref": "#/definitions/v1alpha1ApplicationSetCondition"
          }
        },
+        "health": {
+          "$ref": "#/definitions/v1alpha1HealthStatus"
+        },
        "resources": {
          "description": "Resources is a list of Applications resources managed by this application set.",
          "type": "array",
@ -7418,6 +7570,19 @@
        }
      }
    },
+    "v1alpha1ApplicationSetWatchEvent": {
+      "description": "ApplicationSetWatchEvent contains information about application change.",
+      "type": "object",
+      "properties": {
+        "applicationSet": {
+          "$ref": "#/definitions/v1alpha1ApplicationSet"
+        },
+        "type": {
+          "type": "string",
+          "title": "Type represents the Kubernetes watch event type. The protobuf tag uses\ncasttype to ensure the generated Go code keeps this field as\nwatch.EventType (a strong Go type) instead of falling back to a plain string"
+        }
+      }
+    },
    "v1alpha1ApplicationSource": {
      "type": "object",
      "title": "ApplicationSource contains all required information about the source of an application",
@ -7654,11 +7819,11 @@
        },
        "namePrefix": {
          "type": "string",
-          "title": "NamePrefix is a prefix appended to resources for Kustomize apps"
+          "title": "NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps"
        },
        "nameSuffix": {
          "type": "string",
-          "title": "NameSuffix is a suffix appended to resources for Kustomize apps"
+          "title": "NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps"
        },
        "namespace": {
          "type": "string",
@ -9402,6 +9567,22 @@
      "type": "object",
      "title": "RepoCreds holds the definition for repository credentials",
      "properties": {
+        "azureActiveDirectoryEndpoint": {
+          "type": "string",
+          "title": "AzureActiveDirectoryEndpoint specifies the Azure Active Directory endpoint used for Service Principal authentication. If empty will default to https://login.microsoftonline.com"
+        },
+        "azureServicePrincipalClientId": {
+          "type": "string",
+          "title": "AzureServicePrincipalClientId specifies the client ID of the Azure Service Principal used to access the repo"
+        },
+        "azureServicePrincipalClientSecret": {
+          "type": "string",
+          "title": "AzureServicePrincipalClientSecret specifies the client secret of the Azure Service Principal used to access the repo"
+        },
+        "azureServicePrincipalTenantId": {
+          "type": "string",
+          "title": "AzureServicePrincipalTenantId specifies the tenant ID of the Azure Service Principal used to access the repo"
+        },
        "bearerToken": {
          "type": "string",
          "title": "BearerToken contains the bearer token used for Git BitBucket Data Center auth at the repo server"
@ -9501,6 +9682,22 @@
      "type": "object",
      "title": "Repository is a repository holding application configurations",
      "properties": {
+        "azureActiveDirectoryEndpoint": {
+          "type": "string",
+          "title": "AzureActiveDirectoryEndpoint specifies the Azure Active Directory endpoint used for Service Principal authentication. If empty will default to https://login.microsoftonline.com"
+        },
+        "azureServicePrincipalClientId": {
+          "type": "string",
+          "title": "AzureServicePrincipalClientId specifies the client ID of the Azure Service Principal used to access the repo"
+        },
+        "azureServicePrincipalClientSecret": {
+          "type": "string",
+          "title": "AzureServicePrincipalClientSecret specifies the client secret of the Azure Service Principal used to access the repo"
+        },
+        "azureServicePrincipalTenantId": {
+          "type": "string",
+          "title": "AzureServicePrincipalTenantId specifies the tenant ID of the Azure Service Principal used to access the repo"
+        },
        "bearerToken": {
          "type": "string",
          "title": "BearerToken contains the bearer token used for Git BitBucket Data Center auth at the repo server"
@ -9610,6 +9807,10 @@
        "username": {
          "type": "string",
          "title": "Username contains the user name used for authenticating at the remote repository"
+        },
+        "webhookManifestCacheWarmDisabled": {
+          "description": "WebhookManifestCacheWarmDisabled disables manifest cache warming during webhook processing for this repository.\nWhen set, webhook handlers will only trigger reconciliation for affected applications and skip Redis cache\noperations for unaffected ones. Recommended for large monorepos with plain YAML manifests.",
+          "type": "boolean"
        }
      }
    },
@ -9715,7 +9916,7 @@
      "type": "object",
      "properties": {
        "diff": {
-          "description": "Diff contains the JSON patch representing the difference between the live and target resource.\nDeprecated: Use NormalizedLiveState and PredictedLiveState instead to compute differences.",
+          "description": "Diff contains the JSON patch representing the difference between the live and target resource.\n\nDeprecated: Use NormalizedLiveState and PredictedLiveState instead to compute differences.",
          "type": "string"
        },
        "group": {
@ -10297,6 +10498,10 @@
          "description": "The Gitea URL to talk to. For example https://gitea.mydomain.com/.",
          "type": "string"
        },
+        "excludeArchivedRepos": {
+          "description": "Exclude repositories that are archived.",
+          "type": "boolean"
+        },
        "insecure": {
          "type": "boolean",
          "title": "Allow self-signed TLS / Certificates; default: false"
@ -10326,6 +10531,10 @@
          "description": "AppSecretName is a reference to a GitHub App repo-creds secret.",
          "type": "string"
        },
+        "excludeArchivedRepos": {
+          "description": "Exclude repositories that are archived.",
+          "type": "boolean"
+        },
        "organization": {
          "description": "GitHub org to scan. Required.",
          "type": "string"
@ -10354,6 +10563,10 @@
          "description": "Gitlab group to scan. Required.  You can use either the project id (recommended) or the full namespaced path.",
          "type": "string"
        },
+        "includeArchivedRepos": {
+          "description": "Include repositories that are archived.",
+          "type": "boolean"
+        },
        "includeSharedProjects": {
          "type": "boolean",
          "title": "When recursing through subgroups, also include shared Projects (true) or scan only the subgroups under same path (false).  Defaults to \"true\""
@ -10722,6 +10935,10 @@
          "type": "string",
          "title": "Schedule is the time the window will begin, specified in cron format"
        },
+        "syncOverrun": {
+          "type": "boolean",
+          "title": "SyncOverrun allows ongoing syncs to continue in two scenarios:\nFor deny windows: allows syncs that started before the deny window became active to continue running\nFor allow windows: allows syncs that started during the allow window to continue after the window ends"
+        },
        "timeZone": {
          "type": "string",
          "title": "TimeZone of the sync that will be applied to the schedule"
--- a/cmd/argocd-application-controller/commands/argocd_application_controller.go
+++ b/cmd/argocd-application-controller/commands/argocd_application_controller.go
@ -41,8 +41,6 @@ import (
 )

 const (
-	// CLIName is the name of the CLI
-	cliName = common.ApplicationController
 	// Default time in seconds for application resync period
 	defaultAppResyncPeriod = 120
 	// Default time in seconds for application resync period jitter
@ -99,7 +97,7 @@ func NewCommand() *cobra.Command {
 		hydratorEnabled bool
 	)
 	command := cobra.Command{
-		Use:               cliName,
+		Use:               common.CommandApplicationController,
 		Short:             "Run ArgoCD Application Controller",
 		Long:              "ArgoCD application controller is a Kubernetes controller that continuously monitors running applications and compares the current, live state against the desired target state (as specified in the repo). This command runs Application Controller in the foreground.  It can be configured by following options.",
 		DisableAutoGenTag: true,
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
@ -32,6 +32,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/clientcmd"
 	ctrlcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
@ -48,10 +49,6 @@ import (

 var gitSubmoduleEnabled = env.ParseBoolFromEnv(common.EnvGitSubmoduleEnabled, true)

-const (
-	cliName = common.ApplicationSetController
-)
-
 func NewCommand() *cobra.Command {
 	var (
 		clientConfig                 clientcmd.ClientConfig
@ -81,12 +78,14 @@ func NewCommand() *cobra.Command {
 		webhookParallelism           int
 		tokenRefStrictMode           bool
 		maxResourcesStatusCount      int
+		cacheSyncPeriod              time.Duration
+		concurrentApplicationUpdates int
 	)
 	scheme := runtime.NewScheme()
 	_ = clientgoscheme.AddToScheme(scheme)
 	_ = appv1alpha1.AddToScheme(scheme)
 	command := cobra.Command{
-		Use:               cliName,
+		Use:               common.CommandApplicationSetController,
 		Short:             "Starts Argo CD ApplicationSet controller",
 		DisableAutoGenTag: true,
 		RunE: func(c *cobra.Command, _ []string) error {
@ -142,13 +141,11 @@ func NewCommand() *cobra.Command {
 				os.Exit(1)
 			}

-			var cacheOpt ctrlcache.Options
+			cacheOpt := ctrlcache.Options{SyncPeriod: &cacheSyncPeriod}

 			if watchedNamespace != "" {
-				cacheOpt = ctrlcache.Options{
-					DefaultNamespaces: map[string]ctrlcache.Config{
-						watchedNamespace: {},
-					},
+				cacheOpt.DefaultNamespaces = map[string]ctrlcache.Config{
+					watchedNamespace: {},
 				}
 			}

@ -193,6 +190,18 @@ func NewCommand() *cobra.Command {
 			argoSettingsMgr := argosettings.NewSettingsManager(ctx, k8sClient, namespace)
 			argoCDDB := db.NewDB(namespace, argoSettingsMgr, k8sClient)

+			clusterInformer, err := argosettings.NewClusterInformer(k8sClient, namespace)
+			if err != nil {
+				log.Error(err, "unable to create cluster informer")
+				os.Exit(1)
+			}
+			go clusterInformer.Run(ctx.Done())
+
+			if !cache.WaitForCacheSync(ctx.Done(), clusterInformer.HasSynced) {
+				log.Error("Timed out waiting for cluster cache to sync")
+				os.Exit(1)
+			}
+
 			scmConfig := generators.NewSCMConfig(scmRootCAPath, allowedScmProviders, enableScmProviders, enableGitHubAPIMetrics, github_app.NewAuthCredentials(argoCDDB.(db.RepoCredsDB)), tokenRefStrictMode)

 			tlsConfig := apiclient.TLSConfiguration{
@ -212,7 +221,7 @@ func NewCommand() *cobra.Command {
 			repoClientset := apiclient.NewRepoServerClientset(argocdRepoServer, repoServerTimeoutSeconds, tlsConfig)
 			argoCDService := services.NewArgoCDService(argoCDDB, gitSubmoduleEnabled, repoClientset, enableNewGitFileGlobbing)

-			topLevelGenerators := generators.GetGenerators(ctx, mgr.GetClient(), k8sClient, namespace, argoCDService, dynamicClient, scmConfig)
+			topLevelGenerators := generators.GetGenerators(ctx, mgr.GetClient(), k8sClient, namespace, argoCDService, dynamicClient, scmConfig, clusterInformer)

 			// start a webhook server that listens to incoming webhook payloads
 			webhookHandler, err := webhook.NewWebhookHandler(webhookParallelism, argoSettingsMgr, mgr.GetClient(), topLevelGenerators)
@ -231,23 +240,25 @@ func NewCommand() *cobra.Command {
 				})

 			if err = (&controllers.ApplicationSetReconciler{
-				Generators:                 topLevelGenerators,
-				Client:                     mgr.GetClient(),
-				Scheme:                     mgr.GetScheme(),
-				Recorder:                   mgr.GetEventRecorderFor("applicationset-controller"),
-				Renderer:                   &utils.Render{},
-				Policy:                     policyObj,
-				EnablePolicyOverride:       enablePolicyOverride,
-				KubeClientset:              k8sClient,
-				ArgoDB:                     argoCDDB,
-				ArgoCDNamespace:            namespace,
-				ApplicationSetNamespaces:   applicationSetNamespaces,
-				EnableProgressiveSyncs:     enableProgressiveSyncs,
-				SCMRootCAPath:              scmRootCAPath,
-				GlobalPreservedAnnotations: globalPreservedAnnotations,
-				GlobalPreservedLabels:      globalPreservedLabels,
-				Metrics:                    &metrics,
-				MaxResourcesStatusCount:    maxResourcesStatusCount,
+				Generators:                   topLevelGenerators,
+				Client:                       utils.NewCacheSyncingClient(mgr.GetClient(), mgr.GetCache()),
+				Scheme:                       mgr.GetScheme(),
+				Recorder:                     mgr.GetEventRecorderFor("applicationset-controller"),
+				Renderer:                     &utils.Render{},
+				Policy:                       policyObj,
+				EnablePolicyOverride:         enablePolicyOverride,
+				KubeClientset:                k8sClient,
+				ArgoDB:                       argoCDDB,
+				ArgoCDNamespace:              namespace,
+				ApplicationSetNamespaces:     applicationSetNamespaces,
+				EnableProgressiveSyncs:       enableProgressiveSyncs,
+				SCMRootCAPath:                scmRootCAPath,
+				GlobalPreservedAnnotations:   globalPreservedAnnotations,
+				GlobalPreservedLabels:        globalPreservedLabels,
+				Metrics:                      &metrics,
+				MaxResourcesStatusCount:      maxResourcesStatusCount,
+				ClusterInformer:              clusterInformer,
+				ConcurrentApplicationUpdates: concurrentApplicationUpdates,
 			}).SetupWithManager(mgr, enableProgressiveSyncs, maxConcurrentReconciliations); err != nil {
 				log.Error(err, "unable to create controller", "controller", "ApplicationSet")
 				os.Exit(1)
@ -292,7 +303,9 @@ func NewCommand() *cobra.Command {
 	command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently")
 	command.Flags().StringSliceVar(&metricsAplicationsetLabels, "metrics-applicationset-labels", []string{}, "List of Application labels that will be added to the argocd_applicationset_labels metric")
 	command.Flags().BoolVar(&enableGitHubAPIMetrics, "enable-github-api-metrics", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS", false), "Enable GitHub API metrics for generators that use the GitHub API")
-	command.Flags().IntVar(&maxResourcesStatusCount, "max-resources-status-count", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT", 0, 0, math.MaxInt), "Max number of resources stored in appset status.")
+	command.Flags().IntVar(&maxResourcesStatusCount, "max-resources-status-count", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT", 5000, 0, math.MaxInt), "Max number of resources stored in appset status.")
+	command.Flags().DurationVar(&cacheSyncPeriod, "cache-sync-period", env.ParseDurationFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_CACHE_SYNC_PERIOD", time.Hour*10, 0, time.Hour*24), "Period at which the manager client cache is forcefully resynced with the Kubernetes API server. 0 disables periodic resync.")
+	command.Flags().IntVar(&concurrentApplicationUpdates, "concurrent-application-updates", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_APPLICATION_UPDATES", 1, 1, 200), "Number of concurrent Application create/update/delete operations per ApplicationSet reconcile.")

 	return &command
 }
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller_test.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller_test.go
@ -0,0 +1,28 @@
+package command
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewCommand_ConcurrentApplicationUpdatesFlag(t *testing.T) {
+	cmd := NewCommand()
+
+	flag := cmd.Flags().Lookup("concurrent-application-updates")
+	require.NotNil(t, flag, "expected --concurrent-application-updates flag to be registered")
+	assert.Equal(t, "int", flag.Value.Type())
+	assert.Equal(t, "1", flag.DefValue, "default should be 1")
+}
+
+func TestNewCommand_ConcurrentApplicationUpdatesFlagValue(t *testing.T) {
+	cmd := NewCommand()
+
+	err := cmd.Flags().Set("concurrent-application-updates", "5")
+	require.NoError(t, err)
+
+	val, err := cmd.Flags().GetInt("concurrent-application-updates")
+	require.NoError(t, err)
+	assert.Equal(t, 5, val)
+}
--- a/cmd/argocd-cmp-server/commands/argocd_cmp_server.go
+++ b/cmd/argocd-cmp-server/commands/argocd_cmp_server.go
@ -18,11 +18,6 @@ import (
 	traceutil "github.com/argoproj/argo-cd/v3/util/trace"
 )

-const (
-	// CLIName is the name of the CLI
-	cliName = "argocd-cmp-server"
-)
-
 func NewCommand() *cobra.Command {
 	var (
 		configFilePath string
@ -32,7 +27,7 @@ func NewCommand() *cobra.Command {
 		otlpAttrs      []string
 	)
 	command := cobra.Command{
-		Use:               cliName,
+		Use:               common.CommandCMPServer,
 		Short:             "Run ArgoCD ConfigManagementPlugin Server",
 		Long:              "ArgoCD ConfigManagementPlugin Server is an internal service which runs as sidecar container in reposerver deployment. The following configuration options are available:",
 		DisableAutoGenTag: true,
--- a/cmd/argocd-commit-server/commands/argocd_commit_server.go
+++ b/cmd/argocd-commit-server/commands/argocd_commit_server.go
@ -35,7 +35,7 @@ func NewCommand() *cobra.Command {
 		metricsHost string
 	)
 	command := &cobra.Command{
-		Use:   "argocd-commit-server",
+		Use:   common.CommandCommitServer,
 		Short: "Run Argo CD Commit Server",
 		Long:  "Argo CD Commit Server is an internal service which commits and pushes hydrated manifests to git. This command runs Commit Server in the foreground.",
 		RunE: func(cmd *cobra.Command, _ []string) error {
@ -91,13 +91,11 @@ func NewCommand() *cobra.Command {
 			sigCh := make(chan os.Signal, 1)
 			signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM)
 			wg := sync.WaitGroup{}
-			wg.Add(1)
-			go func() {
+			wg.Go(func() {
 				s := <-sigCh
 				log.Printf("got signal %v, attempting graceful shutdown", s)
 				grpc.GracefulStop()
-				wg.Done()
-			}()
+			})

 			log.Println("starting grpc server")
 			err = grpc.Serve(listener)
--- a/cmd/argocd-dex/commands/argocd_dex.go
+++ b/cmd/argocd-dex/commands/argocd_dex.go
@ -25,13 +25,9 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/tls"
 )

-const (
-	cliName = "argocd-dex"
-)
-
 func NewCommand() *cobra.Command {
 	command := &cobra.Command{
-		Use:               cliName,
+		Use:               common.CommandDex,
 		Short:             "argocd-dex tools used by Argo CD",
 		Long:              "argocd-dex has internal utility tools used by Argo CD",
 		DisableAutoGenTag: true,
--- a/cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go
+++ b/cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go
@ -9,20 +9,16 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

+	"github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/util/askpass"
 	"github.com/argoproj/argo-cd/v3/util/errors"
 	grpc_util "github.com/argoproj/argo-cd/v3/util/grpc"
 	utilio "github.com/argoproj/argo-cd/v3/util/io"
 )

-const (
-	// cliName is the name of the CLI
-	cliName = "argocd-git-ask-pass"
-)
-
 func NewCommand() *cobra.Command {
 	command := cobra.Command{
-		Use:               cliName,
+		Use:               common.CommandGitAskPass,
 		Short:             "Argo CD git credential helper",
 		DisableAutoGenTag: true,
 		Run: func(c *cobra.Command, _ []string) {
--- a/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go
+++ b/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go
@ -2,15 +2,13 @@ package commands

 import (
 	"github.com/spf13/cobra"
-)

-const (
-	cliName = "argocd-k8s-auth"
+	"github.com/argoproj/argo-cd/v3/common"
 )

 func NewCommand() *cobra.Command {
 	command := &cobra.Command{
-		Use:               cliName,
+		Use:               common.CommandK8sAuth,
 		Short:             "argocd-k8s-auth a set of commands to generate k8s auth token",
 		DisableAutoGenTag: true,
 		Run: func(c *cobra.Command, args []string) {
--- a/cmd/argocd-k8s-auth/commands/aws.go
+++ b/cmd/argocd-k8s-auth/commands/aws.go
@ -6,12 +6,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strconv"
 	"time"

-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/sts"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
@ -58,13 +60,13 @@ func newAWSCommand() *cobra.Command {
 	return command
 }

-type getSignedRequestFunc func(clusterName, roleARN string, profile string) (string, error)
+type getSignedRequestFunc func(ctx context.Context, clusterName, roleARN string, profile string) (string, error)

 func getSignedRequestWithRetry(ctx context.Context, timeout, interval time.Duration, clusterName, roleARN string, profile string, fn getSignedRequestFunc) (string, error) {
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 	for {
-		signed, err := fn(clusterName, roleARN, profile)
+		signed, err := fn(ctx, clusterName, roleARN, profile)
 		if err == nil {
 			return signed, nil
 		}
@ -76,25 +78,53 @@ func getSignedRequestWithRetry(ctx context.Context, timeout, interval time.Durat
 	}
 }

-func getSignedRequest(clusterName, roleARN string, profile string) (string, error) {
-	sess, err := session.NewSessionWithOptions(session.Options{
-		Profile: profile,
-	})
+func getSignedRequest(ctx context.Context, clusterName, roleARN string, profile string) (string, error) {
+	cfg, err := loadAWSConfig(ctx, profile)
 	if err != nil {
-		return "", fmt.Errorf("error creating new AWS session: %w", err)
+		return "", err
 	}
-	stsAPI := sts.New(sess)
+	return getSignedRequestWithConfig(ctx, clusterName, roleARN, cfg)
+}
+
+func loadAWSConfig(ctx context.Context, profile string) (aws.Config, error) {
+	var opts []func(*config.LoadOptions) error
+	if profile != "" {
+		opts = append(opts, config.WithSharedConfigProfile(profile))
+	}
+	cfg, err := config.LoadDefaultConfig(ctx, opts...)
+	if err != nil {
+		return aws.Config{}, fmt.Errorf("error loading AWS configuration: %w", err)
+	}
+	return cfg, nil
+}
+
+// getSignedRequestWithConfig presigns GetCallerIdentity using the given config. Used by getSignedRequest and by tests
+// that inject a config with static credentials to exercise the roleARN path without real AWS credentials.
+func getSignedRequestWithConfig(ctx context.Context, clusterName, roleARN string, cfg aws.Config) (string, error) {
+	// Use PresignOptions.ClientOptions + SetHeaderValue (same as aws-iam-authenticator) so the
+	// canonical request matches what EKS sends when validating. Build middleware can produce
+	// a different canonical form and thus an invalid signature for EKS.
+	// See kubernetes-sigs/aws-iam-authenticator pkg/token/token.go GetWithSTS().
+	client := sts.NewFromConfig(cfg)
 	if roleARN != "" {
-		creds := stscreds.NewCredentials(sess, roleARN)
-		stsAPI = sts.New(sess, &aws.Config{Credentials: creds})
+		appCreds := stscreds.NewAssumeRoleProvider(client, roleARN)
+		cfg.Credentials = aws.NewCredentialsCache(appCreds)
+		client = sts.NewFromConfig(cfg)
 	}
-	request, _ := stsAPI.GetCallerIdentityRequest(&sts.GetCallerIdentityInput{})
-	request.HTTPRequest.Header.Add(clusterIDHeader, clusterName)
-	signed, err := request.Presign(requestPresignParam)
+
+	presignClient := sts.NewPresignClient(client)
+	presigned, err := presignClient.PresignGetCallerIdentity(ctx, &sts.GetCallerIdentityInput{},
+		func(presignOptions *sts.PresignOptions) {
+			presignOptions.ClientOptions = append(presignOptions.ClientOptions, func(stsOptions *sts.Options) {
+				stsOptions.APIOptions = append(stsOptions.APIOptions,
+					smithyhttp.SetHeaderValue(clusterIDHeader, clusterName),
+					smithyhttp.SetHeaderValue("X-Amz-Expires", strconv.Itoa(requestPresignParam)))
+			})
+		})
 	if err != nil {
 		return "", fmt.Errorf("error presigning AWS request: %w", err)
 	}
-	return signed, nil
+	return presigned.URL, nil
 }

 func formatJSON(token string, expiration time.Time) string {
--- a/cmd/argocd-k8s-auth/commands/aws_test.go
+++ b/cmd/argocd-k8s-auth/commands/aws_test.go
@ -1,14 +1,60 @@
 package commands

 import (
+	"context"
 	"errors"
 	"testing"
 	"time"

+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

+func TestGetSignedRequest(t *testing.T) {
+	t.Parallel()
+
+	t.Run("returns error when context is cancelled", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithCancel(context.Background())
+		cancel()
+
+		url, err := getSignedRequest(ctx, "my-cluster", "", "")
+
+		require.ErrorIs(t, err, context.Canceled)
+		assert.Empty(t, url)
+	})
+
+	t.Run("returns error for non-existent profile", func(t *testing.T) {
+		t.Parallel()
+		ctx := context.Background()
+		profile := "argocd-k8s-auth-test-nonexistent-profile-12345"
+
+		url, err := getSignedRequest(ctx, "my-cluster", "", profile)
+
+		require.Error(t, err)
+		assert.Empty(t, url)
+		assert.Contains(t, err.Error(), "configuration", "error should mention configuration load failed")
+	})
+
+	t.Run("returns error when roleARN is provided and assume role fails", func(t *testing.T) {
+		t.Parallel()
+		ctx := context.Background()
+		cfg, err := config.LoadDefaultConfig(ctx,
+			config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider("test", "test", "")),
+			config.WithRegion("us-east-1"),
+		)
+		require.NoError(t, err)
+
+		url, err := getSignedRequestWithConfig(ctx, "my-cluster", "arn:aws:iam::123456789012:role/NonExistentRole", cfg)
+
+		require.Error(t, err)
+		assert.Empty(t, url)
+		assert.Contains(t, err.Error(), "presigning", "error should mention presigning failed when assume role is used")
+	})
+}
+
 func TestGetSignedRequestWithRetry(t *testing.T) {
 	t.Parallel()

@ -72,7 +118,7 @@ type signedRequestMock struct {
 	returnFunc            func(m *signedRequestMock) (string, error)
 }

-func (m *signedRequestMock) getSignedRequestMock(_, _ string, _ string) (string, error) {
+func (m *signedRequestMock) getSignedRequestMock(_ context.Context, _, _ string, _ string) (string, error) {
 	m.getSignedRequestCalls++
 	return m.returnFunc(m)
 }
--- a/Show more
+++ b/Show more
 @ -1 +1 @@
 .3.0
 .5.0