fix(cli): uses DrySource revision for app diff/manifests with sourceHydrator (#23817 ) (#24670 )

Signed-off-by: Aditya Raj <adityaraj10600@gmail.com>
chore(deps): bump tj-actions/changed-files from 47.0.5 to 47.0.6 (#27470 )
2026-04-21 17:07:16 +00:00 · 2026-04-21 12:51:39 -04:00 · 2026-04-21 12:12:31 -04:00 · 2026-04-20 21:41:33 -10:00 · 2026-04-20 19:15:35 -04:00 · 2026-04-20 22:17:34 +00:00
1628 changed files with 1232614 additions and 58344 deletions
--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@ -9,18 +9,79 @@ assignees: ''
 Target RC1 date: ___. __, ____
 Target GA date: ___. __, ____

- - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can’t merge
+## RC1 Release Checklist
+
+ - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can't merge
 - [ ] At least two days before RC1 date, draft RC blog post and submit it for review (or delegate this task)
- - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
- - [ ] Create new release branch
+ - [ ] Create new release branch (or delegate this task to an Approver)
    - [ ] Add the release branch to ReadTheDocs
-    - [ ] Confirm that tweet and blog post are ready
-    - [ ] Trigger the release
-    - [ ] After the release is finished, publish tweet and blog post
-    - [ ] Post in #argo-cd and #argo-announcements with lots of emojis announcing the release and requesting help testing
- - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate (or delegate this task to an Approver and coordinate timing)
- - [ ] At release date, evaluate if any bugs justify delaying the release. If not, cut the release (or delegate this task to an Approver and coordinate timing)
- - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
- - [ ] After the release, post in #argo-cd that the {current minor version minus 3} has reached EOL (example: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1667336234059729)
+ - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
+    - [ ] Run the [Init ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/init-release.yaml) from the release branch
+    - [ ] Review and merge the generated version bump PR
+    - [ ] Run `./hack/trigger-release.sh` to push the release tag
+    - [ ] Monitor the [Publish ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/release.yaml)
+    - [ ] Verify the release on [GitHub releases](https://github.com/argoproj/argo-cd/releases)
+    - [ ] Verify the container image on [Quay.io](https://quay.io/repository/argoproj/argocd?tab=tags)
+    - [ ] Confirm the new version appears in [Read the Docs](https://argo-cd.readthedocs.io/)
+    - [ ] Verify the docs release build in https://app.readthedocs.org/projects/argo-cd/ succeeded and retry if failed (requires an Approver with admin creds to readthedocs)
+ - [ ] Announce RC1 release
+   - [ ] Confirm that tweet and blog post are ready
+   - [ ] Publish tweet and blog post
+   - [ ] Post in #argo-cd and #argo-announcements requesting help testing:
+     ```
+     :mega: Argo CD v{MAJOR}.{MINOR}.{PATCH}-rc{RC_NUMBER} is OUT NOW! :argocd::tada:
+     
+     Please go through the following resources to know more about the release:
+     
+     Release notes: https://github.com/argoproj/argo-cd/releases/tag/v{VERSION}
+     Blog: {BLOG_POST_URL}
+     
+     We'd love your help testing this release candidate! Please try it out in your environments and report any issues you find. This helps us ensure a stable GA release.
+     
+     Thanks to all the folks who spent their time contributing to this release in any way possible!
+     ```
+ - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate during the RC period (or delegate this task to an Approver and coordinate timing)
+ - [ ] After creating the RC, open a documentation PR for the next minor version using [this](../../docs/operator-manual/templates/minor_version_upgrade.md) template.
+
+## GA Release Checklist
+
+ - [ ] At GA release date, evaluate if any bugs justify delaying the release
+ - [ ] Prepare for EOL version (version that is 3 releases old)
+    - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
+    - [ ] Edit the final patch release on GitHub and add the following notice at the top:
+     ```markdown
+     > [!IMPORTANT]
+     > **END OF LIFE NOTICE**
+     > 
+     > This is the final release of the {EOL_SERIES} release series. As of {GA_DATE}, this version has reached end of life and will no longer receive bug fixes or security updates.
+     > 
+     > **Action Required**: Please upgrade to a [supported version](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) (v{SUPPORTED_VERSION_1}, v{SUPPORTED_VERSION_2}, or v{NEW_VERSION}).
+     ```
+ - [ ] Cut GA release (or delegate this task to an Approver and coordinate timing)
+    - [ ] Run the [Init ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/init-release.yaml) from the release branch
+    - [ ] Review and merge the generated version bump PR
+    - [ ] Run `./hack/trigger-release.sh` to push the release tag
+    - [ ] Monitor the [Publish ArgoCD Release workflow](https://github.com/argoproj/argo-cd/actions/workflows/release.yaml)
+    - [ ] Verify the release on [GitHub releases](https://github.com/argoproj/argo-cd/releases)
+    - [ ] Verify the container image on [Quay.io](https://quay.io/repository/argoproj/argocd?tab=tags)
+    - [ ] Verify the `stable` tag has been updated
+    - [ ] Confirm the new version appears in [Read the Docs](https://argo-cd.readthedocs.io/)
+    - [ ] Verify the docs release build in https://app.readthedocs.org/projects/argo-cd/ succeeded and retry if failed (requires an Approver with admin creds to readthedocs)
+ - [ ] Announce GA release with EOL notice
+   - [ ] Confirm that tweet and blog post are ready
+   - [ ] Publish tweet and blog post
+   - [ ] Post in #argo-cd and #argo-announcements announcing the release and EOL:
+     ```
+     :mega: Argo CD v{MAJOR}.{MINOR} is OUT NOW! :argocd::tada:
+     
+     Please go through the following resources to know more about the release:
+     
+     Upgrade instructions: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/{PREV_MINOR}-{MAJOR}.{MINOR}/
+     Blog: {BLOG_POST_URL}
+     
+     :warning: IMPORTANT: With the release of Argo CD v{MAJOR}.{MINOR}, support for Argo CD v{EOL_VERSION} has officially reached End of Life (EOL).
+     
+     Thanks to all the folks who spent their time contributing to this release in any way possible!
+     ```
 - [ ] (For the next release champion) Review the [items scheduled for the next release](https://github.com/orgs/argoproj/projects/25). If any item does not have an assignee who can commit to finish the feature, move it to the next release.
- - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
+ - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.
--- a/.github/configs/renovate-config.js
+++ b/.github/configs/renovate-config.js
@ -4,12 +4,14 @@ module.exports = {
    autodiscover: false,
    allowPostUpgradeCommandTemplating: true,
    allowedPostUpgradeCommands: ["make mockgen"],
+    binarySource: 'install',
    extends: [
        "github>argoproj/argo-cd//renovate-presets/commons.json5",
        "github>argoproj/argo-cd//renovate-presets/custom-managers/shell.json5",
        "github>argoproj/argo-cd//renovate-presets/custom-managers/yaml.json5",
        "github>argoproj/argo-cd//renovate-presets/fix/disable-all-updates.json5",
        "github>argoproj/argo-cd//renovate-presets/devtool.json5",
-        "github>argoproj/argo-cd//renovate-presets/docs.json5"
+        "github>argoproj/argo-cd//renovate-presets/docs.json5",
+        "group:aws-sdk-go-v2Monorepo"
    ]
 }
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -8,6 +8,9 @@ updates:
    ignore:
    - dependency-name: k8s.io/*
    groups:
+      aws-sdk-v2:
+        patterns:
+          - "github.com/aws/aws-sdk-go-v2*"
      otel:
        patterns:
          - "go.opentelemetry.io/*"
--- a/.github/pr-title-checker-config.json
+++ b/.github/pr-title-checker-config.json
@ -1,15 +1,15 @@
 {
-    "LABEL": {
-      "name": "title needs formatting",
-      "color": "EEEEEE"
-    },
-    "CHECKS": {
-      "prefixes": ["[Bot] docs: "],
-      "regexp": "^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
-    },
-    "MESSAGES": {
-      "success": "PR title is valid",
-      "failure": "PR title is invalid",
-      "notice": "PR Title needs to pass regex '^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
-    }
+  "LABEL": {
+    "name": "title needs formatting",
+    "color": "EEEEEE"
+  },
+  "CHECKS": {
+    "prefixes": ["[Bot] docs: "],
+    "regexp": "^(refactor|feat|fix|docs|test|ci|chore|revert)!?(\\(.*\\))?!?:.*"
+  },
+  "MESSAGES": {
+    "success": "PR title is valid",
+    "failure": "PR title is invalid",
+    "notice": "PR Title needs to pass regex '^(refactor|feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
  }
+}
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@ -11,6 +11,7 @@
 | release.yaml       | Build images, cli-binaries, provenances, and post actions      |
 | scorecard.yaml     | Generate scorecard for supply-chain security                   |
 | update-snyk.yaml   | Scheduled snyk reports                                         |
+| stale.yaml         | Labels stale issues and PRs                                    |

 # Reusable workflows

--- a/.github/workflows/bump-major-version.yaml
+++ b/.github/workflows/bump-major-version.yaml
@ -4,16 +4,26 @@ on:

 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  prepare-release:
    permissions:
      contents: write  # for peter-evans/create-pull-request to create branch
      pull-requests: write  # for peter-evans/create-pull-request to create a PR
    name: Automatically update major version
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -37,7 +47,7 @@ jobs:
        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd

      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Add ~/go/bin to PATH
@ -74,7 +84,7 @@ jobs:
          rsync -a --exclude=.git /home/runner/go/src/github.com/argoproj/argo-cd/ ../argo-cd

      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e  # v7.0.8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
        with:
          commit-message: "Bump major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}"
          title: "Bump major version to ${{ steps.get-target-version.outputs.TARGET_VERSION }}"
@ -86,4 +96,4 @@ jobs:
            - [ ] Add an upgrade guide to the docs for this version
          branch: bump-major-version
          branch-suffix: random
-          signoff: true
+          signoff: true
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@ -25,20 +25,30 @@ on:
      CHERRYPICK_APP_PRIVATE_KEY:
        required: true

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  cherry-pick:
    name: Cherry Pick to ${{ inputs.version_number }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: ${{ secrets.CHERRYPICK_APP_ID }}
          private-key: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}

      - name: Checkout repository
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ steps.generate-token.outputs.token }}
@ -66,6 +76,7 @@ jobs:

          # Create new branch for cherry-pick
          CHERRY_PICK_BRANCH="cherry-pick-${{ inputs.pr_number }}-to-${TARGET_BRANCH}"
+
          git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"

          # Perform cherry-pick
@ -75,12 +86,17 @@ jobs:
            # Extract Signed-off-by from the cherry-pick commit
            SIGNOFF=$(git log -1 --pretty=format:"%B" | grep -E '^Signed-off-by:' || echo "")

-            # Push the new branch
-            git push origin "$CHERRY_PICK_BRANCH"
+            # Push the new branch. Force push to ensure that in case the original cherry-pick branch is stale, 
+            # that the current state of the $TARGET_BRANCH + cherry-pick gets in $CHERRY_PICK_BRANCH.
+            git push origin -f "$CHERRY_PICK_BRANCH"

            # Save data for PR creation
            echo "branch_name=$CHERRY_PICK_BRANCH" >> "$GITHUB_OUTPUT"
-            echo "signoff=$SIGNOFF" >> "$GITHUB_OUTPUT"
+            {
+              echo "signoff<<EOF"
+              echo "$SIGNOFF"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
            echo "target_branch=$TARGET_BRANCH" >> "$GITHUB_OUTPUT"
          else
            echo "❌ Cherry-pick failed due to conflicts"
@ -91,11 +107,17 @@ jobs:
      - name: Create Pull Request
        run: |
          # Create cherry-pick PR
-          gh pr create \
-            --title "${{ inputs.pr_title }} (cherry-pick #${{ inputs.pr_number }} for ${{ inputs.version_number }})" \
-            --body "Cherry-picked ${{ inputs.pr_title }} (#${{ inputs.pr_number }})
+          TITLE="${PR_TITLE} (cherry-pick #${{ inputs.pr_number }} for ${{ inputs.version_number }})"
+          BODY=$(cat <<EOF
+          Cherry-picked ${PR_TITLE} (#${{ inputs.pr_number }})

-          ${{ steps.cherry-pick.outputs.signoff }}" \
+          ${{ steps.cherry-pick.outputs.signoff }}
+          EOF
+          )
+
+          gh pr create \
+            --title "$TITLE" \
+            --body "$BODY" \
            --base "${{ steps.cherry-pick.outputs.target_branch }}" \
            --head "${{ steps.cherry-pick.outputs.branch_name }}"

@ -103,12 +125,13 @@ jobs:
          gh pr comment ${{ inputs.pr_number }} \
            --body "🍒 Cherry-pick PR created for ${{ inputs.version_number }}: #$(gh pr list --head ${{ steps.cherry-pick.outputs.branch_name }} --json number --jq '.[0].number')"
        env:
+          PR_TITLE: ${{ inputs.pr_title }}
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}

      - name: Comment on failure
        if: failure()
        run: |
          gh pr comment ${{ inputs.pr_number }} \
-            --body "❌ Cherry-pick failed for ${{ inputs.version_number }}. Please check the workflow logs for details."
+            --body "❌ Cherry-pick failed for ${{ inputs.version_number }}. Please check the [workflow logs](https://github.com/argoproj/argo-cd/actions/runs/${{ github.run_id }}) for details."
        env:
-          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@ -6,6 +6,10 @@ on:
      - master
    types: ["labeled", "closed"]

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+    
 jobs:
  find-labels:
    name: Find Cherry Pick Labels
@ -14,10 +18,16 @@ jobs:
        (github.event.action == 'labeled' && startsWith(github.event.label.name, 'cherry-pick/')) ||
        (github.event.action == 'closed' && contains(toJSON(github.event.pull_request.labels.*.name), 'cherry-pick/'))
      )
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    outputs:
      labels: ${{ steps.extract-labels.outputs.labels }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Extract cherry-pick labels
        id: extract-labels
        run: |
@ -50,4 +60,4 @@ jobs:
      pr_title: ${{ github.event.pull_request.title }}
    secrets:
      CHERRYPICK_APP_ID: ${{ vars.CHERRYPICK_APP_ID }}
-      CHERRYPICK_APP_PRIVATE_KEY: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
+      CHERRYPICK_APP_PRIVATE_KEY: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@ -14,7 +14,9 @@ on:
 env:
  # Golang version to use across CI steps
  # renovate: datasource=golang-version packageName=golang
-  GOLANG_VERSION: '1.25.6'
+  GOLANG_VERSION: '1.26.2'
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@ -25,14 +27,19 @@ permissions:

 jobs:
  changes:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    outputs:
      backend: ${{ steps.filter.outputs.backend_any_changed }}
      frontend: ${{ steps.filter.outputs.frontend_any_changed }}
      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
-      - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
@ -50,14 +57,19 @@ jobs:
  check-go:
    name: Ensure Go modules synchronicity
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Download all Go modules
@ -67,26 +79,34 @@ jobs:
        run: |
          go mod tidy
          git diff --exit-code -- .
-
  build-go:
    name: Build & cache Go code
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
-      - name: Restore go build cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      - name: Restore go build and module cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
-      - name: Download all Go modules
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
+      - name: Download Go modules
        run: |
          go mod download
      - name: Compile all packages
@ -98,27 +118,32 @@ jobs:
      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
    name: Lint Go code
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
-          # renovate: datasource=go packageName=github.com/golangci/golangci-lint versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
-          version: v2.4.0
+          # renovate: datasource=go packageName=github.com/golangci/golangci-lint/v2 versioning=regex:^v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)?$
+          version: v2.11.4
          args: --verbose

  test-go:
    name: Run unit tests for Go packages
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - build-go
      - changes
@ -126,14 +151,19 @@ jobs:
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@ -152,11 +182,15 @@ jobs:
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
-      - name: Restore go build cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      - name: Restore go build and module cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
@ -168,13 +202,13 @@ jobs:
        run: |
          git config --global user.name "John Doe"
          git config --global user.email "john.doe@example.com"
-      - name: Download and vendor all required packages
+      - name: Download Go modules
        run: |
          go mod download
      - name: Run all unit tests
        run: make test-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: test-results
          path: test-results
@ -182,7 +216,7 @@ jobs:
  test-go-race:
    name: Run unit tests with -race for Go packages
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - build-go
      - changes
@ -190,14 +224,19 @@ jobs:
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit    
      - name: Create checkout directory
        run: mkdir -p ~/go/src/github.com/argoproj
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Create symlink in GOPATH
        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Install required packages
@ -216,11 +255,15 @@ jobs:
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
-      - name: Restore go build cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      - name: Restore go build and module cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
@ -232,13 +275,13 @@ jobs:
        run: |
          git config --global user.name "John Doe"
          git config --global user.email "john.doe@example.com"
-      - name: Download and vendor all required packages
+      - name: Download Go modules
        run: |
          go mod download
      - name: Run all unit tests
        run: make test-race-local
      - name: Generate test results artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: race-results
          path: test-results/
@ -246,20 +289,26 @@ jobs:
  codegen:
    name: Check changes to generated code
    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.docs == 'true'}}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
      - name: Create symlink in GOPATH
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
        run: |
          mkdir -p ~/go/src/github.com/argoproj
-          cp -a ../argo-cd ~/go/src/github.com/argoproj
+          cp -a ../${{ github.event.repository.name }} ~/go/src/github.com/argoproj
      - name: Add ~/go/bin to PATH
        run: |
          echo "/home/runner/go/bin" >> $GITHUB_PATH
@ -271,12 +320,14 @@ jobs:
          # We need to vendor go modules for codegen yet
          go mod download
          go mod vendor -v
-        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
      - name: Install toolchain for codegen
        run: |
          make install-codegen-tools-local
          make install-go-tools-local
-        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
        # We install kustomize in the dist directory
      - name: Add dist to PATH
        run: |
@ -287,41 +338,48 @@ jobs:
          export GOPATH=$(go env GOPATH)
          git checkout -- go.mod go.sum
          make codegen-local
-        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}
      - name: Check nothing has changed
        run: |
          set -xo pipefail
          git diff --exit-code -- . ':!go.sum' ':!go.mod' ':!assets/swagger.json' | tee codegen.patch
-        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # generalizing repo name for forks:  ${{ github.event.repository.name }}
+        working-directory: /home/runner/go/src/github.com/argoproj/${{ github.event.repository.name }}

  build-ui:
    name: Build, test & lint UI code
    # We run UI logic for backend changes so that we have a complete set of coverage documents to send to codecov.
    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - changes
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Install pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
      - name: Setup NodeJS
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          # renovate: datasource=node-version packageName=node versioning=node
-          node-version: '22.9.0'
-      - name: Restore node dependency cache
-        id: cache-dependencies
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-        with:
-          path: ui/node_modules
-          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
+          node-version: '24.14.1'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install node dependencies
        run: |
-          cd ui && yarn install --frozen-lockfile --ignore-optional --non-interactive
+          cd ui && pnpm i --frozen-lockfile
      - name: Build UI code
        run: |
-          yarn test
-          yarn build
+          pnpm test
+          pnpm build
        env:
          NODE_ENV: production
          NODE_ONLINE_ENV: online
@ -330,13 +388,13 @@ jobs:
          CODECOV_TOKEN: ${{ github.ref == 'refs/heads/master' && secrets.CODECOV_TOKEN || '' }}
        working-directory: ui/
      - name: Run ESLint
-        run: yarn lint
+        run: pnpm lint
        working-directory: ui/

  shellcheck:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: |
          sudo apt-get install shellcheck
          shellcheck -e SC2059 -e SC2154 -e SC2034 -e SC2016 -e SC1091 $(find . -type f -name '*.sh' | grep -v './ui/node_modules') | tee sc.log
@ -345,7 +403,7 @@ jobs:
  analyze:
    name: Process & analyze test artifacts
    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - test-go
      - build-ui
@ -353,27 +411,24 @@ jobs:
      - test-e2e
    env:
      sonar_secret: ${{ secrets.SONAR_TOKEN }}
+      codecov_secret: ${{ secrets.CODECOV_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
-      - name: Restore node dependency cache
-        id: cache-dependencies
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-        with:
-          path: ui/node_modules
-          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
-      - name: Remove other node_modules directory
-        run: |
-          rm -rf ui/node_modules/argo-ui/node_modules
      - name: Get e2e code coverage
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: e2e-code-coverage
          path: e2e-code-coverage
      - name: Get unit test code coverage
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: test-results
          path: test-results
@ -385,52 +440,52 @@ jobs:
        run: |
          go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller,e2e-code-coverage/commit-server -o test-results/full-coverage.out
      - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        # Only run when the workflow is for upstream (PR target or push is in argoproj/argo-cd).
+        if: github.repository == 'argoproj/argo-cd'
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: test-results/full-coverage.out
          fail_ci_if_error: true
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      - name: Upload test results to Codecov
-        if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'argoproj/argo-cd'
-        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+        # Codecov uploads test results to Codecov.io on upstream master branch.
+        if: github.repository == 'argoproj/argo-cd' && github.ref == 'refs/heads/master' && github.event_name == 'push'
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
-          file: test-results/junit.xml
+          files: test-results/junit.xml
          fail_ci_if_error: true
          token: ${{ secrets.CODECOV_TOKEN }}
+          report_type: test_results
      - name: Perform static code analysis using SonarCloud
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        uses: SonarSource/sonarqube-scan-action@1a6d90ebcb0e6a6b1d87e37ba693fe453195ae25 # v5.3.1
+        uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0
        if: env.sonar_secret != ''
  test-e2e:
    name: Run end-to-end tests
    if: ${{ needs.changes.outputs.backend == 'true' }}
-    runs-on: oracle-vm-16cpu-64gb-x86-64
+    runs-on: ${{ github.repository == 'argoproj/argo-cd' && 'oracle-vm-16cpu-64gb-x86-64' || 'ubuntu-24.04' }}
    strategy:
      fail-fast: false
      matrix:
        # latest: true means that this version mush upload the coverage report to codecov.io
        # We designate the latest version because we only collect code coverage for that version.
        k3s:
-          - version: v1.34.2
+          - version: v1.35.0
            latest: true
+          - version: v1.34.2
+            latest: false
          - version: v1.33.1
            latest: false
          - version: v1.32.1
            latest: false
-          - version: v1.31.0
-            latest: false
    needs:
      - build-go
      - changes
    env:
-      GOPATH: /home/ubuntu/go
      ARGOCD_FAKE_IN_CLUSTER: 'true'
-      ARGOCD_SSH_DATA_PATH: '/tmp/argo-e2e/app/config/ssh'
-      ARGOCD_TLS_DATA_PATH: '/tmp/argo-e2e/app/config/tls'
-      ARGOCD_E2E_SSH_KNOWN_HOSTS: '../fixture/certs/ssh_known_hosts'
      ARGOCD_E2E_K3S: 'true'
      ARGOCD_IN_CI: 'true'
      ARGOCD_E2E_APISERVER_PORT: '8088'
@ -439,6 +494,11 @@ jobs:
      GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
        with:
@ -447,11 +507,23 @@ jobs:
          swap-storage: false
          tool-cache: false
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
+      - name: Set GOPATH
+        run: |
+          echo "GOPATH=$HOME/go" >> $GITHUB_ENV
+      - name: Setup NodeJS
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          # renovate: datasource=node-version packageName=node versioning=node
+          node-version: '24.14.1'
+      - name: Install pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
      - name: GH actions workaround - Kill XSP4 process
        run: |
          sudo pkill mono || true
@ -462,29 +534,35 @@ jobs:
          set -x
          curl -sfL https://get.k3s.io | sh -
          sudo chmod -R a+rw /etc/rancher/k3s
-          sudo mkdir -p $HOME/.kube && sudo chown -R ubuntu $HOME/.kube
+          sudo mkdir -p $HOME/.kube && sudo chown -R $(whoami) $HOME/.kube
          sudo k3s kubectl config view --raw > $HOME/.kube/config
-          sudo chown ubuntu $HOME/.kube/config
+          sudo chown $(whoami) $HOME/.kube/config
          sudo chmod go-r $HOME/.kube/config
          kubectl version
-      - name: Restore go build cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      - name: Restore go build and module cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-v1-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-v1-
      - name: Add ~/go/bin to PATH
        run: |
-          echo "/home/ubuntu/go/bin" >> $GITHUB_PATH
+          echo "$HOME/go/bin" >> $GITHUB_PATH
      - name: Add /usr/local/bin to PATH
        run: |
          echo "/usr/local/bin" >> $GITHUB_PATH
      - name: Add ./dist to PATH
        run: |
          echo "$(pwd)/dist" >> $GITHUB_PATH
-      - name: Download Go dependencies
+      - name: Download Go modules
        run: |
          go mod download
-          go install github.com/mattn/goreman@latest
+      - name: Install goreman
+        run: |
+          go install github.com/mattn/goreman@v0.3.17
      - name: Install all tools required for building & testing
        run: |
          make install-test-tools-local
@ -494,13 +572,13 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.43.0
+          docker pull ghcr.io/dexidp/dex:v2.45.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:8.2.2-alpine
+          docker pull redis:8.2.3-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
-          chown ubuntu dist
+          chown $(whoami) dist
      - name: Run E2E server and wait for it being available
        timeout-minutes: 30
        run: |
@ -526,13 +604,13 @@ jobs:
          goreman run stop-all || echo "goreman trouble"
          sleep 30
      - name: Upload e2e coverage report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: e2e-code-coverage
          path: /tmp/coverage
        if: ${{ matrix.k3s.latest }}
      - name: Upload e2e-server logs
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: e2e-server-k8s${{ matrix.k3s.version }}.log
          path: /tmp/e2e-server.log
@ -550,8 +628,13 @@ jobs:
    needs:
      - test-e2e
      - changes
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit      
      - run: |
          result="${{ needs.test-e2e.result }}"
          # mark as successful even if skipped
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -6,7 +6,18 @@ on:
    branches-ignore:
      - 'dependabot/**'
      - 'cherry-pick-*'
+      
+    # Skip CodeQL for documentation-only changes
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+
  pull_request:
+    # Skip CodeQL for documentation-only changes
+    paths-ignore:
+      - '*.md'
+      - '**/*.md'
+      - 'docs/assets/**'
  schedule:
    - cron: '0 19 * * 0'

@ -17,6 +28,10 @@ concurrency:
 permissions:
  contents: read

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+  
 jobs:
  CodeQL-Build:
    permissions:
@ -26,20 +41,26 @@ jobs:
    if: github.repository == 'argoproj/argo-cd' || vars.enable_codeql

    # CodeQL runs on ubuntu-latest and windows-latest
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      if: ${{ vars.disable_harden_runner != 'true' }}
+      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      with:
+        egress-policy: audit
+
    - name: Checkout repository
-      uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
    - name: Setup Golang
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      with:
        go-version-file: go.mod
      
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
      # Override language selection by uncommenting this and choosing your languages
      # with:
      #   languages: go, javascript, csharp, python, cpp, java
@ -47,7 +68,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@ -61,4 +82,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@ -45,38 +45,58 @@ on:

 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  publish:
    permissions:
      contents: read
      packages: write # Used to push images to `ghcr.io` if used.
      id-token: write # Needed to create an OIDC token for keyless signing
-    runs-on: ubuntu-22.04
-    outputs:
+    runs-on: ubuntu-24.04
+    outputs:  
      image-digest: ${{ steps.image.outputs.digest }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.ref_type == 'tag'}}

      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        if: ${{ github.ref_type != 'tag'}}

      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ inputs.go-version }}
          cache: false

      - name: Install cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

-      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        with:
+          image: tonistiigi/binfmt@sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3 #qemu-v10.0.4
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          # buildkit v0.28.1
+          driver-opts: |
+            image=moby/buildkit@sha256:a82d1ab899cda51aade6fe818d71e4b58c4079e047a0cf29dbb93b2b0465ea69
+            

      - name: Setup tags for container image as a CSV type
        run: |
@ -103,7 +123,7 @@ jobs:
            echo 'EOF' >> $GITHUB_ENV

      - name: Login to Quay.io
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ secrets.quay_username }}
@ -111,7 +131,7 @@ jobs:
        if: ${{ inputs.quay_image_name && inputs.push }}

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ secrets.ghcr_username }}
@ -119,7 +139,7 @@ jobs:
        if: ${{ inputs.ghcr_image_name && inputs.push }}

      - name: Login to dockerhub Container Registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
@ -142,7 +162,7 @@ jobs:

      - name: Build and push container image
        id: image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f #v7.1.0
        with:
          context: .
          platforms: ${{ inputs.platforms }}
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -15,20 +15,63 @@ concurrency:

 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  set-vars:
    permissions:
      contents: read
-    if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-22.04
+    # Always run to calculate variables - other jobs check outputs
+    runs-on: ubuntu-24.04
    outputs:
      image-tag: ${{ steps.image.outputs.tag}}
      platforms: ${{ steps.platforms.outputs.platforms }}
+      image_namespace: ${{ steps.image.outputs.image_namespace }}
+      image_repository: ${{ steps.image.outputs.image_repository }}
+      quay_image_name: ${{ steps.image.outputs.quay_image_name }}
+      ghcr_image_name: ${{ steps.image.outputs.ghcr_image_name }}
+      ghcr_provenance_image: ${{ steps.image.outputs.ghcr_provenance_image }}
+      allow_ghcr_publish: ${{ steps.image.outputs.allow_ghcr_publish }}
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit

-      - name: Set image tag for ghcr
-        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set image tag and names
+        run: |
+          # Calculate image tag
+          TAG="$(cat ./VERSION)-${GITHUB_SHA::8}"
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          
+          # Calculate image names with defaults
+          IMAGE_NAMESPACE="${{ vars.IMAGE_NAMESPACE || 'argoproj' }}"
+          IMAGE_REPOSITORY="${{ vars.IMAGE_REPOSITORY || 'argocd' }}"
+          GHCR_NAMESPACE="${{ vars.GHCR_NAMESPACE || github.repository }}"
+          GHCR_REPOSITORY="${{ vars.GHCR_REPOSITORY || 'argocd' }}"
+          
+          echo "image_namespace=$IMAGE_NAMESPACE" >> $GITHUB_OUTPUT
+          echo "image_repository=$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
+          
+          # Construct image name
+          echo "quay_image_name=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY:latest" >> $GITHUB_OUTPUT
+          
+          ALLOW_GHCR_PUBLISH=false
+          if [[ "${{ github.repository }}" == "argoproj/argo-cd" || "$GHCR_NAMESPACE" != argoproj/* ]]; then
+            ALLOW_GHCR_PUBLISH=true
+            echo "ghcr_image_name=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY:$TAG" >> $GITHUB_OUTPUT
+            echo "ghcr_provenance_image=ghcr.io/$GHCR_NAMESPACE/$GHCR_REPOSITORY" >> $GITHUB_OUTPUT
+          else
+            echo "GhCR publish skipped: refusing to push to namespace '$GHCR_NAMESPACE'. Please override GHCR_* for forks." >&2
+            echo "ghcr_image_name=" >> $GITHUB_OUTPUT
+            echo "ghcr_provenance_image=" >> $GITHUB_OUTPUT
+          fi
+          echo "allow_ghcr_publish=$ALLOW_GHCR_PUBLISH" >> $GITHUB_OUTPUT
        id: image

      - name: Determine image platforms to use
@ -48,12 +91,12 @@ jobs:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
+    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name != 'push' }}
    uses: ./.github/workflows/image-reuse.yaml
    with:
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.25.6
+      go-version: 1.26.2
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: false

@ -63,14 +106,14 @@ jobs:
      contents: read
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
      id-token: write # for creating OIDC tokens for signing.
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' }}
    uses: ./.github/workflows/image-reuse.yaml
    with:
-      quay_image_name: quay.io/argoproj/argocd:latest
-      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+      quay_image_name: ${{ needs.set-vars.outputs.quay_image_name }}
+      ghcr_image_name: ${{ needs.set-vars.outputs.ghcr_image_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.25.6
+      go-version: 1.26.2
      platforms: ${{ needs.set-vars.outputs.platforms }}
      push: true
    secrets:
@ -81,16 +124,17 @@ jobs:

  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
    needs:
+      - set-vars
      - build-and-publish
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    if: ${{ (github.repository == 'argoproj/argo-cd' || needs.set-vars.outputs.image_namespace != 'argoproj') && github.event_name == 'push' && needs.set-vars.outputs.allow_ghcr_publish == 'true'}}
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
-      image: ghcr.io/argoproj/argo-cd/argocd
+      image: ${{ needs.set-vars.outputs.ghcr_provenance_image }}
      digest: ${{ needs.build-and-publish.outputs.image-digest }}
      registry-username: ${{ github.actor }}
    secrets:
@ -104,9 +148,9 @@ jobs:
      contents: write # for git to push upgrade commit if not already deployed
      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
        env:
          TOKEN: ${{ secrets.TOKEN }}
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@ -14,16 +14,32 @@ on:

 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  prepare-release:
    permissions:
      contents: write  # for peter-evans/create-pull-request to create branch
      pull-requests: write  # for peter-evans/create-pull-request to create a PR
    name: Automatically generate version and manifests on ${{ inputs.TARGET_BRANCH }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    env:
+      # Calculate image names with defaults, this will be used in the make manifests-local command
+      # to generate the correct image name in the manifests
+      IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY || 'quay.io' }}
+      IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE || 'argoproj' }}
+      IMAGE_REPOSITORY: ${{ vars.IMAGE_REPOSITORY || 'argocd' }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694  # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -64,7 +80,7 @@ jobs:
          git stash pop

      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e  # v7.0.8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
        with:
          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@ -1,13 +1,15 @@
 name: "Lint PR"

 on:
-  pull_request_target:
+  pull_request:
    types: [opened, edited, reopened, synchronize]

-# IMPORTANT: No checkout actions, scripts, or builds should be added to this workflow. Permissions should always be used
-# with extreme caution. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
 permissions: {}

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 # PR updates can happen in quick succession leading to this
 # workflow being trigger a number of times. This limits it
 # to one run per PR.
@ -21,8 +23,14 @@ jobs:
      contents: read
      pull-requests: read
    name: Validate PR Title
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -11,21 +11,24 @@ permissions: {}

 env:
  # renovate: datasource=golang-version packageName=golang
-  GOLANG_VERSION: '1.25.6' # Note: go-version must also be set in job argocd-image.with.go-version
-
+  GOLANG_VERSION: '1.26.2' # Note: go-version must also be set in job argocd-image.with.go-version  
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+  
 jobs:
  argocd-image:
+    needs: [setup-variables]
    permissions:
      contents: read
      id-token: write # for creating OIDC tokens for signing.
      packages: write # used to push images to `ghcr.io` if used.
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    uses: ./.github/workflows/image-reuse.yaml
    with:
-      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
+      quay_image_name: ${{ needs.setup-variables.outputs.quay_image_name }}
      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
      # renovate: datasource=golang-version packageName=golang
-      go-version: 1.25.6
+      go-version: 1.26.2
      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
      push: true
    secrets:
@ -34,14 +37,25 @@ jobs:

  setup-variables:
    name: Setup Release Variables
-    if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-22.04
+    if: github.repository == 'argoproj/argo-cd' || (github.repository_owner != 'argoproj' && vars.ENABLE_FORK_RELEASES == 'true' && vars.IMAGE_NAMESPACE && vars.IMAGE_NAMESPACE != 'argoproj')
+    runs-on: ubuntu-24.04
    outputs:
      is_pre_release: ${{ steps.var.outputs.is_pre_release }}
      is_latest_release: ${{ steps.var.outputs.is_latest_release }}
+      enable_fork_releases: ${{ steps.var.outputs.enable_fork_releases }}
+      image_namespace: ${{ steps.var.outputs.image_namespace }}
+      image_repository: ${{ steps.var.outputs.image_repository }}
+      quay_image_name: ${{ steps.var.outputs.quay_image_name }}
+      provenance_image: ${{ steps.var.outputs.provenance_image }}
+      allow_fork_release: ${{ steps.var.outputs.allow_fork_release }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -67,18 +81,36 @@ jobs:
          fi
          echo "is_pre_release=$PRE_RELEASE" >> $GITHUB_OUTPUT
          echo "is_latest_release=$IS_LATEST" >> $GITHUB_OUTPUT
+          
+          # Calculate configuration with defaults
+          ENABLE_FORK_RELEASES="${{ vars.ENABLE_FORK_RELEASES || 'false' }}"
+          IMAGE_NAMESPACE="${{ vars.IMAGE_NAMESPACE || 'argoproj' }}"
+          IMAGE_REPOSITORY="${{ vars.IMAGE_REPOSITORY || 'argocd' }}"
+          
+          echo "enable_fork_releases=$ENABLE_FORK_RELEASES" >> $GITHUB_OUTPUT
+          
+          echo "image_namespace=$IMAGE_NAMESPACE" >> $GITHUB_OUTPUT
+          echo "image_repository=$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
+          echo "quay_image_name=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY:${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          echo "provenance_image=quay.io/$IMAGE_NAMESPACE/$IMAGE_REPOSITORY" >> $GITHUB_OUTPUT
+          
+          ALLOW_FORK_RELEASE=false
+          if [[ "${{ github.repository_owner }}" != "argoproj" && "$ENABLE_FORK_RELEASES" == "true" && "$IMAGE_NAMESPACE" != "argoproj" && "${{ github.ref }}" == refs/tags/* ]]; then
+            ALLOW_FORK_RELEASE=true
+          fi
+          echo "allow_fork_release=$ALLOW_FORK_RELEASE" >> $GITHUB_OUTPUT

  argocd-image-provenance:
-    needs: [argocd-image]
+    needs: [setup-variables, argocd-image]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
-      image: quay.io/argoproj/argocd
+      image: ${{ needs.setup-variables.outputs.provenance_image }}
      digest: ${{ needs.argocd-image.outputs.image-digest }}
    secrets:
      registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
@ -91,15 +123,15 @@ jobs:
      - argocd-image-provenance
    permissions:
      contents: write # used for uploading assets
-    if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-22.04
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    runs-on: ubuntu-24.04
    env:
      GORELEASER_MAKE_LATEST: ${{ needs.setup-variables.outputs.is_latest_release }}
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -108,7 +140,7 @@ jobs:
        run: git fetch --force --tags

      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false
@ -134,15 +166,17 @@ jobs:
          tool-cache: false

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
        id: run-goreleaser
        with:
-          version: latest
+          version: v2.14.3
          args: release --clean --timeout 55m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }}
          GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}
+          # Used to determine the current repository in the goreleaser config to display correct manifest links
+          GORELEASER_CURRENT_REPOSITORY: ${{ github.repository }}

      - name: Generate subject for provenance
        id: hash
@ -159,12 +193,12 @@ jobs:
          echo "hashes=$hashes" >> $GITHUB_OUTPUT

  goreleaser-provenance:
-    needs: [goreleaser]
+    needs: [goreleaser, setup-variables]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
@ -177,21 +211,27 @@ jobs:
    needs:
      - argocd-image
      - goreleaser
+      - setup-variables
    permissions:
      contents: write # Needed for release uploads
    outputs:
      hashes: ${{ steps.sbom-hash.outputs.hashes }}
-    if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-22.04
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

+      - name: Install pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          package_json_file: ui/package.json
+
      - name: Setup Golang
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GOLANG_VERSION }}
          cache: false
@ -203,28 +243,37 @@ jobs:
          SPDX_GEN_VERSION: v0.0.13
          # defines the sigs.k8s.io/bom version to use.
          SIGS_BOM_VERSION: v0.2.1
-          # comma delimited list of project relative folders to inspect for package
-          # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: '.,./ui'
          # full qualified name of the docker image to be inspected
-          DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
+          DOCKER_IMAGE: ${{ needs.setup-variables.outputs.quay_image_name }}
        run: |
-          yarn install --cwd ./ui
+          set -euo pipefail
+          pnpm install --dir ./ui --frozen-lockfile
          go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
          go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION

-          # Generate SPDX for project dependencies analyzing package managers
-          for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g")
-          do
-            generator -p $folder -o /tmp
-          done
+          generator -p . -o /tmp

-          # Generate SPDX for binaries analyzing the docker image
-          if [[ ! -z $DOCKER_IMAGE ]]; then
-            bom generate -o /tmp/bom-docker-image.spdx -i $DOCKER_IMAGE
+          # When ui/ should use in-repo pnpm for `pnpm sbom` (11+):
+          #   1. In ui/package.json set "packageManager" to a pnpm 11+ release (e.g. pnpm@11.0.0), then from ./ui run
+          #      `pnpm install` and commit the resulting ui/pnpm-lock.yaml so release CI's pnpm/action-setup matches.
+          #   2. Delete hack/generate-ui-pnpm-sbom.sh and remove the ./hack/generate-ui-pnpm-sbom.sh line below.
+          #   3. Uncomment:
+          # pnpm --dir ./ui sbom --sbom-format spdx --prod > /tmp/bom-ui-pnpm.spdx.json
+          ./hack/generate-ui-pnpm-sbom.sh --write /tmp/bom-ui-pnpm.spdx.json
+
+          if [[ -n "${DOCKER_IMAGE:-}" ]]; then
+            bom generate -o /tmp/bom-docker-image.spdx -i "${DOCKER_IMAGE}"
          fi

-          cd /tmp && tar -zcf sbom.tar.gz *.spdx
+          cd /tmp
+          shopt -s nullglob
+          spdx_files=( *.spdx )
+          shopt -u nullglob
+          if [[ ${#spdx_files[@]} -eq 0 ]]; then
+            echo "No .spdx files produced under /tmp"
+            exit 1
+          fi
+          tar -zcf sbom.tar.gz "${spdx_files[@]}" bom-ui-pnpm.spdx.json

      - name: Generate SBOM hash
        shell: bash
@ -236,7 +285,7 @@ jobs:
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload SBOM
-        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@ -244,12 +293,12 @@ jobs:
            /tmp/sbom.tar.gz

  sbom-provenance:
-    needs: [generate-sbom]
+    needs: [generate-sbom, setup-variables]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write #  Needed for release uploads
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
@ -266,13 +315,13 @@ jobs:
    permissions:
      contents: write # Needed to push commit to update stable tag
      pull-requests: write # Needed to create PR for VERSION update.
-    if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-22.04
+    if: github.repository == 'argoproj/argo-cd' || needs.setup-variables.outputs.allow_fork_release == 'true'
+    runs-on: ubuntu-24.04
    env:
      TAG_STABLE: ${{ needs.setup-variables.outputs.is_latest_release }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -316,7 +365,7 @@ jobs:
        if: ${{ env.UPDATE_VERSION == 'true' }}

      - name: Create PR to update VERSION on master branch
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          commit-message: Bump version in master
          title: 'chore: Bump version in master'
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@ -7,32 +7,56 @@ on:
 permissions:
  contents: read

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+  
 jobs:
  renovate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    if: github.repository == 'argoproj/argo-cd'
    steps:
+      - name: Harden the runner (Block unknown outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: block
+          disable-sudo-and-containers: "false" # renovatebot runs in `docker run`
+          allowed-endpoints: >
+            github.com:443
+            api.github.com:443
+            raw.githubusercontent.com:443
+            release-assets.githubusercontent.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            hub.docker.com:443
+            proxy.golang.org:443
+            nodejs.org:443
+            pypi.org:443
+            get.helm.sh
+            registry.npmjs.org
+
      - name: Get token
        id: get_token
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
        with:
          app-id: ${{ vars.RENOVATE_APP_ID }}
          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}

      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
-
-      # Some codegen commands require Go to be setup
-      - name: Setup Golang
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          # renovate: datasource=golang-version packageName=golang
-          go-version: 1.25.6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2

+      # Renovate do not pin their docker image versions to SHA, so
+      # when bumping renovate action version please check if renovate image
+      # has been updated (see it's numeric version in action.yaml)
+      # and update `renovate-version` parameter accordingly
      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@f8af9272cd94a4637c29f60dea8731afd3134473 #43.0.12
+        uses: renovatebot/github-action@83ec54fee49ab67d9cd201084c1ff325b4b462e4 #46.1.10
        with:
          configurationFile: .github/configs/renovate-config.js
          token: '${{ steps.get_token.outputs.token }}'
+          renovate-image: "ghcr.io/renovatebot/renovate@sha256"
+          renovate-version: "5dfeab680f40edd2713b8fcae574824e60d2c831b8d89cc965e51621894c7084" #43
        env:
          LOG_LEVEL: 'debug'
          RENOVATE_REPOSITORIES: '${{ github.repository }}'
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@ -17,7 +17,7 @@ permissions: read-all
 jobs:
  analysis:
    name: Scorecards analysis
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
@ -29,13 +29,19 @@ jobs:
    if: github.repository == 'argoproj/argo-cd'

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
      - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
@ -54,7 +60,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: SARIF file
          path: results.sarif
@ -62,6 +68,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # v2.17.2
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          sarif_file: results.sarif
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@ -0,0 +1,46 @@
+name: "Label stale issues and PRs"
+on:
+  schedule:
+    - cron: "0 0 * * *" #Runs midnight 12AM UTC
+
+#Added Recommended permissions
+permissions:
+  issues: write
+  pull-requests: write
+
+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+  
+jobs:
+  stale:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden the runner (Block unknown outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: block
+          disable-sudo-and-containers: "true"
+          allowed-endpoints: >
+            api.github.com:443
+
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+          stale-issue-message: >
+            This issue has been marked as stale because it has had no activity for 90 days. Please comment if this is still relevant.
+
+          stale-pr-message: >
+            This pull request has been marked as stale because it has had no activity for 90 days. Please comment if this is still relevant.
+
+          days-before-stale: 90
+          days-before-close: -1   # Auto-close diabled
+
+          exempt-issue-labels: >
+            bug, security, breaking/high, breaking/medium, breaking/low
+
+          # General configuration
+          operations-per-run: 200
+          remove-stale-when-updated: true #Remove stale label when issue/pr is updated
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@ -7,6 +7,10 @@ on:
 permissions:
  contents: read

+env:
+  # a workaround to disable harden runner
+  STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
+
 jobs:
  snyk-report:
    permissions:
@ -14,10 +18,16 @@ jobs:
      pull-requests: write
    if: github.repository == 'argoproj/argo-cd'
    name: Update Snyk report in the docs directory
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        if: ${{ vars.disable_harden_runner != 'true' }}
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+          agent-enabled: "false"
      - name: Checkout code
-        uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build reports
--- a/.gitignore
+++ b/.gitignore
@ -16,6 +16,8 @@ coverage.out
 test-results
 .scannerwork
 .scratch
+# pnpm SBOM helper (hack/generate-ui-pnpm-sbom.sh) download cache — remove this line when that script is deleted.
+hack/.cache/
 node_modules/
 .kube/
 ./test/cmp/*.sock
@ -24,6 +26,9 @@ node_modules/
 .*.swp
 rerunreport.txt

+# AI tools support
+CLAUDE.local.md
+
 # ignore built binaries
 cmd/argocd/argocd
 cmd/argocd-application-controller/argocd-application-controller
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -22,6 +22,8 @@ linters:
    - govet
    - importas
    - misspell
+    - modernize
+    - noctx
    - perfsprint
    - revive
    - staticcheck
@ -120,6 +122,13 @@ linters:
        - pkg: github.com/argoproj/argo-cd/v3/util/io
          alias: utilio

+    modernize:
+      disable:
+        # Suggest replacing omitempty with omitzero for struct fields.
+        - omitzero
+        # Simplify code by using go1.26's new(expr). - generates lots of false positives.
+        - newexpr
+
    nolintlint:
      require-specific: true

@ -136,16 +145,19 @@ linters:
      strconcat: true

    revive:
+      enable-all-rules: false
+      enable-default-rules: true
+      max-open-files: 2048
      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md
      rules:
-        - name: bool-literal-in-expr
-
        - name: blank-imports
          disabled: true

+        - name: bool-literal-in-expr
+
        - name: context-as-argument
          arguments:
-            - allowTypesBefore: '*testing.T,testing.TB'
+            - allow-types-before: '*testing.T,testing.TB'

        - name: context-keys-type
          disabled: true
@ -157,14 +169,11 @@ linters:

        - name: early-return
          arguments:
-            - preserveScope
+            - preserve-scope

        - name: empty-block
          disabled: true

-        - name: error-naming
-          disabled: true
-
        - name: error-return

        - name: error-strings
@ -172,6 +181,9 @@ linters:

        - name: errorf

+        - name: exported
+          disabled: true
+
        - name: identical-branches

        - name: if-return
@ -180,7 +192,7 @@ linters:

        - name: indent-error-flow
          arguments:
-            - preserveScope
+            - preserve-scope

        - name: modifies-parameter

@ -197,7 +209,7 @@ linters:

        - name: superfluous-else
          arguments:
-            - preserveScope
+            - preserve-scope

        - name: time-equal

@ -207,6 +219,8 @@ linters:
        - name: unexported-return
          disabled: true

+        - name: unnecessary-format
+
        - name: unnecessary-stmt

        - name: unreachable-code
@ -223,8 +237,8 @@ linters:
          arguments:
            - - ID
            - - VM
-            - - skipPackageNameChecks: true
-                upperCaseConst: true
+            - - skip-initialism-name-checks: true
+                upper-case-const: true

    staticcheck:
      checks:
@ -246,7 +260,4 @@ linters:
    usetesting:
      os-mkdir-temp: false

-output:
-  show-stats: false
-
 version: "2"
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -66,14 +66,14 @@ release:

    ```shell
    kubectl create namespace argocd
-    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/install.yaml
+    kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/{{.Tag}}/manifests/install.yaml
    ```

    ### HA:

    ```shell
    kubectl create namespace argocd
-    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/ha/install.yaml
+    kubectl apply -n argocd --server-side --force-conflicts -f https://raw.githubusercontent.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/{{.Tag}}/manifests/ha/install.yaml
    ```

    ## Release Signatures and Provenance
@ -87,7 +87,7 @@ release:

    If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.
  footer: |
-    **Full Changelog**: https://github.com/argoproj/argo-cd/compare/{{ .PreviousTag }}...{{ .Tag }}
+    **Full Changelog**: https://github.com/{{ .Env.GORELEASER_CURRENT_REPOSITORY }}/compare/{{ .PreviousTag }}...{{ .Tag }}

    <a href="https://argoproj.github.io/cd/"><img src="https://raw.githubusercontent.com/argoproj/argo-site/master/content/pages/cd/gitops-cd.png" width="25%" ></a>

--- a/.mockery.yaml
+++ b/.mockery.yaml
@ -1,11 +1,6 @@
 dir: '{{.InterfaceDir}}/mocks'
-structname: '{{.InterfaceName}}'
 filename: '{{.InterfaceName}}.go'
-pkgname: mocks
-
-template-data:
-  unroll-variadic: true
-
+include-auto-generated: true # Needed since mockery 3.6.1
 packages:
  github.com/argoproj/argo-cd/v3/applicationset/generators:
    interfaces:
@ -14,11 +9,10 @@ packages:
    interfaces:
      Repos: {}
  github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider:
-    config:
-      dir: applicationset/services/scm_provider/aws_codecommit/mocks
    interfaces:
      AWSCodeCommitClient: {}
      AWSTaggingClient: {}
+      AzureDevOpsClientFactory: {}
  github.com/argoproj/argo-cd/v3/applicationset/utils:
    interfaces:
      Renderer: {}
@ -38,6 +32,9 @@ packages:
  github.com/argoproj/argo-cd/v3/pkg/apiclient/cluster:
    interfaces:
      ClusterServiceServer: {}
+  github.com/argoproj/argo-cd/v3/pkg/apiclient/project:
+    interfaces:
+      ProjectServiceClient: {}
  github.com/argoproj/argo-cd/v3/pkg/apiclient/session:
    interfaces:
      SessionServiceClient: {}
@ -47,9 +44,9 @@ packages:
      AppProjectInterface: {}
  github.com/argoproj/argo-cd/v3/reposerver/apiclient:
    interfaces:
-      RepoServerService_GenerateManifestWithFilesClient: {}
      RepoServerServiceClient: {}
-  github.com/argoproj/argo-cd/v3/server/application:
+      RepoServerService_GenerateManifestWithFilesClient: {}
+  github.com/argoproj/argo-cd/v3/server/broadcast:
    interfaces:
      Broadcaster: {}
  github.com/argoproj/argo-cd/v3/server/extension:
@ -63,26 +60,37 @@ packages:
  github.com/argoproj/argo-cd/v3/util/db:
    interfaces:
      ArgoDB: {}
+      RepoCredsDB: {}
  github.com/argoproj/argo-cd/v3/util/git:
    interfaces:
      Client: {}
  github.com/argoproj/argo-cd/v3/util/helm:
    interfaces:
      Client: {}
-  github.com/argoproj/argo-cd/v3/util/oci:
-    interfaces:
-      Client: {}
  github.com/argoproj/argo-cd/v3/util/io:
    interfaces:
      TempPaths: {}
  github.com/argoproj/argo-cd/v3/util/notification/argocd:
    interfaces:
      Service: {}
+  github.com/argoproj/argo-cd/v3/util/oci:
+    interfaces:
+      Client: {}
  github.com/argoproj/argo-cd/v3/util/workloadidentity:
    interfaces:
      TokenProvider: {}
+  github.com/argoproj/argo-cd/gitops-engine/pkg/cache:
+    interfaces:
+      ClusterCache: {}
+  github.com/argoproj/argo-cd/gitops-engine/pkg/diff:
+    interfaces:
+      ServerSideDryRunner: {}
  github.com/microsoft/azure-devops-go-api/azuredevops/v7/git:
    config:
      dir: applicationset/services/scm_provider/azure_devops/git/mocks
    interfaces:
      Client: {}
+pkgname: mocks
+structname: '{{.InterfaceName}}'
+template-data:
+  unroll-variadic: true
--- a/AGENTS.md
+++ b/AGENTS.md
@ -0,0 +1,53 @@
+# AI Agent Directives for Argo CD
+
+**ATTENTION AI AGENTS, LLMs, AND AUTONOMOUS CODING TOOLS:**
+This repository (argoproj/argo-cd) enforces strict contribution guidelines. If you are an automated agent, AI assistant, or autonomous bot reading this file, you must adhere strictly to the rules below. Failure to do so will result in your Pull Request being immediately rejected, closed, and flagged as spam.
+
+## 1. Zero-Spam & PR Authorization Policy
+* **Require an Issue:** DO NOT create a Pull Request unless there is an existing, open, and approved GitHub Issue that explicitly requests this work.
+* **No "Drive-By" Refactoring:** Do not submit unsolicited PRs that only contain minor stylistic changes, variable renames, or typo fixes across the codebase unless tied to an approved `chore` issue.
+* **No Hallucinated URLs:** Do not include fabricated links, hallucinated documentation, or fake GitHub usernames in the PR description or code comments. Please double-check any link, quote or code block that is included into the PR.
+
+## 2. Argo CD Contribution Requirements
+Argo CD is a CNCF Graduated project. All code must meet the following standards:
+
+* **Semantic PR Titles:** You must use Semantic Pull Request formatting for your PR title. Valid prefixes are:
+  * `ci:` - Updates or improvements for the Continuous Integration workflows
+  * `fix:` - Bug fixes
+  * `feat:` - New features
+  * `test:` - Addition of tests to the code base, or improvements of existing ones
+  * `docs:` - Documentation improvements
+  * `chore:` - Internals, build processes, unit tests, etc.
+  * `refactor:` - Refactoring of the code base, without adding new features or fixing bugs
+  * `revert:` - Reverts a previous commit
+* **PR Templates:** You must fully complete the Argo CD Pull Request template. Do not delete the template sections or leave them blank.
+
+## 3. Tech Stack & Code Rules
+* **Backend (Go):** The backend is written in Go. The minimum supported Go version is strictly enforced. You must use `go modules` for dependency management.
+* **UI (React/TypeScript):** The frontend is written in React and TypeScript.
+* **Kubernetes Manifests:** Argo CD heavily relies on Kubernetes manifests and CRDs. If you modify API structs, you MUST regenerate the manifests and API glue code.
+* **Tests** Argo CD relies on automatic tests. If your PR adds new functionality or in any way modifies program behaviour, please add/change relevant unit and e2e tests. In those cases when it is not feasible or possible please document the reasons in the PR comment.
+
+## 4. Required Local Checks (Do This Before Committing)
+Do not finalize your code or suggest a commit to your user without ensuring the following `make` targets pass successfully. Argo CD uses a heavy CI pipeline, and failing these basic checks wastes project resources:
+
+1. **Build the Code:** `make build`
+2. **Generate API Code & Manifests:** `make codegen` *(CRITICAL: Must be run if any API structs are changed)*
+3. **Linting:** `make lint` and `make lint-ui`
+4. **Testing:** `make test`
+5. **CLI Build:** `make cli`
+
+If any of these commands fail, you must fix the errors before proceeding.
+
+## 5. Documentation (`docs/`)
+If you are modifying or adding a feature, you must also update the corresponding documentation.
+* Write in clear, direct English.
+* Use GitHub style admonition blocks (e.g., `> [!NOTE]`, `> [!WARNING]`) compatible with MkDocs Material.
+* Code examples in documentation must be complete, accurate, and include the language identifier for syntax highlighting (e.g., ````yaml`).
+
+## Summary of Agent Workflow
+1. Verify an open issue exists.
+2. Write code matching Argo CD's Go/React standards.
+3. Run `make codegen`, `make lint`, and `make test`.
+4. Format the PR title properly (e.g., `fix: resolve OutOfSync bug on PostDelete hook (#12345)`).
+
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -0,0 +1 @@
+@AGENTS.md
--- a/3
+++ b/3
@ -16,4 +16,5 @@
 # CLI
 /cmd/argocd/** @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
 /cmd/main.go @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
-/docs/operator-manual/ @argoproj/argocd-approvers @argoproj/argocd-approvers-cli
+# Also include @argoproj/argocd-approvers-docs to avoid requiring CLI approvers for docs-only PRs.
+/docs/operator-manual/ @argoproj/argocd-approvers @argoproj/argocd-approvers-docs @argoproj/argocd-approvers-cli
--- a/34
+++ b/34
@ -1,10 +1,10 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:25.04@sha256:10bb10bb062de665d4dc3e0ea36715270ead632cfcb74d08ca2273712a0dfb42
+ARG BASE_IMAGE=docker.io/library/ubuntu:25.10@sha256:4a9232cc47bf99defcc8860ef6222c99773330367fcecbf21ba2edb0b810a31e
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.25.6@sha256:fc24d3881a021e7b968a4610fc024fba749f98fe5c07d4f28e6cfa14dc65a84c AS builder
+FROM docker.io/library/golang:1.26.2@sha256:5f3787b7f902c07c7ec4f3aa91a301a3eda8133aa32661a3b3a3a86ab3a68a36 AS builder

 WORKDIR /tmp

@ -16,7 +16,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
    unzip \
    fcgiwrap \
    git \
-    git-lfs \
    make \
    wget \
    gcc \
@ -29,7 +28,8 @@ COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers

 RUN ./install.sh helm && \
-    INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+    INSTALL_PATH=/usr/local/bin ./install.sh kustomize && \
+    ./install.sh git-lfs

 ####################################################################################################
 # Argo CD Base - used as the base for both the release and dev argocd images
@ -50,10 +50,10 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
    chmod g=u /home/argocd && \
    apt-get update && \
    apt-get dist-upgrade -y && \
-    apt-get install -y \
-    git git-lfs tini gpg tzdata connect-proxy && \
+    apt-get install --no-install-recommends -y \
+    git tini ca-certificates gpg gpg-agent tzdata connect-proxy openssh-client && \
    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*

 COPY hack/gpg-wrapper.sh \
    hack/git-verify-wrapper.sh \
@ -61,6 +61,7 @@ COPY hack/gpg-wrapper.sh \
    /usr/local/bin/
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
+COPY --from=builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs

 # keep uid_entrypoint.sh for backward compatibility
 RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh
@ -79,35 +80,42 @@ RUN mkdir -p tls && \

 ENV USER=argocd

+# Disable gRPC service config lookups via DNS TXT records to prevent excessive
+# DNS queries for _grpc_config.<hostname> which can cause timeouts in dual-stack
+# environments. This can be overridden via argocd-cmd-params-cm ConfigMap.
+# See https://github.com/argoproj/argo-cd/issues/24991
+ENV GRPC_ENABLE_TXT_SERVICE_CONFIG=false
+
 USER $ARGOCD_USER_ID
 WORKDIR /home/argocd

 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:23.0.0@sha256:e643c0b70dca9704dff42e12b17f5b719dbe4f95e6392fc2dfa0c5f02ea8044d AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:24.14.1@sha256:80fc934952c8f1b2b4d39907af7211f8a9fff1a4c2cf673fb49099292c251cec AS argocd-ui

 WORKDIR /src
-COPY ["ui/package.json", "ui/yarn.lock", "./"]
+COPY ["ui/package.json", "ui/pnpm-lock.yaml", "./"]

-RUN yarn install --network-timeout 200000 && \
-    yarn cache clean
+RUN npm install -g corepack@0.34.6 && corepack enable && pnpm install --frozen-lockfile

 COPY ["ui/", "."]

 ARG ARGO_VERSION=latest
 ENV ARGO_VERSION=$ARGO_VERSION
 ARG TARGETARCH
-RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
+RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 pnpm build

 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25.6@sha256:fc24d3881a021e7b968a4610fc024fba749f98fe5c07d4f28e6cfa14dc65a84c AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26.2@sha256:5f3787b7f902c07c7ec4f3aa91a301a3eda8133aa32661a3b3a3a86ab3a68a36 AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

 COPY go.* ./
+RUN mkdir -p gitops-engine
+COPY gitops-engine/go.* ./gitops-engine
 RUN go mod download

 # Perform the build
--- a/Dockerfile.tilt
+++ b/Dockerfile.tilt
@ -1,4 +1,4 @@
-FROM docker.io/library/golang:1.25.6@sha256:fc24d3881a021e7b968a4610fc024fba749f98fe5c07d4f28e6cfa14dc65a84c
+FROM docker.io/library/golang:1.26.2@sha256:5f3787b7f902c07c7ec4f3aa91a301a3eda8133aa32661a3b3a3a86ab3a68a36

 ENV DEBIAN_FRONTEND=noninteractive

@ -11,7 +11,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
    unzip \
    fcgiwrap \
    git \
-    git-lfs \
    make \
    wget \
    gcc \
@ -28,7 +27,8 @@ COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers

 RUN ./install.sh helm && \
-    INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+    INSTALL_PATH=/usr/local/bin ./install.sh kustomize && \
+    ./install.sh git-lfs

 COPY hack/gpg-wrapper.sh \
    hack/git-verify-wrapper.sh \
--- a/Dockerfile.ui.tilt
+++ b/Dockerfile.ui.tilt
@ -1,9 +1,10 @@
-FROM node:20
+FROM node:24.14.1@sha256:80fc934952c8f1b2b4d39907af7211f8a9fff1a4c2cf673fb49099292c251cec

 WORKDIR /app/ui

 COPY ui /app/ui

-RUN yarn install --frozen-lockfile
+RUN npm install -g corepack@0.34.6 && corepack enable && pnpm install --frozen-lockfile
+
+ENTRYPOINT ["pnpm", "start"]

-ENTRYPOINT ["yarn", "start"]
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -0,0 +1,43 @@
+# Argo CD Maintainers
+
+This document lists the maintainers of the Argo CD project.
+
+## Maintainers
+
+| Maintainer                | GitHub ID                                               | Project Roles        | Affiliation                                     |
+|---------------------------|---------------------------------------------------------|----------------------|-------------------------------------------------|
+| Zach Aller                | [zachaller](https://github.com/zachaller)               | Reviewer             | [Intuit](https://www.github.com/intuit/)        |
+| Leonardo Luz Almeida      | [leoluz](https://github.com/leoluz)                     | Approver             | [Intuit](https://www.github.com/intuit/)        |
+| Chetan Banavikalmutt      | [chetan-rns](https://github.com/chetan-rns)             | Reviewer             | [Red Hat](https://redhat.com/)                  |
+| Keith Chong               | [keithchong](https://github.com/keithchong)             | Approver             | [Red Hat](https://redhat.com/)                  |
+| Alex Collins              | [alexec](https://github.com/alexec)                     | Approver             | [Intuit](https://www.github.com/intuit/)        |
+| Michael Crenshaw          | [crenshaw-dev](https://github.com/crenshaw-dev)         | Lead                 | [Intuit](https://www.github.com/intuit/)        |
+| Soumya Ghosh Dastidar     | [gdsoumya](https://github.com/gdsoumya)                 | Approver             | [Akuity](https://akuity.io/)                    |
+| Eugene Doudine              | [dudinea](https://github.com/dudinea)                 | Reviewer             | [Octopus Deploy](https://octopus.com/)          |
+| Jann Fischer              | [jannfis](https://github.com/jannfis)                   | Approver             | [Red Hat](https://redhat.com/)                  |
+| Dan Garfield              | [todaywasawesome](https://github.com/todaywasawesome)   | Approver(docs)       | [Octopus Deploy](https://octopus.com/)          |
+| Alexandre Gaudreault      | [agaudreault](https://github.com/agaudreault)           | Approver             | [Intuit](https://www.github.com/intuit/)        |
+| Christian Hernandez       | [christianh814](https://github.com/christianh814)       | Reviewer(docs)       | [Akuity](https://akuity.io/)                    |
+| Peter Jiang               | [pjiang-dev](https://github.com/pjiang-dev)             | Approver(docs)       | [Intuit](https://www.intuit.com/)               |
+| Andrii Korotkov           | [andrii-korotkov](https://github.com/andrii-korotkov)   | Reviewer             | [Verkada](https://www.verkada.com/)             |
+| Pasha Kostohrys           | [pasha-codefresh](https://github.com/pasha-codefresh)   | Approver             | [Octopus Deploy](https://octopus.com/)          |
+| Nitish Kumar              | [nitishfy](https://github.com/nitishfy)                 | Approver(cli,docs)   | [Akuity](https://akuity.io/)                    |
+| Justin Marquis            | [34fathombelow](https://github.com/34fathombelow)       | Approver(docs/ci)    | [Akuity](https://akuity.io/)                    |
+| Alexander Matyushentsev   | [alexmt](https://github.com/alexmt)                     | Lead                 | [Akuity](https://akuity.io/)                    |
+| Nicholas Morey            | [morey-tech](https://github.com/morey-tech)             | Reviewer(docs)       | [Akuity](https://akuity.io/)                    |
+| Papapetrou Patroklos      | [ppapapetrou76](https://github.com/ppapapetrou76)       | Approver(docs,cli)   | [Octopus Deploy](https://octopus.com/)          |
+| Blake Pettersson          | [blakepettersson](https://github.com/blakepettersson)   | Approver             | [Akuity](https://akuity.io/)                    |
+| Ishita Sequeira           | [ishitasequeira](https://github.com/ishitasequeira)     | Approver             | [Red Hat](https://redhat.com/)                  |
+| Ashutosh Singh            | [ashutosh16](https://github.com/ashutosh16)             | Approver(docs)       | [Intuit](https://www.github.com/intuit/)        |
+| Linghao Su                | [linghaoSu](https://github.com/linghaoSu)               | Reviewer             | [DaoCloud](https://daocloud.io)                 |
+| Jesse Suen                | [jessesuen](https://github.com/jessesuen)               | Approver             | [Akuity](https://akuity.io/)                    |
+| Yuan Tang                 | [terrytangyuan](https://github.com/terrytangyuan)       | Reviewer             | [Red Hat](https://redhat.com/)                  |
+| William Tam               | [wtam2018](https://github.com/wtam2018)                 | Reviewer             | [Red Hat](https://redhat.com/)                  |
+| Ryan Umstead              | [rumstead](https://github.com/rumstead)                 | Approver             | [Black Rock](https://www.github.com/blackrock/) |
+| Regina Voloshin           | [reggie-k](https://github.com/reggie-k)                 | Approver             | [Octopus Deploy](https://octopus.com/)          |
+| Hong Wang                 | [wanghong230](https://github.com/wanghong230)           | Reviewer             | [Akuity](https://akuity.io/)                    |
+| Jonathan West             | [jgwest](https://github.com/jgwest)                     | Approver             | [Red Hat](https://redhat.com/)                  |
+| Jaewoo Choi               | [choejwoo](https://github.com/choejwoo)                 | Reviewer             | [Hyundai-Autoever](https://www.hyundai-autoever.com/eng/)        |
+| Alexy Mantha              | [alexymantha](https://github.com/alexymantha)           | Reviewer             | GoTo                                                              |
+| Kanika Rana               | [ranakan19](https://github.com/ranakan19)               | Reviewer             | [Red Hat](https://redhat.com/)                                    |
+| Jonathan Winters          | [jwinters01](https://github.com/jwinters01)             | Reviewer             | [Intuit](https://www.github.com/intuit/)                          |
--- a/123
+++ b/123
@ -56,8 +56,8 @@ endif

 ARGOCD_PROCFILE?=Procfile

-# pointing to python 3.7 to match https://github.com/argoproj/argo-cd/blob/master/.readthedocs.yml
-MKDOCS_DOCKER_IMAGE?=python:3.7-alpine
+# pointing to python 3.12 to match https://github.com/argoproj/argo-cd/blob/master/.readthedocs.yaml
+MKDOCS_DOCKER_IMAGE?=python:3.12-alpine
 MKDOCS_RUN_ARGS?=

 # Configuration for building argocd-test-tools image
@ -74,17 +74,17 @@ ARGOCD_E2E_APISERVER_PORT?=8080
 ARGOCD_E2E_REPOSERVER_PORT?=8081
 ARGOCD_E2E_REDIS_PORT?=6379
 ARGOCD_E2E_DEX_PORT?=5556
-ARGOCD_E2E_YARN_HOST?=localhost
+ARGOCD_E2E_JS_HOST?=localhost
 ARGOCD_E2E_DISABLE_AUTH?=
+ARGOCD_E2E_DIR?=/tmp/argo-e2e

 ARGOCD_E2E_TEST_TIMEOUT?=90m
+ARGOCD_E2E_RERUN_FAILS?=5

 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
 ARGOCD_BIN_MODE?=true

-ARGOCD_LINT_GOGC?=20
-
 # Depending on where we are (legacy or non-legacy pwd), we need to use
 # different Docker volume mounts for our source tree
 LEGACY_PATH=$(GOPATH)/src/github.com/argoproj/argo-cd
@ -113,7 +113,7 @@ define run-in-test-server
 		-e GOCACHE=/tmp/go-build-cache \
 		-e ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 		-e ARGOCD_E2E_TEST=$(ARGOCD_E2E_TEST) \
-		-e ARGOCD_E2E_YARN_HOST=$(ARGOCD_E2E_YARN_HOST) \
+		-e ARGOCD_E2E_JS_HOST=$(ARGOCD_E2E_JS_HOST) \
 		-e ARGOCD_E2E_DISABLE_AUTH=$(ARGOCD_E2E_DISABLE_AUTH) \
 		-e ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} \
 		-e ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} \
@ -144,7 +144,6 @@ define run-in-test-client
 		-e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) \
 		-e GITHUB_TOKEN \
 		-e GOCACHE=/tmp/go-build-cache \
-		-e ARGOCD_LINT_GOGC=$(ARGOCD_LINT_GOGC) \
 		-v ${DOCKER_SRC_MOUNT} \
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
@ -198,19 +197,40 @@ endif

 ifneq (${GIT_TAG},)
 IMAGE_TAG=${GIT_TAG}
-LDFLAGS += -X ${PACKAGE}.gitTag=${GIT_TAG}
+override LDFLAGS += -X ${PACKAGE}.gitTag=${GIT_TAG}
 else
 IMAGE_TAG?=latest
 endif

+# defaults for building images and manifests
 ifeq (${DOCKER_PUSH},true)
 ifndef IMAGE_NAMESPACE
 $(error IMAGE_NAMESPACE must be set to push images (e.g. IMAGE_NAMESPACE=argoproj))
 endif
 endif

+# Consruct prefix for docker image
+# Note: keeping same logic as in hacks/update_manifests.sh
+ifdef IMAGE_REGISTRY
 ifdef IMAGE_NAMESPACE
+IMAGE_PREFIX=${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/
+else
+$(error IMAGE_NAMESPACE must be set when IMAGE_REGISTRY is set (e.g. IMAGE_NAMESPACE=argoproj))
+endif
+else
+ifdef IMAGE_NAMESPACE
+# for backwards compatibility with the old way like IMAGE_NAMESPACE='quay.io/argoproj'
 IMAGE_PREFIX=${IMAGE_NAMESPACE}/
+else
+# Neither namespace nor registry given - apply the default values
+IMAGE_REGISTRY="quay.io"
+IMAGE_NAMESPACE="argoproj"
+IMAGE_PREFIX=${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/
+endif
+endif
+
+ifndef IMAGE_REPOSITORY
+IMAGE_REPOSITORY=argocd
 endif

 .PHONY: all
@ -261,8 +281,12 @@ clidocsgen:
 actionsdocsgen:
 	hack/generate-actions-list.sh

+.PHONY: resourceiconsgen
+resourceiconsgen:
+	hack/generate-icons-typescript.sh
+
 .PHONY: codegen-local
-codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen manifests-local notification-docs notification-catalog
+codegen-local: mod-vendor-local mockgen gogen protogen clientgen openapigen clidocsgen actionsdocsgen resourceiconsgen manifests-local notification-docs notification-catalog
 	rm -rf vendor/

 .PHONY: codegen-local-fast
@ -304,12 +328,11 @@ endif
 .PHONY: manifests-local
 manifests-local:
 	./hack/update-manifests.sh
-
 .PHONY: manifests
 manifests: test-tools-image
-	$(call run-in-test-client,make manifests-local IMAGE_NAMESPACE='${IMAGE_NAMESPACE}' IMAGE_TAG='${IMAGE_TAG}')
-
+	$(call run-in-test-client,make manifests-local IMAGE_REGISTRY='${IMAGE_REGISTRY}' IMAGE_NAMESPACE='${IMAGE_NAMESPACE}' IMAGE_REPOSITORY='${IMAGE_REPOSITORY}' IMAGE_TAG='${IMAGE_TAG}')
 # consolidated binary for cli, util, server, repo-server, controller
+
 .PHONY: argocd-all
 argocd-all: clean-debug
 	CGO_ENABLED=${CGO_FLAG} GOOS=${GOOS} GOARCH=${GOARCH} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
@ -330,7 +353,7 @@ controller:
 build-ui:
 	DOCKER_BUILDKIT=1 $(DOCKER) build -t argocd-ui --platform=$(TARGET_ARCH) --target argocd-ui .
 	find ./ui/dist -type f -not -name gitkeep -delete
-	$(DOCKER) run -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
+	$(DOCKER) run -u $(CONTAINER_UID):$(CONTAINER_GID) -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'

 .PHONY: image
 ifeq ($(DEV_IMAGE), true)
@ -340,23 +363,23 @@ ifeq ($(DEV_IMAGE), true)
 IMAGE_TAG="dev-$(shell git describe --always --dirty)"
 image: build-ui
 	DOCKER_BUILDKIT=1 $(DOCKER) build --platform=$(TARGET_ARCH) -t argocd-base --target argocd-base .
-	CGO_ENABLED=${CGO_FLAG} GOOS=linux GOARCH=amd64 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
+	GOOS=linux GOARCH=$(TARGET_ARCH:linux/%=%) GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-application-controller
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-repo-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-cmp-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-dex
 	cp Dockerfile.dev dist
-	DOCKER_BUILDKIT=1 $(DOCKER) build --platform=$(TARGET_ARCH) -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
+	DOCKER_BUILDKIT=1 $(DOCKER) build --platform=$(TARGET_ARCH) -t $(IMAGE_PREFIX)$(IMAGE_REPOSITORY):$(IMAGE_TAG) -f dist/Dockerfile.dev dist
 else
 image:
-	DOCKER_BUILDKIT=1 $(DOCKER) build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) --platform=$(TARGET_ARCH) .
+	DOCKER_BUILDKIT=1 $(DOCKER) build -t $(IMAGE_PREFIX)$(IMAGE_REPOSITORY):$(IMAGE_TAG) --platform=$(TARGET_ARCH) .
 endif
-	@if [ "$(DOCKER_PUSH)" = "true" ] ; then $(DOCKER) push $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) ; fi
+	@if [ "$(DOCKER_PUSH)" = "true" ] ; then $(DOCKER) push $(IMAGE_PREFIX)$(IMAGE_REPOSITORY):$(IMAGE_TAG) ; fi

 .PHONY: armimage
 armimage:
-	$(DOCKER) build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG)-arm .
+	$(DOCKER) build -t $(IMAGE_PREFIX)(IMAGE_REPOSITORY):$(IMAGE_TAG)-arm .

 .PHONY: builder-image
 builder-image:
@ -388,9 +411,7 @@ lint: test-tools-image
 .PHONY: lint-local
 lint-local:
 	golangci-lint --version
-	# NOTE: If you get a "Killed" OOM message, try reducing the value of GOGC
-	# See https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
-	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --fix --verbose
+	golangci-lint run --fix --verbose

 .PHONY: lint-ui
 lint-ui: test-tools-image
@ -398,7 +419,7 @@ lint-ui: test-tools-image

 .PHONY: lint-ui-local
 lint-ui-local:
-	cd ui && yarn lint
+	cd ui && pnpm lint

 # Build all Go code
 .PHONY: build
@ -422,12 +443,24 @@ test: test-tools-image

 # Run all unit tests (local version)
 .PHONY: test-local
-test-local:
+test-local: test-gitops-engine
+# run if TEST_MODULE is empty or does not point to gitops-engine tests
+ifneq ($(if $(TEST_MODULE),,ALL)$(filter-out github.com/argoproj/argo-cd/gitops-engine% ./gitops-engine%,$(TEST_MODULE)),)
 	if test "$(TEST_MODULE)" = ""; then \
 		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results"; \
 	else \
 		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results" "$(TEST_MODULE)"; \
 	fi
+endif
+
+# Run gitops-engine unit tests
+.PHONY: test-gitops-engine
+test-gitops-engine:
+# run if TEST_MODULE is empty or points to gitops-engine tests
+ifneq ($(if $(TEST_MODULE),,ALL)$(filter github.com/argoproj/argo-cd/gitops-engine% ./gitops-engine%,$(TEST_MODULE)),)
+	mkdir -p $(PWD)/test-results
+	cd gitops-engine && go test -race -cover ./... -args -test.gocoverdir="$(PWD)/test-results"
+endif

 .PHONY: test-race
 test-race: test-tools-image
@ -454,7 +487,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"
+	ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=$${ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS:-true}  DIST_DIR=${DIST_DIR} RERUN_FAILS=$(ARGOCD_E2E_RERUN_FAILS) PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_CONFIG_DIR=$(HOME)/.config/argocd-e2e ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v -args -test.gocoverdir="$(PWD)/test-results"

 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@ -478,13 +511,13 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	kubectl create ns argocd-e2e-external || true
 	kubectl create ns argocd-e2e-external-2 || true
 	kubectl config set-context --current --namespace=argocd-e2e
-	kustomize build test/manifests/base | kubectl apply -f -
+	kustomize build test/manifests/base | kubectl apply --server-side --force-conflicts -f -
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management/api/a6845f2ebcb186ec26b832f60c988537a58f3859/cluster/v1alpha1/0000_04_clusters.open-cluster-management.io_placementdecisions.crd.yaml
 	# Create GPG keys and source directories
-	if test -d /tmp/argo-e2e/app/config/gpg; then rm -rf /tmp/argo-e2e/app/config/gpg/*; fi
-	mkdir -p /tmp/argo-e2e/app/config/gpg/keys && chmod 0700 /tmp/argo-e2e/app/config/gpg/keys
-	mkdir -p /tmp/argo-e2e/app/config/gpg/source && chmod 0700 /tmp/argo-e2e/app/config/gpg/source
-	mkdir -p /tmp/argo-e2e/app/config/plugin && chmod 0700 /tmp/argo-e2e/app/config/plugin
+	if test -d $(ARGOCD_E2E_DIR)/app/config/gpg; then rm -rf $(ARGOCD_E2E_DIR)/app/config/gpg/*; fi
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/gpg/keys && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/gpg/keys
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/gpg/source && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/gpg/source
+	mkdir -p $(ARGOCD_E2E_DIR)/app/config/plugin && chmod 0700 $(ARGOCD_E2E_DIR)/app/config/plugin
 	# create folders to hold go coverage results for each component
 	mkdir -p /tmp/coverage/app-controller
 	mkdir -p /tmp/coverage/api-server
@ -493,13 +526,15 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	mkdir -p /tmp/coverage/notification
 	mkdir -p /tmp/coverage/commit-server
 	# set paths for locally managed ssh known hosts and tls certs data
-	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
-	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
-	ARGOCD_GPG_DATA_PATH=/tmp/argo-e2e/app/config/gpg/source \
-	ARGOCD_GNUPGHOME=/tmp/argo-e2e/app/config/gpg/keys \
+	ARGOCD_E2E_DIR=$(ARGOCD_E2E_DIR) \
+	ARGOCD_SSH_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/ssh \
+	ARGOCD_TLS_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/tls \
+	ARGOCD_GPG_DATA_PATH=$(ARGOCD_E2E_DIR)/app/config/gpg/source \
+	ARGOCD_GNUPGHOME=$(ARGOCD_E2E_DIR)/app/config/gpg/keys \
 	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
-	ARGOCD_PLUGINCONFIGFILEPATH=/tmp/argo-e2e/app/config/plugin \
-	ARGOCD_PLUGINSOCKFILEPATH=/tmp/argo-e2e/app/config/plugin \
+	ARGOCD_PLUGINCONFIGFILEPATH=$(ARGOCD_E2E_DIR)/app/config/plugin \
+	ARGOCD_PLUGINSOCKFILEPATH=$(ARGOCD_E2E_DIR)/app/config/plugin \
+	ARGOCD_GIT_CONFIG=$(PWD)/test/e2e/fixture/gitconfig \
 	ARGOCD_E2E_DISABLE_AUTH=false \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
@ -576,7 +611,7 @@ build-docs-local:

 .PHONY: build-docs
 build-docs:
-	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install mkdocs; pip install $$(mkdocs get-deps); mkdocs build'
+	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'

 .PHONY: serve-docs-local
 serve-docs-local:
@ -584,7 +619,7 @@ serve-docs-local:

 .PHONY: serve-docs
 serve-docs:
-	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install mkdocs; pip install $$(mkdocs get-deps); mkdocs serve -a $$(ip route get 1 | awk '\''{print $$7}'\''):8000'
+	$(DOCKER) run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs -w /docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs serve -a $$(ip route get 1 | awk '\''{print $$7}'\''):8000'

 # Verify that kubectl can connect to your K8s cluster from Docker
 .PHONY: verify-kube-connect
@ -629,15 +664,15 @@ dep-ui: test-tools-image

 .PHONY: dep-ui-local
 dep-ui-local:
-	cd ui && yarn install --frozen-lockfile
+	cd ui && pnpm install --frozen-lockfile

-.PHONY: run-yarn
-run-yarn: test-tools-image
-	$(call run-in-test-client,make 'YARN_COMMAND=$(YARN_COMMAND)' run-yarn-local)
+.PHONY: run-pnpm
+run-pnpm: test-tools-image
+	$(call run-in-test-client,make 'PNPM_COMMAND=$(PNPM_COMMAND)' run-pnpm-local)

-.PHONY: run-yarn-local
-run-yarn-local:
-	cd ui && yarn $(YARN_COMMAND)
+.PHONY: run-pnpm-local
+run-pnpm-local:
+	cd ui && pnpm $(PNPM_COMMAND)

 start-test-k8s:
 	go run ./hack/k8s
--- a/12
+++ b/12
@ -1,14 +1,14 @@
 controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --commit-server localhost:${ARGOCD_E2E_COMMITSERVER_PORT:-8086} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
 api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
-dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v3/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
+dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v3/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex:v2.45.0" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
 redis: hack/start-redis-with-password.sh
-repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "export PATH=\$(pwd)/dist:\$PATH && [ -n \"\$ARGOCD_GIT_CONFIG\" ] && export GIT_CONFIG_GLOBAL=\$ARGOCD_GIT_CONFIG && export GIT_CONFIG_NOSYSTEM=1; GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 commit-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/commit-server} FORCE_LOG_COLORS=1 ARGOCD_BINARY_NAME=argocd-commit-server $COMMAND --loglevel debug --port ${ARGOCD_E2E_COMMITSERVER_PORT:-8086}"
-ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
+ui: sh -c 'cd ui && ${ARGOCD_E2E_PNPM_CMD:-pnpm} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 oci-registry: test/fixture/testrepos/start-authenticated-helm-registry.sh
-dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
+dev-mounter: [ "$ARGOCD_E2E_TEST" != "true" ] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
+applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/applicationset-controller} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=${ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS:-true} $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/notification} FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
--- a/README.md
+++ b/README.md
@ -13,12 +13,13 @@
 [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
 [![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
 [![LinkedIn](https://img.shields.io/badge/LinkedIn-argoproj-blue.svg?logo=linkedin)](https://www.linkedin.com/company/argoproj/)
+[![Bluesky](https://img.shields.io/badge/Bluesky-argoproj-blue.svg?style=social&logo=bluesky)](https://bsky.app/profile/argoproj.bsky.social)

 # Argo CD - Declarative Continuous Delivery for Kubernetes

 ## What is Argo CD?

-Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
+Argo CD is a declarative GitOps continuous delivery tool for Kubernetes.

 ![Argo CD UI](docs/assets/argocd-ui.gif)

@ -44,7 +45,7 @@ Check live demo at https://cd.apps.argoproj.io/.

 You can reach the Argo CD community and developers via the following channels:

-* Q & A : [Github Discussions](https://github.com/argoproj/argo-cd/discussions)
+* Q & A : [GitHub Discussions](https://github.com/argoproj/argo-cd/discussions)
 * Chat : [The #argo-cd Slack channel](https://argoproj.github.io/community/join-slack)
 * Contributors Office Hours: [Every Thursday](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8)
 * User Community meeting: [First Wednesday of the month](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1ttgw98MO45Dq7ZUHpIiOIEfbyeitKHNfMjbY5dLLMKQ)
--- a/SECURITY-INSIGHTS.yml
+++ b/SECURITY-INSIGHTS.yml
@ -3,9 +3,9 @@ header:
  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
  last-updated: '2023-10-27'
  last-reviewed: '2023-10-27'
-  commit-hash: 320f46f06beaf75f9c406e3a47e2e09d36e2047a
+  commit-hash: d91a2ab3bf1b1143fb273fa06f54073fc78f41f1
  project-url: https://github.com/argoproj/argo-cd
-  project-release: v3.2.0
+  project-release: v3.5.0
  changelog: https://github.com/argoproj/argo-cd/releases
  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
 project-lifecycle:
--- a/SECURITY.md
+++ b/SECURITY.md
@ -48,6 +48,23 @@ otherwise very intrusive, and there's a workaround available, we may decide to
 provide a forward-fix only, e.g. to be released the next minor release, instead
 of releasing it within a patch branch for the currently supported releases.

+## Dependency Upgrade Policy
+
+Argo CD relies on certain binaries and libraries that might appear in security scanners.
+
+Upgrading certain dependencies, such as Helm, Kustomize, and git, may have negative impacts
+on users, as they may include breaking changes or changes in behavior. For this reason,
+we will only upgrade to new patch versions within the same minor version series within
+a supported Argo CD version. For example, if we are currently on Helm 3.12.0 and Argo CD
+3.4.0, we will only upgrade to Helm 3.12.x within Argo CD 3.4.x, and not to Helm 3.13.0 
+or later.
+
+If there is a critical, _exploitable_ vulnerability in a dependency that will not be fixed
+in a patch release, we will evaluate the impact of the vulnerability and the risk of not
+upgrading the dependency. We ask that, if you believe a version bump is justified, please
+open an issue _describing how the vulnerability is exploitable in the context of Argo CD_,
+and we will evaluate it and decide whether or not to upgrade the dependency.
+
 ## Reporting a Vulnerability

 If you find a security related bug in Argo CD, we kindly ask you for responsible
@ -63,24 +80,7 @@ We will publish security advisories using the
 feature to keep our community well-informed, and will credit you for your
 findings (unless you prefer to stay anonymous, of course).

-There are two ways to report a vulnerability to the Argo CD team:
-
-* By opening a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new
-* By e-mail to the following address: cncf-argo-security@lists.cncf.io
-
-## Internet Bug Bounty collaboration
-
-We're happy to announce that the Argo project is collaborating with the great
-folks over at
-[Hacker One](https://hackerone.com/) and their
-[Internet Bug Bounty program](https://hackerone.com/ibb)
-to reward the awesome people who find security vulnerabilities in the four
-main Argo projects (CD, Events, Rollouts and Workflows) and then work with
-us to fix and disclose them in a responsible manner.
-
-If you report a vulnerability to us as outlined in this security policy, we
-will work together with you to find out whether your finding is eligible for
-claiming a bounty, and also on how to claim it.
+To report a vulnerability to the Argo CD team a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new

 ## Securing your Argo CD Instance

--- a/34
+++ b/34
@ -1,6 +1,10 @@
 load('ext://restart_process', 'docker_build_with_restart')
 load('ext://uibutton', 'cmd_button', 'location')

+# tilt version should be >= v0.37.0 for k8s_server_side_apply tilt-dev/tilt#6680
+update_settings(
+  k8s_server_side_apply="true",
+)
 # add ui button in web ui to run make codegen-local (top nav)
 cmd_button(
    'make codegen-local',
@ -52,6 +56,7 @@ local_resource(
    'build',
    'CGO_ENABLED=0 GOOS=linux GOARCH=' + arch + ' go build -gcflags="all=-N -l" -mod=readonly -o .tilt-bin/argocd_linux cmd/main.go',
    deps = code_deps,
+    ignore = ['**/*_test.go'],
    allow_parallel=True,
 )

@ -60,7 +65,7 @@ k8s_yaml(kustomize('manifests/dev-tilt'))

 # build dev image
 docker_build_with_restart(
-    'argocd', 
+    'quay.io/argoproj/argocd:latest', 
    context='.',
    dockerfile='Dockerfile.tilt',
    entrypoint=[
@ -123,6 +128,7 @@ k8s_resource(
        '9345:2345',
        '8083:8083'
    ],
+    resource_deps=['build']
 )

 # track crds
@ -148,6 +154,7 @@ k8s_resource(
        '9346:2345',
        '8084:8084'
    ],
+    resource_deps=['build']
 )

 # track argocd-redis resources and port forward
@ -162,6 +169,7 @@ k8s_resource(
    port_forwards=[
        '6379:6379',
    ],
+    resource_deps=['build']
 )

 # track argocd-applicationset-controller resources
@ -180,6 +188,7 @@ k8s_resource(
        '8085:8080',
        '7000:7000'
    ],
+    resource_deps=['build']
 )

 # track argocd-application-controller resources
@ -197,6 +206,7 @@ k8s_resource(
        '9348:2345',
        '8086:8082',
    ],
+    resource_deps=['build']
 )

 # track argocd-notifications-controller resources
@ -214,6 +224,7 @@ k8s_resource(
        '9349:2345',
        '8087:9001',
    ],
+    resource_deps=['build']
 )

 # track argocd-dex-server resources
@ -225,6 +236,7 @@ k8s_resource(
        'argocd-dex-server:role',
        'argocd-dex-server:rolebinding',
    ],
+    resource_deps=['build']
 )

 # track argocd-commit-server resources
@ -239,6 +251,19 @@ k8s_resource(
        '8088:8087',
        '8089:8086',
    ],
+    resource_deps=['build']
+)
+
+# ui dependencies
+local_resource(
+    'node-modules',
+    'pnpm install',
+    dir='ui',
+    deps = [
+        'ui/package.json',
+        'ui/pnpm-lock.yaml',
+    ],
+    allow_parallel=True,
 )

 # docker for ui
@ -246,11 +271,11 @@ docker_build(
    'argocd-ui',
    context='.',
    dockerfile='Dockerfile.ui.tilt',
-    entrypoint=['sh', '-c', 'cd /app/ui && yarn start'], 
+    entrypoint=['sh', '-c', 'cd /app/ui && pnpm start'],
    only=['ui'],
    live_update=[
        sync('ui', '/app/ui'),
-        run('sh -c "cd /app/ui && yarn install --frozen-lockfile"', trigger=['/app/ui/package.json', '/app/ui/yarn.lock']),
+        run('sh -c "cd /app/ui && pnpm install --frozen-lockfile"', trigger=['/app/ui/package.json', '/app/ui/pnpm-lock.yaml']),
    ],
 )

@ -260,6 +285,7 @@ k8s_resource(
    port_forwards=[
        '4000:4000',
    ],
+    resource_deps=['node-modules'],
 )

 # linting
@ -278,6 +304,7 @@ local_resource(
        'ui',
    ],
    allow_parallel=True,
+    resource_deps=['node-modules'],
 )

 local_resource(
@ -287,5 +314,6 @@ local_resource(
        'go.mod',
        'go.sum',
    ],
+    allow_parallel=True,
 )

--- a/USERS.md
+++ b/USERS.md
@ -7,7 +7,7 @@ Currently, the following organizations are **officially** using Argo CD:

 1. [100ms](https://www.100ms.ai/)
 1. [127Labs](https://127labs.com/)
-1. [3Rein](https://www.3rein.com/)
+1. [3Rein](https://3reinmedia.com/)
 1. [42 School](https://42.fr/)
 1. [4data](https://4data.ch/)
 1. [7shifts](https://www.7shifts.com/)
@ -31,7 +31,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Ant Group](https://www.antgroup.com/)
 1. [AppDirect](https://www.appdirect.com)
-1. [Arctiq Inc.](https://www.arctiq.ca)
+1. [Arcadia](https://arcadia.io/)
+1. [Arctiq Inc.](https://arctiq.com/)
 1. [Artemis Health by Nomi Health](https://www.artemishealth.com/)
 1. [Arturia](https://www.arturia.com)
 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
@ -63,6 +64,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Camptocamp](https://camptocamp.com)
 1. [Candis](https://www.candis.io)
 1. [Capital One](https://www.capitalone.com)
+1. [Capptain LTD](https://capptain.co/)
+1. [Car & Classic](https://www.carandclassic.com)
 1. [CARFAX Europe](https://www.carfax.eu)
 1. [CARFAX](https://www.carfax.com)
 1. [Carrefour Group](https://www.carrefour.com)
@ -73,6 +76,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Chargetrip](https://chargetrip.com)
 1. [Chime](https://www.chime.com)
 1. [Chronicle Labs](https://chroniclelabs.org)
+1. [C.H.Robinson ](https://www.chrobinson.com)
+1. [Circle](https://circle.com/)
 1. [Cisco ET&I](https://eti.cisco.com/)
 1. [Close](https://www.close.com/)
 1. [Cloud Posse](https://www.cloudposse.com/)
@ -85,6 +90,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Cognizant](https://www.cognizant.com/)
+1. [Collins Aerospace](https://www.collinsaerospace.com/)
 1. [Commonbond](https://commonbond.co/)
 1. [Compatio.AI](https://compatio.ai/)
 1. [Contlo](https://contlo.com/)
@ -98,6 +104,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Datarisk](https://www.datarisk.io/)
 1. [Daydream](https://daydream.ing)
 1. [Deloitte](https://www.deloitte.com/)
+1. [Dematic](https://www.dematic.com)
 1. [Deutsche Telekom AG](https://telekom.com)
 1. [Deutsche Bank AG](https://www.deutsche-bank.de/)
 1. [Devopsi - Poland Software/DevOps Consulting](https://devopsi.pl/)
@ -106,6 +113,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [DigitalOcean](https://www.digitalocean.com)
 1. [Divar](https://divar.ir)
 1. [Divistant](https://divistant.com)
+2. [DocNetwork](https://docnetwork.org/)
 1. [Dott](https://ridedott.com)
 1. [Doubble](https://www.doubble.app)
 1. [Doximity](https://www.doximity.com/)
@ -120,6 +128,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [enigmo](https://enigmo.co.jp/)
 1. [Envoy](https://envoy.com/)
 1. [eSave](https://esave.es/)
+1. [Expedia](https://www.expedia.com)
 1. [Factorial](https://factorialhr.com/)
 1. [Farfetch](https://www.farfetch.com)
 1. [Faro](https://www.faro.com/)
@ -141,14 +150,14 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Getir](https://getir.com)
 1. [GetYourGuide](https://www.getyourguide.com/)
 1. [Gitpod](https://www.gitpod.io)
-1. [Gllue](https://gllue.com)
+1. [Gllue](https://www.gllue.com/)
 1. [gloat](https://gloat.com/)
 1. [GLOBIS](https://globis.com)
 1. [Glovo](https://www.glovoapp.com)
 1. [GlueOps](https://glueops.dev)
 1. [GMETRI](https://gmetri.com/)
 1. [Gojek](https://www.gojek.io/)
-1. [GoTo Financial](https://gotofinancial.com/)
+1. [GoTo Financial](https://www.gotocompany.com/en/products/goto-financial)
 1. [GoTo](https://www.goto.com/)
 1. [Greenpass](https://www.greenpass.com.br/)
 1. [Gridfuse](https://gridfuse.com/)
@ -159,7 +168,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Healy](https://www.healyworld.net)
 1. [Helio](https://helio.exchange)
 1. [hetao101](https://www.hetao101.com/)
-1. [Hetki](https://hetki.ai)
+1. [Hetki](https://hetki.io/)
 1. [hipages](https://hipages.com.au/)
 1. [Hiya](https://hiya.com)
 1. [Honestbank](https://honestbank.com)
@ -171,7 +180,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Icelandair](https://www.icelandair.com)
 1. [IFS](https://www.ifs.com)
 1. [IITS-Consulting](https://iits-consulting.de)
-1. [IllumiDesk](https://www.illumidesk.com)
+1. [IllumiDesk](https://illumichat.com/)
+1. [Imagine Learning](https://www.imaginelearning.com/)
 1. [imaware](https://imaware.health)
 1. [Indeed](https://indeed.com)
 1. [Index Exchange](https://www.indexexchange.com/)
@ -180,6 +190,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Instruqt](https://www.instruqt.com)
 1. [Intel](https://www.intel.com)
 1. [Intuit](https://www.intuit.com/)
+1. [IQVIA](https://www.iqvia.com/)
 1. [Jellysmack](https://www.jellysmack.com)
 1. [Joblift](https://joblift.com/)
 1. [JovianX](https://www.jovianx.com/)
@ -201,10 +212,11 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Kurly](https://www.kurly.com/)
 1. [Kvist](https://kvistsolutions.com)
 1. [Kyriba](https://www.kyriba.com/)
+1. [Lattice](https://lattice.com)
 1. [LeFigaro](https://www.lefigaro.fr/)
 1. [Lely](https://www.lely.com/)
 1. [LexisNexis](https://www.lexisnexis.com/)
-1. [Lian Chu Securities](https://lczq.com)
+1. [Lian Chu Securities](https://www.lczq.com/)
 1. [Liatrio](https://www.liatrio.com)
 1. [Lightricks](https://www.lightricks.com/)
 1. [Loom](https://www.loom.com/)
@ -230,13 +242,16 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Mission Lane](https://missionlane.com)
 1. [mixi Group](https://mixi.co.jp/)
 1. [Moengage](https://www.moengage.com/)
+1. [Mollie](https://www.mollie.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
+1. [MongoDB](https://www.mongodb.com/)
 1. [MOO Print](https://www.moo.com/)
 1. [Mozilla](https://www.mozilla.org)
 1. [MTN Group](https://www.mtn.com/)
 1. [Municipality of The Hague](https://www.denhaag.nl/)
 1. [My Job Glasses](https://myjobglasses.com)
-1. [Natura &Co](https://naturaeco.com/)
+1. [Natura &Co](https://ri.natura.com.br/)
+1. [Netease Cloud Music](https://music.163.com/)
 1. [Nethopper](https://nethopper.io)
 1. [New Relic](https://newrelic.com/)
 1. [Nextbasket](https://nextbasket.com)
@ -266,7 +281,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Orbital Insight](https://orbitalinsight.com/)
 1. [Oscar Health Insurance](https://hioscar.com/)
 1. [Outpost24](https://outpost24.com/)
-1. [p3r](https://www.p3r.one/)
+1. [p3r](https://persona.atlus.com/p3r/)
 1. [Packlink](https://www.packlink.com/)
 1. [PagerDuty](https://www.pagerduty.com/)
 1. [Pandosearch](https://www.pandosearch.com/en/home)
@ -284,6 +299,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Pismo](https://pismo.io/)
 1. [PITS Globale Datenrettungsdienste](https://www.pitsdatenrettung.de/)
 1. [Platform9 Systems](https://platform9.com/)
+1. [Playground Tech](https://playgroundgroup.io)
 1. [Polarpoint.io](https://polarpoint.io)
 1. [Pollinate](https://www.pollinate.global)
 1. [PostFinance](https://github.com/postfinance)
@ -309,7 +325,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Relex Solutions](https://www.relexsolutions.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rijkswaterstaat](https://www.rijkswaterstaat.nl/en)
-1. [Rise](https://www.risecard.eu/)
+1. Rise
+1. [RISK IDENT](https://riskident.com/)
 1. [Riskified](https://www.riskified.com/)
 1. [Robotinfra](https://www.robotinfra.com)
 1. [Rocket.Chat](https://rocket.chat)
@ -319,6 +336,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Salad Technologies](https://salad.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
+1. [SAP Signavio](https://www.signavio.com)
 1. [Sauce Labs](https://saucelabs.com/)
 1. [Schneider Electric](https://www.se.com)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
@ -366,6 +384,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Tailor Brands](https://www.tailorbrands.com)
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
 1. [TBC Bank](https://tbcbank.ge/)
+1. [Techcom Securities](https://www.tcbs.com.vn/)
 1. [Techcombank](https://www.techcombank.com.vn/trang-chu)
 1. [Technacy](https://www.technacy.it/)
 1. [Telavita](https://www.telavita.com.br/)
@ -376,6 +395,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Ticketmaster](https://ticketmaster.com)
 1. [Tiger Analytics](https://www.tigeranalytics.com/)
 1. [Tigera](https://www.tigera.io/)
+1. [Topicus.Education](https://topicus.nl/en/sectors/education)
 1. [Toss](https://toss.im/en)
 1. [Trendyol](https://www.trendyol.com/)
 1. [tru.ID](https://tru.id)
@ -405,18 +425,18 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [VSHN - The DevOps Company](https://vshn.ch/)
 1. [Wakacje.pl](https://www.wakacje.pl/)
 1. [Walkbase](https://www.walkbase.com/)
-1. [Webstores](https://www.webstores.nl)
+1. [Webstores](https://www.friday.nl/)
 1. [Wehkamp](https://www.wehkamp.nl/)
 1. [WeMaintain](https://www.wemaintain.com/)
 1. [WeMo Scooter](https://www.wemoscooter.com/)
 1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
-1. [Witick](https://witick.io/)
+1. [Witick](https://www.witik.io/en/)
 1. [Wolffun Game](https://www.wolffungame.com/)
 1. [WooliesX](https://wooliesx.com.au/)
 1. [Woolworths Group](https://www.woolworthsgroup.com.au/)
 1. [WSpot](https://www.wspot.com.br/)
 1. [X3M ads](https://x3mads.com)
-1. [Yieldlab](https://www.yieldlab.de/)
+1. [Yieldlab](https://virtualminds.com/)
 1. [Youverify](https://youverify.co/)
 1. [Yubo](https://www.yubo.live/)
 1. [Yuno](https://y.uno/)
--- a/2
+++ b/2
@ -1 +1 @@
-3.2.9
+3.5.0
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
--- a/applicationset/controllers/requeue_after_test.go
+++ b/applicationset/controllers/requeue_after_test.go
@ -19,6 +19,7 @@ import (
 	appsetmetrics "github.com/argoproj/argo-cd/v3/applicationset/metrics"
 	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
 	argov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

 func TestRequeueAfter(t *testing.T) {
@ -57,12 +58,17 @@ func TestRequeueAfter(t *testing.T) {
 	}
 	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
 	scmConfig := generators.NewSCMConfig("", []string{""}, true, true, nil, true)
+	clusterInformer, err := settings.NewClusterInformer(appClientset, "argocd")
+	require.NoError(t, err)
+
+	defer startAndSyncInformer(t, clusterInformer)()
+
 	terminalGenerators := map[string]generators.Generator{
 		"List":                    generators.NewListGenerator(),
-		"Clusters":                generators.NewClusterGenerator(ctx, k8sClient, appClientset, "argocd"),
+		"Clusters":                generators.NewClusterGenerator(k8sClient, "argocd"),
 		"Git":                     generators.NewGitGenerator(mockServer, "namespace"),
 		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), scmConfig),
-		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
+		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd", clusterInformer),
 		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, scmConfig),
 	}

--- a/applicationset/controllers/template/patch_test.go
+++ b/applicationset/controllers/template/patch_test.go
@ -96,7 +96,7 @@ func Test_ApplyTemplatePatch(t *testing.T) {
 					},
 					SyncPolicy: &appv1.SyncPolicy{
 						Automated: &appv1.SyncPolicyAutomated{
-							Prune: true,
+							Prune: new(true),
 						},
 					},
 				},
@ -172,7 +172,7 @@ spec:
 					},
 					SyncPolicy: &appv1.SyncPolicy{
 						Automated: &appv1.SyncPolicyAutomated{
-							Prune: true,
+							Prune: new(true),
 						},
 					},
 				},
--- a/applicationset/controllers/template/template_test.go
+++ b/applicationset/controllers/template/template_test.go
@ -86,28 +86,28 @@ func TestGenerateApplications(t *testing.T) {
 		}

 		t.Run(cc.name, func(t *testing.T) {
-			generatorMock := genmock.Generator{}
+			generatorMock := &genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
 			}

-			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cc.params, cc.generateParamsError)

-			generatorMock.On("GetTemplate", &generator).
+			generatorMock.EXPECT().GetTemplate(&generator).
 				Return(&v1alpha1.ApplicationSetTemplate{})

-			rendererMock := rendmock.Renderer{}
+			rendererMock := &rendmock.Renderer{}

 			var expectedApps []v1alpha1.Application

 			if cc.generateParamsError == nil {
 				for _, p := range cc.params {
 					if cc.rendererError != nil {
-						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+						rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
 							Return(nil, cc.rendererError)
 					} else {
-						rendererMock.On("RenderTemplateParams", GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
+						rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.template), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), p, false, []string(nil)).
 							Return(&app, nil)
 						expectedApps = append(expectedApps, app)
 					}
@ -115,9 +115,9 @@ func TestGenerateApplications(t *testing.T) {
 			}

 			generators := map[string]generators.Generator{
-				"List": &generatorMock,
+				"List": generatorMock,
 			}
-			renderer := &rendererMock
+			renderer := rendererMock

 			got, reason, err := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@ -200,26 +200,26 @@ func TestMergeTemplateApplications(t *testing.T) {
 		cc := c

 		t.Run(cc.name, func(t *testing.T) {
-			generatorMock := genmock.Generator{}
+			generatorMock := &genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
 			}

-			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cc.params, nil)

-			generatorMock.On("GetTemplate", &generator).
+			generatorMock.EXPECT().GetTemplate(&generator).
 				Return(&cc.overrideTemplate)

-			rendererMock := rendmock.Renderer{}
+			rendererMock := &rendmock.Renderer{}

-			rendererMock.On("RenderTemplateParams", GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
+			rendererMock.EXPECT().RenderTemplateParams(GetTempApplication(cc.expectedMerged), mock.AnythingOfType("*v1alpha1.ApplicationSetSyncPolicy"), cc.params[0], false, []string(nil)).
 				Return(&cc.expectedApps[0], nil)

 			generators := map[string]generators.Generator{
-				"List": &generatorMock,
+				"List": generatorMock,
 			}
-			renderer := &rendererMock
+			renderer := rendererMock

 			got, _, _ := GenerateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@ -312,19 +312,19 @@ func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
 		},
 	} {
 		t.Run(cases.name, func(t *testing.T) {
-			generatorMock := genmock.Generator{}
+			generatorMock := &genmock.Generator{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				PullRequest: &v1alpha1.PullRequestGenerator{},
 			}

-			generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+			generatorMock.EXPECT().GenerateParams(&generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
 				Return(cases.params, nil)

-			generatorMock.On("GetTemplate", &generator).
-				Return(&cases.template, nil)
+			generatorMock.EXPECT().GetTemplate(&generator).
+				Return(&cases.template)

 			generators := map[string]generators.Generator{
-				"PullRequest": &generatorMock,
+				"PullRequest": generatorMock,
 			}
 			renderer := &utils.Render{}

--- a/applicationset/generators/cluster.go
+++ b/applicationset/generators/cluster.go
@ -9,7 +9,6 @@ import (

 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/argoproj/argo-cd/v3/applicationset/utils"
@ -22,19 +21,15 @@ var _ Generator = (*ClusterGenerator)(nil)
 // ClusterGenerator generates Applications for some or all clusters registered with ArgoCD.
 type ClusterGenerator struct {
 	client.Client
-	ctx       context.Context
-	clientset kubernetes.Interface
 	// namespace is the Argo CD namespace
 	namespace string
 }

 var render = &utils.Render{}

-func NewClusterGenerator(ctx context.Context, c client.Client, clientset kubernetes.Interface, namespace string) Generator {
+func NewClusterGenerator(c client.Client, namespace string) Generator {
 	g := &ClusterGenerator{
 		Client:    c,
-		ctx:       ctx,
-		clientset: clientset,
 		namespace: namespace,
 	}
 	return g
@ -64,16 +59,7 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 	// - Since local clusters do not have secrets, they do not have labels to match against
 	ignoreLocalClusters := len(appSetGenerator.Clusters.Selector.MatchExpressions) > 0 || len(appSetGenerator.Clusters.Selector.MatchLabels) > 0

-	// ListCluster will include the local cluster in the list of clusters
-	clustersFromArgoCD, err := utils.ListClusters(g.ctx, g.clientset, g.namespace)
-	if err != nil {
-		return nil, fmt.Errorf("error listing clusters: %w", err)
-	}
-
-	if clustersFromArgoCD == nil {
-		return nil, nil
-	}
-
+	// Get cluster secrets using the cached controller-runtime client
 	clusterSecrets, err := g.getSecretsByClusterName(logCtx, appSetGenerator)
 	if err != nil {
 		return nil, fmt.Errorf("error getting cluster secrets: %w", err)
@ -82,32 +68,14 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 	paramHolder := &paramHolder{isFlatMode: appSetGenerator.Clusters.FlatList}
 	logCtx.Debugf("Using flat mode = %t for cluster generator", paramHolder.isFlatMode)

-	secretsFound := []corev1.Secret{}
-	for _, cluster := range clustersFromArgoCD {
-		// If there is a secret for this cluster, then it's a non-local cluster, so it will be
-		// handled by the next step.
-		if secretForCluster, exists := clusterSecrets[cluster.Name]; exists {
-			secretsFound = append(secretsFound, secretForCluster)
-		} else if !ignoreLocalClusters {
-			// If there is no secret for the cluster, it's the local cluster, so handle it here.
-			params := map[string]any{}
-			params["name"] = cluster.Name
-			params["nameNormalized"] = cluster.Name
-			params["server"] = cluster.Server
-			params["project"] = ""
-
-			err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
-			if err != nil {
-				return nil, fmt.Errorf("error appending templated values for local cluster: %w", err)
-			}
-
-			paramHolder.append(params)
-			logCtx.WithField("cluster", "local cluster").Info("matched local cluster")
-		}
+	// Convert map values to slice to check for an in-cluster secret
+	secretsList := make([]corev1.Secret, 0, len(clusterSecrets))
+	for _, secret := range clusterSecrets {
+		secretsList = append(secretsList, secret)
 	}

 	// For each matching cluster secret (non-local clusters only)
-	for _, cluster := range secretsFound {
+	for _, cluster := range clusterSecrets {
 		params := g.getClusterParameters(cluster, appSet)

 		err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
@ -119,6 +87,23 @@ func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.Ap
 		logCtx.WithField("cluster", cluster.Name).Debug("matched cluster secret")
 	}

+	// Add the in-cluster last if it doesn't have a secret, and we're not ignoring in-cluster
+	if !ignoreLocalClusters && !utils.SecretsContainInClusterCredentials(secretsList) {
+		params := map[string]any{}
+		params["name"] = argoappsetv1alpha1.KubernetesInClusterName
+		params["nameNormalized"] = argoappsetv1alpha1.KubernetesInClusterName
+		params["server"] = argoappsetv1alpha1.KubernetesInternalAPIServerAddr
+		params["project"] = ""
+
+		err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
+		if err != nil {
+			return nil, fmt.Errorf("error appending templated values for local cluster: %w", err)
+		}
+
+		paramHolder.append(params)
+		logCtx.WithField("cluster", "local cluster").Info("matched local cluster")
+	}
+
 	return paramHolder.consolidate(), nil
 }

@ -186,7 +171,7 @@ func (g *ClusterGenerator) getSecretsByClusterName(log *log.Entry, appSetGenerat
 		return nil, fmt.Errorf("error converting label selector: %w", err)
 	}

-	if err := g.List(context.Background(), clusterSecretList, client.MatchingLabelsSelector{Selector: secretSelector}); err != nil {
+	if err := g.List(context.Background(), clusterSecretList, client.InNamespace(g.namespace), client.MatchingLabelsSelector{Selector: secretSelector}); err != nil {
 		return nil, err
 	}
 	log.Debugf("clusters matching labels: %d", len(clusterSecretList.Items))
--- a/applicationset/generators/cluster_test.go
+++ b/applicationset/generators/cluster_test.go
@ -7,12 +7,9 @@ import (

 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	kubefake "k8s.io/client-go/kubernetes/fake"
-
 	"github.com/argoproj/argo-cd/v3/applicationset/utils"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"

@ -299,23 +296,15 @@ func TestGenerateParams(t *testing.T) {
 		},
 	}

-	// convert []client.Object to []runtime.Object, for use by kubefake package
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}
-
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
-
 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
 			cl := &possiblyErroringFakeCtrlRuntimeClient{
 				fakeClient,
 				testCase.clientError,
 			}

-			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@ -336,12 +325,25 @@ func TestGenerateParams(t *testing.T) {
 				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
 				require.NoError(t, err)
-				assert.ElementsMatch(t, testCase.expected, got)
+				assertEqualParamsFlat(t, testCase.expected, got, testCase.isFlatMode)
 			}
 		})
 	}
 }

+func assertEqualParamsFlat(t *testing.T, expected, got []map[string]any, isFlatMode bool) {
+	t.Helper()
+	if isFlatMode && len(expected) == 1 && len(got) == 1 {
+		expectedClusters, ok1 := expected[0]["clusters"].([]map[string]any)
+		gotClusters, ok2 := got[0]["clusters"].([]map[string]any)
+		if ok1 && ok2 {
+			assert.ElementsMatch(t, expectedClusters, gotClusters)
+			return
+		}
+	}
+	assert.ElementsMatch(t, expected, got)
+}
+
 func TestGenerateParamsGoTemplate(t *testing.T) {
 	clusters := []client.Object{
 		&corev1.Secret{
@ -837,23 +839,15 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 		},
 	}

-	// convert []client.Object to []runtime.Object, for use by kubefake package
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}
-
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
-
 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
 			cl := &possiblyErroringFakeCtrlRuntimeClient{
 				fakeClient,
 				testCase.clientError,
 			}

-			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, "namespace")

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@ -876,7 +870,7 @@ func TestGenerateParamsGoTemplate(t *testing.T) {
 				require.EqualError(t, err, testCase.expectedError.Error())
 			} else {
 				require.NoError(t, err)
-				assert.ElementsMatch(t, testCase.expected, got)
+				assertEqualParamsFlat(t, testCase.expected, got, testCase.isFlatMode)
 			}
 		})
 	}
--- a/applicationset/generators/duck_type.go
+++ b/applicationset/generators/duck_type.go
@ -19,24 +19,27 @@ import (

 	"github.com/argoproj/argo-cd/v3/applicationset/utils"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

 var _ Generator = (*DuckTypeGenerator)(nil)

 // DuckTypeGenerator generates Applications for some or all clusters registered with ArgoCD.
 type DuckTypeGenerator struct {
-	ctx       context.Context
-	dynClient dynamic.Interface
-	clientset kubernetes.Interface
-	namespace string // namespace is the Argo CD namespace
+	ctx             context.Context
+	dynClient       dynamic.Interface
+	clientset       kubernetes.Interface
+	namespace       string // namespace is the Argo CD namespace
+	clusterInformer *settings.ClusterInformer
 }

-func NewDuckTypeGenerator(ctx context.Context, dynClient dynamic.Interface, clientset kubernetes.Interface, namespace string) Generator {
+func NewDuckTypeGenerator(ctx context.Context, dynClient dynamic.Interface, clientset kubernetes.Interface, namespace string, clusterInformer *settings.ClusterInformer) Generator {
 	g := &DuckTypeGenerator{
-		ctx:       ctx,
-		dynClient: dynClient,
-		clientset: clientset,
-		namespace: namespace,
+		ctx:             ctx,
+		dynClient:       dynClient,
+		clientset:       clientset,
+		namespace:       namespace,
+		clusterInformer: clusterInformer,
 	}
 	return g
 }
@ -65,8 +68,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 		return nil, ErrEmptyAppSetGenerator
 	}

-	// ListCluster from Argo CD's util/db package will include the local cluster in the list of clusters
-	clustersFromArgoCD, err := utils.ListClusters(g.ctx, g.clientset, g.namespace)
+	clustersFromArgoCD, err := utils.ListClusters(g.clusterInformer)
 	if err != nil {
 		return nil, fmt.Errorf("error listing clusters: %w", err)
 	}
--- a/applicationset/generators/duck_type_test.go
+++ b/applicationset/generators/duck_type_test.go
@ -11,11 +11,13 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	dynfake "k8s.io/client-go/dynamic/fake"
+	"k8s.io/client-go/dynamic/fake"
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/test"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

 const (
@ -290,9 +292,14 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 				Resource: "ducks",
 			}: "DuckList"}

-			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)
+			fakeDynClient := fake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)

-			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace")
+			clusterInformer, err := settings.NewClusterInformer(appClientset, "namespace")
+			require.NoError(t, err)
+
+			defer test.StartInformer(clusterInformer)()
+
+			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace", clusterInformer)

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@ -586,9 +593,14 @@ func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
 				Resource: "ducks",
 			}: "DuckList"}

-			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)
+			fakeDynClient := fake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)

-			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace")
+			clusterInformer, err := settings.NewClusterInformer(appClientset, "namespace")
+			require.NoError(t, err)
+
+			defer test.StartInformer(clusterInformer)()
+
+			duckTypeGenerator := NewDuckTypeGenerator(t.Context(), fakeDynClient, appClientset, "namespace", clusterInformer)

 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
--- a/applicationset/generators/generator_spec_processor.go
+++ b/applicationset/generators/generator_spec_processor.go
@ -124,7 +124,7 @@ func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSet
 }

 func flattenParameters(in map[string]any) (map[string]string, error) {
-	flat, err := flatten.Flatten(in, "", flatten.DotStyle)
+	flat, err := flatten.Flatten(normalizeMapForFlatten(in), "", flatten.DotStyle)
 	if err != nil {
 		return nil, fmt.Errorf("error flatenning parameters: %w", err)
 	}
@ -137,6 +137,31 @@ func flattenParameters(in map[string]any) (map[string]string, error) {
 	return out, nil
 }

+// normalizeMapForFlatten recursively converts map[string]string values to
+// map[string]interface{} so that flatten.Flatten can recurse into them.
+// flatten.Flatten only recurses into map[string]interface{} and []interface{};
+// map[string]string is treated as an opaque leaf, causing individual keys
+// (e.g. metadata.labels.environment) to be absent from the flat output and
+// silently breaking post-generator selector matching in GoTemplate mode.
+func normalizeMapForFlatten(in map[string]any) map[string]any {
+	out := make(map[string]any, len(in))
+	for k, v := range in {
+		switch cast := v.(type) {
+		case map[string]string:
+			inner := make(map[string]any, len(cast))
+			for ik, iv := range cast {
+				inner[ik] = iv
+			}
+			out[k] = inner
+		case map[string]any:
+			out[k] = normalizeMapForFlatten(cast)
+		default:
+			out[k] = v
+		}
+	}
+	return out
+}
+
 func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetTemplate argoprojiov1alpha1.ApplicationSetTemplate) (argoprojiov1alpha1.ApplicationSetTemplate, error) {
 	// Make a copy of the value from `GetTemplate()` before merge, rather than copying directly into
 	// the provided parameter (which will touch the original resource object returned by client-go)
--- a/applicationset/generators/generator_spec_processor_test.go
+++ b/applicationset/generators/generator_spec_processor_test.go
@ -1,7 +1,6 @@
 package generators

 import (
-	"context"
 	"testing"

 	log "github.com/sirupsen/logrus"
@ -16,8 +15,6 @@ import (

 	"github.com/stretchr/testify/mock"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	kubefake "k8s.io/client-go/kubernetes/fake"
 	crtclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@ -252,6 +249,231 @@ func TestTransForm(t *testing.T) {
 	}
 }

+func TestTransFormGoTemplate(t *testing.T) {
+	testCases := []struct {
+		name     string
+		selector *metav1.LabelSelector
+		values   map[string]string
+		expected []map[string]any
+	}{
+		{
+			name: "server filter",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"server": "https://production-01.example.com"},
+			},
+			expected: []map[string]any{{
+				"name":           "production_01/west",
+				"nameNormalized": "production-01-west",
+				"server":         "https://production-01.example.com",
+				"project":        "",
+				"metadata": map[string]any{
+					"labels": map[string]string{
+						"argocd.argoproj.io/secret-type": "cluster",
+						"environment":                    "production",
+						"org":                            "bar",
+					},
+					"annotations": map[string]string{
+						"foo.argoproj.io": "production",
+					},
+				},
+			}},
+		},
+		{
+			name: "label MatchLabels",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"metadata.labels.environment": "staging"},
+			},
+			expected: []map[string]any{{
+				"name":           "staging-01",
+				"nameNormalized": "staging-01",
+				"server":         "https://staging-01.example.com",
+				"project":        "",
+				"metadata": map[string]any{
+					"labels": map[string]string{
+						"argocd.argoproj.io/secret-type": "cluster",
+						"environment":                    "staging",
+						"org":                            "foo",
+					},
+					"annotations": map[string]string{
+						"foo.argoproj.io": "staging",
+					},
+				},
+			}},
+		},
+		{
+			name: "label NotIn matchExpression",
+			selector: &metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      "metadata.labels.environment",
+						Operator: metav1.LabelSelectorOpNotIn,
+						Values:   []string{"staging"},
+					},
+				},
+			},
+			// staging-01 is excluded; production-01, some-really-long-server-url, and
+			// in-cluster (no labels) are all included because NotIn vacuously passes
+			// when the key is absent.
+			expected: []map[string]any{
+				{
+					"name":           "production_01/west",
+					"nameNormalized": "production-01-west",
+					"server":         "https://production-01.example.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+				{
+					"name":           "some-really-long-server-url",
+					"nameNormalized": "some-really-long-server-url",
+					"server":         "https://some-really-long-url-that-will-exceed-63-characters.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+				{
+					// in-cluster (local cluster) has no labels; NotIn vacuously passes.
+					"name":           "in-cluster",
+					"nameNormalized": "in-cluster",
+					"server":         "https://kubernetes.default.svc",
+					"project":        "",
+				},
+			},
+		},
+		{
+			name: "slash key in label",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"metadata.labels.argocd.argoproj.io/secret-type": "cluster"},
+			},
+			expected: []map[string]any{
+				{
+					"name":           "staging-01",
+					"nameNormalized": "staging-01",
+					"server":         "https://staging-01.example.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "staging",
+							"org":                            "foo",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "staging",
+						},
+					},
+				},
+				{
+					"name":           "production_01/west",
+					"nameNormalized": "production-01-west",
+					"server":         "https://production-01.example.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+				{
+					"name":           "some-really-long-server-url",
+					"nameNormalized": "some-really-long-server-url",
+					"server":         "https://some-really-long-url-that-will-exceed-63-characters.com",
+					"project":        "",
+					"metadata": map[string]any{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "values filter",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"values.env": "staging"},
+			},
+			values: map[string]string{"env": "{{.metadata.labels.environment}}"},
+			expected: []map[string]any{{
+				"name":           "staging-01",
+				"nameNormalized": "staging-01",
+				"server":         "https://staging-01.example.com",
+				"project":        "",
+				"metadata": map[string]any{
+					"labels": map[string]string{
+						"argocd.argoproj.io/secret-type": "cluster",
+						"environment":                    "staging",
+						"org":                            "foo",
+					},
+					"annotations": map[string]string{
+						"foo.argoproj.io": "staging",
+					},
+				},
+				"values": map[string]string{
+					"env": "staging",
+				},
+			}},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			testGenerators := map[string]Generator{
+				"Clusters": getMockClusterGenerator(),
+			}
+
+			applicationSetInfo := argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+				},
+			}
+
+			results, err := Transform(
+				argov1alpha1.ApplicationSetGenerator{
+					Selector: testCase.selector,
+					Clusters: &argov1alpha1.ClusterGenerator{
+						Selector: metav1.LabelSelector{},
+						Template: argov1alpha1.ApplicationSetTemplate{},
+						Values:   testCase.values,
+					},
+				},
+				testGenerators,
+				emptyTemplate(),
+				&applicationSetInfo, nil, nil)
+
+			require.NoError(t, err)
+			assert.ElementsMatch(t, testCase.expected, results[0].Params)
+		})
+	}
+}
+
 func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
 	return argov1alpha1.ApplicationSetTemplate{
 		Spec: argov1alpha1.ApplicationSpec{
@ -335,20 +557,14 @@ func getMockClusterGenerator() Generator {
 			Type: corev1.SecretType("Opaque"),
 		},
 	}
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}
-	appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
-
 	fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
-	return NewClusterGenerator(context.Background(), fakeClient, appClientset, "namespace")
+	return NewClusterGenerator(fakeClient, "namespace")
 }

 func getMockGitGenerator() Generator {
-	argoCDServiceMock := mocks.Repos{}
-	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
-	gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
+	argoCDServiceMock := &mocks.Repos{}
+	argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	gitGenerator := NewGitGenerator(argoCDServiceMock, "namespace")
 	return gitGenerator
 }

@ -537,7 +753,7 @@ func TestInterpolateGeneratorError(t *testing.T) {
 		{name: "Error templating", args: args{
 			requestedGenerator: &argov1alpha1.ApplicationSetGenerator{Git: &argov1alpha1.GitGenerator{
 				RepoURL:  "foo",
-				Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "bar/"}},
+				Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "path/{{ index .rmap (default .override .test) }}"}},
 				Revision: "main",
 				Values: map[string]string{
 					"git_test":  "{{ toPrettyJson . }}",
@ -551,7 +767,7 @@ func TestInterpolateGeneratorError(t *testing.T) {
 			},
 			useGoTemplate:     true,
 			goTemplateOptions: []string{},
-		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template {{ index .rmap (default .override .test) }}: template: :1:3: executing \"\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
+		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template path/{{ index .rmap (default .override .test) }}: template: base:1:8: executing \"base\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -565,3 +781,178 @@ func TestInterpolateGeneratorError(t *testing.T) {
 		})
 	}
 }
+
+func TestInterpolateGeneratorValuesHandling(t *testing.T) {
+	applicationSetTemplate := argov1alpha1.ApplicationSetTemplate{
+		ApplicationSetTemplateMeta: argov1alpha1.ApplicationSetTemplateMeta{
+			Labels:      map[string]string{},
+			Annotations: map[string]string{},
+			Finalizers:  []string{},
+		},
+		Spec: argov1alpha1.ApplicationSpec{
+			IgnoreDifferences: argov1alpha1.IgnoreDifferences{},
+			Info:              []argov1alpha1.Info{},
+			Sources:           argov1alpha1.ApplicationSources{},
+		},
+	}
+	type args struct {
+		requestedGenerator *argov1alpha1.ApplicationSetGenerator
+		params             map[string]any
+		useGoTemplate      bool
+		goTemplateOptions  []string
+	}
+	tests := []struct {
+		name           string
+		args           args
+		want           argov1alpha1.ApplicationSetGenerator
+		expectedErrStr string
+	}{
+		{
+			name: "Generator with values set",
+			args: args{
+				requestedGenerator: &argov1alpha1.ApplicationSetGenerator{
+					Git: &argov1alpha1.GitGenerator{
+						RepoURL:  "https://somewhere.com/per-cluster/{{.name}}.git",
+						Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+						Revision: "main",
+						Values: map[string]string{
+							"appname": "{{ .path.basenameNormalized }}",
+						},
+						Template: applicationSetTemplate,
+					},
+				},
+				params: map[string]any{
+					"name":   "in-cluster",
+					"server": "https://kubernetes.default.svc",
+				},
+				useGoTemplate:     true,
+				goTemplateOptions: []string{},
+			},
+			want: argov1alpha1.ApplicationSetGenerator{
+				Git: &argov1alpha1.GitGenerator{
+					RepoURL:  "https://somewhere.com/per-cluster/in-cluster.git",
+					Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+					Revision: "main",
+					Values: map[string]string{
+						// must stay not interpolated
+						"appname": "{{ .path.basenameNormalized }}",
+					},
+					Directories: []argov1alpha1.GitDirectoryGeneratorItem{},
+					Template:    applicationSetTemplate,
+				},
+			},
+			expectedErrStr: "",
+		},
+		{
+			name: "Generator with no values set",
+			args: args{
+				requestedGenerator: &argov1alpha1.ApplicationSetGenerator{
+					Git: &argov1alpha1.GitGenerator{
+						RepoURL:  "https://somewhere.com/per-cluster/{{.name}}.git",
+						Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+						Revision: "main",
+						Values:   map[string]string{},
+						Template: applicationSetTemplate,
+					},
+				},
+				params: map[string]any{
+					"name":   "in-cluster",
+					"server": "https://kubernetes.default.svc",
+				},
+				useGoTemplate:     true,
+				goTemplateOptions: []string{},
+			},
+			want: argov1alpha1.ApplicationSetGenerator{
+				Git: &argov1alpha1.GitGenerator{
+					RepoURL:     "https://somewhere.com/per-cluster/in-cluster.git",
+					Files:       []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+					Revision:    "main",
+					Values:      map[string]string{},
+					Directories: []argov1alpha1.GitDirectoryGeneratorItem{},
+					Template:    applicationSetTemplate,
+				},
+			},
+			expectedErrStr: "",
+		},
+		{
+			name: "Generator with values set without go templates",
+			args: args{
+				requestedGenerator: &argov1alpha1.ApplicationSetGenerator{
+					Git: &argov1alpha1.GitGenerator{
+						RepoURL:  "https://somewhere.com/per-cluster/{{name}}.git",
+						Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+						Revision: "main",
+						Values: map[string]string{
+							"appname": "{{ .path.basenameNormalized }}",
+						},
+						Template: applicationSetTemplate,
+					},
+				},
+				params: map[string]any{
+					"name":   "in-cluster",
+					"server": "https://kubernetes.default.svc",
+				},
+				useGoTemplate: false,
+			},
+			want: argov1alpha1.ApplicationSetGenerator{
+				Git: &argov1alpha1.GitGenerator{
+					RepoURL:  "https://somewhere.com/per-cluster/in-cluster.git",
+					Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+					Revision: "main",
+					Values: map[string]string{
+						"appname": "{{ .path.basenameNormalized }}",
+					},
+					Directories: []argov1alpha1.GitDirectoryGeneratorItem{},
+					Template:    applicationSetTemplate,
+				},
+			},
+			expectedErrStr: "",
+		},
+		{
+			name: "Generator without values set and no go templates",
+			args: args{
+				requestedGenerator: &argov1alpha1.ApplicationSetGenerator{
+					Git: &argov1alpha1.GitGenerator{
+						RepoURL:  "https://somewhere.com/per-cluster/{{name}}.git",
+						Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+						Revision: "main",
+						Values:   map[string]string{},
+						Template: applicationSetTemplate,
+					},
+				},
+				params: map[string]any{
+					"name":   "in-cluster",
+					"server": "https://kubernetes.default.svc",
+				},
+				useGoTemplate: false,
+			},
+			want: argov1alpha1.ApplicationSetGenerator{
+				Git: &argov1alpha1.GitGenerator{
+					RepoURL:     "https://somewhere.com/per-cluster/in-cluster.git",
+					Files:       []argov1alpha1.GitFileGeneratorItem{{Path: "somedir/*"}},
+					Revision:    "main",
+					Values:      map[string]string{},
+					Directories: []argov1alpha1.GitDirectoryGeneratorItem{},
+					Template:    applicationSetTemplate,
+				},
+			},
+			expectedErrStr: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := InterpolateGenerator(tt.args.requestedGenerator, tt.args.params, tt.args.useGoTemplate, tt.args.goTemplateOptions)
+			if tt.expectedErrStr != "" {
+				require.EqualError(t, err, tt.expectedErrStr)
+			} else {
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tt.want.Git.Values, got.Git.Values)
+			assert.Equal(t, tt.want.Git.Revision, got.Git.Revision)
+			assert.Equal(t, tt.want.Git.RepoURL, got.Git.RepoURL)
+			assert.Equal(t, tt.want.Git.Files, got.Git.Files)
+			assert.Equal(t, tt.want.Git.Directories, got.Git.Directories)
+			assert.Equal(t, tt.want.Git.Template, got.Git.Template)
+		})
+	}
+}
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@ -3,6 +3,7 @@ package generators
 import (
 	"context"
 	"fmt"
+	"maps"
 	"path"
 	"sort"
 	"strconv"
@ -168,9 +169,7 @@ func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1al
 		if err != nil {
 			return nil, err
 		}
-		for absPath, content := range retrievedFiles {
-			fileContentMap[absPath] = content
-		}
+		maps.Copy(fileContentMap, retrievedFiles)
 	}

 	// Now remove files matching any exclude pattern
@ -242,9 +241,7 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 		params := map[string]any{}

 		if useGoTemplate {
-			for k, v := range objectFound {
-				params[k] = v
-			}
+			maps.Copy(params, objectFound)

 			paramPath := map[string]any{}

@ -316,7 +313,7 @@ func (g *GitGenerator) filterApps(directories []argoprojiov1alpha1.GitDirectoryG
 				appExclude = true
 			}
 		}
-		// Whenever there is a path with exclude: true it wont be included, even if it is included in a different path pattern
+		// Whenever there is a path with exclude: true it won't be included, even if it is included in a different path pattern
 		if appInclude && !appExclude {
 			res = append(res, appPath)
 		}
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@ -9,7 +9,6 @@ import (
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

 	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
@ -111,13 +110,18 @@ foo:
 		{
 			name: "file parameters are added to params with go template",
 			args: args{
-				filePath:      "path/dir/file_name.yaml",
-				fileContent:   defaultContent,
-				values:        map[string]string{},
+				filePath:    "path/dir/file_name.yaml",
+				fileContent: defaultContent,
+				values: map[string]string{
+					"somekey": "{{.path.basename}}",
+				},
 				useGoTemplate: true,
 			},
 			want: []map[string]any{
 				{
+					"values": map[string]string{
+						"somekey": "dir",
+					},
 					"foo": map[string]any{
 						"bar": "baz",
 					},
@ -165,6 +169,41 @@ foo:
 				},
 			},
 		},
+		{
+			name: "path parameter are prefixed with go template and values",
+			args: args{
+				filePath:    "path/dir/file_name.yaml",
+				fileContent: defaultContent,
+				values: map[string]string{
+					"somekey": "{{.myRepo.path.basename}}",
+				},
+				useGoTemplate:   true,
+				pathParamPrefix: "myRepo",
+			},
+			want: []map[string]any{
+				{
+					"foo": map[string]any{
+						"bar": "baz",
+					},
+					"myRepo": map[string]any{
+						"path": map[string]any{
+							"path":               "path/dir",
+							"basename":           "dir",
+							"filename":           "file_name.yaml",
+							"basenameNormalized": "dir",
+							"filenameNormalized": "file-name.yaml",
+							"segments": []string{
+								"path",
+								"dir",
+							},
+						},
+					},
+					"values": map[string]string{
+						"somekey": "dir",
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -320,11 +359,11 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)

-			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -357,8 +396,6 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@ -623,11 +660,11 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)

-			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -660,8 +697,6 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 				require.NoError(t, err)
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@ -1000,11 +1035,11 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
-			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -1036,8 +1071,6 @@ cluster:
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@ -1331,7 +1364,7 @@ env: testing
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)

 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
@ -1339,18 +1372,16 @@ env: testing
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -1382,8 +1413,6 @@ env: testing
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@ -1672,7 +1701,7 @@ env: testing
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)

 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
@ -1680,18 +1709,16 @@ env: testing
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -1723,8 +1750,6 @@ env: testing
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@ -1908,25 +1933,23 @@ func TestGitGeneratorParamsFromFilesWithExcludeOptionGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
+			argoCDServiceMock := mocks.NewRepos(t)
 			// IMPORTANT: we try to get the files from the repo server that matches the patterns
 			// If we find those files also satisfy the exclude pattern, we remove them from map
 			// This is generally done by the g.repos.GetFiles() function.
 			// With the below mock setup, we make sure that if the GetFiles() function gets called
 			// for a include or exclude pattern, it should always return the includeFiles or excludeFiles.
 			for _, pattern := range testCaseCopy.excludePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.excludeFiles, testCaseCopy.repoPathsError)
 			}

 			for _, pattern := range testCaseCopy.includePattern {
-				argoCDServiceMock.
-					On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
+				argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, pattern, mock.Anything, mock.Anything).
 					Return(testCaseCopy.includeFiles, testCaseCopy.repoPathsError)
 			}

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -1958,8 +1981,6 @@ func TestGitGeneratorParamsFromFilesWithExcludeOptionGoTemplate(t *testing.T) {
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@ -2279,11 +2300,11 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()

-			argoCDServiceMock := mocks.Repos{}
-			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := mocks.NewRepos(t)
+			argoCDServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)

-			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
+			gitGenerator := NewGitGenerator(argoCDServiceMock, "")
 			applicationSetInfo := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -2315,8 +2336,6 @@ cluster:
 				require.NoError(t, err)
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
-
-			argoCDServiceMock.AssertExpectations(t)
 		})
 	}
 }
@ -2443,7 +2462,7 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 				},
 			},
 			expected:        []map[string]any{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
-			expectedProject: ptr.To("project"),
+			expectedProject: new("project"),
 			expectedError:   nil,
 		},
 		{
@ -2477,12 +2496,12 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 				},
 			},
 			expected:        []map[string]any{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
-			expectedProject: ptr.To(""),
+			expectedProject: new(""),
 			expectedError:   nil,
 		},
 	}
 	for _, testCase := range cases {
-		argoCDServiceMock := mocks.Repos{}
+		argoCDServiceMock := mocks.NewRepos(t)

 		if testCase.callGetDirectories {
 			var project any
@ -2492,9 +2511,9 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 				project = mock.Anything
 			}

-			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, project, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
+			argoCDServiceMock.EXPECT().GetDirectories(mock.Anything, mock.Anything, mock.Anything, project, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
 		}
-		gitGenerator := NewGitGenerator(&argoCDServiceMock, "argocd")
+		gitGenerator := NewGitGenerator(argoCDServiceMock, "argocd")

 		scheme := runtime.NewScheme()
 		err := v1alpha1.AddToScheme(scheme)
@ -2510,7 +2529,5 @@ func TestGitGenerator_GenerateParams(t *testing.T) {
 			require.NoError(t, err)
 			assert.Equal(t, testCase.expected, got)
 		}
-
-		argoCDServiceMock.AssertExpectations(t)
 	}
 }
--- a/applicationset/generators/matrix_test.go
+++ b/applicationset/generators/matrix_test.go
@ -8,16 +8,15 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	kubefake "k8s.io/client-go/kubernetes/fake"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"

-	"github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

+	generatorsMock "github.com/argoproj/argo-cd/v3/applicationset/generators/mocks"
+	servicesMocks "github.com/argoproj/argo-cd/v3/applicationset/services/mocks"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

@ -136,7 +135,7 @@ func TestMatrixGenerate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -149,7 +148,7 @@ func TestMatrixGenerate(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path":                    "app1",
 						"path.basename":           "app1",
@ -162,7 +161,7 @@ func TestMatrixGenerate(t *testing.T) {
 					},
 				}, nil)

-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@ -343,7 +342,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -358,7 +357,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path": map[string]string{
 							"path":               "app1",
@ -375,7 +374,7 @@ func TestMatrixGenerateGoTemplate(t *testing.T) {
 					},
 				}, nil)

-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@ -507,7 +506,7 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			mock := &generatorMock{}
+			mock := &generatorsMock.Generator{}

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := v1alpha1.ApplicationSetGenerator{
@ -517,7 +516,7 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 					SCMProvider:             g.SCMProvider,
 					ClusterDecisionResource: g.ClusterDecisionResource,
 				}
-				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
+				mock.EXPECT().GetRequeueAfter(&gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter)
 			}

 			matrixGenerator := NewMatrixGenerator(
@ -624,33 +623,27 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 			Type: corev1.SecretType("Opaque"),
 		},
 	}
-	// convert []client.Object to []runtime.Object, for use by kubefake package
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}

 	for _, testCase := range testCases {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{}

-			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
 			cl := &possiblyErroringFakeCtrlRuntimeClient{
 				fakeClient,
 				testCase.clientError,
 			}
-			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, "namespace")

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := v1alpha1.ApplicationSetGenerator{
 					Git:      g.Git,
 					Clusters: g.Clusters,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path":                    "examples/git-generator-files-discovery/cluster-config/dev/config.json",
 						"path.basename":           "dev",
@ -662,7 +655,7 @@ func TestInterpolatedMatrixGenerate(t *testing.T) {
 						"path.basenameNormalized": "prod",
 					},
 				}, nil)
-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}
 			matrixGenerator := NewMatrixGenerator(
@ -803,37 +796,31 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 			Type: corev1.SecretType("Opaque"),
 		},
 	}
-	// convert []client.Object to []runtime.Object, for use by kubefake package
-	runtimeClusters := []runtime.Object{}
-	for _, clientCluster := range clusters {
-		runtimeClusters = append(runtimeClusters, clientCluster)
-	}

 	for _, testCase := range testCases {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{
 				Spec: v1alpha1.ApplicationSetSpec{
 					GoTemplate: true,
 				},
 			}

-			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
 			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
 			cl := &possiblyErroringFakeCtrlRuntimeClient{
 				fakeClient,
 				testCase.clientError,
 			}
-			clusterGenerator := NewClusterGenerator(t.Context(), cl, appClientset, "namespace")
+			clusterGenerator := NewClusterGenerator(cl, "namespace")

 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := v1alpha1.ApplicationSetGenerator{
 					Git:      g.Git,
 					Clusters: g.Clusters,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{
 					{
 						"path": map[string]string{
 							"path":               "examples/git-generator-files-discovery/cluster-config/dev/config.json",
@ -849,7 +836,7 @@ func TestInterpolatedMatrixGenerateGoTemplate(t *testing.T) {
 						},
 					},
 				}, nil)
-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}
 			matrixGenerator := NewMatrixGenerator(
@ -969,7 +956,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 		testCaseCopy := testCase // Since tests may run in parallel

 		t.Run(testCaseCopy.name, func(t *testing.T) {
-			genMock := &generatorMock{}
+			genMock := &generatorsMock.Generator{}
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@ -984,7 +971,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 					Git:  g.Git,
 					List: g.List,
 				}
-				genMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet).Return([]map[string]any{{
+				genMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), appSet, mock.Anything).Return([]map[string]any{{
 					"foo": map[string]any{
 						"bar": []any{
 							map[string]any{
@ -1009,7 +996,7 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 						},
 					},
 				}}, nil)
-				genMock.On("GetTemplate", &gitGeneratorSpec).
+				genMock.EXPECT().GetTemplate(&gitGeneratorSpec).
 					Return(&v1alpha1.ApplicationSetTemplate{})
 			}

@ -1037,28 +1024,6 @@ func TestMatrixGenerateListElementsYaml(t *testing.T) {
 	}
 }

-type generatorMock struct {
-	mock.Mock
-}
-
-func (g *generatorMock) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate {
-	args := g.Called(appSetGenerator)
-
-	return args.Get(0).(*v1alpha1.ApplicationSetTemplate)
-}
-
-func (g *generatorMock) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, appSet *v1alpha1.ApplicationSet, _ client.Client) ([]map[string]any, error) {
-	args := g.Called(appSetGenerator, appSet)
-
-	return args.Get(0).([]map[string]any), args.Error(1)
-}
-
-func (g *generatorMock) GetRequeueAfter(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration {
-	args := g.Called(appSetGenerator)
-
-	return args.Get(0).(time.Duration)
-}
-
 func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	// Given a matrix generator over a list generator and a git files generator, the nested git files generator should
 	// be treated as a files generator, and it should produce parameters.
@ -1072,11 +1037,11 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	// Now instead of checking for nil, we check whether the field is a non-empty slice. This test prevents a regression
 	// of that bug.

-	listGeneratorMock := &generatorMock{}
-	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]any{
+	listGeneratorMock := &generatorsMock.Generator{}
+	listGeneratorMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]any{
 		{"some": "value"},
 	}, nil)
-	listGeneratorMock.On("GetTemplate", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&v1alpha1.ApplicationSetTemplate{})
+	listGeneratorMock.EXPECT().GetTemplate(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&v1alpha1.ApplicationSetTemplate{})

 	gitGeneratorSpec := &v1alpha1.GitGenerator{
 		RepoURL: "https://git.example.com",
@ -1085,10 +1050,10 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 		},
 	}

-	repoServiceMock := &mocks.Repos{}
-	repoServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
+	repoServiceMock := &servicesMocks.Repos{}
+	repoServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
 		"some/path.json": []byte("test: content"),
-	}, nil)
+	}, nil).Maybe()
 	gitGenerator := NewGitGenerator(repoServiceMock, "")

 	matrixGenerator := NewMatrixGenerator(map[string]Generator{
@ -1135,3 +1100,85 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 		"test":                    "content",
 	}}, params)
 }
+
+func TestGitGenerator_GenerateParams_list_x_git_matrix_generator_go_templates_values(t *testing.T) {
+	// Given a matrix generator over a list generator and a git  generator with values,
+	// that contain a template that refers to got generator output parameters.
+	// This tests for a specific bug where the second generator in the matrix
+	// failed to evaluate value templates that referred to generator output parameters.
+
+	listGeneratorMock := &generatorsMock.Generator{}
+	listGeneratorMock.EXPECT().GenerateParams(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).Return([]map[string]any{
+		{"some": "value"},
+	}, nil)
+	listGeneratorMock.EXPECT().GetTemplate(mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&v1alpha1.ApplicationSetTemplate{})
+
+	gitGeneratorSpec := &v1alpha1.GitGenerator{
+		RepoURL: "https://git.example.com",
+		Files: []v1alpha1.GitFileGeneratorItem{
+			{Path: "some/path.json"},
+		},
+		Values: map[string]string{
+			"foo": "{{.path.basename}}",
+		},
+	}
+
+	repoServiceMock := &servicesMocks.Repos{}
+	repoServiceMock.EXPECT().GetFiles(mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
+		"some/path.json": []byte("test: content"),
+	}, nil).Maybe()
+	gitGenerator := NewGitGenerator(repoServiceMock, "")
+
+	matrixGenerator := NewMatrixGenerator(map[string]Generator{
+		"List": listGeneratorMock,
+		"Git":  gitGenerator,
+	})
+
+	matrixGeneratorSpec := &v1alpha1.MatrixGenerator{
+		Generators: []v1alpha1.ApplicationSetNestedGenerator{
+			{
+				List: &v1alpha1.ListGenerator{
+					Elements: []apiextensionsv1.JSON{
+						{
+							Raw: []byte(`{"some": "value"}`),
+						},
+					},
+				},
+			},
+			{
+				Git: gitGeneratorSpec,
+			},
+		},
+	}
+
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+	appProject := v1alpha1.AppProject{}
+
+	client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+	params, err := matrixGenerator.GenerateParams(&v1alpha1.ApplicationSetGenerator{
+		Matrix: matrixGeneratorSpec,
+	}, &v1alpha1.ApplicationSet{
+		Spec: v1alpha1.ApplicationSetSpec{
+			GoTemplate: true,
+		},
+	}, client)
+	require.NoError(t, err)
+	assert.Equal(t, []map[string]any{{
+		"path": map[string]any{
+			"basename":           "some",
+			"basenameNormalized": "some",
+			"filename":           "path.json",
+			"filenameNormalized": "path.json",
+			"path":               "some",
+			"segments":           []string{"some"},
+		},
+		"some": "value",
+		"test": "content",
+		"values": map[string]string{
+			"foo": "some",
+		},
+	}}, params)
+}
--- a/applicationset/generators/plugin.go
+++ b/applicationset/generators/plugin.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"strconv"
 	"strings"
 	"time"
@ -115,9 +116,7 @@ func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.App
 		params := map[string]any{}

 		if useGoTemplate {
-			for k, v := range objectFound {
-				params[k] = v
-			}
+			maps.Copy(params, objectFound)
 		} else {
 			flat, err := flatten.Flatten(objectFound, "", flatten.DotStyle)
 			if err != nil {
--- a/applicationset/generators/pull_request.go
+++ b/applicationset/generators/pull_request.go
@ -96,18 +96,12 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	var shortSHALength int
 	var shortSHALength7 int
 	for _, pull := range pulls {
-		shortSHALength = 8
-		if len(pull.HeadSHA) < 8 {
-			shortSHALength = len(pull.HeadSHA)
-		}
+		shortSHALength = min(len(pull.HeadSHA), 8)

-		shortSHALength7 = 7
-		if len(pull.HeadSHA) < 7 {
-			shortSHALength7 = len(pull.HeadSHA)
-		}
+		shortSHALength7 = min(len(pull.HeadSHA), 7)

 		paramMap := map[string]any{
-			"number":             strconv.Itoa(pull.Number),
+			"number":             strconv.FormatInt(pull.Number, 10),
 			"title":              pull.Title,
 			"branch":             pull.Branch,
 			"branch_slug":        slug.Make(pull.Branch),
@ -243,9 +237,9 @@ func (g *PullRequestGenerator) github(ctx context.Context, cfg *argoprojiov1alph
 		}

 		if g.enableGitHubAPIMetrics {
-			return pullrequest.NewGithubAppService(*auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels, httpClient)
+			return pullrequest.NewGithubAppService(ctx, *auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels, httpClient)
 		}
-		return pullrequest.NewGithubAppService(*auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
+		return pullrequest.NewGithubAppService(ctx, *auth, cfg.API, cfg.Owner, cfg.Repo, cfg.Labels)
 	}

 	// always default to token, even if not set (public access)
--- a/applicationset/generators/scm_provider.go
+++ b/applicationset/generators/scm_provider.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"time"

@ -105,10 +106,8 @@ func ScmProviderAllowed(applicationSetInfo *argoprojiov1alpha1.ApplicationSet, g
 		return nil
 	}

-	for _, allowedScmProvider := range allowedScmProviders {
-		if url == allowedScmProvider {
-			return nil
-		}
+	if slices.Contains(allowedScmProviders, url) {
+		return nil
 	}

 	log.WithFields(log.Fields{
@ -165,7 +164,7 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Gitlab token: %w", err)
 		}
-		provider, err = scm_provider.NewGitlabProvider(providerConfig.Group, token, providerConfig.API, providerConfig.AllBranches, providerConfig.IncludeSubgroups, providerConfig.WillIncludeSharedProjects(), providerConfig.Insecure, g.scmRootCAPath, providerConfig.Topic, caCerts)
+		provider, err = scm_provider.NewGitlabProvider(providerConfig.Group, token, providerConfig.API, providerConfig.AllBranches, providerConfig.IncludeSubgroups, providerConfig.WillIncludeSharedProjects(), providerConfig.IncludeArchivedRepos, providerConfig.Insecure, g.scmRootCAPath, providerConfig.Topic, caCerts)
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Gitlab service: %w", err)
 		}
@ -174,7 +173,7 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Gitea token: %w", err)
 		}
-		provider, err = scm_provider.NewGiteaProvider(providerConfig.Gitea.Owner, token, providerConfig.Gitea.API, providerConfig.Gitea.AllBranches, providerConfig.Gitea.Insecure)
+		provider, err = scm_provider.NewGiteaProvider(providerConfig.Gitea.Owner, token, providerConfig.Gitea.API, providerConfig.Gitea.AllBranches, providerConfig.Gitea.Insecure, providerConfig.Gitea.ExcludeArchivedRepos)
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Gitea service: %w", err)
 		}
@ -244,15 +243,9 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 	var shortSHALength int
 	var shortSHALength7 int
 	for _, repo := range repos {
-		shortSHALength = 8
-		if len(repo.SHA) < 8 {
-			shortSHALength = len(repo.SHA)
-		}
+		shortSHALength = min(len(repo.SHA), 8)

-		shortSHALength7 = 7
-		if len(repo.SHA) < 7 {
-			shortSHALength7 = len(repo.SHA)
-		}
+		shortSHALength7 = min(len(repo.SHA), 7)

 		params := map[string]any{
 			"organization":     repo.Organization,
@ -296,9 +289,9 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 		}

 		if g.enableGitHubAPIMetrics {
-			return scm_provider.NewGithubAppProviderFor(*auth, github.Organization, github.API, github.AllBranches, httpClient)
+			return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches, github.ExcludeArchivedRepos, httpClient)
 		}
-		return scm_provider.NewGithubAppProviderFor(*auth, github.Organization, github.API, github.AllBranches)
+		return scm_provider.NewGithubAppProviderFor(ctx, *auth, github.Organization, github.API, github.AllBranches, github.ExcludeArchivedRepos)
 	}

 	token, err := utils.GetSecretRef(ctx, g.client, github.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
@ -307,7 +300,7 @@ func (g *SCMProviderGenerator) githubProvider(ctx context.Context, github *argop
 	}

 	if g.enableGitHubAPIMetrics {
-		return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches, httpClient)
+		return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches, github.ExcludeArchivedRepos, httpClient)
 	}
-	return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches)
+	return scm_provider.NewGithubProvider(github.Organization, token, github.API, github.AllBranches, github.ExcludeArchivedRepos)
 }
--- a/applicationset/generators/utils.go
+++ b/applicationset/generators/utils.go
@ -8,15 +8,16 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/argoproj/argo-cd/v3/applicationset/services"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

-func GetGenerators(ctx context.Context, c client.Client, k8sClient kubernetes.Interface, controllerNamespace string, argoCDService services.Repos, dynamicClient dynamic.Interface, scmConfig SCMConfig) map[string]Generator {
+func GetGenerators(ctx context.Context, c client.Client, k8sClient kubernetes.Interface, controllerNamespace string, argoCDService services.Repos, dynamicClient dynamic.Interface, scmConfig SCMConfig, clusterInformer *settings.ClusterInformer) map[string]Generator {
 	terminalGenerators := map[string]Generator{
 		"List":                    NewListGenerator(),
-		"Clusters":                NewClusterGenerator(ctx, c, k8sClient, controllerNamespace),
+		"Clusters":                NewClusterGenerator(c, controllerNamespace),
 		"Git":                     NewGitGenerator(argoCDService, controllerNamespace),
 		"SCMProvider":             NewSCMProviderGenerator(c, scmConfig),
-		"ClusterDecisionResource": NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, controllerNamespace),
+		"ClusterDecisionResource": NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, controllerNamespace, clusterInformer),
 		"PullRequest":             NewPullRequestGenerator(c, scmConfig),
 		"Plugin":                  NewPluginGenerator(c, controllerNamespace),
 	}
--- a/applicationset/generators/value_interpolation.go
+++ b/applicationset/generators/value_interpolation.go
@ -2,6 +2,7 @@ package generators

 import (
 	"fmt"
+	"maps"
 )

 func appendTemplatedValues(values map[string]string, params map[string]any, useGoTemplate bool, goTemplateOptions []string) error {
@ -26,9 +27,7 @@ func appendTemplatedValues(values map[string]string, params map[string]any, useG
 		}
 	}

-	for key, value := range tmp {
-		params[key] = value
-	}
+	maps.Copy(params, tmp)

 	return nil
 }
--- a/applicationset/metrics/metrics_test.go
+++ b/applicationset/metrics/metrics_test.go
@ -151,9 +151,9 @@ spec:
 func newFakeAppsets(fakeAppsetYAML string) []argoappv1.ApplicationSet {
 	var results []argoappv1.ApplicationSet

-	appsetRawYamls := strings.Split(fakeAppsetYAML, "---")
+	appsetRawYamls := strings.SplitSeq(fakeAppsetYAML, "---")

-	for _, appsetRawYaml := range appsetRawYamls {
+	for appsetRawYaml := range appsetRawYamls {
 		var appset argoappv1.ApplicationSet
 		err := yaml.Unmarshal([]byte(appsetRawYaml), &appset)
 		if err != nil {
@ -174,7 +174,7 @@ func TestApplicationsetCollector(t *testing.T) {
 	appsetCollector := newAppsetCollector(utils.NewAppsetLister(client), collectedLabels, filter)

 	metrics.Registry.MustRegister(appsetCollector)
-	req, err := http.NewRequest(http.MethodGet, "/metrics", http.NoBody)
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/metrics", http.NoBody)
 	require.NoError(t, err)
 	rr := httptest.NewRecorder()
 	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
@ -216,7 +216,7 @@ func TestObserveReconcile(t *testing.T) {

 	appsetMetrics := NewApplicationsetMetrics(utils.NewAppsetLister(client), collectedLabels, filter)

-	req, err := http.NewRequest(http.MethodGet, "/metrics", http.NoBody)
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "/metrics", http.NoBody)
 	require.NoError(t, err)
 	rr := httptest.NewRecorder()
 	handler := promhttp.HandlerFor(metrics.Registry, promhttp.HandlerOpts{})
--- a/applicationset/services/github_metrics_test.go
+++ b/applicationset/services/github_metrics_test.go
@ -97,7 +97,9 @@ func TestGitHubMetrics_CollectorApproach_Success(t *testing.T) {
 		),
 	}

-	req, _ := http.NewRequest(http.MethodGet, ts.URL+URL, http.NoBody)
+	ctx := t.Context()
+
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, ts.URL+URL, http.NoBody)
 	resp, err := client.Do(req)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@ -109,7 +111,11 @@ func TestGitHubMetrics_CollectorApproach_Success(t *testing.T) {
 	server := httptest.NewServer(handler)
 	defer server.Close()

-	resp, err = http.Get(server.URL)
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, server.URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	resp, err = http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("failed to scrape metrics: %v", err)
 	}
@ -151,15 +157,23 @@ func TestGitHubMetrics_CollectorApproach_NoRateLimitMetricsOnNilResponse(t *test
 			metrics:        metrics,
 		},
 	}
+	ctx := t.Context()

-	req, _ := http.NewRequest(http.MethodGet, URL, http.NoBody)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
 	_, _ = client.Do(req)

 	handler := promhttp.HandlerFor(reg, promhttp.HandlerOpts{})
 	server := httptest.NewServer(handler)
 	defer server.Close()

-	resp, err := http.Get(server.URL)
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, server.URL, http.NoBody)
+	if err != nil {
+		t.Fatalf("failed to create request: %v", err)
+	}
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("failed to scrape metrics: %v", err)
 	}
--- a/applicationset/services/internal/github_app/client.go
+++ b/applicationset/services/internal/github_app/client.go
@ -1,6 +1,8 @@
 package github_app

 import (
+	"context"
+	"errors"
 	"fmt"
 	"net/http"

@ -8,40 +10,65 @@ import (
 	"github.com/google/go-github/v69/github"

 	"github.com/argoproj/argo-cd/v3/applicationset/services/github_app_auth"
-	appsetutils "github.com/argoproj/argo-cd/v3/applicationset/utils"
+	"github.com/argoproj/argo-cd/v3/util/git"
 )

-func getOptionalHTTPClientAndTransport(optionalHTTPClient ...*http.Client) (*http.Client, http.RoundTripper) {
-	httpClient := appsetutils.GetOptionalHTTPClient(optionalHTTPClient...)
-	if len(optionalHTTPClient) > 0 && optionalHTTPClient[0] != nil && optionalHTTPClient[0].Transport != nil {
-		// will either use the provided custom httpClient and it's transport
-		return httpClient, optionalHTTPClient[0].Transport
+// getInstallationClient creates a new GitHub client with the specified installation ID.
+// It also returns a ghinstallation.Transport, which can be used for git requests.
+func getInstallationClient(g github_app_auth.Authentication, url string, httpClient ...*http.Client) (*github.Client, error) {
+	if g.InstallationId <= 0 {
+		return nil, errors.New("installation ID is required for github")
 	}
-	// or the default httpClient and transport
-	return httpClient, http.DefaultTransport
-}

-// Client builds a github client for the given app authentication.
-func Client(g github_app_auth.Authentication, url string, optionalHTTPClient ...*http.Client) (*github.Client, error) {
-	httpClient, transport := getOptionalHTTPClientAndTransport(optionalHTTPClient...)
+	// Use provided HTTP client's transport or default
+	var transport http.RoundTripper
+	if len(httpClient) > 0 && httpClient[0] != nil && httpClient[0].Transport != nil {
+		transport = httpClient[0].Transport
+	} else {
+		transport = http.DefaultTransport
+	}

-	rt, err := ghinstallation.New(transport, g.Id, g.InstallationId, []byte(g.PrivateKey))
+	itr, err := ghinstallation.New(transport, g.Id, g.InstallationId, []byte(g.PrivateKey))
 	if err != nil {
-		return nil, fmt.Errorf("failed to create github app install: %w", err)
+		return nil, fmt.Errorf("failed to create GitHub installation transport: %w", err)
 	}
+
 	if url == "" {
 		url = g.EnterpriseBaseURL
 	}
+
 	var client *github.Client
-	httpClient.Transport = rt
 	if url == "" {
-		client = github.NewClient(httpClient)
-	} else {
-		rt.BaseURL = url
-		client, err = github.NewClient(httpClient).WithEnterpriseURLs(url, url)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create github enterprise client: %w", err)
-		}
+		client = github.NewClient(&http.Client{Transport: itr})
+		return client, nil
+	}
+
+	itr.BaseURL = url
+	client, err = github.NewClient(&http.Client{Transport: itr}).WithEnterpriseURLs(url, url)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create GitHub enterprise client: %w", err)
 	}
 	return client, nil
 }
+
+// Client builds a github client for the given app authentication.
+func Client(ctx context.Context, g github_app_auth.Authentication, url, org string, optionalHTTPClient ...*http.Client) (*github.Client, error) {
+	if url == "" {
+		url = g.EnterpriseBaseURL
+	}
+
+	// If an installation ID is already provided, use it directly.
+	if g.InstallationId != 0 {
+		return getInstallationClient(g, url, optionalHTTPClient...)
+	}
+
+	// Auto-discover installation ID using shared utility
+	// Pass optional HTTP client for metrics tracking
+	installationId, err := git.DiscoverGitHubAppInstallationID(ctx, g.Id, g.PrivateKey, url, org, optionalHTTPClient...)
+	if err != nil {
+		return nil, err
+	}
+
+	g.InstallationId = installationId
+	return getInstallationClient(g, url, optionalHTTPClient...)
+}
--- a/applicationset/services/pull_request/azure_devops.go
+++ b/applicationset/services/pull_request/azure_devops.go
@ -3,6 +3,7 @@ package pull_request
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"

 	"github.com/microsoft/azure-devops-go-api/azuredevops/v7"
@ -107,7 +108,7 @@ func (a *AzureDevOpsService) List(ctx context.Context) ([]*PullRequest, error) {

 		if *pr.Repository.Name == a.repo {
 			pullRequests = append(pullRequests, &PullRequest{
-				Number:       *pr.PullRequestId,
+				Number:       int64(*pr.PullRequestId),
 				Title:        *pr.Title,
 				Branch:       strings.Replace(*pr.SourceRefName, "refs/heads/", "", 1),
 				TargetBranch: strings.Replace(*pr.TargetRefName, "refs/heads/", "", 1),
@ -136,13 +137,7 @@ func convertLabels(tags *[]core.WebApiTagDefinition) []string {
 // containAzureDevOpsLabels returns true if gotLabels contains expectedLabels
 func containAzureDevOpsLabels(expectedLabels []string, gotLabels []string) bool {
 	for _, expected := range expectedLabels {
-		found := false
-		for _, got := range gotLabels {
-			if expected == got {
-				found = true
-				break
-			}
-		}
+		found := slices.Contains(gotLabels, expected)
 		if !found {
 			return false
 		}
--- a/applicationset/services/pull_request/azure_devops_test.go
+++ b/applicationset/services/pull_request/azure_devops_test.go
@ -1,7 +1,6 @@
 package pull_request

 import (
-	"context"
 	"errors"
 	"testing"

@ -13,51 +12,9 @@ import (
 	"github.com/stretchr/testify/require"

 	azureMock "github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/azure_devops/git/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 )

-func createBoolPtr(x bool) *bool {
-	return &x
-}
-
-func createStringPtr(x string) *string {
-	return &x
-}
-
-func createIntPtr(x int) *int {
-	return &x
-}
-
-func createLabelsPtr(x []core.WebApiTagDefinition) *[]core.WebApiTagDefinition {
-	return &x
-}
-
-func createUniqueNamePtr(x string) *string {
-	return &x
-}
-
-type AzureClientFactoryMock struct {
-	mock *mock.Mock
-}
-
-func (m *AzureClientFactoryMock) GetClient(ctx context.Context) (git.Client, error) {
-	args := m.mock.Called(ctx)
-
-	var client git.Client
-	c := args.Get(0)
-	if c != nil {
-		client = c.(git.Client)
-	}
-
-	var err error
-	if len(args) > 1 {
-		if e, ok := args.Get(1).(error); ok {
-			err = e
-		}
-	}
-
-	return client, err
-}
-
 func TestListPullRequest(t *testing.T) {
 	teamProject := "myorg_project"
 	repoName := "myorg_project_repo"
@ -69,19 +26,19 @@ func TestListPullRequest(t *testing.T) {

 	pullRequestMock := []git.GitPullRequest{
 		{
-			PullRequestId: createIntPtr(prID),
-			Title:         createStringPtr(prTitle),
-			SourceRefName: createStringPtr("refs/heads/feature-branch"),
-			TargetRefName: createStringPtr("refs/heads/main"),
+			PullRequestId: new(prID),
+			Title:         new(prTitle),
+			SourceRefName: new("refs/heads/feature-branch"),
+			TargetRefName: new("refs/heads/main"),
 			LastMergeSourceCommit: &git.GitCommitRef{
-				CommitId: createStringPtr(prHeadSha),
+				CommitId: new(prHeadSha),
 			},
 			Labels: &[]core.WebApiTagDefinition{},
 			Repository: &git.GitRepository{
-				Name: createStringPtr(repoName),
+				Name: new(repoName),
 			},
 			CreatedBy: &webapi.IdentityRef{
-				UniqueName: createUniqueNamePtr(uniqueName + "@example.com"),
+				UniqueName: new(uniqueName + "@example.com"),
 			},
 		},
 	}
@ -91,10 +48,10 @@ func TestListPullRequest(t *testing.T) {
 		SearchCriteria: &git.GitPullRequestSearchCriteria{},
 	}

-	gitClientMock := azureMock.Client{}
-	clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-	clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
-	gitClientMock.On("GetPullRequestsByProject", ctx, args).Return(&pullRequestMock, nil)
+	gitClientMock := &azureMock.Client{}
+	clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+	clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)
+	gitClientMock.EXPECT().GetPullRequestsByProject(mock.Anything, args).Return(&pullRequestMock, nil)

 	provider := AzureDevOpsService{
 		clientFactory: clientFactoryMock,
@ -110,7 +67,7 @@ func TestListPullRequest(t *testing.T) {
 	assert.Equal(t, "main", list[0].TargetBranch)
 	assert.Equal(t, prHeadSha, list[0].HeadSHA)
 	assert.Equal(t, "feat(123)", list[0].Title)
-	assert.Equal(t, prID, list[0].Number)
+	assert.Equal(t, int64(prID), list[0].Number)
 	assert.Equal(t, uniqueName, list[0].Author)
 }

@ -122,27 +79,27 @@ func TestConvertLabes(t *testing.T) {
 	}{
 		{
 			name:           "empty labels",
-			gotLabels:      createLabelsPtr([]core.WebApiTagDefinition{}),
+			gotLabels:      &[]core.WebApiTagDefinition{},
 			expectedLabels: []string{},
 		},
 		{
 			name:           "nil labels",
-			gotLabels:      createLabelsPtr(nil),
+			gotLabels:      nil,
 			expectedLabels: []string{},
 		},
 		{
 			name: "one label",
-			gotLabels: createLabelsPtr([]core.WebApiTagDefinition{
-				{Name: createStringPtr("label1"), Active: createBoolPtr(true)},
-			}),
+			gotLabels: &[]core.WebApiTagDefinition{
+				{Name: new("label1"), Active: new(true)},
+			},
 			expectedLabels: []string{"label1"},
 		},
 		{
 			name: "two label",
-			gotLabels: createLabelsPtr([]core.WebApiTagDefinition{
-				{Name: createStringPtr("label1"), Active: createBoolPtr(true)},
-				{Name: createStringPtr("label2"), Active: createBoolPtr(true)},
-			}),
+			gotLabels: &[]core.WebApiTagDefinition{
+				{Name: new("label1"), Active: new(true)},
+				{Name: new("label2"), Active: new(true)},
+			},
 			expectedLabels: []string{"label1", "label2"},
 		},
 	}
@ -239,18 +196,18 @@ func TestBuildURL(t *testing.T) {

 func TestAzureDevOpsListReturnsRepositoryNotFoundError(t *testing.T) {
 	args := git.GetPullRequestsByProjectArgs{
-		Project:        createStringPtr("nonexistent"),
+		Project:        new("nonexistent"),
 		SearchCriteria: &git.GitPullRequestSearchCriteria{},
 	}

 	pullRequestMock := []git.GitPullRequest{}

-	gitClientMock := azureMock.Client{}
-	clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-	clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
+	gitClientMock := &azureMock.Client{}
+	clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+	clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

 	// Mock the GetPullRequestsByProject to return an error containing "404"
-	gitClientMock.On("GetPullRequestsByProject", t.Context(), args).Return(&pullRequestMock,
+	gitClientMock.EXPECT().GetPullRequestsByProject(mock.Anything, args).Return(&pullRequestMock,
 		errors.New("The following project does not exist:"))

 	provider := AzureDevOpsService{
--- a/applicationset/services/pull_request/bitbucket_cloud.go
+++ b/applicationset/services/pull_request/bitbucket_cloud.go
@ -81,7 +81,10 @@ func NewBitbucketCloudServiceBasicAuth(baseURL, username, password, owner, repos
 		return nil, fmt.Errorf("error parsing base url of %s for %s/%s: %w", baseURL, owner, repositorySlug, err)
 	}

-	bitbucketClient := bitbucket.NewBasicAuth(username, password)
+	bitbucketClient, err := bitbucket.NewBasicAuth(username, password)
+	if err != nil {
+		return nil, fmt.Errorf("error creating BitBucket Cloud client with basic auth: %w", err)
+	}
 	bitbucketClient.SetApiBaseURL(*url)

 	return &BitbucketCloudService{
@ -97,14 +100,13 @@ func NewBitbucketCloudServiceBearerToken(baseURL, bearerToken, owner, repository
 		return nil, fmt.Errorf("error parsing base url of %s for %s/%s: %w", baseURL, owner, repositorySlug, err)
 	}

-	bitbucketClient := bitbucket.NewOAuthbearerToken(bearerToken)
+	bitbucketClient, err := bitbucket.NewOAuthbearerToken(bearerToken)
+	if err != nil {
+		return nil, fmt.Errorf("error creating BitBucket Cloud client with oauth bearer token: %w", err)
+	}
 	bitbucketClient.SetApiBaseURL(*url)

-	return &BitbucketCloudService{
-		client:         bitbucketClient,
-		owner:          owner,
-		repositorySlug: repositorySlug,
-	}, nil
+	return &BitbucketCloudService{client: bitbucketClient, owner: owner, repositorySlug: repositorySlug}, nil
 }

 func NewBitbucketCloudServiceNoAuth(baseURL, owner, repositorySlug string) (PullRequestService, error) {
@ -154,7 +156,7 @@ func (b *BitbucketCloudService) List(_ context.Context) ([]*PullRequest, error)

 	for _, pull := range pulls {
 		pullRequests = append(pullRequests, &PullRequest{
-			Number:       pull.ID,
+			Number:       int64(pull.ID),
 			Title:        pull.Title,
 			Branch:       pull.Source.Branch.Name,
 			TargetBranch: pull.Destination.Branch.Name,
--- a/applicationset/services/pull_request/bitbucket_cloud_test.go
+++ b/applicationset/services/pull_request/bitbucket_cloud_test.go
@ -89,7 +89,7 @@ func TestListPullRequestBearerTokenCloud(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, int64(101), pullRequests[0].Number)
 	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
@ -107,7 +107,7 @@ func TestListPullRequestNoAuthCloud(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, int64(101), pullRequests[0].Number)
 	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
@ -125,7 +125,7 @@ func TestListPullRequestBasicAuthCloud(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, int64(101), pullRequests[0].Number)
 	assert.Equal(t, "feat(foo-bar)", pullRequests[0].Title)
 	assert.Equal(t, "feature/foo-bar", pullRequests[0].Branch)
 	assert.Equal(t, "1a8dd249c04a", pullRequests[0].HeadSHA)
--- a/applicationset/services/pull_request/bitbucket_server.go
+++ b/applicationset/services/pull_request/bitbucket_server.go
@ -82,7 +82,7 @@ func (b *BitbucketService) List(_ context.Context) ([]*PullRequest, error) {

 		for _, pull := range pulls {
 			pullRequests = append(pullRequests, &PullRequest{
-				Number:       pull.ID,
+				Number:       int64(pull.ID),
 				Title:        pull.Title,
 				Branch:       pull.FromRef.DisplayID, // ID: refs/heads/main DisplayID: main
 				TargetBranch: pull.ToRef.DisplayID,
--- a/applicationset/services/pull_request/bitbucket_server_test.go
+++ b/applicationset/services/pull_request/bitbucket_server_test.go
@ -68,7 +68,7 @@ func TestListPullRequestNoAuth(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, int64(101), pullRequests[0].Number)
 	assert.Equal(t, "feat(ABC) : 123", pullRequests[0].Title)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "master", pullRequests[0].TargetBranch)
@ -211,7 +211,7 @@ func TestListPullRequestBasicAuth(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, int64(101), pullRequests[0].Number)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "cb3cf2e4d1517c83e720d2585b9402dbef71f992", pullRequests[0].HeadSHA)
 }
@ -228,7 +228,7 @@ func TestListPullRequestBearerAuth(t *testing.T) {
 	pullRequests, err := ListPullRequests(t.Context(), svc, []v1alpha1.PullRequestGeneratorFilter{})
 	require.NoError(t, err)
 	assert.Len(t, pullRequests, 1)
-	assert.Equal(t, 101, pullRequests[0].Number)
+	assert.Equal(t, int64(101), pullRequests[0].Number)
 	assert.Equal(t, "feat(ABC) : 123", pullRequests[0].Title)
 	assert.Equal(t, "feature-ABC-123", pullRequests[0].Branch)
 	assert.Equal(t, "cb3cf2e4d1517c83e720d2585b9402dbef71f992", pullRequests[0].HeadSHA)
@ -268,7 +268,6 @@ func TestListPullRequestTLS(t *testing.T) {
 	}

 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				defaultHandler(t)(w, r)
--- a/applicationset/services/pull_request/gitea.go
+++ b/applicationset/services/pull_request/gitea.go
@ -68,7 +68,7 @@ func (g *GiteaService) List(ctx context.Context) ([]*PullRequest, error) {
 			continue
 		}
 		list = append(list, &PullRequest{
-			Number:       int(pr.Index),
+			Number:       int64(pr.Index),
 			Title:        pr.Title,
 			Branch:       pr.Head.Ref,
 			TargetBranch: pr.Base.Ref,
@ -83,7 +83,7 @@ func (g *GiteaService) List(ctx context.Context) ([]*PullRequest, error) {
 // containLabels returns true if gotLabels contains expectedLabels
 func giteaContainLabels(expectedLabels []string, gotLabels []*gitea.Label) bool {
 	gotLabelNamesMap := make(map[string]bool)
-	for i := 0; i < len(gotLabels); i++ {
+	for i := range gotLabels {
 		gotLabelNamesMap[gotLabels[i].Name] = true
 	}
 	for _, expected := range expectedLabels {
--- a/applicationset/services/pull_request/gitea_test.go
+++ b/applicationset/services/pull_request/gitea_test.go
@ -303,7 +303,7 @@ func TestGiteaList(t *testing.T) {
 	prs, err := host.List(t.Context())
 	require.NoError(t, err)
 	assert.Len(t, prs, 1)
-	assert.Equal(t, 1, prs[0].Number)
+	assert.Equal(t, int64(1), prs[0].Number)
 	assert.Equal(t, "add an empty file", prs[0].Title)
 	assert.Equal(t, "test", prs[0].Branch)
 	assert.Equal(t, "main", prs[0].TargetBranch)
--- a/applicationset/services/pull_request/github.go
+++ b/applicationset/services/pull_request/github.go
@ -76,7 +76,7 @@ func (g *GithubService) List(ctx context.Context) ([]*PullRequest, error) {
 				continue
 			}
 			pullRequests = append(pullRequests, &PullRequest{
-				Number:       *pull.Number,
+				Number:       int64(*pull.Number),
 				Title:        *pull.Title,
 				Branch:       *pull.Head.Ref,
 				TargetBranch: *pull.Base.Ref,
--- a/applicationset/services/pull_request/github_app.go
+++ b/applicationset/services/pull_request/github_app.go
@ -1,6 +1,7 @@
 package pull_request

 import (
+	"context"
 	"net/http"

 	"github.com/argoproj/argo-cd/v3/applicationset/services/github_app_auth"
@ -8,9 +9,9 @@ import (
 	appsetutils "github.com/argoproj/argo-cd/v3/applicationset/utils"
 )

-func NewGithubAppService(g github_app_auth.Authentication, url, owner, repo string, labels []string, optionalHTTPClient ...*http.Client) (PullRequestService, error) {
+func NewGithubAppService(ctx context.Context, g github_app_auth.Authentication, url, owner, repo string, labels []string, optionalHTTPClient ...*http.Client) (PullRequestService, error) {
 	httpClient := appsetutils.GetOptionalHTTPClient(optionalHTTPClient...)
-	client, err := github_app.Client(g, url, httpClient)
+	client, err := github_app.Client(ctx, g, url, owner, httpClient)
 	if err != nil {
 		return nil, err
 	}
--- a/applicationset/services/pull_request/github_test.go
+++ b/applicationset/services/pull_request/github_test.go
@ -10,10 +10,6 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func toPtr(s string) *string {
-	return &s
-}
-
 func TestContainLabels(t *testing.T) {
 	cases := []struct {
 		Name       string
@ -25,9 +21,9 @@ func TestContainLabels(t *testing.T) {
 			Name:   "Match labels",
 			Labels: []string{"label1", "label2"},
 			PullLabels: []*github.Label{
-				{Name: toPtr("label1")},
-				{Name: toPtr("label2")},
-				{Name: toPtr("label3")},
+				{Name: new("label1")},
+				{Name: new("label2")},
+				{Name: new("label3")},
 			},
 			Expect: true,
 		},
@ -35,9 +31,9 @@ func TestContainLabels(t *testing.T) {
 			Name:   "Not match labels",
 			Labels: []string{"label1", "label4"},
 			PullLabels: []*github.Label{
-				{Name: toPtr("label1")},
-				{Name: toPtr("label2")},
-				{Name: toPtr("label3")},
+				{Name: new("label1")},
+				{Name: new("label2")},
+				{Name: new("label3")},
 			},
 			Expect: false,
 		},
@ -45,9 +41,9 @@ func TestContainLabels(t *testing.T) {
 			Name:   "No specify",
 			Labels: []string{},
 			PullLabels: []*github.Label{
-				{Name: toPtr("label1")},
-				{Name: toPtr("label2")},
-				{Name: toPtr("label3")},
+				{Name: new("label1")},
+				{Name: new("label2")},
+				{Name: new("label3")},
 			},
 			Expect: true,
 		},
@ -70,9 +66,9 @@ func TestGetGitHubPRLabelNames(t *testing.T) {
 		{
 			Name: "PR has labels",
 			PullLabels: []*github.Label{
-				{Name: toPtr("label1")},
-				{Name: toPtr("label2")},
-				{Name: toPtr("label3")},
+				{Name: new("label1")},
+				{Name: new("label2")},
+				{Name: new("label3")},
 			},
 			ExpectedResult: []string{"label1", "label2", "label3"},
 		},
--- a/applicationset/services/pull_request/gitlab.go
+++ b/applicationset/services/pull_request/gitlab.go
@ -61,11 +61,15 @@ func (g *GitLabService) List(ctx context.Context) ([]*PullRequest, error) {
 		var labelsList gitlab.LabelOptions = g.labels
 		labels = &labelsList
 	}
-	opts := &gitlab.ListProjectMergeRequestsOptions{
+
+	snippetsListOptions := gitlab.ExploreSnippetsOptions{
 		ListOptions: gitlab.ListOptions{
 			PerPage: 100,
 		},
-		Labels: labels,
+	}
+	opts := &gitlab.ListProjectMergeRequestsOptions{
+		ListOptions: snippetsListOptions.ListOptions,
+		Labels:      labels,
 	}

 	if g.pullRequestState != "" {
--- a/applicationset/services/pull_request/gitlab_test.go
+++ b/applicationset/services/pull_request/gitlab_test.go
@ -78,7 +78,7 @@ func TestList(t *testing.T) {
 	prs, err := svc.List(t.Context())
 	require.NoError(t, err)
 	assert.Len(t, prs, 1)
-	assert.Equal(t, 15442, prs[0].Number)
+	assert.Equal(t, int64(15442), prs[0].Number)
 	assert.Equal(t, "Draft: Use structured logging for DB load balancer", prs[0].Title)
 	assert.Equal(t, "use-structured-logging-for-db-load-balancer", prs[0].Branch)
 	assert.Equal(t, "master", prs[0].TargetBranch)
@ -158,7 +158,6 @@ func TestListWithStateTLS(t *testing.T) {
 	}

 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 				writeMRListResponse(t, w)
--- a/applicationset/services/pull_request/interface.go
+++ b/applicationset/services/pull_request/interface.go
@ -7,7 +7,8 @@ import (

 type PullRequest struct {
 	// Number is a number that will be the ID of the pull request.
-	Number int
+	// Gitlab uses int64 for the pull request number.
+	Number int64
 	// Title of the pull request.
 	Title string
 	// Branch is the name of the branch from which the pull request originated.
--- a/applicationset/services/pull_request/utils_test.go
+++ b/applicationset/services/pull_request/utils_test.go
@ -9,10 +9,6 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-func strp(s string) *string {
-	return &s
-}
-
 func TestFilterBranchMatchBadRegexp(t *testing.T) {
 	provider, _ := NewFakeService(
 		t.Context(),
@ -30,7 +26,7 @@ func TestFilterBranchMatchBadRegexp(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			BranchMatch: strp("("),
+			BranchMatch: new("("),
 		},
 	}
 	_, err := ListPullRequests(t.Context(), provider, filters)
@ -78,7 +74,7 @@ func TestFilterBranchMatch(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			BranchMatch: strp("w"),
+			BranchMatch: new("w"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -128,7 +124,7 @@ func TestFilterTargetBranchMatch(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			TargetBranchMatch: strp("1"),
+			TargetBranchMatch: new("1"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -178,7 +174,7 @@ func TestFilterTitleMatch(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			TitleMatch: strp("\\[filter]"),
+			TitleMatch: new("\\[filter]"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -228,10 +224,10 @@ func TestMultiFilterOrWithTitle(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			TitleMatch: strp("\\[filter]"),
+			TitleMatch: new("\\[filter]"),
 		},
 		{
-			TitleMatch: strp("- filter"),
+			TitleMatch: new("- filter"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -282,10 +278,10 @@ func TestMultiFilterOr(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			BranchMatch: strp("w"),
+			BranchMatch: new("w"),
 		},
 		{
-			BranchMatch: strp("r"),
+			BranchMatch: new("r"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
@ -345,19 +341,19 @@ func TestMultiFilterOrWithTargetBranchFilterOrWithTitleFilter(t *testing.T) {
 	)
 	filters := []argoprojiov1alpha1.PullRequestGeneratorFilter{
 		{
-			BranchMatch:       strp("w"),
-			TargetBranchMatch: strp("1"),
+			BranchMatch:       new("w"),
+			TargetBranchMatch: new("1"),
 		},
 		{
-			BranchMatch:       strp("r"),
-			TargetBranchMatch: strp("3"),
+			BranchMatch:       new("r"),
+			TargetBranchMatch: new("3"),
 		},
 		{
-			TitleMatch: strp("two"),
+			TitleMatch: new("two"),
 		},
 		{
-			BranchMatch: strp("five"),
-			TitleMatch:  strp("PR title is different than branch name"),
+			BranchMatch: new("five"),
+			TitleMatch:  new("PR title is different than branch name"),
 		},
 	}
 	pullRequests, err := ListPullRequests(t.Context(), provider, filters)
--- a/applicationset/services/scm_provider/aws_codecommit.go
+++ b/applicationset/services/scm_provider/aws_codecommit.go
@ -10,16 +10,19 @@ import (
 	"slices"
 	"strings"

-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/arn"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/codecommit"
-	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
+	rgsatypes "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+	"github.com/aws/aws-sdk-go-v2/service/codecommit"
+	codecommittypes "github.com/aws/aws-sdk-go-v2/service/codecommit/types"
+	"github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi"
 	log "github.com/sirupsen/logrus"

+	"github.com/aws/aws-sdk-go-v2/config"
+
 	application "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

@ -32,16 +35,16 @@ const (
 // AWSCodeCommitClient is a lean facade to the codecommitiface.CodeCommitAPI
 // it helps to reduce the mockery generated code.
 type AWSCodeCommitClient interface {
-	ListRepositoriesWithContext(aws.Context, *codecommit.ListRepositoriesInput, ...request.Option) (*codecommit.ListRepositoriesOutput, error)
-	GetRepositoryWithContext(aws.Context, *codecommit.GetRepositoryInput, ...request.Option) (*codecommit.GetRepositoryOutput, error)
-	ListBranchesWithContext(aws.Context, *codecommit.ListBranchesInput, ...request.Option) (*codecommit.ListBranchesOutput, error)
-	GetFolderWithContext(aws.Context, *codecommit.GetFolderInput, ...request.Option) (*codecommit.GetFolderOutput, error)
+	ListRepositories(context.Context, *codecommit.ListRepositoriesInput, ...func(*codecommit.Options)) (*codecommit.ListRepositoriesOutput, error)
+	GetRepository(context.Context, *codecommit.GetRepositoryInput, ...func(*codecommit.Options)) (*codecommit.GetRepositoryOutput, error)
+	ListBranches(context.Context, *codecommit.ListBranchesInput, ...func(*codecommit.Options)) (*codecommit.ListBranchesOutput, error)
+	GetFolder(context.Context, *codecommit.GetFolderInput, ...func(*codecommit.Options)) (*codecommit.GetFolderOutput, error)
 }

 // AWSTaggingClient is a lean facade to the resourcegroupstaggingapiiface.ResourceGroupsTaggingAPIAPI
 // it helps to reduce the mockery generated code.
 type AWSTaggingClient interface {
-	GetResourcesWithContext(aws.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error)
+	GetResources(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error)
 }

 type AWSCodeCommitProvider struct {
@ -73,7 +76,7 @@ func (p *AWSCodeCommitProvider) ListRepos(ctx context.Context, cloneProtocol str
 	}

 	for _, repoName := range repoNames {
-		repo, err := p.codeCommitClient.GetRepositoryWithContext(ctx, &codecommit.GetRepositoryInput{
+		repo, err := p.codeCommitClient.GetRepository(ctx, &codecommit.GetRepositoryInput{
 			RepositoryName: aws.String(repoName),
 		})
 		if err != nil {
@ -85,7 +88,7 @@ func (p *AWSCodeCommitProvider) ListRepos(ctx context.Context, cloneProtocol str
 			log.Warnf("codecommit returned invalid response for repository %s, skipped", repoName)
 			continue
 		}
-		if aws.StringValue(repo.RepositoryMetadata.DefaultBranch) == "" {
+		if aws.ToString(repo.RepositoryMetadata.DefaultBranch) == "" {
 			// if a codecommit repo doesn't have default branch, it's uninitialized. not going to bother with it.
 			log.Warnf("repository %s does not have default branch, skipped", repoName)
 			continue
@ -94,11 +97,11 @@ func (p *AWSCodeCommitProvider) ListRepos(ctx context.Context, cloneProtocol str
 		switch cloneProtocol {
 		// default to SSH if unspecified (i.e. if "").
 		case "", "ssh":
-			url = aws.StringValue(repo.RepositoryMetadata.CloneUrlSsh)
+			url = aws.ToString(repo.RepositoryMetadata.CloneUrlSsh)
 		case "https":
-			url = aws.StringValue(repo.RepositoryMetadata.CloneUrlHttp)
+			url = aws.ToString(repo.RepositoryMetadata.CloneUrlHttp)
 		case "https-fips":
-			url, err = getCodeCommitFIPSEndpoint(aws.StringValue(repo.RepositoryMetadata.CloneUrlHttp))
+			url, err = getCodeCommitFIPSEndpoint(aws.ToString(repo.RepositoryMetadata.CloneUrlHttp))
 			if err != nil {
 				return nil, fmt.Errorf("https-fips is provided but repoUrl can't be transformed to FIPS endpoint: %w", err)
 			}
@ -108,13 +111,13 @@ func (p *AWSCodeCommitProvider) ListRepos(ctx context.Context, cloneProtocol str
 		repos = append(repos, &Repository{
 			// there's no "organization" level at codecommit.
 			// we are just using AWS accountId for now.
-			Organization: aws.StringValue(repo.RepositoryMetadata.AccountId),
-			Repository:   aws.StringValue(repo.RepositoryMetadata.RepositoryName),
+			Organization: aws.ToString(repo.RepositoryMetadata.AccountId),
+			Repository:   aws.ToString(repo.RepositoryMetadata.RepositoryName),
 			URL:          url,
-			Branch:       aws.StringValue(repo.RepositoryMetadata.DefaultBranch),
+			Branch:       aws.ToString(repo.RepositoryMetadata.DefaultBranch),
 			// we could propagate repo tag keys, but without value not sure if it's any useful.
 			Labels:       []string{},
-			RepositoryId: aws.StringValue(repo.RepositoryMetadata.RepositoryId),
+			RepositoryId: aws.ToString(repo.RepositoryMetadata.RepositoryId),
 		})
 	}

@ -142,13 +145,9 @@ func (p *AWSCodeCommitProvider) RepoHasPath(ctx context.Context, repo *Repositor
 		FolderPath:      aws.String(parentPath),
 		RepositoryName:  aws.String(repo.Repository),
 	}
-	output, err := p.codeCommitClient.GetFolderWithContext(ctx, input)
+	output, err := p.codeCommitClient.GetFolder(ctx, input)
 	if err != nil {
-		if hasAwsError(err,
-			codecommit.ErrCodeRepositoryDoesNotExistException,
-			codecommit.ErrCodeCommitDoesNotExistException,
-			codecommit.ErrCodeFolderDoesNotExistException,
-		) {
+		if hasAwsError(err) {
 			return false, nil
 		}
 		// unhandled exception, propagate out
@ -157,22 +156,22 @@ func (p *AWSCodeCommitProvider) RepoHasPath(ctx context.Context, repo *Repositor

 	// anything that matches.
 	for _, submodule := range output.SubModules {
-		if basePath == aws.StringValue(submodule.RelativePath) {
+		if basePath == aws.ToString(submodule.RelativePath) {
 			return true, nil
 		}
 	}
 	for _, subpath := range output.SubFolders {
-		if basePath == aws.StringValue(subpath.RelativePath) {
+		if basePath == aws.ToString(subpath.RelativePath) {
 			return true, nil
 		}
 	}
 	for _, subpath := range output.Files {
-		if basePath == aws.StringValue(subpath.RelativePath) {
+		if basePath == aws.ToString(subpath.RelativePath) {
 			return true, nil
 		}
 	}
 	for _, subpath := range output.SymbolicLinks {
-		if basePath == aws.StringValue(subpath.RelativePath) {
+		if basePath == aws.ToString(subpath.RelativePath) {
 			return true, nil
 		}
 	}
@ -182,7 +181,7 @@ func (p *AWSCodeCommitProvider) RepoHasPath(ctx context.Context, repo *Repositor
 func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repository) ([]*Repository, error) {
 	repos := make([]*Repository, 0)
 	if !p.allBranches {
-		output, err := p.codeCommitClient.GetRepositoryWithContext(ctx, &codecommit.GetRepositoryInput{
+		output, err := p.codeCommitClient.GetRepository(ctx, &codecommit.GetRepositoryInput{
 			RepositoryName: aws.String(repo.Repository),
 		})
 		if err != nil {
@ -192,7 +191,7 @@ func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repositor
 			Organization: repo.Organization,
 			Repository:   repo.Repository,
 			URL:          repo.URL,
-			Branch:       aws.StringValue(output.RepositoryMetadata.DefaultBranch),
+			Branch:       aws.ToString(output.RepositoryMetadata.DefaultBranch),
 			RepositoryId: repo.RepositoryId,
 			Labels:       repo.Labels,
 			// getting SHA of the branch requires a separate GetBranch call.
@ -204,7 +203,7 @@ func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repositor
 			RepositoryName: aws.String(repo.Repository),
 		}
 		for {
-			output, err := p.codeCommitClient.ListBranchesWithContext(ctx, input)
+			output, err := p.codeCommitClient.ListBranches(ctx, input)
 			if err != nil {
 				return nil, err
 			}
@ -213,7 +212,7 @@ func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repositor
 					Organization: repo.Organization,
 					Repository:   repo.Repository,
 					URL:          repo.URL,
-					Branch:       aws.StringValue(branch),
+					Branch:       branch,
 					RepositoryId: repo.RepositoryId,
 					Labels:       repo.Labels,
 					// getting SHA of the branch requires a separate GetBranch call.
@ -222,7 +221,7 @@ func (p *AWSCodeCommitProvider) GetBranches(ctx context.Context, repo *Repositor
 				})
 			}
 			input.NextToken = output.NextToken
-			if aws.StringValue(output.NextToken) == "" {
+			if aws.ToString(output.NextToken) == "" {
 				break
 			}
 		}
@ -241,32 +240,32 @@ func (p *AWSCodeCommitProvider) listRepoNames(ctx context.Context) ([]string, er
 		listReposInput := &codecommit.ListRepositoriesInput{}
 		var output *codecommit.ListRepositoriesOutput
 		for {
-			output, err = p.codeCommitClient.ListRepositoriesWithContext(ctx, listReposInput)
+			output, err = p.codeCommitClient.ListRepositories(ctx, listReposInput)
 			if err != nil {
 				break
 			}
 			for _, repo := range output.Repositories {
-				repoNames = append(repoNames, aws.StringValue(repo.RepositoryName))
+				repoNames = append(repoNames, aws.ToString(repo.RepositoryName))
 			}
 			listReposInput.NextToken = output.NextToken
-			if aws.StringValue(output.NextToken) == "" {
+			if aws.ToString(output.NextToken) == "" {
 				break
 			}
 		}
 	} else {
 		log.Debugf("tag filer is specified, calling tagging api to list repos")
 		discoveryInput := &resourcegroupstaggingapi.GetResourcesInput{
-			ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
+			ResourceTypeFilters: []string{resourceTypeCodeCommitRepository},
 			TagFilters:          tagFilters,
 		}
 		var output *resourcegroupstaggingapi.GetResourcesOutput
 		for {
-			output, err = p.taggingClient.GetResourcesWithContext(ctx, discoveryInput)
+			output, err = p.taggingClient.GetResources(ctx, discoveryInput)
 			if err != nil {
 				break
 			}
 			for _, resource := range output.ResourceTagMappingList {
-				repoArn := aws.StringValue(resource.ResourceARN)
+				repoArn := aws.ToString(resource.ResourceARN)
 				log.Debugf("discovered codecommit repo with arn %s", repoArn)
 				repoName, extractErr := getCodeCommitRepoName(repoArn)
 				if extractErr != nil {
@ -276,7 +275,7 @@ func (p *AWSCodeCommitProvider) listRepoNames(ctx context.Context) ([]string, er
 				repoNames = append(repoNames, repoName)
 			}
 			discoveryInput.PaginationToken = output.PaginationToken
-			if aws.StringValue(output.PaginationToken) == "" {
+			if aws.ToString(output.PaginationToken) == "" {
 				break
 			}
 		}
@ -284,19 +283,20 @@ func (p *AWSCodeCommitProvider) listRepoNames(ctx context.Context) ([]string, er
 	return repoNames, err
 }

-func (p *AWSCodeCommitProvider) getTagFilters() []*resourcegroupstaggingapi.TagFilter {
-	filters := make(map[string]*resourcegroupstaggingapi.TagFilter)
+// getTagFilters filters by tag
+func (p *AWSCodeCommitProvider) getTagFilters() []rgsatypes.TagFilter {
+	filters := make(map[string]rgsatypes.TagFilter)
 	for _, tagFilter := range p.tagFilters {
-		filter, hasKey := filters[tagFilter.Key]
-		if !hasKey {
-			filter = &resourcegroupstaggingapi.TagFilter{
+		filter := filters[tagFilter.Key]
+		if filter.Key == nil {
+			filter = rgsatypes.TagFilter{
 				Key: aws.String(tagFilter.Key),
 			}
-			filters[tagFilter.Key] = filter
 		}
 		if tagFilter.Value != "" {
-			filter.Values = append(filter.Values, aws.String(tagFilter.Value))
+			filter.Values = append(filter.Values, tagFilter.Value)
 		}
+		filters[tagFilter.Key] = filter
 	}
 	return slices.Collect(maps.Values(filters))
 }
@ -326,12 +326,15 @@ func getCodeCommitFIPSEndpoint(repoURL string) (string, error) {
 	return strings.Replace(repoURL, prefixGitURLHTTPS, prefixGitURLHTTPSFIPS, 1), nil
 }

-func hasAwsError(err error, codes ...string) bool {
-	var awsErr awserr.Error
-	if errors.As(err, &awsErr) {
-		return slices.Contains(codes, awsErr.Code())
-	}
-	return false
+func hasAwsError(err error) bool {
+	// Check for common CodeCommit exceptions using SDK v2 typed errors
+	var repoNotFound *codecommittypes.RepositoryDoesNotExistException
+	var commitNotFound *codecommittypes.CommitDoesNotExistException
+	var folderNotFound *codecommittypes.FolderDoesNotExistException
+
+	return errors.As(err, &repoNotFound) ||
+		errors.As(err, &commitNotFound) ||
+		errors.As(err, &folderNotFound)
 }

 // toAbsolutePath transforms a path input to absolute path, as required by AWS CodeCommit
@ -343,37 +346,32 @@ func toAbsolutePath(path string) string {
 	return filepath.ToSlash(filepath.Join("/", path)) //nolint:gocritic // Prepend slash to have an absolute path
 }

-func createAWSDiscoveryClients(_ context.Context, role string, region string) (*resourcegroupstaggingapi.ResourceGroupsTaggingAPI, *codecommit.CodeCommit, error) {
-	podSession, err := session.NewSession()
-	if err != nil {
-		return nil, nil, fmt.Errorf("error creating new AWS pod session: %w", err)
-	}
-	discoverySession := podSession
-	// assume role if provided - this allows cross account CodeCommit repo discovery.
-	if role != "" {
-		log.Debugf("role %s is provided for AWS CodeCommit discovery", role)
-		assumeRoleCreds := stscreds.NewCredentials(podSession, role)
-		discoverySession, err = session.NewSession(&aws.Config{
-			Credentials: assumeRoleCreds,
-		})
-		if err != nil {
-			return nil, nil, fmt.Errorf("error creating new AWS discovery session: %w", err)
-		}
-	} else {
-		log.Debugf("role is not provided for AWS CodeCommit discovery, using pod role")
-	}
-	// use region explicitly if provided  - this allows cross region CodeCommit repo discovery.
+// createAWSDiscoveryClients creates AWS clients
+func createAWSDiscoveryClients(ctx context.Context, role string, region string) (*resourcegroupstaggingapi.Client, *codecommit.Client, error) {
+	var configOpts []func(*config.LoadOptions) error
 	if region != "" {
 		log.Debugf("region %s is provided for AWS CodeCommit discovery", region)
-		discoverySession = discoverySession.Copy(&aws.Config{
-			Region: aws.String(region),
-		})
+		configOpts = append(configOpts, config.WithRegion(region))
 	} else {
 		log.Debugf("region is not provided for AWS CodeCommit discovery, using pod region")
 	}
+	// Load the default config based on config options
+	cfg, err := config.LoadDefaultConfig(ctx, configOpts...)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error loading default config: %w", err)
+	}
+	client := sts.NewFromConfig(cfg)
+	// assume role if provided - this allows cross account CodeCommit repo discovery.
+	if role != "" {
+		log.Debugf("role %s is provided for AWS CodeCommit discovery", role)
+		assumeRoleCreds := stscreds.NewAssumeRoleProvider(client, role)
+		cfg.Credentials = aws.NewCredentialsCache(assumeRoleCreds)
+	} else {
+		log.Debugf("role is not provided for AWS CodeCommit discovery, using pod role")
+	}

-	taggingClient := resourcegroupstaggingapi.New(discoverySession)
-	codeCommitClient := codecommit.New(discoverySession)
+	taggingClient := resourcegroupstaggingapi.NewFromConfig(cfg)
+	codeCommitClient := codecommit.NewFromConfig(cfg)

 	return taggingClient, codeCommitClient, nil
 }
--- a/applicationset/services/scm_provider/aws_codecommit/mocks/AWSCodeCommitClient.go
+++ b/applicationset/services/scm_provider/aws_codecommit/mocks/AWSCodeCommitClient.go
@ -1,387 +0,0 @@
-// Code generated by mockery; DO NOT EDIT.
-// github.com/vektra/mockery
-// template: testify
-
-package mocks
-
-import (
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/service/codecommit"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// NewAWSCodeCommitClient creates a new instance of AWSCodeCommitClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewAWSCodeCommitClient(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *AWSCodeCommitClient {
-	mock := &AWSCodeCommitClient{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
-
-// AWSCodeCommitClient is an autogenerated mock type for the AWSCodeCommitClient type
-type AWSCodeCommitClient struct {
-	mock.Mock
-}
-
-type AWSCodeCommitClient_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *AWSCodeCommitClient) EXPECT() *AWSCodeCommitClient_Expecter {
-	return &AWSCodeCommitClient_Expecter{mock: &_m.Mock}
-}
-
-// GetFolderWithContext provides a mock function for the type AWSCodeCommitClient
-func (_mock *AWSCodeCommitClient) GetFolderWithContext(v aws.Context, getFolderInput *codecommit.GetFolderInput, options ...request.Option) (*codecommit.GetFolderOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
-	}
-	var _ca []interface{}
-	_ca = append(_ca, v, getFolderInput)
-	_ca = append(_ca, _va...)
-	ret := _mock.Called(_ca...)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetFolderWithContext")
-	}
-
-	var r0 *codecommit.GetFolderOutput
-	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.GetFolderInput, ...request.Option) (*codecommit.GetFolderOutput, error)); ok {
-		return returnFunc(v, getFolderInput, options...)
-	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.GetFolderInput, ...request.Option) *codecommit.GetFolderOutput); ok {
-		r0 = returnFunc(v, getFolderInput, options...)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*codecommit.GetFolderOutput)
-		}
-	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *codecommit.GetFolderInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, getFolderInput, options...)
-	} else {
-		r1 = ret.Error(1)
-	}
-	return r0, r1
-}
-
-// AWSCodeCommitClient_GetFolderWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetFolderWithContext'
-type AWSCodeCommitClient_GetFolderWithContext_Call struct {
-	*mock.Call
-}
-
-// GetFolderWithContext is a helper method to define mock.On call
-//   - v aws.Context
-//   - getFolderInput *codecommit.GetFolderInput
-//   - options ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) GetFolderWithContext(v interface{}, getFolderInput interface{}, options ...interface{}) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	return &AWSCodeCommitClient_GetFolderWithContext_Call{Call: _e.mock.On("GetFolderWithContext",
-		append([]interface{}{v, getFolderInput}, options...)...)}
-}
-
-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) Run(run func(v aws.Context, getFolderInput *codecommit.GetFolderInput, options ...request.Option)) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
-		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
-		}
-		var arg1 *codecommit.GetFolderInput
-		if args[1] != nil {
-			arg1 = args[1].(*codecommit.GetFolderInput)
-		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		arg2 = variadicArgs
-		run(
-			arg0,
-			arg1,
-			arg2...,
-		)
-	})
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) Return(getFolderOutput *codecommit.GetFolderOutput, err error) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	_c.Call.Return(getFolderOutput, err)
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_GetFolderWithContext_Call) RunAndReturn(run func(v aws.Context, getFolderInput *codecommit.GetFolderInput, options ...request.Option) (*codecommit.GetFolderOutput, error)) *AWSCodeCommitClient_GetFolderWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetRepositoryWithContext provides a mock function for the type AWSCodeCommitClient
-func (_mock *AWSCodeCommitClient) GetRepositoryWithContext(v aws.Context, getRepositoryInput *codecommit.GetRepositoryInput, options ...request.Option) (*codecommit.GetRepositoryOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
-	}
-	var _ca []interface{}
-	_ca = append(_ca, v, getRepositoryInput)
-	_ca = append(_ca, _va...)
-	ret := _mock.Called(_ca...)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetRepositoryWithContext")
-	}
-
-	var r0 *codecommit.GetRepositoryOutput
-	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.GetRepositoryInput, ...request.Option) (*codecommit.GetRepositoryOutput, error)); ok {
-		return returnFunc(v, getRepositoryInput, options...)
-	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.GetRepositoryInput, ...request.Option) *codecommit.GetRepositoryOutput); ok {
-		r0 = returnFunc(v, getRepositoryInput, options...)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*codecommit.GetRepositoryOutput)
-		}
-	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *codecommit.GetRepositoryInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, getRepositoryInput, options...)
-	} else {
-		r1 = ret.Error(1)
-	}
-	return r0, r1
-}
-
-// AWSCodeCommitClient_GetRepositoryWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRepositoryWithContext'
-type AWSCodeCommitClient_GetRepositoryWithContext_Call struct {
-	*mock.Call
-}
-
-// GetRepositoryWithContext is a helper method to define mock.On call
-//   - v aws.Context
-//   - getRepositoryInput *codecommit.GetRepositoryInput
-//   - options ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) GetRepositoryWithContext(v interface{}, getRepositoryInput interface{}, options ...interface{}) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	return &AWSCodeCommitClient_GetRepositoryWithContext_Call{Call: _e.mock.On("GetRepositoryWithContext",
-		append([]interface{}{v, getRepositoryInput}, options...)...)}
-}
-
-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) Run(run func(v aws.Context, getRepositoryInput *codecommit.GetRepositoryInput, options ...request.Option)) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
-		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
-		}
-		var arg1 *codecommit.GetRepositoryInput
-		if args[1] != nil {
-			arg1 = args[1].(*codecommit.GetRepositoryInput)
-		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		arg2 = variadicArgs
-		run(
-			arg0,
-			arg1,
-			arg2...,
-		)
-	})
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) Return(getRepositoryOutput *codecommit.GetRepositoryOutput, err error) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	_c.Call.Return(getRepositoryOutput, err)
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_GetRepositoryWithContext_Call) RunAndReturn(run func(v aws.Context, getRepositoryInput *codecommit.GetRepositoryInput, options ...request.Option) (*codecommit.GetRepositoryOutput, error)) *AWSCodeCommitClient_GetRepositoryWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListBranchesWithContext provides a mock function for the type AWSCodeCommitClient
-func (_mock *AWSCodeCommitClient) ListBranchesWithContext(v aws.Context, listBranchesInput *codecommit.ListBranchesInput, options ...request.Option) (*codecommit.ListBranchesOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
-	}
-	var _ca []interface{}
-	_ca = append(_ca, v, listBranchesInput)
-	_ca = append(_ca, _va...)
-	ret := _mock.Called(_ca...)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListBranchesWithContext")
-	}
-
-	var r0 *codecommit.ListBranchesOutput
-	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.ListBranchesInput, ...request.Option) (*codecommit.ListBranchesOutput, error)); ok {
-		return returnFunc(v, listBranchesInput, options...)
-	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.ListBranchesInput, ...request.Option) *codecommit.ListBranchesOutput); ok {
-		r0 = returnFunc(v, listBranchesInput, options...)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*codecommit.ListBranchesOutput)
-		}
-	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *codecommit.ListBranchesInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, listBranchesInput, options...)
-	} else {
-		r1 = ret.Error(1)
-	}
-	return r0, r1
-}
-
-// AWSCodeCommitClient_ListBranchesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListBranchesWithContext'
-type AWSCodeCommitClient_ListBranchesWithContext_Call struct {
-	*mock.Call
-}
-
-// ListBranchesWithContext is a helper method to define mock.On call
-//   - v aws.Context
-//   - listBranchesInput *codecommit.ListBranchesInput
-//   - options ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) ListBranchesWithContext(v interface{}, listBranchesInput interface{}, options ...interface{}) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	return &AWSCodeCommitClient_ListBranchesWithContext_Call{Call: _e.mock.On("ListBranchesWithContext",
-		append([]interface{}{v, listBranchesInput}, options...)...)}
-}
-
-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) Run(run func(v aws.Context, listBranchesInput *codecommit.ListBranchesInput, options ...request.Option)) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
-		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
-		}
-		var arg1 *codecommit.ListBranchesInput
-		if args[1] != nil {
-			arg1 = args[1].(*codecommit.ListBranchesInput)
-		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		arg2 = variadicArgs
-		run(
-			arg0,
-			arg1,
-			arg2...,
-		)
-	})
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) Return(listBranchesOutput *codecommit.ListBranchesOutput, err error) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	_c.Call.Return(listBranchesOutput, err)
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_ListBranchesWithContext_Call) RunAndReturn(run func(v aws.Context, listBranchesInput *codecommit.ListBranchesInput, options ...request.Option) (*codecommit.ListBranchesOutput, error)) *AWSCodeCommitClient_ListBranchesWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListRepositoriesWithContext provides a mock function for the type AWSCodeCommitClient
-func (_mock *AWSCodeCommitClient) ListRepositoriesWithContext(v aws.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, options ...request.Option) (*codecommit.ListRepositoriesOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
-	}
-	var _ca []interface{}
-	_ca = append(_ca, v, listRepositoriesInput)
-	_ca = append(_ca, _va...)
-	ret := _mock.Called(_ca...)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListRepositoriesWithContext")
-	}
-
-	var r0 *codecommit.ListRepositoriesOutput
-	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.ListRepositoriesInput, ...request.Option) (*codecommit.ListRepositoriesOutput, error)); ok {
-		return returnFunc(v, listRepositoriesInput, options...)
-	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *codecommit.ListRepositoriesInput, ...request.Option) *codecommit.ListRepositoriesOutput); ok {
-		r0 = returnFunc(v, listRepositoriesInput, options...)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*codecommit.ListRepositoriesOutput)
-		}
-	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *codecommit.ListRepositoriesInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, listRepositoriesInput, options...)
-	} else {
-		r1 = ret.Error(1)
-	}
-	return r0, r1
-}
-
-// AWSCodeCommitClient_ListRepositoriesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListRepositoriesWithContext'
-type AWSCodeCommitClient_ListRepositoriesWithContext_Call struct {
-	*mock.Call
-}
-
-// ListRepositoriesWithContext is a helper method to define mock.On call
-//   - v aws.Context
-//   - listRepositoriesInput *codecommit.ListRepositoriesInput
-//   - options ...request.Option
-func (_e *AWSCodeCommitClient_Expecter) ListRepositoriesWithContext(v interface{}, listRepositoriesInput interface{}, options ...interface{}) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	return &AWSCodeCommitClient_ListRepositoriesWithContext_Call{Call: _e.mock.On("ListRepositoriesWithContext",
-		append([]interface{}{v, listRepositoriesInput}, options...)...)}
-}
-
-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) Run(run func(v aws.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, options ...request.Option)) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
-		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
-		}
-		var arg1 *codecommit.ListRepositoriesInput
-		if args[1] != nil {
-			arg1 = args[1].(*codecommit.ListRepositoriesInput)
-		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		arg2 = variadicArgs
-		run(
-			arg0,
-			arg1,
-			arg2...,
-		)
-	})
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) Return(listRepositoriesOutput *codecommit.ListRepositoriesOutput, err error) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	_c.Call.Return(listRepositoriesOutput, err)
-	return _c
-}
-
-func (_c *AWSCodeCommitClient_ListRepositoriesWithContext_Call) RunAndReturn(run func(v aws.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, options ...request.Option) (*codecommit.ListRepositoriesOutput, error)) *AWSCodeCommitClient_ListRepositoriesWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
--- a/applicationset/services/scm_provider/aws_codecommit/mocks/AWSTaggingClient.go
+++ b/applicationset/services/scm_provider/aws_codecommit/mocks/AWSTaggingClient.go
@ -1,126 +0,0 @@
-// Code generated by mockery; DO NOT EDIT.
-// github.com/vektra/mockery
-// template: testify
-
-package mocks
-
-import (
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// NewAWSTaggingClient creates a new instance of AWSTaggingClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewAWSTaggingClient(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *AWSTaggingClient {
-	mock := &AWSTaggingClient{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
-
-// AWSTaggingClient is an autogenerated mock type for the AWSTaggingClient type
-type AWSTaggingClient struct {
-	mock.Mock
-}
-
-type AWSTaggingClient_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *AWSTaggingClient) EXPECT() *AWSTaggingClient_Expecter {
-	return &AWSTaggingClient_Expecter{mock: &_m.Mock}
-}
-
-// GetResourcesWithContext provides a mock function for the type AWSTaggingClient
-func (_mock *AWSTaggingClient) GetResourcesWithContext(v aws.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, options ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error) {
-	// request.Option
-	_va := make([]interface{}, len(options))
-	for _i := range options {
-		_va[_i] = options[_i]
-	}
-	var _ca []interface{}
-	_ca = append(_ca, v, getResourcesInput)
-	_ca = append(_ca, _va...)
-	ret := _mock.Called(_ca...)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetResourcesWithContext")
-	}
-
-	var r0 *resourcegroupstaggingapi.GetResourcesOutput
-	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error)); ok {
-		return returnFunc(v, getResourcesInput, options...)
-	}
-	if returnFunc, ok := ret.Get(0).(func(aws.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) *resourcegroupstaggingapi.GetResourcesOutput); ok {
-		r0 = returnFunc(v, getResourcesInput, options...)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*resourcegroupstaggingapi.GetResourcesOutput)
-		}
-	}
-	if returnFunc, ok := ret.Get(1).(func(aws.Context, *resourcegroupstaggingapi.GetResourcesInput, ...request.Option) error); ok {
-		r1 = returnFunc(v, getResourcesInput, options...)
-	} else {
-		r1 = ret.Error(1)
-	}
-	return r0, r1
-}
-
-// AWSTaggingClient_GetResourcesWithContext_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetResourcesWithContext'
-type AWSTaggingClient_GetResourcesWithContext_Call struct {
-	*mock.Call
-}
-
-// GetResourcesWithContext is a helper method to define mock.On call
-//   - v aws.Context
-//   - getResourcesInput *resourcegroupstaggingapi.GetResourcesInput
-//   - options ...request.Option
-func (_e *AWSTaggingClient_Expecter) GetResourcesWithContext(v interface{}, getResourcesInput interface{}, options ...interface{}) *AWSTaggingClient_GetResourcesWithContext_Call {
-	return &AWSTaggingClient_GetResourcesWithContext_Call{Call: _e.mock.On("GetResourcesWithContext",
-		append([]interface{}{v, getResourcesInput}, options...)...)}
-}
-
-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) Run(run func(v aws.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, options ...request.Option)) *AWSTaggingClient_GetResourcesWithContext_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 aws.Context
-		if args[0] != nil {
-			arg0 = args[0].(aws.Context)
-		}
-		var arg1 *resourcegroupstaggingapi.GetResourcesInput
-		if args[1] != nil {
-			arg1 = args[1].(*resourcegroupstaggingapi.GetResourcesInput)
-		}
-		var arg2 []request.Option
-		variadicArgs := make([]request.Option, len(args)-2)
-		for i, a := range args[2:] {
-			if a != nil {
-				variadicArgs[i] = a.(request.Option)
-			}
-		}
-		arg2 = variadicArgs
-		run(
-			arg0,
-			arg1,
-			arg2...,
-		)
-	})
-	return _c
-}
-
-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) Return(getResourcesOutput *resourcegroupstaggingapi.GetResourcesOutput, err error) *AWSTaggingClient_GetResourcesWithContext_Call {
-	_c.Call.Return(getResourcesOutput, err)
-	return _c
-}
-
-func (_c *AWSTaggingClient_GetResourcesWithContext_Call) RunAndReturn(run func(v aws.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, options ...request.Option) (*resourcegroupstaggingapi.GetResourcesOutput, error)) *AWSTaggingClient_GetResourcesWithContext_Call {
-	_c.Call.Return(run)
-	return _c
-}
--- a/applicationset/services/scm_provider/aws_codecommit_test.go
+++ b/applicationset/services/scm_provider/aws_codecommit_test.go
@ -5,14 +5,17 @@ import (
 	"sort"
 	"testing"

-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/codecommit"
-	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/codecommit"
+	codecommittypes "github.com/aws/aws-sdk-go-v2/service/codecommit/types"
+	"github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi"
+	rgsatypes "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi/types"
 	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

-	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/aws_codecommit/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

@ -34,7 +37,7 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 		repositories           []*awsCodeCommitTestRepository
 		cloneProtocol          string
 		tagFilters             []*v1alpha1.TagFilter
-		expectTagFilters       []*resourcegroupstaggingapi.TagFilter
+		expectTagFilters       []rgsatypes.TagFilter
 		listRepositoryError    error
 		expectOverallError     bool
 		expectListAtCodeCommit bool
@ -57,8 +60,8 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 				{Key: "key1", Value: "value2"},
 				{Key: "key2"},
 			},
-			expectTagFilters: []*resourcegroupstaggingapi.TagFilter{
-				{Key: aws.String("key1"), Values: aws.StringSlice([]string{"value1", "value2"})},
+			expectTagFilters: []rgsatypes.TagFilter{
+				{Key: aws.String("key1"), Values: []string{"value1", "value2"}},
 				{Key: aws.String("key2")},
 			},
 			expectOverallError:     false,
@ -80,7 +83,7 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			tagFilters: []*v1alpha1.TagFilter{
 				{Key: "key1"},
 			},
-			expectTagFilters: []*resourcegroupstaggingapi.TagFilter{
+			expectTagFilters: []rgsatypes.TagFilter{
 				{Key: aws.String("key1")},
 			},
 			expectOverallError:     false,
@ -160,12 +163,12 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			codeCommitClient := mocks.NewAWSCodeCommitClient(t)
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
-			codecommitRepoNameIdPairs := make([]*codecommit.RepositoryNameIdPair, 0)
-			resourceTaggings := make([]*resourcegroupstaggingapi.ResourceTagMapping, 0)
+			codecommitRepoNameIdPairs := make([]codecommittypes.RepositoryNameIdPair, 0)
+			resourceTaggings := make([]rgsatypes.ResourceTagMapping, 0)
 			validRepositories := make([]*awsCodeCommitTestRepository, 0)

 			for _, repo := range testCase.repositories {
-				repoMetadata := &codecommit.RepositoryMetadata{
+				repoMetadata := &codecommittypes.RepositoryMetadata{
 					AccountId:      aws.String(repo.accountId),
 					Arn:            aws.String(repo.arn),
 					CloneUrlHttp:   aws.String("https://git-codecommit.us-east-1.amazonaws.com/v1/repos/" + repo.name),
@ -177,14 +180,13 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 				if repo.getRepositoryNilMetadata {
 					repoMetadata = nil
 				}
-				codeCommitClient.
-					On("GetRepositoryWithContext", ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
-					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: repoMetadata}, repo.getRepositoryError)
-				codecommitRepoNameIdPairs = append(codecommitRepoNameIdPairs, &codecommit.RepositoryNameIdPair{
+				codeCommitClient.EXPECT().GetRepository(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(repo.name)}).
+					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: repoMetadata}, repo.getRepositoryError).Maybe()
+				codecommitRepoNameIdPairs = append(codecommitRepoNameIdPairs, codecommittypes.RepositoryNameIdPair{
 					RepositoryId:   aws.String(repo.id),
 					RepositoryName: aws.String(repo.name),
 				})
-				resourceTaggings = append(resourceTaggings, &resourcegroupstaggingapi.ResourceTagMapping{
+				resourceTaggings = append(resourceTaggings, rgsatypes.ResourceTagMapping{
 					ResourceARN: aws.String(repo.arn),
 				})
 				if repo.valid {
@ -193,20 +195,18 @@ func TestAWSCodeCommitListRepos(t *testing.T) {
 			}

 			if testCase.expectListAtCodeCommit {
-				codeCommitClient.
-					On("ListRepositoriesWithContext", ctx, &codecommit.ListRepositoriesInput{}).
+				codeCommitClient.EXPECT().ListRepositories(mock.Anything, &codecommit.ListRepositoriesInput{}).
 					Return(&codecommit.ListRepositoriesOutput{
 						Repositories: codecommitRepoNameIdPairs,
-					}, testCase.listRepositoryError)
+					}, testCase.listRepositoryError).Maybe()
 			} else {
-				taggingClient.
-					On("GetResourcesWithContext", ctx, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
-						TagFilters:          testCase.expectTagFilters,
-						ResourceTypeFilters: aws.StringSlice([]string{resourceTypeCodeCommitRepository}),
-					}))).
+				taggingClient.EXPECT().GetResources(mock.Anything, mock.MatchedBy(equalIgnoringTagFilterOrder(&resourcegroupstaggingapi.GetResourcesInput{
+					TagFilters:          testCase.expectTagFilters,
+					ResourceTypeFilters: []string{resourceTypeCodeCommitRepository},
+				}))).
 					Return(&resourcegroupstaggingapi.GetResourcesOutput{
 						ResourceTagMappingList: resourceTaggings,
-					}, testCase.listRepositoryError)
+					}, testCase.listRepositoryError).Maybe()
 			}

 			provider := &AWSCodeCommitProvider{
@ -252,7 +252,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "lib/config.yaml",
 			expectedGetFolderPath: "/lib",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				Files: []*codecommit.File{
+				Files: []codecommittypes.File{
 					{RelativePath: aws.String("config.yaml")},
 				},
 			},
@ -264,7 +264,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "lib/config",
 			expectedGetFolderPath: "/lib",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				SubFolders: []*codecommit.Folder{
+				SubFolders: []codecommittypes.Folder{
 					{RelativePath: aws.String("config")},
 				},
 			},
@ -276,7 +276,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "/lib/submodule/",
 			expectedGetFolderPath: "/lib",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				SubModules: []*codecommit.SubModule{
+				SubModules: []codecommittypes.SubModule{
 					{RelativePath: aws.String("submodule")},
 				},
 			},
@ -288,7 +288,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "./lib/service.json",
 			expectedGetFolderPath: "/lib",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				SymbolicLinks: []*codecommit.SymbolicLink{
+				SymbolicLinks: []codecommittypes.SymbolicLink{
 					{RelativePath: aws.String("service.json")},
 				},
 			},
@ -300,16 +300,16 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			path:                  "no-match.json",
 			expectedGetFolderPath: "/",
 			getFolderOutput: &codecommit.GetFolderOutput{
-				Files: []*codecommit.File{
+				Files: []codecommittypes.File{
 					{RelativePath: aws.String("config.yaml")},
 				},
-				SubFolders: []*codecommit.Folder{
+				SubFolders: []codecommittypes.Folder{
 					{RelativePath: aws.String("config")},
 				},
-				SubModules: []*codecommit.SubModule{
+				SubModules: []codecommittypes.SubModule{
 					{RelativePath: aws.String("submodule")},
 				},
-				SymbolicLinks: []*codecommit.SymbolicLink{
+				SymbolicLinks: []codecommittypes.SymbolicLink{
 					{RelativePath: aws.String("service.json")},
 				},
 			},
@ -320,7 +320,7 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			name:                  "RepoHasPath when parent folder not found",
 			path:                  "lib/submodule",
 			expectedGetFolderPath: "/lib",
-			getFolderError:        &codecommit.FolderDoesNotExistException{},
+			getFolderError:        &codecommittypes.FolderDoesNotExistException{},
 			expectOverallError:    false,
 		},
 		{
@ -350,13 +350,12 @@ func TestAWSCodeCommitRepoHasPath(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
 			if testCase.expectedGetFolderPath != "" {
-				codeCommitClient.
-					On("GetFolderWithContext", ctx, &codecommit.GetFolderInput{
-						CommitSpecifier: aws.String(branch),
-						FolderPath:      aws.String(testCase.expectedGetFolderPath),
-						RepositoryName:  aws.String(repoName),
-					}).
-					Return(testCase.getFolderOutput, testCase.getFolderError)
+				codeCommitClient.EXPECT().GetFolder(mock.Anything, &codecommit.GetFolderInput{
+					CommitSpecifier: aws.String(branch),
+					FolderPath:      aws.String(testCase.expectedGetFolderPath),
+					RepositoryName:  aws.String(repoName),
+				}).
+					Return(testCase.getFolderOutput, testCase.getFolderError).Maybe()
 			}
 			provider := &AWSCodeCommitProvider{
 				codeCommitClient: codeCommitClient,
@ -423,18 +422,18 @@ func TestAWSCodeCommitGetBranches(t *testing.T) {
 			taggingClient := mocks.NewAWSTaggingClient(t)
 			ctx := t.Context()
 			if testCase.allBranches {
-				codeCommitClient.
-					On("ListBranchesWithContext", ctx, &codecommit.ListBranchesInput{
-						RepositoryName: aws.String(name),
-					}).
-					Return(&codecommit.ListBranchesOutput{Branches: aws.StringSlice(testCase.branches)}, testCase.apiError)
+				branches := make([]string, len(testCase.branches))
+				copy(branches, testCase.branches)
+				codeCommitClient.EXPECT().ListBranches(mock.Anything, &codecommit.ListBranchesInput{
+					RepositoryName: aws.String(name),
+				}).
+					Return(&codecommit.ListBranchesOutput{Branches: branches}, testCase.apiError).Maybe()
 			} else {
-				codeCommitClient.
-					On("GetRepositoryWithContext", ctx, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
-					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: &codecommit.RepositoryMetadata{
+				codeCommitClient.EXPECT().GetRepository(mock.Anything, &codecommit.GetRepositoryInput{RepositoryName: aws.String(name)}).
+					Return(&codecommit.GetRepositoryOutput{RepositoryMetadata: &codecommittypes.RepositoryMetadata{
 						AccountId:     aws.String(organization),
 						DefaultBranch: aws.String(defaultBranch),
-					}}, testCase.apiError)
+					}}, testCase.apiError).Maybe()
 			}
 			provider := &AWSCodeCommitProvider{
 				codeCommitClient: codeCommitClient,
@ -476,8 +475,22 @@ func TestAWSCodeCommitGetBranches(t *testing.T) {
 func equalIgnoringTagFilterOrder(expected *resourcegroupstaggingapi.GetResourcesInput) func(*resourcegroupstaggingapi.GetResourcesInput) bool {
 	return func(actual *resourcegroupstaggingapi.GetResourcesInput) bool {
 		sort.Slice(actual.TagFilters, func(i, j int) bool {
-			return *actual.TagFilters[i].Key < *actual.TagFilters[j].Key
+			keyI := ""
+			keyJ := ""
+			if actual.TagFilters[i].Key != nil {
+				keyI = *actual.TagFilters[i].Key
+			}
+			if actual.TagFilters[j].Key != nil {
+				keyJ = *actual.TagFilters[j].Key
+			}
+			return keyI < keyJ
 		})
-		return cmp.Equal(expected, actual)
+		// Ignore unexported fields in AWS SDK v2 types
+		return cmp.Equal(expected, actual,
+			cmpopts.IgnoreUnexported(
+				rgsatypes.TagFilter{},
+				resourcegroupstaggingapi.GetResourcesInput{},
+			),
+		)
 	}
 }
--- a/applicationset/services/scm_provider/azure_devops_test.go
+++ b/applicationset/services/scm_provider/azure_devops_test.go
@ -1,7 +1,6 @@
 package scm_provider

 import (
-	"context"
 	"errors"
 	"fmt"
 	"testing"
@ -10,18 +9,14 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
-	"k8s.io/utils/ptr"

 	"github.com/microsoft/azure-devops-go-api/azuredevops/v7"
 	azureGit "github.com/microsoft/azure-devops-go-api/azuredevops/v7/git"

 	azureMock "github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/azure_devops/git/mocks"
+	"github.com/argoproj/argo-cd/v3/applicationset/services/scm_provider/mocks"
 )

-func s(input string) *string {
-	return ptr.To(input)
-}
-
 func TestAzureDevopsRepoHasPath(t *testing.T) {
 	organization := "myorg"
 	teamProject := "myorg_project"
@ -51,12 +46,12 @@ func TestAzureDevopsRepoHasPath(t *testing.T) {
 		{
 			name:             "RepoHasPath when no path found returns false",
 			pathFound:        false,
-			azureDevopsError: azuredevops.WrappedError{TypeKey: s(AzureDevOpsErrorsTypeKeyValues.GitItemNotFound)},
+			azureDevopsError: azuredevops.WrappedError{TypeKey: new(AzureDevOpsErrorsTypeKeyValues.GitItemNotFound)},
 		},
 		{
 			name:             "RepoHasPath when unknown Azure DevOps WrappedError occurs returns error",
 			pathFound:        false,
-			azureDevopsError: azuredevops.WrappedError{TypeKey: s("OtherAzureDevopsException")},
+			azureDevopsError: azuredevops.WrappedError{TypeKey: new("OtherAzureDevopsException")},
 			returnError:      true,
 			errorMessage:     "failed to check for path existence",
 		},
@ -78,13 +73,13 @@ func TestAzureDevopsRepoHasPath(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.Client{}
+			gitClientMock := &azureMock.Client{}

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)

 			repoId := &uuid
-			gitClientMock.On("GetItem", ctx, azureGit.GetItemArgs{Project: &teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}, RepositoryId: repoId}).Return(nil, testCase.azureDevopsError)
+			gitClientMock.EXPECT().GetItem(mock.Anything, azureGit.GetItemArgs{Project: &teamProject, Path: &path, VersionDescriptor: &azureGit.GitVersionDescriptor{Version: &branchName}, RepositoryId: repoId}).Return(nil, testCase.azureDevopsError)

 			provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock}

@ -124,12 +119,12 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 	}{
 		{
 			name:              "azure devops error when disabled repo causes empty return value",
-			azureDevOpsError:  azuredevops.WrappedError{TypeKey: s(AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound)},
+			azureDevOpsError:  azuredevops.WrappedError{TypeKey: new(AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound)},
 			shouldReturnError: false,
 		},
 		{
 			name:              "azure devops error with unknown error type returns error",
-			azureDevOpsError:  azuredevops.WrappedError{TypeKey: s("OtherError")},
+			azureDevOpsError:  azuredevops.WrappedError{TypeKey: new("OtherError")},
 			shouldReturnError: true,
 		},
 		{
@ -143,12 +138,12 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			uuid := uuid.New().String()

-			gitClientMock := azureMock.Client{}
+			gitClientMock := azureMock.NewClient(t)

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

-			gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(nil, testCase.azureDevOpsError)
+			gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(nil, testCase.azureDevOpsError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@ -162,8 +157,6 @@ func TestGetDefaultBranchOnDisabledRepo(t *testing.T) {
 			}

 			assert.Empty(t, branches)
-
-			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
@ -183,12 +176,12 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 	}{
 		{
 			name:              "azure devops error when disabled repo causes empty return value",
-			azureDevOpsError:  azuredevops.WrappedError{TypeKey: s(AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound)},
+			azureDevOpsError:  azuredevops.WrappedError{TypeKey: new(AzureDevOpsErrorsTypeKeyValues.GitRepositoryNotFound)},
 			shouldReturnError: false,
 		},
 		{
 			name:              "azure devops error with unknown error type returns error",
-			azureDevOpsError:  azuredevops.WrappedError{TypeKey: s("OtherError")},
+			azureDevOpsError:  azuredevops.WrappedError{TypeKey: new("OtherError")},
 			shouldReturnError: true,
 		},
 		{
@ -202,12 +195,12 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			uuid := uuid.New().String()

-			gitClientMock := azureMock.Client{}
+			gitClientMock := azureMock.NewClient(t)

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

-			gitClientMock.On("GetBranches", ctx, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(nil, testCase.azureDevOpsError)
+			gitClientMock.EXPECT().GetBranches(mock.Anything, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(nil, testCase.azureDevOpsError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@ -221,8 +214,6 @@ func TestGetAllBranchesOnDisabledRepo(t *testing.T) {
 			}

 			assert.Empty(t, branches)
-
-			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
@ -238,15 +229,15 @@ func TestAzureDevOpsGetDefaultBranchStripsRefsName(t *testing.T) {
 		strippedBranchName := "somebranch"
 		defaultBranch := fmt.Sprintf("refs/heads/%v", strippedBranchName)

-		branchReturn := &azureGit.GitBranchStats{Name: &strippedBranchName, Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}}
+		branchReturn := &azureGit.GitBranchStats{Name: &strippedBranchName, Commit: &azureGit.GitCommitRef{CommitId: new("abc123233223")}}
 		repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

-		gitClientMock := azureMock.Client{}
+		gitClientMock := &azureMock.Client{}

-		clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-		clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, nil)
+		clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+		clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

-		gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &strippedBranchName}).Return(branchReturn, nil)
+		gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &strippedBranchName}).Return(branchReturn, nil).Maybe()

 		provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock, allBranches: false}
 		branches, err := provider.GetBranches(ctx, repo)
@ -277,7 +268,7 @@ func TestAzureDevOpsGetBranchesDefultBranchOnly(t *testing.T) {
 	}{
 		{
 			name:           "GetBranches AllBranches false when single branch returned returns branch",
-			expectedBranch: &azureGit.GitBranchStats{Name: &defaultBranch, Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}},
+			expectedBranch: &azureGit.GitBranchStats{Name: &defaultBranch, Commit: &azureGit.GitCommitRef{CommitId: new("abc123233223")}},
 		},
 		{
 			name:                "GetBranches AllBranches false when request fails returns error and empty result",
@ -289,18 +280,18 @@ func TestAzureDevOpsGetBranchesDefultBranchOnly(t *testing.T) {
 		},
 		{
 			name:           "GetBranches AllBranches false when branch returned with long commit SHA",
-			expectedBranch: &azureGit.GitBranchStats{Name: &defaultBranch, Commit: &azureGit.GitCommitRef{CommitId: s("53863052ADF24229AB72154B4D83DAB7")}},
+			expectedBranch: &azureGit.GitBranchStats{Name: &defaultBranch, Commit: &azureGit.GitCommitRef{CommitId: new("53863052ADF24229AB72154B4D83DAB7")}},
 		},
 	}

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.Client{}
+			gitClientMock := &azureMock.Client{}

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)

-			gitClientMock.On("GetBranch", ctx, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(testCase.expectedBranch, testCase.getBranchesAPIError)
+			gitClientMock.EXPECT().GetBranch(mock.Anything, azureGit.GetBranchArgs{RepositoryId: &repoName, Project: &teamProject, Name: &defaultBranch}).Return(testCase.expectedBranch, testCase.getBranchesAPIError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid, Branch: defaultBranch}

@ -348,7 +339,7 @@ func TestAzureDevopsGetBranches(t *testing.T) {
 	}{
 		{
 			name:             "GetBranches when single branch returned returns this branch info",
-			expectedBranches: &[]azureGit.GitBranchStats{{Name: s("feature-feat1"), Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}}},
+			expectedBranches: &[]azureGit.GitBranchStats{{Name: new("feature-feat1"), Commit: &azureGit.GitCommitRef{CommitId: new("abc123233223")}}},
 			allBranches:      true,
 		},
 		{
@ -369,9 +360,9 @@ func TestAzureDevopsGetBranches(t *testing.T) {
 		{
 			name: "GetBranches when multiple branches returned returns branch info for all branches",
 			expectedBranches: &[]azureGit.GitBranchStats{
-				{Name: s("feature-feat1"), Commit: &azureGit.GitCommitRef{CommitId: s("abc123233223")}},
-				{Name: s("feature/feat2"), Commit: &azureGit.GitCommitRef{CommitId: s("4334")}},
-				{Name: s("feature/feat2"), Commit: &azureGit.GitCommitRef{CommitId: s("53863052ADF24229AB72154B4D83DAB7")}},
+				{Name: new("feature-feat1"), Commit: &azureGit.GitCommitRef{CommitId: new("abc123233223")}},
+				{Name: new("feature/feat2"), Commit: &azureGit.GitCommitRef{CommitId: new("4334")}},
+				{Name: new("feature/feat2"), Commit: &azureGit.GitCommitRef{CommitId: new("53863052ADF24229AB72154B4D83DAB7")}},
 			},
 			allBranches: true,
 		},
@ -379,12 +370,12 @@ func TestAzureDevopsGetBranches(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.Client{}
+			gitClientMock := &azureMock.Client{}

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock, testCase.clientError)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, testCase.clientError)

-			gitClientMock.On("GetBranches", ctx, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(testCase.expectedBranches, testCase.getBranchesAPIError)
+			gitClientMock.EXPECT().GetBranches(mock.Anything, azureGit.GetBranchesArgs{RepositoryId: &repoName, Project: &teamProject}).Return(testCase.expectedBranches, testCase.getBranchesAPIError)

 			repo := &Repository{Organization: organization, Repository: repoName, RepositoryId: uuid}

@ -427,7 +418,6 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 	teamProject := "myorg_project"

 	uuid := uuid.New()
-	ctx := t.Context()

 	repoId := &uuid

@ -439,12 +429,12 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 	}{
 		{
 			name:                  "ListRepos when single repo found returns repo info",
-			repositories:          []azureGit.GitRepository{{Name: s("repo1"), DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u"), Id: repoId}},
+			repositories:          []azureGit.GitRepository{{Name: new("repo1"), DefaultBranch: new("main"), RemoteUrl: new("https://remoteurl.u"), Id: repoId}},
 			expectedNumberOfRepos: 1,
 		},
 		{
 			name:         "ListRepos when repo has no default branch returns empty list",
-			repositories: []azureGit.GitRepository{{Name: s("repo2"), RemoteUrl: s("https://remoteurl.u"), Id: repoId}},
+			repositories: []azureGit.GitRepository{{Name: new("repo2"), RemoteUrl: new("https://remoteurl.u"), Id: repoId}},
 		},
 		{
 			name:                 "ListRepos when Azure DevOps request fails returns error",
@ -452,24 +442,24 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 		},
 		{
 			name:         "ListRepos when repo has no name returns empty list",
-			repositories: []azureGit.GitRepository{{DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u"), Id: repoId}},
+			repositories: []azureGit.GitRepository{{DefaultBranch: new("main"), RemoteUrl: new("https://remoteurl.u"), Id: repoId}},
 		},
 		{
 			name:         "ListRepos when repo has no remote URL returns empty list",
-			repositories: []azureGit.GitRepository{{DefaultBranch: s("main"), Name: s("repo_name"), Id: repoId}},
+			repositories: []azureGit.GitRepository{{DefaultBranch: new("main"), Name: new("repo_name"), Id: repoId}},
 		},
 		{
 			name:         "ListRepos when repo has no ID returns empty list",
-			repositories: []azureGit.GitRepository{{DefaultBranch: s("main"), Name: s("repo_name"), RemoteUrl: s("https://remoteurl.u")}},
+			repositories: []azureGit.GitRepository{{DefaultBranch: new("main"), Name: new("repo_name"), RemoteUrl: new("https://remoteurl.u")}},
 		},
 		{
 			name: "ListRepos when multiple repos returned returns list of eligible repos only",
 			repositories: []azureGit.GitRepository{
-				{Name: s("returned1"), DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u"), Id: repoId},
-				{Name: s("missing_default_branch"), RemoteUrl: s("https://remoteurl.u"), Id: repoId},
-				{DefaultBranch: s("missing_name"), RemoteUrl: s("https://remoteurl.u"), Id: repoId},
-				{Name: s("missing_remote_url"), DefaultBranch: s("main"), Id: repoId},
-				{Name: s("missing_id"), DefaultBranch: s("main"), RemoteUrl: s("https://remoteurl.u")},
+				{Name: new("returned1"), DefaultBranch: new("main"), RemoteUrl: new("https://remoteurl.u"), Id: repoId},
+				{Name: new("missing_default_branch"), RemoteUrl: new("https://remoteurl.u"), Id: repoId},
+				{DefaultBranch: new("missing_name"), RemoteUrl: new("https://remoteurl.u"), Id: repoId},
+				{Name: new("missing_remote_url"), DefaultBranch: new("main"), Id: repoId},
+				{Name: new("missing_id"), DefaultBranch: new("main"), RemoteUrl: new("https://remoteurl.u")},
 			},
 			expectedNumberOfRepos: 1,
 		},
@ -477,15 +467,15 @@ func TestGetAzureDevopsRepositories(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			gitClientMock := azureMock.Client{}
-			gitClientMock.On("GetRepositories", ctx, azureGit.GetRepositoriesArgs{Project: s(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)
+			gitClientMock := azureMock.NewClient(t)
+			gitClientMock.EXPECT().GetRepositories(mock.Anything, azureGit.GetRepositoriesArgs{Project: new(teamProject)}).Return(&testCase.repositories, testCase.getRepositoriesError)

-			clientFactoryMock := &AzureClientFactoryMock{mock: &mock.Mock{}}
-			clientFactoryMock.mock.On("GetClient", mock.Anything).Return(&gitClientMock)
+			clientFactoryMock := &mocks.AzureDevOpsClientFactory{}
+			clientFactoryMock.EXPECT().GetClient(mock.Anything).Return(gitClientMock, nil)

 			provider := AzureDevOpsProvider{organization: organization, teamProject: teamProject, clientFactory: clientFactoryMock}

-			repositories, err := provider.ListRepos(ctx, "https")
+			repositories, err := provider.ListRepos(t.Context(), "https")

 			if testCase.getRepositoriesError != nil {
 				require.Error(t, err, "Expected an error from test case %v", testCase.name)
@ -497,31 +487,6 @@ func TestGetAzureDevopsRepositories(t *testing.T) {
 				assert.NotEmpty(t, repositories)
 				assert.Len(t, repositories, testCase.expectedNumberOfRepos)
 			}
-
-			gitClientMock.AssertExpectations(t)
 		})
 	}
 }
-
-type AzureClientFactoryMock struct {
-	mock *mock.Mock
-}
-
-func (m *AzureClientFactoryMock) GetClient(ctx context.Context) (azureGit.Client, error) {
-	args := m.mock.Called(ctx)
-
-	var client azureGit.Client
-	c := args.Get(0)
-	if c != nil {
-		client = c.(azureGit.Client)
-	}
-
-	var err error
-	if len(args) > 1 {
-		if e, ok := args.Get(1).(error); ok {
-			err = e
-		}
-	}
-
-	return client, err
-}
--- a/applicationset/services/scm_provider/bitbucket_cloud.go
+++ b/applicationset/services/scm_provider/bitbucket_cloud.go
@ -30,7 +30,7 @@ func (c *ExtendedClient) GetContents(repo *Repository, path string) (bool, error
 	urlStr += fmt.Sprintf("/repositories/%s/%s/src/%s/%s?format=meta", c.owner, repo.Repository, repo.SHA, path)
 	body := strings.NewReader("")

-	req, err := http.NewRequest(http.MethodGet, urlStr, body)
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, urlStr, body)
 	if err != nil {
 		return false, err
 	}
@ -53,8 +53,12 @@ func (c *ExtendedClient) GetContents(repo *Repository, path string) (bool, error
 var _ SCMProviderService = &BitBucketCloudProvider{}

 func NewBitBucketCloudProvider(owner string, user string, password string, allBranches bool) (*BitBucketCloudProvider, error) {
+	bitbucketClient, err := bitbucket.NewBasicAuth(user, password)
+	if err != nil {
+		return nil, fmt.Errorf("error creating BitBucket Cloud client with basic auth: %w", err)
+	}
 	client := &ExtendedClient{
-		bitbucket.NewBasicAuth(user, password),
+		bitbucketClient,
 		user,
 		password,
 		owner,
--- a/applicationset/services/scm_provider/bitbucket_server_test.go
+++ b/applicationset/services/scm_provider/bitbucket_server_test.go
@ -445,7 +445,6 @@ func TestListReposTLS(t *testing.T) {
 	}

 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				defaultHandler(t)(w, r)
--- a/applicationset/services/scm_provider/gitea.go
+++ b/applicationset/services/scm_provider/gitea.go
@ -12,14 +12,15 @@ import (
 )

 type GiteaProvider struct {
-	client      *gitea.Client
-	owner       string
-	allBranches bool
+	client               *gitea.Client
+	owner                string
+	allBranches          bool
+	excludeArchivedRepos bool
 }

 var _ SCMProviderService = &GiteaProvider{}

-func NewGiteaProvider(owner, token, url string, allBranches, insecure bool) (*GiteaProvider, error) {
+func NewGiteaProvider(owner, token, url string, allBranches, insecure, excludeArchivedRepos bool) (*GiteaProvider, error) {
 	if token == "" {
 		token = os.Getenv("GITEA_TOKEN")
 	}
@ -40,9 +41,10 @@ func NewGiteaProvider(owner, token, url string, allBranches, insecure bool) (*Gi
 		return nil, fmt.Errorf("error creating a new gitea client: %w", err)
 	}
 	return &GiteaProvider{
-		client:      client,
-		owner:       owner,
-		allBranches: allBranches,
+		client:               client,
+		owner:                owner,
+		allBranches:          allBranches,
+		excludeArchivedRepos: excludeArchivedRepos,
 	}, nil
 }

@ -114,6 +116,11 @@ func (g *GiteaProvider) ListRepos(_ context.Context, cloneProtocol string) ([]*R
 		for _, label := range giteaLabels {
 			labels = append(labels, label.Name)
 		}
+
+		if g.excludeArchivedRepos && repo.Archived {
+			continue
+		}
+
 		repos = append(repos, &Repository{
 			Organization: g.owner,
 			Repository:   repo.Name,
--- a/applicationset/services/scm_provider/gitea_test.go
+++ b/applicationset/services/scm_provider/gitea_test.go
@ -100,17 +100,96 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 					"mirror_interval": "",
 					"mirror_updated": "0001-01-01T00:00:00Z",
 					"repo_transfer": null
-				}]`)
+				},
+				{
+					"id": 21619,
+					"owner": {
+						"id": 31480,
+						"login": "test-argocd",
+						"full_name": "",
+						"email": "",
+						"avatar_url": "https://gitea.com/avatars/22d1b1d3f61abf95951c4a958731d848",
+						"language": "",
+						"is_admin": false,
+						"last_login": "0001-01-01T00:00:00Z",
+						"created": "2022-04-06T02:28:06+08:00",
+						"restricted": false,
+						"active": false,
+						"prohibit_login": false,
+						"location": "",
+						"website": "",
+						"description": "",
+						"visibility": "public",
+						"followers_count": 0,
+						"following_count": 0,
+						"starred_repos_count": 0,
+						"username": "test-argocd"
+					},
+					"name": "another-repo",
+					"full_name": "test-argocd/another-repo",
+					"description": "",
+					"empty": false,
+					"private": false,
+					"fork": false,
+					"template": false,
+					"parent": null,
+					"mirror": false,
+					"size": 28,
+					"language": "",
+					"languages_url": "https://gitea.com/api/v1/repos/test-argocd/another-repo/languages",
+					"html_url": "https://gitea.com/test-argocd/another-repo",
+					"ssh_url": "git@gitea.com:test-argocd/another-repo.git",
+					"clone_url": "https://gitea.com/test-argocd/another-repo.git",
+					"original_url": "",
+					"website": "",
+					"stars_count": 0,
+					"forks_count": 0,
+					"watchers_count": 1,
+					"open_issues_count": 0,
+					"open_pr_counter": 1,
+					"release_counter": 0,
+					"default_branch": "main",
+					"archived": true,
+					"created_at": "2022-04-06T02:32:09+08:00",
+					"updated_at": "2022-04-06T02:33:12+08:00",
+					"permissions": {
+						"admin": false,
+						"push": false,
+						"pull": true
+					},
+					"has_issues": true,
+					"internal_tracker": {
+						"enable_time_tracker": true,
+						"allow_only_contributors_to_track_time": true,
+						"enable_issue_dependencies": true
+					},
+					"has_wiki": true,
+					"has_pull_requests": true,
+					"has_projects": true,
+					"ignore_whitespace_conflicts": false,
+					"allow_merge_commits": true,
+					"allow_rebase": true,
+					"allow_rebase_explicit": true,
+					"allow_squash_merge": true,
+					"default_merge_style": "merge",
+					"avatar_url": "",
+					"internal": false,
+					"mirror_interval": "",
+					"mirror_updated": "0001-01-01T00:00:00Z",
+					"repo_transfer": null
+				}
+
+				]`)
 			if err != nil {
 				t.Fail()
 			}
-		case "/api/v1/repos/test-argocd/pr-test/branches/main":
+		case "/api/v1/repos/test-argocd/another-repo/branches/main":
 			_, err := io.WriteString(w, `{
 				"name": "main",
 				"commit": {
-					"id": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"id": "1fa33898cf84e89836863e3a5e76eee45777b4b0",
 					"message": "initial commit\n",
-					"url": "https://gitea.com/test-argocd/pr-test/commit/72687815ccba81ef014a96201cc2e846a68789d8",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/1fa33898cf84e89836863e3a5e76eee45777b4b0",
 					"author": {
 						"name": "Dan Molik",
 						"email": "dan@danmolik.com",
@ -144,13 +223,209 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v1/repos/test-argocd/pr-test/branches/test":
+			_, err := io.WriteString(w, `{
+				"name": "test",
+				"commit": {
+					"id": "28c3b329933f6fefd9b55225535123bbffec5a46",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/28c3b329933f6fefd9b55225535123bbffec5a46",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/another-repo/branches/test":
+			_, err := io.WriteString(w, `{
+				"name": "test",
+				"commit": {
+					"id": "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/another-repo/commit/32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/pr-test/branches/main":
+			_, err := io.WriteString(w, `{
+				"name": "main",
+				"commit": {
+					"id": "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/another-repo/branches?limit=0&page=1":
+			_, err := io.WriteString(w, `[{
+				"name": "main",
+				"commit": {
+					"id": "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			},
+			{
+				"name": "test",
+				"commit": {
+					"id": "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					"message": "add an empty file\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiugACgkQlgCr7m50\nzBN+7wgAkCHD3KfX3Ffkqv2qPwqgHNYM1bA6Hmffzhv0YeD9jWCI3tp0JulP4iFZ\ncQ7jqx9xP9tCQMSFCaijLRHaE6Js1xrVtf0OKRkbpdlvkyrIM3sQhqyQgAsISrDG\nLzSqeoQQjglzeWESYh2Tjn1CgqQNKjI6LLepSwvF1pIeV4pJpJobaEbIfTgStdzM\nWEk8o0I+EZaYqK0C0vU9N0LK/LR/jnlaHsb4OUjvk+S7lRjZwBkrsg7P/QsqtCVd\nw5nkxDiCx1J58zKMnQ7ZinJEK9A5WYdnMYc6aBn7ARgZrblXPPBkkKUhEv3ZSPeW\nKv9i4GQy838xkVSTFkHNj1+a5o6zEA==\n=JiFw\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree cdddf3e1d6a8a7e6899a044d0e1bc73bf798e2f5\nparent 72687815ccba81ef014a96201cc2e846a68789d8\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183458 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183458 -0400\n\nadd an empty file\n"
+					},
+					"timestamp": "2022-04-05T14:30:58-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v1/repos/test-argocd/pr-test/branches?limit=0&page=1":
 			_, err := io.WriteString(w, `[{
 				"name": "main",
 				"commit": {
-					"id": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"id": "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
 					"message": "initial commit\n",
-					"url": "https://gitea.com/test-argocd/pr-test/commit/72687815ccba81ef014a96201cc2e846a68789d8",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/75f6fceff80f6aaf12b65a2cf6a89190b866625b",
 					"author": {
 						"name": "Dan Molik",
 						"email": "dan@danmolik.com",
@ -183,9 +458,9 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			}, {
 				"name": "test",
 				"commit": {
-					"id": "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"id": "28c3b329933f6fefd9b55225535123bbffec5a46",
 					"message": "add an empty file\n",
-					"url": "https://gitea.com/test-argocd/pr-test/commit/7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/28c3b329933f6fefd9b55225535123bbffec5a46",
 					"author": {
 						"name": "Dan Molik",
 						"email": "dan@danmolik.com",
@ -261,40 +536,270 @@ func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {

 func TestGiteaListRepos(t *testing.T) {
 	cases := []struct {
-		name, proto, url                        string
+		name, proto                             string
 		hasError, allBranches, includeSubgroups bool
+		excludeArchivedRepos                    bool
 		branches                                []string
+		expectedRepos                           []*Repository
 		filters                                 []v1alpha1.SCMProviderGeneratorFilter
 	}{
 		{
-			name:        "blank protocol",
-			allBranches: false,
-			url:         "git@gitea.com:test-argocd/pr-test.git",
-			branches:    []string{"main"},
+			name:                 "blank protocol",
+			allBranches:          false,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"main"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					RepositoryId: 21618,
+					Labels:       []string{},
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					RepositoryId: 21619,
+					Labels:       []string{},
+				},
+			},
 		},
 		{
-			name:        "ssh protocol",
-			allBranches: false,
-			proto:       "ssh",
-			url:         "git@gitea.com:test-argocd/pr-test.git",
+			name:                 "ssh protocol",
+			allBranches:          false,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			proto: "ssh",
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					RepositoryId: 21618,
+					Labels:       []string{},
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					RepositoryId: 21619,
+					Labels:       []string{},
+				},
+			},
 		},
 		{
-			name:        "https protocol",
-			allBranches: false,
-			proto:       "https",
-			url:         "https://gitea.com/test-argocd/pr-test",
+			name:                 "https protocol",
+			allBranches:          false,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			proto: "https",
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "https://gitea.com/test-argocd/pr-test",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					RepositoryId: 21618,
+					Labels:       []string{},
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "https://gitea.com/test-argocd/another-repo",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					RepositoryId: 21619,
+					Labels:       []string{},
+				},
+			},
 		},
 		{
-			name:        "other protocol",
-			allBranches: false,
-			proto:       "other",
-			hasError:    true,
+			name:                 "other protocol",
+			allBranches:          false,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			proto:         "other",
+			hasError:      true,
+			expectedRepos: []*Repository{},
 		},
 		{
-			name:        "all branches",
-			allBranches: true,
-			url:         "git@gitea.com:test-argocd/pr-test.git",
-			branches:    []string{"main"},
+			name:                 "all branches including archived repos",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "28c3b329933f6fefd9b55225535123bbffec5a46",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+			},
+		},
+		{
+			name:                 "all branches",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "28c3b329933f6fefd9b55225535123bbffec5a46",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+			},
+		},
+		{
+			name:                 "all branches",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"main"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "1fa33898cf84e89836863e3a5e76eee45777b4b0",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "28c3b329933f6fefd9b55225535123bbffec5a46",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "another-repo",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/another-repo.git",
+					SHA:          "32cdcf613b259a9439ceabd4d1745d43f163ea70",
+					Labels:       []string{},
+					RepositoryId: 21619,
+				},
+			},
+		},
+		{
+			name:                 "all branches with no archived repos",
+			allBranches:          true,
+			excludeArchivedRepos: true,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"main"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "main",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "75f6fceff80f6aaf12b65a2cf6a89190b866625b",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+				{
+					Organization: "test-argocd",
+					Repository:   "pr-test",
+					Branch:       "test",
+					URL:          "git@gitea.com:test-argocd/pr-test.git",
+					SHA:          "28c3b329933f6fefd9b55225535123bbffec5a46",
+					Labels:       []string{},
+					RepositoryId: 21618,
+				},
+			},
 		},
 	}
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -303,26 +808,19 @@ func TestGiteaListRepos(t *testing.T) {
 	defer ts.Close()
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGiteaProvider("test-argocd", "", ts.URL, c.allBranches, false)
+			provider, _ := NewGiteaProvider("test-argocd", "", ts.URL, c.allBranches, false, c.excludeArchivedRepos)
 			rawRepos, err := ListRepos(t.Context(), provider, c.filters, c.proto)
+
 			if c.hasError {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
-				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
-				branches := []string{}
-				for _, r := range rawRepos {
-					if r.Repository == "pr-test" {
-						repos = append(repos, r)
-						branches = append(branches, r.Branch)
-					}
-				}
+				repos = append(rawRepos, repos...)
+
 				assert.NotEmpty(t, repos)
-				assert.Equal(t, c.url, repos[0].URL)
-				for _, b := range c.branches {
-					assert.Contains(t, branches, b)
-				}
+				assert.Len(t, repos, len(c.expectedRepos))
+				assert.ElementsMatch(t, c.expectedRepos, repos)
 			}
 		})
 	}
@ -333,7 +831,7 @@ func TestGiteaHasPath(t *testing.T) {
 		giteaMockHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	host, _ := NewGiteaProvider("gitea", "", ts.URL, false, false)
+	host, _ := NewGiteaProvider("gitea", "", ts.URL, false, false, false)
 	repo := &Repository{
 		Organization: "gitea",
 		Repository:   "go-sdk",
--- a/applicationset/services/scm_provider/github.go
+++ b/applicationset/services/scm_provider/github.go
@ -12,14 +12,15 @@ import (
 )

 type GithubProvider struct {
-	client       *github.Client
-	organization string
-	allBranches  bool
+	client               *github.Client
+	organization         string
+	allBranches          bool
+	excludeArchivedRepos bool
 }

 var _ SCMProviderService = &GithubProvider{}

-func NewGithubProvider(organization string, token string, url string, allBranches bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
+func NewGithubProvider(organization string, token string, url string, allBranches bool, excludeArchivedRepos bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
 	// Undocumented environment variable to set a default token, to be used in testing to dodge anonymous rate limits.
 	if token == "" {
 		token = os.Getenv("GITHUB_TOKEN")
@ -45,7 +46,7 @@ func NewGithubProvider(organization string, token string, url string, allBranche
 			return nil, err
 		}
 	}
-	return &GithubProvider{client: client, organization: organization, allBranches: allBranches}, nil
+	return &GithubProvider{client: client, organization: organization, allBranches: allBranches, excludeArchivedRepos: excludeArchivedRepos}, nil
 }

 func (g *GithubProvider) GetBranches(ctx context.Context, repo *Repository) ([]*Repository, error) {
@ -90,6 +91,11 @@ func (g *GithubProvider) ListRepos(ctx context.Context, cloneProtocol string) ([
 			default:
 				return nil, fmt.Errorf("unknown clone protocol for GitHub %v", cloneProtocol)
 			}
+
+			if g.excludeArchivedRepos && githubRepo.GetArchived() {
+				continue
+			}
+
 			repos = append(repos, &Repository{
 				Organization: githubRepo.Owner.GetLogin(),
 				Repository:   githubRepo.GetName(),
--- a/applicationset/services/scm_provider/github_app.go
+++ b/applicationset/services/scm_provider/github_app.go
@ -1,6 +1,7 @@
 package scm_provider

 import (
+	"context"
 	"net/http"

 	"github.com/argoproj/argo-cd/v3/applicationset/services/github_app_auth"
@ -8,11 +9,11 @@ import (
 	appsetutils "github.com/argoproj/argo-cd/v3/applicationset/utils"
 )

-func NewGithubAppProviderFor(g github_app_auth.Authentication, organization string, url string, allBranches bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
+func NewGithubAppProviderFor(ctx context.Context, g github_app_auth.Authentication, organization string, url string, allBranches bool, excludeArchivedRepos bool, optionalHTTPClient ...*http.Client) (*GithubProvider, error) {
 	httpClient := appsetutils.GetOptionalHTTPClient(optionalHTTPClient...)
-	client, err := github_app.Client(g, url, httpClient)
+	client, err := github_app.Client(ctx, g, url, organization, httpClient)
 	if err != nil {
 		return nil, err
 	}
-	return &GithubProvider{client: client, organization: organization, allBranches: allBranches}, nil
+	return &GithubProvider{client: client, organization: organization, allBranches: allBranches, excludeArchivedRepos: excludeArchivedRepos}, nil
 }
--- a/applicationset/services/scm_provider/github_test.go
+++ b/applicationset/services/scm_provider/github_test.go
@ -122,6 +122,110 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 					"pull": true
 				  },
 				  "template_repository": null
+				},
+				{
+				  "id": 1296270,
+				  "node_id": "MDEwOlJlcGsddRvcnkxMjk2MjY5",
+				  "name": "another-repo",
+				  "full_name": "argoproj/another-repo",
+				  "owner": {
+					"login": "argoproj",
+					"id": 1,
+					"node_id": "MDQ6VXNlcjE=",
+					"avatar_url": "https://github.com/images/error/argoproj_happy.gif",
+					"gravatar_id": "",
+					"url": "https://api.github.com/users/argoproj",
+					"html_url": "https://github.com/argoproj",
+					"followers_url": "https://api.github.com/users/argoproj/followers",
+					"following_url": "https://api.github.com/users/argoproj/following{/other_user}",
+					"gists_url": "https://api.github.com/users/argoproj/gists{/gist_id}",
+					"starred_url": "https://api.github.com/users/argoproj/starred{/owner}{/repo}",
+					"subscriptions_url": "https://api.github.com/users/argoproj/subscriptions",
+					"organizations_url": "https://api.github.com/users/argoproj/orgs",
+					"repos_url": "https://api.github.com/users/argoproj/repos",
+					"events_url": "https://api.github.com/users/argoproj/events{/privacy}",
+					"received_events_url": "https://api.github.com/users/argoproj/received_events",
+					"type": "User",
+					"site_admin": false
+				  },
+				  "private": false,
+				  "html_url": "https://github.com/argoproj/another-repo",
+				  "description": "This your first repo!",
+				  "fork": false,
+				  "url": "https://api.github.com/repos/argoproj/another-repo",
+				  "archive_url": "https://api.github.com/repos/argoproj/another-repo/{archive_format}{/ref}",
+				  "assignees_url": "https://api.github.com/repos/argoproj/another-repo/assignees{/user}",
+				  "blobs_url": "https://api.github.com/repos/argoproj/another-repo/git/blobs{/sha}",
+				  "branches_url": "https://api.github.com/repos/argoproj/another-repo/branches{/branch}",
+				  "collaborators_url": "https://api.github.com/repos/argoproj/another-repo/collaborators{/collaborator}",
+				  "comments_url": "https://api.github.com/repos/argoproj/another-repo/comments{/number}",
+				  "commits_url": "https://api.github.com/repos/argoproj/another-repo/commits{/sha}",
+				  "compare_url": "https://api.github.com/repos/argoproj/another-repo/compare/{base}...{head}",
+				  "contents_url": "https://api.github.com/repos/argoproj/another-repo/contents/{path}",
+				  "contributors_url": "https://api.github.com/repos/argoproj/another-repo/contributors",
+				  "deployments_url": "https://api.github.com/repos/argoproj/another-repo/deployments",
+				  "downloads_url": "https://api.github.com/repos/argoproj/another-repo/downloads",
+				  "events_url": "https://api.github.com/repos/argoproj/another-repo/events",
+				  "forks_url": "https://api.github.com/repos/argoproj/another-repo/forks",
+				  "git_commits_url": "https://api.github.com/repos/argoproj/another-repo/git/commits{/sha}",
+				  "git_refs_url": "https://api.github.com/repos/argoproj/another-repo/git/refs{/sha}",
+				  "git_tags_url": "https://api.github.com/repos/argoproj/another-repo/git/tags{/sha}",
+				  "git_url": "git:github.com/argoproj/another-repo.git",
+				  "issue_comment_url": "https://api.github.com/repos/argoproj/another-repo/issues/comments{/number}",
+				  "issue_events_url": "https://api.github.com/repos/argoproj/another-repo/issues/events{/number}",
+				  "issues_url": "https://api.github.com/repos/argoproj/another-repo/issues{/number}",
+				  "keys_url": "https://api.github.com/repos/argoproj/another-repo/keys{/key_id}",
+				  "labels_url": "https://api.github.com/repos/argoproj/another-repo/labels{/name}",
+				  "languages_url": "https://api.github.com/repos/argoproj/another-repo/languages",
+				  "merges_url": "https://api.github.com/repos/argoproj/another-repo/merges",
+				  "milestones_url": "https://api.github.com/repos/argoproj/another-repo/milestones{/number}",
+				  "notifications_url": "https://api.github.com/repos/argoproj/another-repo/notifications{?since,all,participating}",
+				  "pulls_url": "https://api.github.com/repos/argoproj/another-repo/pulls{/number}",
+				  "releases_url": "https://api.github.com/repos/argoproj/another-repo/releases{/id}",
+				  "ssh_url": "git@github.com:argoproj/another-repo.git",
+				  "stargazers_url": "https://api.github.com/repos/argoproj/another-repo/stargazers",
+				  "statuses_url": "https://api.github.com/repos/argoproj/another-repo/statuses/{sha}",
+				  "subscribers_url": "https://api.github.com/repos/argoproj/another-repo/subscribers",
+				  "subscription_url": "https://api.github.com/repos/argoproj/another-repo/subscription",
+				  "tags_url": "https://api.github.com/repos/argoproj/another-repo/tags",
+				  "teams_url": "https://api.github.com/repos/argoproj/another-repo/teams",
+				  "trees_url": "https://api.github.com/repos/argoproj/another-repo/git/trees{/sha}",
+				  "clone_url": "https://github.com/argoproj/another-repo.git",
+				  "mirror_url": "git:git.example.com/argoproj/another-repo",
+				  "hooks_url": "https://api.github.com/repos/argoproj/another-repo/hooks",
+				  "svn_url": "https://svn.github.com/argoproj/another-repo",
+				  "homepage": "https://github.com",
+				  "language": null,
+				  "forks_count": 9,
+				  "stargazers_count": 80,
+				  "watchers_count": 80,
+				  "size": 108,
+				  "default_branch": "master",
+				  "open_issues_count": 0,
+				  "is_template": false,
+				  "topics": [
+					"argoproj",
+					"atom",
+					"electron",
+					"api"
+				  ],
+				  "has_issues": true,
+				  "has_projects": true,
+				  "has_wiki": true,
+				  "has_pages": false,
+				  "has_downloads": true,
+				  "archived": true,
+				  "disabled": false,
+				  "visibility": "public",
+				  "pushed_at": "2011-01-26T19:06:43Z",
+				  "created_at": "2011-01-26T19:01:12Z",
+				  "updated_at": "2011-01-26T19:14:43Z",
+				  "permissions": {
+					"admin": false,
+					"push": false,
+					"pull": true
+				  },
+				  "template_repository": null
 				}
 			  ]`)
 			if err != nil {
@ -146,12 +250,55 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 					}
 				  },
 				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
+				},
+				{
+				  "name": "test",
+				  "commit": {
+					"sha": "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					"url": "https://api.github.com/repos/argoproj/argo-cd/commits/80a6e93f16e8093e24091b03c614362df3fb9b92"
+				  },
+				  "protected": true,
+				  "protection": {
+					"required_status_checks": {
+					  "enforcement_level": "non_admins",
+					  "contexts": [
+						"ci-test",
+						"linter"
+					  ]
+					}
+				  },
+				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
 				}
 			  ]
 			`)
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v3/repos/argoproj/another-repo/branches?per_page=100":
+			_, err := io.WriteString(w, `[
+				{
+				  "name": "main",
+				  "commit": {
+					"sha": "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					"url": "https://api.github.com/repos/argoproj/another-repo/commits/19b016818bc0e0a44ddeaab345838a2a6c97fa67"
+				  },
+				  "protected": true,
+				  "protection": {
+					"required_status_checks": {
+					  "enforcement_level": "non_admins",
+					  "contexts": [
+						"ci-test",
+						"linter"
+					  ]
+					}
+				  },
+				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
+					}
+			  ]
+			`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v3/repos/argoproj/argo-cd/contents/pkg?ref=master":
 			_, err := io.WriteString(w, `{
 				"type": "file",
@ -196,6 +343,50 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v3/repos/argoproj/argo-cd/branches/test":
+			_, err := io.WriteString(w, `{
+				"name": "test",
+				"commit": {
+				  "sha": "80a6e93f16e8093e24091b03c614362df3fb9b92",
+				  "url": "https://api.github.com/repos/octocat/Hello-World/commits/80a6e93f16e8093e24091b03c614362df3fb9b92"
+				},
+				"protected": true,
+				"protection": {
+				  "required_status_checks": {
+					"enforcement_level": "non_admins",
+					"contexts": [
+					  "ci-test",
+					  "linter"
+					]
+				  }
+				},
+				"protection_url": "https://api.github.com/repos/octocat/hello-world/branches/test/protection"
+			  }`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/another-repo/branches/main":
+			_, err := io.WriteString(w, `{
+					"name": "main",
+					"commit": {
+						"sha": "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+						"url": "https://api.github.com/repos/octocat/Hello-World/commits/c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc"
+					},
+					"protected": true,
+					"protection": {
+						"required_status_checks": {
+						"enforcement_level": "non_admins",
+						"contexts": [
+							"ci-test",
+							"linter"
+						]
+						}
+					},
+					"protection_url": "https://api.github.com/repos/octocat/hello-world/branches/master/protection"
+					}`)
+			if err != nil {
+				t.Fail()
+			}
 		default:
 			w.WriteHeader(http.StatusNotFound)
 		}
@ -203,37 +394,276 @@ func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 }

 func TestGithubListRepos(t *testing.T) {
+	idptr := func(i int64) *int64 {
+		return &i
+	}
+	// Test cases for ListRepos
 	cases := []struct {
-		name, proto, url      string
+		name, proto           string
 		hasError, allBranches bool
-		branches              []string
+		excludeArchivedRepos  bool
+		expectedRepos         []*Repository
 		filters               []v1alpha1.SCMProviderGeneratorFilter
 	}{
 		{
-			name:     "blank protocol",
-			url:      "git@github.com:argoproj/argo-cd.git",
-			branches: []string{"master"},
+			name:                 "blank protocol",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@github.com:argoproj/another-repo.git",
+					SHA:          "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296270),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 		{
-			name:  "ssh protocol",
-			proto: "ssh",
-			url:   "git@github.com:argoproj/argo-cd.git",
+			name:                 "ssh protocol",
+			proto:                "ssh",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@github.com:argoproj/another-repo.git",
+					SHA:          "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296270),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 		{
-			name:  "https protocol",
-			proto: "https",
-			url:   "https://github.com/argoproj/argo-cd.git",
+			name:                 "https protocol",
+			proto:                "https",
+			allBranches:          true,
+			excludeArchivedRepos: false,
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "https://github.com/argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "https://github.com/argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "https://github.com/argoproj/another-repo.git",
+					SHA:          "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296270),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 		{
-			name:     "other protocol",
-			proto:    "other",
-			hasError: true,
+			name:                 "other protocol",
+			proto:                "other",
+			hasError:             true,
+			excludeArchivedRepos: false,
+			expectedRepos:        []*Repository{},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 		{
-			name:        "all branches",
-			allBranches: true,
-			url:         "git@github.com:argoproj/argo-cd.git",
-			branches:    []string{"master"},
+			name:                 "all branches with archived repos",
+			allBranches:          true,
+			proto:                "ssh",
+			excludeArchivedRepos: false,
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "git@github.com:argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "another-repo",
+					Branch:       "main",
+					URL:          "git@github.com:argoproj/another-repo.git",
+					SHA:          "19b016818bc0e0a44ddeaab345838a2a6c97fa67",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296270),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
+		},
+		{
+			name:                 "test repo all branches without archived repos",
+			allBranches:          true,
+			excludeArchivedRepos: true,
+			proto:                "https",
+			expectedRepos: []*Repository{
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "master",
+					URL:          "https://github.com/argoproj/argo-cd.git",
+					SHA:          "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+				{
+					Organization: "argoproj",
+					Repository:   "argo-cd",
+					Branch:       "test",
+					URL:          "https://github.com/argoproj/argo-cd.git",
+					SHA:          "80a6e93f16e8093e24091b03c614362df3fb9b92",
+					Labels: []string{
+						"argoproj",
+						"atom",
+						"electron",
+						"api",
+					},
+					RepositoryId: idptr(1296269),
+				},
+			},
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{},
+			},
 		},
 	}
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -242,26 +672,18 @@ func TestGithubListRepos(t *testing.T) {
 	defer ts.Close()
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGithubProvider("argoproj", "", ts.URL, c.allBranches)
+			provider, _ := NewGithubProvider("argoproj", "", ts.URL, c.allBranches, c.excludeArchivedRepos)
 			rawRepos, err := ListRepos(t.Context(), provider, c.filters, c.proto)
 			if c.hasError {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
-				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
-				branches := []string{}
-				for _, r := range rawRepos {
-					if r.Repository == "argo-cd" {
-						repos = append(repos, r)
-						branches = append(branches, r.Branch)
-					}
-				}
+				repos = append(rawRepos, repos...)
+
 				assert.NotEmpty(t, repos)
-				assert.Equal(t, c.url, repos[0].URL)
-				for _, b := range c.branches {
-					assert.Contains(t, branches, b)
-				}
+				assert.Len(t, repos, len(c.expectedRepos))
+				assert.ElementsMatch(t, c.expectedRepos, repos)
 			}
 		})
 	}
@ -280,7 +702,7 @@ func TestGithubHasPath(t *testing.T) {
 		githubMockHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	host, _ := NewGithubProvider("argoproj", "", ts.URL, false)
+	host, _ := NewGithubProvider("argoproj", "", ts.URL, false, false)
 	repo := &Repository{
 		Organization: "argoproj",
 		Repository:   "argo-cd",
@ -300,7 +722,7 @@ func TestGithubGetBranches(t *testing.T) {
 		githubMockHandler(t)(w, r)
 	}))
 	defer ts.Close()
-	host, _ := NewGithubProvider("argoproj", "", ts.URL, false)
+	host, _ := NewGithubProvider("argoproj", "", ts.URL, false, false)
 	repo := &Repository{
 		Organization: "argoproj",
 		Repository:   "argo-cd",
@ -328,6 +750,6 @@ func TestGithubGetBranches(t *testing.T) {
 		require.NoError(t, err)
 	} else {
 		// considering master  branch to  exist.
-		assert.Len(t, repos, 1)
+		assert.Len(t, repos, 2)
 	}
 }
--- a/applicationset/services/scm_provider/gitlab.go
+++ b/applicationset/services/scm_provider/gitlab.go
@ -19,12 +19,13 @@ type GitlabProvider struct {
 	allBranches           bool
 	includeSubgroups      bool
 	includeSharedProjects bool
+	includeArchivedRepos  bool
 	topic                 string
 }

 var _ SCMProviderService = &GitlabProvider{}

-func NewGitlabProvider(organization string, token string, url string, allBranches, includeSubgroups, includeSharedProjects, insecure bool, scmRootCAPath, topic string, caCerts []byte) (*GitlabProvider, error) {
+func NewGitlabProvider(organization string, token string, url string, allBranches, includeSubgroups, includeSharedProjects, includeArchivedRepos, insecure bool, scmRootCAPath, topic string, caCerts []byte) (*GitlabProvider, error) {
 	// Undocumented environment variable to set a default token, to be used in testing to dodge anonymous rate limits.
 	if token == "" {
 		token = os.Getenv("GITLAB_TOKEN")
@ -51,7 +52,15 @@ func NewGitlabProvider(organization string, token string, url string, allBranche
 		}
 	}

-	return &GitlabProvider{client: client, organization: organization, allBranches: allBranches, includeSubgroups: includeSubgroups, includeSharedProjects: includeSharedProjects, topic: topic}, nil
+	return &GitlabProvider{
+		client:                client,
+		organization:          organization,
+		allBranches:           allBranches,
+		includeSubgroups:      includeSubgroups,
+		includeSharedProjects: includeSharedProjects,
+		includeArchivedRepos:  includeArchivedRepos,
+		topic:                 topic,
+	}, nil
 }

 func (g *GitlabProvider) GetBranches(ctx context.Context, repo *Repository) ([]*Repository, error) {
@ -76,13 +85,23 @@ func (g *GitlabProvider) GetBranches(ctx context.Context, repo *Repository) ([]*
 }

 func (g *GitlabProvider) ListRepos(_ context.Context, cloneProtocol string) ([]*Repository, error) {
+	snippetsListOptions := gitlab.ExploreSnippetsOptions{
+		ListOptions: gitlab.ListOptions{
+			PerPage: 100,
+		},
+	}
 	opt := &gitlab.ListGroupProjectsOptions{
-		ListOptions:      gitlab.ListOptions{PerPage: 100},
+		ListOptions:      snippetsListOptions.ListOptions,
 		IncludeSubGroups: &g.includeSubgroups,
 		WithShared:       &g.includeSharedProjects,
 		Topic:            &g.topic,
 	}

+	// gitlab does not include Archived repos by default
+	if g.includeArchivedRepos {
+		opt.Archived = gitlab.Ptr(true)
+	}
+
 	repos := []*Repository{}
 	for {
 		gitlabRepos, resp, err := g.client.Groups.ListGroupProjects(g.organization, opt)
@ -173,8 +192,13 @@ func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gi
 		return branches, nil
 	}
 	// Otherwise, scrape the ListBranches API.
+	snippetsListOptions := gitlab.ExploreSnippetsOptions{
+		ListOptions: gitlab.ListOptions{
+			PerPage: 100,
+		},
+	}
 	opt := &gitlab.ListBranchesOptions{
-		ListOptions: gitlab.ListOptions{PerPage: 100},
+		ListOptions: snippetsListOptions.ListOptions,
 	}
 	for {
 		gitlabBranches, resp, err := g.client.Branches.ListBranches(repo.RepositoryId, opt)
--- a/applicationset/services/scm_provider/gitlab_test.go
+++ b/applicationset/services/scm_provider/gitlab_test.go
@ -3,7 +3,6 @@ package scm_provider
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@ -19,12 +18,9 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 	t.Helper()
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		fmt.Println(r.RequestURI)
 		switch r.RequestURI {
 		case "/api/v4":
-			fmt.Println("here1")
-		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100&topic=&with_shared=false":
-			fmt.Println("here")
+		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100&topic=&with_shared=false", "/api/v4/groups/test-argocd-proton/projects?archived=false&include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?archived=false&include_subgroups=false&per_page=100&topic=&with_shared=false":
 			_, err := io.WriteString(w, `[{
 				"id": 27084533,
 				"description": "",
@ -151,8 +147,253 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v4/groups/test-argocd-proton/projects?archived=true&include_subgroups=false&per_page=100", "/api/v4/groups/test-argocd-proton/projects?archived=true&include_subgroups=false&per_page=100&topic=&with_shared=false":
+			_, err := io.WriteString(w, `[{
+				"id": 27084533,
+				"description": "",
+				"name": "argocd",
+				"name_with_namespace": "test argocd proton / argocd",
+				"path": "argocd",
+				"path_with_namespace": "test-argocd-proton/argocd",
+				"created_at": "2021-06-01T17:30:44.724Z",
+				"default_branch": "master",
+				"tag_list": [],
+				"topics": [],
+				"ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/argocd.git",
+				"http_url_to_repo": "https://gitlab.com/test-argocd-proton/argocd.git",
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd",
+				"readme_url": null,
+				"avatar_url": null,
+				"forks_count": 0,
+				"star_count": 0,
+				"last_activity_at": "2021-06-04T08:19:51.656Z",
+				"namespace": {
+					"id": 12258515,
+					"name": "test argocd proton",
+					"path": "test-argocd-proton",
+					"kind": "gro* Connection #0 to host gitlab.com left intact up ",
+					"full_path ": "test - argocd - proton ",
+					"parent_id ": null,
+					"avatar_url ": null,
+					"web_url ": "https: //gitlab.com/groups/test-argocd-proton"
+				},
+				"container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/argocd",
+				"_links": {
+					"self": "https://gitlab.com/api/v4/projects/27084533",
+					"issues": "https://gitlab.com/api/v4/projects/27084533/issues",
+					"merge_requests": "https://gitlab.com/api/v4/projects/27084533/merge_requests",
+					"repo_branches": "https://gitlab.com/api/v4/projects/27084533/repository/branches",
+					"labels": "https://gitlab.com/api/v4/projects/27084533/labels",
+					"events": "https://gitlab.com/api/v4/projects/27084533/events",
+					"members": "https://gitlab.com/api/v4/projects/27084533/members",
+					"cluster_agents": "https://gitlab.com/api/v4/projects/27084533/cluster_agents"
+				},
+				"packages_enabled": true,
+				"empty_repo": false,
+				"archived": false,
+				"visibility": "public",
+				"resolve_outdated_diff_discussions": false,
+				"container_expiration_policy": {
+					"cadence": "1d",
+					"enabled": false,
+					"keep_n": 10,
+					"older_than": "90d",
+					"name_regex": ".*",
+					"name_regex_keep": null,
+					"next_run_at": "2021-06-02T17:30:44.740Z"
+				},
+				"issues_enabled": true,
+				"merge_requests_enabled": true,
+				"wiki_enabled": true,
+				"jobs_enabled": true,
+				"snippets_enabled": true,
+				"container_registry_enabled": true,
+				"service_desk_enabled": true,
+				"can_create_merge_request_in": false,
+				"issues_access_level": "enabled",
+				"repository_access_level": "enabled",
+				"merge_requests_access_level": "enabled",
+				"forking_access_level": "enabled",
+				"wiki_access_level": "enabled",
+				"builds_access_level": "enabled",
+				"snippets_access_level": "enabled",
+				"pages_access_level": "enabled",
+				"operations_access_level": "enabled",
+				"analytics_access_level": "enabled",
+				"container_registry_access_level": "enabled",
+				"security_and_compliance_access_level": "private",
+				"emails_disabled": null,
+				"shared_runners_enabled": true,
+				"lfs_enabled": true,
+				"creator_id": 2378866,
+				"import_status": "none",
+				"open_issues_count": 0,
+				"ci_default_git_depth": 50,
+				"ci_forward_deployment_enabled": true,
+				"ci_job_token_scope_enabled": false,
+				"public_jobs": true,
+				"build_timeout": 3600,
+				"auto_cancel_pending_pipelines": "enabled",
+				"ci_config_path": "",
+				"shared_with_groups": [],
+				"only_allow_merge_if_pipeline_succeeds": false,
+				"allow_merge_on_skipped_pipeline": null,
+				"restrict_user_defined_variables": false,
+				"request_access_enabled": true,
+				"only_allow_merge_if_all_discussions_are_resolved": false,
+				"remove_source_branch_after_merge": true,
+				"printing_merge_request_link_enabled": true,
+				"merge_method": "merge",
+				"squash_option": "default_off",
+				"suggestion_commit_message": null,
+				"merge_commit_template": null,
+				"squash_commit_template": null,
+				"auto_devops_enabled": false,
+				"auto_devops_deploy_strategy": "continuous",
+				"autoclose_referenced_issues": true,
+				"keep_latest_artifact": true,
+				"runner_token_expiration_interval": null,
+				"approvals_before_merge": 0,
+				"mirror": false,
+				"external_authorization_classification_label": "",
+				"marked_for_deletion_at": null,
+				"marked_for_deletion_on": null,
+				"requirements_enabled": true,
+				"requirements_access_level": "enabled",
+				"security_and_compliance_enabled": false,
+				"compliance_frameworks": [],
+				"issues_template": null,
+				"merge_requests_template": null,
+				"merge_pipelines_enabled": false,
+				"merge_trains_enabled": false
+			},
+			{
+				"id": 56522142,
+				"description": "",
+				"name": "another-repo",
+				"name_with_namespace": "test argocd proton / another-repo",
+				"path": "another-repo",
+				"path_with_namespace": "test-argocd-proton/another-repo",
+				"created_at": "2022-09-13T12:10:14.722Z",
+				"default_branch": "master",
+				"tag_list": [
+					"test-topic"
+				],
+				"topics": [
+					"test-topic"
+				],
+				"ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/another-repo.git",
+				"http_url_to_repo": "https://gitlab.com/test-argocd-proton/another-repo.git",
+				"web_url": "https://gitlab.com/test-argocd-proton/another-repo",
+				"readme_url": null,
+				"avatar_url": null,
+				"forks_count": 0,
+				"star_count": 0,
+				"last_activity_at": "2021-06-04T08:19:51.656Z",
+				"namespace": {
+					"id": 12258515,
+					"name": "test argocd proton",
+					"path": "test-argocd-proton",
+					"kind": "gro* Connection #0 to host gitlab.com left intact up ",
+					"full_path ": "test - argocd - proton ",
+					"parent_id ": null,
+					"avatar_url ": null,
+					"web_url ": "https: //gitlab.com/groups/test-argocd-proton"
+				},
+				"container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/another-repo",
+				"_links": {
+					"self": "https://gitlab.com/api/v4/projects/56522142",
+					"issues": "https://gitlab.com/api/v4/projects/56522142/issues",
+					"merge_requests": "https://gitlab.com/api/v4/projects/56522142/merge_requests",
+					"repo_branches": "https://gitlab.com/api/v4/projects/56522142/repository/branches",
+					"labels": "https://gitlab.com/api/v4/projects/56522142/labels",
+					"events": "https://gitlab.com/api/v4/projects/56522142/events",
+					"members": "https://gitlab.com/api/v4/projects/56522142/members",
+					"cluster_agents": "https://gitlab.com/api/v4/projects/56522142/cluster_agents"
+				},
+				"packages_enabled": true,
+				"empty_repo": false,
+				"archived": true,
+				"visibility": "public",
+				"resolve_outdated_diff_discussions": false,
+				"container_expiration_policy": {
+					"cadence": "1d",
+					"enabled": false,
+					"keep_n": 10,
+					"older_than": "90d",
+					"name_regex": ".*",
+					"name_regex_keep": null,
+					"next_run_at": "2021-06-02T17:30:44.740Z"
+				},
+				"issues_enabled": true,
+				"merge_requests_enabled": true,
+				"wiki_enabled": true,
+				"jobs_enabled": true,
+				"snippets_enabled": true,
+				"container_registry_enabled": true,
+				"service_desk_enabled": true,
+				"can_create_merge_request_in": false,
+				"issues_access_level": "enabled",
+				"repository_access_level": "enabled",
+				"merge_requests_access_level": "enabled",
+				"forking_access_level": "enabled",
+				"wiki_access_level": "enabled",
+				"builds_access_level": "enabled",
+				"snippets_access_level": "enabled",
+				"pages_access_level": "enabled",
+				"operations_access_level": "enabled",
+				"analytics_access_level": "enabled",
+				"container_registry_access_level": "enabled",
+				"security_and_compliance_access_level": "private",
+				"emails_disabled": null,
+				"shared_runners_enabled": true,
+				"lfs_enabled": true,
+				"creator_id": 2378866,
+				"import_status": "none",
+				"open_issues_count": 0,
+				"ci_default_git_depth": 50,
+				"ci_forward_deployment_enabled": true,
+				"ci_job_token_scope_enabled": false,
+				"public_jobs": true,
+				"build_timeout": 3600,
+				"auto_cancel_pending_pipelines": "enabled",
+				"ci_config_path": "",
+				"shared_with_groups": [],
+				"only_allow_merge_if_pipeline_succeeds": false,
+				"allow_merge_on_skipped_pipeline": null,
+				"restrict_user_defined_variables": false,
+				"request_access_enabled": true,
+				"only_allow_merge_if_all_discussions_are_resolved": false,
+				"remove_source_branch_after_merge": true,
+				"printing_merge_request_link_enabled": true,
+				"merge_method": "merge",
+				"squash_option": "default_off",
+				"suggestion_commit_message": null,
+				"merge_commit_template": null,
+				"squash_commit_template": null,
+				"auto_devops_enabled": false,
+				"auto_devops_deploy_strategy": "continuous",
+				"autoclose_referenced_issues": true,
+				"keep_latest_artifact": true,
+				"runner_token_expiration_interval": null,
+				"approvals_before_merge": 0,
+				"mirror": false,
+				"external_authorization_classification_label": "",
+				"marked_for_deletion_at": null,
+				"marked_for_deletion_on": null,
+				"requirements_enabled": true,
+				"requirements_access_level": "enabled",
+				"security_and_compliance_enabled": false,
+				"compliance_frameworks": [],
+				"issues_template": null,
+				"merge_requests_template": null,
+				"merge_pipelines_enabled": false,
+				"merge_trains_enabled": false
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=true&per_page=100&topic=&with_shared=false":
-			fmt.Println("here")
 			_, err := io.WriteString(w, `[{
 				"id": 27084533,
 				"description": "",
@ -406,7 +647,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 				t.Fail()
 			}
 		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100&topic=specific-topic&with_shared=false":
-			fmt.Println("here")
 			_, err := io.WriteString(w, `[{
 				"id": 27084533,
 				"description": "",
@ -537,7 +777,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 				t.Fail()
 			}
 		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=true&per_page=100&topic=&with_shared=true":
-			fmt.Println("here")
 			_, err := io.WriteString(w, `[{
 				"id": 27084533,
 				"description": "",
@ -796,7 +1035,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 				t.Fail()
 			}
 		case "/api/v4/projects/27084533/repository/branches/master":
-			fmt.Println("returning")
 			_, err := io.WriteString(w, `{
 				"name": "master",
 				"commit": {
@ -826,6 +1064,36 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v4/projects/56522142/repository/branches/master":
+			_, err := io.WriteString(w, `{
+				"name": "master",
+				"commit": {
+					"id": "9998d7999fc99dd0fd578650b58b244fc63f6b53",
+					"short_id": "9998d799",
+					"created_at": "2023-08-04T08:14:14.000+00:00",
+					"parent_ids": ["5d9d50be1ef949ad28674e238c7e12a17b1e9706", "99482e001731640b4123cf177e51c696f08a3005"],
+					"title": "Merge branch 'pipeline-4547911429' into 'master'",
+					"message": "Merge branch 'pipeline-4547911429' into 'master'\n\n[testapp-ci] manifests/demo/test-app.yaml: release v1.2.0\n\nSee merge request test-argocd-proton/argocd!3",
+					"author_name": "Martin Vozník",
+					"author_email": "martin@voznik.cz",
+					"authored_date": "2023-08-04T08:14:14.000+00:00",
+					"committer_name": "Martin Vozník",
+					"committer_email": "martin@voznik.cz",
+					"committed_date": "2023-08-04T08:14:14.000+00:00",
+					"trailers": {},
+					"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/commit/9998d7999fc99dd0fd578650b58b244fc63f6b53"
+				},
+				"merged": false,
+				"protected": true,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": true,
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/tree/master"
+			}`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v4/projects/27084533/repository/branches?per_page=100":
 			_, err := io.WriteString(w, `[{
 				"name": "master",
@ -991,8 +1259,62 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+		case "/api/v4/projects/56522142/repository/branches?per_page=100":
+			_, err := io.WriteString(w, `[{
+				"name": "master",
+				"commit": {
+					"id": "8898d8889fc99dd0fd578650b58b244fc63f6b58",
+					"short_id": "8898d801",
+					"created_at": "2021-06-04T08:24:44.000+00:00",
+					"parent_ids": null,
+					"title": "Merge branch 'pipeline-1317911429' into 'master'",
+					"message": "Merge branch 'pipeline-1317911429' into 'master'",
+					"author_name": "Martin Vozník",
+					"author_email": "martin@voznik.cz",
+					"authored_date": "2021-06-04T08:24:44.000+00:00",
+					"committer_name": "Martin Vozník",
+					"committer_email": "martin@voznik.cz",
+					"committed_date": "2021-06-04T08:24:44.000+00:00",
+					"trailers": null,
+					"web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/commit/8898d7999fc99dd0fd578650b58b244fc63f6b53"
+				},
+				"merged": false,
+				"protected": true,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": true,
+				"web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/tree/master"
+			}, {
+				"name": "pipeline-2310077506",
+				"commit": {
+					"id": "0f92540e5f396ba960adea4ed0aa905baf3f73d1",
+					"short_id": "0f92540e",
+					"created_at": "2021-06-01T18:39:59.000+00:00",
+					"parent_ids": null,
+					"title": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1",
+					"message": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1",
+					"author_name": "ci-test-app",
+					"author_email": "mvoznik+cicd@protonmail.com",
+					"authored_date": "2021-06-01T18:39:59.000+00:00",
+					"committer_name": "ci-test-app",
+					"committer_email": "mvoznik+cicd@protonmail.com",
+					"committed_date": "2021-06-01T18:39:59.000+00:00",
+					"trailers": null,
+					"web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/commit/0f92540e5f396ba960adea4ed0aa905baf3f73d1"
+				},
+				"merged": false,
+				"protected": false,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": false,
+				"web_url": "https://gitlab.com/test-argocd-proton/subgroup/argocd-subgroup/-/tree/pipeline-1310077506"
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
 		case "/api/v4/projects/test-argocd-proton%2Fargocd":
-			fmt.Println("auct")
 			_, err := io.WriteString(w, `{
 				"id": 27084533,
 				"description": "",
@ -1079,35 +1401,94 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {

 func TestGitlabListRepos(t *testing.T) {
 	cases := []struct {
-		name, proto, url, topic                                                  string
-		hasError, allBranches, includeSubgroups, includeSharedProjects, insecure bool
-		branches                                                                 []string
-		filters                                                                  []v1alpha1.SCMProviderGeneratorFilter
+		name, proto, topic                                                                             string
+		hasError, allBranches, includeSubgroups, includeSharedProjects, includeArchivedRepos, insecure bool
+		branches                                                                                       []string
+		expectedRepos                                                                                  []*Repository
+		filters                                                                                        []v1alpha1.SCMProviderGeneratorFilter
 	}{
 		{
-			name:     "blank protocol",
-			url:      "git@gitlab.com:test-argocd-proton/argocd.git",
+			name:                 "blank protocol",
+			allBranches:          false,
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
 			branches: []string{"master"},
-		},
-		{
-			name:  "ssh protocol",
-			proto: "ssh",
-			url:   "git@gitlab.com:test-argocd-proton/argocd.git",
-		},
-		{
-			name:  "labelmatch",
-			proto: "ssh",
-			url:   "git@gitlab.com:test-argocd-proton/argocd.git",
-			filters: []v1alpha1.SCMProviderGeneratorFilter{
+			expectedRepos: []*Repository{
 				{
-					LabelMatch: strp("test-topic"),
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
 				},
 			},
 		},
 		{
-			name:  "https protocol",
-			proto: "https",
-			url:   "https://gitlab.com/test-argocd-proton/argocd.git",
+			name:                 "ssh protocol",
+			proto:                "ssh",
+			allBranches:          false,
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"master"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+			},
+		},
+		{
+			name:                 "https protocol",
+			proto:                "https",
+			allBranches:          false,
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"master"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "https://gitlab.com/test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+			},
+		},
+		{
+			name:                 "labelmatch",
+			proto:                "ssh",
+			allBranches:          false,
+			includeArchivedRepos: false,
+			filters: []v1alpha1.SCMProviderGeneratorFilter{
+				{
+					LabelMatch: new("test-topic"),
+				},
+			},
+
+			branches: []string{"master"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 		{
 			name:     "other protocol",
@ -1115,34 +1496,133 @@ func TestGitlabListRepos(t *testing.T) {
 			hasError: true,
 		},
 		{
-			name:        "all branches",
-			allBranches: true,
-			url:         "git@gitlab.com:test-argocd-proton/argocd.git",
-			branches:    []string{"master"},
+			name:                 "all branches",
+			allBranches:          true,
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			branches: []string{"master"},
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 		{
 			name:                  "all subgroups",
 			allBranches:           true,
-			url:                   "git@gitlab.com:test-argocd-proton/argocd.git",
 			branches:              []string{"master"},
 			includeSharedProjects: false,
 			includeSubgroups:      true,
+			includeArchivedRepos:  false,
+			filters:               []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic", "specific-topic"},
+				},
+				{
+					Organization: "",
+					Repository:   "argocd-subgroup",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/subgroup/argocd-subgroup.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b58",
+					RepositoryId: int64(27084538),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 		{
 			name:                  "all subgroups and shared projects",
 			allBranches:           true,
-			url:                   "git@gitlab.com:test-argocd-proton/argocd.git",
 			branches:              []string{"master"},
 			includeSharedProjects: true,
 			includeSubgroups:      true,
+			includeArchivedRepos:  false,
+			filters:               []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic"},
+				},
+				{
+					Organization: "",
+					Repository:   "shared-argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-shared-argocd-proton/shared-argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084534),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 		{
-			name:             "specific topic",
-			allBranches:      true,
-			url:              "git@gitlab.com:test-argocd-proton/argocd.git",
-			branches:         []string{"master"},
-			includeSubgroups: false,
-			topic:            "specific-topic",
+			name:                 "specific topic",
+			allBranches:          true,
+			branches:             []string{"master"},
+			includeSubgroups:     false,
+			topic:                "specific-topic",
+			includeArchivedRepos: false,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{"test-topic", "specific-topic"},
+				},
+			},
+		},
+		{
+			name:                 "all branches with archived repos",
+			allBranches:          true,
+			branches:             []string{"master"},
+			includeSubgroups:     false,
+			includeArchivedRepos: true,
+			filters:              []v1alpha1.SCMProviderGeneratorFilter{},
+
+			expectedRepos: []*Repository{
+				{
+					Organization: "",
+					Repository:   "argocd",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/argocd.git",
+					SHA:          "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					RepositoryId: int64(27084533),
+					Labels:       []string{},
+				},
+				{
+					Organization: "",
+					Repository:   "another-repo",
+					Branch:       "master",
+					URL:          "git@gitlab.com:test-argocd-proton/another-repo.git",
+					SHA:          "8898d8889fc99dd0fd578650b58b244fc63f6b58",
+					RepositoryId: int64(56522142),
+					Labels:       []string{"test-topic"},
+				},
+			},
 		},
 	}
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -1150,28 +1630,24 @@ func TestGitlabListRepos(t *testing.T) {
 	}))
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.includeSharedProjects, c.insecure, "", c.topic, nil)
+			provider, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups, c.includeSharedProjects, c.includeArchivedRepos, c.insecure, "", c.topic, nil)
 			rawRepos, err := ListRepos(t.Context(), provider, c.filters, c.proto)
 			if c.hasError {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
-				// Just check that this one project shows up. Not a great test but better than nothing?
+
 				repos := []*Repository{}
 				uniqueRepos := map[string]int{}
-				branches := []string{}
+
 				for _, r := range rawRepos {
-					if r.Repository == "argocd" {
+					if _, ok := uniqueRepos[r.Repository]; !ok {
 						repos = append(repos, r)
-						branches = append(branches, r.Branch)
 					}
 					uniqueRepos[r.Repository]++
 				}
 				assert.NotEmpty(t, repos)
-				assert.Equal(t, c.url, repos[0].URL)
-				for _, b := range c.branches {
-					assert.Contains(t, branches, b)
-				}
+
 				// In case of listing subgroups, validate the number of returned projects
 				if c.includeSubgroups || c.includeSharedProjects {
 					assert.Len(t, uniqueRepos, 2)
@ -1180,6 +1656,8 @@ func TestGitlabListRepos(t *testing.T) {
 				if c.topic != "" {
 					assert.Len(t, uniqueRepos, 1)
 				}
+				assert.Len(t, repos, len(c.expectedRepos))
+				assert.ElementsMatch(t, c.expectedRepos, repos)
 			}
 		})
 	}
@ -1189,7 +1667,7 @@ func TestGitlabHasPath(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		gitlabMockHandler(t)(w, r)
 	}))
-	host, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, "", "", nil)
+	host, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, false, "", "", nil)
 	repo := &Repository{
 		Organization: "test-argocd-proton",
 		Repository:   "argocd",
@ -1245,10 +1723,10 @@ func TestGitlabGetBranches(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		gitlabMockHandler(t)(w, r)
 	}))
-	host, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, "", "", nil)
+	host, _ := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, false, "", "", nil)

 	repo := &Repository{
-		RepositoryId: 27084533,
+		RepositoryId: int64(27084533),
 		Branch:       "master",
 	}
 	t.Run("branch exists", func(t *testing.T) {
@ -1258,7 +1736,7 @@ func TestGitlabGetBranches(t *testing.T) {
 	})

 	repo2 := &Repository{
-		RepositoryId: 27084533,
+		RepositoryId: int64(27084533),
 		Branch:       "foo",
 	}
 	t.Run("unknown branch", func(t *testing.T) {
@ -1301,7 +1779,6 @@ func TestGetBranchesTLS(t *testing.T) {
 	}

 	for _, test := range tests {
-		test := test
 		t.Run(test.name, func(t *testing.T) {
 			ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				gitlabMockHandler(t)(w, r)
@ -1322,10 +1799,10 @@ func TestGetBranchesTLS(t *testing.T) {
 				}
 			}

-			host, err := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, test.tlsInsecure, "", "", certs)
+			host, err := NewGitlabProvider("test-argocd-proton", "", ts.URL, false, true, true, false, test.tlsInsecure, "", "", certs)
 			require.NoError(t, err)
 			repo := &Repository{
-				RepositoryId: 27084533,
+				RepositoryId: int64(27084533),
 				Branch:       "master",
 			}
 			_, err = host.GetBranches(t.Context(), repo)
--- a/applicationset/services/scm_provider/mocks/AWSCodeCommitClient.go
+++ b/applicationset/services/scm_provider/mocks/AWSCodeCommitClient.go
@ -0,0 +1,387 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package mocks
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/service/codecommit"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewAWSCodeCommitClient creates a new instance of AWSCodeCommitClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewAWSCodeCommitClient(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *AWSCodeCommitClient {
+	mock := &AWSCodeCommitClient{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// AWSCodeCommitClient is an autogenerated mock type for the AWSCodeCommitClient type
+type AWSCodeCommitClient struct {
+	mock.Mock
+}
+
+type AWSCodeCommitClient_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *AWSCodeCommitClient) EXPECT() *AWSCodeCommitClient_Expecter {
+	return &AWSCodeCommitClient_Expecter{mock: &_m.Mock}
+}
+
+// GetFolder provides a mock function for the type AWSCodeCommitClient
+func (_mock *AWSCodeCommitClient) GetFolder(context1 context.Context, getFolderInput *codecommit.GetFolderInput, fns ...func(*codecommit.Options)) (*codecommit.GetFolderOutput, error) {
+	// func(*codecommit.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, context1, getFolderInput)
+	_ca = append(_ca, _va...)
+	ret := _mock.Called(_ca...)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetFolder")
+	}
+
+	var r0 *codecommit.GetFolderOutput
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.GetFolderInput, ...func(*codecommit.Options)) (*codecommit.GetFolderOutput, error)); ok {
+		return returnFunc(context1, getFolderInput, fns...)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.GetFolderInput, ...func(*codecommit.Options)) *codecommit.GetFolderOutput); ok {
+		r0 = returnFunc(context1, getFolderInput, fns...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*codecommit.GetFolderOutput)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *codecommit.GetFolderInput, ...func(*codecommit.Options)) error); ok {
+		r1 = returnFunc(context1, getFolderInput, fns...)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// AWSCodeCommitClient_GetFolder_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetFolder'
+type AWSCodeCommitClient_GetFolder_Call struct {
+	*mock.Call
+}
+
+// GetFolder is a helper method to define mock.On call
+//   - context1 context.Context
+//   - getFolderInput *codecommit.GetFolderInput
+//   - fns ...func(*codecommit.Options)
+func (_e *AWSCodeCommitClient_Expecter) GetFolder(context1 interface{}, getFolderInput interface{}, fns ...interface{}) *AWSCodeCommitClient_GetFolder_Call {
+	return &AWSCodeCommitClient_GetFolder_Call{Call: _e.mock.On("GetFolder",
+		append([]interface{}{context1, getFolderInput}, fns...)...)}
+}
+
+func (_c *AWSCodeCommitClient_GetFolder_Call) Run(run func(context1 context.Context, getFolderInput *codecommit.GetFolderInput, fns ...func(*codecommit.Options))) *AWSCodeCommitClient_GetFolder_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *codecommit.GetFolderInput
+		if args[1] != nil {
+			arg1 = args[1].(*codecommit.GetFolderInput)
+		}
+		var arg2 []func(*codecommit.Options)
+		variadicArgs := make([]func(*codecommit.Options), len(args)-2)
+		for i, a := range args[2:] {
+			if a != nil {
+				variadicArgs[i] = a.(func(*codecommit.Options))
+			}
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *AWSCodeCommitClient_GetFolder_Call) Return(getFolderOutput *codecommit.GetFolderOutput, err error) *AWSCodeCommitClient_GetFolder_Call {
+	_c.Call.Return(getFolderOutput, err)
+	return _c
+}
+
+func (_c *AWSCodeCommitClient_GetFolder_Call) RunAndReturn(run func(context1 context.Context, getFolderInput *codecommit.GetFolderInput, fns ...func(*codecommit.Options)) (*codecommit.GetFolderOutput, error)) *AWSCodeCommitClient_GetFolder_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetRepository provides a mock function for the type AWSCodeCommitClient
+func (_mock *AWSCodeCommitClient) GetRepository(context1 context.Context, getRepositoryInput *codecommit.GetRepositoryInput, fns ...func(*codecommit.Options)) (*codecommit.GetRepositoryOutput, error) {
+	// func(*codecommit.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, context1, getRepositoryInput)
+	_ca = append(_ca, _va...)
+	ret := _mock.Called(_ca...)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetRepository")
+	}
+
+	var r0 *codecommit.GetRepositoryOutput
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.GetRepositoryInput, ...func(*codecommit.Options)) (*codecommit.GetRepositoryOutput, error)); ok {
+		return returnFunc(context1, getRepositoryInput, fns...)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.GetRepositoryInput, ...func(*codecommit.Options)) *codecommit.GetRepositoryOutput); ok {
+		r0 = returnFunc(context1, getRepositoryInput, fns...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*codecommit.GetRepositoryOutput)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *codecommit.GetRepositoryInput, ...func(*codecommit.Options)) error); ok {
+		r1 = returnFunc(context1, getRepositoryInput, fns...)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// AWSCodeCommitClient_GetRepository_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRepository'
+type AWSCodeCommitClient_GetRepository_Call struct {
+	*mock.Call
+}
+
+// GetRepository is a helper method to define mock.On call
+//   - context1 context.Context
+//   - getRepositoryInput *codecommit.GetRepositoryInput
+//   - fns ...func(*codecommit.Options)
+func (_e *AWSCodeCommitClient_Expecter) GetRepository(context1 interface{}, getRepositoryInput interface{}, fns ...interface{}) *AWSCodeCommitClient_GetRepository_Call {
+	return &AWSCodeCommitClient_GetRepository_Call{Call: _e.mock.On("GetRepository",
+		append([]interface{}{context1, getRepositoryInput}, fns...)...)}
+}
+
+func (_c *AWSCodeCommitClient_GetRepository_Call) Run(run func(context1 context.Context, getRepositoryInput *codecommit.GetRepositoryInput, fns ...func(*codecommit.Options))) *AWSCodeCommitClient_GetRepository_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *codecommit.GetRepositoryInput
+		if args[1] != nil {
+			arg1 = args[1].(*codecommit.GetRepositoryInput)
+		}
+		var arg2 []func(*codecommit.Options)
+		variadicArgs := make([]func(*codecommit.Options), len(args)-2)
+		for i, a := range args[2:] {
+			if a != nil {
+				variadicArgs[i] = a.(func(*codecommit.Options))
+			}
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *AWSCodeCommitClient_GetRepository_Call) Return(getRepositoryOutput *codecommit.GetRepositoryOutput, err error) *AWSCodeCommitClient_GetRepository_Call {
+	_c.Call.Return(getRepositoryOutput, err)
+	return _c
+}
+
+func (_c *AWSCodeCommitClient_GetRepository_Call) RunAndReturn(run func(context1 context.Context, getRepositoryInput *codecommit.GetRepositoryInput, fns ...func(*codecommit.Options)) (*codecommit.GetRepositoryOutput, error)) *AWSCodeCommitClient_GetRepository_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListBranches provides a mock function for the type AWSCodeCommitClient
+func (_mock *AWSCodeCommitClient) ListBranches(context1 context.Context, listBranchesInput *codecommit.ListBranchesInput, fns ...func(*codecommit.Options)) (*codecommit.ListBranchesOutput, error) {
+	// func(*codecommit.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, context1, listBranchesInput)
+	_ca = append(_ca, _va...)
+	ret := _mock.Called(_ca...)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListBranches")
+	}
+
+	var r0 *codecommit.ListBranchesOutput
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.ListBranchesInput, ...func(*codecommit.Options)) (*codecommit.ListBranchesOutput, error)); ok {
+		return returnFunc(context1, listBranchesInput, fns...)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.ListBranchesInput, ...func(*codecommit.Options)) *codecommit.ListBranchesOutput); ok {
+		r0 = returnFunc(context1, listBranchesInput, fns...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*codecommit.ListBranchesOutput)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *codecommit.ListBranchesInput, ...func(*codecommit.Options)) error); ok {
+		r1 = returnFunc(context1, listBranchesInput, fns...)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// AWSCodeCommitClient_ListBranches_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListBranches'
+type AWSCodeCommitClient_ListBranches_Call struct {
+	*mock.Call
+}
+
+// ListBranches is a helper method to define mock.On call
+//   - context1 context.Context
+//   - listBranchesInput *codecommit.ListBranchesInput
+//   - fns ...func(*codecommit.Options)
+func (_e *AWSCodeCommitClient_Expecter) ListBranches(context1 interface{}, listBranchesInput interface{}, fns ...interface{}) *AWSCodeCommitClient_ListBranches_Call {
+	return &AWSCodeCommitClient_ListBranches_Call{Call: _e.mock.On("ListBranches",
+		append([]interface{}{context1, listBranchesInput}, fns...)...)}
+}
+
+func (_c *AWSCodeCommitClient_ListBranches_Call) Run(run func(context1 context.Context, listBranchesInput *codecommit.ListBranchesInput, fns ...func(*codecommit.Options))) *AWSCodeCommitClient_ListBranches_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *codecommit.ListBranchesInput
+		if args[1] != nil {
+			arg1 = args[1].(*codecommit.ListBranchesInput)
+		}
+		var arg2 []func(*codecommit.Options)
+		variadicArgs := make([]func(*codecommit.Options), len(args)-2)
+		for i, a := range args[2:] {
+			if a != nil {
+				variadicArgs[i] = a.(func(*codecommit.Options))
+			}
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *AWSCodeCommitClient_ListBranches_Call) Return(listBranchesOutput *codecommit.ListBranchesOutput, err error) *AWSCodeCommitClient_ListBranches_Call {
+	_c.Call.Return(listBranchesOutput, err)
+	return _c
+}
+
+func (_c *AWSCodeCommitClient_ListBranches_Call) RunAndReturn(run func(context1 context.Context, listBranchesInput *codecommit.ListBranchesInput, fns ...func(*codecommit.Options)) (*codecommit.ListBranchesOutput, error)) *AWSCodeCommitClient_ListBranches_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListRepositories provides a mock function for the type AWSCodeCommitClient
+func (_mock *AWSCodeCommitClient) ListRepositories(context1 context.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, fns ...func(*codecommit.Options)) (*codecommit.ListRepositoriesOutput, error) {
+	// func(*codecommit.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, context1, listRepositoriesInput)
+	_ca = append(_ca, _va...)
+	ret := _mock.Called(_ca...)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListRepositories")
+	}
+
+	var r0 *codecommit.ListRepositoriesOutput
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.ListRepositoriesInput, ...func(*codecommit.Options)) (*codecommit.ListRepositoriesOutput, error)); ok {
+		return returnFunc(context1, listRepositoriesInput, fns...)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *codecommit.ListRepositoriesInput, ...func(*codecommit.Options)) *codecommit.ListRepositoriesOutput); ok {
+		r0 = returnFunc(context1, listRepositoriesInput, fns...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*codecommit.ListRepositoriesOutput)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *codecommit.ListRepositoriesInput, ...func(*codecommit.Options)) error); ok {
+		r1 = returnFunc(context1, listRepositoriesInput, fns...)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// AWSCodeCommitClient_ListRepositories_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListRepositories'
+type AWSCodeCommitClient_ListRepositories_Call struct {
+	*mock.Call
+}
+
+// ListRepositories is a helper method to define mock.On call
+//   - context1 context.Context
+//   - listRepositoriesInput *codecommit.ListRepositoriesInput
+//   - fns ...func(*codecommit.Options)
+func (_e *AWSCodeCommitClient_Expecter) ListRepositories(context1 interface{}, listRepositoriesInput interface{}, fns ...interface{}) *AWSCodeCommitClient_ListRepositories_Call {
+	return &AWSCodeCommitClient_ListRepositories_Call{Call: _e.mock.On("ListRepositories",
+		append([]interface{}{context1, listRepositoriesInput}, fns...)...)}
+}
+
+func (_c *AWSCodeCommitClient_ListRepositories_Call) Run(run func(context1 context.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, fns ...func(*codecommit.Options))) *AWSCodeCommitClient_ListRepositories_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *codecommit.ListRepositoriesInput
+		if args[1] != nil {
+			arg1 = args[1].(*codecommit.ListRepositoriesInput)
+		}
+		var arg2 []func(*codecommit.Options)
+		variadicArgs := make([]func(*codecommit.Options), len(args)-2)
+		for i, a := range args[2:] {
+			if a != nil {
+				variadicArgs[i] = a.(func(*codecommit.Options))
+			}
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *AWSCodeCommitClient_ListRepositories_Call) Return(listRepositoriesOutput *codecommit.ListRepositoriesOutput, err error) *AWSCodeCommitClient_ListRepositories_Call {
+	_c.Call.Return(listRepositoriesOutput, err)
+	return _c
+}
+
+func (_c *AWSCodeCommitClient_ListRepositories_Call) RunAndReturn(run func(context1 context.Context, listRepositoriesInput *codecommit.ListRepositoriesInput, fns ...func(*codecommit.Options)) (*codecommit.ListRepositoriesOutput, error)) *AWSCodeCommitClient_ListRepositories_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/applicationset/services/scm_provider/mocks/AWSTaggingClient.go
+++ b/applicationset/services/scm_provider/mocks/AWSTaggingClient.go
@ -0,0 +1,126 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package mocks
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewAWSTaggingClient creates a new instance of AWSTaggingClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewAWSTaggingClient(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *AWSTaggingClient {
+	mock := &AWSTaggingClient{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// AWSTaggingClient is an autogenerated mock type for the AWSTaggingClient type
+type AWSTaggingClient struct {
+	mock.Mock
+}
+
+type AWSTaggingClient_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *AWSTaggingClient) EXPECT() *AWSTaggingClient_Expecter {
+	return &AWSTaggingClient_Expecter{mock: &_m.Mock}
+}
+
+// GetResources provides a mock function for the type AWSTaggingClient
+func (_mock *AWSTaggingClient) GetResources(context1 context.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, fns ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error) {
+	// func(*resourcegroupstaggingapi.Options)
+	_va := make([]interface{}, len(fns))
+	for _i := range fns {
+		_va[_i] = fns[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, context1, getResourcesInput)
+	_ca = append(_ca, _va...)
+	ret := _mock.Called(_ca...)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetResources")
+	}
+
+	var r0 *resourcegroupstaggingapi.GetResourcesOutput
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error)); ok {
+		return returnFunc(context1, getResourcesInput, fns...)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...func(*resourcegroupstaggingapi.Options)) *resourcegroupstaggingapi.GetResourcesOutput); ok {
+		r0 = returnFunc(context1, getResourcesInput, fns...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*resourcegroupstaggingapi.GetResourcesOutput)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *resourcegroupstaggingapi.GetResourcesInput, ...func(*resourcegroupstaggingapi.Options)) error); ok {
+		r1 = returnFunc(context1, getResourcesInput, fns...)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// AWSTaggingClient_GetResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetResources'
+type AWSTaggingClient_GetResources_Call struct {
+	*mock.Call
+}
+
+// GetResources is a helper method to define mock.On call
+//   - context1 context.Context
+//   - getResourcesInput *resourcegroupstaggingapi.GetResourcesInput
+//   - fns ...func(*resourcegroupstaggingapi.Options)
+func (_e *AWSTaggingClient_Expecter) GetResources(context1 interface{}, getResourcesInput interface{}, fns ...interface{}) *AWSTaggingClient_GetResources_Call {
+	return &AWSTaggingClient_GetResources_Call{Call: _e.mock.On("GetResources",
+		append([]interface{}{context1, getResourcesInput}, fns...)...)}
+}
+
+func (_c *AWSTaggingClient_GetResources_Call) Run(run func(context1 context.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, fns ...func(*resourcegroupstaggingapi.Options))) *AWSTaggingClient_GetResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *resourcegroupstaggingapi.GetResourcesInput
+		if args[1] != nil {
+			arg1 = args[1].(*resourcegroupstaggingapi.GetResourcesInput)
+		}
+		var arg2 []func(*resourcegroupstaggingapi.Options)
+		variadicArgs := make([]func(*resourcegroupstaggingapi.Options), len(args)-2)
+		for i, a := range args[2:] {
+			if a != nil {
+				variadicArgs[i] = a.(func(*resourcegroupstaggingapi.Options))
+			}
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *AWSTaggingClient_GetResources_Call) Return(getResourcesOutput *resourcegroupstaggingapi.GetResourcesOutput, err error) *AWSTaggingClient_GetResources_Call {
+	_c.Call.Return(getResourcesOutput, err)
+	return _c
+}
+
+func (_c *AWSTaggingClient_GetResources_Call) RunAndReturn(run func(context1 context.Context, getResourcesInput *resourcegroupstaggingapi.GetResourcesInput, fns ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error)) *AWSTaggingClient_GetResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/applicationset/services/scm_provider/mocks/AzureDevOpsClientFactory.go
+++ b/applicationset/services/scm_provider/mocks/AzureDevOpsClientFactory.go
@ -0,0 +1,101 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package mocks
+
+import (
+	"context"
+
+	"github.com/microsoft/azure-devops-go-api/azuredevops/v7/git"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewAzureDevOpsClientFactory creates a new instance of AzureDevOpsClientFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewAzureDevOpsClientFactory(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *AzureDevOpsClientFactory {
+	mock := &AzureDevOpsClientFactory{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// AzureDevOpsClientFactory is an autogenerated mock type for the AzureDevOpsClientFactory type
+type AzureDevOpsClientFactory struct {
+	mock.Mock
+}
+
+type AzureDevOpsClientFactory_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *AzureDevOpsClientFactory) EXPECT() *AzureDevOpsClientFactory_Expecter {
+	return &AzureDevOpsClientFactory_Expecter{mock: &_m.Mock}
+}
+
+// GetClient provides a mock function for the type AzureDevOpsClientFactory
+func (_mock *AzureDevOpsClientFactory) GetClient(ctx context.Context) (git.Client, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetClient")
+	}
+
+	var r0 git.Client
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (git.Client, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) git.Client); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(git.Client)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// AzureDevOpsClientFactory_GetClient_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetClient'
+type AzureDevOpsClientFactory_GetClient_Call struct {
+	*mock.Call
+}
+
+// GetClient is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *AzureDevOpsClientFactory_Expecter) GetClient(ctx interface{}) *AzureDevOpsClientFactory_GetClient_Call {
+	return &AzureDevOpsClientFactory_GetClient_Call{Call: _e.mock.On("GetClient", ctx)}
+}
+
+func (_c *AzureDevOpsClientFactory_GetClient_Call) Run(run func(ctx context.Context)) *AzureDevOpsClientFactory_GetClient_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *AzureDevOpsClientFactory_GetClient_Call) Return(client git.Client, err error) *AzureDevOpsClientFactory_GetClient_Call {
+	_c.Call.Return(client, err)
+	return _c
+}
+
+func (_c *AzureDevOpsClientFactory_GetClient_Call) RunAndReturn(run func(ctx context.Context) (git.Client, error)) *AzureDevOpsClientFactory_GetClient_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/applicationset/services/scm_provider/utils.go
+++ b/applicationset/services/scm_provider/utils.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"regexp"
+	"slices"
 	"strings"

 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
@ -58,13 +59,7 @@ func matchFilter(ctx context.Context, provider SCMProviderService, repo *Reposit
 	}

 	if filter.LabelMatch != nil {
-		found := false
-		for _, label := range repo.Labels {
-			if filter.LabelMatch.MatchString(label) {
-				found = true
-				break
-			}
-		}
+		found := slices.ContainsFunc(repo.Labels, filter.LabelMatch.MatchString)
 		if !found {
 			return false, nil
 		}
--- a/applicationset/services/scm_provider/utils_test.go
+++ b/applicationset/services/scm_provider/utils_test.go
@ -10,10 +10,6 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 )

-func strp(s string) *string {
-	return &s
-}
-
 func TestFilterRepoMatch(t *testing.T) {
 	provider := &MockProvider{
 		Repos: []*Repository{
@ -33,7 +29,7 @@ func TestFilterRepoMatch(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			RepositoryMatch: strp("n|hr"),
+			RepositoryMatch: new("n|hr"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
@ -62,7 +58,7 @@ func TestFilterLabelMatch(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			LabelMatch: strp("^prod-.*$"),
+			LabelMatch: new("^prod-.*$"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
@ -131,7 +127,7 @@ func TestFilterRepoMatchBadRegexp(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			RepositoryMatch: strp("("),
+			RepositoryMatch: new("("),
 		},
 	}
 	_, err := ListRepos(t.Context(), provider, filters, "")
@ -148,7 +144,7 @@ func TestFilterLabelMatchBadRegexp(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			LabelMatch: strp("("),
+			LabelMatch: new("("),
 		},
 	}
 	_, err := ListRepos(t.Context(), provider, filters, "")
@ -182,7 +178,7 @@ func TestFilterBranchMatch(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			BranchMatch: strp("w"),
+			BranchMatch: new("w"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
@ -213,8 +209,8 @@ func TestMultiFilterAnd(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			RepositoryMatch: strp("w"),
-			LabelMatch:      strp("^prod-.*$"),
+			RepositoryMatch: new("w"),
+			LabelMatch:      new("^prod-.*$"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
@ -242,10 +238,10 @@ func TestMultiFilterOr(t *testing.T) {
 	}
 	filters := []argoprojiov1alpha1.SCMProviderGeneratorFilter{
 		{
-			RepositoryMatch: strp("e"),
+			RepositoryMatch: new("e"),
 		},
 		{
-			LabelMatch: strp("^prod-.*$"),
+			LabelMatch: new("^prod-.*$"),
 		},
 	}
 	repos, err := ListRepos(t.Context(), provider, filters, "")
--- a/applicationset/services/util_test.go
+++ b/applicationset/services/util_test.go
@ -1,7 +1,6 @@
 package services

 import (
-	"context"
 	"crypto/tls"
 	"net/http"
 	"testing"
@ -12,7 +11,7 @@ import (
 )

 func TestSetupBitbucketClient(t *testing.T) {
-	ctx := context.Background()
+	ctx := t.Context()
 	cfg := &bitbucketv1.Configuration{}

 	// Act
--- a/applicationset/utils/client.go
+++ b/applicationset/utils/client.go
@ -0,0 +1,137 @@
+package utils
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"reflect"
+	"sync"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	k8scache "k8s.io/client-go/tools/cache"
+	ctrlcache "sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	application "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+)
+
+// NewCacheSyncingClient returns a client that wraps the given client and syncs the cache after each Create, Update, Patch, or Delete operation on Application objects.
+func NewCacheSyncingClient(c client.Client, cache ctrlcache.Cache) client.Client {
+	res := &cacheSyncingClient{Client: c, storesByNs: make(map[string]k8scache.Store)}
+	// The k8s controller runtime's cache does not expose a way to get the underlying store, so we have to use reflection to access it.
+	// This is necessary to keep the cache in sync with the client operations.
+	field := reflect.ValueOf(cache).Elem().FieldByName("namespaceToCache")
+	if field.Kind() == reflect.Map {
+		namespaceToCache := *(*map[string]ctrlcache.Cache)(unsafe.Pointer(field.UnsafeAddr()))
+		res.getNSCache = func(_ context.Context, obj client.Object) (ctrlcache.Cache, error) {
+			res, ok := namespaceToCache[obj.GetNamespace()]
+			if !ok {
+				return nil, fmt.Errorf("cache for namespace %s not found", obj.GetNamespace())
+			}
+			return res, nil
+		}
+	} else {
+		res.getNSCache = func(_ context.Context, _ client.Object) (ctrlcache.Cache, error) {
+			return cache, nil
+		}
+	}
+	return res
+}
+
+type cacheSyncingClient struct {
+	client.Client
+	getNSCache func(ctx context.Context, obj client.Object) (ctrlcache.Cache, error)
+
+	storesByNs     map[string]k8scache.Store
+	storesByNsLock sync.RWMutex
+}
+
+func (c *cacheSyncingClient) getStore(ctx context.Context, obj client.Object) (k8scache.Store, error) {
+	c.storesByNsLock.RLock()
+	store, ok := c.storesByNs[obj.GetNamespace()]
+	c.storesByNsLock.RUnlock()
+	if ok {
+		return store, nil
+	}
+
+	store, err := c.retrieveStore(ctx, obj)
+	if err != nil {
+		return nil, err
+	}
+
+	c.storesByNsLock.Lock()
+	c.storesByNs[obj.GetNamespace()] = store
+	c.storesByNsLock.Unlock()
+
+	return store, nil
+}
+
+func (c *cacheSyncingClient) retrieveStore(ctx context.Context, obj client.Object) (k8scache.Store, error) {
+	nsCache, err := c.getNSCache(ctx, obj)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get namespace cache: %w", err)
+	}
+
+	informer, err := nsCache.GetInformerForKind(ctx, application.ApplicationSchemaGroupVersionKind)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get informer: %w", err)
+	}
+	indexInformer, ok := informer.(k8scache.SharedIndexInformer)
+	if !ok {
+		return nil, errors.New("informer is not a SharedIndexInformer")
+	}
+
+	return indexInformer.GetStore(), nil
+}
+
+func (c *cacheSyncingClient) execAndSyncCache(ctx context.Context, op func() error, obj client.Object, deleteObj bool) error {
+	// execute the operation first and only sync cache if it succeeds
+	if err := op(); err != nil {
+		return err
+	}
+	// sync cache for applications only
+	if _, ok := obj.(*application.Application); !ok {
+		return nil
+	}
+
+	logger := log.WithField("namespace", obj.GetNamespace()).WithField("name", obj.GetName())
+	store, err := c.getStore(ctx, obj)
+	if err != nil {
+		logger.Errorf("failed to get cache store: %v", err)
+	} else {
+		if deleteObj {
+			err = store.Delete(obj)
+		} else {
+			err = store.Update(obj)
+		}
+	}
+	if err != nil {
+		logger.Errorf("failed to sync cache for object: %v", err)
+	}
+	return nil
+}
+
+func (c *cacheSyncingClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error {
+	return c.execAndSyncCache(ctx, func() error {
+		return c.Client.Create(ctx, obj, opts...)
+	}, obj, false)
+}
+
+func (c *cacheSyncingClient) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error {
+	return c.execAndSyncCache(ctx, func() error {
+		return c.Client.Update(ctx, obj, opts...)
+	}, obj, false)
+}
+
+func (c *cacheSyncingClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error {
+	return c.execAndSyncCache(ctx, func() error {
+		return c.Client.Patch(ctx, obj, patch, opts...)
+	}, obj, false)
+}
+
+func (c *cacheSyncingClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error {
+	return c.execAndSyncCache(ctx, func() error {
+		return c.Client.Delete(ctx, obj, opts...)
+	}, obj, true)
+}
--- a/applicationset/utils/client_test.go
+++ b/applicationset/utils/client_test.go
@ -0,0 +1,111 @@
+package utils
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8scache "k8s.io/client-go/tools/cache"
+	ctrlcache "sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	application "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+)
+
+type fakeMultiNamespaceCache struct {
+	//nolint:unused
+	namespaceToCache map[string]ctrlcache.Cache
+
+	ctrlcache.Cache
+	k8scache.SharedIndexInformer
+
+	Store k8scache.Store
+}
+
+func (f *fakeMultiNamespaceCache) GetInformerForKind(_ context.Context, _ schema.GroupVersionKind, _ ...ctrlcache.InformerGetOption) (ctrlcache.Informer, error) {
+	return f, nil
+}
+
+func (f *fakeMultiNamespaceCache) GetStore() k8scache.Store {
+	return f.Store
+}
+
+func newClient(objs ...client.Object) (*cacheSyncingClient, k8scache.Store, error) {
+	scheme := runtime.NewScheme()
+	if err := application.AddToScheme(scheme); err != nil {
+		return nil, nil, err
+	}
+
+	store := k8scache.NewStore(func(obj any) (string, error) {
+		return obj.(client.Object).GetName(), nil
+	})
+	for _, obj := range objs {
+		if err := store.Add(obj); err != nil {
+			return nil, nil, err
+		}
+	}
+	c := &cacheSyncingClient{
+		Client:     fake.NewClientBuilder().WithScheme(scheme).WithObjects(objs...).Build(),
+		storesByNs: map[string]k8scache.Store{},
+		getNSCache: func(_ context.Context, _ client.Object) (ctrlcache.Cache, error) {
+			return &fakeMultiNamespaceCache{Store: store}, nil
+		},
+	}
+	return c, store, nil
+}
+
+func TestCreateSyncsCache(t *testing.T) {
+	c, store, err := newClient()
+	require.NoError(t, err)
+
+	app := &application.Application{
+		ObjectMeta: metav1.ObjectMeta{Name: "test", Namespace: "argocd"},
+	}
+	require.NoError(t, c.Create(context.Background(), app))
+
+	require.Contains(t, store.List(), app)
+}
+
+func TestUpdateSyncsCache(t *testing.T) {
+	app := &application.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "argocd",
+			Labels:    map[string]string{"foo": "bar"},
+		},
+	}
+	c, store, err := newClient(app)
+	require.NoError(t, err)
+
+	updatedApp := app.DeepCopy()
+	updatedApp.Labels["foo"] = "bar-UPDATED"
+	require.NoError(t, c.Update(context.Background(), updatedApp))
+
+	updated, _, err := store.GetByKey("test")
+	require.NoError(t, err)
+	require.Equal(t, "bar-UPDATED", updated.(*application.Application).Labels["foo"])
+}
+
+func TestDeleteSyncsCache(t *testing.T) {
+	app := &application.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "argocd",
+			Labels:    map[string]string{"foo": "bar"},
+		},
+	}
+	c, store, err := newClient(app)
+	require.NoError(t, err)
+
+	require.NoError(t, c.Delete(context.Background(), app))
+
+	require.Empty(t, store.List())
+}
+
+func TestNewClientDoesNotCrashWithMultiNamespaceCache(_ *testing.T) {
+	_ = NewCacheSyncingClient(nil, &fakeMultiNamespaceCache{})
+}
--- a/applicationset/utils/clusterUtils.go
+++ b/applicationset/utils/clusterUtils.go
@ -1,15 +1,12 @@
 package utils

 import (
-	"context"
 	"fmt"

-	"github.com/argoproj/argo-cd/v3/common"
-	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v3/util/db"
+	corev1 "k8s.io/api/core/v1"

-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
+	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v3/util/settings"
 )

 // ClusterSpecifier contains only the name and server URL of a cluster. We use this struct to avoid partially-populating
@ -19,42 +16,44 @@ type ClusterSpecifier struct {
 	Server string
 }

-func ListClusters(ctx context.Context, clientset kubernetes.Interface, namespace string) ([]ClusterSpecifier, error) {
-	clusterSecretsList, err := clientset.CoreV1().Secrets(namespace).List(ctx,
-		metav1.ListOptions{LabelSelector: common.LabelKeySecretType + "=" + common.LabelValueSecretTypeCluster})
-	if err != nil {
-		return nil, err
-	}
-
-	if clusterSecretsList == nil {
-		return nil, nil
-	}
-
-	clusterSecrets := clusterSecretsList.Items
-
-	clusterList := make([]ClusterSpecifier, len(clusterSecrets))
-
-	hasInClusterCredentials := false
-	for i, clusterSecret := range clusterSecrets {
-		cluster, err := db.SecretToCluster(&clusterSecret)
-		if err != nil || cluster == nil {
-			return nil, fmt.Errorf("unable to convert cluster secret to cluster object '%s': %w", clusterSecret.Name, err)
+// SecretsContainInClusterCredentials checks if any of the provided secrets represent the in-cluster configuration.
+func SecretsContainInClusterCredentials(secrets []corev1.Secret) bool {
+	for _, secret := range secrets {
+		if string(secret.Data["server"]) == appv1.KubernetesInternalAPIServerAddr {
+			return true
 		}
-		clusterList[i] = ClusterSpecifier{
+	}
+	return false
+}
+
+// ListClusters returns a list of cluster specifiers using the ClusterInformer.
+func ListClusters(clusterInformer *settings.ClusterInformer) ([]ClusterSpecifier, error) {
+	clusters, err := clusterInformer.ListClusters()
+	if err != nil {
+		return nil, fmt.Errorf("error listing clusters: %w", err)
+	}
+	// len of clusters +1 for the in cluster secret
+	clusterList := make([]ClusterSpecifier, 0, len(clusters)+1)
+	hasInCluster := false
+
+	for _, cluster := range clusters {
+		clusterList = append(clusterList, ClusterSpecifier{
 			Name:   cluster.Name,
 			Server: cluster.Server,
-		}
+		})
 		if cluster.Server == appv1.KubernetesInternalAPIServerAddr {
-			hasInClusterCredentials = true
+			hasInCluster = true
 		}
 	}
-	if !hasInClusterCredentials {
+
+	if !hasInCluster {
 		// There was no secret for the in-cluster config, so we add it here. We don't fully-populate the Cluster struct,
 		// since only the name and server fields are used by the generator.
 		clusterList = append(clusterList, ClusterSpecifier{
-			Name:   "in-cluster",
+			Name:   appv1.KubernetesInClusterName,
 			Server: appv1.KubernetesInternalAPIServerAddr,
 		})
 	}
+
 	return clusterList, nil
 }
--- a/applicationset/utils/createOrUpdate.go
+++ b/applicationset/utils/createOrUpdate.go
@ -24,6 +24,43 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/argo/normalizers"
 )

+var appEquality = conversion.EqualitiesOrDie(
+	func(a, b resource.Quantity) bool {
+		// Ignore formatting, only care that numeric value stayed the same.
+		// TODO: if we decide it's important, it should be safe to start comparing the format.
+		//
+		// Uninitialized quantities are equivalent to 0 quantities.
+		return a.Cmp(b) == 0
+	},
+	func(a, b metav1.MicroTime) bool {
+		return a.UTC().Equal(b.UTC())
+	},
+	func(a, b metav1.Time) bool {
+		return a.UTC().Equal(b.UTC())
+	},
+	func(a, b labels.Selector) bool {
+		return a.String() == b.String()
+	},
+	func(a, b fields.Selector) bool {
+		return a.String() == b.String()
+	},
+	func(a, b argov1alpha1.ApplicationDestination) bool {
+		return a.Namespace == b.Namespace && a.Name == b.Name && a.Server == b.Server
+	},
+)
+
+// BuildIgnoreDiffConfig constructs a DiffConfig from the ApplicationSet's ignoreDifferences rules.
+// Returns nil when ignoreDifferences is empty.
+func BuildIgnoreDiffConfig(ignoreDifferences argov1alpha1.ApplicationSetIgnoreDifferences, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts) (argodiff.DiffConfig, error) {
+	if len(ignoreDifferences) == 0 {
+		return nil, nil
+	}
+	return argodiff.NewDiffConfigBuilder().
+		WithDiffSettings(ignoreDifferences.ToApplicationIgnoreDifferences(), nil, false, ignoreNormalizerOpts).
+		WithNoCache().
+		Build()
+}
+
 // CreateOrUpdate overrides "sigs.k8s.io/controller-runtime" function
 // in sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go
 // to add equality for argov1alpha1.ApplicationDestination
@ -34,10 +71,15 @@ import (
 // cluster. The object's desired state must be reconciled with the existing
 // state inside the passed in callback MutateFn.
 //
+// diffConfig must be built once per reconcile cycle via BuildIgnoreDiffConfig and may be nil
+// when there are no ignoreDifferences rules. obj.Spec must already be normalized by the caller
+// via NormalizeApplicationSpec before this function is called; the live object fetched from the
+// cluster is normalized internally.
+//
 // The MutateFn is called regardless of creating or updating an object.
 //
 // It returns the executed operation and an error.
-func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ignoreAppDifferences argov1alpha1.ApplicationSetIgnoreDifferences, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts, obj *argov1alpha1.Application, f controllerutil.MutateFn) (controllerutil.OperationResult, error) {
+func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, diffConfig argodiff.DiffConfig, obj *argov1alpha1.Application, f controllerutil.MutateFn) (controllerutil.OperationResult, error) {
 	key := client.ObjectKeyFromObject(obj)
 	if err := c.Get(ctx, key, obj); err != nil {
 		if !errors.IsNotFound(err) {
@ -59,43 +101,18 @@ func CreateOrUpdate(ctx context.Context, logCtx *log.Entry, c client.Client, ign
 		return controllerutil.OperationResultNone, err
 	}

+	// Normalize the live spec to avoid spurious diffs from unimportant differences (e.g. nil vs
+	// empty SyncPolicy). obj.Spec is already normalized by the caller; only the live side needs it.
+	normalizedLive.Spec = *argo.NormalizeApplicationSpec(&normalizedLive.Spec)
+
 	// Apply ignoreApplicationDifferences rules to remove ignored fields from both the live and the desired state. This
 	// prevents those differences from appearing in the diff and therefore in the patch.
-	err := applyIgnoreDifferences(ignoreAppDifferences, normalizedLive, obj, ignoreNormalizerOpts)
+	err := applyIgnoreDifferences(diffConfig, normalizedLive, obj)
 	if err != nil {
 		return controllerutil.OperationResultNone, fmt.Errorf("failed to apply ignore differences: %w", err)
 	}

-	// Normalize to avoid diffing on unimportant differences.
-	normalizedLive.Spec = *argo.NormalizeApplicationSpec(&normalizedLive.Spec)
-	obj.Spec = *argo.NormalizeApplicationSpec(&obj.Spec)
-
-	equality := conversion.EqualitiesOrDie(
-		func(a, b resource.Quantity) bool {
-			// Ignore formatting, only care that numeric value stayed the same.
-			// TODO: if we decide it's important, it should be safe to start comparing the format.
-			//
-			// Uninitialized quantities are equivalent to 0 quantities.
-			return a.Cmp(b) == 0
-		},
-		func(a, b metav1.MicroTime) bool {
-			return a.UTC().Equal(b.UTC())
-		},
-		func(a, b metav1.Time) bool {
-			return a.UTC().Equal(b.UTC())
-		},
-		func(a, b labels.Selector) bool {
-			return a.String() == b.String()
-		},
-		func(a, b fields.Selector) bool {
-			return a.String() == b.String()
-		},
-		func(a, b argov1alpha1.ApplicationDestination) bool {
-			return a.Namespace == b.Namespace && a.Name == b.Name && a.Server == b.Server
-		},
-	)
-
-	if equality.DeepEqual(normalizedLive, obj) {
+	if appEquality.DeepEqual(normalizedLive, obj) {
 		return controllerutil.OperationResultNone, nil
 	}

@ -135,19 +152,13 @@ func mutate(f controllerutil.MutateFn, key client.ObjectKey, obj client.Object)
 }

 // applyIgnoreDifferences applies the ignore differences rules to the found application. It modifies the applications in place.
-func applyIgnoreDifferences(applicationSetIgnoreDifferences argov1alpha1.ApplicationSetIgnoreDifferences, found *argov1alpha1.Application, generatedApp *argov1alpha1.Application, ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts) error {
-	if len(applicationSetIgnoreDifferences) == 0 {
+// diffConfig may be nil, in which case this is a no-op.
+func applyIgnoreDifferences(diffConfig argodiff.DiffConfig, found *argov1alpha1.Application, generatedApp *argov1alpha1.Application) error {
+	if diffConfig == nil {
 		return nil
 	}

 	generatedAppCopy := generatedApp.DeepCopy()
-	diffConfig, err := argodiff.NewDiffConfigBuilder().
-		WithDiffSettings(applicationSetIgnoreDifferences.ToApplicationIgnoreDifferences(), nil, false, ignoreNormalizerOpts).
-		WithNoCache().
-		Build()
-	if err != nil {
-		return fmt.Errorf("failed to build diff config: %w", err)
-	}
 	unstructuredFound, err := appToUnstructured(found)
 	if err != nil {
 		return fmt.Errorf("failed to convert found application to unstructured: %w", err)
--- a/applicationset/utils/createOrUpdate_test.go
+++ b/applicationset/utils/createOrUpdate_test.go
@ -5,7 +5,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
@ -216,7 +216,6 @@ spec:
 	}

 	for _, tc := range testCases {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			foundApp := v1alpha1.Application{TypeMeta: appMeta}
@ -225,7 +224,9 @@ spec:
 			generatedApp := v1alpha1.Application{TypeMeta: appMeta}
 			err = yaml.Unmarshal([]byte(tc.generatedApp), &generatedApp)
 			require.NoError(t, err, tc.generatedApp)
-			err = applyIgnoreDifferences(tc.ignoreDifferences, &foundApp, &generatedApp, normalizers.IgnoreNormalizerOpts{})
+			diffConfig, err := BuildIgnoreDiffConfig(tc.ignoreDifferences, normalizers.IgnoreNormalizerOpts{})
+			require.NoError(t, err)
+			err = applyIgnoreDifferences(diffConfig, &foundApp, &generatedApp)
 			require.NoError(t, err)
 			yamlFound, err := yaml.Marshal(tc.foundApp)
 			require.NoError(t, err)
--- a/Show more
+++ b/Show more
 @ -1 +1 @@
 .2.9
 .5.0