Fix: fix the typo error in vela top (#5983 )

[Backport release-1.8] Chore: add e2e ci env bootstrap & remove multlcluster legacy rollout ci #5926 (#5939 )
Fix: migrate CI to CNCF machines in release-x branch (#5952 )
2026-02-23 14:23:54 +00:00 · 2023-05-12 22:42:41 +08:00 · 2023-05-04 16:48:14 +08:00 · 2023-05-04 16:32:37 +08:00 · 2023-05-04 10:27:03 +08:00 · 2023-04-28 10:46:32 +08:00
951 changed files with 37616 additions and 61110 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,7 +1,7 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file

-*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat
-design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat
+*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong
+design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong

 # Owner of Core Controllers
 pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow
@@ -21,17 +21,19 @@ pkg/controller/common/rollout/     @wangyikewxgm @wonderflow
 runtime/rollout                    @wangyikewxgm @wonderflow

 # Owner of vela templates
-vela-templates/                     @Somefive @barnettZQG @wonderflow
+vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong

 # Owner of vela CLI
 references/cli/                     @Somefive @zzxwill @StevenLeiZhang @charlie0129 @chivalryq

-# Owner of vela APIServer
-pkg/apiserver/                     @barnettZQG @yangsoon @FogDong
-
 # Owner of vela addon framework
 pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129

 # Owner of resource keeper and tracker
 pkg/resourcekeeper                 @Somefive @FogDong
 pkg/resourcetracker                @Somefive @FogDong
+
+.github/                           @chivalryq @wonderflow
+makefiles                          @chivalryq @wonderflow
+go.*                               @chivalryq @wonderflow
+
--- a/.github/bot.md
+++ b/.github/bot.md
@@ -1,6 +1,6 @@
 ### GitHub & kubevela automation

-The bot is configured via [issue-commands.json](https://github.com/kubevela/kubevela/blob/master/.github/workflows/issue-commands.json) 
+The bot is configured via [issue-commands.json](https://github.com/kubevela/kubevela/blob/master/.github/issue-commands.json) 
 and some other GitHub [workflows](https://github.com/kubevela/kubevela/blob/master/.github/workflows).
 By default, users with write access to the repo is allowed to use the comments, 
 the [userlist](https://github.com/kubevela/kubevela/blob/master/.github/comment.userlist) 
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "Chore: "
+      include: "scope"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "Chore: "
+      include: "scope"      
--- a/.github/workflows/apiserver-test.yaml
+++ b/.github/workflows/apiserver-test.yaml
@@ -1,211 +0,0 @@
-name: VelaUX APIServer Test
-
-on:
-  push:
-    branches:
-      - master
-      - release-*
-      - apiserver
-    tags:
-      - v*
-  workflow_dispatch: { }
-  pull_request:
-    branches:
-      - master
-      - release-*
-      - apiserver
-
-env:
-  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
-
-jobs:
-
-  detect-noop:
-    runs-on: ubuntu-20.04
-    outputs:
-      noop: ${{ steps.noop.outputs.should_skip }}
-    steps:
-      - name: Detect No-op Changes
-        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
-          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
-
-  apiserver-unit-tests:
-    runs-on: ubuntu-20.04
-    needs: detect-noop
-    if: needs.detect-noop.outputs.noop != 'true'
-
-    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v1
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-        with:
-          submodules: true
-
-      - name: Cache Go Dependencies
-        uses: actions/cache@v2
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install ginkgo
-        run: |
-          sudo sed -i 's/azure\.//' /etc/apt/sources.list
-          sudo apt-get update
-          sudo apt-get install -y golang-ginkgo-dev
-
-      - name: Start MongoDB
-        uses: supercharge/mongodb-github-action@1.7.0
-        with:
-          mongodb-version: '5.0'
-
-      - name: install Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@v1.2
-        with:
-          version: 3.1.0
-          kubebuilderOnly: false
-          kubernetesVersion: v1.21.2
-
-      - name: Run api server unit test
-        run: make unit-test-apiserver
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.txt
-          flags: apiserver-unittests
-          name: codecov-umbrella
-
-  apiserver-e2e-tests:
-    runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
-    if: needs.detect-noop.outputs.noop != 'true'
-    strategy:
-      matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
-      cancel-in-progress: true
-
-    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v1
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-        with:
-          submodules: true
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Tear down K3d if exist
-        run: |
-          k3d cluster delete || true
-          k3d cluster delete worker || true
-
-      - name: Calculate K3d args
-        run: |
-          EGRESS_ARG=""
-          if [[ "${{ matrix.k8s-version }}" == v1.24 ]]; then
-            EGRESS_ARG="--k3s-arg --egress-selector-mode=disabled@server:0"
-          fi
-          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
-
-      - name: Setup K3d (Hub)
-        uses: nolar/setup-k3d-k3s@v1.0.8
-        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-args: ${{ env.EGRESS_ARG }}
-
-
-      - name: Setup K3d (Worker)
-        uses: nolar/setup-k3d-k3s@v1.0.8
-        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-name: worker
-          k3d-args: --kubeconfig-update-default=false --network=k3d-k3s-default ${{ env.EGRESS_ARG }}
-
-
-      - name: Kind Cluster (Worker)
-        run: |
-          internal_ip=$(docker network inspect k3d-k3s-default|jq ".[0].Containers"| jq -r '.[]| select(.Name=="k3d-worker-server-0")|.IPv4Address' | cut -d/ -f1)
-          k3d kubeconfig get worker > /tmp/worker.client.kubeconfig
-          cp /tmp/worker.client.kubeconfig /tmp/worker.kubeconfig
-          sed -i "s/0.0.0.0:[0-9]\+/$internal_ip:6443/"  /tmp/worker.kubeconfig
-
-      - name: Load image to k3d cluster
-        run: make image-load
-
-      - name: Cleanup for e2e tests
-        run: |
-          make vela-cli
-          make e2e-cleanup
-          make e2e-setup-core
-          bin/vela addon enable fluxcd
-          bin/vela addon enable vela-workflow
-          timeout 600s bash -c -- 'while true; do kubectl get ns flux-system; if [ $? -eq 0 ] ; then break; else sleep 5; fi;done'
-          kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=vela-core,app.kubernetes.io/instance=kubevela -n vela-system --timeout=600s
-          kubectl wait --for=condition=Ready pod -l app=source-controller -n flux-system --timeout=600s
-          kubectl wait --for=condition=Ready pod -l app=helm-controller -n flux-system --timeout=600s
-          kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=vela-workflow -n vela-system --timeout=600s
-
-      - name: Run api server e2e test
-        run: |
-          export ALIYUN_ACCESS_KEY_ID=${{ secrets.ALIYUN_ACCESS_KEY_ID }}
-          export ALIYUN_ACCESS_KEY_SECRET=${{ secrets.ALIYUN_ACCESS_KEY_SECRET }}
-          export GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
-          make e2e-apiserver-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e-core
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e_apiserver_test.out
-          flags: apiserver-e2etests
-          name: codecov-umbrella
-
-      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
-
-      - name: Cleanup image
-        if: ${{ always() }}
-        run: make image-cleanup
--- a/.github/workflows/back-port.yaml
+++ b/.github/workflows/back-port.yaml
@@ -4,19 +4,25 @@ on:
    types:
      - closed

+permissions:
+  contents: read
+
 jobs:
  # align with crossplane's choice https://github.com/crossplane/crossplane/blob/master/.github/workflows/backport.yml
  open-pr:
    runs-on: ubuntu-20.04
    if: github.event.pull_request.merged
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          fetch-depth: 0

      - name: Open Backport PR
-        uses: zeebe-io/backport-action@v0.0.6
+        uses: zeebe-io/backport-action@a759fd2d7d3314c9bb57d97a0350a12e878d3c7a
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@@ -6,6 +6,9 @@ on:
      - "v*"
  workflow_dispatch: { }

+permissions:
+  contents: read
+
 env:
  BUCKET: ${{ secrets.OSS_BUCKET }}
  ENDPOINT: ${{ secrets.OSS_ENDPOINT }}
@@ -28,18 +31,18 @@ jobs:
      VELA_ROLLOUT_HELM_CHART_NAME: vela-rollout
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Get git revision
        id: vars
        shell: bash
        run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
        with:
          version: v3.4.0
      - name: Setup node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
        with:
          node-version: '14'
      - name: Generate helm doc
@@ -56,7 +59,7 @@ jobs:
        id: get_version
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
-          echo ::set-output name=VERSION::${VERSION}
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
      - name: Tag helm chart image
        run: |
          image_tag=${{ steps.get_version.outputs.VERSION }}
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -4,27 +4,34 @@ on:
  push:
    branches: [ master, release-* ]

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      security-events: write  # for github/codeql-action/autobuild to send a status report
+
    strategy:
      fail-fast: false
      matrix:
        language: [ 'go' ]

    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        with:
+          languages: ${{ matrix.language }}

-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37

-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -8,11 +8,14 @@ on:
      - labeled
      - unlabeled

+permissions:
+  pull-requests: read
+
 jobs:
  check:
    runs-on: ubuntu-latest
    steps:
-      - uses: thehanimo/pr-title-checker@v1.3.1
+      - uses: thehanimo/pr-title-checker@v1.3.7
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          pass_on_octokit_error: true
--- a/.github/workflows/core-api-test.yml
+++ b/.github/workflows/core-api-test.yml
@@ -0,0 +1,40 @@
+name: core-api-test
+on:
+  pull_request:
+    paths:
+      - 'apis/**'
+      - 'pkg/oam/**'
+      - "hack/apis/**"
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+jobs:
+  core-api-test:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Set up Go 1.19
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
+        env:
+          GO_VERSION: '1.19'
+        with:
+          go-version: ${{ env.GO_VERSION }}
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Test build kubevela-core-api
+        env:
+          VERSION: ${{ steps.get_version.outputs.VERSION }}
+          COMMIT_ID: ${{ github.sha }}
+        run: |
+          bash ./hack/apis/clientgen.sh
+          bash ./hack/apis/sync.sh test
--- a/.github/workflows/definition-lint.yml
+++ b/.github/workflows/definition-lint.yml
@@ -11,6 +11,9 @@ on:
      - master
      - release-*

+permissions:
+  contents: read
+
 env:
  # Common versions
  GO_VERSION: '1.19'
@@ -20,17 +23,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

      - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.9
+        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96
        with:
          version: v1.20
          github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -40,5 +43,5 @@ jobs:
          go build -o docgen hack/docgen/def/gen.go
          ./docgen --type=comp --force-example-doc --path=./comp-def-check.md
          ./docgen --type=trait --force-example-doc --path=./trait-def-check.md
-          ./docgen --type=wf --force-example-doc --path=./wf-def-check.md
+          ./docgen --type=wf --force-example-doc --path=./wf-def-check.md --def-dir=./vela-templates/definitions/internal/workflowstep/
          ./docgen --type=policy --force-example-doc --path=./policy-def-check.md
--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -13,62 +13,56 @@ on:
      - master
      - release-*

+permissions:
+  contents: read
+
 env:
  # Common versions
  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'

 jobs:

  detect-noop:
+    permissions:
+      actions: write
    runs-on: ubuntu-20.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
-
+        continue-on-error: true

  e2e-multi-cluster-tests:
-    runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    runs-on: self-hosted
+    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.20","v1.24"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

-
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Install tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
+          snap install docker
+          snap install kubectl --classic
+          snap install helm --classic

      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

@@ -90,14 +84,14 @@ jobs:
          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 

      - name: Setup K3d (Hub)
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96
        with:
          version: ${{ matrix.k8s-version }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          k3d-args: ${{ env.EGRESS_ARG }}

      - name: Setup K3d (Worker)
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96
        with:
          version: ${{ matrix.k8s-version }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -127,10 +121,11 @@ jobs:
          make e2e-multicluster-test

      - name: Stop kubevela, get profile
-        run: make end-e2e-core
+        run: |
+          make end-e2e-core-shards

      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
--- a/.github/workflows/e2e-rollout-test.yml
+++ b/.github/workflows/e2e-rollout-test.yml
@@ -13,50 +13,38 @@ on:
      - master
      - release-*

+permissions:
+  contents: read
+
 env:
  # Common versions
  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'

 jobs:

  detect-noop:
+    permissions:
+      actions: write
    runs-on: ubuntu-20.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
+        continue-on-error: true

  e2e-rollout-tests:
-    runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    runs-on: self-hosted
+    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.20","v1.24"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true
@@ -64,16 +52,18 @@ jobs:

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Get dependencies
        run: |
          go get -v -t -d ./...
+          go install github.com/onsi/ginkgo/ginkgo
+          go get github.com/onsi/gomega/...

      - name: Tear down K3d if exist
        run: |
@@ -89,7 +79,7 @@ jobs:
          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 

      - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96
        with:
          version: ${{ matrix.k8s-version }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -113,7 +103,7 @@ jobs:
        run: make end-e2e

      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: /tmp/e2e-profile.out
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -13,50 +13,38 @@ on:
      - master
      - release-*

+permissions:
+  contents: read
+
 env:
  # Common versions
  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'

 jobs:

  detect-noop:
+    permissions:
+      actions: write
    runs-on: ubuntu-20.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
+        continue-on-error: true

  e2e-tests:
-    runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    runs-on: self-hosted
+    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.20","v1.24"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true
@@ -64,16 +52,26 @@ jobs:

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Install tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
+          snap install docker
+          snap install kubectl --classic
+          snap install helm --classic

      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Get dependencies
        run: |
          go get -v -t -d ./...
+          go install github.com/onsi/ginkgo/ginkgo
+          go get github.com/onsi/gomega/...

      - name: Tear down K3d if exist
        run: |
@@ -89,7 +87,7 @@ jobs:
          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 

      - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96
        with:
          version: ${{ matrix.k8s-version }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -120,7 +118,7 @@ jobs:
        run: make end-e2e

      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: /tmp/e2e-profile.out
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -11,6 +11,9 @@ on:
      - master
      - release-*

+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 env:
  # Common versions
  GO_VERSION: '1.19'
@@ -22,15 +25,17 @@ jobs:
    runs-on: ubuntu-20.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
+    permissions:
+      actions: write
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
+        continue-on-error: true

  staticcheck:
    runs-on: ubuntu-20.04
@@ -39,27 +44,17 @@ jobs:

    steps:
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

-      - name: Cache Go Dependencies
-        uses: actions/cache@v2
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install StaticCheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@2022.1
-
      - name: Static Check
-        run: staticcheck ./...
+        run: make staticcheck

      - name: License Header Check
        run: make check-license-header
@@ -68,74 +63,63 @@ jobs:
    runs-on: ubuntu-20.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests

    steps:
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

-      - name: Cache Go Dependencies
-        uses: actions/cache@v2
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
      # This action uses its own setup-go, which always seems to use the latest
      # stable version of Go. We could run 'make lint' to ensure our desired Go
      # version, but we prefer this action because it leaves 'annotations' (i.e.
      # it comments on PRs to point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0
        with:
          version: ${{ env.GOLANGCI_VERSION }}

  check-diff:
-    runs-on: aliyun
+    runs-on: self-hosted
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Setup node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
        with:
          node-version: '14'

-      - name: Install StaticCheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@2022.1
-
      - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-

-      - name: Check code formatting
-        run: go install golang.org/x/tools/cmd/goimports && make fmt
-
      - name: Run cross-build
        run: make cross-build

      - name: Check Diff
        run: |
-          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.49.0
          export PATH=$(pwd)/bin/:$PATH
          make check-diff
              
@@ -149,17 +133,17 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -173,3 +157,42 @@ jobs:
        run: |
          move .\bin\vela .\bin\vela.exe
          .\bin\vela.exe version
+
+  check-core-image-build:
+    runs-on: ubuntu-latest
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+        with:
+          submodules: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+      - name: Build Test for vela core
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64
+
+  check-cli-image-build:
+    runs-on: ubuntu-latest
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+        with:
+          submodules: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+      - name: Build Test for CLI
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
+        with:
+          context: .
+          file: Dockerfile.cli
--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@@ -5,18 +5,21 @@ on:
  issue_comment:
    types: [created]

+permissions:
+  contents: read
+
 jobs:
  bot:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
          ref: v0.4.2
      - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
        with:
          node-version: '14'
          cache: 'npm'
@@ -32,10 +35,14 @@ jobs:
  backport:
    runs-on: ubuntu-22.04
    if: github.event.issue.pull_request && contains(github.event.comment.body, '/backport')
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
    steps:
      - name: Extract Command
        id: command
-        uses: xt0rted/slash-command-action@v1
+        uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88
        with:
          repo-token: ${{ secrets.VELA_BOT_TOKEN }}
          command: backport
@@ -44,7 +51,7 @@ jobs:
          allow-edits: "false"
          permission-level: read
      - name: Handle Command
-        uses: actions/github-script@v4
+        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        env:
          VERSION: ${{ steps.command.outputs.command-arguments }}
        with:
@@ -56,7 +63,7 @@ jobs:
              label = "backport " + version
            }
            // Add our backport label.
-            github.issues.addLabels({
+            github.rest.issues.addLabels({
              // Every pull request is an issue, but not every issue is a pull request.
              issue_number: context.issue.number,
              owner: context.repo.owner,
@@ -65,11 +72,11 @@ jobs:
            })
            console.log("Added '" + label + "' label.")
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          fetch-depth: 0
      - name: Open Backport PR
-        uses: zeebe-io/backport-action@v0.0.8
+        uses: zeebe-io/backport-action@a759fd2d7d3314c9bb57d97a0350a12e878d3c7a
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -9,13 +9,16 @@ on:
    branches:
      - master
      - release-*
+      -
+permissions:
+  contents: read

 jobs:
  license_check:
    runs-on: ubuntu-latest
    name: Check for unapproved licenses
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -11,11 +11,16 @@ env:
  ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
  ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}

+permissions:
+  contents: read
+
 jobs:
  publish-core-images:
+    permissions:
+      packages: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Get the version
        id: get_version
        run: |
@@ -23,36 +28,36 @@ jobs:
          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
            VERSION=latest
          fi
-          echo ::set-output name=VERSION::${VERSION}
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
      - name: Get git revision
        id: vars
        shell: bash
        run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Login ghcr.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login docker.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login Alibaba Cloud ACR
-        uses: docker/login-action@v1
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: ${{ secrets.ACR_DOMAIN }}
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        name: Build & Pushing vela-core for Dockerhub, GHCR and ACR
        with:
          context: .
@@ -71,7 +76,7 @@ jobs:
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        name: Build & Pushing CLI for Dockerhub, GHCR and ACR
        with:
          context: .
@@ -91,9 +96,11 @@ jobs:
            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}

  publish-addon-images:
+    permissions:
+      packages: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Get the version
        id: get_version
        run: |
@@ -101,55 +108,36 @@ jobs:
          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
            VERSION=latest
          fi
-          echo ::set-output name=VERSION::${VERSION}
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
      - name: Get git revision
        id: vars
        shell: bash
        run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
+          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Login ghcr.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login docker.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login Alibaba Cloud ACR
-        uses: docker/login-action@v1
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: ${{ secrets.ACR_DOMAIN }}
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-apiserver for Dockerhub, GHCR and ACR
-        with:
-          context: .
-          file: Dockerfile.apiserver
-          labels: |-
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.revision=${{ github.sha }}
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          build-args: |
-            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
-            VERSION=${{ steps.get_version.outputs.VERSION }}
-            GOPROXY=https://proxy.golang.org
-          tags: |-
-            docker.io/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository_owner }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-
-      - uses: docker/build-push-action@v2
+      - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        name: Build & Pushing runtime rollout Dockerhub, GHCR and ACR
        with:
          context: .
@@ -175,7 +163,7 @@ jobs:
      CAPABILITY_ENDPOINT: oss-cn-beijing.aliyuncs.com
    runs-on: ubuntu-20.04
    steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Install ossutil
        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
      - name: Configure Alibaba Cloud OSSUTIL
@@ -185,4 +173,4 @@ jobs:
      - name: rsync all capabilites
        run: rsync vela-templates/registry/auto-gen/* $CAPABILITY_DIR
      - name: sync local to cloud
-        run: ./ossutil --config-file .ossutilconfig sync $CAPABILITY_DIR oss://$CAPABILITY_BUCKET -f
+        run: ./ossutil --config-file .ossutilconfig sync $CAPABILITY_DIR oss://$CAPABILITY_BUCKET -f
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,121 +7,58 @@ on:
  workflow_dispatch: { }

 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  BUCKET: ${{ secrets.CLI_OSS_BUCKET }}
  ENDPOINT: ${{ secrets.CLI_OSS_ENDPOINT }}
  ACCESS_KEY: ${{ secrets.CLI_OSS_ACCESS_KEY }}
  ACCESS_KEY_SECRET: ${{ secrets.CLI_OSS_ACCESS_KEY_SECRET }}

+permissions:
+  contents: read
+
 jobs:
  build:
+    permissions:
+      contents: write
+      actions: read
+      checks: write
+      issues: read
+      packages: write
+      pull-requests: read
+      repository-projects: read
+      statuses: read
    runs-on: ubuntu-latest
-    name: build
-    strategy:
-      matrix:
-        TARGETS: [ linux/amd64, darwin/amd64, windows/amd64, linux/arm64, darwin/arm64 ]
-    env:
-      VELA_VERSION_KEY: github.com/oam-dev/kubevela/version.VelaVersion
-      VELA_GITVERSION_KEY: github.com/oam-dev/kubevela/version.GitRevision
-      GO_BUILD_ENV: GO111MODULE=on CGO_ENABLED=0
-      DIST_DIRS: find * -type d -exec
+    name: goreleaser
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+        with:
+          fetch-depth: 0
+      - run: git fetch --force --tags
      - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: 1.19
-      - name: Get release
-        id: get_release
-        uses: bruceadams/get-release@v1.2.2
+          cache: true
+      - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        with:
+          distribution: goreleaser
+          version: 1.14.1
+          args: release --rm-dist --timeout 60m
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # Since goreleaser haven't supported aliyun OSS, we need to upload the release manually
      - name: Get version
        run: echo "VELA_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-      - name: Get matrix
-        id: get_matrix
-        run: |
-          TARGETS=${{matrix.TARGETS}}
-          echo ::set-output name=OS::${TARGETS%/*}
-          echo ::set-output name=ARCH::${TARGETS#*/}
-      - name: Get ldflags
-        id: get_ldflags
-        run: |
-          LDFLAGS="-s -w -X ${{ env.VELA_VERSION_KEY }}=${{ env.VELA_VERSION }} -X ${{ env.VELA_GITVERSION_KEY }}=git-$(git rev-parse --short HEAD)"
-          echo "LDFLAGS=${LDFLAGS}" >> $GITHUB_ENV
-      - name: Build
-        run: |
-          ${{ env.GO_BUILD_ENV }} GOOS=${{ steps.get_matrix.outputs.OS }} GOARCH=${{ steps.get_matrix.outputs.ARCH }} \
-            go build -ldflags "${{ env.LDFLAGS }}" \
-            -o _bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}/vela -v \
-            ./references/cmd/cli/main.go
-          ${{ env.GO_BUILD_ENV }} GOOS=${{ steps.get_matrix.outputs.OS }} GOARCH=${{ steps.get_matrix.outputs.ARCH }} \
-            go build -ldflags "${{ env.LDFLAGS }}" \
-            -o _bin/kubectl-vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}/kubectl-vela -v \
-            ./cmd/plugin/main.go
-      - name: Compress
-        run: |
-          echo "\n## Release Info\nVERSION: ${{ env.VELA_VERSION }}" >> README.md && \
-          echo "GIT_COMMIT: ${GITHUB_SHA}\n" >> README.md && \
-          cd _bin/vela && \
-          ${{ env.DIST_DIRS }} cp ../../LICENSE {} \; && \
-          ${{ env.DIST_DIRS }} cp ../../README.md {} \; && \
-          ${{ env.DIST_DIRS }} tar -zcf vela-{}.tar.gz {} \; && \
-          ${{ env.DIST_DIRS }} zip -r vela-{}.zip {} \; && \
-          cd ../kubectl-vela && \
-          ${{ env.DIST_DIRS }} cp ../../LICENSE {} \; && \
-          ${{ env.DIST_DIRS }} cp ../../README.md {} \; && \
-          ${{ env.DIST_DIRS }} tar -zcf kubectl-vela-{}.tar.gz {} \; && \
-          ${{ env.DIST_DIRS }} zip -r kubectl-vela-{}.zip {} \; && \
-          cd .. && \
-          sha256sum vela/vela-* kubectl-vela/kubectl-vela-* >> sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt \
-      - name: Upload Vela tar.gz
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_name: vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_content_type: binary/octet-stream
-      - name: Upload Vela zip
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_name: vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_content_type: binary/octet-stream
-      - name: Upload Kubectl-Vela tar.gz
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: ./_bin/kubectl-vela/kubectl-vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_name: kubectl-vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_content_type: binary/octet-stream
-      - name: Upload Kubectl-Vela zip
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: ./_bin/kubectl-vela/kubectl-vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_name: kubectl-vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_content_type: binary/octet-stream
-      - name: Post sha256
-        uses: actions/upload-artifact@v2
-        with:
-          name: sha256sums
-          path: ./_bin/sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt
-          retention-days: 1
-      - name: clear the asset
-        run: |
-          rm -rf ./_bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}
-          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
      - name: Install ossutil
        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
      - name: Configure Alibaba Cloud OSSUTIL
-        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
+        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT}
+      - name: split files to be upload
+        run: mkdir -p ./dist/files_upload && mv ./dist/*.tar.gz ./dist/files_upload && mv ./dist/*.zip ./dist/files_upload
      - name: sync local to cloud
-        run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
-      
+        run: ./ossutil --config-file .ossutilconfig sync ./dist/files_upload oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
      - name: sync the latest version file
-        if: ${{ !contains(env.VELA_VERSION,'alpha') && !contains(env.VELA_VERSION,'beta') }}
+        if: ${{ !contains(env.VELA_VERSION,'alpha') && !contains(env.VELA_VERSION,'beta') && !contains(env.VELA_VERSION,'rc') }}
        run: |
          LATEST_VERSION=$(curl -fsSl https://static.kubevela.net/binary/vela/latest_version)
          verlte() {
@@ -130,48 +67,27 @@ jobs:
          verlte ${{ env.VELA_VERSION }} $LATEST_VERSION && echo "${{ env.VELA_VERSION }} <= $LATEST_VERSION, skip update" && exit 0
          echo ${{ env.VELA_VERSION }} > ./latest_version
          ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version
-
-
  upload-plugin-homebrew:
+    permissions:
+      contents: write
+      actions: read
+      checks: write
+      issues: read
+      packages: write
+      pull-requests: read
+      repository-projects: read
+      statuses: read
    needs: build
    runs-on: ubuntu-latest
+    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
    name: upload-sha256sums
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Get release
-        id: get_release
-        uses: bruceadams/get-release@v1.2.2
-      - name: Download sha256sums
-        uses: actions/download-artifact@v2
-        with:
-          name: sha256sums
-          path: cli-artifacts
-      - name: Display structure of downloaded files
-        run: ls -R
-        working-directory: cli-artifacts
-      - name: Get version
-        run: echo "VELA_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-      - shell: bash
-        working-directory: cli-artifacts
-        run: |
-          for file in *
-          do
-            sed -i "s/\/vela/-${{ env.VELA_VERSION }}/g" ${file}
-            sed -i "s/\/kubectl-vela/-${{ env.VELA_VERSION }}/g" ${file}
-            cat ${file} >> sha256sums.txt
-          done
-      - name: Upload Checksums
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: cli-artifacts/sha256sums.txt
-          asset_name: sha256sums.txt
-          asset_content_type: text/plain
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
      - name: Update kubectl plugin version in krew-index
-        uses: rajatjindal/krew-release-bot@v0.0.38
+        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # v0.0.43
      - name: Update Homebrew formula
-        uses: dawidd6/action-homebrew-bump-formula@v3
+        uses: dawidd6/action-homebrew-bump-formula@e9b43cd30eec6ea80777e7e22e1526beb1675c18 # v3.9.0
        with:
          token: ${{ secrets.HOMEBREW_TOKEN }}
          formula: kubevela
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,60 @@
+name: Scorecards supply-chain security
+on:
+  schedule:
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
+  push:
+    branches: [ master ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # tag=v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/sdk-test.yml
+++ b/.github/workflows/sdk-test.yml
@@ -0,0 +1,51 @@
+name: SDK Test
+
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch: {}
+  pull_request:
+    paths:
+      - "vela-templates/definitions/**"
+      - "pkg/definition/gen_sdk/**"
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+env:
+  # Common versions
+  GO_VERSION: '1.19'
+  GOLANGCI_VERSION: 'v1.49'
+
+jobs:
+  sdk-tests:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Setup Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Install Go tools
+        run: |
+          make goimports
+          make golangci
+
+      - name: Build CLI
+        run: make vela-cli
+
+      - name: Build SDK
+        run: bin/vela def gen-api -f vela-templates/definitions/internal/ -o ./kubevela-go-sdk --package=github.com/kubevela-contrib/kubevela-go-sdk --init
+
+      - name: Validate SDK
+        run: |
+          cd kubevela-go-sdk
+          go mod tidy
+          golangci-lint run --timeout 5m -e "exported:" -e "dot-imports" ./...
--- a/.github/workflows/sync-api.yml
+++ b/.github/workflows/sync-api.yml
@@ -7,25 +7,27 @@ on:
    tags:
      - "v*"

+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.19'
+
 jobs:
  sync-core-api:
    runs-on: ubuntu-20.04
    steps:
-      - name: Set up Go 1.17
-        uses: actions/setup-go@v1
-        env:
-          GO_VERSION: '1.19'
-          GOLANGCI_VERSION: 'v1.49'
+      - name: Set up Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}
-        id: go

      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

      - name: Get the version
        id: get_version
-        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/}
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

      - name: Sync to kubevela-core-api Repo
        env:
@@ -34,4 +36,4 @@ jobs:
          COMMIT_ID: ${{ github.sha }}
        run: |
          bash ./hack/apis/clientgen.sh
-          bash ./hack/apis/sync.sh
+          bash ./hack/apis/sync.sh sync
--- a/.github/workflows/sync-sdk.yaml
+++ b/.github/workflows/sync-sdk.yaml
@@ -0,0 +1,52 @@
+name: Sync SDK
+
+on:
+  push:
+    paths:
+      - vela-templates/definitions/internal/**
+      - pkg/definition/gen_sdk/**
+      - .github/workflows/sync-sdk.yaml
+    tags:
+      - "v*"
+    branches:
+      - master
+      - release-*
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.19'
+
+jobs:
+  sync_sdk:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Get dependencies
+        run: |
+          go get -v -t -d ./...
+
+      - name: Install Go tools
+        run: |
+          make goimports
+          
+      - name: Build CLI
+        run: make vela-cli
+
+      - name: Sync SDK to kubevela/kubevela-go-sdk
+        run: bash ./hack/sdk/sync.sh
+        env:
+          SSH_DEPLOY_KEY: ${{ secrets.GO_SDK_DEPLOY_KEY }}
+          VERSION: ${{ steps.get_version.outputs.VERSION }}
+          COMMIT_ID: ${{ github.sha }}
--- a/.github/workflows/timed-task.yml
+++ b/.github/workflows/timed-task.yml
@@ -2,9 +2,13 @@ name: Timed Task
 on:
  schedule:
    - cron: '* * * * *'
+
+permissions:
+  contents: read
+
 jobs:
  clean-image:
-    runs-on: aliyun
+    runs-on: self-hosted
    steps:
      - name: Cleanup image
        run: docker image prune -f
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -4,13 +4,16 @@ on:
  pull_request:
    branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
  images:
    name: Image Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

      - name: Build Vela Core image from Dockerfile
        run: |
@@ -24,7 +27,7 @@ jobs:
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -5,32 +5,36 @@ on:
    branches:
      - master
      - release-*
-  workflow_dispatch: {}
+  workflow_dispatch: { }
  pull_request:
    branches:
      - master
      - release-*

+permissions:
+  contents: read
+
 env:
  # Common versions
  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'

 jobs:

  detect-noop:
+    permissions:
+      actions: write  # for fkirc/skip-duplicate-actions to skip or stop workflow runs
    runs-on: ubuntu-20.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
+        continue-on-error: true

  unit-tests:
    runs-on: ubuntu-20.04
@@ -39,18 +43,17 @@ jobs:

    steps:
      - name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
        with:
          go-version: ${{ env.GO_VERSION }}
-        id: go

      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
        with:
          submodules: true

      - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -63,13 +66,14 @@ jobs:
          sudo apt-get install -y golang-ginkgo-dev

      - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
+        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96
        with:
          version: v1.20
          github-token: ${{ secrets.GITHUB_TOKEN }}

+        # TODO need update action version to resolve node 12 deprecated.
      - name: install Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@v1.2
+        uses: RyanSiu1995/kubebuilder-action@ff52bff1bae252239223476e5ab0d71d6ba02343
        with:
          version: 3.1.0
          kubebuilderOnly: false
@@ -79,7 +83,7 @@ jobs:
        run: make test

      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          file: ./coverage.txt
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,5 @@ git-page/
 # e2e rollout runtime image build
 runtime/rollout/e2e/tmp
 vela.json
+
+dist/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,76 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+builds:
+  - id: vela-cli
+    binary: vela
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./references/cmd/cli/main.go
+    ldflags:
+      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}
+    env:
+      - CGO_ENABLED=0
+
+  - id: kubectl-vela
+    binary: kubectl-vela
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./cmd/plugin/main.go
+    ldflags:
+      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}
+
+archives:
+  - format: tar.gz
+    id: vela-cli-tgz
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    builds:
+      - vela-cli
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: zip
+    id: vela-cli-zip
+    builds:
+      - vela-cli
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: tar.gz
+    id: plugin-tgz
+    builds:
+      - kubectl-vela
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: zip
+    id: plugin-zip
+    builds:
+      - kubectl-vela
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+
+checksum:
+  name_template: 'sha256sums.txt'
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+
+# The lines beneath this are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
--- a/.krew.yaml
+++ b/.krew.yaml
@@ -33,8 +33,8 @@ spec:
        arch: amd64
    {{addURIAndSha "https://github.com/oam-dev/kubevela/releases/download/{{ .TagName }}/kubectl-vela-{{ .TagName }}-windows-amd64.zip" .TagName }}
    files:
-    - from: "*/kubectl-vela"
-      to: "kubectl-vela.exe"
+    - from: "*/kubectl-vela.exe"
+      to: "."
    - from: "*/LICENSE"
      to: "."
    bin: "kubectl-vela.exe"
--- a/11
+++ b/11
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -15,9 +15,8 @@ ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download

-# Copy the go source
-COPY cmd/core/main.go main.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
+# Copy the go source for building core
+COPY cmd/core/ cmd/core/
 COPY apis/ apis/
 COPY pkg/ pkg/
 COPY version/ version/
@@ -29,13 +28,13 @@ ARG VERSION
 ARG GITVERSION
 RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o manager-${TARGETARCH} main.go
+    -o manager-${TARGETARCH} cmd/core/main.go

 # Use alpine as base image due to the discussion in issue #1448
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-FROM ${BASE_IMAGE:-alpine:3.15}
+FROM ${BASE_IMAGE:-alpine@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

--- a/Dockerfile.apiserver
+++ b/Dockerfile.apiserver
@@ -1,49 +0,0 @@
-ARG BASE_IMAGE
-# Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as builder
-ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-# Copy the go source
-COPY cmd/core/main.go main.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
-COPY apis/ apis/
-COPY pkg/ pkg/
-COPY version/ version/
-COPY references/ references/
-
-# Build
-ARG TARGETARCH
-ARG VERSION
-ARG GITVERSION
-
-RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
-    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o apiserver-${TARGETARCH} cmd/apiserver/main.go
-
-# Use alpine as base image due to the discussion in issue #1448
-# You can replace distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-# Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-
-FROM ${BASE_IMAGE:-alpine:3.15}
-# This is required by daemon connecting with cri
-RUN apk add --no-cache ca-certificates bash expat
-
-WORKDIR /
-
-ARG TARGETARCH
-COPY --from=builder /workspace/apiserver-${TARGETARCH} /usr/local/bin/apiserver
-
-COPY entrypoint.sh /usr/local/bin/
-
-ENTRYPOINT ["entrypoint.sh"]
-
-CMD ["apiserver"]
--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the cli binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
 WORKDIR /workspace
@@ -32,7 +32,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH:-amd64} \
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`

-FROM ${BASE_IMAGE:-alpine:3.15}
+FROM ${BASE_IMAGE:-alpine:3.15@sha256:cf34c62ee8eb3fe8aa24c1fab45d7e9d12768d945c3f5a6fd6a63d901e898479}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

--- a/Dockerfile.e2e
+++ b/Dockerfile.e2e
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -13,7 +13,6 @@ RUN go mod download
 # Copy the go source
 COPY cmd/core/main.go main.go
 COPY cmd/core/main_e2e_test.go main_e2e_test.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
 COPY cmd/ cmd/
 COPY apis/ apis/
 COPY pkg/ pkg/
@@ -29,16 +28,12 @@ RUN  apk add gcc musl-dev libc-dev ;\
    GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
    go test -c -o manager-${TARGETARCH}  -cover -covermode=atomic -coverpkg ./... .

-RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
-    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o apiserver-${TARGETARCH} cmd/apiserver/main.go
-
 # Use alpine as base image due to the discussion in issue #1448
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`

-FROM ${BASE_IMAGE:-alpine:3.15}
+FROM ${BASE_IMAGE:-alpine:3.15@sha256:cf34c62ee8eb3fe8aa24c1fab45d7e9d12768d945c3f5a6fd6a63d901e898479}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

@@ -46,7 +41,6 @@ WORKDIR /

 ARG TARGETARCH
 COPY --from=builder /workspace/manager-${TARGETARCH} /usr/local/bin/manager
-COPY --from=builder /workspace/apiserver-${TARGETARCH} /usr/local/bin/apiserver

 COPY entrypoint.sh /usr/local/bin/

--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -1,16 +1 @@
-# Governance
-
-[Project maintainers](https://github.com/kubevela/community/blob/main/OWNERS.md#maintainers) are responsible for activities around maintaining and updating KubeVela.
-Final decisions on the project reside with the project maintainers.
-
-Maintainers **MUST** remain active. If they are unresponsive for >6 months,
-they will be automatically removed unless a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the other project maintainers agrees to extend the period to be greater than 6 months.
-
-New maintainers can be added to the project by a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) vote of the existing maintainers.
-A potential maintainer may be nominated by an existing maintainer.
-A vote is conducted in private between the current maintainers over the course of a one week voting period.
-At the end of the week, votes are counted and a pull request is made on the repo adding the new maintainer to the [CODEOWNERS](https://github.com/kubevela/kubevela/blob/master/.github/CODEOWNERS) file.
-
-A maintainer may step down by submitting an [issue](https://github.com/kubevela/kubevela/issues/new/choose) stating their intent.
-
-Changes to this governance document require a pull request with approval from a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the current maintainers.
+Refer to https://github.com/kubevela/community/blob/main/GOVERNANCE.md
--- a/23
+++ b/23
@@ -18,8 +18,6 @@ test-cli-gen:
 unit-test-core:
 	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
 	go test $(shell go list ./references/... | grep -v apiserver)
-unit-test-apiserver:
-	go test -gcflags=all=-l -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/...  | grep -E 'apiserver|velaql')

 # Build vela cli binary
 build: vela-cli kubectl-vela
@@ -39,16 +37,23 @@ fmt: goimports installcue
 	$(CUE) fmt ./pkg/stdlib/op.cue
 	$(CUE) fmt ./pkg/workflow/tasks/template/static/*
 # Run go vet against code
+
+sdk_fmt:
+	./hack/sdk/reviewable.sh
+
 vet:
-	go vet ./...
+	@$(INFO) go vet
+	@go vet $(shell go list ./...|grep -v scaffold)

 staticcheck: staticchecktool
-	$(STATICCHECK) ./...
+	@$(INFO) staticcheck
+	@$(STATICCHECK) $(shell go list ./...|grep -v scaffold)

 lint: golangci
-	$(GOLANGCILINT) run ./...
+	@$(INFO) lint
+	@$(GOLANGCILINT) run --skip-dirs 'scaffold'

-reviewable: manifests fmt vet lint staticcheck helm-doc-gen
+reviewable: manifests fmt vet lint staticcheck helm-doc-gen sdk_fmt
 	go mod tidy

 # Execute auto-gen code commands and ensure branch is clean.
@@ -61,9 +66,6 @@ check-diff: reviewable
 docker-push:
 	docker push $(VELA_CORE_IMAGE)

-build-swagger:
-	go run ./cmd/apiserver/main.go build-swagger ./docs/apidoc/swagger.json
-


 image-cleanup:
@@ -98,10 +100,9 @@ image-load-runtime-cluster:
 core-test:
 	go test ./pkg/... -coverprofile cover.out

-# Build vela core manager and apiserver binary
+# Build vela core manager binary
 manager:
 	$(GOBUILD_ENV) go build -o bin/manager -a -ldflags $(LDFLAGS) ./cmd/core/main.go
-	$(GOBUILD_ENV) go build -o bin/apiserver -a -ldflags $(LDFLAGS) ./cmd/apiserver/main.go

 vela-runtime-rollout-manager:
 	$(GOBUILD_ENV) go build -o ./runtime/rollout/bin/manager -a -ldflags $(LDFLAGS) ./runtime/rollout/cmd/main.go
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
  </p>
 </div>

-![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+![Build status](https://github.com/kubevela/kubevela/workflows/Go/badge.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
 [![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
@@ -16,6 +16,9 @@
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
+![E2E status](https://github.com/kubevela/kubevela/workflows/E2E%20Test/badge.svg)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela/badge)](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela)
+[![](https://img.shields.io/badge/KubeVela-Check%20Your%20Contribution-orange)](https://opensource.alibaba.com/contribution_leaderboard/details?projectValue=kubevela)

 ## Introduction

@@ -27,17 +30,28 @@ KubeVela is a modern application delivery platform that makes deploying and oper

 KubeVela practices the "render, orchestrate, deploy" workflow with below highlighted values added to existing ecosystem:

-* Deployment as Code
+#### **Deployment as Code**

-Declare your deployment plan as workflow, run it automatically with any CI/CD or GitOps system, extend or re-program the workflow steps with CUE. No add-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by [Open Application Model](https://oam.dev/).
+Declare your deployment plan as workflow, run it automatically with any CI/CD or GitOps system, extend or re-program the workflow steps with [CUE](https://cuelang.org/).
+No ad-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by [Open Application Model](https://oam.dev/).

-* Built-in security and compliance building blocks
+#### **Built-in observability, multi-tenancy and security support**

-Choose from the wide range of LDAP integrations we provided out-of-box, enjoy multi-cluster authorization that is fully automated, pick and apply fine-grained RBAC modules and customize them per your own supply chain requirements.
+Choose from the wide range of LDAP integrations we provided out-of-box, enjoy enhanced [multi-tenancy and multi-cluster authorization and authentication](https://kubevela.net/docs/platform-engineers/auth/advance),
+pick and apply fine-grained RBAC modules and customize them per your own supply chain requirements.
+All delivery process has fully [automated observability dashboards](https://kubevela.net/docs/platform-engineers/operations/observability).

-* Multi-cloud/hybrid-environments app delivery as first-class citizen
+#### **Multi-cloud/hybrid-environments app delivery as first-class citizen**

-Progressive rollout across test/staging/production environments, automatic canary, blue-green and continuous verification, rich placement strategy across clusters and clouds, fully managed cloud environments provision.
+Natively supports multi-cluster/hybrid-cloud scenarios such as progressive rollout across test/staging/production environments,
+automatic canary, blue-green and continuous verification, rich placement strategy across clusters and clouds,
+along with automated cloud environments provision.
+
+#### **Lightweight but highly extensible architecture**
+
+Minimize your control plane deployment with only one pod and 0.5c1g resources to handle thousands of application delivery.
+Glue and orchestrate all your infrastructure capabilities as reusable modules with a highly extensible architecture
+and share the large growing community [addons](https://kubevela.net/docs/reference/addons/overview).

 ## Getting Started

--- a/apis/core.oam.dev/common/types.go
+++ b/apis/core.oam.dev/common/types.go
@@ -137,6 +137,9 @@ type Terraform struct {

 	// Region is cloud provider's region. It will override the region in the region field of ProviderReference
 	Region string `json:"customRegion,omitempty"`
+
+	// GitCredentialsSecretReference specifies the reference to the secret containing the git credentials
+	GitCredentialsSecretReference *corev1.SecretReference `json:"gitCredentialsSecretReference,omitempty"`
 }

 // A WorkloadTypeDescriptor refer to a Workload Type
@@ -574,3 +577,29 @@ type ReferredObjectList struct {
 	// +optional
 	Objects []ReferredObject `json:"objects,omitempty"`
 }
+
+// ContainerState defines the state of a container
+type ContainerState string
+
+const (
+	// ContainerRunning indicates the container is running
+	ContainerRunning ContainerState = "Running"
+	// ContainerWaiting indicates the container is waiting
+	ContainerWaiting ContainerState = "Waiting"
+	// ContainerTerminated indicates the container is terminated
+	ContainerTerminated ContainerState = "Terminated"
+)
+
+// ContainerStateToString convert the container state to string
+func ContainerStateToString(state corev1.ContainerState) string {
+	switch {
+	case state.Running != nil:
+		return "Running"
+	case state.Waiting != nil:
+		return "Waiting"
+	case state.Terminated != nil:
+		return "Terminated"
+	default:
+		return "Unknown"
+	}
+}
--- a/apis/core.oam.dev/common/types_test.go
+++ b/apis/core.oam.dev/common/types_test.go
@@ -58,3 +58,17 @@ func TestClusterObjectReference(t *testing.T) {
 	o2.Cluster = "c"
 	r.False(o2.Equal(o1))
 }
+
+func TestContainerStateToString(t *testing.T) {
+	r := require.New(t)
+	r.Equal("Waiting", ContainerStateToString(v1.ContainerState{
+		Waiting: &v1.ContainerStateWaiting{},
+	}))
+	r.Equal("Running", ContainerStateToString(v1.ContainerState{
+		Running: &v1.ContainerStateRunning{},
+	}))
+	r.Equal("Terminated", ContainerStateToString(v1.ContainerState{
+		Terminated: &v1.ContainerStateTerminated{},
+	}))
+	r.Equal("Unknown", ContainerStateToString(v1.ContainerState{}))
+}
--- a/apis/core.oam.dev/common/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/common/zz_generated.deepcopy.go
@@ -587,6 +587,11 @@ func (in *Terraform) DeepCopyInto(out *Terraform) {
 		*out = new(crossplane_runtime.Reference)
 		**out = **in
 	}
+	if in.GitCredentialsSecretReference != nil {
+		in, out := &in.GitCredentialsSecretReference, &out.GitCredentialsSecretReference
+		*out = new(v1.SecretReference)
+		**out = **in
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Terraform.
--- a/apis/core.oam.dev/v1alpha1/applyonce_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/applyonce_policy_types.go
@@ -59,8 +59,13 @@ type ApplyOnceStrategy struct {
 	ApplyOnceAffectStrategy ApplyOnceAffectStrategy `json:"affect"`
 }

+// Type the type name of the policy
+func (in *ApplyOncePolicySpec) Type() string {
+	return ApplyOncePolicyType
+}
+
 // FindStrategy find apply-once strategy for target resource
-func (in ApplyOncePolicySpec) FindStrategy(manifest *unstructured.Unstructured) *ApplyOnceStrategy {
+func (in *ApplyOncePolicySpec) FindStrategy(manifest *unstructured.Unstructured) *ApplyOnceStrategy {
 	if !in.Enable {
 		return nil
 	}
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
@@ -18,10 +18,6 @@ package v1alpha1

 import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/utils/pointer"
-	"k8s.io/utils/strings/slices"
-
-	"github.com/oam-dev/kubevela/pkg/oam"
 )

 const (
@@ -57,59 +53,6 @@ type GarbageCollectPolicyRule struct {
 	Strategy GarbageCollectStrategy     `json:"strategy"`
 }

-// ResourcePolicyRuleSelector select the targets of the rule
-// if multiple conditions are specified, combination logic is AND
-type ResourcePolicyRuleSelector struct {
-	CompNames        []string `json:"componentNames,omitempty"`
-	CompTypes        []string `json:"componentTypes,omitempty"`
-	OAMResourceTypes []string `json:"oamTypes,omitempty"`
-	TraitTypes       []string `json:"traitTypes,omitempty"`
-	ResourceTypes    []string `json:"resourceTypes,omitempty"`
-	ResourceNames    []string `json:"resourceNames,omitempty"`
-}
-
-// Match check if current rule selector match the target resource
-// If at least one condition is matched and no other condition failed (could be empty), return true
-// Otherwise, return false
-func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured) bool {
-	var compName, compType, oamType, traitType, resourceType, resourceName string
-	if labels := manifest.GetLabels(); labels != nil {
-		compName = labels[oam.LabelAppComponent]
-		compType = labels[oam.WorkloadTypeLabel]
-		oamType = labels[oam.LabelOAMResourceType]
-		traitType = labels[oam.TraitTypeLabel]
-	}
-	resourceType = manifest.GetKind()
-	resourceName = manifest.GetName()
-	match := func(src []string, val string) (found *bool) {
-		if len(src) == 0 {
-			return nil
-		}
-		return pointer.Bool(val != "" && slices.Contains(src, val))
-	}
-	conditions := []*bool{
-		match(in.CompNames, compName),
-		match(in.CompTypes, compType),
-		match(in.OAMResourceTypes, oamType),
-		match(in.TraitTypes, traitType),
-		match(in.ResourceTypes, resourceType),
-		match(in.ResourceNames, resourceName),
-	}
-	hasMatched := false
-	for _, cond := range conditions {
-		// if any non-empty condition failed, return false
-		if cond != nil && !*cond {
-			return false
-		}
-		// if condition succeed, record it
-		if cond != nil && *cond {
-			hasMatched = true
-		}
-	}
-	// if at least one condition is met, return true
-	return hasMatched
-}
-
 // GarbageCollectStrategy the strategy for target resource to recycle
 type GarbageCollectStrategy string

@@ -123,8 +66,13 @@ const (
 	GarbageCollectStrategyOnAppUpdate GarbageCollectStrategy = "onAppUpdate"
 )

+// Type the type name of the policy
+func (in *GarbageCollectPolicySpec) Type() string {
+	return GarbageCollectPolicyType
+}
+
 // FindStrategy find gc strategy for target resource
-func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
+func (in *GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
 	for _, rule := range in.Rules {
 		if rule.Selector.Match(manifest) {
 			return &rule.Strategy
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types_test.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types_test.go
--- a/apis/core.oam.dev/v1alpha1/policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/policy_types.go
@@ -16,8 +16,6 @@ limitations under the License.

 package v1alpha1

-import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-
 const (
 	// TopologyPolicyType refers to the type of topology policy
 	TopologyPolicyType = "topology"
@@ -25,8 +23,6 @@ const (
 	OverridePolicyType = "override"
 	// DebugPolicyType refers to the type of debug policy
 	DebugPolicyType = "debug"
-	// SharedResourcePolicyType refers to the type of shared resource policy
-	SharedResourcePolicyType = "shared-resource"
 	// ReplicationPolicyType refers to the type of replication policy
 	ReplicationPolicyType = "replication"
 )
@@ -64,26 +60,6 @@ type OverridePolicySpec struct {
 	Selector   []string            `json:"selector,omitempty"`
 }

-// SharedResourcePolicySpec defines the spec of shared-resource policy
-type SharedResourcePolicySpec struct {
-	Rules []SharedResourcePolicyRule `json:"rules"`
-}
-
-// SharedResourcePolicyRule defines the rule for sharing resources
-type SharedResourcePolicyRule struct {
-	Selector ResourcePolicyRuleSelector `json:"selector"`
-}
-
-// FindStrategy return if the target resource should be shared
-func (in SharedResourcePolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
-	for _, rule := range in.Rules {
-		if rule.Selector.Match(manifest) {
-			return true
-		}
-	}
-	return false
-}
-
 // ReplicationPolicySpec defines the spec of replication policy
 // Override policy should be used together with replication policy to select the deployment target components
 type ReplicationPolicySpec struct {
--- a/apis/core.oam.dev/v1alpha1/readonly_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/readonly_policy_types.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// ReadOnlyPolicyType refers to the type of read-only policy
+	ReadOnlyPolicyType = "read-only"
+)
+
+// ReadOnlyPolicySpec defines the spec of read-only policy
+type ReadOnlyPolicySpec struct {
+	Rules []ReadOnlyPolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *ReadOnlyPolicySpec) Type() string {
+	return ReadOnlyPolicyType
+}
+
+// ReadOnlyPolicyRule defines the rule for read-only resources
+type ReadOnlyPolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource is read-only
+func (in *ReadOnlyPolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}
--- a/apis/core.oam.dev/v1alpha1/register.go
+++ b/apis/core.oam.dev/v1alpha1/register.go
@@ -18,6 +18,7 @@ package v1alpha1

 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8sscheme "k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"

 	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"
@@ -57,4 +58,5 @@ var (
 func init() {
 	SchemeBuilder.Register(&Policy{}, &PolicyList{})
 	SchemeBuilder.Register(&workflowv1alpha1.Workflow{}, &workflowv1alpha1.WorkflowList{})
+	_ = SchemeBuilder.AddToScheme(k8sscheme.Scheme)
 }
--- a/apis/core.oam.dev/v1alpha1/resource_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/resource_policy_types.go
@@ -0,0 +1,78 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/utils/pointer"
+	stringslices "k8s.io/utils/strings/slices"
+
+	"github.com/oam-dev/kubevela/pkg/oam"
+)
+
+// ResourcePolicyRuleSelector select the targets of the rule
+// if multiple conditions are specified, combination logic is AND
+type ResourcePolicyRuleSelector struct {
+	CompNames        []string `json:"componentNames,omitempty"`
+	CompTypes        []string `json:"componentTypes,omitempty"`
+	OAMResourceTypes []string `json:"oamTypes,omitempty"`
+	TraitTypes       []string `json:"traitTypes,omitempty"`
+	ResourceTypes    []string `json:"resourceTypes,omitempty"`
+	ResourceNames    []string `json:"resourceNames,omitempty"`
+}
+
+// Match check if current rule selector match the target resource
+// If at least one condition is matched and no other condition failed (could be empty), return true
+// Otherwise, return false
+func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured) bool {
+	var compName, compType, oamType, traitType, resourceType, resourceName string
+	if labels := manifest.GetLabels(); labels != nil {
+		compName = labels[oam.LabelAppComponent]
+		compType = labels[oam.WorkloadTypeLabel]
+		oamType = labels[oam.LabelOAMResourceType]
+		traitType = labels[oam.TraitTypeLabel]
+	}
+	resourceType = manifest.GetKind()
+	resourceName = manifest.GetName()
+	match := func(src []string, val string) (found *bool) {
+		if len(src) == 0 {
+			return nil
+		}
+		return pointer.Bool(val != "" && stringslices.Contains(src, val))
+	}
+	conditions := []*bool{
+		match(in.CompNames, compName),
+		match(in.CompTypes, compType),
+		match(in.OAMResourceTypes, oamType),
+		match(in.TraitTypes, traitType),
+		match(in.ResourceTypes, resourceType),
+		match(in.ResourceNames, resourceName),
+	}
+	hasMatched := false
+	for _, cond := range conditions {
+		// if any non-empty condition failed, return false
+		if cond != nil && !*cond {
+			return false
+		}
+		// if condition succeed, record it
+		if cond != nil && *cond {
+			hasMatched = true
+		}
+	}
+	// if at least one condition is met, return true
+	return hasMatched
+}
--- a/apis/core.oam.dev/v1alpha1/sharedresource_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/sharedresource_policy_types.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// SharedResourcePolicyType refers to the type of shared resource policy
+	SharedResourcePolicyType = "shared-resource"
+)
+
+// SharedResourcePolicySpec defines the spec of shared-resource policy
+type SharedResourcePolicySpec struct {
+	Rules []SharedResourcePolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *SharedResourcePolicySpec) Type() string {
+	return SharedResourcePolicyType
+}
+
+// SharedResourcePolicyRule defines the rule for sharing resources
+type SharedResourcePolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource should be shared
+func (in *SharedResourcePolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}
--- a/apis/core.oam.dev/v1alpha1/sharedresource_policy_types_test.go
+++ b/apis/core.oam.dev/v1alpha1/sharedresource_policy_types_test.go
--- a/apis/core.oam.dev/v1alpha1/takeover_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/takeover_policy_types.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// TakeOverPolicyType refers to the type of take-over policy
+	TakeOverPolicyType = "take-over"
+)
+
+// TakeOverPolicySpec defines the spec of take-over policy
+type TakeOverPolicySpec struct {
+	Rules []TakeOverPolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *TakeOverPolicySpec) Type() string {
+	return TakeOverPolicyType
+}
+
+// TakeOverPolicyRule defines the rule for taking over resources
+type TakeOverPolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource should be taken over
+func (in *TakeOverPolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}
--- a/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
@@ -585,6 +585,44 @@ func (in *PolicyList) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReadOnlyPolicyRule) DeepCopyInto(out *ReadOnlyPolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReadOnlyPolicyRule.
+func (in *ReadOnlyPolicyRule) DeepCopy() *ReadOnlyPolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(ReadOnlyPolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReadOnlyPolicySpec) DeepCopyInto(out *ReadOnlyPolicySpec) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]ReadOnlyPolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReadOnlyPolicySpec.
+func (in *ReadOnlyPolicySpec) DeepCopy() *ReadOnlyPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ReadOnlyPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RefObjectsComponentSpec) DeepCopyInto(out *RefObjectsComponentSpec) {
 	*out = *in
@@ -720,6 +758,44 @@ func (in *SharedResourcePolicySpec) DeepCopy() *SharedResourcePolicySpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TakeOverPolicyRule) DeepCopyInto(out *TakeOverPolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TakeOverPolicyRule.
+func (in *TakeOverPolicyRule) DeepCopy() *TakeOverPolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(TakeOverPolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TakeOverPolicySpec) DeepCopyInto(out *TakeOverPolicySpec) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]TakeOverPolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TakeOverPolicySpec.
+func (in *TakeOverPolicySpec) DeepCopy() *TakeOverPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TakeOverPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopologyPolicySpec) DeepCopyInto(out *TopologyPolicySpec) {
 	*out = *in
--- a/apis/core.oam.dev/v1beta1/applicationrevision_types.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types.go
@@ -17,9 +17,11 @@
 package v1beta1

 import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"encoding/json"

+	"github.com/kubevela/pkg/util/compression"
 	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
@@ -29,17 +31,27 @@ import (

 // ApplicationRevisionSpec is the spec of ApplicationRevision
 type ApplicationRevisionSpec struct {
+	// ApplicationRevisionCompressibleFields represents all the fields that can be compressed.
+	ApplicationRevisionCompressibleFields `json:",inline"`
+
+	// Compression represents the compressed components in apprev in base64 (if compression is enabled).
+	Compression ApplicationRevisionCompression `json:"compression,omitempty"`
+}
+
+// ApplicationRevisionCompressibleFields represents all the fields that can be compressed.
+// So we can better organize them and compress only the compressible fields.
+type ApplicationRevisionCompressibleFields struct {
 	// Application records the snapshot of the created/modified Application
 	Application Application `json:"application"`

 	// ComponentDefinitions records the snapshot of the componentDefinitions related with the created/modified Application
-	ComponentDefinitions map[string]ComponentDefinition `json:"componentDefinitions,omitempty"`
+	ComponentDefinitions map[string]*ComponentDefinition `json:"componentDefinitions,omitempty"`

 	// WorkloadDefinitions records the snapshot of the workloadDefinitions related with the created/modified Application
 	WorkloadDefinitions map[string]WorkloadDefinition `json:"workloadDefinitions,omitempty"`

 	// TraitDefinitions records the snapshot of the traitDefinitions related with the created/modified Application
-	TraitDefinitions map[string]TraitDefinition `json:"traitDefinitions,omitempty"`
+	TraitDefinitions map[string]*TraitDefinition `json:"traitDefinitions,omitempty"`

 	// ScopeDefinitions records the snapshot of the scopeDefinitions related with the created/modified Application
 	ScopeDefinitions map[string]ScopeDefinition `json:"scopeDefinitions,omitempty"`
@@ -48,7 +60,7 @@ type ApplicationRevisionSpec struct {
 	PolicyDefinitions map[string]PolicyDefinition `json:"policyDefinitions,omitempty"`

 	// WorkflowStepDefinitions records the snapshot of the WorkflowStepDefinitions related with the created/modified Application
-	WorkflowStepDefinitions map[string]WorkflowStepDefinition `json:"workflowStepDefinitions,omitempty"`
+	WorkflowStepDefinitions map[string]*WorkflowStepDefinition `json:"workflowStepDefinitions,omitempty"`

 	// ScopeGVK records the apiVersion to GVK mapping
 	ScopeGVK map[string]metav1.GroupVersionKind `json:"scopeGVK,omitempty"`
@@ -64,12 +76,67 @@ type ApplicationRevisionSpec struct {
 	ReferredObjects []common.ReferredObject `json:"referredObjects,omitempty"`
 }

+// ApplicationRevisionCompression represents the compressed components in apprev in base64.
+type ApplicationRevisionCompression struct {
+	compression.CompressedText `json:",inline"`
+}
+
+// MarshalJSON serves the same purpose as the one in ResourceTrackerSpec.
+func (apprev *ApplicationRevisionSpec) MarshalJSON() ([]byte, error) {
+	type Alias ApplicationRevisionSpec
+	tmp := &struct {
+		*Alias
+	}{}
+
+	if apprev.Compression.Type == compression.Uncompressed {
+		tmp.Alias = (*Alias)(apprev)
+	} else {
+		cpy := apprev.DeepCopy()
+		err := cpy.Compression.EncodeFrom(cpy.ApplicationRevisionCompressibleFields)
+		cpy.ApplicationRevisionCompressibleFields = ApplicationRevisionCompressibleFields{
+			// Application needs to have components.
+			Application: Application{Spec: ApplicationSpec{Components: []common.ApplicationComponent{}}},
+		}
+		if err != nil {
+			return nil, err
+		}
+		tmp.Alias = (*Alias)(cpy)
+	}
+
+	return json.Marshal(tmp.Alias)
+}
+
+// UnmarshalJSON serves the same purpose as the one in ResourceTrackerSpec.
+func (apprev *ApplicationRevisionSpec) UnmarshalJSON(data []byte) error {
+	type Alias ApplicationRevisionSpec
+	tmp := &struct {
+		*Alias
+	}{}
+
+	if err := json.Unmarshal(data, tmp); err != nil {
+		return err
+	}
+
+	if tmp.Compression.Type != compression.Uncompressed {
+		err := tmp.Compression.DecodeTo(&tmp.ApplicationRevisionCompressibleFields)
+		if err != nil {
+			return err
+		}
+		tmp.Compression.Clean()
+	}
+
+	(*ApplicationRevisionSpec)(tmp.Alias).DeepCopyInto(apprev)
+	return nil
+}
+
 // ApplicationRevisionStatus is the status of ApplicationRevision
 type ApplicationRevisionStatus struct {
 	// Succeeded records if the workflow finished running with success
 	Succeeded bool `json:"succeeded"`
 	// Workflow the running status of the workflow
 	Workflow *common.WorkflowStatus `json:"workflow,omitempty"`
+	// Record the context values to the revision.
+	WorkflowContext map[string]string `json:"workflowContext,omitempty"`
 }

 // +kubebuilder:object:root=true
--- a/apis/core.oam.dev/v1beta1/applicationrevision_types_test.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types_test.go
@@ -0,0 +1,86 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"github.com/kubevela/pkg/util/compression"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+)
+
+func TestApplicationRevisionCompression(t *testing.T) {
+	// Fill data
+	spec := &ApplicationRevisionSpec{}
+	spec.Application = Application{Spec: ApplicationSpec{Components: []common.ApplicationComponent{{Name: "test-name"}}}}
+	spec.ComponentDefinitions = make(map[string]*ComponentDefinition)
+	spec.ComponentDefinitions["def"] = &ComponentDefinition{Spec: ComponentDefinitionSpec{PodSpecPath: "path"}}
+	spec.WorkloadDefinitions = make(map[string]WorkloadDefinition)
+	spec.WorkloadDefinitions["def"] = WorkloadDefinition{Spec: WorkloadDefinitionSpec{Reference: common.DefinitionReference{Name: "testdef"}}}
+	spec.TraitDefinitions = make(map[string]*TraitDefinition)
+	spec.TraitDefinitions["def"] = &TraitDefinition{Spec: TraitDefinitionSpec{ControlPlaneOnly: true}}
+	spec.ScopeDefinitions = make(map[string]ScopeDefinition)
+	spec.ScopeDefinitions["def"] = ScopeDefinition{Spec: ScopeDefinitionSpec{AllowComponentOverlap: true}}
+	spec.PolicyDefinitions = make(map[string]PolicyDefinition)
+	spec.PolicyDefinitions["def"] = PolicyDefinition{Spec: PolicyDefinitionSpec{ManageHealthCheck: true}}
+	spec.WorkflowStepDefinitions = make(map[string]*WorkflowStepDefinition)
+	spec.WorkflowStepDefinitions["def"] = &WorkflowStepDefinition{Spec: WorkflowStepDefinitionSpec{Reference: common.DefinitionReference{Name: "testname"}}}
+	spec.ReferredObjects = []common.ReferredObject{{RawExtension: runtime.RawExtension{Raw: []byte("123")}}}
+
+	testAppRev := &ApplicationRevision{Spec: *spec}
+
+	marshalAndUnmarshal := func(in *ApplicationRevision) (*ApplicationRevision, int) {
+		out := &ApplicationRevision{}
+		b, err := json.Marshal(in)
+		assert.NoError(t, err)
+		if in.Spec.Compression.Type != compression.Uncompressed {
+			assert.Contains(t, string(b), fmt.Sprintf("\"type\":\"%s\",\"data\":\"", in.Spec.Compression.Type))
+		}
+		err = json.Unmarshal(b, out)
+		assert.NoError(t, err)
+		assert.Equal(t, out.Spec.Compression.Type, in.Spec.Compression.Type)
+		assert.Equal(t, out.Spec.Compression.Data, "")
+		return out, len(b)
+	}
+
+	// uncompressed
+	testAppRev.Spec.Compression.SetType(compression.Uncompressed)
+	uncomp, uncompsize := marshalAndUnmarshal(testAppRev)
+
+	// zstd compressed
+	testAppRev.Spec.Compression.SetType(compression.Zstd)
+	zstdcomp, zstdsize := marshalAndUnmarshal(testAppRev)
+	// We will compare content later. Clear compression methods since it will interfere
+	// comparison and is verified earlier.
+	zstdcomp.Spec.Compression.SetType(compression.Uncompressed)
+
+	// gzip compressed
+	testAppRev.Spec.Compression.SetType(compression.Gzip)
+	gzipcomp, gzipsize := marshalAndUnmarshal(testAppRev)
+	gzipcomp.Spec.Compression.SetType(compression.Uncompressed)
+
+	assert.Equal(t, uncomp, zstdcomp)
+	assert.Equal(t, zstdcomp, gzipcomp)
+
+	assert.Less(t, zstdsize, uncompsize)
+	assert.Less(t, gzipsize, uncompsize)
+}
--- a/apis/core.oam.dev/v1beta1/register.go
+++ b/apis/core.oam.dev/v1beta1/register.go
@@ -20,6 +20,7 @@ import (
 	"reflect"

 	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8sscheme "k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
@@ -133,6 +134,7 @@ func init() {
 	SchemeBuilder.Register(&Application{}, &ApplicationList{})
 	SchemeBuilder.Register(&ApplicationRevision{}, &ApplicationRevisionList{})
 	SchemeBuilder.Register(&ResourceTracker{}, &ResourceTrackerList{})
+	_ = SchemeBuilder.AddToScheme(k8sscheme.Scheme)
 }

 // Resource takes an unqualified resource and returns a Group qualified GroupResource
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types.go
@@ -29,11 +29,12 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"

+	"github.com/kubevela/pkg/util/compression"
+
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/interfaces"
 	velatypes "github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/oam"
-	"github.com/oam-dev/kubevela/pkg/utils/compression"
 	velaerr "github.com/oam-dev/kubevela/pkg/utils/errors"
 )

@@ -76,10 +77,9 @@ type ResourceTrackerSpec struct {
 	Compression           ResourceTrackerCompression `json:"compression,omitempty"`
 }

-// ResourceTrackerCompression the compression for ResourceTracker ManagedResources
+// ResourceTrackerCompression represents the compressed components in ResourceTracker.
 type ResourceTrackerCompression struct {
-	Type compression.Type `json:"type,omitempty"`
-	Data string           `json:"data,omitempty"`
+	compression.CompressedText `json:",inline"`
 }

 // MarshalJSON will encode ResourceTrackerSpec according to the compression type. If type specified,
@@ -88,30 +88,19 @@ type ResourceTrackerCompression struct {
 func (in *ResourceTrackerSpec) MarshalJSON() ([]byte, error) {
 	type Alias ResourceTrackerSpec
 	tmp := &struct{ *Alias }{}
-	switch in.Compression.Type {
-	case compression.Uncompressed:
+
+	if in.Compression.Type == compression.Uncompressed {
 		tmp.Alias = (*Alias)(in)
-	case compression.Gzip:
+	} else {
 		cpy := in.DeepCopy()
-		data, err := compression.GzipObjectToString(in.ManagedResources)
+		cpy.ManagedResources = nil
+		err := cpy.Compression.EncodeFrom(in.ManagedResources)
 		if err != nil {
 			return nil, err
 		}
-		cpy.ManagedResources = nil
-		cpy.Compression.Data = data
 		tmp.Alias = (*Alias)(cpy)
-	case compression.Zstd:
-		cpy := in.DeepCopy()
-		data, err := compression.ZstdObjectToString(in.ManagedResources)
-		if err != nil {
-			return nil, err
-		}
-		cpy.ManagedResources = nil
-		cpy.Compression.Data = data
-		tmp.Alias = (*Alias)(cpy)
-	default:
-		return nil, compression.NewUnsupportedCompressionTypeError(string(in.Compression.Type))
 	}
+
 	return json.Marshal(tmp.Alias)
 }

@@ -124,24 +113,16 @@ func (in *ResourceTrackerSpec) UnmarshalJSON(src []byte) error {
 	if err := json.Unmarshal(src, tmp); err != nil {
 		return err
 	}
-	switch tmp.Compression.Type {
-	case compression.Uncompressed:
-		break
-	case compression.Gzip:
+
+	if tmp.Compression.Type != compression.Uncompressed {
 		tmp.ManagedResources = []ManagedResource{}
-		if err := compression.GunzipStringToObject(tmp.Compression.Data, &tmp.ManagedResources); err != nil {
+		err := tmp.Compression.DecodeTo(&tmp.ManagedResources)
+		if err != nil {
 			return err
 		}
-		tmp.Compression.Data = ""
-	case compression.Zstd:
-		tmp.ManagedResources = []ManagedResource{}
-		if err := compression.UnZstdStringToObject(tmp.Compression.Data, &tmp.ManagedResources); err != nil {
-			return err
-		}
-		tmp.Compression.Data = ""
-	default:
-		return compression.NewUnsupportedCompressionTypeError(string(in.Compression.Type))
+		tmp.Compression.Clean()
 	}
+
 	(*ResourceTrackerSpec)(tmp.Alias).DeepCopyInto(in)
 	return nil
 }
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
@@ -19,11 +19,12 @@ package v1beta1
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"
 	"testing"
 	"time"

+	"github.com/kubevela/pkg/util/compression"
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -34,7 +35,6 @@ import (

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/pkg/oam"
-	"github.com/oam-dev/kubevela/pkg/utils/compression"
 	"github.com/oam-dev/kubevela/pkg/utils/errors"
 )

@@ -205,14 +205,13 @@ func TestResourceTrackerCompression(t *testing.T) {
 		"../../../charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml",
 		"../../../charts/vela-core/crds/core.oam.dev_workloaddefinitions.yaml",
 		"../../../charts/vela-core/crds/standard.oam.dev_rollouts.yaml",
-		"../../../charts/vela-core/templates/addon/fluxcd.yaml",
 		"../../../charts/vela-core/templates/kubevela-controller.yaml",
 		"../../../charts/vela-core/README.md",
 		"../../../pkg/velaql/providers/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
 		"../../../legacy/charts/vela-core-legacy/crds/standard.oam.dev_podspecworkloads.yaml",
 	}
 	for _, p := range paths {
-		b, err := ioutil.ReadFile(p)
+		b, err := os.ReadFile(p)
 		r.NoError(err)
 		data = append(data, string(b))
 	}
--- a/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
@@ -136,6 +136,130 @@ func (in *ApplicationRevision) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRevisionCompressibleFields) {
+	*out = *in
+	in.Application.DeepCopyInto(&out.Application)
+	if in.ComponentDefinitions != nil {
+		in, out := &in.ComponentDefinitions, &out.ComponentDefinitions
+		*out = make(map[string]*ComponentDefinition, len(*in))
+		for key, val := range *in {
+			var outVal *ComponentDefinition
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(ComponentDefinition)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.WorkloadDefinitions != nil {
+		in, out := &in.WorkloadDefinitions, &out.WorkloadDefinitions
+		*out = make(map[string]WorkloadDefinition, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	if in.TraitDefinitions != nil {
+		in, out := &in.TraitDefinitions, &out.TraitDefinitions
+		*out = make(map[string]*TraitDefinition, len(*in))
+		for key, val := range *in {
+			var outVal *TraitDefinition
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(TraitDefinition)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ScopeDefinitions != nil {
+		in, out := &in.ScopeDefinitions, &out.ScopeDefinitions
+		*out = make(map[string]ScopeDefinition, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	if in.PolicyDefinitions != nil {
+		in, out := &in.PolicyDefinitions, &out.PolicyDefinitions
+		*out = make(map[string]PolicyDefinition, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	if in.WorkflowStepDefinitions != nil {
+		in, out := &in.WorkflowStepDefinitions, &out.WorkflowStepDefinitions
+		*out = make(map[string]*WorkflowStepDefinition, len(*in))
+		for key, val := range *in {
+			var outVal *WorkflowStepDefinition
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(WorkflowStepDefinition)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ScopeGVK != nil {
+		in, out := &in.ScopeGVK, &out.ScopeGVK
+		*out = make(map[string]v1.GroupVersionKind, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Policies != nil {
+		in, out := &in.Policies, &out.Policies
+		*out = make(map[string]core_oam_devv1alpha1.Policy, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	if in.Workflow != nil {
+		in, out := &in.Workflow, &out.Workflow
+		*out = new(v1alpha1.Workflow)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ReferredObjects != nil {
+		in, out := &in.ReferredObjects, &out.ReferredObjects
+		*out = make([]common.ReferredObject, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionCompressibleFields.
+func (in *ApplicationRevisionCompressibleFields) DeepCopy() *ApplicationRevisionCompressibleFields {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationRevisionCompressibleFields)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationRevisionCompression) DeepCopyInto(out *ApplicationRevisionCompression) {
+	*out = *in
+	out.CompressedText = in.CompressedText
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionCompression.
+func (in *ApplicationRevisionCompression) DeepCopy() *ApplicationRevisionCompression {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationRevisionCompression)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationRevisionList) DeepCopyInto(out *ApplicationRevisionList) {
 	*out = *in
@@ -171,75 +295,8 @@ func (in *ApplicationRevisionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationRevisionSpec) DeepCopyInto(out *ApplicationRevisionSpec) {
 	*out = *in
-	in.Application.DeepCopyInto(&out.Application)
-	if in.ComponentDefinitions != nil {
-		in, out := &in.ComponentDefinitions, &out.ComponentDefinitions
-		*out = make(map[string]ComponentDefinition, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
-	if in.WorkloadDefinitions != nil {
-		in, out := &in.WorkloadDefinitions, &out.WorkloadDefinitions
-		*out = make(map[string]WorkloadDefinition, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
-	if in.TraitDefinitions != nil {
-		in, out := &in.TraitDefinitions, &out.TraitDefinitions
-		*out = make(map[string]TraitDefinition, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
-	if in.ScopeDefinitions != nil {
-		in, out := &in.ScopeDefinitions, &out.ScopeDefinitions
-		*out = make(map[string]ScopeDefinition, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
-	if in.PolicyDefinitions != nil {
-		in, out := &in.PolicyDefinitions, &out.PolicyDefinitions
-		*out = make(map[string]PolicyDefinition, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
-	if in.WorkflowStepDefinitions != nil {
-		in, out := &in.WorkflowStepDefinitions, &out.WorkflowStepDefinitions
-		*out = make(map[string]WorkflowStepDefinition, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
-	if in.ScopeGVK != nil {
-		in, out := &in.ScopeGVK, &out.ScopeGVK
-		*out = make(map[string]v1.GroupVersionKind, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.Policies != nil {
-		in, out := &in.Policies, &out.Policies
-		*out = make(map[string]core_oam_devv1alpha1.Policy, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
-	if in.Workflow != nil {
-		in, out := &in.Workflow, &out.Workflow
-		*out = new(v1alpha1.Workflow)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ReferredObjects != nil {
-		in, out := &in.ReferredObjects, &out.ReferredObjects
-		*out = make([]common.ReferredObject, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
+	in.ApplicationRevisionCompressibleFields.DeepCopyInto(&out.ApplicationRevisionCompressibleFields)
+	out.Compression = in.Compression
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionSpec.
@@ -260,6 +317,13 @@ func (in *ApplicationRevisionStatus) DeepCopyInto(out *ApplicationRevisionStatus
 		*out = new(common.WorkflowStatus)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.WorkflowContext != nil {
+		in, out := &in.WorkflowContext, &out.WorkflowContext
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRevisionStatus.
@@ -654,6 +718,7 @@ func (in *ResourceTracker) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceTrackerCompression) DeepCopyInto(out *ResourceTrackerCompression) {
 	*out = *in
+	out.CompressedText = in.CompressedText
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceTrackerCompression.
--- a/apis/types/capability.go
+++ b/apis/types/capability.go
@@ -176,9 +176,8 @@ type Capability struct {
 	Namespace string `json:"namespace,omitempty"`

 	// Plugin Source
-	Source  *Source       `json:"source,omitempty"`
-	Install *Installation `json:"install,omitempty"`
-	CrdInfo *CRDInfo      `json:"crdInfo,omitempty"`
+	Source  *Source  `json:"source,omitempty"`
+	CrdInfo *CRDInfo `json:"crdInfo,omitempty"`

 	// Terraform
 	TerraformConfiguration string `json:"terraformConfiguration,omitempty"`
--- a/apis/types/componentmanifest.go
+++ b/apis/types/componentmanifest.go
@@ -28,9 +28,11 @@ type ComponentManifest struct {
 	RevisionName     string
 	RevisionHash     string
 	ExternalRevision string
+	// StandardWorkload contains K8s resource generated from "output" block of ComponentDefinition
 	StandardWorkload *unstructured.Unstructured
-	Traits           []*unstructured.Unstructured
-	Scopes           []*corev1.ObjectReference
+	// Traits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
+	Traits []*unstructured.Unstructured
+	Scopes []*corev1.ObjectReference

 	// PackagedWorkloadResources contain all the workload related resources. It could be a Helm
 	// Release, Git Repo or anything that can package and run a workload.
--- a/apis/types/types.go
+++ b/apis/types/types.go
@@ -186,3 +186,17 @@ const (
 	// VelaCoreConfig is to mark application, config and its secret or Terraform provider lelong to a KubeVela config
 	VelaCoreConfig = "velacore-config"
 )
+
+const (
+	// LabelSourceOfTruth describes the source of this app
+	LabelSourceOfTruth = "app.oam.dev/source-of-truth"
+
+	// FromCR means the data source of truth is from k8s CR
+	FromCR = "from-k8s-resource"
+	// FromUX means the data source of truth is from velaux data store
+	FromUX = "from-velaux"
+	// FromInner means the data source of truth is from KubeVela inner usage
+	// the configuration that don't want to be synced
+	// the addon application should be synced, but set to readonly mode
+	FromInner = "from-inner-system"
+)
--- a/charts/vela-core/README.md
+++ b/charts/vela-core/README.md
@@ -41,16 +41,14 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | Name                          | Description                                                                                   | Value     |
 | ----------------------------- | --------------------------------------------------------------------------------------------- | --------- |
 | `systemDefinitionNamespace`   | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil`     |
-| `applicationRevisionLimit`    | Application revision limit                                                                    | `10`      |
-| `definitionRevisionLimit`     | Definition revision limit                                                                     | `20`      |
+| `applicationRevisionLimit`    | Application revision limit                                                                    | `2`       |
+| `definitionRevisionLimit`     | Definition revision limit                                                                     | `2`       |
 | `concurrentReconciles`        | concurrentReconciles is the concurrent reconcile number of the controller                     | `4`       |
 | `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`      |
 | `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `v0.3`    |
 | `disableCaps`                 | Disable capability                                                                            | `rollout` |
-| `enableFluxcdAddon`           | Whether to enable fluxcd addon                                                                | `false`   |
 | `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`     |

-
 ### KubeVela workflow parameters

 | Name                                   | Description                                            | Value   |
@@ -60,7 +58,6 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
 | `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |

-
 ### KubeVela controller parameters

 | Name                        | Description                          | Value              |
@@ -78,45 +75,51 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `webhookService.port`       | KubeVela webhook service port        | `9443`             |
 | `healthCheck.port`          | KubeVela health check port           | `9440`             |

-
 ### KubeVela controller optimization parameters

-| Name                                              | Description                                                                                                                                                                          | Value   |
-| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
-| `optimize.cachedGvks`                             | Optimize types of resources to be cached.                                                                                                                                            | `""`    |
-| `optimize.resourceTrackerListOp`                  | Optimize ResourceTracker List Op by adding index.                                                                                                                                    | `true`  |
-| `optimize.controllerReconcileLoopReduction`       | Optimize ApplicationController reconcile by reducing the number of loops to reconcile application.                                                                                   | `false` |
-| `optimize.markWithProb`                           | Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.                                    | `0.1`   |
-| `optimize.disableComponentRevision`               | Optimize componentRevision by disabling the creation and gc                                                                                                                          | `false` |
-| `optimize.disableApplicationRevision`             | Optimize ApplicationRevision by disabling the creation and gc.                                                                                                                       | `false` |
-| `optimize.disableWorkflowRecorder`                | Optimize workflow recorder by disabling the creation and gc.                                                                                                                         | `false` |
-| `optimize.enableInMemoryWorkflowContext`          | Optimize workflow by use in-memory context.                                                                                                                                          | `false` |
-| `optimize.disableResourceApplyDoubleCheck`        | Optimize workflow by ignoring resource double check after apply.                                                                                                                     | `false` |
-| `optimize.enableResourceTrackerDeleteOnlyTrigger` | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                                                                  | `true`  |
-| `featureGates.enableLegacyComponentRevision`      | if disabled, only component with rollout trait will create component revisions                                                                                                       | `false` |
-| `featureGates.gzipResourceTracker`                | if enabled, resourceTracker will be compressed using gzip before being stored                                                                                                        | `false` |
-| `featureGates.zstdResourceTracker`                | if enabled, resourceTracker will be compressed using zstd before being stored. It is much faster and more efficient than gzip. If both gzip and zstd are enabled, zstd will be used. | `false` |
-| `featureGates.applyOnce`                          | if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker                                                | `false` |
-| `featureGates.multiStageComponentApply`           | if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.                                         | `false` |
-
+| Name                                                         | Description                                                                                                                                                                                                                      | Value   |
+| ------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `optimize.cachedGvks`                                        | Optimize types of resources to be cached.                                                                                                                                                                                        | `""`    |
+| `optimize.markWithProb`                                      | Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.                                                                                | `0.1`   |
+| `optimize.disableComponentRevision`                          | Optimize componentRevision by disabling the creation and gc                                                                                                                                                                      | `true`  |
+| `optimize.disableApplicationRevision`                        | Optimize ApplicationRevision by disabling the creation and gc.                                                                                                                                                                   | `false` |
+| `optimize.enableInMemoryWorkflowContext`                     | Optimize workflow by use in-memory context.                                                                                                                                                                                      | `false` |
+| `optimize.disableResourceApplyDoubleCheck`                   | Optimize workflow by ignoring resource double check after apply.                                                                                                                                                                 | `false` |
+| `optimize.enableResourceTrackerDeleteOnlyTrigger`            | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                                                                                                              | `true`  |
+| `featureGates.enableLegacyComponentRevision`                 | if disabled, only component with rollout trait will create component revisions                                                                                                                                                   | `false` |
+| `featureGates.gzipResourceTracker`                           | compress ResourceTracker using gzip (good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers.                                                                                      | `false` |
+| `featureGates.zstdResourceTracker`                           | compress ResourceTracker using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers. Note that zstd will be prioritized if you enable other compression options. | `true`  |
+| `featureGates.applyOnce`                                     | if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker                                                                                            | `false` |
+| `featureGates.multiStageComponentApply`                      | if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.                                                                                     | `true`  |
+| `featureGates.gzipApplicationRevision`                       | compress apprev using gzip (good) before being stored. This is reduces network throughput when dealing with huge apprevs.                                                                                                        | `false` |
+| `featureGates.zstdApplicationRevision`                       | compress apprev using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge apprevs. Note that zstd will be prioritized if you enable other compression options.                   | `true`  |
+| `featureGates.preDispatchDryRun`                             | enable dryrun before dispatching resources. Enable this flag can help prevent unsuccessful dispatch resources entering resourcetracker and improve the user experiences of gc but at the cost of increasing network requests.    | `true`  |
+| `featureGates.validateComponentWhenSharding`                 | enable component validation in webhook when sharding mode enabled                                                                                                                                                                | `false` |
+| `featureGates.disableWebhookAutoSchedule`                    | disable auto schedule for application mutating webhook when sharding enabled                                                                                                                                                     | `false` |
+| `featureGates.disableBootstrapClusterInfo`                   | disable the cluster info bootstrap at the starting of the controller                                                                                                                                                             | `false` |
+| `featureGates.informerCacheFilterUnnecessaryFields`          | filter unnecessary fields for informer cache                                                                                                                                                                                     | `true`  |
+| `featureGates.sharedDefinitionStorageForApplicationRevision` | use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields                                                                                    | `true`  |
+| `featureGates.disableWorkflowContextConfigMapCache`          | disable the workflow context's configmap informer cache                                                                                                                                                                          | `true`  |

 ### MultiCluster parameters

-| Name                                                        | Description                                     | Value                            |
-| ----------------------------------------------------------- | ----------------------------------------------- | -------------------------------- |
-| `multicluster.enabled`                                      | Whether to enable multi-cluster                 | `true`                           |
-| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect | `false`                          |
-| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                    | `1`                              |
-| `multicluster.clusterGateway.port`                          | ClusterGateway port                             | `9443`                           |
-| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                 | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                        | `v1.4.0`                         |
-| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                | `IfNotPresent`                   |
-| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                        | `100m`                           |
-| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                     | `200Mi`                          |
-| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                    | `true`                           |
-| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                    | `/etc/k8s-cluster-gateway-certs` |
-| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                  | `false`                          |
-
+| Name                                                        | Description                                                                                 | Value                            |
+| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
+| `multicluster.enabled`                                      | Whether to enable multi-cluster                                                             | `true`                           |
+| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect                                             | `false`                          |
+| `multicluster.clusterGateway.direct`                        | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true`                           |
+| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                                                                | `1`                              |
+| `multicluster.clusterGateway.port`                          | ClusterGateway port                                                                         | `9443`                           |
+| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                                                             | `oamdev/cluster-gateway`         |
+| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                                                                    | `v1.8.0`                         |
+| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                                                            | `IfNotPresent`                   |
+| `multicluster.clusterGateway.resources.requests.cpu`        | ClusterGateway cpu request                                                                  | `50m`                            |
+| `multicluster.clusterGateway.resources.requests.memory`     | ClusterGateway memory request                                                               | `20Mi`                           |
+| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                                                                    | `500m`                           |
+| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                                                                 | `200Mi`                          |
+| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                                                                | `true`                           |
+| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                                                                | `/etc/k8s-cluster-gateway-certs` |
+| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                                                              | `false`                          |

 ### Test parameters

@@ -127,30 +130,31 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `test.k8s.repository` | Test k8s repository | `oamdev/alpine-k8s`  |
 | `test.k8s.tag`        | Test k8s tag        | `1.18.2`             |

-
 ### Common parameters

-| Name                          | Description                                                                                                                | Value                |
-| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------- |
-| `imagePullSecrets`            | Image pull secrets                                                                                                         | `[]`                 |
-| `nameOverride`                | Override name                                                                                                              | `""`                 |
-| `fullnameOverride`            | Fullname override                                                                                                          | `""`                 |
-| `serviceAccount.create`       | Specifies whether a service account should be created                                                                      | `true`               |
-| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                  | `{}`                 |
-| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template     | `nil`                |
-| `nodeSelector`                | Node selector                                                                                                              | `{}`                 |
-| `tolerations`                 | Tolerations                                                                                                                | `[]`                 |
-| `affinity`                    | Affinity                                                                                                                   | `{}`                 |
-| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                            | `true`               |
-| `logDebug`                    | Enable debug logs for development purpose                                                                                  | `false`              |
-| `logFilePath`                 | If non-empty, write log files in this path                                                                                 | `""`                 |
-| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. | `1024`               |
-| `kubeClient.qps`              | The qps for reconcile clients, default is 50                                                                               | `50`                 |
-| `kubeClient.burst`            | The burst for reconcile clients, default is 100                                                                            | `100`                |
-| `authentication.enabled`      | Enable authentication for application                                                                                      | `false`              |
-| `authentication.withUser`     | Application authentication will impersonate as the request User                                                            | `false`              |
-| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                 | `kubevela:vela-core` |
-| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                  | `kubevela:*`         |
+| Name                          | Description                                                                                                                                                        | Value                |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `imagePullSecrets`            | Image pull secrets                                                                                                                                                 | `[]`                 |
+| `nameOverride`                | Override name                                                                                                                                                      | `""`                 |
+| `fullnameOverride`            | Fullname override                                                                                                                                                  | `""`                 |
+| `serviceAccount.create`       | Specifies whether a service account should be created                                                                                                              | `true`               |
+| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                                                          | `{}`                 |
+| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                             | `nil`                |
+| `nodeSelector`                | Node selector                                                                                                                                                      | `{}`                 |
+| `tolerations`                 | Tolerations                                                                                                                                                        | `[]`                 |
+| `affinity`                    | Affinity                                                                                                                                                           | `{}`                 |
+| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
+| `logDebug`                    | Enable debug logs for development purpose                                                                                                                          | `false`              |
+| `logFilePath`                 | If non-empty, write log files in this path                                                                                                                         | `""`                 |
+| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
+| `kubeClient.qps`              | The qps for reconcile clients                                                                                                                                      | `400`                |
+| `kubeClient.burst`            | The burst for reconcile clients                                                                                                                                    | `600`                |
+| `authentication.enabled`      | Enable authentication for application                                                                                                                              | `false`              |
+| `authentication.withUser`     | Application authentication will impersonate as the request User                                                                                                    | `true`               |
+| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                                                         | `kubevela:vela-core` |
+| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                                                          | `kubevela:*`         |
+| `sharding.enabled`            | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false`              |
+| `sharding.schedulableShards`  | The shards available for scheduling. If empty, dynamic discovery will be used.                                                                                     | `""`                 |


 ## Uninstallation
--- a/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: applicationrevisions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -214,6 +213,7 @@ spec:
                                        https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                      type: string
                                  type: object
+                                  x-kubernetes-map-type: atomic
                              required:
                              - name
                              type: object
@@ -356,6 +356,7 @@ spec:
                                              info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                            type: string
                                        type: object
+                                        x-kubernetes-map-type: atomic
                                    required:
                                    - name
                                    type: object
@@ -494,6 +495,7 @@ spec:
                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                              type: string
                          type: object
+                          x-kubernetes-map-type: atomic
                        type: array
                      components:
                        description: Components record the related Components created
@@ -502,30 +504,30 @@ spec:
                          description: "ObjectReference contains enough information
                            to let you inspect or modify the referred object. ---
                            New uses of this type are discouraged because of difficulty
-                            describing its usage when embedded in APIs.  1. Ignored
+                            describing its usage when embedded in APIs. 1. Ignored
                            fields.  It includes many fields which are not generally
                            honored.  For instance, ResourceVersion and FieldPath
-                            are both very rarely valid in actual usage.  2. Invalid
+                            are both very rarely valid in actual usage. 2. Invalid
                            usage help.  It is impossible to add specific help for
                            individual usage.  In most embedded usages, there are
-                            particular     restrictions like, \"must refer only to
-                            types A and B\" or \"UID not honored\" or \"name must
-                            be restricted\".     Those cannot be well described when
-                            embedded.  3. Inconsistent validation.  Because the usages
-                            are different, the validation rules are different by usage,
-                            which makes it hard for users to predict what will happen.
-                            \ 4. The fields are both imprecise and overly precise.
-                            \ Kind is not a precise mapping to a URL. This can produce
-                            ambiguity     during interpretation and require a REST
-                            mapping.  In most cases, the dependency is on the group,resource
-                            tuple     and the version of the actual struct is irrelevant.
-                            \ 5. We cannot easily change it.  Because this type is
-                            embedded in many locations, updates to this type     will
-                            affect numerous schemas.  Don't make new APIs embed an
-                            underspecified API type they do not control. \n Instead
-                            of using this type, create a locally provided and used
-                            type that is well-focused on your reference. For example,
-                            ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                            particular restrictions like, \"must refer only to types
+                            A and B\" or \"UID not honored\" or \"name must be restricted\".
+                            Those cannot be well described when embedded. 3. Inconsistent
+                            validation.  Because the usages are different, the validation
+                            rules are different by usage, which makes it hard for
+                            users to predict what will happen. 4. The fields are both
+                            imprecise and overly precise.  Kind is not a precise mapping
+                            to a URL. This can produce ambiguity during interpretation
+                            and require a REST mapping.  In most cases, the dependency
+                            is on the group,resource tuple and the version of the
+                            actual struct is irrelevant. 5. We cannot easily change
+                            it.  Because this type is embedded in many locations,
+                            updates to this type will affect numerous schemas.  Don't
+                            make new APIs embed an underspecified API type they do
+                            not control. \n Instead of using this type, create a locally
+                            provided and used type that is well-focused on your reference.
+                            For example, ServiceReferences for admission registration:
+                            https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                            ."
                          properties:
                            apiVersion:
@@ -563,6 +565,7 @@ spec:
                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                              type: string
                          type: object
+                          x-kubernetes-map-type: atomic
                        type: array
                      conditions:
                        description: Conditions of the resource.
@@ -663,32 +666,32 @@ spec:
                                  to let you inspect or modify the referred object.
                                  --- New uses of this type are discouraged because
                                  of difficulty describing its usage when embedded
-                                  in APIs.  1. Ignored fields.  It includes many fields
+                                  in APIs. 1. Ignored fields.  It includes many fields
                                  which are not generally honored.  For instance,
                                  ResourceVersion and FieldPath are both very rarely
-                                  valid in actual usage.  2. Invalid usage help.  It
+                                  valid in actual usage. 2. Invalid usage help.  It
                                  is impossible to add specific help for individual
                                  usage.  In most embedded usages, there are particular
-                                  \    restrictions like, \"must refer only to types
-                                  A and B\" or \"UID not honored\" or \"name must
-                                  be restricted\".     Those cannot be well described
-                                  when embedded.  3. Inconsistent validation.  Because
-                                  the usages are different, the validation rules are
-                                  different by usage, which makes it hard for users
-                                  to predict what will happen.  4. The fields are
-                                  both imprecise and overly precise.  Kind is not
-                                  a precise mapping to a URL. This can produce ambiguity
-                                  \    during interpretation and require a REST mapping.
-                                  \ In most cases, the dependency is on the group,resource
-                                  tuple     and the version of the actual struct is
-                                  irrelevant.  5. We cannot easily change it.  Because
-                                  this type is embedded in many locations, updates
-                                  to this type     will affect numerous schemas.  Don't
-                                  make new APIs embed an underspecified API type they
-                                  do not control. \n Instead of using this type, create
-                                  a locally provided and used type that is well-focused
-                                  on your reference. For example, ServiceReferences
-                                  for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                                  restrictions like, \"must refer only to types A
+                                  and B\" or \"UID not honored\" or \"name must be
+                                  restricted\". Those cannot be well described when
+                                  embedded. 3. Inconsistent validation.  Because the
+                                  usages are different, the validation rules are different
+                                  by usage, which makes it hard for users to predict
+                                  what will happen. 4. The fields are both imprecise
+                                  and overly precise.  Kind is not a precise mapping
+                                  to a URL. This can produce ambiguity during interpretation
+                                  and require a REST mapping.  In most cases, the
+                                  dependency is on the group,resource tuple and the
+                                  version of the actual struct is irrelevant. 5. We
+                                  cannot easily change it.  Because this type is embedded
+                                  in many locations, updates to this type will affect
+                                  numerous schemas.  Don't make new APIs embed an
+                                  underspecified API type they do not control. \n
+                                  Instead of using this type, create a locally provided
+                                  and used type that is well-focused on your reference.
+                                  For example, ServiceReferences for admission registration:
+                                  https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                                  ."
                                properties:
                                  apiVersion:
@@ -732,6 +735,7 @@ spec:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                    type: string
                                type: object
+                                x-kubernetes-map-type: atomic
                              type: array
                            traits:
                              items:
@@ -779,31 +783,30 @@ spec:
                            description: "ObjectReference contains enough information
                              to let you inspect or modify the referred object. ---
                              New uses of this type are discouraged because of difficulty
-                              describing its usage when embedded in APIs.  1. Ignored
+                              describing its usage when embedded in APIs. 1. Ignored
                              fields.  It includes many fields which are not generally
                              honored.  For instance, ResourceVersion and FieldPath
-                              are both very rarely valid in actual usage.  2. Invalid
+                              are both very rarely valid in actual usage. 2. Invalid
                              usage help.  It is impossible to add specific help for
                              individual usage.  In most embedded usages, there are
-                              particular     restrictions like, \"must refer only
-                              to types A and B\" or \"UID not honored\" or \"name
-                              must be restricted\".     Those cannot be well described
-                              when embedded.  3. Inconsistent validation.  Because
-                              the usages are different, the validation rules are different
-                              by usage, which makes it hard for users to predict what
-                              will happen.  4. The fields are both imprecise and overly
-                              precise.  Kind is not a precise mapping to a URL. This
-                              can produce ambiguity     during interpretation and
-                              require a REST mapping.  In most cases, the dependency
-                              is on the group,resource tuple     and the version of
-                              the actual struct is irrelevant.  5. We cannot easily
-                              change it.  Because this type is embedded in many locations,
-                              updates to this type     will affect numerous schemas.
-                              \ Don't make new APIs embed an underspecified API type
-                              they do not control. \n Instead of using this type,
-                              create a locally provided and used type that is well-focused
-                              on your reference. For example, ServiceReferences for
-                              admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                              particular restrictions like, \"must refer only to types
+                              A and B\" or \"UID not honored\" or \"name must be restricted\".
+                              Those cannot be well described when embedded. 3. Inconsistent
+                              validation.  Because the usages are different, the validation
+                              rules are different by usage, which makes it hard for
+                              users to predict what will happen. 4. The fields are
+                              both imprecise and overly precise.  Kind is not a precise
+                              mapping to a URL. This can produce ambiguity during
+                              interpretation and require a REST mapping.  In most
+                              cases, the dependency is on the group,resource tuple
+                              and the version of the actual struct is irrelevant.
+                              5. We cannot easily change it.  Because this type is
+                              embedded in many locations, updates to this type will
+                              affect numerous schemas.  Don't make new APIs embed
+                              an underspecified API type they do not control. \n Instead
+                              of using this type, create a locally provided and used
+                              type that is well-focused on your reference. For example,
+                              ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                              ."
                            properties:
                              apiVersion:
@@ -842,6 +845,7 @@ spec:
                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                type: string
                            type: object
+                            x-kubernetes-map-type: atomic
                          endTime:
                            format: date-time
                            nullable: true
@@ -1146,6 +1150,21 @@ spec:
                                    provisioned cloud resources will be deleted when
                                    CR is deleted
                                  type: boolean
+                                gitCredentialsSecretReference:
+                                  description: GitCredentialsSecretReference specifies
+                                    the reference to the secret containing the git
+                                    credentials
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace
+                                        to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within
+                                        which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
                                path:
                                  description: Path is the sub-directory of remote
                                    git repository. It's valid when remote is set
@@ -1581,6 +1600,21 @@ spec:
                                    provisioned cloud resources will be deleted when
                                    CR is deleted
                                  type: boolean
+                                gitCredentialsSecretReference:
+                                  description: GitCredentialsSecretReference specifies
+                                    the reference to the secret containing the git
+                                    credentials
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace
+                                        to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within
+                                        which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
                                path:
                                  description: Path is the sub-directory of remote
                                    git repository. It's valid when remote is set
@@ -1914,6 +1948,21 @@ spec:
                                    provisioned cloud resources will be deleted when
                                    CR is deleted
                                  type: boolean
+                                gitCredentialsSecretReference:
+                                  description: GitCredentialsSecretReference specifies
+                                    the reference to the secret containing the git
+                                    credentials
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace
+                                        to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within
+                                        which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
                                path:
                                  description: Path is the sub-directory of remote
                                    git repository. It's valid when remote is set
@@ -2114,6 +2163,8 @@ spec:
                            inputs:
                              description: StepInputs defines variable input of WorkflowStep
                              items:
+                                description: InputItem defines an input variable of
+                                  WorkflowStep
                                properties:
                                  from:
                                    type: string
@@ -2121,7 +2172,6 @@ spec:
                                    type: string
                                required:
                                - from
-                                - parameterKey
                                type: object
                              type: array
                            name:
@@ -2130,6 +2180,8 @@ spec:
                              description: StepOutputs defines output variable of
                                WorkflowStep
                              items:
+                                description: OutputItem defines an output variable
+                                  of WorkflowStep
                                properties:
                                  name:
                                    type: string
@@ -2236,6 +2288,8 @@ spec:
                                inputs:
                                  description: Inputs is the inputs of the step
                                  items:
+                                    description: InputItem defines an input variable
+                                      of WorkflowStep
                                    properties:
                                      from:
                                        type: string
@@ -2243,7 +2297,6 @@ spec:
                                        type: string
                                    required:
                                    - from
-                                    - parameterKey
                                    type: object
                                  type: array
                                meta:
@@ -2253,6 +2306,11 @@ spec:
                                    alias:
                                      type: string
                                  type: object
+                                mode:
+                                  description: Mode is only valid for sub steps, it
+                                    defines the mode of the sub steps
+                                  nullable: true
+                                  type: string
                                name:
                                  description: Name is the unique name of the workflow
                                    step.
@@ -2260,6 +2318,8 @@ spec:
                                outputs:
                                  description: Outputs is the outputs of the step
                                  items:
+                                    description: OutputItem defines an output variable
+                                      of WorkflowStep
                                    properties:
                                      name:
                                        type: string
@@ -2293,6 +2353,8 @@ spec:
                                      inputs:
                                        description: Inputs is the inputs of the step
                                        items:
+                                          description: InputItem defines an input
+                                            variable of WorkflowStep
                                          properties:
                                            from:
                                              type: string
@@ -2300,7 +2362,6 @@ spec:
                                              type: string
                                          required:
                                          - from
-                                          - parameterKey
                                          type: object
                                        type: array
                                      meta:
@@ -2318,6 +2379,8 @@ spec:
                                        description: Outputs is the outputs of the
                                          step
                                        items:
+                                          description: OutputItem defines an output
+                                            variable of WorkflowStep
                                          properties:
                                            name:
                                              type: string
@@ -2342,7 +2405,6 @@ spec:
                                          step.
                                        type: string
                                    required:
-                                    - name
                                    - type
                                    type: object
                                  type: array
@@ -2353,7 +2415,6 @@ spec:
                                  description: Type is the type of the workflow step.
                                  type: string
                              required:
-                              - name
                              - type
                              type: object
                            type: array
@@ -2410,6 +2471,7 @@ spec:
                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                              type: string
                          type: object
+                          x-kubernetes-map-type: atomic
                        type: array
                      components:
                        description: Components record the related Components created
@@ -2418,30 +2480,30 @@ spec:
                          description: "ObjectReference contains enough information
                            to let you inspect or modify the referred object. ---
                            New uses of this type are discouraged because of difficulty
-                            describing its usage when embedded in APIs.  1. Ignored
+                            describing its usage when embedded in APIs. 1. Ignored
                            fields.  It includes many fields which are not generally
                            honored.  For instance, ResourceVersion and FieldPath
-                            are both very rarely valid in actual usage.  2. Invalid
+                            are both very rarely valid in actual usage. 2. Invalid
                            usage help.  It is impossible to add specific help for
                            individual usage.  In most embedded usages, there are
-                            particular     restrictions like, \"must refer only to
-                            types A and B\" or \"UID not honored\" or \"name must
-                            be restricted\".     Those cannot be well described when
-                            embedded.  3. Inconsistent validation.  Because the usages
-                            are different, the validation rules are different by usage,
-                            which makes it hard for users to predict what will happen.
-                            \ 4. The fields are both imprecise and overly precise.
-                            \ Kind is not a precise mapping to a URL. This can produce
-                            ambiguity     during interpretation and require a REST
-                            mapping.  In most cases, the dependency is on the group,resource
-                            tuple     and the version of the actual struct is irrelevant.
-                            \ 5. We cannot easily change it.  Because this type is
-                            embedded in many locations, updates to this type     will
-                            affect numerous schemas.  Don't make new APIs embed an
-                            underspecified API type they do not control. \n Instead
-                            of using this type, create a locally provided and used
-                            type that is well-focused on your reference. For example,
-                            ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                            particular restrictions like, \"must refer only to types
+                            A and B\" or \"UID not honored\" or \"name must be restricted\".
+                            Those cannot be well described when embedded. 3. Inconsistent
+                            validation.  Because the usages are different, the validation
+                            rules are different by usage, which makes it hard for
+                            users to predict what will happen. 4. The fields are both
+                            imprecise and overly precise.  Kind is not a precise mapping
+                            to a URL. This can produce ambiguity during interpretation
+                            and require a REST mapping.  In most cases, the dependency
+                            is on the group,resource tuple and the version of the
+                            actual struct is irrelevant. 5. We cannot easily change
+                            it.  Because this type is embedded in many locations,
+                            updates to this type will affect numerous schemas.  Don't
+                            make new APIs embed an underspecified API type they do
+                            not control. \n Instead of using this type, create a locally
+                            provided and used type that is well-focused on your reference.
+                            For example, ServiceReferences for admission registration:
+                            https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                            ."
                          properties:
                            apiVersion:
@@ -2479,6 +2541,7 @@ spec:
                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                              type: string
                          type: object
+                          x-kubernetes-map-type: atomic
                        type: array
                      conditions:
                        description: Conditions of the resource.
@@ -2579,32 +2642,32 @@ spec:
                                  to let you inspect or modify the referred object.
                                  --- New uses of this type are discouraged because
                                  of difficulty describing its usage when embedded
-                                  in APIs.  1. Ignored fields.  It includes many fields
+                                  in APIs. 1. Ignored fields.  It includes many fields
                                  which are not generally honored.  For instance,
                                  ResourceVersion and FieldPath are both very rarely
-                                  valid in actual usage.  2. Invalid usage help.  It
+                                  valid in actual usage. 2. Invalid usage help.  It
                                  is impossible to add specific help for individual
                                  usage.  In most embedded usages, there are particular
-                                  \    restrictions like, \"must refer only to types
-                                  A and B\" or \"UID not honored\" or \"name must
-                                  be restricted\".     Those cannot be well described
-                                  when embedded.  3. Inconsistent validation.  Because
-                                  the usages are different, the validation rules are
-                                  different by usage, which makes it hard for users
-                                  to predict what will happen.  4. The fields are
-                                  both imprecise and overly precise.  Kind is not
-                                  a precise mapping to a URL. This can produce ambiguity
-                                  \    during interpretation and require a REST mapping.
-                                  \ In most cases, the dependency is on the group,resource
-                                  tuple     and the version of the actual struct is
-                                  irrelevant.  5. We cannot easily change it.  Because
-                                  this type is embedded in many locations, updates
-                                  to this type     will affect numerous schemas.  Don't
-                                  make new APIs embed an underspecified API type they
-                                  do not control. \n Instead of using this type, create
-                                  a locally provided and used type that is well-focused
-                                  on your reference. For example, ServiceReferences
-                                  for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                                  restrictions like, \"must refer only to types A
+                                  and B\" or \"UID not honored\" or \"name must be
+                                  restricted\". Those cannot be well described when
+                                  embedded. 3. Inconsistent validation.  Because the
+                                  usages are different, the validation rules are different
+                                  by usage, which makes it hard for users to predict
+                                  what will happen. 4. The fields are both imprecise
+                                  and overly precise.  Kind is not a precise mapping
+                                  to a URL. This can produce ambiguity during interpretation
+                                  and require a REST mapping.  In most cases, the
+                                  dependency is on the group,resource tuple and the
+                                  version of the actual struct is irrelevant. 5. We
+                                  cannot easily change it.  Because this type is embedded
+                                  in many locations, updates to this type will affect
+                                  numerous schemas.  Don't make new APIs embed an
+                                  underspecified API type they do not control. \n
+                                  Instead of using this type, create a locally provided
+                                  and used type that is well-focused on your reference.
+                                  For example, ServiceReferences for admission registration:
+                                  https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                                  ."
                                properties:
                                  apiVersion:
@@ -2648,6 +2711,7 @@ spec:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                    type: string
                                type: object
+                                x-kubernetes-map-type: atomic
                              type: array
                            traits:
                              items:
@@ -2695,31 +2759,30 @@ spec:
                            description: "ObjectReference contains enough information
                              to let you inspect or modify the referred object. ---
                              New uses of this type are discouraged because of difficulty
-                              describing its usage when embedded in APIs.  1. Ignored
+                              describing its usage when embedded in APIs. 1. Ignored
                              fields.  It includes many fields which are not generally
                              honored.  For instance, ResourceVersion and FieldPath
-                              are both very rarely valid in actual usage.  2. Invalid
+                              are both very rarely valid in actual usage. 2. Invalid
                              usage help.  It is impossible to add specific help for
                              individual usage.  In most embedded usages, there are
-                              particular     restrictions like, \"must refer only
-                              to types A and B\" or \"UID not honored\" or \"name
-                              must be restricted\".     Those cannot be well described
-                              when embedded.  3. Inconsistent validation.  Because
-                              the usages are different, the validation rules are different
-                              by usage, which makes it hard for users to predict what
-                              will happen.  4. The fields are both imprecise and overly
-                              precise.  Kind is not a precise mapping to a URL. This
-                              can produce ambiguity     during interpretation and
-                              require a REST mapping.  In most cases, the dependency
-                              is on the group,resource tuple     and the version of
-                              the actual struct is irrelevant.  5. We cannot easily
-                              change it.  Because this type is embedded in many locations,
-                              updates to this type     will affect numerous schemas.
-                              \ Don't make new APIs embed an underspecified API type
-                              they do not control. \n Instead of using this type,
-                              create a locally provided and used type that is well-focused
-                              on your reference. For example, ServiceReferences for
-                              admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                              particular restrictions like, \"must refer only to types
+                              A and B\" or \"UID not honored\" or \"name must be restricted\".
+                              Those cannot be well described when embedded. 3. Inconsistent
+                              validation.  Because the usages are different, the validation
+                              rules are different by usage, which makes it hard for
+                              users to predict what will happen. 4. The fields are
+                              both imprecise and overly precise.  Kind is not a precise
+                              mapping to a URL. This can produce ambiguity during
+                              interpretation and require a REST mapping.  In most
+                              cases, the dependency is on the group,resource tuple
+                              and the version of the actual struct is irrelevant.
+                              5. We cannot easily change it.  Because this type is
+                              embedded in many locations, updates to this type will
+                              affect numerous schemas.  Don't make new APIs embed
+                              an underspecified API type they do not control. \n Instead
+                              of using this type, create a locally provided and used
+                              type that is well-focused on your reference. For example,
+                              ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                              ."
                            properties:
                              apiVersion:
@@ -2758,6 +2821,7 @@ spec:
                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                type: string
                            type: object
+                            x-kubernetes-map-type: atomic
                          endTime:
                            format: date-time
                            nullable: true
@@ -3055,6 +3119,21 @@ spec:
                                    provisioned cloud resources will be deleted when
                                    CR is deleted
                                  type: boolean
+                                gitCredentialsSecretReference:
+                                  description: GitCredentialsSecretReference specifies
+                                    the reference to the secret containing the git
+                                    credentials
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace
+                                        to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within
+                                        which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
                                path:
                                  description: Path is the sub-directory of remote
                                    git repository. It's valid when remote is set
@@ -3201,6 +3280,16 @@ spec:
                description: ComponentDefinitions records the snapshot of the componentDefinitions
                  related with the created/modified Application
                type: object
+              compression:
+                description: Compression represents the compressed components in apprev
+                  in base64 (if compression is enabled).
+                properties:
+                  data:
+                    type: string
+                  type:
+                    description: Type the compression type
+                    type: string
+                type: object
              policies:
                additionalProperties:
                  description: Policy is the Schema for the policy API
@@ -3415,6 +3504,21 @@ spec:
                                    provisioned cloud resources will be deleted when
                                    CR is deleted
                                  type: boolean
+                                gitCredentialsSecretReference:
+                                  description: GitCredentialsSecretReference specifies
+                                    the reference to the secret containing the git
+                                    credentials
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace
+                                        to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within
+                                        which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
                                path:
                                  description: Path is the sub-directory of remote
                                    git repository. It's valid when remote is set
@@ -3842,6 +3946,21 @@ spec:
                                    provisioned cloud resources will be deleted when
                                    CR is deleted
                                  type: boolean
+                                gitCredentialsSecretReference:
+                                  description: GitCredentialsSecretReference specifies
+                                    the reference to the secret containing the git
+                                    credentials
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace
+                                        to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within
+                                        which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
                                path:
                                  description: Path is the sub-directory of remote
                                    git repository. It's valid when remote is set
@@ -4038,6 +4157,7 @@ spec:
                        inputs:
                          description: Inputs is the inputs of the step
                          items:
+                            description: InputItem defines an input variable of WorkflowStep
                            properties:
                              from:
                                type: string
@@ -4045,7 +4165,6 @@ spec:
                                type: string
                            required:
                            - from
-                            - parameterKey
                            type: object
                          type: array
                        meta:
@@ -4054,12 +4173,19 @@ spec:
                            alias:
                              type: string
                          type: object
+                        mode:
+                          description: Mode is only valid for sub steps, it defines
+                            the mode of the sub steps
+                          nullable: true
+                          type: string
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
                        outputs:
                          description: Outputs is the outputs of the step
                          items:
+                            description: OutputItem defines an output variable of
+                              WorkflowStep
                            properties:
                              name:
                                type: string
@@ -4090,6 +4216,8 @@ spec:
                              inputs:
                                description: Inputs is the inputs of the step
                                items:
+                                  description: InputItem defines an input variable
+                                    of WorkflowStep
                                  properties:
                                    from:
                                      type: string
@@ -4097,7 +4225,6 @@ spec:
                                      type: string
                                  required:
                                  - from
-                                  - parameterKey
                                  type: object
                                type: array
                              meta:
@@ -4114,6 +4241,8 @@ spec:
                              outputs:
                                description: Outputs is the outputs of the step
                                items:
+                                  description: OutputItem defines an output variable
+                                    of WorkflowStep
                                  properties:
                                    name:
                                      type: string
@@ -4135,7 +4264,6 @@ spec:
                                description: Type is the type of the workflow step.
                                type: string
                            required:
-                            - name
                            - type
                            type: object
                          type: array
@@ -4146,7 +4274,6 @@ spec:
                          description: Type is the type of the workflow step.
                          type: string
                      required:
-                      - name
                      - type
                      type: object
                    type: array
@@ -4315,6 +4442,21 @@ spec:
                                    provisioned cloud resources will be deleted when
                                    CR is deleted
                                  type: boolean
+                                gitCredentialsSecretReference:
+                                  description: GitCredentialsSecretReference specifies
+                                    the reference to the secret containing the git
+                                    credentials
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace
+                                        to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within
+                                        which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
                                path:
                                  description: Path is the sub-directory of remote
                                    git repository. It's valid when remote is set
@@ -4631,6 +4773,21 @@ spec:
                                    provisioned cloud resources will be deleted when
                                    CR is deleted
                                  type: boolean
+                                gitCredentialsSecretReference:
+                                  description: GitCredentialsSecretReference specifies
+                                    the reference to the secret containing the git
+                                    credentials
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace
+                                        to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within
+                                        which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
                                path:
                                  description: Path is the sub-directory of remote
                                    git repository. It's valid when remote is set
@@ -4757,28 +4914,27 @@ spec:
                    description: "ObjectReference contains enough information to let
                      you inspect or modify the referred object. --- New uses of this
                      type are discouraged because of difficulty describing its usage
-                      when embedded in APIs.  1. Ignored fields.  It includes many
+                      when embedded in APIs. 1. Ignored fields.  It includes many
                      fields which are not generally honored.  For instance, ResourceVersion
-                      and FieldPath are both very rarely valid in actual usage.  2.
+                      and FieldPath are both very rarely valid in actual usage. 2.
                      Invalid usage help.  It is impossible to add specific help for
                      individual usage.  In most embedded usages, there are particular
-                      \    restrictions like, \"must refer only to types A and B\"
-                      or \"UID not honored\" or \"name must be restricted\".     Those
-                      cannot be well described when embedded.  3. Inconsistent validation.
-                      \ Because the usages are different, the validation rules are
-                      different by usage, which makes it hard for users to predict
-                      what will happen.  4. The fields are both imprecise and overly
-                      precise.  Kind is not a precise mapping to a URL. This can produce
-                      ambiguity     during interpretation and require a REST mapping.
-                      \ In most cases, the dependency is on the group,resource tuple
-                      \    and the version of the actual struct is irrelevant.  5.
-                      We cannot easily change it.  Because this type is embedded in
-                      many locations, updates to this type     will affect numerous
-                      schemas.  Don't make new APIs embed an underspecified API type
-                      they do not control. \n Instead of using this type, create a
-                      locally provided and used type that is well-focused on your
-                      reference. For example, ServiceReferences for admission registration:
-                      https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                      restrictions like, \"must refer only to types A and B\" or \"UID
+                      not honored\" or \"name must be restricted\". Those cannot be
+                      well described when embedded. 3. Inconsistent validation.  Because
+                      the usages are different, the validation rules are different
+                      by usage, which makes it hard for users to predict what will
+                      happen. 4. The fields are both imprecise and overly precise.
+                      \ Kind is not a precise mapping to a URL. This can produce ambiguity
+                      during interpretation and require a REST mapping.  In most cases,
+                      the dependency is on the group,resource tuple and the version
+                      of the actual struct is irrelevant. 5. We cannot easily change
+                      it.  Because this type is embedded in many locations, updates
+                      to this type will affect numerous schemas.  Don't make new APIs
+                      embed an underspecified API type they do not control. \n Instead
+                      of using this type, create a locally provided and used type
+                      that is well-focused on your reference. For example, ServiceReferences
+                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                      ."
                    properties:
                      apiVersion:
@@ -4814,6 +4970,7 @@ spec:
                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                        type: string
                    type: object
+                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
                    nullable: true
@@ -4917,6 +5074,11 @@ spec:
                - suspend
                - terminated
                type: object
+              workflowContext:
+                additionalProperties:
+                  type: string
+                description: Record the context values to the revision.
+                type: object
            required:
            - succeeded
            type: object
@@ -4925,9 +5087,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applications.yaml
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  annotations:
    cert-manager.io/inject-ca-from: vela-system/kubevela-vela-core-root-cert
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: applications.core.oam.dev
 spec:
  group: core.oam.dev
@@ -178,6 +178,7 @@ spec:
                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                              type: string
                          type: object
+                          x-kubernetes-map-type: atomic
                      required:
                      - name
                      type: object
@@ -312,6 +313,7 @@ spec:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                    type: string
                                type: object
+                                x-kubernetes-map-type: atomic
                            required:
                            - name
                            type: object
@@ -445,6 +447,7 @@ spec:
                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                      type: string
                  type: object
+                  x-kubernetes-map-type: atomic
                type: array
              components:
                description: Components record the related Components created by Application
@@ -453,27 +456,27 @@ spec:
                  description: "ObjectReference contains enough information to let
                    you inspect or modify the referred object. --- New uses of this
                    type are discouraged because of difficulty describing its usage
-                    when embedded in APIs.  1. Ignored fields.  It includes many fields
+                    when embedded in APIs. 1. Ignored fields.  It includes many fields
                    which are not generally honored.  For instance, ResourceVersion
-                    and FieldPath are both very rarely valid in actual usage.  2.
-                    Invalid usage help.  It is impossible to add specific help for
-                    individual usage.  In most embedded usages, there are particular
-                    \    restrictions like, \"must refer only to types A and B\" or
-                    \"UID not honored\" or \"name must be restricted\".     Those
-                    cannot be well described when embedded.  3. Inconsistent validation.
-                    \ Because the usages are different, the validation rules are different
-                    by usage, which makes it hard for users to predict what will happen.
-                    \ 4. The fields are both imprecise and overly precise.  Kind is
-                    not a precise mapping to a URL. This can produce ambiguity     during
-                    interpretation and require a REST mapping.  In most cases, the
-                    dependency is on the group,resource tuple     and the version
-                    of the actual struct is irrelevant.  5. We cannot easily change
-                    it.  Because this type is embedded in many locations, updates
-                    to this type     will affect numerous schemas.  Don't make new
-                    APIs embed an underspecified API type they do not control. \n
-                    Instead of using this type, create a locally provided and used
-                    type that is well-focused on your reference. For example, ServiceReferences
-                    for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
+                    usage help.  It is impossible to add specific help for individual
+                    usage.  In most embedded usages, there are particular restrictions
+                    like, \"must refer only to types A and B\" or \"UID not honored\"
+                    or \"name must be restricted\". Those cannot be well described
+                    when embedded. 3. Inconsistent validation.  Because the usages
+                    are different, the validation rules are different by usage, which
+                    makes it hard for users to predict what will happen. 4. The fields
+                    are both imprecise and overly precise.  Kind is not a precise
+                    mapping to a URL. This can produce ambiguity during interpretation
+                    and require a REST mapping.  In most cases, the dependency is
+                    on the group,resource tuple and the version of the actual struct
+                    is irrelevant. 5. We cannot easily change it.  Because this type
+                    is embedded in many locations, updates to this type will affect
+                    numerous schemas.  Don't make new APIs embed an underspecified
+                    API type they do not control. \n Instead of using this type, create
+                    a locally provided and used type that is well-focused on your
+                    reference. For example, ServiceReferences for admission registration:
+                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                    ."
                  properties:
                    apiVersion:
@@ -509,6 +512,7 @@ spec:
                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                      type: string
                  type: object
+                  x-kubernetes-map-type: atomic
                type: array
              conditions:
                description: Conditions of the resource.
@@ -604,29 +608,29 @@ spec:
                        description: "ObjectReference contains enough information
                          to let you inspect or modify the referred object. --- New
                          uses of this type are discouraged because of difficulty
-                          describing its usage when embedded in APIs.  1. Ignored
-                          fields.  It includes many fields which are not generally
-                          honored.  For instance, ResourceVersion and FieldPath are
-                          both very rarely valid in actual usage.  2. Invalid usage
-                          help.  It is impossible to add specific help for individual
-                          usage.  In most embedded usages, there are particular     restrictions
+                          describing its usage when embedded in APIs. 1. Ignored fields.
+                          \ It includes many fields which are not generally honored.
+                          \ For instance, ResourceVersion and FieldPath are both very
+                          rarely valid in actual usage. 2. Invalid usage help.  It
+                          is impossible to add specific help for individual usage.
+                          \ In most embedded usages, there are particular restrictions
                          like, \"must refer only to types A and B\" or \"UID not
-                          honored\" or \"name must be restricted\".     Those cannot
-                          be well described when embedded.  3. Inconsistent validation.
+                          honored\" or \"name must be restricted\". Those cannot be
+                          well described when embedded. 3. Inconsistent validation.
                          \ Because the usages are different, the validation rules
                          are different by usage, which makes it hard for users to
-                          predict what will happen.  4. The fields are both imprecise
+                          predict what will happen. 4. The fields are both imprecise
                          and overly precise.  Kind is not a precise mapping to a
-                          URL. This can produce ambiguity     during interpretation
-                          and require a REST mapping.  In most cases, the dependency
-                          is on the group,resource tuple     and the version of the
-                          actual struct is irrelevant.  5. We cannot easily change
-                          it.  Because this type is embedded in many locations, updates
-                          to this type     will affect numerous schemas.  Don't make
-                          new APIs embed an underspecified API type they do not control.
-                          \n Instead of using this type, create a locally provided
-                          and used type that is well-focused on your reference. For
-                          example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                          URL. This can produce ambiguity during interpretation and
+                          require a REST mapping.  In most cases, the dependency is
+                          on the group,resource tuple and the version of the actual
+                          struct is irrelevant. 5. We cannot easily change it.  Because
+                          this type is embedded in many locations, updates to this
+                          type will affect numerous schemas.  Don't make new APIs
+                          embed an underspecified API type they do not control. \n
+                          Instead of using this type, create a locally provided and
+                          used type that is well-focused on your reference. For example,
+                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                          ."
                        properties:
                          apiVersion:
@@ -663,6 +667,7 @@ spec:
                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                            type: string
                        type: object
+                        x-kubernetes-map-type: atomic
                      type: array
                    traits:
                      items:
@@ -710,28 +715,27 @@ spec:
                    description: "ObjectReference contains enough information to let
                      you inspect or modify the referred object. --- New uses of this
                      type are discouraged because of difficulty describing its usage
-                      when embedded in APIs.  1. Ignored fields.  It includes many
+                      when embedded in APIs. 1. Ignored fields.  It includes many
                      fields which are not generally honored.  For instance, ResourceVersion
-                      and FieldPath are both very rarely valid in actual usage.  2.
+                      and FieldPath are both very rarely valid in actual usage. 2.
                      Invalid usage help.  It is impossible to add specific help for
                      individual usage.  In most embedded usages, there are particular
-                      \    restrictions like, \"must refer only to types A and B\"
-                      or \"UID not honored\" or \"name must be restricted\".     Those
-                      cannot be well described when embedded.  3. Inconsistent validation.
-                      \ Because the usages are different, the validation rules are
-                      different by usage, which makes it hard for users to predict
-                      what will happen.  4. The fields are both imprecise and overly
-                      precise.  Kind is not a precise mapping to a URL. This can produce
-                      ambiguity     during interpretation and require a REST mapping.
-                      \ In most cases, the dependency is on the group,resource tuple
-                      \    and the version of the actual struct is irrelevant.  5.
-                      We cannot easily change it.  Because this type is embedded in
-                      many locations, updates to this type     will affect numerous
-                      schemas.  Don't make new APIs embed an underspecified API type
-                      they do not control. \n Instead of using this type, create a
-                      locally provided and used type that is well-focused on your
-                      reference. For example, ServiceReferences for admission registration:
-                      https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                      restrictions like, \"must refer only to types A and B\" or \"UID
+                      not honored\" or \"name must be restricted\". Those cannot be
+                      well described when embedded. 3. Inconsistent validation.  Because
+                      the usages are different, the validation rules are different
+                      by usage, which makes it hard for users to predict what will
+                      happen. 4. The fields are both imprecise and overly precise.
+                      \ Kind is not a precise mapping to a URL. This can produce ambiguity
+                      during interpretation and require a REST mapping.  In most cases,
+                      the dependency is on the group,resource tuple and the version
+                      of the actual struct is irrelevant. 5. We cannot easily change
+                      it.  Because this type is embedded in many locations, updates
+                      to this type will affect numerous schemas.  Don't make new APIs
+                      embed an underspecified API type they do not control. \n Instead
+                      of using this type, create a locally provided and used type
+                      that is well-focused on your reference. For example, ServiceReferences
+                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                      ."
                    properties:
                      apiVersion:
@@ -767,6 +771,7 @@ spec:
                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                        type: string
                    type: object
+                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
                    nullable: true
@@ -929,6 +934,7 @@ spec:
                    inputs:
                      description: StepInputs defines variable input of WorkflowStep
                      items:
+                        description: InputItem defines an input variable of WorkflowStep
                        properties:
                          from:
                            type: string
@@ -936,7 +942,6 @@ spec:
                            type: string
                        required:
                        - from
-                        - parameterKey
                        type: object
                      type: array
                    name:
@@ -944,6 +949,7 @@ spec:
                    outputs:
                      description: StepOutputs defines output variable of WorkflowStep
                      items:
+                        description: OutputItem defines an output variable of WorkflowStep
                        properties:
                          name:
                            type: string
@@ -1046,6 +1052,7 @@ spec:
                        inputs:
                          description: Inputs is the inputs of the step
                          items:
+                            description: InputItem defines an input variable of WorkflowStep
                            properties:
                              from:
                                type: string
@@ -1053,7 +1060,6 @@ spec:
                                type: string
                            required:
                            - from
-                            - parameterKey
                            type: object
                          type: array
                        meta:
@@ -1062,12 +1068,19 @@ spec:
                            alias:
                              type: string
                          type: object
+                        mode:
+                          description: Mode is only valid for sub steps, it defines
+                            the mode of the sub steps
+                          nullable: true
+                          type: string
                        name:
                          description: Name is the unique name of the workflow step.
                          type: string
                        outputs:
                          description: Outputs is the outputs of the step
                          items:
+                            description: OutputItem defines an output variable of
+                              WorkflowStep
                            properties:
                              name:
                                type: string
@@ -1098,6 +1111,8 @@ spec:
                              inputs:
                                description: Inputs is the inputs of the step
                                items:
+                                  description: InputItem defines an input variable
+                                    of WorkflowStep
                                  properties:
                                    from:
                                      type: string
@@ -1105,7 +1120,6 @@ spec:
                                      type: string
                                  required:
                                  - from
-                                  - parameterKey
                                  type: object
                                type: array
                              meta:
@@ -1122,6 +1136,8 @@ spec:
                              outputs:
                                description: Outputs is the outputs of the step
                                items:
+                                  description: OutputItem defines an output variable
+                                    of WorkflowStep
                                  properties:
                                    name:
                                      type: string
@@ -1143,7 +1159,6 @@ spec:
                                description: Type is the type of the workflow step.
                                type: string
                            required:
-                            - name
                            - type
                            type: object
                          type: array
@@ -1154,7 +1169,6 @@ spec:
                          description: Type is the type of the workflow step.
                          type: string
                      required:
-                      - name
                      - type
                      type: object
                    type: array
@@ -1209,6 +1223,7 @@ spec:
                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                      type: string
                  type: object
+                  x-kubernetes-map-type: atomic
                type: array
              components:
                description: Components record the related Components created by Application
@@ -1217,27 +1232,27 @@ spec:
                  description: "ObjectReference contains enough information to let
                    you inspect or modify the referred object. --- New uses of this
                    type are discouraged because of difficulty describing its usage
-                    when embedded in APIs.  1. Ignored fields.  It includes many fields
+                    when embedded in APIs. 1. Ignored fields.  It includes many fields
                    which are not generally honored.  For instance, ResourceVersion
-                    and FieldPath are both very rarely valid in actual usage.  2.
-                    Invalid usage help.  It is impossible to add specific help for
-                    individual usage.  In most embedded usages, there are particular
-                    \    restrictions like, \"must refer only to types A and B\" or
-                    \"UID not honored\" or \"name must be restricted\".     Those
-                    cannot be well described when embedded.  3. Inconsistent validation.
-                    \ Because the usages are different, the validation rules are different
-                    by usage, which makes it hard for users to predict what will happen.
-                    \ 4. The fields are both imprecise and overly precise.  Kind is
-                    not a precise mapping to a URL. This can produce ambiguity     during
-                    interpretation and require a REST mapping.  In most cases, the
-                    dependency is on the group,resource tuple     and the version
-                    of the actual struct is irrelevant.  5. We cannot easily change
-                    it.  Because this type is embedded in many locations, updates
-                    to this type     will affect numerous schemas.  Don't make new
-                    APIs embed an underspecified API type they do not control. \n
-                    Instead of using this type, create a locally provided and used
-                    type that is well-focused on your reference. For example, ServiceReferences
-                    for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
+                    usage help.  It is impossible to add specific help for individual
+                    usage.  In most embedded usages, there are particular restrictions
+                    like, \"must refer only to types A and B\" or \"UID not honored\"
+                    or \"name must be restricted\". Those cannot be well described
+                    when embedded. 3. Inconsistent validation.  Because the usages
+                    are different, the validation rules are different by usage, which
+                    makes it hard for users to predict what will happen. 4. The fields
+                    are both imprecise and overly precise.  Kind is not a precise
+                    mapping to a URL. This can produce ambiguity during interpretation
+                    and require a REST mapping.  In most cases, the dependency is
+                    on the group,resource tuple and the version of the actual struct
+                    is irrelevant. 5. We cannot easily change it.  Because this type
+                    is embedded in many locations, updates to this type will affect
+                    numerous schemas.  Don't make new APIs embed an underspecified
+                    API type they do not control. \n Instead of using this type, create
+                    a locally provided and used type that is well-focused on your
+                    reference. For example, ServiceReferences for admission registration:
+                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                    ."
                  properties:
                    apiVersion:
@@ -1273,6 +1288,7 @@ spec:
                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                      type: string
                  type: object
+                  x-kubernetes-map-type: atomic
                type: array
              conditions:
                description: Conditions of the resource.
@@ -1368,29 +1384,29 @@ spec:
                        description: "ObjectReference contains enough information
                          to let you inspect or modify the referred object. --- New
                          uses of this type are discouraged because of difficulty
-                          describing its usage when embedded in APIs.  1. Ignored
-                          fields.  It includes many fields which are not generally
-                          honored.  For instance, ResourceVersion and FieldPath are
-                          both very rarely valid in actual usage.  2. Invalid usage
-                          help.  It is impossible to add specific help for individual
-                          usage.  In most embedded usages, there are particular     restrictions
+                          describing its usage when embedded in APIs. 1. Ignored fields.
+                          \ It includes many fields which are not generally honored.
+                          \ For instance, ResourceVersion and FieldPath are both very
+                          rarely valid in actual usage. 2. Invalid usage help.  It
+                          is impossible to add specific help for individual usage.
+                          \ In most embedded usages, there are particular restrictions
                          like, \"must refer only to types A and B\" or \"UID not
-                          honored\" or \"name must be restricted\".     Those cannot
-                          be well described when embedded.  3. Inconsistent validation.
+                          honored\" or \"name must be restricted\". Those cannot be
+                          well described when embedded. 3. Inconsistent validation.
                          \ Because the usages are different, the validation rules
                          are different by usage, which makes it hard for users to
-                          predict what will happen.  4. The fields are both imprecise
+                          predict what will happen. 4. The fields are both imprecise
                          and overly precise.  Kind is not a precise mapping to a
-                          URL. This can produce ambiguity     during interpretation
-                          and require a REST mapping.  In most cases, the dependency
-                          is on the group,resource tuple     and the version of the
-                          actual struct is irrelevant.  5. We cannot easily change
-                          it.  Because this type is embedded in many locations, updates
-                          to this type     will affect numerous schemas.  Don't make
-                          new APIs embed an underspecified API type they do not control.
-                          \n Instead of using this type, create a locally provided
-                          and used type that is well-focused on your reference. For
-                          example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                          URL. This can produce ambiguity during interpretation and
+                          require a REST mapping.  In most cases, the dependency is
+                          on the group,resource tuple and the version of the actual
+                          struct is irrelevant. 5. We cannot easily change it.  Because
+                          this type is embedded in many locations, updates to this
+                          type will affect numerous schemas.  Don't make new APIs
+                          embed an underspecified API type they do not control. \n
+                          Instead of using this type, create a locally provided and
+                          used type that is well-focused on your reference. For example,
+                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                          ."
                        properties:
                          apiVersion:
@@ -1427,6 +1443,7 @@ spec:
                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                            type: string
                        type: object
+                        x-kubernetes-map-type: atomic
                      type: array
                    traits:
                      items:
@@ -1474,28 +1491,27 @@ spec:
                    description: "ObjectReference contains enough information to let
                      you inspect or modify the referred object. --- New uses of this
                      type are discouraged because of difficulty describing its usage
-                      when embedded in APIs.  1. Ignored fields.  It includes many
+                      when embedded in APIs. 1. Ignored fields.  It includes many
                      fields which are not generally honored.  For instance, ResourceVersion
-                      and FieldPath are both very rarely valid in actual usage.  2.
+                      and FieldPath are both very rarely valid in actual usage. 2.
                      Invalid usage help.  It is impossible to add specific help for
                      individual usage.  In most embedded usages, there are particular
-                      \    restrictions like, \"must refer only to types A and B\"
-                      or \"UID not honored\" or \"name must be restricted\".     Those
-                      cannot be well described when embedded.  3. Inconsistent validation.
-                      \ Because the usages are different, the validation rules are
-                      different by usage, which makes it hard for users to predict
-                      what will happen.  4. The fields are both imprecise and overly
-                      precise.  Kind is not a precise mapping to a URL. This can produce
-                      ambiguity     during interpretation and require a REST mapping.
-                      \ In most cases, the dependency is on the group,resource tuple
-                      \    and the version of the actual struct is irrelevant.  5.
-                      We cannot easily change it.  Because this type is embedded in
-                      many locations, updates to this type     will affect numerous
-                      schemas.  Don't make new APIs embed an underspecified API type
-                      they do not control. \n Instead of using this type, create a
-                      locally provided and used type that is well-focused on your
-                      reference. For example, ServiceReferences for admission registration:
-                      https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                      restrictions like, \"must refer only to types A and B\" or \"UID
+                      not honored\" or \"name must be restricted\". Those cannot be
+                      well described when embedded. 3. Inconsistent validation.  Because
+                      the usages are different, the validation rules are different
+                      by usage, which makes it hard for users to predict what will
+                      happen. 4. The fields are both imprecise and overly precise.
+                      \ Kind is not a precise mapping to a URL. This can produce ambiguity
+                      during interpretation and require a REST mapping.  In most cases,
+                      the dependency is on the group,resource tuple and the version
+                      of the actual struct is irrelevant. 5. We cannot easily change
+                      it.  Because this type is embedded in many locations, updates
+                      to this type will affect numerous schemas.  Don't make new APIs
+                      embed an underspecified API type they do not control. \n Instead
+                      of using this type, create a locally provided and used type
+                      that is well-focused on your reference. For example, ServiceReferences
+                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                      ."
                    properties:
                      apiVersion:
@@ -1531,6 +1547,7 @@ spec:
                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                        type: string
                    type: object
+                    x-kubernetes-map-type: atomic
                  endTime:
                    format: date-time
                    nullable: true
@@ -1640,9 +1657,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: componentdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -188,6 +187,20 @@ spec:
                        description: DeleteResource will determine whether provisioned
                          cloud resources will be deleted when CR is deleted
                        type: boolean
+                      gitCredentialsSecretReference:
+                        description: GitCredentialsSecretReference specifies the reference
+                          to the secret containing the git credentials
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                      path:
                        description: Path is the sub-directory of remote git repository.
                          It's valid when remote is set
@@ -501,6 +514,20 @@ spec:
                        description: DeleteResource will determine whether provisioned
                          cloud resources will be deleted when CR is deleted
                        type: boolean
+                      gitCredentialsSecretReference:
+                        description: GitCredentialsSecretReference specifies the reference
+                          to the secret containing the git credentials
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                      path:
                        description: Path is the sub-directory of remote git repository.
                          It's valid when remote is set
@@ -645,9 +672,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: definitionrevisions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -233,6 +232,20 @@ spec:
                                  provisioned cloud resources will be deleted when
                                  CR is deleted
                                type: boolean
+                              gitCredentialsSecretReference:
+                                description: GitCredentialsSecretReference specifies
+                                  the reference to the secret containing the git credentials
+                                properties:
+                                  name:
+                                    description: name is unique within a namespace
+                                      to reference a secret resource.
+                                    type: string
+                                  namespace:
+                                    description: namespace defines the space within
+                                      which the secret name must be unique.
+                                    type: string
+                                type: object
+                                x-kubernetes-map-type: atomic
                              path:
                                description: Path is the sub-directory of remote git
                                  repository. It's valid when remote is set
@@ -550,6 +563,20 @@ spec:
                                  provisioned cloud resources will be deleted when
                                  CR is deleted
                                type: boolean
+                              gitCredentialsSecretReference:
+                                description: GitCredentialsSecretReference specifies
+                                  the reference to the secret containing the git credentials
+                                properties:
+                                  name:
+                                    description: name is unique within a namespace
+                                      to reference a secret resource.
+                                    type: string
+                                  namespace:
+                                    description: namespace defines the space within
+                                      which the secret name must be unique.
+                                    type: string
+                                type: object
+                                x-kubernetes-map-type: atomic
                              path:
                                description: Path is the sub-directory of remote git
                                  repository. It's valid when remote is set
@@ -868,6 +895,20 @@ spec:
                                  provisioned cloud resources will be deleted when
                                  CR is deleted
                                type: boolean
+                              gitCredentialsSecretReference:
+                                description: GitCredentialsSecretReference specifies
+                                  the reference to the secret containing the git credentials
+                                properties:
+                                  name:
+                                    description: name is unique within a namespace
+                                      to reference a secret resource.
+                                    type: string
+                                  namespace:
+                                    description: namespace defines the space within
+                                      which the secret name must be unique.
+                                    type: string
+                                type: object
+                                x-kubernetes-map-type: atomic
                              path:
                                description: Path is the sub-directory of remote git
                                  repository. It's valid when remote is set
@@ -1161,6 +1202,20 @@ spec:
                                  provisioned cloud resources will be deleted when
                                  CR is deleted
                                type: boolean
+                              gitCredentialsSecretReference:
+                                description: GitCredentialsSecretReference specifies
+                                  the reference to the secret containing the git credentials
+                                properties:
+                                  name:
+                                    description: name is unique within a namespace
+                                      to reference a secret resource.
+                                    type: string
+                                  namespace:
+                                    description: namespace defines the space within
+                                      which the secret name must be unique.
+                                    type: string
+                                type: object
+                                x-kubernetes-map-type: atomic
                              path:
                                description: Path is the sub-directory of remote git
                                  repository. It's valid when remote is set
@@ -1279,9 +1334,3 @@ spec:
    served: true
    storage: true
    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_envbindings.yaml
+++ b/charts/vela-core/crds/core.oam.dev_envbindings.yaml
@@ -1,319 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  name: envbindings.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: EnvBinding
-    listKind: EnvBindingList
-    plural: envbindings
-    shortNames:
-    - envbind
-    singular: envbinding
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.engine
-      name: ENGINE
-      type: string
-    - jsonPath: .status.phase
-      name: PHASE
-      type: string
-    - jsonPath: .metadata.creationTimestamp
-      name: AGE
-      type: date
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: EnvBinding is the Schema for the EnvBinding API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A EnvBindingSpec defines the desired state of a EnvBinding.
-            properties:
-              appTemplate:
-                description: AppTemplate indicates the application template.
-                type: object
-                x-kubernetes-embedded-resource: true
-                x-kubernetes-preserve-unknown-fields: true
-              engine:
-                description: ClusterManagementEngine represents a multi-cluster management
-                  solution
-                type: string
-              envs:
-                items:
-                  description: EnvConfig is the configuration for different environments.
-                  properties:
-                    name:
-                      type: string
-                    patch:
-                      description: EnvPatch specify the parameter configuration for
-                        different environments
-                      properties:
-                        components:
-                          items:
-                            description: ApplicationComponent describe the component
-                              of application
-                            properties:
-                              dependsOn:
-                                items:
-                                  type: string
-                                type: array
-                              externalRevision:
-                                description: ExternalRevision specified the component
-                                  revisionName
-                                type: string
-                              inputs:
-                                description: StepInputs defines variable input of
-                                  WorkflowStep
-                                items:
-                                  properties:
-                                    from:
-                                      type: string
-                                    parameterKey:
-                                      type: string
-                                  required:
-                                  - from
-                                  - parameterKey
-                                  type: object
-                                type: array
-                              name:
-                                type: string
-                              outputs:
-                                description: StepOutputs defines output variable of
-                                  WorkflowStep
-                                items:
-                                  properties:
-                                    name:
-                                      type: string
-                                    valueFrom:
-                                      type: string
-                                  required:
-                                  - name
-                                  - valueFrom
-                                  type: object
-                                type: array
-                              properties:
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                              scopes:
-                                additionalProperties:
-                                  type: string
-                                description: scopes in ApplicationComponent defines
-                                  the component-level scopes the format is <scope-type:scope-instance-name>
-                                  pairs, the key represents type of `ScopeDefinition`
-                                  while the value represent the name of scope instance.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                              traits:
-                                description: Traits define the trait of one component,
-                                  the type must be array to keep the order.
-                                items:
-                                  description: ApplicationTrait defines the trait
-                                    of application
-                                  properties:
-                                    properties:
-                                      type: object
-                                      x-kubernetes-preserve-unknown-fields: true
-                                    type:
-                                      type: string
-                                  required:
-                                  - type
-                                  type: object
-                                type: array
-                              type:
-                                type: string
-                            required:
-                            - name
-                            - type
-                            type: object
-                          type: array
-                      required:
-                      - components
-                      type: object
-                    placement:
-                      description: EnvPlacement defines the placement rules for an
-                        app.
-                      properties:
-                        clusterSelector:
-                          description: ClusterSelector defines the rules to select
-                            a Cluster resource. Either name or labels is needed.
-                          properties:
-                            labels:
-                              additionalProperties:
-                                type: string
-                              description: Labels defines the label selector to select
-                                the cluster.
-                              type: object
-                            name:
-                              description: Name is the name of the cluster.
-                              type: string
-                          type: object
-                        namespaceSelector:
-                          description: NamespaceSelector defines the rules to select
-                            a Namespace resource. Either name or labels is needed.
-                          properties:
-                            labels:
-                              additionalProperties:
-                                type: string
-                              description: Labels defines the label selector to select
-                                the namespace.
-                              type: object
-                            name:
-                              description: Name is the name of the namespace.
-                              type: string
-                          type: object
-                      type: object
-                    selector:
-                      description: EnvSelector defines which components should this
-                        env contains
-                      properties:
-                        components:
-                          items:
-                            type: string
-                          type: array
-                      type: object
-                  required:
-                  - name
-                  - patch
-                  type: object
-                type: array
-              outputResourcesTo:
-                description: OutputResourcesTo specifies the namespace and name of
-                  a ConfigMap which store the resources rendered after differentiated
-                  configuration
-                properties:
-                  name:
-                    description: Name of the secret.
-                    type: string
-                  namespace:
-                    description: Namespace of the secret.
-                    type: string
-                required:
-                - name
-                type: object
-            required:
-            - appTemplate
-            - envs
-            type: object
-          status:
-            description: A EnvBindingStatus is the status of EnvBinding
-            properties:
-              clusterDecisions:
-                items:
-                  description: ClusterDecision recorded the mapping of environment
-                    and cluster
-                  properties:
-                    cluster:
-                      type: string
-                    env:
-                      type: string
-                    namespace:
-                      type: string
-                  required:
-                  - env
-                  type: object
-                type: array
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              phase:
-                description: EnvBindingPhase is a label for the condition of a EnvBinding
-                  at the current time
-                type: string
-              resourceTracker:
-                description: ResourceTracker record the status of the ResourceTracker
-                properties:
-                  apiVersion:
-                    description: API version of the referent.
-                    type: string
-                  fieldPath:
-                    description: 'If referring to a piece of an object instead of
-                      an entire object, this string should contain a valid JSON/Go
-                      field access statement, such as desiredState.manifest.containers[2].
-                      For example, if the object reference is to a container within
-                      a pod, this would take on a value like: "spec.containers{name}"
-                      (where "name" refers to the name of the container that triggered
-                      the event) or if no container name is specified "spec.containers[2]"
-                      (container with index 2 in this pod). This syntax is chosen
-                      only to have some well-defined way of referencing a part of
-                      an object. TODO: this design is not final and this field is
-                      subject to change in the future.'
-                    type: string
-                  kind:
-                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                    type: string
-                  name:
-                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                    type: string
-                  namespace:
-                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                    type: string
-                  resourceVersion:
-                    description: 'Specific resourceVersion to which this reference
-                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                    type: string
-                  uid:
-                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                    type: string
-                type: object
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_healthscopes.yaml
+++ b/charts/vela-core/crds/core.oam.dev_healthscopes.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: healthscopes.core.oam.dev
 spec:
  group: core.oam.dev
@@ -63,31 +62,31 @@ spec:
                                to let you inspect or modify the referred object.
                                --- New uses of this type are discouraged because
                                of difficulty describing its usage when embedded in
-                                APIs.  1. Ignored fields.  It includes many fields
+                                APIs. 1. Ignored fields.  It includes many fields
                                which are not generally honored.  For instance, ResourceVersion
                                and FieldPath are both very rarely valid in actual
-                                usage.  2. Invalid usage help.  It is impossible to
+                                usage. 2. Invalid usage help.  It is impossible to
                                add specific help for individual usage.  In most embedded
-                                usages, there are particular     restrictions like,
-                                \"must refer only to types A and B\" or \"UID not
-                                honored\" or \"name must be restricted\".     Those
-                                cannot be well described when embedded.  3. Inconsistent
-                                validation.  Because the usages are different, the
-                                validation rules are different by usage, which makes
-                                it hard for users to predict what will happen.  4.
-                                The fields are both imprecise and overly precise.
-                                \ Kind is not a precise mapping to a URL. This can
-                                produce ambiguity     during interpretation and require
-                                a REST mapping.  In most cases, the dependency is
-                                on the group,resource tuple     and the version of
-                                the actual struct is irrelevant.  5. We cannot easily
-                                change it.  Because this type is embedded in many
-                                locations, updates to this type     will affect numerous
-                                schemas.  Don't make new APIs embed an underspecified
-                                API type they do not control. \n Instead of using
-                                this type, create a locally provided and used type
-                                that is well-focused on your reference. For example,
-                                ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                                usages, there are particular restrictions like, \"must
+                                refer only to types A and B\" or \"UID not honored\"
+                                or \"name must be restricted\". Those cannot be well
+                                described when embedded. 3. Inconsistent validation.
+                                \ Because the usages are different, the validation
+                                rules are different by usage, which makes it hard
+                                for users to predict what will happen. 4. The fields
+                                are both imprecise and overly precise.  Kind is not
+                                a precise mapping to a URL. This can produce ambiguity
+                                during interpretation and require a REST mapping.
+                                \ In most cases, the dependency is on the group,resource
+                                tuple and the version of the actual struct is irrelevant.
+                                5. We cannot easily change it.  Because this type
+                                is embedded in many locations, updates to this type
+                                will affect numerous schemas.  Don't make new APIs
+                                embed an underspecified API type they do not control.
+                                \n Instead of using this type, create a locally provided
+                                and used type that is well-focused on your reference.
+                                For example, ServiceReferences for admission registration:
+                                https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                                ."
                              properties:
                                apiVersion:
@@ -127,36 +126,36 @@ spec:
                                  description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                  type: string
                              type: object
+                              x-kubernetes-map-type: atomic
                            type: array
                          workload:
                            description: "ObjectReference contains enough information
                              to let you inspect or modify the referred object. ---
                              New uses of this type are discouraged because of difficulty
-                              describing its usage when embedded in APIs.  1. Ignored
+                              describing its usage when embedded in APIs. 1. Ignored
                              fields.  It includes many fields which are not generally
                              honored.  For instance, ResourceVersion and FieldPath
-                              are both very rarely valid in actual usage.  2. Invalid
+                              are both very rarely valid in actual usage. 2. Invalid
                              usage help.  It is impossible to add specific help for
                              individual usage.  In most embedded usages, there are
-                              particular     restrictions like, \"must refer only
-                              to types A and B\" or \"UID not honored\" or \"name
-                              must be restricted\".     Those cannot be well described
-                              when embedded.  3. Inconsistent validation.  Because
-                              the usages are different, the validation rules are different
-                              by usage, which makes it hard for users to predict what
-                              will happen.  4. The fields are both imprecise and overly
-                              precise.  Kind is not a precise mapping to a URL. This
-                              can produce ambiguity     during interpretation and
-                              require a REST mapping.  In most cases, the dependency
-                              is on the group,resource tuple     and the version of
-                              the actual struct is irrelevant.  5. We cannot easily
-                              change it.  Because this type is embedded in many locations,
-                              updates to this type     will affect numerous schemas.
-                              \ Don't make new APIs embed an underspecified API type
-                              they do not control. \n Instead of using this type,
-                              create a locally provided and used type that is well-focused
-                              on your reference. For example, ServiceReferences for
-                              admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                              particular restrictions like, \"must refer only to types
+                              A and B\" or \"UID not honored\" or \"name must be restricted\".
+                              Those cannot be well described when embedded. 3. Inconsistent
+                              validation.  Because the usages are different, the validation
+                              rules are different by usage, which makes it hard for
+                              users to predict what will happen. 4. The fields are
+                              both imprecise and overly precise.  Kind is not a precise
+                              mapping to a URL. This can produce ambiguity during
+                              interpretation and require a REST mapping.  In most
+                              cases, the dependency is on the group,resource tuple
+                              and the version of the actual struct is irrelevant.
+                              5. We cannot easily change it.  Because this type is
+                              embedded in many locations, updates to this type will
+                              affect numerous schemas.  Don't make new APIs embed
+                              an underspecified API type they do not control. \n Instead
+                              of using this type, create a locally provided and used
+                              type that is well-focused on your reference. For example,
+                              ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                              ."
                            properties:
                              apiVersion:
@@ -195,6 +194,7 @@ spec:
                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                type: string
                            type: object
+                            x-kubernetes-map-type: atomic
                        type: object
                      type: array
                  type: object
@@ -216,27 +216,27 @@ spec:
                  description: "ObjectReference contains enough information to let
                    you inspect or modify the referred object. --- New uses of this
                    type are discouraged because of difficulty describing its usage
-                    when embedded in APIs.  1. Ignored fields.  It includes many fields
+                    when embedded in APIs. 1. Ignored fields.  It includes many fields
                    which are not generally honored.  For instance, ResourceVersion
-                    and FieldPath are both very rarely valid in actual usage.  2.
-                    Invalid usage help.  It is impossible to add specific help for
-                    individual usage.  In most embedded usages, there are particular
-                    \    restrictions like, \"must refer only to types A and B\" or
-                    \"UID not honored\" or \"name must be restricted\".     Those
-                    cannot be well described when embedded.  3. Inconsistent validation.
-                    \ Because the usages are different, the validation rules are different
-                    by usage, which makes it hard for users to predict what will happen.
-                    \ 4. The fields are both imprecise and overly precise.  Kind is
-                    not a precise mapping to a URL. This can produce ambiguity     during
-                    interpretation and require a REST mapping.  In most cases, the
-                    dependency is on the group,resource tuple     and the version
-                    of the actual struct is irrelevant.  5. We cannot easily change
-                    it.  Because this type is embedded in many locations, updates
-                    to this type     will affect numerous schemas.  Don't make new
-                    APIs embed an underspecified API type they do not control. \n
-                    Instead of using this type, create a locally provided and used
-                    type that is well-focused on your reference. For example, ServiceReferences
-                    for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
+                    usage help.  It is impossible to add specific help for individual
+                    usage.  In most embedded usages, there are particular restrictions
+                    like, \"must refer only to types A and B\" or \"UID not honored\"
+                    or \"name must be restricted\". Those cannot be well described
+                    when embedded. 3. Inconsistent validation.  Because the usages
+                    are different, the validation rules are different by usage, which
+                    makes it hard for users to predict what will happen. 4. The fields
+                    are both imprecise and overly precise.  Kind is not a precise
+                    mapping to a URL. This can produce ambiguity during interpretation
+                    and require a REST mapping.  In most cases, the dependency is
+                    on the group,resource tuple and the version of the actual struct
+                    is irrelevant. 5. We cannot easily change it.  Because this type
+                    is embedded in many locations, updates to this type will affect
+                    numerous schemas.  Don't make new APIs embed an underspecified
+                    API type they do not control. \n Instead of using this type, create
+                    a locally provided and used type that is well-focused on your
+                    reference. For example, ServiceReferences for admission registration:
+                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                    ."
                  properties:
                    apiVersion:
@@ -272,6 +272,7 @@ spec:
                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                      type: string
                  type: object
+                  x-kubernetes-map-type: atomic
                type: array
            required:
            - workloadRefs
@@ -308,31 +309,30 @@ spec:
                            description: "ObjectReference contains enough information
                              to let you inspect or modify the referred object. ---
                              New uses of this type are discouraged because of difficulty
-                              describing its usage when embedded in APIs.  1. Ignored
+                              describing its usage when embedded in APIs. 1. Ignored
                              fields.  It includes many fields which are not generally
                              honored.  For instance, ResourceVersion and FieldPath
-                              are both very rarely valid in actual usage.  2. Invalid
+                              are both very rarely valid in actual usage. 2. Invalid
                              usage help.  It is impossible to add specific help for
                              individual usage.  In most embedded usages, there are
-                              particular     restrictions like, \"must refer only
-                              to types A and B\" or \"UID not honored\" or \"name
-                              must be restricted\".     Those cannot be well described
-                              when embedded.  3. Inconsistent validation.  Because
-                              the usages are different, the validation rules are different
-                              by usage, which makes it hard for users to predict what
-                              will happen.  4. The fields are both imprecise and overly
-                              precise.  Kind is not a precise mapping to a URL. This
-                              can produce ambiguity     during interpretation and
-                              require a REST mapping.  In most cases, the dependency
-                              is on the group,resource tuple     and the version of
-                              the actual struct is irrelevant.  5. We cannot easily
-                              change it.  Because this type is embedded in many locations,
-                              updates to this type     will affect numerous schemas.
-                              \ Don't make new APIs embed an underspecified API type
-                              they do not control. \n Instead of using this type,
-                              create a locally provided and used type that is well-focused
-                              on your reference. For example, ServiceReferences for
-                              admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                              particular restrictions like, \"must refer only to types
+                              A and B\" or \"UID not honored\" or \"name must be restricted\".
+                              Those cannot be well described when embedded. 3. Inconsistent
+                              validation.  Because the usages are different, the validation
+                              rules are different by usage, which makes it hard for
+                              users to predict what will happen. 4. The fields are
+                              both imprecise and overly precise.  Kind is not a precise
+                              mapping to a URL. This can produce ambiguity during
+                              interpretation and require a REST mapping.  In most
+                              cases, the dependency is on the group,resource tuple
+                              and the version of the actual struct is irrelevant.
+                              5. We cannot easily change it.  Because this type is
+                              embedded in many locations, updates to this type will
+                              affect numerous schemas.  Don't make new APIs embed
+                              an underspecified API type they do not control. \n Instead
+                              of using this type, create a locally provided and used
+                              type that is well-focused on your reference. For example,
+                              ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                              ."
                            properties:
                              apiVersion:
@@ -371,6 +371,7 @@ spec:
                                description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                type: string
                            type: object
+                            x-kubernetes-map-type: atomic
                          traits:
                            items:
                              description: TraitHealthCondition represents informative
@@ -464,29 +465,28 @@ spec:
                      description: "ObjectReference contains enough information to
                        let you inspect or modify the referred object. --- New uses
                        of this type are discouraged because of difficulty describing
-                        its usage when embedded in APIs.  1. Ignored fields.  It includes
+                        its usage when embedded in APIs. 1. Ignored fields.  It includes
                        many fields which are not generally honored.  For instance,
                        ResourceVersion and FieldPath are both very rarely valid in
-                        actual usage.  2. Invalid usage help.  It is impossible to
+                        actual usage. 2. Invalid usage help.  It is impossible to
                        add specific help for individual usage.  In most embedded
-                        usages, there are particular     restrictions like, \"must
-                        refer only to types A and B\" or \"UID not honored\" or \"name
-                        must be restricted\".     Those cannot be well described when
-                        embedded.  3. Inconsistent validation.  Because the usages
-                        are different, the validation rules are different by usage,
-                        which makes it hard for users to predict what will happen.
-                        \ 4. The fields are both imprecise and overly precise.  Kind
-                        is not a precise mapping to a URL. This can produce ambiguity
-                        \    during interpretation and require a REST mapping.  In
-                        most cases, the dependency is on the group,resource tuple
-                        \    and the version of the actual struct is irrelevant.  5.
-                        We cannot easily change it.  Because this type is embedded
-                        in many locations, updates to this type     will affect numerous
-                        schemas.  Don't make new APIs embed an underspecified API
-                        type they do not control. \n Instead of using this type, create
-                        a locally provided and used type that is well-focused on your
-                        reference. For example, ServiceReferences for admission registration:
-                        https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
+                        usages, there are particular restrictions like, \"must refer
+                        only to types A and B\" or \"UID not honored\" or \"name must
+                        be restricted\". Those cannot be well described when embedded.
+                        3. Inconsistent validation.  Because the usages are different,
+                        the validation rules are different by usage, which makes it
+                        hard for users to predict what will happen. 4. The fields
+                        are both imprecise and overly precise.  Kind is not a precise
+                        mapping to a URL. This can produce ambiguity during interpretation
+                        and require a REST mapping.  In most cases, the dependency
+                        is on the group,resource tuple and the version of the actual
+                        struct is irrelevant. 5. We cannot easily change it.  Because
+                        this type is embedded in many locations, updates to this type
+                        will affect numerous schemas.  Don't make new APIs embed an
+                        underspecified API type they do not control. \n Instead of
+                        using this type, create a locally provided and used type that
+                        is well-focused on your reference. For example, ServiceReferences
+                        for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
                        ."
                      properties:
                        apiVersion:
@@ -523,6 +523,7 @@ spec:
                          description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                          type: string
                      type: object
+                      x-kubernetes-map-type: atomic
                    traits:
                      items:
                        description: TraitHealthCondition represents informative health
@@ -583,9 +584,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_policies.yaml
+++ b/charts/vela-core/crds/core.oam.dev_policies.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: policies.core.oam.dev
 spec:
  group: core.oam.dev
@@ -49,9 +48,3 @@ spec:
    served: true
    storage: true
    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_policydefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_policydefinitions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: policydefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -161,6 +160,20 @@ spec:
                        description: DeleteResource will determine whether provisioned
                          cloud resources will be deleted when CR is deleted
                        type: boolean
+                      gitCredentialsSecretReference:
+                        description: GitCredentialsSecretReference specifies the reference
+                          to the secret containing the git credentials
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                      path:
                        description: Path is the sub-directory of remote git repository.
                          It's valid when remote is set
@@ -271,9 +284,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml
+++ b/charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: resourcetrackers.core.oam.dev
 spec:
  group: core.oam.dev
@@ -57,8 +56,8 @@ spec:
                format: int64
                type: integer
              compression:
-                description: ResourceTrackerCompression the compression for ResourceTracker
-                  ManagedResources
+                description: ResourceTrackerCompression represents the compressed
+                  components in ResourceTracker.
                properties:
                  data:
                    type: string
@@ -123,6 +122,7 @@ spec:
                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                      type: string
                  type: object
+                  x-kubernetes-map-type: atomic
                type: array
              type:
                description: ResourceTrackerType defines the type of resourceTracker
@@ -177,6 +177,7 @@ spec:
                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                      type: string
                  type: object
+                  x-kubernetes-map-type: atomic
                type: array
            type: object
        type: object
@@ -184,9 +185,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_scopedefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_scopedefinitions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: scopedefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -145,9 +144,3 @@ spec:
    served: true
    storage: true
    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: traitdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -197,6 +196,20 @@ spec:
                        description: DeleteResource will determine whether provisioned
                          cloud resources will be deleted when CR is deleted
                        type: boolean
+                      gitCredentialsSecretReference:
+                        description: GitCredentialsSecretReference specifies the reference
+                          to the secret containing the git credentials
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                      path:
                        description: Path is the sub-directory of remote git repository.
                          It's valid when remote is set
@@ -511,6 +524,20 @@ spec:
                        description: DeleteResource will determine whether provisioned
                          cloud resources will be deleted when CR is deleted
                        type: boolean
+                      gitCredentialsSecretReference:
+                        description: GitCredentialsSecretReference specifies the reference
+                          to the secret containing the git credentials
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                      path:
                        description: Path is the sub-directory of remote git repository.
                          It's valid when remote is set
@@ -644,9 +671,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_workflowstepdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_workflowstepdefinitions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: workflowstepdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -158,6 +157,20 @@ spec:
                        description: DeleteResource will determine whether provisioned
                          cloud resources will be deleted when CR is deleted
                        type: boolean
+                      gitCredentialsSecretReference:
+                        description: GitCredentialsSecretReference specifies the reference
+                          to the secret containing the git credentials
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                      path:
                        description: Path is the sub-directory of remote git repository.
                          It's valid when remote is set
@@ -268,9 +281,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/core.oam.dev_workloaddefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_workloaddefinitions.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: workloaddefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -202,6 +201,20 @@ spec:
                        description: DeleteResource will determine whether provisioned
                          cloud resources will be deleted when CR is deleted
                        type: boolean
+                      gitCredentialsSecretReference:
+                        description: GitCredentialsSecretReference specifies the reference
+                          to the secret containing the git credentials
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                      path:
                        description: Path is the sub-directory of remote git repository.
                          It's valid when remote is set
@@ -492,6 +505,20 @@ spec:
                        description: DeleteResource will determine whether provisioned
                          cloud resources will be deleted when CR is deleted
                        type: boolean
+                      gitCredentialsSecretReference:
+                        description: GitCredentialsSecretReference specifies the reference
+                          to the secret containing the git credentials
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                      path:
                        description: Path is the sub-directory of remote git repository.
                          It's valid when remote is set
@@ -596,9 +623,3 @@ spec:
    served: true
    storage: true
    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/crds/standard.oam.dev_rollouts.yaml
+++ b/charts/vela-core/crds/standard.oam.dev_rollouts.yaml
@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
+    controller-gen.kubebuilder.io/version: v0.9.2
  name: rollouts.standard.oam.dev
 spec:
  group: standard.oam.dev
@@ -140,6 +139,7 @@ spec:
                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                              type: string
                          type: object
+                          x-kubernetes-map-type: atomic
                      required:
                      - name
                      type: object
@@ -274,6 +274,7 @@ spec:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
                                    type: string
                                type: object
+                                x-kubernetes-map-type: atomic
                            required:
                            - name
                            type: object
@@ -474,9 +475,3 @@ spec:
    storage: true
    subresources:
      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/charts/vela-core/templates/addon/fluxcd-def.yaml
+++ b/charts/vela-core/templates/addon/fluxcd-def.yaml
@@ -1,270 +0,0 @@
-{{- if .Values.enableFluxcdAddon -}}
-apiVersion: core.oam.dev/v1beta1
-kind: Application
-metadata:
-  labels:
-    addons.oam.dev/name: fluxcd-def
-  name: addon-fluxcd-def
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/resource-policy": keep
-spec:
-  components:
-    - name: fluxc-def-resources
-      properties:
-        objects:
-          - apiVersion: core.oam.dev/v1beta1
-            kind: ComponentDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: helm release is a group of K8s resources
-                  from either git repository or helm repo
-              name: helm
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "output: {\n\tapiVersion: \"source.toolkit.fluxcd.io/v1beta1\"\n\tmetadata:
-                {\n\t\tname: context.name\n\t}\n\tif parameter.repoType == \"git\"
-                {\n\t\tkind: \"GitRepository\"\n\t\tspec: {\n\t\t\turl: parameter.url\n\t\t\tif
-                parameter.git.branch != _|_ {\n\t\t\t\tref: branch: parameter.git.branch\n\t\t\t}\n\t\t\t_secret\n\t\t\t_sourceCommonArgs\n\t\t}\n\t}\n\tif
-                parameter.repoType == \"oss\" {\n\t\tkind: \"Bucket\"\n\t\tspec: {\n\t\t\tendpoint:
-                \  parameter.url\n\t\t\tbucketName: parameter.oss.bucketName\n\t\t\tprovider:
-                \  parameter.oss.provider\n\t\t\tif parameter.oss.region != _|_ {\n\t\t\t\tregion:
-                parameter.oss.region\n\t\t\t}\n\t\t\t_secret\n\t\t\t_sourceCommonArgs\n\t\t}\n\t}\n\tif
-                parameter.repoType == \"helm\" {\n\t\tkind: \"HelmRepository\"\n\t\tspec:
-                {\n\t\t\turl: parameter.url\n\t\t\t_secret\n\t\t\t_sourceCommonArgs\n\t\t}\n\t}\n}\n\noutputs:
-                release: {\n\tapiVersion: \"helm.toolkit.fluxcd.io/v2beta1\"\n\tkind:
-                \      \"HelmRelease\"\n\tmetadata: {\n\t\tname: context.name\n\t}\n\tspec:
-                {\n\t\ttimeout: parameter.installTimeout\n\t\tinterval: parameter.interval\n\t\tchart:
-                {\n\t\t\tspec: {\n\t\t\t\tchart:   parameter.chart\n\t\t\t\tversion:
-                parameter.version\n\t\t\t\tsourceRef: {\n\t\t\t\t\tif parameter.repoType
-                == \"git\" {\n\t\t\t\t\t\tkind: \"GitRepository\"\n\t\t\t\t\t}\n\t\t\t\t\tif
-                parameter.repoType == \"helm\" {\n\t\t\t\t\t\tkind: \"HelmRepository\"\n\t\t\t\t\t}\n\t\t\t\t\tif
-                parameter.repoType == \"oss\" {\n\t\t\t\t\t\tkind: \"Bucket\"\n\t\t\t\t\t}\n\t\t\t\t\tname:
-                \     context.name\n\t\t\t\t}\n\t\t\t\tinterval: parameter.interval\n\t\t\t}\n\t\t}\n\t\tif
-                parameter.targetNamespace != _|_ {\n\t\t\ttargetNamespace: parameter.targetNamespace\n\t\t}\n\t\tif
-                parameter.releaseName != _|_ {\n\t\t\treleaseName: parameter.releaseName\n\t\t}\n\t\tif
-                parameter.values != _|_ {\n\t\t\tvalues: parameter.values\n\t\t}\n\t}\n}\n\n_secret:
-                {\n\tif parameter.secretRef != _|_ {\n\t\tsecretRef: {\n\t\t\tname:
-                parameter.secretRef\n\t\t}\n\t}\n}\n\n_sourceCommonArgs: {\n\tinterval:
-                parameter.pullInterval\n\tif parameter.timeout != _|_ {\n\t\ttimeout:
-                parameter.timeout\n\t}\n}\n\nparameter: {\n\trepoType: *\"helm\" |
-                \"git\" | \"oss\"\n\t// +usage=The interval at which to check for
-                repository/bucket and relese updates, default to 5m\n\tpullInterval:
-                *\"5m\" | string\n        // +usage=The  Interval at which to reconcile
-                the Helm release, default to 30s\n        interval: *\"30s\" | string\n\t//
-                +usage=The Git or Helm repository URL, OSS endpoint, accept HTTP/S
-                or SSH address as git url,\n\turl: string\n\t// +usage=The name of
-                the secret containing authentication credentials\n\tsecretRef?: string\n\t//
-                +usage=The timeout for operations like download index/clone repository,
-                optional\n\ttimeout?: string\n\t// +usage=The timeout for operation
-                `helm install`, optional\n\tinstallTimeout: *\"10m\" | string\n\n\tgit?:
-                {\n\t\t// +usage=The Git reference to checkout and monitor for changes,
-                defaults to master branch\n\t\tbranch: string\n\t}\n\toss?: {\n\t\t//
-                +usage=The bucket's name, required if repoType is oss\n\t\tbucketName:
-                string\n\t\t// +usage=\"generic\" for Minio, Amazon S3, Google Cloud
-                Storage, Alibaba Cloud OSS, \"aws\" for retrieve credentials from
-                the EC2 service when credentials not specified, default \"generic\"\n\t\tprovider:
-                *\"generic\" | \"aws\"\n\t\t// +usage=The bucket region, optional\n\t\tregion?:
-                string\n\t}\n\n\t// +usage=1.The relative path to helm chart for git/oss
-                source. 2. chart name for helm resource 3. relative path for chart
-                package(e.g. ./charts/podinfo-1.2.3.tgz)\n\tchart: string\n\t// +usage=Chart
-                version\n\tversion: *\"*\" | string\n\t// +usage=The namespace for
-                helm chart, optional\n\ttargetNamespace?: string\n\t// +usage=The
-                release name\n\treleaseName?: string\n\t// +usage=Chart values\n\tvalues?:
-                #nestedmap\n}\n\n#nestedmap: {\n\t...\n}\n"
-              status:
-                customStatus: "repoMessage:    string\nreleaseMessage: string\nif context.output.status
-              == _|_ {\n\trepoMessage:    \"Fetching repository\"\n\treleaseMessage:
-              \"Wating repository ready\"\n}\nif context.output.status != _|_ {\n\trepoStatus:
-              context.output.status\n\tif repoStatus.conditions[0][\"type\"] != \"Ready\"
-              {\n\t\trepoMessage: \"Fetch repository fail\"\n\t}\n\tif repoStatus.conditions[0][\"type\"]
-              == \"Ready\" {\n\t\trepoMessage: \"Fetch repository successfully\"\n\t}\n\n\tif
-              context.outputs.release.status == _|_ {\n\t\treleaseMessage: \"Creating
-              helm release\"\n\t}\n\tif context.outputs.release.status != _|_ {\n\t\tif
-              context.outputs.release.status.conditions[0][\"message\"] == \"Release
-              reconciliation succeeded\" {\n\t\t\treleaseMessage: \"Create helm release
-              successfully\"\n\t\t}\n\t\tif context.outputs.release.status.conditions[0][\"message\"]
-              != \"Release reconciliation succeeded\" {\n\t\t\treleaseBasicMessage:
-              \"Delivery helm release in progress, message: \" + context.outputs.release.status.conditions[0][\"message\"]\n\t\t\tif
-              len(context.outputs.release.status.conditions) == 1 {\n\t\t\t\treleaseMessage:
-              releaseBasicMessage\n\t\t\t}\n\t\t\tif len(context.outputs.release.status.conditions)
-              > 1 {\n\t\t\t\treleaseMessage: releaseBasicMessage + \", \" + context.outputs.release.status.conditions[1][\"message\"]\n\t\t\t}\n\t\t}\n\t}\n\n}\nmessage:
-              repoMessage + \", \" + releaseMessage"
-                healthPolicy: 'isHealth: len(context.outputs.release.status.conditions)
-              != 0 && context.outputs.release.status.conditions[0]["status"]=="True"'
-              workload:
-                type: autodetects.core.oam.dev
-          - apiVersion: core.oam.dev/v1beta1
-            kind: TraitDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: A list of JSON6902 patch to selected target
-              name: kustomize-json-patch
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "patch: {\n\tspec: {\n\t\tpatchesJson6902: parameter.patchesJson\n\t}\n}\n\nparameter:
-                {\n\t// +usage=A list of JSON6902 patch.\n\tpatchesJson: [...#jsonPatchItem]\n}\n\n//
-                +usage=Contains a JSON6902 patch\n#jsonPatchItem: {\n\ttarget: #selector\n\tpatch:
-                [...{\n\t\t// +usage=operation to perform\n\t\top: string | \"add\"
-                | \"remove\" | \"replace\" | \"move\" | \"copy\" | \"test\"\n\t\t//
-                +usage=operate path e.g. /foo/bar\n\t\tpath: string\n\t\t// +usage=specify
-                source path when op is copy/move\n\t\tfrom?:  string\n\t\t// +usage=specify
-                opraation value when op is test/add/replace\n\t\tvalue?: string\n\t}]\n}\n\n//
-                +usage=Selector specifies a set of resources\n#selector: {\n\tgroup?:
-                \             string\n\tversion?:            string\n\tkind?:               string\n\tnamespace?:
-                \         string\n\tname?:               string\n\tannotationSelector?:
-                string\n\tlabelSelector?:      string\n}\n"
-          - apiVersion: core.oam.dev/v1beta1
-            kind: TraitDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: A list of StrategicMerge or JSON6902 patch
-                  to selected target
-              name: kustomize-patch
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "patch: {\n\tspec: {\n\t\tpatches: parameter.patches\n\t}\n}\nparameter:
-                {\n\t// +usage=a list of StrategicMerge or JSON6902 patch to selected
-                target\n\tpatches: [...#patchItem]\n}\n\n// +usage=Contains a strategicMerge
-                or JSON6902 patch\n#patchItem: {\n\t// +usage=Inline patch string,
-                in yaml style\n\tpatch: string\n\t// +usage=Specify the target the
-                patch should be applied to\n\ttarget: #selector\n}\n\n// +usage=Selector
-                specifies a set of resources\n#selector: {\n\tgroup?:              string\n\tversion?:
-                \           string\n\tkind?:               string\n\tnamespace?:          string\n\tname?:
-                \              string\n\tannotationSelector?: string\n\tlabelSelector?:
-                \     string\n}\n"
-          - apiVersion: core.oam.dev/v1beta1
-            kind: ComponentDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: kustomize can fetching, building, updating
-                  and applying Kustomize manifests from git repo.
-              name: kustomize
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "output: {\n\tapiVersion: \"kustomize.toolkit.fluxcd.io/v1beta1\"\n\tkind:
-                \      \"Kustomization\"\n\tmetadata: {\n\t\tname: context.name\n
-                \   namespace: context.namespace\n\t}\n\tspec: {\n\t\tinterval: parameter.pullInterval\n\t\tsourceRef:
-                {\n\t\t\tif parameter.repoType == \"git\" {\n\t\t\t\tkind: \"GitRepository\"\n\t\t\t}\n\t\t\tif
-                parameter.repoType == \"oss\" {\n\t\t\t\tkind: \"Bucket\"\n\t\t\t}\n\t\t\tname:
-                \     context.name\n\t\t\tnamespace: context.namespace\n\t\t}\n\t\tpath:
-                \      parameter.path\n\t\tprune:      true\n\t\tvalidation: \"client\"\n\t}\n}\n\noutputs:
-                {\n  repo: {\n\t  apiVersion: \"source.toolkit.fluxcd.io/v1beta1\"\n\t
-                \ metadata: {\n\t\t  name: context.name\n      namespace: context.namespace\n\t
-                \ }\n\t  if parameter.repoType == \"git\" {\n\t\t  kind: \"GitRepository\"\n\t\t
-                \ spec: {\n\t\t\t  url: parameter.url\n\t\t\t  if parameter.git.branch
-                != _|_ {\n\t\t\t\t  ref: branch: parameter.git.branch\n\t\t\t  }\n
-                \       if parameter.git.provider != _|_ {\n          if parameter.git.provider
-                == \"GitHub\" {\n            gitImplementation: \"go-git\"\n          }\n
-                \         if parameter.git.provider == \"AzureDevOps\" {\n            gitImplementation:
-                \"libgit2\"\n          }\n        }\n\t\t\t  _secret\n\t\t\t  _sourceCommonArgs\n\t\t
-                \ }\n\t  }\n\t  if parameter.repoType == \"oss\" {\n\t\t  kind: \"Bucket\"\n\t\t
-                \ spec: {\n\t\t\t  endpoint:   parameter.url\n\t\t\t  bucketName:
-                parameter.oss.bucketName\n\t\t\t  provider:   parameter.oss.provider\n\t\t\t
-                \ if parameter.oss.region != _|_ {\n\t\t\t\t  region: parameter.oss.region\n\t\t\t
-                \ }\n\t\t\t  _secret\n\t\t\t  _sourceCommonArgs\n\t\t  }\n\t  }\n
-                \ }\n\n  if parameter.imageRepository != _|_ {\n    imageRepo: {\n
-                \     apiVersion: \"image.toolkit.fluxcd.io/v1beta1\"\n      kind:
-                \"ImageRepository\"\n\t    metadata: {\n\t\t    name: context.name\n
-                \       namespace: context.namespace\n\t    }\n      spec: {\n        image:
-                parameter.imageRepository.image\n        interval: parameter.pullInterval\n
-                \       if parameter.imageRepository.secretRef != _|_ {\n          secretRef:
-                name: parameter.imageRepository.secretRef\n        }\n      }\n    }\n\n
-                \   imagePolicy: {\n      apiVersion: \"image.toolkit.fluxcd.io/v1beta1\"\n
-                \     kind: \"ImagePolicy\"\n\t    metadata: {\n\t\t    name: context.name\n
-                \       namespace: context.namespace\n\t    }\n      spec: {\n        imageRepositoryRef:
-                name: context.name\n        policy: parameter.imageRepository.policy\n
-                \       if parameter.imageRepository.filterTags != _|_ {\n          filterTags:
-                parameter.imageRepository.filterTags\n        }\n      }\n    }\n\n
-                \   imageUpdate: {\n      apiVersion: \"image.toolkit.fluxcd.io/v1beta1\"\n
-                \     kind: \"ImageUpdateAutomation\"\n\t    metadata: {\n\t\t    name:
-                context.name\n        namespace: context.namespace\n\t    }\n      spec:
-                {\n        interval: parameter.pullInterval\n        sourceRef: {\n
-                \         kind: \"GitRepository\"\n          name: context.name\n
-                \       }\n        git: {\n          checkout: ref: branch: parameter.git.branch\n
-                \         commit: {\n            author: {\n              email: \"kubevelabot@users.noreply.github.com\"\n
-                \             name: \"kubevelabot\"\n            }\n            if
-                parameter.imageRepository.commitMessage != _|_ {\n              messageTemplate:
-                \"Update image automatically.\\n\" + parameter.imageRepository.commitMessage\n
-                \           }\n            if parameter.imageRepository.commitMessage
-                == _|_ {\n              messageTemplate: \"Update image automatically.\"\n
-                \           }\n          }\n          push: branch: parameter.git.branch\n
-                \       }\n        update: {\n          path:\tparameter.path\n          strategy:
-                \"Setters\"\n        }\n      }\n    }\n  }\n}\n\n_secret: {\n\tif
-                parameter.secretRef != _|_ {\n\t\tsecretRef: {\n\t\t\tname: parameter.secretRef\n\t\t}\n\t}\n}\n\n_sourceCommonArgs:
-                {\n\tinterval: parameter.pullInterval\n\tif parameter.timeout != _|_
-                {\n\t\ttimeout: parameter.timeout\n\t}\n}\n\nparameter: {\n\trepoType:
-                *\"git\" | \"oss\"\n  // +usage=The image repository for automatically
-                update image to git\n  imageRepository?: {\n    // +usage=The image
-                url\n    image: string\n    // +usage=The name of the secret containing
-                authentication credentials\n    secretRef?: string\n    // +usage=Policy
-                gives the particulars of the policy to be followed in selecting the
-                most recent image.\n    policy: {\n      // +usage=Alphabetical set
-                of rules to use for alphabetical ordering of the tags.\n      alphabetical?:
-                {\n        // +usage=Order specifies the sorting order of the tags.\n
-                \       // +usage=Given the letters of the alphabet as tags, ascending
-                order would select Z, and descending order would select A.\n        order?:
-                \"asc\" | \"desc\"\n      }\n      // +usage=Numerical set of rules
-                to use for numerical ordering of the tags.\n      numerical?: {\n
-                \       // +usage=Order specifies the sorting order of the tags.\n
-                \       // +usage=Given the integer values from 0 to 9 as tags, ascending
-                order would select 9, and descending order would select 0.\n        order:
-                \"asc\" | \"desc\"\n      }\n      // +usage=SemVer gives a semantic
-                version range to check against the tags available.\n      semver?:
-                {\n        // +usage=Range gives a semver range for the image tag;
-                the highest version within the range that's a tag yields the latest
-                image.\n        range: string\n      }\n    }\n    // +usage=FilterTags
-                enables filtering for only a subset of tags based on a set of rules.
-                If no rules are provided, all the tags from the repository will be
-                ordered and compared.\n    filterTags?: {\n      // +usage=Extract
-                allows a capture group to be extracted from the specified regular
-                expression pattern, useful before tag evaluation.\n      extract?:
-                string\n      // +usage=Pattern specifies a regular expression pattern
-                used to filter for image tags.\n      pattern?: string\n    }\n    //
-                +usage=The image url\n    commitMessage?: string\n  }\n\t// +usage=The
-                interval at which to check for repository/bucket and release updates,
-                default to 5m\n\tpullInterval: *\"5m\" | string\n\t// +usage=The Git
-                or Helm repository URL, OSS endpoint, accept HTTP/S or SSH address
-                as git url,\n\turl: string\n\t// +usage=The name of the secret containing
-                authentication credentials\n\tsecretRef?: string\n\t// +usage=The
-                timeout for operations like download index/clone repository, optional\n\ttimeout?:
-                string\n\tgit?: {\n\t\t// +usage=The Git reference to checkout and
-                monitor for changes, defaults to master branch\n\t\tbranch: string\n
-                \   // +usage=Determines which git client library to use. Defaults
-                to GitHub, it will pick go-git. AzureDevOps will pick libgit2.\n    provider?:
-                *\"GitHub\" | \"AzureDevOps\"\n\t}\n\toss?: {\n\t\t// +usage=The bucket's
-                name, required if repoType is oss\n\t\tbucketName: string\n\t\t//
-                +usage=\"generic\" for Minio, Amazon S3, Google Cloud Storage, Alibaba
-                Cloud OSS, \"aws\" for retrieve credentials from the EC2 service when
-                credentials not specified, default \"generic\"\n\t\tprovider: *\"generic\"
-                | \"aws\"\n\t\t// +usage=The bucket region, optional\n\t\tregion?:
-                string\n\t}\n\t//+usage=Path to the directory containing the kustomization.yaml
-                file, or the set of plain YAMLs a kustomization.yaml should be generated
-                for.\n\tpath: string\n}"
-              workload:
-                type: autodetects.core.oam.dev
-          - apiVersion: core.oam.dev/v1beta1
-            kind: TraitDefinition
-            metadata:
-              annotations:
-                definition.oam.dev/description: A list of strategic merge to kustomize
-                  config
-              name: kustomize-strategy-merge
-              namespace: {{.Values.systemDefinitionNamespace}}
-            spec:
-              schematic:
-                cue:
-                  template: "patch: {\n\tspec: {\n\t\tpatchesStrategicMerge: parameter.patchesStrategicMerge\n\t}\n}\n\nparameter:
-                {\n\t// +usage=a list of strategicmerge, defined as inline yaml objects.\n\tpatchesStrategicMerge:
-                [...#nestedmap]\n}\n\n#nestedmap: {\n\t...\n}\n"
-      type: k8s-objects
-
-  {{- end }}
--- a/charts/vela-core/templates/addon/fluxcd.yaml
+++ b/charts/vela-core/templates/addon/fluxcd.yaml
--- a/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
+++ b/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
@@ -13,6 +13,11 @@ spec:
    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 6 }}
  template:
    metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "9443"
+        prometheus.io/scrape: "true"
+        prometheus.io/scheme: "https"
      labels:
      {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 8 }}
    spec:
@@ -32,24 +37,32 @@ spec:
            - "--secure-port={{ .Values.multicluster.clusterGateway.port }}"
            - "--secret-namespace={{ .Release.Namespace }}"
            - "--feature-gates=APIPriorityAndFairness=false,ClientIdentityPenetration={{ .Values.authentication.enabled }}"
+            - "--cluster-gateway-proxy-config=/etc/proxy-config/config.yaml"
            {{- if .Values.multicluster.clusterGateway.secureTLS.enabled }}
            - "--tls-cert-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.crt"
            - "--tls-private-key-file={{ .Values.multicluster.clusterGateway.secureTLS.certPath }}/tls.key"
            {{- end }}
+            - "--authorization-always-allow-paths=/healthz,/readyz,/livez,/metrics"
          image: {{ .Values.imageRegistry }}{{ .Values.multicluster.clusterGateway.image.repository }}:{{ .Values.multicluster.clusterGateway.image.tag }}
          imagePullPolicy: {{ .Values.multicluster.clusterGateway.image.pullPolicy }}
          resources:
          {{- toYaml .Values.multicluster.clusterGateway.resources | nindent 12 }}
          ports:
            - containerPort: {{ .Values.multicluster.clusterGateway.port }}
-          {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
          volumeMounts:
+            - mountPath: /etc/proxy-config
+              name: proxy-config
+          {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
            - mountPath: {{ .Values.multicluster.clusterGateway.secureTLS.certPath }}
              name: tls-cert-vol
              readOnly: true
          {{- end }}
-      {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
      volumes:
+        - configMap:
+            defaultMode: 420
+            name: {{ .Release.Name }}-cluster-gateway-proxy-config
+          name: proxy-config
+      {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
        - name: tls-cert-vol
          secret:
            defaultMode: 420
@@ -59,10 +72,19 @@ spec:
      nodeSelector:
      {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with .Values.affinity }}
      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{ if .Values.affinity }}
+        {{- toYaml .Values.affinity | nindent 8 }}
+      {{ else }}
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    {{- include "kubevela-cluster-gateway.selectorLabels" . | nindent 20 }}
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      {{ end }}
      {{- with .Values.tolerations }}
      tolerations:
      {{- toYaml . | nindent 8 }}
@@ -74,6 +96,23 @@ spec:
      maxUnavailable: 1
 ---
 apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-cluster-gateway-proxy-config
+  namespace: {{ .Release.Namespace }}
+data:
+  config.yaml: |
+    apiVersion: cluster.core.oam.dev/v1alpha1
+    kind: ClusterGatewayProxyConfiguration
+    spec:
+      clientIdentityExchanger:
+        rules:
+          - name: super-user
+            source:
+              group: kubevela:ux
+            type: PrivilegedIdentityExchanger
+---
+apiVersion: v1
 kind: Service
 metadata:
  name: {{ .Release.Name }}-cluster-gateway-service
--- a/charts/vela-core/templates/defwithtemplate/apply-application-in-parallel.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-application-in-parallel.yaml
@@ -1,5 +1,5 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/apply-application-in-parallel.cue
+# Definition source cue file: vela-templates/definitions/deprecated/apply-application-in-parallel.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
--- a/charts/vela-core/templates/defwithtemplate/apply-application.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-application.yaml
@@ -1,9 +1,10 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/apply-application.cue
+# Definition source cue file: vela-templates/definitions/deprecated/apply-application.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Apply application for your workflow steps, it has no arguments, should be used for custom steps before or after application applied.
  labels:
    custom.definition.oam.dev/deprecated: "true"
--- a/charts/vela-core/templates/defwithtemplate/apply-component.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-component.yaml
@@ -4,10 +4,10 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Apply a specific component and its corresponding traits in application
  labels:
    custom.definition.oam.dev/scope: Application
-    custom.definition.oam.dev/ui-hidden: "true"
  name: apply-component
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/apply-deployment.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-deployment.yaml
@@ -0,0 +1,56 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-deployment.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/category: Resource Management
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply deployment with specified image and cmd.
+  name: apply-deployment
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"strconv"
+        	"strings"
+        	"vela/op"
+        )
+
+        output: op.#Apply & {
+        	cluster: parameter.cluster
+        	value: {
+        		apiVersion: "apps/v1"
+        		kind:       "Deployment"
+        		metadata: {
+        			name:      context.stepName
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        			replicas: parameter.replicas
+        			template: {
+        				metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        				spec: containers: [{
+        					name:  context.stepName
+        					image: parameter.image
+        					if parameter["cmd"] != _|_ {
+        						command: parameter.cmd
+        					}
+        				}]
+        			}
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: output.value.status.readyReplicas == parameter.replicas
+        }
+        parameter: {
+        	image:    string
+        	replicas: *1 | int
+        	cluster:  *"" | string
+        	cmd?: [...string]
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/apply-object.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-object.yaml
@@ -4,9 +4,8 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/description: Apply raw kubernetes objects for your workflow steps
-  labels:
-    custom.definition.oam.dev/ui-hidden: "true"
  name: apply-object
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/apply-remaining.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-remaining.yaml
@@ -1,9 +1,10 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/apply-remaining.cue
+# Definition source cue file: vela-templates/definitions/deprecated/apply-remaining.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Apply remaining components and traits
  labels:
    custom.definition.oam.dev/deprecated: "true"
--- a/charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml
@@ -0,0 +1,91 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-terraform-config.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/category: Terraform
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply terraform configuration in the step
+  name: apply-terraform-config
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        apply: op.#Apply & {
+        	value: {
+        		apiVersion: "terraform.core.oam.dev/v1beta2"
+        		kind:       "Configuration"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepName)"
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			deleteResource: parameter.deleteResource
+        			variable:       parameter.variable
+        			forceDelete:    parameter.forceDelete
+        			if parameter.source.path != _|_ {
+        				path: parameter.source.path
+        			}
+        			if parameter.source.remote != _|_ {
+        				remote: parameter.source.remote
+        			}
+        			if parameter.source.hcl != _|_ {
+        				hcl: parameter.source.hcl
+        			}
+        			if parameter.providerRef != _|_ {
+        				providerRef: parameter.providerRef
+        			}
+        			if parameter.jobEnv != _|_ {
+        				jobEnv: parameter.jobEnv
+        			}
+        			if parameter.writeConnectionSecretToRef != _|_ {
+        				writeConnectionSecretToRef: parameter.writeConnectionSecretToRef
+        			}
+        			if parameter.region != _|_ {
+        				region: parameter.region
+        			}
+        		}
+        	}
+        }
+        check: op.#ConditionalWait & {
+        	continue: apply.value.status != _|_ && apply.value.status.apply != _|_ && apply.value.status.apply.state == "Available"
+        }
+        parameter: {
+        	// +usage=specify the source of the terraform configuration
+        	source: close({
+        		// +usage=directly specify the hcl of the terraform configuration
+        		hcl: string
+        	}) | close({
+        		// +usage=specify the remote url of the terraform configuration
+        		remote: *"https://github.com/kubevela-contrib/terraform-modules.git" | string
+        		// +usage=specify the path of the terraform configuration
+        		path?: string
+        	})
+        	// +usage=whether to delete resource
+        	deleteResource: *true | bool
+        	// +usage=the variable in the configuration
+        	variable: {...}
+        	// +usage=this specifies the namespace and name of a secret to which any connection details for this managed resource should be written.
+        	writeConnectionSecretToRef?: {
+        		name:      string
+        		namespace: *context.namespace | string
+        	}
+        	// +usage=providerRef specifies the reference to Provider
+        	providerRef?: {
+        		name:      string
+        		namespace: *context.namespace | string
+        	}
+        	// +usage=region is cloud provider's region. It will override the region in the region field of providerRef
+        	region?: string
+        	// +usage=the envs for job
+        	jobEnv?: {...}
+        	// +usae=forceDelete will force delete Configuration no matter which state it is or whether it has provisioned some resources
+        	forceDelete: *false | bool
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml
@@ -0,0 +1,144 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/apply-terraform-provider.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/category: Terraform
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Apply terraform provider config
+  name: apply-terraform-provider
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"strings"
+        )
+
+        config: op.#CreateConfig & {
+        	name:      "\(context.name)-\(context.stepName)"
+        	namespace: context.namespace
+        	template:  "terraform-\(parameter.type)"
+        	config: {
+        		name: parameter.name
+        		if parameter.type == "alibaba" {
+        			ALICLOUD_ACCESS_KEY: parameter.accessKey
+        			ALICLOUD_SECRET_KEY: parameter.secretKey
+        			ALICLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "aws" {
+        			AWS_ACCESS_KEY_ID:     parameter.accessKey
+        			AWS_SECRET_ACCESS_KEY: parameter.secretKey
+        			AWS_DEFAULT_REGION:    parameter.region
+        			AWS_SESSION_TOKEN:     parameter.token
+        		}
+        		if parameter.type == "azure" {
+        			ARM_CLIENT_ID:       parameter.clientID
+        			ARM_CLIENT_SECRET:   parameter.clientSecret
+        			ARM_SUBSCRIPTION_ID: parameter.subscriptionID
+        			ARM_TENANT_ID:       parameter.tenantID
+        		}
+        		if parameter.type == "baidu" {
+        			BAIDUCLOUD_ACCESS_KEY: parameter.accessKey
+        			BAIDUCLOUD_SECRET_KEY: parameter.secretKey
+        			BAIDUCLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "ec" {
+        			EC_API_KEY: parameter.apiKey
+        		}
+        		if parameter.type == "gcp" {
+        			GOOGLE_CREDENTIALS: parameter.credentials
+        			GOOGLE_REGION:      parameter.region
+        			GOOGLE_PROJECT:     parameter.project
+        		}
+        		if parameter.type == "tencent" {
+        			TENCENTCLOUD_SECRET_ID:  parameter.secretID
+        			TENCENTCLOUD_SECRET_KEY: parameter.secretKey
+        			TENCENTCLOUD_REGION:     parameter.region
+        		}
+        		if parameter.type == "ucloud" {
+        			UCLOUD_PRIVATE_KEY: parameter.privateKey
+        			UCLOUD_PUBLIC_KEY:  parameter.publicKey
+        			UCLOUD_PROJECT_ID:  parameter.projectID
+        			UCLOUD_REGION:      parameter.region
+        		}
+        	}
+        }
+        read: op.#Read & {
+        	value: {
+        		apiVersion: "terraform.core.oam.dev/v1beta1"
+        		kind:       "Provider"
+        		metadata: {
+        			name:      parameter.name
+        			namespace: context.namespace
+        		}
+        	}
+        }
+        check: op.#ConditionalWait & {
+        	if read.value.status != _|_ {
+        		continue: read.value.status.state == "ready"
+        	}
+        	if read.value.status == _|_ {
+        		continue: false
+        	}
+        }
+        providerBasic: {
+        	accessKey: string
+        	secretKey: string
+        	region:    string
+        }
+        #AlibabaProvider: {
+        	providerBasic
+        	type: "alibaba"
+        	name: *"alibaba-provider" | string
+        }
+        #AWSProvider: {
+        	providerBasic
+        	token: *"" | string
+        	type:  "aws"
+        	name:  *"aws-provider" | string
+        }
+        #AzureProvider: {
+        	subscriptionID: string
+        	tenantID:       string
+        	clientID:       string
+        	clientSecret:   string
+        	name:           *"azure-provider" | string
+        }
+        #BaiduProvider: {
+        	providerBasic
+        	type: "baidu"
+        	name: *"baidu-provider" | string
+        }
+        #ECProvider: {
+        	type:   "ec"
+        	apiKey: *"" | string
+        	name:   *"ec-provider" | string
+        }
+        #GCPProvider: {
+        	credentials: string
+        	region:      string
+        	project:     string
+        	type:        "gcp"
+        	name:        *"gcp-provider" | string
+        }
+        #TencentProvider: {
+        	secretID:  string
+        	secretKey: string
+        	region:    string
+        	type:      "tencent"
+        	name:      *"tencent-provider" | string
+        }
+        #UCloudProvider: {
+        	publicKey:  string
+        	privateKey: string
+        	projectID:  string
+        	region:     string
+        	type:       "ucloud"
+        	name:       *"ucloud-provider" | string
+        }
+        parameter: *#AlibabaProvider | #AWSProvider | #AzureProvider | #BaiduProvider | #ECProvider | #GCPProvider | #TencentProvider | #UCloudProvider
+
--- a/charts/vela-core/templates/defwithtemplate/build-push-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/build-push-image.yaml
@@ -0,0 +1,158 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/build-push-image.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/category: CI Integration
+    definition.oam.dev/alias: ""
+    definition.oam.dev/description: Build and push image from git url
+  name: build-push-image
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        	"encoding/json"
+        	"strings"
+        )
+
+        url: {
+        	if parameter.context.git != _|_ {
+        		address: strings.TrimPrefix(parameter.context.git, "git://")
+        		value:   "git://\(address)#refs/heads/\(parameter.context.branch)"
+        	}
+        	if parameter.context.git == _|_ {
+        		value: parameter.context
+        	}
+        }
+        kaniko: op.#Apply & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Pod"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        			namespace: context.namespace
+        		}
+        		spec: {
+        			containers: [
+        				{
+        					args: [
+        						"--dockerfile=\(parameter.dockerfile)",
+        						"--context=\(url.value)",
+        						"--destination=\(parameter.image)",
+        						"--verbosity=\(parameter.verbosity)",
+        						if parameter.platform != _|_ {
+        							"--customPlatform=\(parameter.platform)"
+        						},
+        						if parameter.buildArgs != _|_ for arg in parameter.buildArgs {
+        							"--build-arg=\(arg)"
+        						},
+        					]
+        					image: parameter.kanikoExecutor
+        					name:  "kaniko"
+        					if parameter.credentials != _|_ && parameter.credentials.image != _|_ {
+        						volumeMounts: [
+        							{
+        								mountPath: "/kaniko/.docker/"
+        								name:      parameter.credentials.image.name
+        							},
+        						]
+        					}
+        					if parameter.credentials != _|_ && parameter.credentials.git != _|_ {
+        						env: [
+        							{
+        								name: "GIT_TOKEN"
+        								valueFrom: secretKeyRef: {
+        									key:  parameter.credentials.git.key
+        									name: parameter.credentials.git.name
+        								}
+        							},
+        						]
+        					}
+        				},
+        			]
+        			if parameter.credentials != _|_ && parameter.credentials.image != _|_ {
+        				volumes: [
+        					{
+        						name: parameter.credentials.image.name
+        						secret: {
+        							defaultMode: 420
+        							items: [
+        								{
+        									key:  parameter.credentials.image.key
+        									path: "config.json"
+        								},
+        							]
+        							secretName: parameter.credentials.image.name
+        						}
+        					},
+        				]
+        			}
+        			restartPolicy: "Never"
+        		}
+        	}
+        }
+        log: op.#Log & {
+        	source: resources: [{
+        		name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        		namespace: context.namespace
+        	}]
+        }
+        read: op.#Read & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "Pod"
+        		metadata: {
+        			name:      "\(context.name)-\(context.stepSessionID)-kaniko"
+        			namespace: context.namespace
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: read.value.status != _|_ && read.value.status.phase == "Succeeded"
+        }
+        #secret: {
+        	name: string
+        	key:  string
+        }
+        #git: {
+        	git:    string
+        	branch: *"master" | string
+        }
+        parameter: {
+        	// +usage=Specify the kaniko executor image, default to oamdev/kaniko-executor:v1.9.1
+        	kanikoExecutor: *"oamdev/kaniko-executor:v1.9.1" | string
+        	// +usage=Specify the context to build image, you can use context with git and branch or directly specify the context, please refer to https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts
+        	context: #git | string
+        	// +usage=Specify the dockerfile
+        	dockerfile: *"./Dockerfile" | string
+        	// +usage=Specify the image
+        	image: string
+        	// +usage=Specify the platform to build
+        	platform?: string
+        	// +usage=Specify the build args
+        	buildArgs?: [...string]
+        	// +usage=Specify the credentials to access git and image registry
+        	credentials?: {
+        		// +usage=Specify the credentials to access git
+        		git?: {
+        			// +usage=Specify the secret name
+        			name: string
+        			// +usage=Specify the secret key
+        			key: string
+        		}
+        		// +usage=Specify the credentials to access image registry
+        		image?: {
+        			// +usage=Specify the secret name
+        			name: string
+        			// +usage=Specify the secret key
+        			key: *".dockerconfigjson" | string
+        		}
+        	}
+        	// +usage=Specify the verbosity level
+        	verbosity: *"info" | "panic" | "fatal" | "error" | "warn" | "debug" | "trace"
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/check-metrics.yaml
+++ b/charts/vela-core/templates/defwithtemplate/check-metrics.yaml
@@ -0,0 +1,56 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/check-metrics.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/category: Application Delivery
+    definition.oam.dev/description: Verify application's metrics
+  labels:
+    custom.definition.oam.dev/catalog: Delivery
+  name: check-metrics
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        check: op.#PromCheck & {
+        	query:          parameter.query
+        	metricEndpoint: parameter.metricEndpoint
+        	condition:      parameter.condition
+        	stepID:         context.stepSessionID
+        	duration:       parameter.duration
+        	failDuration:   parameter.failDuration
+        }
+        fail: op.#Steps & {
+        	if check.failed != _|_ {
+        		if check.failed == true {
+        			breakWorkflow: op.#Fail & {
+        				message: check.message
+        			}
+        		}
+        	}
+        }
+        wait: op.#ConditionalWait & {
+        	continue: check.result
+        	if check.message != _|_ {
+        		message: check.message
+        	}
+        }
+        parameter: {
+        	// +usage=Query is a raw prometheus query to perform
+        	query: string
+        	// +usage=The HTTP address and port of the prometheus server
+        	metricEndpoint?: "http://prometheus-server.o11y-system.svc:9090" | string
+        	// +usage=Condition is an expression which determines if a measurement is considered successful. eg: >=0.95
+        	condition: string
+        	// +usage=Duration defines the duration of time required for this step to be considered successful.
+        	duration?: *"5m" | string
+        	// +usage=FailDuration is the duration of time that, if the check fails, will result in the step being marked as failed.
+        	failDuration?: *"2m" | string
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/clean-jobs.yaml
+++ b/charts/vela-core/templates/defwithtemplate/clean-jobs.yaml
@@ -0,0 +1,61 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/clean-jobs.cue
+apiVersion: core.oam.dev/v1beta1
+kind: WorkflowStepDefinition
+metadata:
+  annotations:
+    custom.definition.oam.dev/category: Resource Management
+    definition.oam.dev/description: clean applied jobs in the cluster
+  name: clean-jobs
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"vela/op"
+        )
+
+        parameter: {
+        	labelselector?: {...}
+        	namespace: *context.namespace | string
+        }
+        cleanJobs: op.#Delete & {
+        	value: {
+        		apiVersion: "batch/v1"
+        		kind:       "Job"
+        		metadata: {
+        			name:      context.name
+        			namespace: parameter.namespace
+        		}
+        	}
+        	filter: {
+        		namespace: parameter.namespace
+        		if parameter.labelselector != _|_ {
+        			matchingLabels: parameter.labelselector
+        		}
+        		if parameter.labelselector == _|_ {
+        			matchingLabels: "workflow.oam.dev/name": context.name
+        		}
+        	}
+        }
+        cleanPods: op.#Delete & {
+        	value: {
+        		apiVersion: "v1"
+        		kind:       "pod"
+        		metadata: {
+        			name:      context.name
+        			namespace: parameter.namespace
+        		}
+        	}
+        	filter: {
+        		namespace: parameter.namespace
+        		if parameter.labelselector != _|_ {
+        			matchingLabels: parameter.labelselector
+        		}
+        		if parameter.labelselector == _|_ {
+        			matchingLabels: "workflow.oam.dev/name": context.name
+        		}
+        	}
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/collect-service-endpoints.yaml
+++ b/charts/vela-core/templates/defwithtemplate/collect-service-endpoints.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Collect service endpoints for the application.
  name: collect-service-endpoints
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/container-image.yaml
@@ -72,7 +72,7 @@ spec:
        		}]
        	}
        }
-        parameter: *#PatchParams | close({
+        parameter: #PatchParams | close({
        	// +usage=Specify the container image for multiple containers
        	containers: [...#PatchParams]
        })
--- a/charts/vela-core/templates/defwithtemplate/create-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/create-config.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Config Management
    definition.oam.dev/description: Create or update a config
  name: create-config
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/cron-task.yaml
@@ -12,8 +12,13 @@ spec:
    cue:
      template: |
        output: {
-        	apiVersion: "batch/v1beta1"
-        	kind:       "CronJob"
+        	if context.clusterVersion.minor < 25 {
+        		apiVersion: "batch/v1beta1"
+        	}
+        	if context.clusterVersion.minor >= 25 {
+        		apiVersion: "batch/v1"
+        	}
+        	kind: "CronJob"
        	spec: {
        		schedule:                   parameter.schedule
        		concurrencyPolicy:          parameter.concurrencyPolicy
@@ -313,8 +318,5 @@ spec:
        	failureThreshold: *3 | int
        }
  workload:
-    definition:
-      apiVersion: batch/v1beta1
-      kind: CronJob
-    type: cronjobs.batch
+    type: autodetects.core.oam.dev

--- a/charts/vela-core/templates/defwithtemplate/delete-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/delete-config.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Config Management
    definition.oam.dev/description: Delete a config
  name: delete-config
  namespace: {{ include "systemDefinitionNamespace" . }}
--- a/charts/vela-core/templates/defwithtemplate/depends-on-app.yaml
+++ b/charts/vela-core/templates/defwithtemplate/depends-on-app.yaml
@@ -4,9 +4,8 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Wait for the specified Application to complete.
-  labels:
-    custom.definition.oam.dev/ui-hidden: "true"
  name: depends-on-app
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/deploy-cloud-resource.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy-cloud-resource.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Deploy cloud resource and deliver secret to multi clusters.
  labels:
    custom.definition.oam.dev/scope: Application
--- a/charts/vela-core/templates/defwithtemplate/deploy.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy.yaml
@@ -4,6 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: A powerful and unified deploy step for components multi-cluster delivery with policies.
  labels:
    custom.definition.oam.dev/scope: Application
@@ -26,7 +27,7 @@ spec:
        	//+usage=If set to false, the workflow will suspend automatically before this step, default to be true.
        	auto: *true | bool
        	//+usage=Declare the policies that used for this deployment. If not specified, the components will be deployed to the hub cluster.
-        	policies?: [...string]
+        	policies: *[] | [...string]
        	//+usage=Maximum number of concurrent delivered components.
        	parallelism: *5 | int
        	//+usage=If set false, this step will apply the components with the terraform workload.
--- a/charts/vela-core/templates/defwithtemplate/deploy2env.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy2env.yaml
@@ -1,5 +1,5 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/deploy2env.cue
+# Definition source cue file: vela-templates/definitions/deprecated/deploy2env.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
--- a/charts/vela-core/templates/defwithtemplate/deploy2runtime.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy2runtime.yaml
@@ -1,5 +1,5 @@
 # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
-# Definition source cue file: vela-templates/definitions/internal/deploy2runtime.cue
+# Definition source cue file: vela-templates/definitions/deprecated/deploy2runtime.cue
 apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
--- a/charts/vela-core/templates/defwithtemplate/export-data.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export-data.yaml
@@ -4,7 +4,10 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Export data to clusters specified by topology.
+  labels:
+    custom.definition.oam.dev/scope: Application
  name: export-data
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/export-service.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export-service.yaml
@@ -4,7 +4,10 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Application Delivery
    definition.oam.dev/description: Export service to clusters specified by topology.
+  labels:
+    custom.definition.oam.dev/scope: Application
  name: export-service
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/charts/vela-core/templates/defwithtemplate/export2config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export2config.yaml
@@ -4,9 +4,8 @@ apiVersion: core.oam.dev/v1beta1
 kind: WorkflowStepDefinition
 metadata:
  annotations:
+    custom.definition.oam.dev/category: Resource Management
    definition.oam.dev/description: Export data to specified Kubernetes ConfigMap in your workflow.
-  labels:
-    custom.definition.oam.dev/ui-hidden: "true"
  name: export2config
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
--- a/Show More
+++ b/Show More