Raffael Sahli · raffis · Aurel Canciu · dependabot[bot] · Max Jonas Werner · dependabot[bot]
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -17,7 +17,7 @@ jobs:
      - name: Checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Restore Go cache
-        uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}

--- a/.github/workflows/e2e-bootstrap.yaml
+++ b/.github/workflows/e2e-bootstrap.yaml
@@ -18,7 +18,7 @@ jobs:
      - name: Checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Restore Go cache
-        uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
@@ -29,10 +29,11 @@ jobs:
        with:
          go-version: 1.19.x
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
+        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
        with:
-          version: v0.16.0
-          image: kindest/node:v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace
+          version: v0.17.0
+          cluster_name: kind
+          node_image: kindest/node:v1.25.2
      - name: Setup Kustomize
        uses: fluxcd/pkg//actions/kustomize@main
      - name: Build

--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -22,7 +22,7 @@ jobs:
      - name: Checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      - name: Restore Go cache
-        uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go1.18-${{ hashFiles('**/go.sum') }}
@@ -33,11 +33,12 @@ jobs:
        with:
          go-version: 1.19.x
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
+        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
        with:
-          version: v0.11.1
-          image: kindest/node:v1.23.13
+          version: v0.17.0
+          cluster_name: kind
          config: .github/kind/config.yaml # disable KIND-net
+          node_image: kindest/node:v1.23.13
      - name: Setup Calico for network policy
        run: |
          kubectl apply -f https://docs.projectcalico.org/v3.20/manifests/calico.yaml

--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -27,9 +27,9 @@ jobs:
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325  # v2
+        uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98  # v2
      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1
+        uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
      - name: Setup Cosign
        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
      - name: Setup Kustomize
@@ -73,7 +73,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v3
+        uses: goreleaser/goreleaser-action@9754a253a8673b0ea869c2e863b4e975497efd0c # v3
        with:
          version: latest
          args: release --release-notes=output/notes.md --skip-validate

--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -38,14 +38,14 @@ jobs:
        run: |
          make cmd/flux/.manifests.done
      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/golang@1cc9026f51d822442cb4b872d8d7ead8cc69a018 # v0.3.0
+        uses: snyk/actions/golang@e25b2e6f5658d1bb7a6671b113260f13134cc3af # v0.3.0
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
+        uses: github/codeql-action/upload-sarif@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2
        with:
          sarif_file: snyk.sarif

@@ -62,10 +62,10 @@ jobs:
        with:
          go-version: 1.19.x
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
+        uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2
        with:
          languages: go
      - name: Autobuild
-        uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
+        uses: github/codeql-action/autobuild@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
+        uses: github/codeql-action/analyze@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2
--- a/Dockerfile
+++ b/Dockerfile
-FROM alpine:3.16 as builder
+FROM alpine:3.17 as builder

 RUN apk add --no-cache ca-certificates curl

 ARG ARCH=linux/amd64
-ARG KUBECTL_VER=1.25.4
+ARG KUBECTL_VER=1.26.1

 RUN curl -sL https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VER}/bin/${ARCH}/kubectl \
    -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
    kubectl version --client=true

-FROM alpine:3.16 as flux-cli
+FROM alpine:3.17 as flux-cli

 RUN apk add --no-cache ca-certificates


--- a/action/README.md
+++ b/action/README.md
@@ -35,6 +35,20 @@ You can download a specific version with:
          version: 0.32.0
 ```

+You can also authenticate against the GitHub API using GitHub Actions' `GITHUB_TOKEN` secret.
+
+For more information, please [read about the GitHub token secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret).
+
+```yaml
+    steps:
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@main
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+This is useful if you are seeing failures on shared runners, those failures are usually API limits being hit.
+
 ### Automate Flux updates

 Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
@@ -52,7 +66,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
      - name: Check for updates
@@ -62,9 +76,9 @@ jobs:
            --export > ./clusters/production/flux-system/gotk-components.yaml

          VERSION="$(flux -v)"
-          echo "::set-output name=flux_version::$VERSION"
+          echo "flux_version=$VERSION" >> $GITHUB_OUTPUT
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@v4
        with:
            token: ${{ secrets.GITHUB_TOKEN }}
            branch: update-flux
@@ -120,18 +134,25 @@ jobs:
          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
 ```

-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to Docker Hub:
+### Push and sign Kubernetes manifests to container registries
+
+Example workflow for publishing Kubernetes manifests bundled as OCI artifacts
+which are signed with Cosign and GitHub OIDC:

 ```yaml
-name: push-artifact-production
+name: push-sign-artifact

 on:
  push:
-    tags:
-      - '*'
+    branches:
+      - 'main'
+
+permissions:
+  packages: write # needed for ghcr.io access
+  id-token: write # needed for keyless signing

 env:
-  OCI_REPO: "oci://docker.io/my-org/app-config"
+  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"

 jobs:
  kubernetes:
@@ -141,23 +162,24 @@ jobs:
        uses: actions/checkout@v3
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
-      - name: Login to Docker Hub
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@main
+      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Generate manifests
-        run: |
-          kustomize build ./manifests/production > ./deploy/app.yaml
-      - name: Push manifests
-        run: |
-          flux push artifact $OCI_REPO:$(git tag --points-at HEAD) \
-            --path="./deploy" \
-            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
-      - name: Deploy manifests to production
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push and sign manifests
        run: |
-          flux tag artifact $OCI_REPO:$(git tag --points-at HEAD) --tag production
+          digest_url=$(flux push artifact \
+          $OCI_REPO:$(git rev-parse --short HEAD) \
+          --path="./manifests" \
+          --source="$(git config --get remote.origin.url)" \
+          --revision="$(git branch --show-current)/$(git rev-parse HEAD)" |\
+          jq -r '. | .repository + "@" + .digest')
+
+          cosign sign $digest_url
 ```

 ### End-to-end testing
@@ -177,7 +199,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Setup Flux CLI
        uses: fluxcd/flux2/action@main
      - name: Setup Kubernetes Kind

--- a/action/action.yml
+++ b/action/action.yml
@@ -15,6 +15,9 @@ inputs:
  bindir:
    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
    required: false
+  token:
+    description: "GitHub Token used to authentication against the API (generally only needed to prevent quota limit errors)"
+    required: false
 runs:
  using: composite
  steps:
@@ -23,20 +26,29 @@ runs:
      run: |
        ARCH=${{ inputs.arch }}
        VERSION=${{ inputs.version }}
+        TOKEN=${{ inputs.token }}
+
+        if [ -z "${VERSION}" ]; then
+          if [ -n "${TOKEN}" ]; then
+            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location --header "Authorization: token ${TOKEN}" | grep tag_name)
+          else
+            # With no GITHUB_TOKEN you will experience occasional failures due to rate limiting
+            # Ref: https://github.com/fluxcd/flux2/issues/3509#issuecomment-1400820992
+            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location | grep tag_name)
+          fi

-        if [ -z $VERSION ]; then
-          VERSION=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+          VERSION=$(echo "${VERSION_SLUG}" | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
        fi

        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
-        curl -sL ${BIN_URL} -o /tmp/flux.tar.gz
+        curl --silent --fail --location "${BIN_URL}" --output /tmp/flux.tar.gz
        mkdir -p /tmp/flux
        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
    - name: "Copy Flux binary to execute location"
      shell: bash
      run: |
        BINDIR=${{ inputs.bindir }}
-        if [ -z $BINDIR ]; then
+        if [ -z "${BINDIR}" ]; then
          sudo cp /tmp/flux/flux /usr/local/bin
        else
          cp /tmp/flux/flux "${BINDIR}"

--- a/cmd/flux/get.go
+++ b/cmd/flux/get.go
@@ -163,9 +163,16 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {

 	if get.list.len() == 0 {
 		if len(args) > 0 {
-			logger.Failuref("%s object '%s' not found in '%s' namespace", get.kind, args[0], *kubeconfigArgs.Namespace)
+			logger.Failuref("%s object '%s' not found in %s namespace",
+				get.kind,
+				args[0],
+				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
+			)
 		} else if !getAll {
-			logger.Failuref("no %s objects found in %s namespace", get.kind, *kubeconfigArgs.Namespace)
+			logger.Failuref("no %s objects found in %s namespace",
+				get.kind,
+				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
+			)
 		}
 		return nil
 	}
@@ -192,6 +199,13 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 	return nil
 }

+func namespaceNameOrAny(allNamespaces bool, namespaceName string) string {
+	if allNamespaces {
+		return "any"
+	}
+	return fmt.Sprintf("%q", namespaceName)
+}
+
 func getRowsToPrint(getAll bool, list summarisable) ([][]string, error) {
 	noFilter := true
 	var conditionType, conditionStatus string

--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@@ -18,12 +18,15 @@ package main

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"

 	"github.com/fluxcd/flux2/internal/flags"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	reg "github.com/google/go-containerregistry/pkg/name"
 	"github.com/spf13/cobra"
+	"sigs.k8s.io/yaml"

 	oci "github.com/fluxcd/pkg/oci/client"
 )
@@ -40,6 +43,16 @@ The command can read the credentials from '~/.docker/config.json' but they can a
 	--source="$(git config --get remote.origin.url)" \
 	--revision="$(git branch --show-current)/$(git rev-parse HEAD)"

+  # Push and sign artifact with cosign
+  digest_url = $(flux push artifact \
+	oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
+	--source="$(git config --get remote.origin.url)" \
+	--revision="$(git branch --show-current)/$(git rev-parse HEAD)" \
+	--path="./path/to/local/manifest.yaml" \
+	--output json | \
+	jq -r '. | .repository + "@" + .digest')
+  cosign sign $digest_url
+
  # Push manifests passed into stdin to GHCR
  kustomize build . | flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) -p - \ 
    --source="$(git config --get remote.origin.url)" \
@@ -85,6 +98,7 @@ type pushArtifactFlags struct {
 	creds       string
 	provider    flags.SourceOCIProvider
 	ignorePaths []string
+	output      string
 }

 var pushArtifactArgs = newPushArtifactFlags()
@@ -102,6 +116,8 @@ func init() {
 	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description())
 	pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
+	pushArtifactCmd.Flags().StringVarP(&pushArtifactArgs.output, "output", "o", "",
+		"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")

 	pushCmd.AddCommand(pushArtifactCmd)
 }
@@ -172,14 +188,54 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}

-	logger.Actionf("pushing artifact to %s", url)
+	if pushArtifactArgs.output == "" {
+		logger.Actionf("pushing artifact to %s", url)
+	}

-	digest, err := ociClient.Push(ctx, url, path, meta, pushArtifactArgs.ignorePaths)
+	digestURL, err := ociClient.Push(ctx, url, path, meta, pushArtifactArgs.ignorePaths)
 	if err != nil {
 		return fmt.Errorf("pushing artifact failed: %w", err)
 	}

-	logger.Successf("artifact successfully pushed to %s", digest)
+	digest, err := reg.NewDigest(digestURL)
+	if err != nil {
+		return fmt.Errorf("artifact digest parsing failed: %w", err)
+	}
+
+	tag, err := reg.NewTag(url)
+	if err != nil {
+		return fmt.Errorf("artifact tag parsing failed: %w", err)
+	}
+
+	info := struct {
+		URL        string `json:"url"`
+		Repository string `json:"repository"`
+		Tag        string `json:"tag"`
+		Digest     string `json:"digest"`
+	}{
+		URL:        fmt.Sprintf("oci://%s", digestURL),
+		Repository: digest.Repository.Name(),
+		Tag:        tag.TagStr(),
+		Digest:     digest.DigestStr(),
+	}
+
+	switch pushArtifactArgs.output {
+	case "json":
+		marshalled, err := json.MarshalIndent(&info, "", "  ")
+		if err != nil {
+			return fmt.Errorf("artifact digest JSON conversion failed: %w", err)
+		}
+		marshalled = append(marshalled, "\n"...)
+		rootCmd.Print(string(marshalled))
+	case "yaml":
+		marshalled, err := yaml.Marshal(&info)
+		if err != nil {
+			return fmt.Errorf("artifact digest YAML conversion failed: %w", err)
+		}
+		rootCmd.Print(string(marshalled))
+	default:
+		logger.Successf("artifact successfully pushed to %s", digestURL)
+	}

 	return nil
 }
--- a/cmd/flux/tree_kustomization.go
+++ b/cmd/flux/tree_kustomization.go
@@ -26,18 +26,21 @@ import (
 	"io"
 	"strings"

-	"github.com/fluxcd/flux2/internal/tree"
-	"github.com/fluxcd/flux2/internal/utils"
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-	"github.com/fluxcd/pkg/ssa"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/cli-utils/pkg/object"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	"github.com/fluxcd/pkg/ssa"
+
+	"github.com/fluxcd/flux2/internal/tree"
+	"github.com/fluxcd/flux2/internal/utils"
 )

 var treeKsCmd = &cobra.Command{
@@ -262,6 +265,7 @@ func getHelmReleaseInventory(ctx context.Context, objectKey client.ObjectKey, ku
 		b = b2
 	}

+	// extract objects from Helm storage
 	var rls hrStorage
 	if err := json.Unmarshal(b, &rls); err != nil {
 		return nil, fmt.Errorf("failed to decode the Helm storage object for HelmRelease '%s': %w", objectKey.String(), err)
@@ -272,5 +276,52 @@ func getHelmReleaseInventory(ctx context.Context, objectKey client.ObjectKey, ku
 		return nil, fmt.Errorf("failed to read the Helm storage object for HelmRelease '%s': %w", objectKey.String(), err)
 	}

-	return object.UnstructuredSetToObjMetadataSet(objects), nil
+	// set the namespace on namespaced objects
+	for _, obj := range objects {
+		if obj.GetNamespace() == "" {
+			if isNamespaced, _ := utils.IsAPINamespaced(obj, kubeClient.Scheme(), kubeClient.RESTMapper()); isNamespaced {
+				if hr.Spec.TargetNamespace != "" {
+					obj.SetNamespace(hr.Spec.TargetNamespace)
+				} else {
+					obj.SetNamespace(hr.GetNamespace())
+				}
+			}
+		}
+	}
+
+	result := object.UnstructuredSetToObjMetadataSet(objects)
+
+	// search for CRDs managed by the HelmRelease if installing or upgrading CRDs is enabled in spec
+	if (hr.Spec.Install != nil && len(hr.Spec.Install.CRDs) > 0 && hr.Spec.Install.CRDs != helmv2.Skip) ||
+		(hr.Spec.Upgrade != nil && len(hr.Spec.Upgrade.CRDs) > 0 && hr.Spec.Upgrade.CRDs != helmv2.Skip) {
+		selector := client.MatchingLabels{
+			fmt.Sprintf("%s/name", helmv2.GroupVersion.Group):      hr.GetName(),
+			fmt.Sprintf("%s/namespace", helmv2.GroupVersion.Group): hr.GetNamespace(),
+		}
+		crdKind := "CustomResourceDefinition"
+		var list apiextensionsv1.CustomResourceDefinitionList
+		if err := kubeClient.List(ctx, &list, selector); err == nil {
+			for _, crd := range list.Items {
+				found := false
+				for _, r := range result {
+					if r.Name == crd.GetName() && r.GroupKind.Kind == crdKind {
+						found = true
+						break
+					}
+				}
+
+				if !found {
+					result = append(result, object.ObjMetadata{
+						Name: crd.GetName(),
+						GroupKind: schema.GroupKind{
+							Group: apiextensionsv1.GroupName,
+							Kind:  crdKind,
+						},
+					})
+				}
+			}
+		}
+	}
+
+	return result, nil
 }
--- a/go.mod
+++ b/go.mod
@@ -4,52 +4,52 @@ go 1.18

 require (
 	github.com/Masterminds/semver/v3 v3.2.0
-	github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4
+	github.com/ProtonMail/go-crypto v0.0.0-20230127202215-f7f10de891d5
 	github.com/cyphar/filepath-securejoin v0.2.3
-	github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2
-	github.com/fluxcd/go-git-providers v0.12.0
+	github.com/distribution/distribution/v3 v3.0.0-20230131081513-cf87e8d07e8d
+	github.com/fluxcd/go-git-providers v0.13.0
 	github.com/fluxcd/go-git/v5 v5.0.0-20221219190809-2e5c9d01cfc4
-	github.com/fluxcd/helm-controller/api v0.28.1
-	github.com/fluxcd/image-automation-controller/api v0.28.0
-	github.com/fluxcd/image-reflector-controller/api v0.23.1
-	github.com/fluxcd/kustomize-controller/api v0.32.0
-	github.com/fluxcd/notification-controller/api v0.30.2
-	github.com/fluxcd/pkg/apis/meta v0.18.0
-	github.com/fluxcd/pkg/git v0.7.0
-	github.com/fluxcd/pkg/git/gogit v0.4.1
-	github.com/fluxcd/pkg/kustomize v0.12.0
-	github.com/fluxcd/pkg/oci v0.17.0
-	github.com/fluxcd/pkg/runtime v0.24.0
+	github.com/fluxcd/helm-controller/api v0.29.0
+	github.com/fluxcd/image-automation-controller/api v0.29.0
+	github.com/fluxcd/image-reflector-controller/api v0.24.0
+	github.com/fluxcd/kustomize-controller/api v0.33.0
+	github.com/fluxcd/notification-controller/api v0.31.0
+	github.com/fluxcd/pkg/apis/meta v0.19.0
+	github.com/fluxcd/pkg/git v0.8.0
+	github.com/fluxcd/pkg/git/gogit v0.5.0
+	github.com/fluxcd/pkg/kustomize v0.13.0
+	github.com/fluxcd/pkg/oci v0.18.0
+	github.com/fluxcd/pkg/runtime v0.27.0
 	github.com/fluxcd/pkg/sourceignore v0.3.0
-	github.com/fluxcd/pkg/ssa v0.22.0
+	github.com/fluxcd/pkg/ssa v0.23.0
 	github.com/fluxcd/pkg/ssh v0.7.0
 	github.com/fluxcd/pkg/untar v0.2.0
 	github.com/fluxcd/pkg/version v0.2.0
-	github.com/fluxcd/source-controller/api v0.33.0
+	github.com/fluxcd/source-controller/api v0.34.0
 	github.com/gonvenience/bunt v1.3.4
 	github.com/gonvenience/ytbx v1.4.4
 	github.com/google/go-cmp v0.5.9
-	github.com/google/go-containerregistry v0.12.1
+	github.com/google/go-containerregistry v0.13.0
 	github.com/homeport/dyff v1.5.6
 	github.com/lucasb-eyer/go-colorful v1.2.0
 	github.com/manifoldco/promptui v0.9.0
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/onsi/gomega v1.24.2
+	github.com/onsi/gomega v1.26.0
 	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/theckman/yacspin v0.13.12
-	golang.org/x/crypto v0.4.0
-	golang.org/x/term v0.3.0
-	k8s.io/api v0.25.4
-	k8s.io/apiextensions-apiserver v0.25.4
-	k8s.io/apimachinery v0.25.4
-	k8s.io/cli-runtime v0.25.4
-	k8s.io/client-go v0.25.4
-	k8s.io/kubectl v0.25.4
+	golang.org/x/crypto v0.5.0
+	golang.org/x/term v0.4.0
+	k8s.io/api v0.26.1
+	k8s.io/apiextensions-apiserver v0.26.1
+	k8s.io/apimachinery v0.26.1
+	k8s.io/cli-runtime v0.26.1
+	k8s.io/client-go v0.26.1
+	k8s.io/kubectl v0.26.1
 	sigs.k8s.io/cli-utils v0.34.0
-	sigs.k8s.io/controller-runtime v0.13.1
+	sigs.k8s.io/controller-runtime v0.14.2
 	sigs.k8s.io/kustomize/api v0.12.1
 	sigs.k8s.io/kustomize/kyaml v0.13.9
 	sigs.k8s.io/yaml v1.3.0
@@ -62,35 +62,28 @@ replace golang.org/x/text => golang.org/x/text v0.4.0
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1

 require (
-	cloud.google.com/go v0.99.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect
 	github.com/BurntSushi/toml v1.0.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.17.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.18.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.4 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.22 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.18.10 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.10 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.28 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.18.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.18.2 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect
@@ -118,9 +111,9 @@ require (
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/color v1.13.0 // indirect
-	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect
-	github.com/fluxcd/pkg/apis/kustomize v0.7.0 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v0.8.0 // indirect
 	github.com/fluxcd/pkg/tar v0.2.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
@@ -153,7 +146,7 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
@@ -192,7 +185,6 @@ require (
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
@@ -208,12 +200,12 @@ require (
 	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
 	go.starlark.net v0.0.0-20221028183056-acb66ad56dd2 // indirect
 	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/net v0.4.0 // indirect
+	golang.org/x/net v0.5.0 // indirect
 	golang.org/x/oauth2 v0.2.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
-	golang.org/x/time v0.2.0 // indirect
+	golang.org/x/sys v0.4.0 // indirect
+	golang.org/x/text v0.6.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.4.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
@@ -222,10 +214,10 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.25.4 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
+	k8s.io/component-base v0.26.1 // indirect
+	k8s.io/klog/v2 v2.90.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20221110221610-a28e98eb7c70 // indirect
-	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 // indirect
+	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/install/README.md
+++ b/install/README.md
@@ -9,6 +9,9 @@ To install the latest release run:
 curl -s https://raw.githubusercontent.com/fluxcd/flux2/main/install/flux.sh | sudo bash
 ```

+**Note**: You may want to export the `GITHUB_TOKEN` environment variable using a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
+to avoid GitHub API rate-limiting errors if executing the install script repeatedly during a short time frame.
+
 The install script does the following:
 * attempts to detect your OS
 * downloads and unpacks the release tar file in a temporary directory

--- a/install/flux.sh
+++ b/install/flux.sh
@@ -112,10 +112,10 @@ download() {

    case $DOWNLOADER in
        curl)
-            curl -o "$1" -sfL "$2"
+            curl -u user:$GITHUB_TOKEN -o "$1" -sfL "$2"
            ;;
        wget)
-            wget -qO "$1" "$2"
+            wget --auth-no-challenge --user=user --password=$GITHUB_TOKEN -qO "$1" "$2"
            ;;
        *)
            fatal "Incorrect executable '${DOWNLOADER}'"

--- a/internal/utils/objectutil.go
+++ b/internal/utils/objectutil.go
+/*
+Copyright 2023 The Flux authors
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// TODO: Remove this when
+// https://github.com/kubernetes-sigs/controller-runtime/blob/c783d2527a7da76332a2d8d563a6ca0b80c12122/pkg/client/apiutil/apimachinery.go#L76-L104
+// is included in a semver release.
+
+package utils
+
+import (
+	"errors"
+	"fmt"
+
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
+)
+
+// IsAPINamespaced returns true if the object is namespace scoped.
+// For unstructured objects the gvk is found from the object itself.
+func IsAPINamespaced(obj runtime.Object, scheme *runtime.Scheme, restmapper apimeta.RESTMapper) (bool, error) {
+	gvk, err := apiutil.GVKForObject(obj, scheme)
+	if err != nil {
+		return false, err
+	}
+
+	return IsAPINamespacedWithGVK(gvk, scheme, restmapper)
+}
+
+// IsAPINamespacedWithGVK returns true if the object having the provided
+// GVK is namespace scoped.
+func IsAPINamespacedWithGVK(gk schema.GroupVersionKind, scheme *runtime.Scheme, restmapper apimeta.RESTMapper) (bool, error) {
+	restmapping, err := restmapper.RESTMapping(schema.GroupKind{Group: gk.Group, Kind: gk.Kind})
+	if err != nil {
+		return false, fmt.Errorf("failed to get restmapping: %w", err)
+	}
+
+	scope := restmapping.Scope.Name()
+
+	if scope == "" {
+		return false, errors.New("scope cannot be identified, empty scope returned")
+	}
+
+	if scope != apimeta.RESTScopeNameRoot {
+		return true, nil
+	}
+	return false, nil
+}
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
@@ -54,9 +54,6 @@ import (
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 )

-type Utils struct {
-}
-
 type ExecMode string

 const (

--- a/manifests/bases/helm-controller/kustomization.yaml
+++ b/manifests/bases/helm-controller/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/fluxcd/helm-controller/releases/download/v0.28.1/helm-controller.crds.yaml
- https://github.com/fluxcd/helm-controller/releases/download/v0.28.1/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.29.0/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.29.0/helm-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

--- a/manifests/bases/image-automation-controller/kustomization.yaml
+++ b/manifests/bases/image-automation-controller/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.28.0/image-automation-controller.crds.yaml
- https://github.com/fluxcd/image-automation-controller/releases/download/v0.28.0/image-automation-controller.deployment.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.29.0/image-automation-controller.crds.yaml
+- https://github.com/fluxcd/image-automation-controller/releases/download/v0.29.0/image-automation-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

--- a/manifests/bases/image-reflector-controller/kustomization.yaml
+++ b/manifests/bases/image-reflector-controller/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.23.1/image-reflector-controller.crds.yaml
- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.23.1/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.24.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.24.0/image-reflector-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml