Merge pull request #5779 from fluxcd/update-components-release/v2.8.x

Update toolkit components

.github/labels.yaml

@@ -44,12 +44,12 @@
   description: Feature request proposals in the RFC format
   color: '#D621C3'
   aliases: ['area/RFC']
+- name: backport:release/v2.5.x
+  description: To be backported to release/v2.5.x
+  color: '#ffd700'
 - name: backport:release/v2.6.x
   description: To be backported to release/v2.6.x
   color: '#ffd700'
 - name: backport:release/v2.7.x
   description: To be backported to release/v2.7.x
   color: '#ffd700'
-- name: backport:release/v2.8.x
-  description: To be backported to release/v2.8.x
-  color: '#ffd700'

.github/workflows/upgrade-fluxcd-pkg.yaml

@@ -3,9 +3,6 @@ name: upgrade-fluxcd-pkg
 on:
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   upgrade-fluxcd-pkg:
     uses: fluxcd/gha-workflows/.github/workflows/upgrade-fluxcd-pkg.yaml@v0.9.0

cmd/flux/build_artifact.go

@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"path/filepath"
 	"strings"
 
 	"github.com/spf13/cobra"
@@ -49,10 +48,9 @@ from the given directory or a single manifest file.`,
 }
 
 type buildArtifactFlags struct {
-	output          string
-	path            string
-	ignorePaths     []string
-	resolveSymlinks bool
+	output      string
+	path        string
+	ignorePaths []string
 }
 
 var excludeOCI = append(strings.Split(sourceignore.ExcludeVCS, ","), strings.Split(sourceignore.ExcludeExt, ",")...)
@@ -63,7 +61,6 @@ func init() {
 	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.path, "path", "p", "", "Path to the directory where the Kubernetes manifests are located.")
 	buildArtifactCmd.Flags().StringVarP(&buildArtifactArgs.output, "output", "o", "artifact.tgz", "Path to where the artifact tgz file should be written.")
 	buildArtifactCmd.Flags().StringSliceVar(&buildArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
-	buildArtifactCmd.Flags().BoolVar(&buildArtifactArgs.resolveSymlinks, "resolve-symlinks", false, "resolve symlinks by copying their targets into the artifact")
 
 	buildCmd.AddCommand(buildArtifactCmd)
 }
@@ -88,15 +85,6 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid path '%s', must point to an existing directory or file", path)
 	}
 
-	if buildArtifactArgs.resolveSymlinks {
-		resolved, cleanupDir, err := resolveSymlinks(path)
-		if err != nil {
-			return fmt.Errorf("resolving symlinks failed: %w", err)
-		}
-		defer os.RemoveAll(cleanupDir)
-		path = resolved
-	}
-
 	logger.Actionf("building artifact from %s", path)
 
 	ociClient := oci.NewClient(oci.DefaultOptions())
@@ -108,141 +96,6 @@ func buildArtifactCmdRun(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-// resolveSymlinks creates a temporary directory with symlinks resolved to their
-// real file contents. This allows building artifacts from symlink trees (e.g.,
-// those created by Nix) where the actual files live outside the source directory.
-// It returns the resolved path and the temporary directory path for cleanup.
-func resolveSymlinks(srcPath string) (string, string, error) {
-	absPath, err := filepath.Abs(srcPath)
-	if err != nil {
-		return "", "", err
-	}
-
-	info, err := os.Stat(absPath)
-	if err != nil {
-		return "", "", err
-	}
-
-	// For a single file, resolve the symlink and return the path to the
-	// copied file within the temp dir, preserving file semantics for callers.
-	if !info.IsDir() {
-		resolved, err := filepath.EvalSymlinks(absPath)
-		if err != nil {
-			return "", "", fmt.Errorf("resolving symlink for %s: %w", absPath, err)
-		}
-		tmpDir, err := os.MkdirTemp("", "flux-artifact-*")
-		if err != nil {
-			return "", "", err
-		}
-		dst := filepath.Join(tmpDir, filepath.Base(absPath))
-		if err := copyFile(resolved, dst); err != nil {
-			os.RemoveAll(tmpDir)
-			return "", "", err
-		}
-		return dst, tmpDir, nil
-	}
-
-	tmpDir, err := os.MkdirTemp("", "flux-artifact-*")
-	if err != nil {
-		return "", "", err
-	}
-
-	visited := make(map[string]bool)
-	if err := copyDir(absPath, tmpDir, visited); err != nil {
-		os.RemoveAll(tmpDir)
-		return "", "", err
-	}
-
-	return tmpDir, tmpDir, nil
-}
-
-// copyDir recursively copies the contents of srcDir to dstDir, resolving any
-// symlinks encountered along the way. The visited map tracks resolved real
-// directory paths to detect and break symlink cycles.
-func copyDir(srcDir, dstDir string, visited map[string]bool) error {
-	real, err := filepath.EvalSymlinks(srcDir)
-	if err != nil {
-		return fmt.Errorf("resolving symlink %s: %w", srcDir, err)
-	}
-	abs, err := filepath.Abs(real)
-	if err != nil {
-		return fmt.Errorf("getting absolute path for %s: %w", real, err)
-	}
-	if visited[abs] {
-		return nil // break the cycle
-	}
-	visited[abs] = true
-
-	entries, err := os.ReadDir(srcDir)
-	if err != nil {
-		return err
-	}
-
-	for _, entry := range entries {
-		srcPath := filepath.Join(srcDir, entry.Name())
-		dstPath := filepath.Join(dstDir, entry.Name())
-
-		// Resolve symlinks to get the real path and info.
-		realPath, err := filepath.EvalSymlinks(srcPath)
-		if err != nil {
-			return fmt.Errorf("resolving symlink %s: %w", srcPath, err)
-		}
-		realInfo, err := os.Stat(realPath)
-		if err != nil {
-			return fmt.Errorf("stat resolved path %s: %w", realPath, err)
-		}
-
-		if realInfo.IsDir() {
-			if err := os.MkdirAll(dstPath, realInfo.Mode()); err != nil {
-				return err
-			}
-			// Recursively copy the resolved directory contents.
-			if err := copyDir(realPath, dstPath, visited); err != nil {
-				return err
-			}
-			continue
-		}
-
-		if !realInfo.Mode().IsRegular() {
-			continue
-		}
-
-		if err := copyFile(realPath, dstPath); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func copyFile(src, dst string) error {
-	srcInfo, err := os.Stat(src)
-	if err != nil {
-		return err
-	}
-
-	in, err := os.Open(src)
-	if err != nil {
-		return err
-	}
-	defer in.Close()
-
-	if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
-		return err
-	}
-
-	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, srcInfo.Mode())
-	if err != nil {
-		return err
-	}
-	defer out.Close()
-
-	if _, err := io.Copy(out, in); err != nil {
-		return err
-	}
-	return out.Close()
-}
-
 func saveReaderToFile(reader io.Reader) (string, error) {
 	b, err := io.ReadAll(bufio.NewReader(reader))
 	if err != nil {

cmd/flux/build_artifact_test.go

@@ -18,7 +18,6 @@ package main
 
 import (
 	"os"
-	"path/filepath"
 	"strings"
 	"testing"
 
@@ -69,113 +68,3 @@ data:
 
 	}
 }
-
-func Test_resolveSymlinks(t *testing.T) {
-	g := NewWithT(t)
-
-	// Create source directory with a real file
-	srcDir := t.TempDir()
-	realFile := filepath.Join(srcDir, "real.yaml")
-	g.Expect(os.WriteFile(realFile, []byte("apiVersion: v1\nkind: Namespace\nmetadata:\n  name: test\n"), 0o644)).To(Succeed())
-
-	// Create a directory with symlinks pointing to files outside it
-	symlinkDir := t.TempDir()
-	symlinkFile := filepath.Join(symlinkDir, "linked.yaml")
-	g.Expect(os.Symlink(realFile, symlinkFile)).To(Succeed())
-
-	// Also add a regular file in the symlink dir
-	regularFile := filepath.Join(symlinkDir, "regular.yaml")
-	g.Expect(os.WriteFile(regularFile, []byte("apiVersion: v1\nkind: ConfigMap\n"), 0o644)).To(Succeed())
-
-	// Create a symlinked subdirectory
-	subDir := filepath.Join(srcDir, "subdir")
-	g.Expect(os.MkdirAll(subDir, 0o755)).To(Succeed())
-	g.Expect(os.WriteFile(filepath.Join(subDir, "nested.yaml"), []byte("nested"), 0o644)).To(Succeed())
-	g.Expect(os.Symlink(subDir, filepath.Join(symlinkDir, "linkeddir"))).To(Succeed())
-
-	// Resolve symlinks
-	resolved, cleanupDir, err := resolveSymlinks(symlinkDir)
-	g.Expect(err).To(BeNil())
-	t.Cleanup(func() { os.RemoveAll(cleanupDir) })
-
-	// Verify the regular file was copied
-	content, err := os.ReadFile(filepath.Join(resolved, "regular.yaml"))
-	g.Expect(err).To(BeNil())
-	g.Expect(string(content)).To(Equal("apiVersion: v1\nkind: ConfigMap\n"))
-
-	// Verify the symlinked file was resolved and copied
-	content, err = os.ReadFile(filepath.Join(resolved, "linked.yaml"))
-	g.Expect(err).To(BeNil())
-	g.Expect(string(content)).To(ContainSubstring("kind: Namespace"))
-
-	// Verify that the resolved file is a regular file, not a symlink
-	info, err := os.Lstat(filepath.Join(resolved, "linked.yaml"))
-	g.Expect(err).To(BeNil())
-	g.Expect(info.Mode().IsRegular()).To(BeTrue())
-
-	// Verify that the symlinked directory was resolved and its contents were copied
-	content, err = os.ReadFile(filepath.Join(resolved, "linkeddir", "nested.yaml"))
-	g.Expect(err).To(BeNil())
-	g.Expect(string(content)).To(Equal("nested"))
-
-	// Verify that the file inside the symlinked directory is a regular file
-	info, err = os.Lstat(filepath.Join(resolved, "linkeddir", "nested.yaml"))
-	g.Expect(err).To(BeNil())
-	g.Expect(info.Mode().IsRegular()).To(BeTrue())
-}
-
-func Test_resolveSymlinks_singleFile(t *testing.T) {
-	g := NewWithT(t)
-
-	// Create a real file
-	srcDir := t.TempDir()
-	realFile := filepath.Join(srcDir, "manifest.yaml")
-	g.Expect(os.WriteFile(realFile, []byte("kind: ConfigMap"), 0o644)).To(Succeed())
-
-	// Create a symlink to the real file
-	linkDir := t.TempDir()
-	linkFile := filepath.Join(linkDir, "link.yaml")
-	g.Expect(os.Symlink(realFile, linkFile)).To(Succeed())
-
-	// Resolve the single symlinked file
-	resolved, cleanupDir, err := resolveSymlinks(linkFile)
-	g.Expect(err).To(BeNil())
-	t.Cleanup(func() { os.RemoveAll(cleanupDir) })
-
-	// The returned path should be a file, not a directory
-	info, err := os.Stat(resolved)
-	g.Expect(err).To(BeNil())
-	g.Expect(info.IsDir()).To(BeFalse())
-
-	// Verify contents
-	content, err := os.ReadFile(resolved)
-	g.Expect(err).To(BeNil())
-	g.Expect(string(content)).To(Equal("kind: ConfigMap"))
-}
-
-func Test_resolveSymlinks_cycle(t *testing.T) {
-	g := NewWithT(t)
-
-	// Create a directory with a symlink cycle: dir/link -> dir
-	dir := t.TempDir()
-	g.Expect(os.WriteFile(filepath.Join(dir, "file.yaml"), []byte("data"), 0o644)).To(Succeed())
-	g.Expect(os.Symlink(dir, filepath.Join(dir, "cycle"))).To(Succeed())
-
-	// resolveSymlinks should not infinite-loop
-	resolved, cleanupDir, err := resolveSymlinks(dir)
-	g.Expect(err).To(BeNil())
-	t.Cleanup(func() { os.RemoveAll(cleanupDir) })
-
-	// The file should be copied
-	content, err := os.ReadFile(filepath.Join(resolved, "file.yaml"))
-	g.Expect(err).To(BeNil())
-	g.Expect(string(content)).To(Equal("data"))
-
-	// The cycle directory should exist but not cause infinite nesting
-	_, err = os.Stat(filepath.Join(resolved, "cycle"))
-	g.Expect(err).To(BeNil())
-
-	// There should NOT be deeply nested cycle/cycle/cycle/... paths
-	_, err = os.Stat(filepath.Join(resolved, "cycle", "cycle", "cycle"))
-	g.Expect(os.IsNotExist(err)).To(BeTrue())
-}

cmd/flux/push_artifact.go

@@ -103,18 +103,17 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 }
 
 type pushArtifactFlags struct {
-	path            string
-	source          string
-	revision        string
-	creds           string
-	provider        flags.SourceOCIProvider
-	ignorePaths     []string
-	annotations     []string
-	output          string
-	debug           bool
-	reproducible    bool
-	insecure        bool
-	resolveSymlinks bool
+	path         string
+	source       string
+	revision     string
+	creds        string
+	provider     flags.SourceOCIProvider
+	ignorePaths  []string
+	annotations  []string
+	output       string
+	debug        bool
+	reproducible bool
+	insecure     bool
 }
 
 var pushArtifactArgs = newPushArtifactFlags()
@@ -138,7 +137,6 @@ func init() {
 	pushArtifactCmd.Flags().BoolVarP(&pushArtifactArgs.debug, "debug", "", false, "display logs from underlying library")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.reproducible, "reproducible", false, "ensure reproducible image digests by setting the created timestamp to '1970-01-01T00:00:00Z'")
 	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.insecure, "insecure-registry", false, "allows artifacts to be pushed without TLS")
-	pushArtifactCmd.Flags().BoolVar(&pushArtifactArgs.resolveSymlinks, "resolve-symlinks", false, "resolve symlinks by copying their targets into the artifact")
 
 	pushCmd.AddCommand(pushArtifactCmd)
 }
@@ -185,15 +183,6 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid path '%s', must point to an existing directory or file: %w", path, err)
 	}
 
-	if pushArtifactArgs.resolveSymlinks {
-		resolved, cleanupDir, err := resolveSymlinks(path)
-		if err != nil {
-			return fmt.Errorf("resolving symlinks failed: %w", err)
-		}
-		defer os.RemoveAll(cleanupDir)
-		path = resolved
-	}
-
 	annotations := map[string]string{}
 	for _, annotation := range pushArtifactArgs.annotations {
 		kv := strings.Split(annotation, "=")

cmd/flux/reconcile.go

@@ -152,14 +152,7 @@ func reconciliationHandled(kubeClient client.Client, namespacedName types.Namesp
 			return false, err
 		}
 
-		switch result.Status {
-		case kstatus.CurrentStatus:
-			return true, nil
-		case kstatus.InProgressStatus:
-			return false, nil
-		default:
-			return false, fmt.Errorf("%s", result.Message)
-		}
+		return result.Status == kstatus.CurrentStatus, nil
 	}
 }
 

cmd/flux/resume.go

@@ -126,17 +126,6 @@ func (resume resumeCommand) run(cmd *cobra.Command, args []string) error {
 
 	resume.printMessage(reconcileResps)
 
-	// Return an error if any reconciliation failed
-	var failedCount int
-	for _, r := range reconcileResps {
-		if r.resumable != nil && r.err != nil {
-			failedCount++
-		}
-	}
-	if failedCount > 0 {
-		return fmt.Errorf("reconciliation failed for %d %s(s)", failedCount, resume.kind)
-	}
-
 	return nil
 }
 

docs/release/release-notes-template.md

@@ -26,8 +26,6 @@ The following template can be used for the GitHub release page:
 
 <!-- Text describing the most important changes in this release -->
 
-ℹ️ Please follow the [Upgrade Procedure for Flux v2.7+](https://github.com/fluxcd/flux2/discussions/5572) for a smooth upgrade from Flux v2.6 to the latest version.
-
 ### Fixes and improvements
 
 <!-- List of fixes and improvements to the controllers and CLI -->
@@ -38,7 +36,7 @@ The following template can be used for the GitHub release page:
 
 ## Components changelog
 
-- <name>-controller [v<version>](https://github.com/fluxcd/<name>-controller/blob/<version>/CHANGELOG.md)
+- <name>-controller [v<version>](https://github.com/fluxcd/<name>-controller/blob/<version>/CHANGELOG.md
 
 ## CLI changelog
 

go.mod

@@ -17,20 +17,20 @@ require (
 	github.com/fluxcd/image-reflector-controller/api v1.1.1
 	github.com/fluxcd/kustomize-controller/api v1.8.2
 	github.com/fluxcd/notification-controller/api v1.8.2
-	github.com/fluxcd/pkg/apis/event v0.25.0
-	github.com/fluxcd/pkg/apis/meta v1.26.0
-	github.com/fluxcd/pkg/auth v0.40.0
-	github.com/fluxcd/pkg/chartutil v1.23.0
+	github.com/fluxcd/pkg/apis/event v0.24.1
+	github.com/fluxcd/pkg/apis/meta v1.25.1
+	github.com/fluxcd/pkg/auth v0.38.4
+	github.com/fluxcd/pkg/chartutil v1.22.1
 	github.com/fluxcd/pkg/envsubst v1.5.0
-	github.com/fluxcd/pkg/git v0.46.0
-	github.com/fluxcd/pkg/kustomize v1.28.0
-	github.com/fluxcd/pkg/oci v0.63.0
-	github.com/fluxcd/pkg/runtime v0.103.0
+	github.com/fluxcd/pkg/git v0.43.1
+	github.com/fluxcd/pkg/kustomize v1.27.1
+	github.com/fluxcd/pkg/oci v0.60.1
+	github.com/fluxcd/pkg/runtime v0.100.4
 	github.com/fluxcd/pkg/sourceignore v0.17.0
-	github.com/fluxcd/pkg/ssa v0.70.0
+	github.com/fluxcd/pkg/ssa v0.67.3
 	github.com/fluxcd/pkg/ssh v0.24.0
 	github.com/fluxcd/pkg/tar v0.17.0
-	github.com/fluxcd/pkg/version v0.14.0
+	github.com/fluxcd/pkg/version v0.12.0
 	github.com/fluxcd/source-controller/api v1.8.1
 	github.com/fluxcd/source-watcher/api/v2 v2.1.1
 	github.com/go-git/go-git/v5 v5.16.5
@@ -128,7 +128,7 @@ require (
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluxcd/pkg/apis/acl v0.9.0 // indirect
-	github.com/fluxcd/pkg/apis/kustomize v1.16.0 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v1.15.1 // indirect
 	github.com/fluxcd/pkg/cache v0.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect

go.sum

@@ -186,40 +186,40 @@ github.com/fluxcd/notification-controller/api v1.8.2 h1:TDrXohUC5Gh3BF+v2ux9/zEG
 github.com/fluxcd/notification-controller/api v1.8.2/go.mod h1:ozgJGQPy0dG5eOsLZlwAr6n0q/y6+TWd1fGOtavlXJA=
 github.com/fluxcd/pkg/apis/acl v0.9.0 h1:wBpgsKT+jcyZEcM//OmZr9RiF8klL3ebrDp2u2ThsnA=
 github.com/fluxcd/pkg/apis/acl v0.9.0/go.mod h1:TttNS+gocsGLwnvmgVi3/Yscwqrjc17+vhgYfqkfrV4=
-github.com/fluxcd/pkg/apis/event v0.25.0 h1:zdwytvDhG+fk+Ywl5DOtv7TklkrVgM21WHm1f+YhleE=
-github.com/fluxcd/pkg/apis/event v0.25.0/go.mod h1:TlK8HWYrTwl0raqBRC+ROoNpYW5fdVnwcwOBOx5Kzw8=
-github.com/fluxcd/pkg/apis/kustomize v1.16.0 h1:PhWXEhqQqsisIpwp1/wHvTvo+MO+GGzsBPoN0ZnRE3Y=
-github.com/fluxcd/pkg/apis/kustomize v1.16.0/go.mod h1:IZOy4CCtR/hxMGb7erK1RfbGnczVv4/dRBoVD37AywI=
-github.com/fluxcd/pkg/apis/meta v1.26.0 h1:dxP1FfBpTCYso6odzRcltVnnRuBb2VyhhgV0VX9YbUE=
-github.com/fluxcd/pkg/apis/meta v1.26.0/go.mod h1:c7o6mJGLCMvNrfdinGZehkrdZuFT9vZdZNrn66DtVD0=
-github.com/fluxcd/pkg/auth v0.40.0 h1:p6Kw6KH+z8oRqngKhmTt8ILKD/rC+8tP87a//kLZhi8=
-github.com/fluxcd/pkg/auth v0.40.0/go.mod h1:Oq/hIEKUMTbL2bv5blf+EhC/jXXJLsOjIMtJj/AtG3Y=
+github.com/fluxcd/pkg/apis/event v0.24.1 h1:TClVdn02aiq3sAl9BuzLjjTIxm3JJ83fJ9nchtBa4qg=
+github.com/fluxcd/pkg/apis/event v0.24.1/go.mod h1:TlK8HWYrTwl0raqBRC+ROoNpYW5fdVnwcwOBOx5Kzw8=
+github.com/fluxcd/pkg/apis/kustomize v1.15.1 h1:t9QZh+3ZS8EKmlxrnnbcKZcGTrg8FDvMF1T8BHMCuqI=
+github.com/fluxcd/pkg/apis/kustomize v1.15.1/go.mod h1:IZOy4CCtR/hxMGb7erK1RfbGnczVv4/dRBoVD37AywI=
+github.com/fluxcd/pkg/apis/meta v1.25.1 h1:WG1GIC/SOz0GjxT0uVuO6AMicQ3yFsk6bDozCnq+fto=
+github.com/fluxcd/pkg/apis/meta v1.25.1/go.mod h1:c7o6mJGLCMvNrfdinGZehkrdZuFT9vZdZNrn66DtVD0=
+github.com/fluxcd/pkg/auth v0.38.4 h1:xVsJ1rakUm5zS2tOKguZOQc5g6wLgCNxW2a9exidd4M=
+github.com/fluxcd/pkg/auth v0.38.4/go.mod h1:KTXOh770ukcyQfC8NavEFzm110ORSQRan0v/kjzgFXs=
 github.com/fluxcd/pkg/cache v0.13.0 h1:MqtlgOwIVcGKKgV422e39O+KFSVMWuExKeRaMDBjJlk=
 github.com/fluxcd/pkg/cache v0.13.0/go.mod h1:0xRZ1hitrIFQ6pl68ke2wZLbIqA2VLzY78HpDo9DVxs=
-github.com/fluxcd/pkg/chartutil v1.23.0 h1:ohstQEVnrBIbN85FGu83hnmAohLl0PdOoPlsM6+cjyI=
-github.com/fluxcd/pkg/chartutil v1.23.0/go.mod h1:kFhmD6DwBgRsvC1ilINsomargMi2WbqvSndWQLikkLc=
+github.com/fluxcd/pkg/chartutil v1.22.1 h1:ufI9LJ4d5T79h9ruBQRoRcSmuI/KkcwEqWdxu/9Xub8=
+github.com/fluxcd/pkg/chartutil v1.22.1/go.mod h1:4/2mpNLyfox3uey++hG21AePPsMWekdhSWAtSdDiubQ=
 github.com/fluxcd/pkg/envsubst v1.5.0 h1:S07mo+MkGhptdHA4pRze5HPKlc8tHxKswNdcMZi1WDY=
 github.com/fluxcd/pkg/envsubst v1.5.0/go.mod h1:c3a8DYI855sZUubHFYQbjfjop6Wu4/zg1cLyf7SnCes=
-github.com/fluxcd/pkg/git v0.46.0 h1:QMh0+ZzQ2jO6rIGj4ffR5trZ8g/cxvt8cVajReJ8Iyw=
-github.com/fluxcd/pkg/git v0.46.0/go.mod h1:iHcIjx9c8zye3PQiajTJYxgOMRiy7WCs+hfLKDswpfI=
-github.com/fluxcd/pkg/gittestserver v0.26.0 h1:+RZrCzFRsE+d5WaqAoqaPCEgcgv/jZp6+f7DS0+Ynb8=
-github.com/fluxcd/pkg/gittestserver v0.26.0/go.mod h1:7fybYb0yej1fFNiF1ohs0Jr0XzyaZQ/cRh3AFEoCtuc=
-github.com/fluxcd/pkg/kustomize v1.28.0 h1:0RuFVczJRabbt8frHZ/ql8aqte6BOOKk274O09l6/hE=
-github.com/fluxcd/pkg/kustomize v1.28.0/go.mod h1:cW08mnngSP8MJYb6mDmMvxH8YjNATdiML0udb37dk+M=
-github.com/fluxcd/pkg/oci v0.63.0 h1:ZPKTT2C+gWYjhP63xC76iTPdYE9w3ABcsDq77uhAgwo=
-github.com/fluxcd/pkg/oci v0.63.0/go.mod h1:qMPz4njvm6hJzdyGSb8ydSqrapXxTQwJonxHIsdeXSQ=
-github.com/fluxcd/pkg/runtime v0.103.0 h1:J5y5GPhWdkyqIUBlaI1FP2N02TtZmsjbWhhZubuTSFk=
-github.com/fluxcd/pkg/runtime v0.103.0/go.mod h1:mbo2f3azo3yVQgm7XZGxQB6/2zvzQ5Wgtd8TjRRwwAw=
+github.com/fluxcd/pkg/git v0.43.1 h1:lw29P44wueKzQk79KnYyvisfw//cxg0S4cDeTYx+Slo=
+github.com/fluxcd/pkg/git v0.43.1/go.mod h1:3R/AjCe7ee7FqWcAG+2IiuJPOCxrGHF4SCGkuvKS6OQ=
+github.com/fluxcd/pkg/gittestserver v0.25.1 h1:40Ridmy1xKxBM9ItDn012R4VKmaoDqzvGaC5g7xv+mw=
+github.com/fluxcd/pkg/gittestserver v0.25.1/go.mod h1:7fybYb0yej1fFNiF1ohs0Jr0XzyaZQ/cRh3AFEoCtuc=
+github.com/fluxcd/pkg/kustomize v1.27.1 h1:BLOBNLb2N5ObttZA8XJhZ2NqNY1ZjBqQtTpNlIx8/L4=
+github.com/fluxcd/pkg/kustomize v1.27.1/go.mod h1:A2RQTe9woDPiwJDWFlkoP4oF9eX9DeXr89FEkKnSObk=
+github.com/fluxcd/pkg/oci v0.60.1 h1:mT6WBX+MBIcczzEnw/W4cfXyt5JSRNhRoB/UnJ72K6M=
+github.com/fluxcd/pkg/oci v0.60.1/go.mod h1:w2FGseUl3WGjwRMH/3h6MTI4gKahcBQtnGbn/TQVA34=
+github.com/fluxcd/pkg/runtime v0.100.4 h1:rwvbeoeWN0BTJORJBISJJEkWn6DVfmWwynFl2GseWns=
+github.com/fluxcd/pkg/runtime v0.100.4/go.mod h1:M6LjRJ1hIe2s6E2ykFfae1Xy/rLvOFQf2QquMKmN350=
 github.com/fluxcd/pkg/sourceignore v0.17.0 h1:Z72nruRMhC15zIEpWoDrAcJcJ1El6QDnP/aRDfE4WOA=
 github.com/fluxcd/pkg/sourceignore v0.17.0/go.mod h1:3e/VmYLId0pI/H5sK7W9Ibif+j0Ahns9RxNjDMtTTfY=
-github.com/fluxcd/pkg/ssa v0.70.0 h1:IBylYPiTK1IEdCC2DvjKXIhwQcbd5VufXA9WS3zO+tE=
-github.com/fluxcd/pkg/ssa v0.70.0/go.mod h1:6igtlt7/zF+nNFQpa5ZAkkvtpL6o36NRU39/PqqC+Bg=
+github.com/fluxcd/pkg/ssa v0.67.3 h1:mjuhH5fNOYstkF6jB7EeaWmfnt5T272Cup8ZD9O8YBQ=
+github.com/fluxcd/pkg/ssa v0.67.3/go.mod h1:6igtlt7/zF+nNFQpa5ZAkkvtpL6o36NRU39/PqqC+Bg=
 github.com/fluxcd/pkg/ssh v0.24.0 h1:hrPlxs0hhXf32DRqs68VbsXs0XfQMphyRVIk0rYYJa4=
 github.com/fluxcd/pkg/ssh v0.24.0/go.mod h1:xWammEqalrpurpcMiixJRXtynRQtBEoqheyU5F/vWrg=
 github.com/fluxcd/pkg/tar v0.17.0 h1:uNxbFXy8ly8C7fJ8D7w3rjTNJFrb4Hp1aY/30XkfvxY=
 github.com/fluxcd/pkg/tar v0.17.0/go.mod h1:b1xyIRYDD0ket4SV5u0UXYv+ZdN/O/HmIO5jZQdHQls=
-github.com/fluxcd/pkg/version v0.14.0 h1:T3llSc8sUnsuFrW5ng2ePSfXwGXUKv0YG9QXf0ErhWw=
-github.com/fluxcd/pkg/version v0.14.0/go.mod h1:YHdg/78kzf+kCqS+SqSOiUxum5AjxlixiqwpX6AUZB8=
+github.com/fluxcd/pkg/version v0.12.0 h1:MGbdbNf2D5wazMqAkNPn+Lh5j+oY0gxQJFTGyet5Hfc=
+github.com/fluxcd/pkg/version v0.12.0/go.mod h1:YHdg/78kzf+kCqS+SqSOiUxum5AjxlixiqwpX6AUZB8=
 github.com/fluxcd/source-controller/api v1.8.1 h1:49HiJF5mNEdZTwueQMRahTVts35B+xhN5CsuOAL9gQ0=
 github.com/fluxcd/source-controller/api v1.8.1/go.mod h1:HgZ6NSH1cyOE2jRoNwln1xEwr9ETvrLeiy1o4O04vQM=
 github.com/fluxcd/source-watcher/api/v2 v2.1.1 h1:1LfT50ty+78MKKbschAZl28QbVqIyjaNq17KmW5wPJI=

rfcs/0010-multi-tenant-workload-identity/README.md

@@ -1,10 +1,15 @@
 # RFC-0010 Multi-Tenant Workload Identity
 
-**Status:** implemented
+**Status:** implementable
+
+<!--
+Status represents the current state of the RFC.
+Must be one of `provisional`, `implementable`, `implemented`, `deferred`, `rejected`, `withdrawn`, or `replaced`.
+-->
 
 **Creation date:** 2025-02-22
 
-**Last update:** 2026-03-13
+**Last update:** 2025-04-29
 
 ## Summary
 
@@ -1415,11 +1420,10 @@ options to call `gcp.NewTokenSource()` and feed this token source to the
   `HelmRepository` and `HelmChart`, as well as for SOPS decryption
   in the `Kustomization` API and Azure Event Hubs in the
   `Provider` API.
-* In Flux 2.7 object-level workload identity was introduced for all
-  the remaining APIs that support cloud providers, i.e. `Bucket`,
-  `GitRepository` and `ImageUpdateAutomation`, and also all the
-  remaining types for the `Provider` API, i.e. `azuredevops` and
-  `googlepubsub`. In addition, support for controller and
-  object-level workload identity was introduced for the
-  `Kustomization` and `HelmRelease` APIs for remote cluster
-  access.
+
+<!--
+Major milestones in the lifecycle of the RFC such as:
+- The first Flux release where an initial version of the RFC was available.
+- The version of Flux where the RFC graduated to general availability.
+- The version of Flux where the RFC was retired or superseded.
+-->

rfcs/0011-opentelemetry-tracing/README.md

@@ -1,10 +1,15 @@
 # RFC-0011: OpenTelemetry Tracing
 
-**Status:** implemented
+**Status:** provisional
+
+<!--
+Status represents the current state of the RFC.
+Must be one of `provisional`, `implementable`, `implemented`, `deferred`, `rejected`, `withdrawn`, or `replaced`.
+-->
 
 **Creation date:** 2025-04-24
 
-**Last update:** 2026-03-13
+**Last update:** 2025-08-13
 
 ## Summary
 The aim is to be able to collect traces via OpenTelemetry (OTel) across all Flux related objects, such as HelmReleases, Kustomizations and among others. These may be sent towards a tracing provider where may be potentially stored and visualized. Flux does not have any responsibility on storing and visualizing those, it keeps being completely stateless. Thereby, being seamless for the user, the implementation is going to be part of the already existing `Alert` API Type. Therefore, `EventSources` is going to discriminate the events belonging to the specific sources, which are going to be looked up to and send them out towards the `Provider` set. In this way, it could facilitate the observability and monitoring of Flux related objects.
@@ -205,4 +210,9 @@ This design ensures trace continuity even in challenging distributed environment
 
 ## Implementation History
 
-* RFC implemented and generally available in Flux [v2.7.0](https://github.com/fluxcd/flux2/releases/tag/v2.7.0)
+<!--
+Major milestones in the lifecycle of the RFC such as:
+- The first Flux release where an initial version of the RFC was available.
+- The version of Flux where the RFC graduated to general availability.
+- The version of Flux where the RFC was retired or superseded.
+-->

rfcs/0012-external-artifact/README.md

@@ -1,10 +1,10 @@
 # RFC-0012 External Artifact
 
-**Status:** implemented
+**Status:** provisional
 
 **Creation date:** 2025-04-08
 
-**Last update:** 2026-03-13
+**Last update:** 2025-09-03
 
 ## Summary
 
@@ -319,4 +319,9 @@ control the adoption of the `ExternalArtifact` feature in their clusters.
 
 ## Implementation History
 
-* RFC implemented and generally available in Flux [v2.7.0](https://github.com/fluxcd/flux2/releases/tag/v2.7.0)
+<!--
+Major milestones in the lifecycle of the RFC such as:
+- The first Flux release where an initial version of the RFC was available.
+- The version of Flux where the RFC graduated to general availability.
+- The version of Flux where the RFC was retired or superseded.
+-->

tests/integration/go.mod

@@ -11,10 +11,10 @@ require (
 	github.com/fluxcd/image-reflector-controller/api v1.0.4
 	github.com/fluxcd/kustomize-controller/api v1.7.3
 	github.com/fluxcd/notification-controller/api v1.7.5
-	github.com/fluxcd/pkg/apis/event v0.25.0
-	github.com/fluxcd/pkg/apis/meta v1.26.0
-	github.com/fluxcd/pkg/git v0.46.0
-	github.com/fluxcd/pkg/runtime v0.103.0
+	github.com/fluxcd/pkg/apis/event v0.24.1
+	github.com/fluxcd/pkg/apis/meta v1.25.1
+	github.com/fluxcd/pkg/git v0.43.1
+	github.com/fluxcd/pkg/runtime v0.100.4
 	github.com/fluxcd/source-controller/api v1.7.4
 	github.com/fluxcd/test-infra/tftestenv v0.0.0-20250626232827-e0ca9c3f8d7b
 	github.com/go-git/go-git/v5 v5.16.5
@@ -66,9 +66,9 @@ require (
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluxcd/pkg/apis/acl v0.9.0 // indirect
-	github.com/fluxcd/pkg/apis/kustomize v1.16.0 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v1.15.1 // indirect
 	github.com/fluxcd/pkg/ssh v0.24.0 // indirect
-	github.com/fluxcd/pkg/version v0.14.0 // indirect
+	github.com/fluxcd/pkg/version v0.12.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.7.0 // indirect

tests/integration/go.sum

@@ -136,22 +136,22 @@ github.com/fluxcd/notification-controller/api v1.7.5 h1:6CO5bKyjodiK9exQFOdBcz0X
 github.com/fluxcd/notification-controller/api v1.7.5/go.mod h1:IciwSg8Q0pVtdbsyDyEXx/MxBKWeagxAazpm64C8oCE=
 github.com/fluxcd/pkg/apis/acl v0.9.0 h1:wBpgsKT+jcyZEcM//OmZr9RiF8klL3ebrDp2u2ThsnA=
 github.com/fluxcd/pkg/apis/acl v0.9.0/go.mod h1:TttNS+gocsGLwnvmgVi3/Yscwqrjc17+vhgYfqkfrV4=
-github.com/fluxcd/pkg/apis/event v0.25.0 h1:zdwytvDhG+fk+Ywl5DOtv7TklkrVgM21WHm1f+YhleE=
-github.com/fluxcd/pkg/apis/event v0.25.0/go.mod h1:TlK8HWYrTwl0raqBRC+ROoNpYW5fdVnwcwOBOx5Kzw8=
-github.com/fluxcd/pkg/apis/kustomize v1.16.0 h1:PhWXEhqQqsisIpwp1/wHvTvo+MO+GGzsBPoN0ZnRE3Y=
-github.com/fluxcd/pkg/apis/kustomize v1.16.0/go.mod h1:IZOy4CCtR/hxMGb7erK1RfbGnczVv4/dRBoVD37AywI=
-github.com/fluxcd/pkg/apis/meta v1.26.0 h1:dxP1FfBpTCYso6odzRcltVnnRuBb2VyhhgV0VX9YbUE=
-github.com/fluxcd/pkg/apis/meta v1.26.0/go.mod h1:c7o6mJGLCMvNrfdinGZehkrdZuFT9vZdZNrn66DtVD0=
-github.com/fluxcd/pkg/git v0.46.0 h1:QMh0+ZzQ2jO6rIGj4ffR5trZ8g/cxvt8cVajReJ8Iyw=
-github.com/fluxcd/pkg/git v0.46.0/go.mod h1:iHcIjx9c8zye3PQiajTJYxgOMRiy7WCs+hfLKDswpfI=
-github.com/fluxcd/pkg/gittestserver v0.26.0 h1:+RZrCzFRsE+d5WaqAoqaPCEgcgv/jZp6+f7DS0+Ynb8=
-github.com/fluxcd/pkg/gittestserver v0.26.0/go.mod h1:7fybYb0yej1fFNiF1ohs0Jr0XzyaZQ/cRh3AFEoCtuc=
-github.com/fluxcd/pkg/runtime v0.103.0 h1:J5y5GPhWdkyqIUBlaI1FP2N02TtZmsjbWhhZubuTSFk=
-github.com/fluxcd/pkg/runtime v0.103.0/go.mod h1:mbo2f3azo3yVQgm7XZGxQB6/2zvzQ5Wgtd8TjRRwwAw=
+github.com/fluxcd/pkg/apis/event v0.24.1 h1:TClVdn02aiq3sAl9BuzLjjTIxm3JJ83fJ9nchtBa4qg=
+github.com/fluxcd/pkg/apis/event v0.24.1/go.mod h1:TlK8HWYrTwl0raqBRC+ROoNpYW5fdVnwcwOBOx5Kzw8=
+github.com/fluxcd/pkg/apis/kustomize v1.15.1 h1:t9QZh+3ZS8EKmlxrnnbcKZcGTrg8FDvMF1T8BHMCuqI=
+github.com/fluxcd/pkg/apis/kustomize v1.15.1/go.mod h1:IZOy4CCtR/hxMGb7erK1RfbGnczVv4/dRBoVD37AywI=
+github.com/fluxcd/pkg/apis/meta v1.25.1 h1:WG1GIC/SOz0GjxT0uVuO6AMicQ3yFsk6bDozCnq+fto=
+github.com/fluxcd/pkg/apis/meta v1.25.1/go.mod h1:c7o6mJGLCMvNrfdinGZehkrdZuFT9vZdZNrn66DtVD0=
+github.com/fluxcd/pkg/git v0.43.1 h1:lw29P44wueKzQk79KnYyvisfw//cxg0S4cDeTYx+Slo=
+github.com/fluxcd/pkg/git v0.43.1/go.mod h1:3R/AjCe7ee7FqWcAG+2IiuJPOCxrGHF4SCGkuvKS6OQ=
+github.com/fluxcd/pkg/gittestserver v0.25.1 h1:40Ridmy1xKxBM9ItDn012R4VKmaoDqzvGaC5g7xv+mw=
+github.com/fluxcd/pkg/gittestserver v0.25.1/go.mod h1:7fybYb0yej1fFNiF1ohs0Jr0XzyaZQ/cRh3AFEoCtuc=
+github.com/fluxcd/pkg/runtime v0.100.4 h1:rwvbeoeWN0BTJORJBISJJEkWn6DVfmWwynFl2GseWns=
+github.com/fluxcd/pkg/runtime v0.100.4/go.mod h1:M6LjRJ1hIe2s6E2ykFfae1Xy/rLvOFQf2QquMKmN350=
 github.com/fluxcd/pkg/ssh v0.24.0 h1:hrPlxs0hhXf32DRqs68VbsXs0XfQMphyRVIk0rYYJa4=
 github.com/fluxcd/pkg/ssh v0.24.0/go.mod h1:xWammEqalrpurpcMiixJRXtynRQtBEoqheyU5F/vWrg=
-github.com/fluxcd/pkg/version v0.14.0 h1:T3llSc8sUnsuFrW5ng2ePSfXwGXUKv0YG9QXf0ErhWw=
-github.com/fluxcd/pkg/version v0.14.0/go.mod h1:YHdg/78kzf+kCqS+SqSOiUxum5AjxlixiqwpX6AUZB8=
+github.com/fluxcd/pkg/version v0.12.0 h1:MGbdbNf2D5wazMqAkNPn+Lh5j+oY0gxQJFTGyet5Hfc=
+github.com/fluxcd/pkg/version v0.12.0/go.mod h1:YHdg/78kzf+kCqS+SqSOiUxum5AjxlixiqwpX6AUZB8=
 github.com/fluxcd/source-controller/api v1.7.4 h1:+EOVnRA9LmLxOx7J273l7IOEU39m+Slt/nQGBy69ygs=
 github.com/fluxcd/source-controller/api v1.7.4/go.mod h1:ruf49LEgZRBfcP+eshl2n9SX1MfHayCcViAIGnZcaDY=
 github.com/fluxcd/test-infra/tftestenv v0.0.0-20250626232827-e0ca9c3f8d7b h1:FSPtvaVgL8azcyweqLmD71elAw4vozuXH/QvsJQ7tg0=