Feat: Implement array builder and enhance CUE generation for X-Definitions (#7039 )

* feat: implement array builder and enhance CUE generation with conditional outputs Signed-off-by: Amit Singh <singhamitch@outlook.com> Co-authored-by: Amit Singh <singhamitch@outlook.com> Co-authored-by: Amit Singh <singhamitch@outlook.com> Signed-off-by: Amit Singh <singhamitch@outlook.com> * feat: enhance CUE generation for struct fields and add support for array element types Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Co-authored-by: Amit Singh <singhamitch@outlook.com> Signed-off-by: Amit Singh <singhamitch@outlook.com> * feat: refactor CUE generation logic for struct fields and streamline resource output handling Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> --------- Signed-off-by: Amit Singh <singhamitch@outlook.com> Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com> Co-authored-by: Amit Singh <singhamitch@outlook.com>
Feat: Defkit implementation (#7037 )
2026-02-14 18:10:21 +00:00 · 2026-02-12 14:27:56 +00:00 · 2026-02-10 15:00:44 +00:00 · 2026-02-04 09:41:38 +00:00 · 2026-01-27 09:30:58 +00:00 · 2026-01-23 18:03:09 +00:00
1976 changed files with 173417 additions and 190356 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,37 +1,35 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file

-*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat
-design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat
+*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet
+design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong @anoop2811 @briankane @jguionnet

 # Owner of Core Controllers
-pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow
+pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet

 # Owner of Standard Controllers
-pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow
+pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive @anoop2811 @FogDong @briankane @jguionnet

 # Owner of CUE
-pkg/cue                            @leejanee @FogDong @Somefive
-pkg/stdlib                         @leejanee @FogDong @Somefive
+pkg/cue                            @leejanee @FogDong @Somefive @anoop2811 @briankane @jguionnet
+pkg/stdlib                         @leejanee @FogDong @Somefive @anoop2811 @briankane @jguionnet

 # Owner of Workflow
-pkg/workflow                       @leejanee @FogDong @Somefive
-
-# Owner of rollout
-pkg/controller/common/rollout/     @wangyikewxgm @wonderflow
-runtime/rollout                    @wangyikewxgm @wonderflow
+pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet

 # Owner of vela templates
-vela-templates/                     @Somefive @barnettZQG @wonderflow
+vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq @anoop2811 @briankane @jguionnet

 # Owner of vela CLI
-references/cli/                     @Somefive @zzxwill @StevenLeiZhang @charlie0129 @chivalryq
-
-# Owner of vela APIServer
-pkg/apiserver/                     @barnettZQG @yangsoon @FogDong
+references/cli/                     @Somefive @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq @anoop2811 @FogDong @briankane @jguionnet

 # Owner of vela addon framework
-pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129
+pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129 @anoop2811 @FogDong @briankane @jguionnet

 # Owner of resource keeper and tracker
-pkg/resourcekeeper                 @Somefive @FogDong
-pkg/resourcetracker                @Somefive @FogDong
+pkg/resourcekeeper                 @Somefive @FogDong @chivalryq @anoop2811 @briankane @jguionnet
+pkg/resourcetracker                @Somefive @FogDong @chivalryq @anoop2811 @briankane @jguionnet
+
+.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet
+makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet
+go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811 @briankane @jguionnet
+
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,6 +1,8 @@

 ### Description of your changes

+copilot:all
+
 <!--

 Briefly describe what this pull request does. We love pull requests that resolve an open KubeVela issue. If yours does, you
--- a/.github/actions/deploy-current-branch/README.md
+++ b/.github/actions/deploy-current-branch/README.md
@@ -0,0 +1,35 @@
+# Deploy Current Branch Action
+
+This GitHub composite action builds a Docker image from the current branch commit and deploys it to a KubeVela cluster for development testing.
+
+## What it does
+
+- Generates a unique image tag from the latest commit hash
+- Builds and loads the Docker image into a KinD cluster
+- Applies KubeVela CRDs for upgrade safety
+- Upgrades the KubeVela Helm release to use the local development image
+- Verifies deployment status and the running image version
+
+## Usage
+
+```yaml
+- name: Deploy Current Branch
+  uses: ./path/to/this/action
+```
+
+## Requirements
+
+- Docker, Helm, kubectl, and KinD must be available in your runner environment
+- Kubernetes cluster access
+- `charts/vela-core/crds` directory with CRDs
+- Valid Helm chart at `charts/vela-core`
+
+## Steps performed
+
+1. **Generate commit hash for image tag**
+2. **Build & load Docker image into KinD**
+3. **Pre-apply chart CRDs**
+4. **Upgrade KubeVela using local image**
+5. **Verify deployment and image version**
+
+---
--- a/.github/actions/deploy-current-branch/action.yaml
+++ b/.github/actions/deploy-current-branch/action.yaml
@@ -0,0 +1,89 @@
+name: 'Deploy Current Branch'
+description: 'Builds Docker image from current branch commit and deploys it to KubeVela cluster for development testing'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Git Commit Hash Generation
+    # Generate unique image tag from current branch's latest commit
+    # ========================================================================
+    - name: Get commit hash
+      id: commit_hash
+      shell: bash
+      run: |
+        COMMIT_HASH="git-$(git rev-parse --short HEAD)"
+        echo "Using commit hash: $COMMIT_HASH"
+        echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
+
+    # ========================================================================
+    # Docker Image Build and Cluster Loading
+    # Build development image from current code and load into KinD cluster
+    # ========================================================================
+    - name: Build and load Docker image
+      shell: bash
+      run: |
+        echo "Building development image: vela-core-test:${{ env.COMMIT_HASH }}"
+
+        mkdir -p $HOME/tmp/
+
+        docker build --no-cache \
+          -t vela-core-test:${{ env.COMMIT_HASH }} \
+          -f Dockerfile .
+
+        echo "Loading image into KinD cluster..."
+        TMPDIR=$HOME/tmp/ kind load docker-image vela-core-test:${{ env.COMMIT_HASH }}
+
+    # ========================================================================
+    # Custom Resource Definitions Application
+    # Pre-apply CRDs to ensure upgrade compatibility and prevent conflicts
+    # ========================================================================
+    - name: Pre-apply CRDs from target chart (upgrade-safe)
+      shell: bash
+      run: |
+        CRD_DIR="charts/vela-core/crds"
+
+        echo "Applying CRDs idempotently..."
+        kubectl apply -f "${CRD_DIR}"
+
+    # ========================================================================
+    # KubeVela Helm Chart Upgrade
+    # Upgrade existing installation to use locally built development image
+    # ========================================================================
+    - name: Upgrade KubeVela to development image
+      shell: bash
+      run: |
+        echo "Upgrading KubeVela to development version..."
+        helm upgrade kubevela ./charts/vela-core \
+          --namespace vela-system \
+          --set image.repository=vela-core-test \
+          --set image.tag=${{ env.COMMIT_HASH }} \
+          --set image.pullPolicy=IfNotPresent \
+          --timeout 5m \
+          --wait \
+          --debug
+
+    # ========================================================================
+    # Deployment Status Verification
+    # Verify successful upgrade and confirm correct image deployment
+    # ========================================================================
+    - name: Verify deployment status
+      shell: bash
+      run: |
+        echo "=== DEPLOYMENT VERIFICATION ==="
+        echo "Verifying upgrade to local development image..."
+
+        echo "--- Pod Status ---"
+        kubectl get pods -n vela-system
+
+        echo "--- Deployment Rollout ---"
+        kubectl rollout status deployment/kubevela-vela-core \
+          -n vela-system \
+          --timeout=300s
+
+        echo "--- Deployed Image Version ---"
+        kubectl get deployment kubevela-vela-core \
+          -n vela-system \
+          -o yaml | grep "image:" | head -1
+
+        echo "Deployment verification completed successfully!"
--- a/.github/actions/deploy-latest-release/README.md
+++ b/.github/actions/deploy-latest-release/README.md
@@ -0,0 +1,32 @@
+# Install Latest KubeVela Release Action
+
+This GitHub composite action installs the latest stable KubeVela release from the official Helm repository and verifies its deployment status.
+
+## What it does
+
+- Discovers the latest stable KubeVela release tag from GitHub
+- Adds and updates the official KubeVela Helm chart repository
+- Installs KubeVela into the `vela-system` namespace (using Helm)
+- Verifies pod status and deployment rollout for successful installation
+
+## Usage
+
+```yaml
+- name: Install Latest KubeVela Release
+  uses: ./path/to/this/action
+```
+
+## Requirements
+
+- Helm, kubectl, jq, and curl must be available in your runner environment
+- Kubernetes cluster access
+
+## Steps performed
+
+1. **Release Tag Discovery:** Fetches latest stable tag (without `v` prefix)
+2. **Helm Repo Setup:** Adds/updates KubeVela Helm chart repo
+3. **Install KubeVela:** Installs latest release in the `vela-system` namespace
+4. **Status Verification:** Checks pod status and rollout for readiness
+
+---
+
--- a/.github/actions/deploy-latest-release/action.yaml
+++ b/.github/actions/deploy-latest-release/action.yaml
@@ -0,0 +1,68 @@
+name: 'Install Latest KubeVela Release'
+description: 'Installs the latest stable KubeVela release from official Helm repository with status verification'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Latest Release Tag Discovery
+    # Fetch current stable release version from GitHub API
+    # ========================================================================
+    - name: Get latest KubeVela release tag (no v prefix)
+      id: get_latest_tag
+      shell: bash
+      run: |
+        TAG=$(curl -s https://api.github.com/repos/kubevela/kubevela/releases/latest | \
+              jq -r ".tag_name" | \
+              awk '{sub(/^v/, ""); print}')
+        echo "LATEST_TAG=$TAG" >> $GITHUB_ENV
+        echo "Discovered latest release: $TAG"
+
+    # ========================================================================
+    # Helm Repository Configuration
+    # Add and update official KubeVela chart repository
+    # ========================================================================
+    - name: Add KubeVela Helm repo
+      shell: bash
+      run: |
+        echo "Adding KubeVela Helm repository..."
+        helm repo add kubevela https://kubevela.github.io/charts
+        helm repo update
+        echo "Helm repository configuration completed"
+
+    # ========================================================================
+    # KubeVela Stable Release Installation
+    # Deploy latest stable version to vela-system namespace
+    # ========================================================================
+    - name: Install KubeVela ${{ env.LATEST_TAG }}
+      shell: bash
+      run: |
+        echo "Installing KubeVela version: ${{ env.LATEST_TAG }}"
+        helm install \
+          --create-namespace \
+          -n vela-system \
+          kubevela kubevela/vela-core \
+          --version ${{ env.LATEST_TAG }} \
+          --timeout 10m \
+          --wait
+        echo "KubeVela installation completed"
+
+    # ========================================================================
+    # Installation Status Verification
+    # Verify successful deployment and readiness of KubeVela components
+    # ========================================================================
+    - name: Post-install status
+      shell: bash
+      run: |
+        echo "=== INSTALLATION VERIFICATION ==="
+        echo "Verifying KubeVela deployment status..."
+
+        echo "--- Pod Status ---"
+        kubectl get pods -n vela-system
+
+        echo "--- Deployment Rollout ---"
+        kubectl rollout status deployment/kubevela-vela-core \
+          -n vela-system \
+          --timeout=300s
+
+        echo "KubeVela installation verification completed successfully!"
--- a/.github/actions/e2e-test/README.md
+++ b/.github/actions/e2e-test/README.md
@@ -0,0 +1,51 @@
+# Kubevela K8s Upgrade E2E Test Action
+
+A comprehensive GitHub composite action for running KubeVela Kubernetes upgrade end-to-end (E2E) tests with complete environment setup, multiple test suites, and failure diagnostics.
+
+
+> **Note**: This action requires the `GO_VERSION` environment variable to be set in your workflow.
+
+## Quick Start
+
+### Basic Usage
+
+```yaml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  e2e-tests:
+    runs-on: ubuntu-latest
+    env:
+      GO_VERSION: '1.23.8'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Run KubeVela E2E Tests
+        uses: ./.github/actions/upgrade-e2e-test
+```
+
+## Test Flow Diagram
+
+```
+┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
+│ Environment     │    │ E2E Environment  │    │ Test Execution  │
+│ Setup           │───▶│ Preparation      │───▶│ (3 Suites)      │
+│                 │    │                  │    │                 │
+│ • Install tools │    │ • Cleanup        │    │ • API tests     │
+│ • Setup Go      │    │ • Core setup     │    │ • Addon tests   │
+│ • Dependencies  │    │ • Helm tests     │    │ • General tests │
+│ • Build project │    │                  │    │                 │
+└─────────────────┘    └──────────────────┘    └─────────────────┘
+                                                        │
+                                                        ▼
+                                                ┌─────────────────┐
+                                                │ Diagnostics     │
+                                                │ (On Failure)    │
+                                                │                 │
+                                                │ • Cluster logs  │
+                                                │ • System events │
+                                                │ • Test artifacts│
+                                                └─────────────────┘
+```
--- a/.github/actions/e2e-test/action.yaml
+++ b/.github/actions/e2e-test/action.yaml
@@ -0,0 +1,100 @@
+name: 'Kubevela K8s Upgrade e2e Test'
+description: 'Runs Kubevela K8s upgrade e2e tests, uploads coverage, and collects diagnostics on failure.'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+      with:
+        install-ginkgo: 'true'
+        install-setup-envtest: 'false'
+        install-kustomize: 'false'
+
+    - name: Build project
+      shell: bash
+      run: make
+
+    # ========================================================================
+    # E2E Test Environment Preparation
+    # ========================================================================
+    - name: Prepare e2e environment
+      shell: bash
+      run: |
+        echo "Preparing e2e test environment..."
+        make e2e-cleanup
+        make e2e-setup-core
+
+        echo "Running Helm tests..."
+        helm test -n vela-system kubevela --timeout 5m
+
+    # ========================================================================
+    # E2E Test Execution
+    # ========================================================================
+    - name: Run API e2e tests
+      shell: bash
+      run: |
+        echo "Running API e2e tests..."
+        make e2e-api-test
+
+    - name: Run addon e2e tests
+      shell: bash
+      run: |
+        echo "Running addon e2e tests..."
+        make e2e-addon-test
+
+    - name: Run general e2e tests
+      shell: bash
+      run: |
+        echo "Running general e2e tests..."
+        make e2e-test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: ./coverage.txt
+        flags: core-unittests
+        name: codecov-umbrella
+        fail_ci_if_error: false
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
+
+        echo "--- Helm Release Status ---"
+        helm list -A || true
+        helm status kubevela -n vela-system || true
+
+        echo "--- Test Artifacts ---"
+        find . -name "*.log" -type f -exec echo "=== {} ===" \; -exec cat {} \; || true
--- a/.github/actions/env-setup/README.md
+++ b/.github/actions/env-setup/README.md
@@ -0,0 +1,67 @@
+# Kubevela Test Environment Setup Action
+
+A GitHub Actions composite action that sets up a complete testing environment for Kubevela projects with Go, Kubernetes tools, and the Ginkgo testing framework.
+
+## Features
+
+- 🛠️ **System Dependencies**: Installs essential build tools (make, gcc, jq, curl, etc.)
+- ☸️ **Kubernetes Tools**: Sets up kubectl and Helm for cluster operations
+- 🐹 **Go Environment**: Configurable Go version with module caching
+- 📦 **Dependency Management**: Downloads and verifies Go module dependencies
+- 🧪 **Testing Framework**: Installs Ginkgo v2 for BDD-style testing
+
+## Usage
+
+```yaml
+- name: Setup Kubevela Test Environment
+  uses: ./path/to/this/action
+  with:
+    go-version: '1.23.8'      # Optional: Go version (default: 1.23.8)
+```
+
+### Example Workflow
+
+```yaml
+name: Kubevela Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Setup Test Environment
+        uses: ./path/to/this/action
+        with:
+          go-version: '1.21'
+          
+      - name: Run Tests
+        run: |
+          ginkgo -r ./tests/e2e/
+```
+
+## Inputs
+
+| Input | Description | Required | Default | Usage |
+|-------|-------------|----------|---------|-------|
+| `go-version` | Go version to install and use | No | `1.23.8` | Specify Go version for your project |
+
+## What This Action Installs
+
+### System Tools
+- **make**: Build automation tool
+- **gcc**: GNU Compiler Collection
+- **jq**: JSON processor for shell scripts
+- **ca-certificates**: SSL/TLS certificates
+- **curl**: HTTP client for downloads
+- **gnupg**: GNU Privacy Guard for security
+
+### Kubernetes Ecosystem
+- **kubectl**: Kubernetes command-line tool (latest stable)
+- **helm**: Kubernetes package manager (latest stable)
+
+### Go Development
+- **Go Runtime**: Specified version with module caching enabled
+- **Go Modules**: Downloaded and verified dependencies
+- **Ginkgo v2.14.0**: BDD testing framework for Go
--- a/.github/actions/env-setup/action.yaml
+++ b/.github/actions/env-setup/action.yaml
@@ -0,0 +1,120 @@
+name: 'Kubevela Test Environment Setup'
+description: 'Sets up complete testing environment for Kubevela with Go, Kubernetes tools, and testing frameworks.'
+
+inputs:
+  go-version:
+    description: 'Go version to use for testing'
+    required: false
+    default: '1.23.8'
+  install-ginkgo:
+    description: 'Install Ginkgo testing framework'
+    required: false
+    default: 'true'
+  install-setup-envtest:
+    description: 'Install setup-envtest for integration testing'
+    required: false
+    default: 'false'
+  install-kustomize:
+    description: 'Install kustomize for manifest management'
+    required: false
+    default: 'false'
+  kustomize-version:
+    description: 'Kustomize version to install'
+    required: false
+    default: '4.5.4'
+
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        # Update package manager and install essential tools
+        sudo apt-get update
+        sudo apt-get install -y \
+          make \
+          gcc \
+          jq \
+          ca-certificates \
+          curl \
+          gnupg
+
+    - name: Install kubectl and helm
+      shell: bash
+      run: |
+        # Detect architecture
+        ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+
+        # Install kubectl using a known stable version to avoid network issues
+        # The dl.k8s.io/release/stable.txt endpoint can return garbage due to CDN issues
+        KUBECTL_VERSION="v1.31.0"
+        echo "Installing kubectl version: $KUBECTL_VERSION for architecture: $ARCH"
+        curl -LO --retry 3 --fail "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"
+        chmod +x kubectl
+        sudo mv kubectl /usr/local/bin/
+
+        # Install helm using the official script
+        echo "Installing Helm using official script..."
+        curl -fsSL --retry 3 -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+        chmod 700 get_helm.sh
+        ./get_helm.sh
+        rm get_helm.sh
+
+        # Verify installations
+        echo "Verifying installations..."
+        kubectl version --client
+        helm version
+    
+
+    - name: Setup Go environment
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+      with:
+        go-version: ${{ inputs.go-version }}
+        cache: true
+
+    - name: Download Go dependencies
+      shell: bash
+      run: |
+        # Download and cache Go module dependencies
+        go mod download
+        go mod verify
+
+    - name: Install Ginkgo testing framework
+      if: ${{ inputs.install-ginkgo == 'true' }}
+      shell: bash
+      run: |
+        echo "Installing Ginkgo testing framework..."
+        go install github.com/onsi/ginkgo/v2/ginkgo@v2.14.0
+        echo "Ginkgo installed successfully"
+
+    - name: Install setup-envtest
+      if: ${{ inputs.install-setup-envtest == 'true' }}
+      shell: bash
+      run: |
+        echo "Installing setup-envtest for integration testing..."
+        mkdir -p ./bin
+        GOBIN=$(pwd)/bin go install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20240522175850-2e9781e9fc60
+        echo "setup-envtest installed successfully at ./bin/setup-envtest"
+        ls -la ./bin/setup-envtest
+
+        # Download and cache the Kubernetes binaries for envtest
+        echo "Downloading Kubernetes binaries for envtest..."
+        KUBEBUILDER_ASSETS=$(./bin/setup-envtest use 1.31.0 --bin-dir ./bin -p path)
+        echo "Kubernetes binaries downloaded successfully"
+        echo "KUBEBUILDER_ASSETS=${KUBEBUILDER_ASSETS}"
+        # Export for subsequent steps
+        echo "KUBEBUILDER_ASSETS=${KUBEBUILDER_ASSETS}" >> $GITHUB_ENV
+
+    - name: Install kustomize
+      if: ${{ inputs.install-kustomize == 'true' }}
+      shell: bash
+      run: |
+        echo "Installing kustomize version ${{ inputs.kustomize-version }}..."
+        mkdir -p ./bin
+        curl -sS https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash -s ${{ inputs.kustomize-version }} $(pwd)/bin
+        echo "kustomize installed successfully at ./bin/kustomize"
+        ./bin/kustomize version
--- a/.github/actions/multicluster-test/README.md
+++ b/.github/actions/multicluster-test/README.md
@@ -0,0 +1,35 @@
+# Kubevela K8s Upgrade Multicluster E2E Test Action
+
+A comprehensive GitHub Actions composite action for running Kubevela Kubernetes upgrade multicluster end-to-end tests with automated coverage reporting and failure diagnostics.
+
+## Usage
+
+
+```yaml
+name: Kubevela Multicluster E2E Tests
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  multicluster-e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Multicluster E2E Tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: 'true'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+```
+
+## Inputs
+
+| Input | Description | Required | Default | Type |
+|-------|-------------|----------|---------|------|
+| `codecov-token` | Codecov token for uploading coverage reports | No | `''` | string |
+| `codecov-enable` | Enable codecov coverage upload | No | `'false'` | string |
--- a/.github/actions/multicluster-test/action.yaml
+++ b/.github/actions/multicluster-test/action.yaml
@@ -0,0 +1,80 @@
+name: 'Kubevela K8s Upgrade Multicluster E2E Test'
+description: 'Runs Kubevela Kubernetes upgrade multicluster end-to-end tests, uploads coverage, and collects diagnostics on failure.'
+author: 'viskumar_gwre'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+      with:
+        install-ginkgo: 'true'
+        install-setup-envtest: 'false'
+        install-kustomize: 'false'
+
+    # ========================================================================
+    # E2E Test Execution
+    # ========================================================================
+    - name: Prepare e2e test environment
+      shell: bash
+      run: |
+        # Build CLI tools and prepare test environment
+        echo "Building KubeVela CLI..."
+        make vela-cli
+
+        echo "Cleaning up previous test artifacts..."
+        make e2e-cleanup
+
+        echo "Setting up core authentication for e2e tests..."
+        make e2e-setup-core-auth
+
+    - name: Execute multicluster upgrade e2e tests
+      shell: bash
+      run: |
+        # Add built CLI to PATH and run multicluster tests
+        export PATH=$(pwd)/bin:$PATH
+
+        echo "Running e2e multicluster upgrade tests..."
+        make e2e-multicluster-test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
+        flags: e2e-multicluster-test
+        name: codecov-umbrella
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
--- a/.github/actions/setup-kind-cluster/README.md
+++ b/.github/actions/setup-kind-cluster/README.md
@@ -0,0 +1,78 @@
+# Setup Kind Cluster Action
+
+A GitHub Action that sets up a Kubernetes testing environment using Kind (Kubernetes in Docker) for E2E testing.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `k8s-version` | Kubernetes version for the kind cluster | No | `v1.31.9` |
+
+## Quick Start
+
+```yaml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      
+      - name: Setup Kind Cluster
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: 'v1.31.9'
+      
+      - name: Run tests
+        run: |
+          kubectl cluster-info
+          make test-e2e
+```
+
+## What it does
+
+1. **Installs Kind CLI** - Downloads Kind v0.29.0 using Go
+2. **Cleans up** - Removes any existing Kind clusters
+3. **Creates cluster** - Spins up Kubernetes v1.31.9 cluster
+4. **Sets up environment** - Configures KUBECONFIG for kubectl access
+5. **Loads images** - Builds and loads Docker images using `make image-load`
+
+## File Structure
+
+Save as `.github/actions/setup-kind-cluster/action.yaml`:
+
+```yaml
+name: 'SetUp kind cluster'
+description: 'Sets up complete testing environment for Kubevela with Go, Kubernetes tools, and Ginkgo framework for E2E testing.'
+
+inputs:
+  k8s-version:
+    description: 'Kubernetes version for the kind cluster'
+    required: false
+    default: 'v1.31.9'
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Kind cluster Setup
+    # ========================================================================
+    - name: Setup KinD
+      run: |
+        go install sigs.k8s.io/kind@v0.29.0
+        kind delete cluster || true
+        kind create cluster --image=kindest/node:${{ inputs.k8s-version }}
+      shell: bash
+
+    - name: Load image
+      run: |
+        mkdir -p $HOME/tmp/
+        TMPDIR=$HOME/tmp/ make image-load
+      shell: bash
+```
--- a/.github/actions/setup-kind-cluster/action.yaml
+++ b/.github/actions/setup-kind-cluster/action.yaml
@@ -0,0 +1,36 @@
+name: 'SetUp kind cluster'
+description: 'Sets up a KinD (Kubernetes in Docker) cluster with configurable Kubernetes version and optional cluster naming for testing and development workflows.'
+inputs:
+  k8s-version:
+    description: 'Kubernetes version for the kind cluster'
+    required: false
+    default: 'v1.31.9'
+  name:
+    description: 'Name of the kind cluster'
+    required: false
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Kind cluster Setup
+    # ========================================================================
+    - name: Setup KinD
+      run: |
+        go install sigs.k8s.io/kind@v0.29.0
+        if [ -n "${{ inputs.name }}" ]; then
+          kind delete cluster --name="${{ inputs.name }}" || true
+          kind create cluster --name="${{ inputs.name }}" --image=kindest/node:${{ inputs.k8s-version }}
+          kind export kubeconfig --internal --name="${{ inputs.name }}" --kubeconfig /tmp/${{ inputs.name }}.kubeconfig
+        else
+          kind delete cluster || true
+          kind create cluster --image=kindest/node:${{ inputs.k8s-version }}
+        fi
+      shell: bash
+
+    - name: Load image
+      run: |
+        if [ -z "${{ inputs.name }}" ]; then
+          mkdir -p $HOME/tmp/
+          TMPDIR=$HOME/tmp/ make image-load
+        fi
+      shell: bash
--- a/.github/actions/unit-test/README.md
+++ b/.github/actions/unit-test/README.md
@@ -0,0 +1,34 @@
+# Kubevela K8s Upgrade Unit Test Action
+
+A comprehensive GitHub composite action for running KubeVela Kubernetes upgrade unit tests with coverage reporting and failure diagnostics.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `codecov-token` | Codecov token for uploading coverage reports | ❌ | `''` |
+| `codecov-enable` | Enable Codecov coverage upload (`'true'` or `'false'`) | ❌ | `'false'` |
+| `go-version` | Go version to use for testing | ❌ | `'1.23.8'` |
+
+## Quick Start
+
+### Basic Usage
+
+```yaml
+name: Unit Tests with Coverage
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Run KubeVela Unit Tests
+        uses: viskumar_gwre/kubevela-k8s-upgrade-unit-test-action@v1
+        with:
+          codecov-enable: 'true'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          go-version: '1.23.8'
+```
--- a/.github/actions/unit-test/action.yaml
+++ b/.github/actions/unit-test/action.yaml
@@ -0,0 +1,71 @@
+name: 'Kubevela K8s Upgrade Unit Test'
+description: 'Runs Kubevela K8s upgrade unit tests, uploads coverage, and collects diagnostics on failure.'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+      with:
+        install-ginkgo: 'true'
+        install-setup-envtest: 'true'
+        install-kustomize: 'true'
+
+    # ========================================================================
+    # Unit Test Execution
+    # ========================================================================
+    - name: Run unit tests
+      shell: bash
+      run: |
+        echo "Running unit tests..."
+        make test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: ./coverage.txt
+        flags: core-unittests
+        name: codecov-umbrella
+        fail_ci_if_error: false
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Go Environment ---"
+        go version || true
+        go env || true
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
+
+        echo "--- Test Artifacts ---"
+        find . -name "*.log" -o -name "*test*.xml" -o -name "coverage.*" | head -20 || true
--- a/.github/bot.md
+++ b/.github/bot.md
@@ -1,6 +1,6 @@
 ### GitHub & kubevela automation

-The bot is configured via [issue-commands.json](https://github.com/kubevela/kubevela/blob/master/.github/workflows/issue-commands.json) 
+The bot is configured via [issue-commands.json](https://github.com/kubevela/kubevela/blob/master/.github/issue-commands.json) 
 and some other GitHub [workflows](https://github.com/kubevela/kubevela/blob/master/.github/workflows).
 By default, users with write access to the repo is allowed to use the comments, 
 the [userlist](https://github.com/kubevela/kubevela/blob/master/.github/comment.userlist) 
--- a/.github/comment.userlist
+++ b/.github/comment.userlist
@@ -11,4 +11,7 @@ wangyuan249
 chivalryq
 FogDong
 leejanee
-barnettZQG
+barnettZQG
+anoop2811 
+briankane 
+jguionnet
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "Chore: "
+      include: "scope"
+    ignore:
+      - dependency-name: k8s.io/*
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "Chore: "
+      include: "scope"      
--- a/.github/workflows/apiserver-test.yaml
+++ b/.github/workflows/apiserver-test.yaml
@@ -1,207 +0,0 @@
-name: VelaUX APIServer Test
-
-on:
-  push:
-    branches:
-      - master
-      - release-*
-      - apiserver
-    tags:
-      - v*
-  workflow_dispatch: { }
-  pull_request:
-    branches:
-      - master
-      - release-*
-      - apiserver
-
-env:
-  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
-
-jobs:
-
-  detect-noop:
-    runs-on: ubuntu-20.04
-    outputs:
-      noop: ${{ steps.noop.outputs.should_skip }}
-    steps:
-      - name: Detect No-op Changes
-        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
-          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
-
-  apiserver-unit-tests:
-    runs-on: ubuntu-20.04
-    needs: detect-noop
-    if: needs.detect-noop.outputs.noop != 'true'
-
-    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v1
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-        with:
-          submodules: true
-
-      - name: Cache Go Dependencies
-        uses: actions/cache@v2
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install ginkgo
-        run: |
-          sudo apt-get install -y golang-ginkgo-dev
-
-      - name: Start MongoDB
-        uses: supercharge/mongodb-github-action@1.7.0
-        with:
-          mongodb-version: '5.0'
-
-      - name: install Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@v1.2
-        with:
-          version: 3.1.0
-          kubebuilderOnly: false
-          kubernetesVersion: v1.21.2
-
-      - name: Run api server unit test
-        run: make unit-test-apiserver
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.txt
-          flags: apiserver-unittests
-          name: codecov-umbrella
-
-  apiserver-e2e-tests:
-    runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
-    if: needs.detect-noop.outputs.noop != 'true'
-    strategy:
-      matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
-      cancel-in-progress: true
-
-    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v1
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-        with:
-          submodules: true
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Tear down K3d if exist
-        run: |
-          k3d cluster delete || true
-          k3d cluster delete worker || true
-
-      - name: Calculate K3d args
-        run: |
-          EGRESS_ARG=""
-          if [[ "${{ matrix.k8s-version }}" == v1.24 ]]; then
-            EGRESS_ARG="--k3s-arg --egress-selector-mode=disabled@server:0"
-          fi
-          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
-
-      - name: Setup K3d (Hub)
-        uses: nolar/setup-k3d-k3s@v1.0.8
-        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-args: ${{ env.EGRESS_ARG }}
-
-
-      - name: Setup K3d (Worker)
-        uses: nolar/setup-k3d-k3s@v1.0.8
-        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-name: worker
-          k3d-args: --kubeconfig-update-default=false --network=k3d-k3s-default ${{ env.EGRESS_ARG }}
-
-
-      - name: Kind Cluster (Worker)
-        run: |
-          internal_ip=$(docker network inspect k3d-k3s-default|jq ".[0].Containers"| jq -r '.[]| select(.Name=="k3d-worker-server-0")|.IPv4Address' | cut -d/ -f1)
-          k3d kubeconfig get worker > /tmp/worker.client.kubeconfig
-          cp /tmp/worker.client.kubeconfig /tmp/worker.kubeconfig
-          sed -i "s/0.0.0.0:[0-9]\+/$internal_ip:6443/"  /tmp/worker.kubeconfig
-
-      - name: Load image to k3d cluster
-        run: make image-load
-
-      - name: Cleanup for e2e tests
-        run: |
-          make vela-cli
-          make e2e-cleanup
-          make e2e-setup-core
-          bin/vela addon enable fluxcd
-          timeout 600s bash -c -- 'while true; do kubectl get ns flux-system; if [ $? -eq 0 ] ; then break; else sleep 5; fi;done'
-          kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=vela-core,app.kubernetes.io/instance=kubevela -n vela-system --timeout=600s
-          kubectl wait --for=condition=Ready pod -l app=source-controller -n flux-system --timeout=600s
-          kubectl wait --for=condition=Ready pod -l app=helm-controller -n flux-system --timeout=600s
-
-      - name: Run api server e2e test
-        run: |
-          export ALIYUN_ACCESS_KEY_ID=${{ secrets.ALIYUN_ACCESS_KEY_ID }}
-          export ALIYUN_ACCESS_KEY_SECRET=${{ secrets.ALIYUN_ACCESS_KEY_SECRET }}
-          export GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
-          make e2e-apiserver-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e-core
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e_apiserver_test.out
-          flags: apiserver-e2etests
-          name: codecov-umbrella
-
-      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
-
-      - name: Cleanup image
-        if: ${{ always() }}
-        run: make image-cleanup
--- a/.github/workflows/back-port.yaml
+++ b/.github/workflows/back-port.yaml
@@ -4,19 +4,25 @@ on:
    types:
      - closed

+permissions:
+  contents: read
+
 jobs:
  # align with crossplane's choice https://github.com/crossplane/crossplane/blob/master/.github/workflows/backport.yml
  open-pr:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    if: github.event.pull_request.merged
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0

      - name: Open Backport PR
-        uses: zeebe-io/backport-action@v0.0.6
+        uses: zeebe-io/backport-action@0193454f0c5947491d348f33a275c119f30eb736
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@@ -1,100 +0,0 @@
-name: Publish Chart
-
-on:
-  push:
-    tags:
-      - "v*"
-  workflow_dispatch: { }
-
-env:
-  BUCKET: ${{ secrets.OSS_BUCKET }}
-  ENDPOINT: ${{ secrets.OSS_ENDPOINT }}
-  ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
-  ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
-  ARTIFACT_HUB_REPOSITORY_ID: ${{ secrets.ARTIFACT_HUB_REPOSITORY_ID }}
-
-jobs:  
-  publish-charts:
-    env:
-      HELM_CHARTS_DIR: charts
-      HELM_CHART: charts/vela-core
-      MINIMAL_HELM_CHART: charts/vela-minimal
-      LEGACY_HELM_CHART: legacy/charts/vela-core-legacy
-      VELA_ROLLOUT_HELM_CHART: runtime/rollout/charts
-      LOCAL_OSS_DIRECTORY: .oss
-      HELM_CHART_NAME: vela-core
-      MINIMAL_HELM_CHART_NAME: vela-minimal
-      LEGACY_HELM_CHART_NAME: vela-core-legacy
-      VELA_ROLLOUT_HELM_CHART_NAME: vela-rollout
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@master
-      - name: Get git revision
-        id: vars
-        shell: bash
-        run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
-      - name: Install Helm
-        uses: azure/setup-helm@v1
-        with:
-          version: v3.4.0
-      - name: Setup node
-        uses: actions/setup-node@v2
-        with:
-          node-version: '14'
-      - name: Generate helm doc
-        run: |
-          make helm-doc-gen
-      - name: Prepare legacy chart
-        run: |
-          rsync -r $LEGACY_HELM_CHART $HELM_CHARTS_DIR
-          rsync -r $HELM_CHART/* $LEGACY_HELM_CHART --exclude=Chart.yaml --exclude=crds
-      - name: Prepare vela chart
-        run: |
-          rsync -r $VELA_ROLLOUT_HELM_CHART $HELM_CHARTS_DIR
-      - name: Get the version
-        id: get_version
-        run: |
-          VERSION=${GITHUB_REF#refs/tags/}
-          echo ::set-output name=VERSION::${VERSION}
-      - name: Tag helm chart image
-        run: |
-          image_tag=${{ steps.get_version.outputs.VERSION }}
-          chart_version=${{ steps.get_version.outputs.VERSION }}
-          sed -i "s/latest/${image_tag}/g" $HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $MINIMAL_HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $LEGACY_HELM_CHART/values.yaml
-          sed -i "s/latest/${image_tag}/g" $VELA_ROLLOUT_HELM_CHART/values.yaml
-          chart_smever=${chart_version#"v"}
-          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $MINIMAL_HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $LEGACY_HELM_CHART/Chart.yaml
-          sed -i "s/0.1.0/$chart_smever/g" $VELA_ROLLOUT_HELM_CHART/Chart.yaml
-      - name: Install ossutil
-        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
-      - name: Configure Alibaba Cloud OSSUTIL
-        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
-      - name: sync cloud to local
-        run: ./ossutil --config-file .ossutilconfig sync oss://$BUCKET/core $LOCAL_OSS_DIRECTORY
-      - name: add artifacthub stuff to the repo
-        run: |
-          rsync $HELM_CHART/README.md $LEGACY_HELM_CHART/README.md
-          rsync $HELM_CHART/README.md $VELA_ROLLOUT_HELM_CHART/README.md
-          sed -i "s/ARTIFACT_HUB_REPOSITORY_ID/$ARTIFACT_HUB_REPOSITORY_ID/g" hack/artifacthub/artifacthub-repo.yml
-          rsync hack/artifacthub/artifacthub-repo.yml $LOCAL_OSS_DIRECTORY
-      - name: Package helm charts
-        run: |
-          helm package $HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $MINIMAL_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $LEGACY_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm package $VELA_ROLLOUT_HELM_CHART --destination $LOCAL_OSS_DIRECTORY
-          helm repo index --url https://$BUCKET.$ENDPOINT/core $LOCAL_OSS_DIRECTORY
-      - name: sync local to cloud
-        run: |
-          image_tag=${{ steps.get_version.outputs.VERSION }}
-          chart_semver=${image_tag#"v"}
-          ./ossutil --config-file .ossutilconfig cp -f $LOCAL_OSS_DIRECTORY/index.yaml oss://$BUCKET/core/index.yaml
-          ./ossutil --config-file .ossutilconfig cp -f $LOCAL_OSS_DIRECTORY/$HELM_CHART_NAME-${chart_semver}.tgz oss://$BUCKET/core/$HELM_CHART_NAME-${chart_semver}.tgz 
-          ./ossutil --config-file .ossutilconfig cp -f $LOCAL_OSS_DIRECTORY/$MINIMAL_HELM_CHART_NAME-${chart_semver}.tgz oss://$BUCKET/core/$MINIMAL_HELM_CHART_NAME-${chart_semver}.tgz
-          ./ossutil --config-file .ossutilconfig cp -f $LOCAL_OSS_DIRECTORY/$LEGACY_HELM_CHART_NAME-${chart_semver}.tgz oss://$BUCKET/core/$LEGACY_HELM_CHART_NAME-${chart_semver}.tgz
-          ./ossutil --config-file .ossutilconfig cp -f $LOCAL_OSS_DIRECTORY/$VELA_ROLLOUT_HELM_CHART_NAME-${chart_semver}.tgz oss://$BUCKET/core/$VELA_ROLLOUT_HELM_CHART_NAME-${chart_semver}.tgz
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -0,0 +1,67 @@
+name: Publish Chart
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch: { }
+
+permissions:
+  contents: read
+
+jobs:  
+  publish-charts:
+    env:
+      HELM_CHARTS_DIR: charts
+      HELM_CHART: charts/vela-core
+      HELM_CHART_NAME: vela-core
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - name: Get git revision
+        id: vars
+        shell: bash
+        run: |
+          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+      - name: Install Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78
+        with:
+          version: v3.4.0
+      - name: Setup node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: '14'
+      - name: Generate helm doc
+        run: |
+          make helm-doc-gen
+      - name: Get the version
+        id: get_version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/}
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+      - name: Tag helm chart image
+        run: |
+          image_tag=${{ steps.get_version.outputs.VERSION }}
+          chart_version=${{ steps.get_version.outputs.VERSION }}
+          sed -i "s/latest/${image_tag}/g" $HELM_CHART/values.yaml
+          chart_smever=${chart_version#"v"}
+          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml
+
+      - uses: jnwng/github-app-installation-token-action@c54add4c02866dc41e106745ac6dcf5cdd6339e5 # v2
+        id: get_app_token
+        with:
+          appId: 340472
+          installationId: 38064967
+          privateKey: ${{ secrets.GH_KUBEVELA_APP_PRIVATE_KEY }}
+      - name: Sync Chart Repo
+        run: |
+          git config --global user.email "135009839+kubevela[bot]@users.noreply.github.com"
+          git config --global user.name "kubevela[bot]"
+          git clone https://x-access-token:${{ steps.get_app_token.outputs.token }}@github.com/kubevela/charts.git kubevela-charts
+          helm package $HELM_CHART --destination ./kubevela-charts/docs/
+          helm repo index --url https://kubevela.github.io/charts ./kubevela-charts/docs/
+          cd kubevela-charts/
+          git add docs/
+          chart_version=${{ steps.get_version.outputs.VERSION }}
+          git commit -m "update vela-core chart ${chart_version}"
+          git push https://x-access-token:${{ steps.get_app_token.outputs.token }}@github.com/kubevela/charts.git
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -4,10 +4,17 @@ on:
  push:
    branches: [ master, release-* ]

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      security-events: write  # for github/codeql-action/autobuild to send a status report

    strategy:
      fail-fast: false
@@ -15,16 +22,16 @@ jobs:
        language: [ 'go' ]

    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        with:
+          languages: ${{ matrix.language }}

-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5

-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -8,11 +8,14 @@ on:
      - labeled
      - unlabeled

+permissions:
+  pull-requests: read
+
 jobs:
  check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
-      - uses: thehanimo/pr-title-checker@v1.3.1
+      - uses: thehanimo/pr-title-checker@5652588c80c479af803eabfbdb5a3895a77c1388 # v1.4.1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          pass_on_octokit_error: true
--- a/.github/workflows/core-api-test.yml
+++ b/.github/workflows/core-api-test.yml
@@ -0,0 +1,40 @@
+name: core-api-test
+on:
+  pull_request:
+    paths:
+      - 'apis/**'
+      - 'pkg/oam/**'
+      - "hack/apis/**"
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+jobs:
+  core-api-test:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Set up Go 1.23.8
+        uses: actions/setup-go@v5
+        env:
+          GO_VERSION: '1.23.8'
+        with:
+          go-version: ${{ env.GO_VERSION }}
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Test build kubevela-core-api
+        env:
+          VERSION: ${{ steps.get_version.outputs.VERSION }}
+          COMMIT_ID: ${{ github.sha }}
+        run: |
+          bash ./hack/apis/clientgen.sh
+          bash ./hack/apis/sync.sh test
--- a/.github/workflows/definition-lint.yml
+++ b/.github/workflows/definition-lint.yml
@@ -0,0 +1,46 @@
+name: Definition-Lint
+
+on:
+  push:
+    branches:
+      - master
+      - release-*
+  workflow_dispatch: {}
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+env:
+  # Common versions
+  GO_VERSION: '1.23.8'
+
+jobs:
+  definition-doc:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          submodules: true
+
+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: linter
+
+      - name: Definition Doc generate check
+        run: |
+          go build -o docgen hack/docgen/def/gen.go
+          ./docgen --type=comp --force-example-doc --path=./comp-def-check.md
+          ./docgen --type=trait --force-example-doc --path=./trait-def-check.md
+          ./docgen --type=wf --force-example-doc --path=./wf-def-check.md --def-dir=./vela-templates/definitions/internal/workflowstep/
+          ./docgen --type=policy --force-example-doc --path=./policy-def-check.md
--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -13,133 +13,74 @@ on:
      - master
      - release-*

+permissions:
+  contents: read
+
 env:
  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
+  GO_VERSION: '1.23.8'

 jobs:

  detect-noop:
-    runs-on: ubuntu-20.04
+    permissions:
+      actions: write
+    runs-on: ubuntu-22.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
-
+        continue-on-error: true

  e2e-multi-cluster-tests:
-    runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    runs-on: ubuntu-22.04
+    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.31.9"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

-
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

-      - name: Setup Go
-        uses: actions/setup-go@v2
+      - name: Setup worker cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
        with:
-          go-version: ${{ env.GO_VERSION }}
+          name: worker
+          k8s-version: ${{ matrix.k8s-version }}

-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Tear down K3d if exist
-        run: |
-          k3d cluster delete || true
-          k3d cluster delete worker || true
-
-      - name: Calculate K3d args
-        run: |
-          EGRESS_ARG=""
-          if [[ "${{ matrix.k8s-version }}" == v1.24 ]]; then
-            EGRESS_ARG="--k3s-arg --egress-selector-mode=disabled@server:0"
-          fi
-          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
-
-      - name: Setup K3d (Hub)
-        uses: nolar/setup-k3d-k3s@v1.0.8
+      - name: Setup master cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-args: ${{ env.EGRESS_ARG }}
+          k8s-version: ${{ matrix.k8s-version }}

-      - name: Setup K3d (Worker)
-        uses: nolar/setup-k3d-k3s@v1.0.8
+      - name: Run upgrade multicluster tests
+        uses: ./.github/actions/multicluster-test
        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-name: worker
-          k3d-args: --kubeconfig-update-default=false --network=k3d-k3s-default ${{ env.EGRESS_ARG }}
-
-      - name: Generating internal worker kubeconfig
-        run: |
-          internal_ip=$(docker network inspect k3d-k3s-default|jq ".[0].Containers"| jq -r '.[]| select(.Name=="k3d-worker-server-0")|.IPv4Address' | cut -d/ -f1)
-          k3d kubeconfig get worker > /tmp/worker.client.kubeconfig
-          cp /tmp/worker.client.kubeconfig /tmp/worker.kubeconfig
-          sed -i "s/0.0.0.0:[0-9]\+/$internal_ip:6443/"  /tmp/worker.kubeconfig
-
-      - name: Load image to k3d cluster (hub and worker)
-        run: make image-load image-load-runtime-cluster
-
-      - name: Cleanup for e2e tests
-        run: |
-          make vela-cli
-          make e2e-cleanup
-          make e2e-setup-core-auth
-          make setup-runtime-e2e-cluster
-
-      - name: Run e2e multicluster tests
-        run: |
-          export PATH=$(pwd)/bin:$PATH
-          make e2e-multicluster-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e-core
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
-          flags: e2e-multicluster-test
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}

      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
+        run: |
+          if [ -f /tmp/e2e-profile.out ]; then
+            rm /tmp/e2e-profile.out
+            echo "E2E profile cleaned"
+          else
+            echo "E2E profile not found, skipping cleanup"
+          fi

      - name: Cleanup image
        if: ${{ always() }}
-        run: make image-cleanup
+        run: |
+          make image-cleanup
+          docker image prune -f --filter "until=24h"
--- a/.github/workflows/e2e-rollout-test.yml
+++ b/.github/workflows/e2e-rollout-test.yml
@@ -1,128 +0,0 @@
-name: E2E Rollout Test
-
-on:
-  push:
-    branches:
-      - master
-      - release-*
-    tags:
-      - v*
-  workflow_dispatch: {}
-  pull_request:
-    branches:
-      - master
-      - release-*
-
-env:
-  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
-
-jobs:
-
-  detect-noop:
-    runs-on: ubuntu-20.04
-    outputs:
-      noop: ${{ steps.noop.outputs.should_skip }}
-    steps:
-      - name: Detect No-op Changes
-        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
-          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
-
-  e2e-rollout-tests:
-    runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
-    if: needs.detect-noop.outputs.noop != 'true'
-    strategy:
-      matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
-      cancel-in-progress: true
-
-
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Tear down K3d if exist
-        run: |
-          k3d cluster delete || true
-          k3d cluster delete worker || true
-
-      - name: Calculate K3d args
-        run: |
-          EGRESS_ARG=""
-          if [[ "${{ matrix.k8s-version }}" == v1.24 ]]; then
-            EGRESS_ARG="--k3s-arg --egress-selector-mode=disabled@server:0"
-          fi
-          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
-
-      - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
-        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-args: ${{ env.EGRESS_ARG }}
-
-      - name: Load image to k3d cluster
-        run: make image-load image-load-runtime-cluster
-
-      - name: Prepare for e2e tests
-        run: |
-          make vela-cli
-          make e2e-cleanup
-          make e2e-setup-core
-          make setup-runtime-e2e-cluster
-          helm test -n vela-system kubevela --timeout 5m
-
-      - name: Run e2e tests
-        run: make e2e-rollout-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out
-          flags: e2e-rollout-tests
-          name: codecov-umbrella
-
-      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
-
-      - name: Cleanup image
-        if: ${{ always() }}
-        run: make image-cleanup
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -13,123 +13,69 @@ on:
      - master
      - release-*

+permissions:
+  contents: read
+
 env:
  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-  K3D_IMAGE_VERSION: '[\"v1.20\",\"v1.24\"]'
-  K3D_IMAGE_VERSIONS: '[\"v1.20\",\"v1.24\"]'
+  GO_VERSION: '1.23.8'

 jobs:

  detect-noop:
-    runs-on: ubuntu-20.04
+    permissions:
+      actions: write
+    runs-on: ubuntu-22.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
-
-  set-k8s-matrix:
-    runs-on: ubuntu-20.04
-    outputs:
-      matrix: ${{ steps.set-k8s-matrix.outputs.matrix }}
-    steps:
-      - id: set-k8s-matrix
-        run: |
-          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-            echo "pushing tag: ${{ github.ref_name }}"
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSIONS }}"
-          else
-            echo "::set-output name=matrix::${{ env.K3D_IMAGE_VERSION }}"
-          fi
+        continue-on-error: true

  e2e-tests:
-    runs-on: aliyun
-    needs: [ detect-noop,set-k8s-matrix ]
+    runs-on: ubuntu-22.04
+    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ${{ fromJson(needs.set-k8s-matrix.outputs.matrix) }}
+        k8s-version: ["v1.31"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

-
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

-      - name: Setup Go
-        uses: actions/setup-go@v2
+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+
+      # ========================================================================
+      # E2E Test Execution
+      # ========================================================================
+      - name: Run upgrade e2e tests
+        uses: ./.github/actions/e2e-test
        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Tear down K3d if exist
-        run: |
-          k3d cluster delete || true
-          k3d cluster delete worker || true
-
-      - name: Calculate K3d args
-        run: |
-          EGRESS_ARG=""
-          if [[ "${{ matrix.k8s-version }}" == v1.24 ]]; then
-            EGRESS_ARG="--k3s-arg --egress-selector-mode=disabled@server:0"
-          fi
-          echo "EGRESS_ARG=${EGRESS_ARG}" >> $GITHUB_ENV 
-
-      - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
-        with:
-          version: ${{ matrix.k8s-version }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          k3d-args: ${{ env.EGRESS_ARG }}
-
-      - name: Load image to k3d cluster
-        run: make image-load
-
-      - name: Run Make
-        run: make
-
-      - name: Prepare for e2e tests
-        run: |
-          make e2e-cleanup
-          make e2e-setup-core
-          helm test -n vela-system kubevela --timeout 5m
-
-      - name: Run api e2e tests
-        run: make e2e-api-test
-
-      - name: Run addons e2e tests
-        run: make e2e-addon-test
-
-      - name: Run e2e tests
-        run: make e2e-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out
-          flags: e2etests
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}

      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
+        run: |
+          if [ -f /tmp/e2e-profile.out ]; then
+            rm /tmp/e2e-profile.out
+            echo "E2E profile cleaned"
+          else
+            echo "E2E profile not found, skipping cleanup"
+          fi

      - name: Cleanup image
        if: ${{ always() }}
-        run: make image-cleanup
+        run: |
+          make image-cleanup
+          docker image prune -f --filter "until=24h"
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -11,133 +11,214 @@ on:
      - master
      - release-*

+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 env:
  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
+  GO_VERSION: "1.23.8"
+  GOLANGCI_VERSION: "v1.60.1"

 jobs:
-
  detect-noop:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
+    permissions:
+      actions: write
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
+        continue-on-error: true

  staticcheck:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

-      - name: Cache Go Dependencies
-        uses: actions/cache@v2
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install StaticCheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@2022.1
-
      - name: Static Check
-        run: staticcheck ./...
+        run: make staticcheck

      - name: License Header Check
        run: make check-license-header

  lint:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests

    steps:
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

-      - name: Cache Go Dependencies
-        uses: actions/cache@v2
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
      # This action uses its own setup-go, which always seems to use the latest
      # stable version of Go. We could run 'make lint' to ensure our desired Go
      # version, but we prefer this action because it leaves 'annotations' (i.e.
      # it comments on PRs to point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v6
        with:
          version: ${{ env.GOLANGCI_VERSION }}

  check-diff:
-    runs-on: aliyun
+    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          submodules: true
+
+      - name: Free Disk Space
+        run: |
+          echo "Disk space before cleanup:"
+          df -h
+
+          # Remove unnecessary software to free up disk space
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo docker image prune --all --force
+
+          echo "Disk space after cleanup:"
+          df -h
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+        
+      - name: Setup node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "14"
+
+      - name: Setup kinD
+        uses: ./.github/actions/setup-kind-cluster
+
+      - name: Run cross-build
+        run: make cross-build
+
+      - name: Free Disk Space After Cross-Build
+        run: |
+          echo "Disk space before cleanup:"
+          df -h
+
+          # Remove cross-build artifacts to free up space
+          # (make build will rebuild binaries for current platform)
+          rm -rf _bin
+
+          # Clean Go build cache and test cache
+          go clean -cache -testcache
+
+          # Remove Docker build cache
+          sudo docker builder prune --all --force || true
+
+          echo "Disk space after cleanup:"
+          df -h
+
+      - name: Check Diff
+        run: |
+          export PATH=$(pwd)/bin/:$PATH
+          make check-diff
+
+      - name: Cleanup binary
+        run: make build-cleanup
+
+  check-windows:
+    runs-on: windows-latest
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

-      - name: Setup node
-        uses: actions/setup-node@v2
-        with:
-          node-version: '14'
-
-      - name: Install StaticCheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@2022.1
-
      - name: Cache Go Dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-

-      - name: Check code formatting
-        run: go install golang.org/x/tools/cmd/goimports && make fmt
+      - name: Run Build CLI
+        run: make vela-cli

-      - name: Run cross-build
-        run: make cross-build
-
-      - name: Check Diff
+      - name: Run CLI for version
+        shell: cmd
        run: |
-          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.49.0
-          export PATH=$(pwd)/bin/:$PATH
-          make check-diff
-              
-      - name: Cleanup binary
-        run: make build-cleanup
+          move .\bin\vela .\bin\vela.exe
+          .\bin\vela.exe version
+
+  check-core-image-build:
+    runs-on: ubuntu-22.04
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          submodules: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+      - name: Build Test for vela core
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64
+
+  check-cli-image-build:
+    runs-on: ubuntu-22.04
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          submodules: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+      - name: Build Test for CLI 
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          context: .
+          file: Dockerfile.cli
--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@@ -1,50 +1,61 @@
-name: Run commands when issues are labeled or comments added
+name: Run commands for issues and pull requests
 on:
  issues:
    types: [labeled, opened]
  issue_comment:
    types: [created]

+permissions:
+  contents: read
+  issues: write
+
 jobs:
  bot:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+      issues: write
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@v2
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
          ref: v0.4.2
      - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
-          node-version: '14'
-          cache: 'npm'
+          node-version: "14"
+          cache: "npm"
          cache-dependency-path: ./actions/package-lock.json
      - name: Install Dependencies
        run: npm ci --production --prefix ./actions
      - name: Run Commands
        uses: ./actions/commands
        with:
-          token: ${{secrets.VELA_BOT_TOKEN}}
+          token: ${{ secrets.GH_KUBEVELA_COMMAND_WORKFLOW }}
          configPath: issue-commands

  backport:
    runs-on: ubuntu-22.04
    if: github.event.issue.pull_request && contains(github.event.comment.body, '/backport')
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
    steps:
      - name: Extract Command
        id: command
-        uses: xt0rted/slash-command-action@v1
+        uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88
        with:
-          repo-token: ${{ secrets.VELA_BOT_TOKEN }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
          command: backport
          reaction: "true"
          reaction-type: "eyes"
          allow-edits: "false"
          permission-level: read
      - name: Handle Command
-        uses: actions/github-script@v4
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          VERSION: ${{ steps.command.outputs.command-arguments }}
        with:
@@ -56,7 +67,7 @@ jobs:
              label = "backport " + version
            }
            // Add our backport label.
-            github.issues.addLabels({
+            github.rest.issues.addLabels({
              // Every pull request is an issue, but not every issue is a pull request.
              issue_number: context.issue.number,
              owner: context.repo.owner,
@@ -65,11 +76,68 @@ jobs:
            })
            console.log("Added '" + label + "' label.")
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
      - name: Open Backport PR
-        uses: zeebe-io/backport-action@v0.0.8
+        uses: zeebe-io/backport-action@0193454f0c5947491d348f33a275c119f30eb736
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
+
+  retest:
+    runs-on: ubuntu-22.04
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/retest')
+    permissions:
+      actions: write
+      pull-requests: write
+      issues: write
+    steps:
+      - name: Retest the current pull request
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        env:
+          PULL_REQUEST_ID: ${{ github.event.issue.number }}
+          COMMENT_ID: ${{ github.event.comment.id }}
+          COMMENT_BODY: ${{ github.event.comment.body }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const pull_request_id = process.env.PULL_REQUEST_ID
+            const comment_id = process.env.COMMENT_ID
+            const comment_body = process.env.COMMENT_BODY
+            console.log("retest pr: #" + pull_request_id + " comment: " + comment_body)
+            const {data: pr} = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pull_request_id,
+            })
+            console.log("pr: " + JSON.stringify(pr))
+            const action = comment_body.split(" ")[0]
+            let workflow_ids = comment_body.split(" ").slice(1).filter(line => line.length > 0).map(line => line + ".yml")
+            if (workflow_ids.length == 0) workflow_ids = ["go.yml", "unit-test.yml", "e2e-test.yml", "e2e-multicluster-test.yml"]
+            for (let i = 0; i < workflow_ids.length; i++) {
+              const workflow_id = workflow_ids[i]
+              const {data: runs} = await github.rest.actions.listWorkflowRuns({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                workflow_id: workflow_id,
+                head_sha: pr.head.sha,
+              })
+              console.log("runs for " + workflow_id + ": ", JSON.stringify(runs))
+              runs.workflow_runs.forEach((workflow_run) => {
+                if (workflow_run.status === "in_progress") return
+                let handler = github.rest.actions.reRunWorkflow
+                if (action === "/retest-failed") handler = github.rest.actions.reRunWorkflowFailedJobs
+                handler({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  run_id: workflow_run.id
+                })
+              })
+            }
+            github.rest.reactions.createForIssueComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: comment_id,
+              content: "eyes",
+            });
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -9,15 +9,17 @@ on:
    branches:
      - master
      - release-*
+permissions:
+  contents: read

 jobs:
  license_check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    name: Check for unapproved licenses
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
        with:
          ruby-version: 2.6
      - name: Install dependencies
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -1,63 +1,87 @@
 name: Registry
+
 on:
  push:
    branches:
      - master
    tags:
-      - "v*"
+      - 'v*'
  workflow_dispatch: {}

-env:
-  ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
-  ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
+permissions:
+  contents: read

 jobs:
-  publish-core-images:
-    runs-on: ubuntu-latest
+  publish-vela-images:
+    name: Build and Push Vela Images
+    permissions:
+      packages: write
+      id-token: write
+      attestations: write
+      contents: write
+    runs-on: ubuntu-22.04
+    outputs:
+      vela_core_image: ${{ steps.meta-vela-core.outputs.image }}
+      vela_core_digest: ${{ steps.meta-vela-core.outputs.digest }}
+      vela_core_dockerhub_image: ${{ steps.meta-vela-core.outputs.dockerhub_image }}
+      vela_cli_image: ${{ steps.meta-vela-cli.outputs.image }}
+      vela_cli_digest: ${{ steps.meta-vela-cli.outputs.digest }}
+      vela_cli_dockerhub_image: ${{ steps.meta-vela-cli.outputs.dockerhub_image }}
    steps:
-      - uses: actions/checkout@master
-      - name: Get the version
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
+
+      - name: Install Crane
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.1
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # main
+        with:
+          cosign-release: 'v2.5.0'
+
+      - name: Get the image version
        id: get_version
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
            VERSION=latest
          fi
-          echo ::set-output name=VERSION::${VERSION}
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+
      - name: Get git revision
        id: vars
        shell: bash
        run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
-      - name: Login ghcr.io
-        uses: docker/login-action@v1
+          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Login to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login docker.io
-        uses: docker/login-action@v1
+
+      - name: Login to DockerHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login Alibaba Cloud ACR
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ secrets.ACR_DOMAIN }}
-          username: ${{ secrets.ACR_USERNAME }}
-          password: ${{ secrets.ACR_PASSWORD }}
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-core for Dockerhub, GHCR and ACR
+      - name: Build & Push Vela Core for Dockerhub, GHCR
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile
-          labels: |-
+          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
@@ -66,17 +90,55 @@ jobs:
            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
            VERSION=${{ steps.get_version.outputs.VERSION }}
            GOPROXY=https://proxy.golang.org
-          tags: |-
+          tags: |
            docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
-            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - uses: docker/build-push-action@v2
-        name: Build & Pushing CLI for Dockerhub, GHCR and ACR
+      - name: Get Vela Core Image Digest
+        id: meta-vela-core
+        run: |
+          GHCR_IMAGE=ghcr.io/${{ github.repository_owner }}/oamdev/vela-core
+          DOCKER_IMAGE=docker.io/oamdev/vela-core
+          TAG=${{ steps.get_version.outputs.VERSION }}
+
+          DIGEST=$(crane digest $GHCR_IMAGE:$TAG)
+
+          echo "image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
+          echo "dockerhub_image=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM for Vela Core Image
+        id: generate_vela_core_sbom
+        uses: anchore/sbom-action@v0.17.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          format: spdx-json
+          artifact-name: sbom-vela-core.spdx.json
+          output-file: ${{ github.workspace }}/sbom-vela-core.spdx.json
+
+      - name: Sign Vela Core Image and Attest SBOM
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
+        run: |
+          echo "signing vela core images..."
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+          cosign sign --yes docker.io/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+          echo "attesting SBOM against the vela core image..."
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-core.spdx.json --type spdx \
+          ghcr.io/${{ github.repository_owner }}/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-core.spdx.json --type spdx \
+          docker.io/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+      - name: Build & Push Vela CLI for Dockerhub, GHCR
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile.cli
-          labels: |-
+          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
@@ -85,104 +147,100 @@ jobs:
            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
            VERSION=${{ steps.get_version.outputs.VERSION }}
            GOPROXY=https://proxy.golang.org
-          tags: |-
+          tags: |
            docker.io/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
-            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}

-  publish-addon-images:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@master
-      - name: Get the version
-        id: get_version
+      - name: Get Vela CLI Image Digest
+        id: meta-vela-cli
        run: |
-          VERSION=${GITHUB_REF#refs/tags/}
-          if [[ ${GITHUB_REF} == "refs/heads/master" ]]; then
-            VERSION=latest
-          fi
-          echo ::set-output name=VERSION::${VERSION}
-      - name: Get git revision
-        id: vars
-        shell: bash
+          GHCR_IMAGE=ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli
+          DOCKER_IMAGE=docker.io/oamdev/vela-cli
+          TAG=${{ steps.get_version.outputs.VERSION }}
+
+          DIGEST=$(crane digest $GHCR_IMAGE:$TAG)
+
+          echo "image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
+          echo "dockerhub_image=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM for Vela CLI Image
+        id: generate_sbom
+        uses: anchore/sbom-action@v0.17.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          format: spdx-json
+          artifact-name: sbom-vela-cli.spdx.json
+          output-file: ${{ github.workspace }}/sbom-vela-cli.spdx.json
+
+      - name: Sign Vela CLI Image and Attest SBOM
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
        run: |
-          echo "::set-output name=git_revision::$(git rev-parse --short HEAD)"
-      - name: Login ghcr.io
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login docker.io
-        uses: docker/login-action@v1
-        with:
-          registry: docker.io
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login Alibaba Cloud ACR
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ secrets.ACR_DOMAIN }}
-          username: ${{ secrets.ACR_USERNAME }}
-          password: ${{ secrets.ACR_PASSWORD }}
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: image=moby/buildkit:master
+          echo "signing vela CLI images..."
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+          cosign sign --yes docker.io/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}      

-      - uses: docker/build-push-action@v2
-        name: Build & Pushing vela-apiserver for Dockerhub, GHCR and ACR
-        with:
-          context: .
-          file: Dockerfile.apiserver
-          labels: |-
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.revision=${{ github.sha }}
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          build-args: |
-            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
-            VERSION=${{ steps.get_version.outputs.VERSION }}
-            GOPROXY=https://proxy.golang.org
-          tags: |-
-            docker.io/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository_owner }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
-            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-apiserver:${{ steps.get_version.outputs.VERSION }}
+          echo "attesting SBOM against the vela cli image..."
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-cli.spdx.json --type spdx \
+          ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}

-      - uses: docker/build-push-action@v2
-        name: Build & Pushing runtime rollout Dockerhub, GHCR and ACR
-        with:
-          context: .
-          file: runtime/rollout/Dockerfile
-          labels: |-
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.revision=${{ github.sha }}
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          build-args: |
-            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
-            VERSION=${{ steps.get_version.outputs.VERSION }}
-            GOPROXY=https://proxy.golang.org
-          tags: |-
-            docker.io/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
-            ghcr.io/${{ github.repository_owner }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
-            ${{ secrets.ACR_DOMAIN }}/oamdev/vela-rollout:${{ steps.get_version.outputs.VERSION }}
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-cli.spdx.json --type spdx \
+          docker.io/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}

-  publish-capabilities:
-    env:
-      CAPABILITY_BUCKET: kubevela-registry
-      CAPABILITY_DIR: capabilities
-      CAPABILITY_ENDPOINT: oss-cn-beijing.aliyuncs.com
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@master
-      - name: Install ossutil
-        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
-      - name: Configure Alibaba Cloud OSSUTIL
-        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${CAPABILITY_ENDPOINT} -c .ossutilconfig
-      - name: sync capabilities bucket to local
-        run: ./ossutil --config-file .ossutilconfig sync oss://$CAPABILITY_BUCKET $CAPABILITY_DIR
-      - name: rsync all capabilites
-        run: rsync vela-templates/registry/auto-gen/* $CAPABILITY_DIR
-      - name: sync local to cloud
-        run: ./ossutil --config-file .ossutilconfig sync $CAPABILITY_DIR oss://$CAPABILITY_BUCKET -f
+      - name: Publish SBOMs as release artifacts
+        uses: anchore/sbom-action/publish-sbom@v0.17.0
+
+  provenance-ghcr:
+    name: Generate and Push Provenance to GCHR
+    needs: publish-vela-images
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      matrix:
+        include:
+          - name: 'Vela Core Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_core_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_core_digest }}
+          - name: 'Vela CLI Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_cli_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_cli_digest }}
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 # has to be sem var
+    with:
+      image: ${{ matrix.image }}
+      digest: ${{ matrix.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  provenance-dockerhub:
+    name: Generate and Push Provenance to DockerHub
+    needs: publish-vela-images
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      matrix:
+        include:
+          - name: 'Vela Core Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_core_dockerhub_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_core_digest }}
+          - name: 'Vela CLI Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_cli_dockerhub_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_cli_digest }}
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ matrix.image }}
+      digest: ${{ matrix.digest }}
+    secrets:
+      registry-username: ${{ secrets.DOCKER_USERNAME }}
+      registry-password: ${{ secrets.DOCKER_PASSWORD }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,177 +4,126 @@ on:
  push:
    tags:
      - "v*"
-  workflow_dispatch: { }
+  workflow_dispatch: {}

-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  BUCKET: ${{ secrets.CLI_OSS_BUCKET }}
-  ENDPOINT: ${{ secrets.CLI_OSS_ENDPOINT }}
-  ACCESS_KEY: ${{ secrets.CLI_OSS_ACCESS_KEY }}
-  ACCESS_KEY_SECRET: ${{ secrets.CLI_OSS_ACCESS_KEY_SECRET }}
+permissions:
+  contents: read

 jobs:
-  build:
-    runs-on: ubuntu-latest
-    name: build
-    strategy:
-      matrix:
-        TARGETS: [ linux/amd64, darwin/amd64, windows/amd64, linux/arm64, darwin/arm64 ]
-    env:
-      VELA_VERSION_KEY: github.com/oam-dev/kubevela/version.VelaVersion
-      VELA_GITVERSION_KEY: github.com/oam-dev/kubevela/version.GitRevision
-      GO_BUILD_ENV: GO111MODULE=on CGO_ENABLED=0
-      DIST_DIRS: find * -type d -exec
+  goreleaser:
+    name: goreleaser
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      actions: read
+      checks: write
+      issues: read
+      packages: write
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      id-token: write
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.19
-      - name: Get release
-        id: get_release
-        uses: bruceadams/get-release@v1.2.2
-      - name: Get version
-        run: echo "VELA_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-      - name: Get matrix
-        id: get_matrix
+      - name: Check disk (before)
        run: |
-          TARGETS=${{matrix.TARGETS}}
-          echo ::set-output name=OS::${TARGETS%/*}
-          echo ::set-output name=ARCH::${TARGETS#*/}
-      - name: Get ldflags
-        id: get_ldflags
-        run: |
-          LDFLAGS="-s -w -X ${{ env.VELA_VERSION_KEY }}=${{ env.VELA_VERSION }} -X ${{ env.VELA_GITVERSION_KEY }}=git-$(git rev-parse --short HEAD)"
-          echo "LDFLAGS=${LDFLAGS}" >> $GITHUB_ENV
-      - name: Build
-        run: |
-          ${{ env.GO_BUILD_ENV }} GOOS=${{ steps.get_matrix.outputs.OS }} GOARCH=${{ steps.get_matrix.outputs.ARCH }} \
-            go build -ldflags "${{ env.LDFLAGS }}" \
-            -o _bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}/vela -v \
-            ./references/cmd/cli/main.go
-          ${{ env.GO_BUILD_ENV }} GOOS=${{ steps.get_matrix.outputs.OS }} GOARCH=${{ steps.get_matrix.outputs.ARCH }} \
-            go build -ldflags "${{ env.LDFLAGS }}" \
-            -o _bin/kubectl-vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}/kubectl-vela -v \
-            ./cmd/plugin/main.go
-      - name: Compress
-        run: |
-          echo "\n## Release Info\nVERSION: ${{ env.VELA_VERSION }}" >> README.md && \
-          echo "GIT_COMMIT: ${GITHUB_SHA}\n" >> README.md && \
-          cd _bin/vela && \
-          ${{ env.DIST_DIRS }} cp ../../LICENSE {} \; && \
-          ${{ env.DIST_DIRS }} cp ../../README.md {} \; && \
-          ${{ env.DIST_DIRS }} tar -zcf vela-{}.tar.gz {} \; && \
-          ${{ env.DIST_DIRS }} zip -r vela-{}.zip {} \; && \
-          cd ../kubectl-vela && \
-          ${{ env.DIST_DIRS }} cp ../../LICENSE {} \; && \
-          ${{ env.DIST_DIRS }} cp ../../README.md {} \; && \
-          ${{ env.DIST_DIRS }} tar -zcf kubectl-vela-{}.tar.gz {} \; && \
-          ${{ env.DIST_DIRS }} zip -r kubectl-vela-{}.zip {} \; && \
-          cd .. && \
-          sha256sum vela/vela-* kubectl-vela/kubectl-vela-* >> sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt \
-      - name: Upload Vela tar.gz
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_name: vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_content_type: binary/octet-stream
-      - name: Upload Vela zip
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_name: vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_content_type: binary/octet-stream
-      - name: Upload Kubectl-Vela tar.gz
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: ./_bin/kubectl-vela/kubectl-vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_name: kubectl-vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          asset_content_type: binary/octet-stream
-      - name: Upload Kubectl-Vela zip
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: ./_bin/kubectl-vela/kubectl-vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_name: kubectl-vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-          asset_content_type: binary/octet-stream
-      - name: Post sha256
-        uses: actions/upload-artifact@v2
-        with:
-          name: sha256sums
-          path: ./_bin/sha256-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.txt
-          retention-days: 1
-      - name: clear the asset
-        run: |
-          rm -rf ./_bin/vela/${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}
-          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.tar.gz
-          mv ./_bin/vela/vela-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip ./_bin/vela/vela-${{ env.VELA_VERSION }}-${{ steps.get_matrix.outputs.OS }}-${{ steps.get_matrix.outputs.ARCH }}.zip
-      - name: Install ossutil
-        run: wget http://gosspublic.alicdn.com/ossutil/1.7.0/ossutil64 && chmod +x ossutil64 && mv ossutil64 ossutil
-      - name: Configure Alibaba Cloud OSSUTIL
-        run: ./ossutil --config-file .ossutilconfig config -i ${ACCESS_KEY} -k ${ACCESS_KEY_SECRET} -e ${ENDPOINT} -c .ossutilconfig
-      - name: sync local to cloud
-        run: ./ossutil --config-file .ossutilconfig sync ./_bin/vela oss://$BUCKET/binary/vela/${{ env.VELA_VERSION }}
-      
-      - name: sync the latest version file
-        if: ${{ !contains(env.VELA_VERSION,'alpha') && !contains(env.VELA_VERSION,'beta') }}
-        run: |
-          LATEST_VERSION=$(curl -fsSl https://static.kubevela.net/binary/vela/latest_version)
-          verlte() {
-            [  "$1" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
-          }
-          verlte ${{ env.VELA_VERSION }} $LATEST_VERSION && echo "${{ env.VELA_VERSION }} <= $LATEST_VERSION, skip update" && exit 0
-          echo ${{ env.VELA_VERSION }} > ./latest_version
-          ./ossutil --config-file .ossutilconfig cp -u ./latest_version oss://$BUCKET/binary/vela/latest_version
+          df -h
+          sudo du -sh /usr/local/lib/android /usr/share/dotnet /opt/ghc || true

+      - name: Free Disk Space (Ubuntu)
+        uses: insightsengineering/disk-space-reclaimer@v1
+        with:
+          # this might remove tools that are actually needed,
+          # if set to "true" but frees about 6 GB
+          tools-cache: false
+          # all of these default to true, but feel free to set to
+          # "false" if necessary for your workflow
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+          docker-images: true
+
+      # Extra prune in case your job builds/pulls images
+      - name: Deep Docker prune
+        run: |
+          docker system prune -af || true
+          docker builder prune -af || true
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+        with:
+          fetch-depth: 0
+
+      - name: Get Git tags
+        run: git fetch --force --tags
+
+      - name: Set up Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
+        with:
+          go-version: 1.23.8
+          cache: true
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: "v2.5.0"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        with:
+          distribution: goreleaser
+          version: 1.14.1
+          args: release --rm-dist --timeout 60m
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate hashes
+        id: hash
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          set -euo pipefail
+          HASHES=$(find dist -type f -exec sha256sum {} \; | base64 -w0)
+          echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"
+
+      - name: Check disk (after)
+        run: df -h

  upload-plugin-homebrew:
-    needs: build
-    runs-on: ubuntu-latest
    name: upload-sha256sums
+    needs: goreleaser
+    runs-on: ubuntu-22.04
+    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
+    permissions:
+      contents: write
+      actions: read
+      checks: write
+      issues: read
+      packages: write
+      pull-requests: read
+      repository-projects: read
+      statuses: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Get release
-        id: get_release
-        uses: bruceadams/get-release@v1.2.2
-      - name: Download sha256sums
-        uses: actions/download-artifact@v2
-        with:
-          name: sha256sums
-          path: cli-artifacts
-      - name: Display structure of downloaded files
-        run: ls -R
-        working-directory: cli-artifacts
-      - name: Get version
-        run: echo "VELA_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-      - shell: bash
-        working-directory: cli-artifacts
-        run: |
-          for file in *
-          do
-            sed -i "s/\/vela/-${{ env.VELA_VERSION }}/g" ${file}
-            sed -i "s/\/kubectl-vela/-${{ env.VELA_VERSION }}/g" ${file}
-            cat ${file} >> sha256sums.txt
-          done
-      - name: Upload Checksums
-        uses: actions/upload-release-asset@v1.0.2
-        with:
-          upload_url: ${{ steps.get_release.outputs.upload_url }}
-          asset_path: cli-artifacts/sha256sums.txt
-          asset_name: sha256sums.txt
-          asset_content_type: text/plain
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
      - name: Update kubectl plugin version in krew-index
-        uses: rajatjindal/krew-release-bot@v0.0.38
-      - name: Update Homebrew formula
-        uses: dawidd6/action-homebrew-bump-formula@v3
-        with:
-          token: ${{ secrets.HOMEBREW_TOKEN }}
-          formula: kubevela
-          tag: ${{ github.ref }}
-          revision: ${{ github.sha }}
-          force: false
+        uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
+
+  provenance-vela-bins:
+    name: generate provenance for binaries
+    needs: [goreleaser]
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # has to be sem var
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,60 @@
+name: Scorecards supply-chain security
+on:
+  schedule:
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
+  push:
+    branches: [ master ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # tag=v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@134dcf33c0b9454c4b17a936843d7e21dccdc335 # v4.3.6
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/sdk-test.yml
+++ b/.github/workflows/sdk-test.yml
@@ -0,0 +1,49 @@
+name: SDK Test
+
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch: {}
+  pull_request:
+    paths:
+      - "vela-templates/definitions/**"
+      - "pkg/definition/gen_sdk/**"
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+jobs:
+  sdk-tests:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Install Go tools
+        run: |
+          make goimports
+          make golangci
+
+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: sdk-test
+
+      - name: Build CLI
+        run: make vela-cli
+
+      - name: Build SDK
+        run: bin/vela def gen-api -f vela-templates/definitions/internal/ -o ./kubevela-go-sdk --package=github.com/kubevela-contrib/kubevela-go-sdk --init
+
+      - name: Validate SDK
+        run: |
+          cd kubevela-go-sdk
+          go mod tidy
+          golangci-lint run --timeout 5m -e "exported:" -e "dot-imports" ./...
--- a/.github/workflows/sync-api.yml
+++ b/.github/workflows/sync-api.yml
@@ -7,25 +7,22 @@ on:
    tags:
      - "v*"

+permissions:
+  contents: read
+
 jobs:
  sync-core-api:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
-      - name: Set up Go 1.17
-        uses: actions/setup-go@v1
-        env:
-          GO_VERSION: '1.19'
-          GOLANGCI_VERSION: 'v1.49'
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup

      - name: Get the version
        id: get_version
-        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/}
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

      - name: Sync to kubevela-core-api Repo
        env:
@@ -34,4 +31,4 @@ jobs:
          COMMIT_ID: ${{ github.sha }}
        run: |
          bash ./hack/apis/clientgen.sh
-          bash ./hack/apis/sync.sh
+          bash ./hack/apis/sync.sh sync
--- a/.github/workflows/sync-sdk.yaml
+++ b/.github/workflows/sync-sdk.yaml
@@ -0,0 +1,49 @@
+name: Sync SDK
+
+on:
+  push:
+    paths:
+      - vela-templates/definitions/internal/**
+      - pkg/definition/gen_sdk/**
+      - .github/workflows/sync-sdk.yaml
+    tags:
+      - "v*"
+    branches:
+      - master
+      - release-*
+permissions:
+  contents: read
+
+jobs:
+  sync_sdk:
+    runs-on: ubuntu-22.04
+    steps:
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
+      - name: Env setup
+        uses: ./.github/actions/env-setup
+
+      - name: Install Go tools
+        run: |
+          make goimports
+
+      - name: Build CLI
+        run: make vela-cli
+
+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: sync-sdk
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF}" >> $GITHUB_OUTPUT
+
+      - name: Sync SDK to kubevela/kubevela-go-sdk
+        run: bash ./hack/sdk/sync.sh
+        env:
+          SSH_DEPLOY_KEY: ${{ secrets.GO_SDK_DEPLOY_KEY }}
+          VERSION: ${{ steps.get_version.outputs.VERSION }}
+          COMMIT_ID: ${{ github.sha }}
--- a/.github/workflows/timed-task.yml
+++ b/.github/workflows/timed-task.yml
@@ -1,10 +0,0 @@
-name: Timed Task
-on:
-  schedule:
-    - cron: '* * * * *'
-jobs:
-  clean-image:
-    runs-on: aliyun
-    steps:
-      - name: Cleanup image
-        run: docker image prune -f
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -4,27 +4,30 @@ on:
  pull_request:
    branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
  images:
    name: Image Scan
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Build Vela Core image from Dockerfile
        run: |
          docker build --build-arg GOPROXY=https://proxy.golang.org -t docker.io/oamdev/vela-core:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner for vela core
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
        with:
          image-ref: 'docker.io/oamdev/vela-core:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -11,75 +11,45 @@ on:
      - master
      - release-*

-env:
-  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
+permissions:
+  contents: read

 jobs:
-
  detect-noop:
-    runs-on: ubuntu-20.04
+    permissions:
+      actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
+    runs-on: ubuntu-22.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@v4.0.0
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-          concurrent_skipping: false
+        continue-on-error: true

  unit-tests:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v1
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

-      - name: Cache Go Dependencies
-        uses: actions/cache@v2
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Setup KinD with Kubernetes
+        uses: ./.github/actions/setup-kind-cluster
+
+      - name: Run unit tests
+        uses: ./.github/actions/unit-test
        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install ginkgo
-        run: |
-          sudo apt-get install -y golang-ginkgo-dev
-
-      - name: Setup K3d
-        uses: nolar/setup-k3d-k3s@v1.0.8
-        with:
-          version: v1.20
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: install Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@v1.2
-        with:
-          version: 3.1.0
-          kubebuilderOnly: false
-          kubernetesVersion: v1.21.2
-
-      - name: Run Make test
-        run: make test
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.txt
-          flags: core-unittests
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/upgrade-e2e-multicluster-test.yml
+++ b/.github/workflows/upgrade-e2e-multicluster-test.yml
@@ -0,0 +1,98 @@
+# =============================================================================
+# E2E Upgrade Multicluster Test Workflow
+# =============================================================================
+# This workflow performs end-to-end testing for KubeVela multicluster upgrades.
+# It tests the upgrade path from the latest released version to the current
+# development branch across multiple Kubernetes versions.
+#
+# Test Flow:
+# 1. Install latest KubeVela release
+# 2. Build and upgrade to current development version
+# 3. Run multicluster e2e tests to verify functionality
+# =============================================================================
+
+name: E2E Upgrade Multicluster Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Global Environment Variables
+# =============================================================================
+env:
+  GO_VERSION: '1.23.8'  # Go version for building and testing
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-multicluster-tests:
+    name: Upgrade Multicluster Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 60  # Prevent hanging jobs
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Environment Setup
+      # ========================================================================
+
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+
+      - name: Setup worker cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: worker
+
+      - name: Setup KinD master clusters for multicluster testing
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      - name: Run upgarde multicluster tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: false
+          codecov-token: ''
--- a/.github/workflows/upgrade-e2e-test.yml
+++ b/.github/workflows/upgrade-e2e-test.yml
@@ -0,0 +1,102 @@
+# =============================================================================
+# Upgrade E2E Test Workflow
+# =============================================================================
+# This workflow performs comprehensive end-to-end testing for KubeVela upgrades.
+# It validates the upgrade path from the latest stable release to the current
+# development version by running multiple test suites including API, addon,
+# and general e2e tests.
+#
+# Test Flow:
+# 1. Install latest KubeVela release
+# 2. Build and upgrade to current development version
+# 3. Run comprehensive e2e test suites (API, addon, general)
+# 4. Validate upgrade functionality and compatibility
+# =============================================================================
+
+name: Upgrade E2E Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Environment Variables
+# =============================================================================
+env:
+  GO_VERSION: '1.23.8'
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-tests:
+    name: Upgrade E2E Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 90  # Extended timeout for comprehensive e2e testing
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Repository Setup
+      # ========================================================================
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+      - name: Setup KinD with Kubernetes ${{ matrix.k8s-version }}
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Build vela CLI
+        run: make vela-cli
+
+      - name: Build kubectl-vela plugin
+        run: make kubectl-vela
+
+      - name: Install kustomize
+        run: make kustomize
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      # ========================================================================
+      # E2E Test Execution
+      # ========================================================================
+      - name: Run upgrade e2e tests
+        uses: ./.github/actions/e2e-test
--- a/.github/workflows/upgrade-unit-test.yml
+++ b/.github/workflows/upgrade-unit-test.yml
@@ -0,0 +1,83 @@
+# =============================================================================
+# Upgrade Unit Test Workflow
+# =============================================================================
+# This workflow performs unit testing for KubeVela upgrades by:
+# 1. Installing the latest stable KubeVela release
+# 2. Building and upgrading to the current development version
+# 3. Running unit tests to validate the upgrade functionality
+# =============================================================================
+
+name: Upgrade Unit Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main and release branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-tests:
+    name: Upgrade Unit Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 45  # Prevent hanging jobs
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Environment Setup
+      # ========================================================================
+
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+
+      - name: Setup KinD with Kubernetes ${{ matrix.k8s-version }}
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      - name: Run unit tests
+        uses: ./.github/actions/unit-test
+        with:
+          codecov-enable: false
+          codecov-token: ''
--- a/.github/workflows/webhook-upgrade-validation.yml
+++ b/.github/workflows/webhook-upgrade-validation.yml
@@ -0,0 +1,165 @@
+name: Webhook Upgrade Validation
+
+on:
+  push:
+    branches:
+      - master
+      - release-*
+    tags:
+      - v*
+  workflow_dispatch: {}
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.23.8'
+
+jobs:
+  webhook-upgrade-check:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Setup KinD
+        run: |
+          go install sigs.k8s.io/kind@v0.29.0
+          kind delete cluster || true
+          kind create cluster --image=kindest/node:v1.31.9
+
+      - name: Install KubeVela CLI
+        run: curl -fsSL https://kubevela.io/script/install.sh | bash
+
+      - name: Install KubeVela baseline
+        run: |
+          vela install --set featureGates.enableCueValidation=true
+          kubectl wait --namespace vela-system --for=condition=Available deployment/kubevela-vela-core --timeout=300s
+
+      - name: Prepare failing chart changes
+        run: |
+          cat <<'CHART' > charts/vela-core/templates/defwithtemplate/resource.yaml
+          # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+          # Definition source cue file: vela-templates/definitions/internal/resource.cue
+          apiVersion: core.oam.dev/v1beta1
+          kind: TraitDefinition
+          metadata:
+            annotations:
+              definition.oam.dev/description: Add resource requests and limits on K8s pod for your workload which follows the pod spec in path 'spec.template.'
+            name: resource
+            namespace: {{ include "systemDefinitionNamespace" . }}
+          spec:
+            appliesToWorkloads:
+              - deployments.apps
+              - statefulsets.apps
+              - daemonsets.apps
+              - jobs.batch
+              - cronjobs.batch
+            podDisruptive: true
+            schematic:
+              cue:
+                template: |2
+                  let resourceContent = {
+                    resources: {
+                      if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
+                        // +patchStrategy=retainKeys
+                        requests: {
+                          cpu:    parameter.cpu
+                          memory: parameter.memory
+                        }
+                        // +patchStrategy=retainKeys
+                        limits: {
+                          cpu:    parameter.cpu
+                          memory: parameter.memory
+                        }
+                      }
+                      if parameter.requests != _|_ {
+                        // +patchStrategy=retainKeys
+                        requests: {
+                          cpu:    parameter.requests.cpu
+                          memory: parameter.requests.memory
+                        }
+                      }
+                      if parameter.limits != _|_ {
+                        // +patchStrategy=retainKeys
+                        limits: {
+                          cpu:    parameter.limits.cpu
+                          memory: parameter.limits.memory
+                        }
+                      }
+                    }
+                  }
+                  if context.output.spec != _|_ if context.output.spec.template != _|_ {
+                    patch: spec: template: spec: {
+                      // +patchKey=name
+                      containers: [resourceContent]
+                    }
+                  }
+                  if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+                    patch: spec: jobTemplate: spec: template: spec: {
+                      // +patchKey=name
+                      containers: [resourceContent]
+                    }
+                  }
+                  parameter: {
+                    // +usage=Specify the amount of cpu for requests and limits
+                    cpu?: *1 | number | string
+                    // +usage=Specify the amount of memory for requests and limits
+                    memory?: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    // +usage=Specify the resources in requests
+                    requests?: {
+                      // +usage=Specify the amount of cpu for requests
+                      cpu: *1 | number | string
+                      // +usage=Specify the amount of memory for requests
+                      memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    }
+                    // +usage=Specify the resources in limits
+                    limits?: {
+                      // +usage=Specify the amount of cpu for limits
+                      cpu: *1 | number | string
+                      // +usage=Specify the amount of memory for limits
+                      memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    }
+                  }
+
+      - name: Load image
+        run: |
+          mkdir -p $HOME/tmp/
+          TMPDIR=$HOME/tmp/ make image-load
+
+      - name: Run Helm upgrade (expected to fail)
+        run: |
+          set +e
+          helm upgrade \
+            --set image.repository=vela-core-test \
+            --set image.tag=$(git rev-parse --short HEAD) \
+            --set featureGates.enableCueValidation=true \
+            --wait kubevela ./charts/vela-core --debug -n vela-system
+          status=$?
+          echo "Helm upgrade exit code: ${status}"
+          if [ $status -eq 0 ]; then
+            echo "Expected helm upgrade to fail" >&2
+            exit 1
+          fi
+          echo "Helm upgrade failed as expected"
+
+      - name: Dump webhook configurations
+        if: ${{ always() }}
+        run: |
+          kubectl get mutatingwebhookconfiguration kubevela-vela-core-admission -o yaml
+          kubectl get validatingwebhookconfiguration kubevela-vela-core-admission -o yaml
+
+      - name: Verify webhook validation remains active
+        run: ginkgo -v --focus-file requiredparam_validation_test.go ./test/e2e-test
+
+      - name: Cleanup kind cluster
+        if: ${{ always() }}
+        run: kind delete cluster --name kind
--- a/.gitignore
+++ b/.gitignore
@@ -35,12 +35,21 @@ vendor/
 .vscode
 .history

+# Debug binaries generated by VS Code/Delve
+__debug_bin*
+*/__debug_bin*
+
+# Webhook certificates generated at runtime
+k8s-webhook-server/
+options.go.bak 
+
 pkg/test/vela
 config/crd/bases
 _tmp/

 references/cmd/cli/fake/source.go
 references/cmd/cli/fake/chart_source.go
+references/vela-sdk-gen/*
 charts/vela-core/crds/_.yaml
 .test_vela
 tmp/
@@ -50,6 +59,6 @@ tmp/
 # check docs
 git-page/

-# e2e rollout runtime image build
-runtime/rollout/e2e/tmp
 vela.json
+
+dist/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,18 +1,6 @@
 run:
  timeout: 10m

-  skip-files:
-    - "zz_generated\\..+\\.go$"
-    - ".*_test.go$"
-
-  skip-dirs:
-    - "hack"
-    - "e2e"
-
-output:
-  # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
-  format: colored-line-number
-
 linters-settings:
  errcheck:
    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
@@ -23,24 +11,12 @@ linters-settings:
    # default is false: such cases aren't reported by default.
    check-blank: false

-    # [deprecated] comma-separated list of pairs of the form pkg:regex
-    # the regex is used to ignore names within pkg. (default "fmt:.*").
-    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
-    ignore: fmt:.*,io/ioutil:^Read.*
-
  exhaustive:
    # indicates that switch statements are to be considered exhaustive if a
    # 'default' case is present, even if all enum members aren't listed in the
    # switch
    default-signifies-exhaustive: true

-  govet:
-    # report about shadowed variables
-    check-shadowing: false
-
-  revive:
-    # minimal confidence for issues, default is 0.8
-    min-confidence: 0.8

  gofmt:
    # simplify code: gofmt with `-s` option, true by default
@@ -53,11 +29,8 @@ linters-settings:

  gocyclo:
    # minimal code complexity to report, 30 by default (but we recommend 10-20)
-    min-complexity: 30
+    min-complexity: 35

-  maligned:
-    # print struct with more effective memory layout or not, false by default
-    suggest-new: true

  dupl:
    # tokens count to trigger issue, 150 by default
@@ -73,13 +46,6 @@ linters-settings:
    # tab width in spaces. Default to 1.
    tab-width: 1

-  unused:
-    # treat code as a program (not a library) and report unused exported identifiers; default is false.
-    # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
-    # if it's called for subdir of a project it can't find funcs usages. All text editor integrations
-    # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
-
  unparam:
    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
@@ -107,9 +73,13 @@ linters-settings:
    # Allow only slices initialized with a length of zero. Default is false.
    always: false

+  revive:
+    rules:
+      - name: unused-parameter
+        disabled: true
+
 linters:
  enable:
-    - megacheck
    - govet
    - gocyclo
    - gocritic
@@ -121,11 +91,10 @@ linters:
    - misspell
    - nakedret
    - exportloopref
+    - unused
+    - gosimple
+    - staticcheck
  disable:
-    - deadcode
-    - scopelint
-    - structcheck
-    - varcheck
    - rowserrcheck
    - sqlclosecheck
    - errchkjson
@@ -137,8 +106,28 @@ linters:


 issues:
+
+  exclude-files:
+    - "zz_generated\\..+\\.go$"
+    - ".*_test.go$"
+
+  exclude-dirs:
+    - "hack"
+    - "e2e"
+
  # Excluding configuration per-path and per-linter
  exclude-rules:
+    - path: .*\.go
+      linters:
+        - errcheck
+      text: "fmt\\."
+
+    # Ignore unchecked errors from io/ioutil functions starting with Read
+    - path: .*\.go
+      linters:
+        - errcheck
+      text: "io/ioutil.*Read"
+      
    # Exclude some linters from running on tests files.
    - path: _test(ing)?\.go
      linters:
@@ -155,6 +144,21 @@ issues:
      linters:
        - gocritic

+    # The preferFprint suggestion (sb.WriteString(fmt.Sprintf(...)) -> fmt.Fprintf(sb, ...))
+    # is a micro-optimization. The defkit package generates CUE code infrequently,
+    # so the performance difference is negligible and the current style is more readable.
+    - path: pkg/definition/defkit/
+      text: "preferFprint"
+      linters:
+        - gocritic
+
+    # Gosmopolitan complains of internationalization issues on the file that actually defines
+    # the translation.
+    - path: i18n\.go
+      text: "Han"
+      linters:
+        - gosmopolitan
+
    # These are performance optimisations rather than style issues per se.
    # They warn when function arguments or range values copy a lot of memory
    # rather than using a pointer.
@@ -220,7 +224,7 @@ issues:
  new: false

  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
-  max-per-linter: 0
+  max-issues-per-linter: 0

  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0
+  max-same-issues: 0
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,98 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+builds:
+  - id: vela-cli
+    binary: vela
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./references/cmd/cli/main.go
+    ldflags:
+      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}
+    env:
+      - CGO_ENABLED=0
+
+  - id: kubectl-vela
+    binary: kubectl-vela
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./cmd/plugin/main.go
+    ldflags:
+      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}
+
+sboms:
+  - id: kubevela-binaries-sboms
+    artifacts: binary
+    documents:
+      - "${artifact}-{{ .Version }}-{{ .Os }}-{{ .Arch }}.spdx.sbom.json"
+
+signs:
+  - id: kubevela-cosign-keyless
+    artifacts: checksum # sign the checksum file over individual artifacts
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args:
+      - "sign-blob"
+      - "--yes"
+      - "--output-signature"
+      - "${artifact}-keyless.sig"
+      - "--output-certificate"
+      - "${artifact}-keyless.pem"
+      - "${artifact}"
+    output: true
+
+archives:
+  - format: tar.gz
+    id: vela-cli-tgz
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    builds:
+      - vela-cli
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: zip
+    id: vela-cli-zip
+    builds:
+      - vela-cli
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: tar.gz
+    id: plugin-tgz
+    builds:
+      - kubectl-vela
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+  - format: zip
+    id: plugin-zip
+    builds:
+      - kubectl-vela
+    wrap_in_directory: '{{ .Os }}-{{ .Arch }}'
+    name_template: '{{ trimsuffix .ArtifactName ".exe" }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}'
+    files: [ LICENSE, README.md ]
+
+checksum:
+  name_template: 'sha256sums.txt'
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+
+# The lines beneath this are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
--- a/.krew.yaml
+++ b/.krew.yaml
@@ -33,8 +33,8 @@ spec:
        arch: amd64
    {{addURIAndSha "https://github.com/oam-dev/kubevela/releases/download/{{ .TagName }}/kubectl-vela-{{ .TagName }}-windows-amd64.zip" .TagName }}
    files:
-    - from: "*/kubectl-vela"
-      to: "kubectl-vela.exe"
+    - from: "*/kubectl-vela.exe"
+      to: "."
    - from: "*/LICENSE"
      to: "."
    bin: "kubectl-vela.exe"
--- a/CHANGELOG/CHANGELOG-1.1.md
+++ b/CHANGELOG/CHANGELOG-1.1.md
@@ -230,7 +230,7 @@ spec:
 1. Workflow support specify Order Steps by Field Tag (#2022)
 2. support application policy (#2011)
 3. add OCM multi cluster demo (#1992)
-4. Fix(volume): seperate volume to trait (#2027)
+4. Fix(volume): separate volume to trait (#2027)
 5. allow application skip gc resource and leave workload ownerReference controlled by rollout(#2024)
 6. Store component parameters in context (#2030)
 7. Allow specify chart values for helm trait(#2033)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,3 +1,3 @@
 # CONTRIBUTING Guide

-Please refer to https://kubevela.io/docs/contributor/overview for details.
+Please refer to https://kubevela.io/docs/contributor/overview for details.
--- a/13
+++ b/13
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as builder
+FROM golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -9,15 +9,14 @@ COPY go.sum go.sum

 # It's a proxy for CN developer, please unblock it if you have network issue
 ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
+ENV GOPROXY=${GOPROXY:-https://proxy.golang.org}

 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download

-# Copy the go source
-COPY cmd/core/main.go main.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
+# Copy the go source for building core
+COPY cmd/core/ cmd/core/
 COPY apis/ apis/
 COPY pkg/ pkg/
 COPY version/ version/
@@ -29,13 +28,13 @@ ARG VERSION
 ARG GITVERSION
 RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o manager-${TARGETARCH} main.go
+    -o manager-${TARGETARCH} cmd/core/main.go

 # Use alpine as base image due to the discussion in issue #1448
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-FROM ${BASE_IMAGE:-alpine:3.15}
+FROM ${BASE_IMAGE:-alpine:3.18}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

--- a/Dockerfile.apiserver
+++ b/Dockerfile.apiserver
@@ -1,49 +0,0 @@
-ARG BASE_IMAGE
-# Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as builder
-ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-# Copy the go source
-COPY cmd/core/main.go main.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
-COPY apis/ apis/
-COPY pkg/ pkg/
-COPY version/ version/
-COPY references/ references/
-
-# Build
-ARG TARGETARCH
-ARG VERSION
-ARG GITVERSION
-
-RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
-    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o apiserver-${TARGETARCH} cmd/apiserver/main.go
-
-# Use alpine as base image due to the discussion in issue #1448
-# You can replace distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-# Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-
-FROM ${BASE_IMAGE:-alpine:3.15}
-# This is required by daemon connecting with cri
-RUN apk add --no-cache ca-certificates bash expat
-
-WORKDIR /
-
-ARG TARGETARCH
-COPY --from=builder /workspace/apiserver-${TARGETARCH} /usr/local/bin/apiserver
-
-COPY entrypoint.sh /usr/local/bin/
-
-ENTRYPOINT ["entrypoint.sh"]
-
-CMD ["apiserver"]
--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@@ -1,8 +1,8 @@
 ARG BASE_IMAGE
 # Build the cli binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder
 ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
+ENV GOPROXY=${GOPROXY:-https://proxy.golang.org}
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -32,7 +32,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH:-amd64} \
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`

-FROM ${BASE_IMAGE:-alpine:3.15}
+FROM ${BASE_IMAGE:-alpine:3.15@sha256:cf34c62ee8eb3fe8aa24c1fab45d7e9d12768d945c3f5a6fd6a63d901e898479}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

--- a/Dockerfile.e2e
+++ b/Dockerfile.e2e
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -13,7 +13,6 @@ RUN go mod download
 # Copy the go source
 COPY cmd/core/main.go main.go
 COPY cmd/core/main_e2e_test.go main_e2e_test.go
-COPY cmd/apiserver/main.go cmd/apiserver/main.go
 COPY cmd/ cmd/
 COPY apis/ apis/
 COPY pkg/ pkg/
@@ -29,16 +28,12 @@ RUN  apk add gcc musl-dev libc-dev ;\
    GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
    go test -c -o manager-${TARGETARCH}  -cover -covermode=atomic -coverpkg ./... .

-RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
-    go build -a -ldflags "-s -w -X github.com/oam-dev/kubevela/version.VelaVersion=${VERSION:-undefined} -X github.com/oam-dev/kubevela/version.GitRevision=${GITVERSION:-undefined}" \
-    -o apiserver-${TARGETARCH} cmd/apiserver/main.go
-
 # Use alpine as base image due to the discussion in issue #1448
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`

-FROM ${BASE_IMAGE:-alpine:3.15}
+FROM ${BASE_IMAGE:-alpine:3.15@sha256:cf34c62ee8eb3fe8aa24c1fab45d7e9d12768d945c3f5a6fd6a63d901e898479}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

@@ -46,7 +41,6 @@ WORKDIR /

 ARG TARGETARCH
 COPY --from=builder /workspace/manager-${TARGETARCH} /usr/local/bin/manager
-COPY --from=builder /workspace/apiserver-${TARGETARCH} /usr/local/bin/apiserver

 COPY entrypoint.sh /usr/local/bin/

--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -1,16 +1 @@
-# Governance
-
-[Project maintainers](https://github.com/kubevela/community/blob/main/OWNERS.md#maintainers) are responsible for activities around maintaining and updating KubeVela.
-Final decisions on the project reside with the project maintainers.
-
-Maintainers **MUST** remain active. If they are unresponsive for >6 months,
-they will be automatically removed unless a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the other project maintainers agrees to extend the period to be greater than 6 months.
-
-New maintainers can be added to the project by a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) vote of the existing maintainers.
-A potential maintainer may be nominated by an existing maintainer.
-A vote is conducted in private between the current maintainers over the course of a one week voting period.
-At the end of the week, votes are counted and a pull request is made on the repo adding the new maintainer to the [CODEOWNERS](https://github.com/kubevela/kubevela/blob/master/.github/CODEOWNERS) file.
-
-A maintainer may step down by submitting an [issue](https://github.com/kubevela/kubevela/issues/new/choose) stating their intent.
-
-Changes to this governance document require a pull request with approval from a [super-majority](https://en.wikipedia.org/wiki/Supermajority#Two-thirds_vote) of the current maintainers.
+Refer to https://github.com/kubevela/community/blob/main/GOVERNANCE.md
--- a/119
+++ b/119
@@ -8,64 +8,77 @@ include makefiles/e2e.mk
 .DEFAULT_GOAL := all
 all: build

-# Run tests
-test: unit-test-core test-cli-gen
+# ==============================================================================
+# Targets
+
+## test: Run tests
+test: envtest unit-test-core test-cli-gen
 	@$(OK) unit-tests pass

+## test-cli-gen: Run the unit tests for cli gen
 test-cli-gen: 
-	mkdir -p ./bin/doc
-	go run ./hack/docgen/cli/gen.go ./bin/doc
-unit-test-core:
-	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
-	go test $(shell go list ./references/... | grep -v apiserver)
-unit-test-apiserver:
-	go test -gcflags=all=-l -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/...  | grep -E 'apiserver|velaql')
+	@mkdir -p ./bin/doc
+	@go run ./hack/docgen/cli/gen.go ./bin/doc

-# Build vela cli binary
+## unit-test-core: Run the unit tests for core
+unit-test-core:
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test $(shell go list ./references/... | grep -v apiserver)
+
+## build: Build vela cli binary
 build: vela-cli kubectl-vela
 	@$(OK) build succeed

+## build-cli: Clean build
 build-cleanup:
-	rm -rf _bin
+	@echo "===========> Cleaning all build output"
+	@rm -rf _bin

-# Run go fmt against code
+## fmt: Run go fmt against code
 fmt: goimports installcue
 	go fmt ./...
 	$(GOIMPORTS) -local github.com/oam-dev/kubevela -w $$(go list -f {{.Dir}} ./...)
 	$(CUE) fmt ./vela-templates/definitions/internal/*
 	$(CUE) fmt ./vela-templates/definitions/deprecated/*
 	$(CUE) fmt ./vela-templates/definitions/registry/*
-	$(CUE) fmt ./pkg/stdlib/pkgs/*
-	$(CUE) fmt ./pkg/stdlib/op.cue
-	$(CUE) fmt ./pkg/workflow/tasks/template/static/*
-# Run go vet against code
+	$(CUE) fmt ./pkg/workflow/template/static/*
+	$(CUE) fmt ./pkg/workflow/providers/...
+
+## sdk_fmt: Run go fmt against code
+sdk_fmt:
+	./hack/sdk/reviewable.sh
+
+## vet: Run go vet against code
 vet:
-	go vet ./...
+	@$(INFO) go vet
+	@go vet $(shell go list ./...|grep -v scaffold)

+## staticcheck: Run the staticcheck
 staticcheck: staticchecktool
-	$(STATICCHECK) ./...
+	@$(INFO) staticcheck
+	@$(STATICCHECK) $(shell go list ./...|grep -v scaffold)

+## lint: Run the golangci-lint
 lint: golangci
-	$(GOLANGCILINT) run ./...
+	@$(INFO) lint
+	@GOLANGCILINT=$(GOLANGCILINT) ./hack/utils/golangci-lint-wrapper.sh

-reviewable: manifests fmt vet lint staticcheck helm-doc-gen
-	go mod tidy
+## reviewable: Run the reviewable
+## Run make build to compile vela binary before running this target to ensure all generated definitions are up to date.
+reviewable: build manifests fmt vet lint staticcheck helm-doc-gen sdk_fmt

-# Execute auto-gen code commands and ensure branch is clean.
+# check-diff: Execute auto-gen code commands and ensure branch is clean.
 check-diff: reviewable
 	git --no-pager diff
 	git diff --quiet || ($(ERR) please run 'make reviewable' to include all changes && false)
 	@$(OK) branch is clean

-# Push the docker image
+## docker-push: Push the docker image
 docker-push:
-	docker push $(VELA_CORE_IMAGE)
-
-build-swagger:
-	go run ./cmd/apiserver/main.go build-swagger ./docs/apidoc/swagger.json
-
-
+	@echo "===========> Pushing docker image"
+	@docker push $(VELA_CORE_IMAGE)

+## image-cleanup: Delete Docker images
 image-cleanup:
 ifneq (, $(shell which docker))
 # Delete Docker images
@@ -74,45 +87,27 @@ ifneq ($(shell docker images -q $(VELA_CORE_TEST_IMAGE)),)
 	docker rmi -f $(VELA_CORE_TEST_IMAGE)
 endif

-ifneq ($(shell docker images -q $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE)),)
-	docker rmi -f $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE)
 endif

-endif
-
-
-
-# load docker image to the k3d cluster
+## image-load: load docker image to the kind cluster
 image-load:
 	docker build -t $(VELA_CORE_TEST_IMAGE) -f Dockerfile.e2e .
-	k3d image import $(VELA_CORE_TEST_IMAGE) || { echo >&2 "kind not installed or error loading image: $(VELA_CORE_TEST_IMAGE)"; exit 1; }
+	kind load docker-image $(VELA_CORE_TEST_IMAGE) || { echo >&2 "kind not installed or error loading image: $(VELA_CORE_TEST_IMAGE)"; exit 1; }

-image-load-runtime-cluster:
-	/bin/sh hack/e2e/build_runtime_rollout.sh
-	docker build -t $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE) -f runtime/rollout/e2e/Dockerfile.e2e runtime/rollout/e2e/
-	rm -rf runtime/rollout/e2e/tmp
-	k3d image import $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE)  || { echo >&2 "kind not installed or error loading image: $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE)"; exit 1; }
-	k3d cluster get $(RUNTIME_CLUSTER_NAME) && k3d image import $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE) --cluster=$(RUNTIME_CLUSTER_NAME) || echo "no worker cluster"
-
-# Run tests
+## core-test: Run tests
 core-test:
 	go test ./pkg/... -coverprofile cover.out

-# Build vela core manager and apiserver binary
+## manager: Build vela core manager binary
 manager:
 	$(GOBUILD_ENV) go build -o bin/manager -a -ldflags $(LDFLAGS) ./cmd/core/main.go
-	$(GOBUILD_ENV) go build -o bin/apiserver -a -ldflags $(LDFLAGS) ./cmd/apiserver/main.go

-vela-runtime-rollout-manager:
-	$(GOBUILD_ENV) go build -o ./runtime/rollout/bin/manager -a -ldflags $(LDFLAGS) ./runtime/rollout/cmd/main.go
-
-# Generate manifests e.g. CRD, RBAC etc.
-manifests: installcue kustomize
+## manifests: Generate manifests e.g. CRD, RBAC etc.
+manifests: tidy installcue kustomize sync-crds
 	go generate $(foreach t,pkg apis,./$(t)/...)
 	# TODO(yangsoon): kustomize will merge all CRD into a whole file, it may not work if we want patch more than one CRD in this way
 	$(KUSTOMIZE) build config/crd -o config/crd/base/core.oam.dev_applications.yaml
-	./hack/crd/cleanup.sh
-	go run ./hack/crd/dispatch/dispatch.go config/crd/base charts/vela-core/crds runtime/ charts/vela-minimal/crds
+	go run ./hack/crd/dispatch/dispatch.go config/crd/base charts/vela-core/crds
 	rm -f config/crd/base/*
 	./vela-templates/gen_definitions.sh

@@ -124,12 +119,26 @@ HOSTARCH := amd64
 endif


+## check-license-header: Check license header
 check-license-header:
 	./hack/licence/header-check.sh

+## def-gen: Install definitions
 def-install:
 	./hack/utils/installdefinition.sh

+## helm-doc-gen: Generate helm chart README.md
 helm-doc-gen: helmdoc
 	readme-generator -v charts/vela-core/values.yaml -r charts/vela-core/README.md
-	readme-generator -v charts/vela-minimal/values.yaml -r charts/vela-minimal/README.md
+
+## help: Display help information
+help: Makefile
+	@echo ""
+	@echo "Usage:"
+	@echo ""
+	@echo "  make [target]"
+	@echo ""
+	@echo "Targets:"
+	@echo ""
+	@awk -F ':|##' '/^[^\.%\t][^\t]*:.*##/{printf "  \033[36m%-20s\033[0m %s\n", $$1, $$NF}' $(MAKEFILE_LIST) | sort
+	@sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' |  sed -e 's/^/ /'
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
  </p>
 </div>

-![Build status](https://github.com/kubevela/kubevela/workflows/E2E/badge.svg)
+![Build status](https://github.com/kubevela/kubevela/workflows/Go/badge.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubevela/kubevela)](https://goreportcard.com/report/github.com/kubevela/kubevela)
 ![Docker Pulls](https://img.shields.io/docker/pulls/oamdev/vela-core)
 [![codecov](https://codecov.io/gh/kubevela/kubevela/branch/master/graph/badge.svg)](https://codecov.io/gh/kubevela/kubevela)
@@ -16,6 +16,9 @@
 [![Twitter](https://img.shields.io/twitter/url?style=social&url=https%3A%2F%2Ftwitter.com%2Foam_dev)](https://twitter.com/oam_dev)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
+![E2E status](https://github.com/kubevela/kubevela/workflows/E2E%20Test/badge.svg)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela/badge)](https://scorecard.dev/viewer/?uri=github.com/kubevela/kubevela)
+[![](https://img.shields.io/badge/KubeVela-Check%20Your%20Contribution-orange)](https://opensource.alibaba.com/contribution_leaderboard/details?projectValue=kubevela)

 ## Introduction

@@ -27,17 +30,28 @@ KubeVela is a modern application delivery platform that makes deploying and oper

 KubeVela practices the "render, orchestrate, deploy" workflow with below highlighted values added to existing ecosystem:

-* Deployment as Code
+#### **Deployment as Code**

-Declare your deployment plan as workflow, run it automatically with any CI/CD or GitOps system, extend or re-program the workflow steps with CUE. No add-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by [Open Application Model](https://oam.dev/).
+Declare your deployment plan as workflow, run it automatically with any CI/CD or GitOps system, extend or re-program the workflow steps with [CUE](https://cuelang.org/).
+No ad-hoc scripts, no dirty glue code, just deploy. The deployment workflow in KubeVela is powered by [Open Application Model](https://oam.dev/).

-* Built-in security and compliance building blocks
+#### **Built-in observability, multi-tenancy and security support**

-Choose from the wide range of LDAP integrations we provided out-of-box, enjoy multi-cluster authorization that is fully automated, pick and apply fine-grained RBAC modules and customize them per your own supply chain requirements.
+Choose from the wide range of LDAP integrations we provided out-of-box, enjoy enhanced [multi-tenancy and multi-cluster authorization and authentication](https://kubevela.net/docs/platform-engineers/auth/advance),
+pick and apply fine-grained RBAC modules and customize them as per your own supply chain requirements.
+All delivery process has fully [automated observability dashboards](https://kubevela.net/docs/platform-engineers/operations/observability).

-* Multi-cloud/hybrid-environments app delivery as first-class citizen
+#### **Multi-cloud/hybrid-environments app delivery as first-class citizen**

-Progressive rollout across test/staging/production environments, automatic canary, blue-green and continuous verification, rich placement strategy across clusters and clouds, fully managed cloud environments provision.
+Natively supports multi-cluster/hybrid-cloud scenarios such as progressive rollout across test/staging/production environments,
+automatic canary, blue-green and continuous verification, rich placement strategy across clusters and clouds,
+along with automated cloud environments provision.
+
+#### **Lightweight but highly extensible architecture**
+
+Minimize your control plane deployment with only one pod and 0.5c1g resources to handle thousands of application delivery.
+Glue and orchestrate all your infrastructure capabilities as reusable modules with a highly extensible architecture
+and share the large growing community [addons](https://kubevela.net/docs/reference/addons/overview).

 ## Getting Started

@@ -45,6 +59,14 @@ Progressive rollout across test/staging/production environments, automatic canar
 * [Installation](https://kubevela.io/docs/install)
 * [Deploy Your Application](https://kubevela.io/docs/quick-start)

+### Get Your Own Demo with Alibaba Cloud
+
+- install KubeVela on a Serverless K8S cluster in 3 minutes, try:
+
+  <a href="https://acs.console.aliyun.com/quick-deploy?repo=kubevela/kubevela&branch=master" target="_blank">
+    <img src="https://img.alicdn.com/imgextra/i1/O1CN01aiPSuA1Wiz7wkgF5u_!!6000000002823-55-tps-399-70.svg" width="200" alt="Deploy on Alibaba Cloud">
+  </a>
+
 ## Documentation

 Full documentation is available on the [KubeVela website](https://kubevela.io/).
@@ -85,7 +107,7 @@ Check out [KubeVela videos](https://kubevela.io/videos/talks/en/oam-dapr) for th

 ## Contributing

-Check out [CONTRIBUTING](https://kubevela.io/docs/contributor/overview) to see how to develop with KubeVela.
+Check out [CONTRIBUTING](https://kubevela.io/docs/contributor/overview) to see how to develop with KubeVela

 ## Report Vulnerability

@@ -93,4 +115,4 @@ Security is a first priority thing for us at KubeVela. If you come across a rela

 ## Code of Conduct

-KubeVela adopts [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+KubeVela adopts [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
--- a/apis/core.oam.dev/common/types.go
+++ b/apis/core.oam.dev/common/types.go
@@ -26,23 +26,13 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"

+	wfTypesv1alpha1 "github.com/kubevela/pkg/apis/oam/v1alpha1"
 	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
-	"github.com/oam-dev/kubevela/apis/standard.oam.dev/v1alpha1"
 	"github.com/oam-dev/kubevela/pkg/oam"
 )

-// Kube defines the encapsulation in raw Kubernetes resource format
-type Kube struct {
-	// Template defines the raw Kubernetes resource
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Template runtime.RawExtension `json:"template"`
-
-	// Parameters defines configurable parameters
-	Parameters []KubeParameter `json:"parameters,omitempty"`
-}
-
 // ParameterValueType refers to a data type of parameter
 type ParameterValueType string

@@ -53,31 +43,6 @@ const (
 	BooleanType ParameterValueType = "boolean"
 )

-// A KubeParameter defines a configurable parameter of a component.
-type KubeParameter struct {
-	// Name of this parameter
-	Name string `json:"name"`
-
-	// +kubebuilder:validation:Enum:=string;number;boolean
-	// ValueType indicates the type of the parameter value, and
-	// only supports basic data types: string, number, boolean.
-	ValueType ParameterValueType `json:"type"`
-
-	// FieldPaths specifies an array of fields within this workload that will be
-	// overwritten by the value of this parameter. 	All fields must be of the
-	// same type. Fields are specified as JSON field paths without a leading
-	// dot, for example 'spec.replicas'.
-	FieldPaths []string `json:"fieldPaths"`
-
-	// +kubebuilder:default:=false
-	// Required specifies whether or not a value for this parameter must be
-	// supplied when authoring an Application.
-	Required *bool `json:"required,omitempty"`
-
-	// Description of this parameter.
-	Description *string `json:"description,omitempty"`
-}
-
 // CUE defines the encapsulation in CUE format
 type CUE struct {
 	// Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
@@ -88,26 +53,11 @@ type CUE struct {
 // Schematic defines the encapsulation of this capability(workload/trait/scope),
 // the encapsulation can be defined in different ways, e.g. CUE/HCL(terraform)/KUBE(K8s Object)/HELM, etc...
 type Schematic struct {
-	KUBE *Kube `json:"kube,omitempty"`
-
 	CUE *CUE `json:"cue,omitempty"`

-	HELM *Helm `json:"helm,omitempty"`
-
 	Terraform *Terraform `json:"terraform,omitempty"`
 }

-// A Helm represents resources used by a Helm module
-type Helm struct {
-	// Release records a Helm release used by a Helm module workload.
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Release runtime.RawExtension `json:"release"`
-
-	// HelmRelease records a Helm repository used by a Helm module workload.
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Repository runtime.RawExtension `json:"repository"`
-}
-
 // Terraform is the struct to describe cloud resources managed by Hashicorp Terraform
 type Terraform struct {
 	// Configuration is Terraform Configuration
@@ -137,6 +87,9 @@ type Terraform struct {

 	// Region is cloud provider's region. It will override the region in the region field of ProviderReference
 	Region string `json:"customRegion,omitempty"`
+
+	// GitCredentialsSecretReference specifies the reference to the secret containing the git credentials
+	GitCredentialsSecretReference *corev1.SecretReference `json:"gitCredentialsSecretReference,omitempty"`
 }

 // A WorkloadTypeDescriptor refer to a Workload Type
@@ -183,14 +136,15 @@ type Status struct {
 	// HealthPolicy defines the health check policy for the abstraction
 	// +optional
 	HealthPolicy string `json:"healthPolicy,omitempty"`
+	// Details stores a string representation of a CUE status map to be evaluated at runtime for display
+	// +optional
+	Details string `json:"details,omitempty"`
 }

 // ApplicationPhase is a label for the condition of an application at the current time
 type ApplicationPhase string

 const (
-	// ApplicationRollingOut means the app is in the middle of rolling out
-	ApplicationRollingOut ApplicationPhase = "rollingOut"
 	// ApplicationStarting means the app is preparing for reconcile
 	ApplicationStarting ApplicationPhase = "starting"
 	// ApplicationRendering means the app is rendering
@@ -205,8 +159,6 @@ const (
 	ApplicationWorkflowTerminated ApplicationPhase = "workflowTerminated"
 	// ApplicationWorkflowFailed means the app's workflow is failed
 	ApplicationWorkflowFailed ApplicationPhase = "workflowFailed"
-	// ApplicationWorkflowFinished means the app's workflow is finished
-	ApplicationWorkflowFinished ApplicationPhase = "workflowFinished"
 	// ApplicationRunning means the app finished rendering and applied result to the cluster
 	ApplicationRunning ApplicationPhase = "running"
 	// ApplicationUnhealthy means the app finished rendering and applied result to the cluster, but still unhealthy
@@ -215,26 +167,6 @@ const (
 	ApplicationDeleting ApplicationPhase = "deleting"
 )

-// WorkflowState is a string that mark the workflow state
-type WorkflowState string
-
-const (
-	// WorkflowStateInitializing means the workflow is in initial state
-	WorkflowStateInitializing WorkflowState = "Initializing"
-	// WorkflowStateTerminated means workflow is terminated manually, and it won't be started unless the spec changed.
-	WorkflowStateTerminated WorkflowState = "Terminated"
-	// WorkflowStateSuspended means workflow is suspended manually, and it can be resumed.
-	WorkflowStateSuspended WorkflowState = "Suspended"
-	// WorkflowStateSucceeded means workflow is running successfully, all steps finished.
-	WorkflowStateSucceeded WorkflowState = "Succeeded"
-	// WorkflowStateFinished means workflow is end.
-	WorkflowStateFinished WorkflowState = "Finished"
-	// WorkflowStateExecuting means workflow is still running or waiting some steps.
-	WorkflowStateExecuting WorkflowState = "Executing"
-	// WorkflowStateSkipping means it will skip this reconcile and let next reconcile to handle it.
-	WorkflowStateSkipping WorkflowState = "Skipping"
-)
-
 // ApplicationComponentStatus record the health status of App component
 type ApplicationComponentStatus struct {
 	Name      string `json:"name"`
@@ -242,11 +174,15 @@ type ApplicationComponentStatus struct {
 	Cluster   string `json:"cluster,omitempty"`
 	Env       string `json:"env,omitempty"`
 	// WorkloadDefinition is the definition of a WorkloadDefinition, such as deployments/apps.v1
-	WorkloadDefinition WorkloadGVK              `json:"workloadDefinition,omitempty"`
-	Healthy            bool                     `json:"healthy"`
-	Message            string                   `json:"message,omitempty"`
-	Traits             []ApplicationTraitStatus `json:"traits,omitempty"`
-	Scopes             []corev1.ObjectReference `json:"scopes,omitempty"`
+	WorkloadDefinition WorkloadGVK `json:"workloadDefinition,omitempty"`
+	Healthy            bool        `json:"healthy"`
+	// WorkloadHealthy indicates the workload health without considering trait health.
+	// +optional
+	WorkloadHealthy bool                     `json:"workloadHealthy,omitempty"`
+	Details         map[string]string        `json:"details,omitempty"`
+	Message         string                   `json:"message,omitempty"`
+	Traits          []ApplicationTraitStatus `json:"traits,omitempty"`
+	Scopes          []corev1.ObjectReference `json:"scopes,omitempty"`
 }

 // Equal check if two ApplicationComponentStatus are equal
@@ -257,9 +193,11 @@ func (in ApplicationComponentStatus) Equal(r ApplicationComponentStatus) bool {

 // ApplicationTraitStatus records the trait health status
 type ApplicationTraitStatus struct {
-	Type    string `json:"type"`
-	Healthy bool   `json:"healthy"`
-	Message string `json:"message,omitempty"`
+	Type    string            `json:"type"`
+	Healthy bool              `json:"healthy"`
+	Pending bool              `json:"pending,omitempty"`
+	Details map[string]string `json:"details,omitempty"`
+	Message string            `json:"message,omitempty"`
 }

 // Revision has name and revision number
@@ -271,13 +209,6 @@ type Revision struct {
 	RevisionHash string `json:"revisionHash,omitempty"`
 }

-// RawComponent record raw component
-type RawComponent struct {
-	// +kubebuilder:validation:EmbeddedResource
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Raw runtime.RawExtension `json:"raw"`
-}
-
 // AppStatus defines the observed state of Application
 type AppStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
@@ -299,6 +230,12 @@ type AppStatus struct {
 	// Workflow record the status of workflow
 	Workflow *WorkflowStatus `json:"workflow,omitempty"`

+	// WorkflowRestartScheduledAt schedules a workflow restart at the specified time.
+	// This field is automatically set when the app.oam.dev/restart-workflow annotation is present,
+	// and is cleared after the restart is triggered. Use RFC3339 format or set to current time for immediate restart.
+	// +optional
+	WorkflowRestartScheduledAt *metav1.Time `json:"workflowRestartScheduledAt,omitempty"`
+
 	// LatestRevision of the application configuration it generates
 	// +optional
 	LatestRevision *Revision `json:"latestRevision,omitempty"`
@@ -337,7 +274,8 @@ type WorkflowStatus struct {
 	Steps          []workflowv1alpha1.WorkflowStepStatus `json:"steps,omitempty"`

 	StartTime metav1.Time `json:"startTime,omitempty"`
-	EndTime   metav1.Time `json:"endTime,omitempty"`
+	// +nullable
+	EndTime metav1.Time `json:"endTime,omitempty"`
 }

 // DefinitionType describes the type of DefinitionRevision.
@@ -358,19 +296,6 @@ const (
 	WorkflowStepType DefinitionType = "WorkflowStep"
 )

-// AppRolloutStatus defines the observed state of AppRollout
-type AppRolloutStatus struct {
-	v1alpha1.RolloutStatus `json:",inline"`
-
-	// LastUpgradedTargetAppRevision contains the name of the app that we upgraded to
-	// We will restart the rollout if this is not the same as the spec
-	LastUpgradedTargetAppRevision string `json:"lastTargetAppRevision"`
-
-	// LastSourceAppRevision contains the name of the app that we need to upgrade from.
-	// We will restart the rollout if this is not the same as the spec
-	LastSourceAppRevision string `json:"LastSourceAppRevision,omitempty"`
-}
-
 // ApplicationTrait defines the trait of application
 type ApplicationTrait struct {
 	Type string `json:"type"`
@@ -387,9 +312,9 @@ type ApplicationComponent struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
 	Properties *runtime.RawExtension `json:"properties,omitempty"`

-	DependsOn []string                     `json:"dependsOn,omitempty"`
-	Inputs    workflowv1alpha1.StepInputs  `json:"inputs,omitempty"`
-	Outputs   workflowv1alpha1.StepOutputs `json:"outputs,omitempty"`
+	DependsOn []string                    `json:"dependsOn,omitempty"`
+	Inputs    wfTypesv1alpha1.StepInputs  `json:"inputs,omitempty"`
+	Outputs   wfTypesv1alpha1.StepOutputs `json:"outputs,omitempty"`

 	// Traits define the trait of one component, the type must be array to keep the order.
 	Traits []ApplicationTrait `json:"traits,omitempty"`
@@ -414,41 +339,22 @@ type ClusterSelector struct {
 	Labels map[string]string `json:"labels,omitempty"`
 }

-// Distribution defines the replica distribution of an AppRevision to a cluster.
-type Distribution struct {
-	// Replicas is the replica number.
-	Replicas int `json:"replicas,omitempty"`
-}
-
-// ClusterPlacement defines the cluster placement rules for an app revision.
-type ClusterPlacement struct {
-	// ClusterSelector selects the cluster to  deploy apps to.
-	// If not specified, it indicates the host cluster per se.
-	ClusterSelector *ClusterSelector `json:"clusterSelector,omitempty"`
-
-	// Distribution defines the replica distribution of an AppRevision to a cluster.
-	Distribution Distribution `json:"distribution,omitempty"`
-}
-
 const (
 	// PolicyResourceCreator create the policy resource.
 	PolicyResourceCreator string = "policy"
 	// WorkflowResourceCreator create the resource in workflow.
 	WorkflowResourceCreator string = "workflow"
-	// DebugResourceCreator create the debug resource.
-	DebugResourceCreator string = "debug"
 )

 // OAMObjectReference defines the object reference for an oam resource
 type OAMObjectReference struct {
 	Component string `json:"component,omitempty"`
 	Trait     string `json:"trait,omitempty"`
-	Env       string `json:"env,omitempty"`
 }

 // Equal check if two references are equal
 func (in OAMObjectReference) Equal(r OAMObjectReference) bool {
-	return in.Component == r.Component && in.Trait == r.Trait && in.Env == r.Env
+	return in.Component == r.Component && in.Trait == r.Trait
 }

 // AddLabelsToObject add labels to object if properties are not empty
@@ -463,9 +369,6 @@ func (in OAMObjectReference) AddLabelsToObject(obj client.Object) {
 	if in.Trait != "" {
 		labels[oam.TraitTypeLabel] = in.Trait
 	}
-	if in.Env != "" {
-		labels[oam.LabelAppEnv] = in.Env
-	}
 	obj.SetLabels(labels)
 }

@@ -475,7 +378,6 @@ func NewOAMObjectReferenceFromObject(obj client.Object) OAMObjectReference {
 		return OAMObjectReference{
 			Component: labels[oam.LabelAppComponent],
 			Trait:     labels[oam.TraitTypeLabel],
-			Env:       labels[oam.LabelAppEnv],
 		}
 	}
 	return OAMObjectReference{}
@@ -533,8 +435,6 @@ const (
 	RenderCondition
 	// WorkflowCondition indicates whether workflow processing is successful.
 	WorkflowCondition
-	// RolloutCondition indicates whether rollout processing is successful.
-	RolloutCondition
 	// ReadyCondition indicates whether whole application processing is successful.
 	ReadyCondition
 )
@@ -545,7 +445,6 @@ var conditions = map[ApplicationConditionType]string{
 	PolicyCondition:   "Policy",
 	RenderCondition:   "Render",
 	WorkflowCondition: "Workflow",
-	RolloutCondition:  "Rollout",
 	ReadyCondition:    "Ready",
 }

@@ -577,3 +476,29 @@ type ReferredObjectList struct {
 	// +optional
 	Objects []ReferredObject `json:"objects,omitempty"`
 }
+
+// ContainerState defines the state of a container
+type ContainerState string
+
+const (
+	// ContainerRunning indicates the container is running
+	ContainerRunning ContainerState = "Running"
+	// ContainerWaiting indicates the container is waiting
+	ContainerWaiting ContainerState = "Waiting"
+	// ContainerTerminated indicates the container is terminated
+	ContainerTerminated ContainerState = "Terminated"
+)
+
+// ContainerStateToString convert the container state to string
+func ContainerStateToString(state corev1.ContainerState) string {
+	switch {
+	case state.Running != nil:
+		return "Running"
+	case state.Waiting != nil:
+		return "Waiting"
+	case state.Terminated != nil:
+		return "Terminated"
+	default:
+		return "Unknown"
+	}
+}
--- a/apis/core.oam.dev/common/types_test.go
+++ b/apis/core.oam.dev/common/types_test.go
@@ -29,13 +29,12 @@ func TestOAMObjectReference(t *testing.T) {
 	o1 := OAMObjectReference{
 		Component: "component",
 		Trait:     "trait",
-		Env:       "env",
 	}
 	obj := &unstructured.Unstructured{}
 	o2 := NewOAMObjectReferenceFromObject(obj)
 	r.False(o2.Equal(o1))
 	o1.AddLabelsToObject(obj)
-	r.Equal(3, len(obj.GetLabels()))
+	r.Equal(2, len(obj.GetLabels()))
 	o3 := NewOAMObjectReferenceFromObject(obj)
 	r.True(o1.Equal(o3))
 	o3.Component = "comp"
@@ -58,3 +57,17 @@ func TestClusterObjectReference(t *testing.T) {
 	o2.Cluster = "c"
 	r.False(o2.Equal(o1))
 }
+
+func TestContainerStateToString(t *testing.T) {
+	r := require.New(t)
+	r.Equal("Waiting", ContainerStateToString(v1.ContainerState{
+		Waiting: &v1.ContainerStateWaiting{},
+	}))
+	r.Equal("Running", ContainerStateToString(v1.ContainerState{
+		Running: &v1.ContainerStateRunning{},
+	}))
+	r.Equal("Terminated", ContainerStateToString(v1.ContainerState{
+		Terminated: &v1.ContainerStateTerminated{},
+	}))
+	r.Equal("Unknown", ContainerStateToString(v1.ContainerState{}))
+}
--- a/apis/core.oam.dev/common/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/common/zz_generated.deepcopy.go
@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
-Copyright 2021 The KubeVela Authors.
+Copyright 2023 The KubeVela Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -22,28 +21,13 @@ limitations under the License.
 package common

 import (
+	oamv1alpha1 "github.com/kubevela/pkg/apis/oam/v1alpha1"
 	"github.com/kubevela/workflow/api/v1alpha1"
 	crossplane_runtime "github.com/oam-dev/terraform-controller/api/types/crossplane-runtime"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AppRolloutStatus) DeepCopyInto(out *AppRolloutStatus) {
-	*out = *in
-	in.RolloutStatus.DeepCopyInto(&out.RolloutStatus)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppRolloutStatus.
-func (in *AppRolloutStatus) DeepCopy() *AppRolloutStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(AppRolloutStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AppStatus) DeepCopyInto(out *AppStatus) {
 	*out = *in
@@ -65,6 +49,10 @@ func (in *AppStatus) DeepCopyInto(out *AppStatus) {
 		*out = new(WorkflowStatus)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.WorkflowRestartScheduledAt != nil {
+		in, out := &in.WorkflowRestartScheduledAt, &out.WorkflowRestartScheduledAt
+		*out = (*in).DeepCopy()
+	}
 	if in.LatestRevision != nil {
 		in, out := &in.LatestRevision, &out.LatestRevision
 		*out = new(Revision)
@@ -109,12 +97,12 @@ func (in *ApplicationComponent) DeepCopyInto(out *ApplicationComponent) {
 	}
 	if in.Inputs != nil {
 		in, out := &in.Inputs, &out.Inputs
-		*out = make(v1alpha1.StepInputs, len(*in))
+		*out = make(oamv1alpha1.StepInputs, len(*in))
 		copy(*out, *in)
 	}
 	if in.Outputs != nil {
 		in, out := &in.Outputs, &out.Outputs
-		*out = make(v1alpha1.StepOutputs, len(*in))
+		*out = make(oamv1alpha1.StepOutputs, len(*in))
 		copy(*out, *in)
 	}
 	if in.Traits != nil {
@@ -147,10 +135,19 @@ func (in *ApplicationComponent) DeepCopy() *ApplicationComponent {
 func (in *ApplicationComponentStatus) DeepCopyInto(out *ApplicationComponentStatus) {
 	*out = *in
 	out.WorkloadDefinition = in.WorkloadDefinition
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	if in.Traits != nil {
 		in, out := &in.Traits, &out.Traits
 		*out = make([]ApplicationTraitStatus, len(*in))
-		copy(*out, *in)
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	if in.Scopes != nil {
 		in, out := &in.Scopes, &out.Scopes
@@ -192,6 +189,13 @@ func (in *ApplicationTrait) DeepCopy() *ApplicationTrait {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationTraitStatus) DeepCopyInto(out *ApplicationTraitStatus) {
 	*out = *in
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationTraitStatus.
@@ -257,27 +261,6 @@ func (in *ClusterObjectReference) DeepCopy() *ClusterObjectReference {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterPlacement) DeepCopyInto(out *ClusterPlacement) {
-	*out = *in
-	if in.ClusterSelector != nil {
-		in, out := &in.ClusterSelector, &out.ClusterSelector
-		*out = new(ClusterSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	out.Distribution = in.Distribution
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPlacement.
-func (in *ClusterPlacement) DeepCopy() *ClusterPlacement {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterPlacement)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterSelector) DeepCopyInto(out *ClusterSelector) {
 	*out = *in
@@ -315,91 +298,6 @@ func (in *DefinitionReference) DeepCopy() *DefinitionReference {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Distribution) DeepCopyInto(out *Distribution) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Distribution.
-func (in *Distribution) DeepCopy() *Distribution {
-	if in == nil {
-		return nil
-	}
-	out := new(Distribution)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Helm) DeepCopyInto(out *Helm) {
-	*out = *in
-	in.Release.DeepCopyInto(&out.Release)
-	in.Repository.DeepCopyInto(&out.Repository)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Helm.
-func (in *Helm) DeepCopy() *Helm {
-	if in == nil {
-		return nil
-	}
-	out := new(Helm)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Kube) DeepCopyInto(out *Kube) {
-	*out = *in
-	in.Template.DeepCopyInto(&out.Template)
-	if in.Parameters != nil {
-		in, out := &in.Parameters, &out.Parameters
-		*out = make([]KubeParameter, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Kube.
-func (in *Kube) DeepCopy() *Kube {
-	if in == nil {
-		return nil
-	}
-	out := new(Kube)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubeParameter) DeepCopyInto(out *KubeParameter) {
-	*out = *in
-	if in.FieldPaths != nil {
-		in, out := &in.FieldPaths, &out.FieldPaths
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.Required != nil {
-		in, out := &in.Required, &out.Required
-		*out = new(bool)
-		**out = **in
-	}
-	if in.Description != nil {
-		in, out := &in.Description, &out.Description
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeParameter.
-func (in *KubeParameter) DeepCopy() *KubeParameter {
-	if in == nil {
-		return nil
-	}
-	out := new(KubeParameter)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OAMObjectReference) DeepCopyInto(out *OAMObjectReference) {
 	*out = *in
@@ -435,22 +333,6 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RawComponent) DeepCopyInto(out *RawComponent) {
-	*out = *in
-	in.Raw.DeepCopyInto(&out.Raw)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RawComponent.
-func (in *RawComponent) DeepCopy() *RawComponent {
-	if in == nil {
-		return nil
-	}
-	out := new(RawComponent)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RawExtensionPointer) DeepCopyInto(out *RawExtensionPointer) {
 	*out = *in
@@ -527,21 +409,11 @@ func (in *Revision) DeepCopy() *Revision {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Schematic) DeepCopyInto(out *Schematic) {
 	*out = *in
-	if in.KUBE != nil {
-		in, out := &in.KUBE, &out.KUBE
-		*out = new(Kube)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.CUE != nil {
 		in, out := &in.CUE, &out.CUE
 		*out = new(CUE)
 		**out = **in
 	}
-	if in.HELM != nil {
-		in, out := &in.HELM, &out.HELM
-		*out = new(Helm)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.Terraform != nil {
 		in, out := &in.Terraform, &out.Terraform
 		*out = new(Terraform)
@@ -587,6 +459,11 @@ func (in *Terraform) DeepCopyInto(out *Terraform) {
 		*out = new(crossplane_runtime.Reference)
 		**out = **in
 	}
+	if in.GitCredentialsSecretReference != nil {
+		in, out := &in.GitCredentialsSecretReference, &out.GitCredentialsSecretReference
+		*out = new(v1.SecretReference)
+		**out = **in
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Terraform.
--- a/apis/core.oam.dev/condition/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/condition/zz_generated.deepcopy.go
@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
-Copyright 2021 The KubeVela Authors.
+Copyright 2023 The KubeVela Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
--- a/apis/core.oam.dev/groupversion_info.go
+++ b/apis/core.oam.dev/groupversion_info.go
@@ -21,13 +21,12 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha2"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
 )

 func init() {
 	// Register the types with the Scheme so the resources can map objects to GroupVersionKinds and back
-	AddToSchemes = append(AddToSchemes, v1alpha1.SchemeBuilder.AddToScheme, v1alpha2.SchemeBuilder.AddToScheme, v1beta1.SchemeBuilder.AddToScheme)
+	AddToSchemes = append(AddToSchemes, v1alpha1.SchemeBuilder.AddToScheme, v1beta1.SchemeBuilder.AddToScheme)
 }

 // AddToSchemes may be used to add all resources defined in the project to a Scheme
--- a/apis/core.oam.dev/v1alpha1/applyonce_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/applyonce_policy_types.go
@@ -23,8 +23,17 @@ import (
 const (
 	// ApplyOncePolicyType refers to the type of configuration drift policy
 	ApplyOncePolicyType = "apply-once"
+	// ApplyOnceStrategyOnAppUpdate policy takes effect on application updating
+	ApplyOnceStrategyOnAppUpdate ApplyOnceAffectStrategy = "onUpdate"
+	// ApplyOnceStrategyOnAppStateKeep policy takes effect on application state keep
+	ApplyOnceStrategyOnAppStateKeep ApplyOnceAffectStrategy = "onStateKeep"
+	// ApplyOnceStrategyAlways policy takes effect always
+	ApplyOnceStrategyAlways ApplyOnceAffectStrategy = "always"
 )

+// ApplyOnceAffectStrategy is a string that mark the policy effective stage
+type ApplyOnceAffectStrategy string
+
 // ApplyOncePolicySpec defines the spec of preventing configuration drift
 type ApplyOncePolicySpec struct {
 	Enable bool `json:"enable"`
@@ -45,10 +54,18 @@ type ApplyOnceStrategy struct {
 	// Path the specified path that allow configuration drift
 	// like 'spec.template.spec.containers[0].resources' and '*' means the whole target allow configuration drift
 	Path []string `json:"path"`
+	// ApplyOnceAffectStrategy Decide when the strategy will take effect
+	// like affect:onUpdate/onStateKeep/always
+	ApplyOnceAffectStrategy ApplyOnceAffectStrategy `json:"affect"`
+}
+
+// Type the type name of the policy
+func (in *ApplyOncePolicySpec) Type() string {
+	return ApplyOncePolicyType
 }

 // FindStrategy find apply-once strategy for target resource
-func (in ApplyOncePolicySpec) FindStrategy(manifest *unstructured.Unstructured) *ApplyOnceStrategy {
+func (in *ApplyOncePolicySpec) FindStrategy(manifest *unstructured.Unstructured) *ApplyOnceStrategy {
 	if !in.Enable {
 		return nil
 	}
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
@@ -17,11 +17,9 @@ limitations under the License.
 package v1alpha1

 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/utils/pointer"
-	"k8s.io/utils/strings/slices"
-
-	"github.com/oam-dev/kubevela/pkg/oam"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )

 const (
@@ -31,10 +29,17 @@ const (

 // GarbageCollectPolicySpec defines the spec of configuration drift
 type GarbageCollectPolicySpec struct {
+	// ApplicationRevisionLimit if set, this application will use this number for application revision instead of
+	// the global configuration
+	ApplicationRevisionLimit *int `json:"applicationRevisionLimit,omitempty"`
+
 	// KeepLegacyResource if is set, outdated versioned resourcetracker will not be recycled automatically
 	// outdated resources will be kept until resourcetracker be deleted manually
 	KeepLegacyResource bool `json:"keepLegacyResource,omitempty"`

+	// ContinueOnFailure if is set, continue to execute gc when the workflow fails, by default gc will be executed only after the workflow succeeds
+	ContinueOnFailure bool `json:"continueOnFailure,omitempty"`
+
 	// Order defines the order of garbage collect
 	Order GarbageCollectOrder `json:"order,omitempty"`

@@ -53,61 +58,9 @@ const (

 // GarbageCollectPolicyRule defines a single garbage-collect policy rule
 type GarbageCollectPolicyRule struct {
-	Selector ResourcePolicyRuleSelector `json:"selector"`
-	Strategy GarbageCollectStrategy     `json:"strategy"`
-}
-
-// ResourcePolicyRuleSelector select the targets of the rule
-// if multiple conditions are specified, combination logic is AND
-type ResourcePolicyRuleSelector struct {
-	CompNames        []string `json:"componentNames,omitempty"`
-	CompTypes        []string `json:"componentTypes,omitempty"`
-	OAMResourceTypes []string `json:"oamTypes,omitempty"`
-	TraitTypes       []string `json:"traitTypes,omitempty"`
-	ResourceTypes    []string `json:"resourceTypes,omitempty"`
-	ResourceNames    []string `json:"resourceNames,omitempty"`
-}
-
-// Match check if current rule selector match the target resource
-// If at least one condition is matched and no other condition failed (could be empty), return true
-// Otherwise, return false
-func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured) bool {
-	var compName, compType, oamType, traitType, resourceType, resourceName string
-	if labels := manifest.GetLabels(); labels != nil {
-		compName = labels[oam.LabelAppComponent]
-		compType = labels[oam.WorkloadTypeLabel]
-		oamType = labels[oam.LabelOAMResourceType]
-		traitType = labels[oam.TraitTypeLabel]
-	}
-	resourceType = manifest.GetKind()
-	resourceName = manifest.GetName()
-	match := func(src []string, val string) (found *bool) {
-		if len(src) == 0 {
-			return nil
-		}
-		return pointer.Bool(val != "" && slices.Contains(src, val))
-	}
-	conditions := []*bool{
-		match(in.CompNames, compName),
-		match(in.CompTypes, compType),
-		match(in.OAMResourceTypes, oamType),
-		match(in.TraitTypes, traitType),
-		match(in.ResourceTypes, resourceType),
-		match(in.ResourceNames, resourceName),
-	}
-	hasMatched := false
-	for _, cond := range conditions {
-		// if any non-empty condition failed, return false
-		if cond != nil && !*cond {
-			return false
-		}
-		// if condition succeed, record it
-		if cond != nil && *cond {
-			hasMatched = true
-		}
-	}
-	// if at least one condition is met, return true
-	return hasMatched
+	Selector    ResourcePolicyRuleSelector `json:"selector"`
+	Strategy    GarbageCollectStrategy     `json:"strategy"`
+	Propagation *GarbageCollectPropagation `json:"propagation"`
 }

 // GarbageCollectStrategy the strategy for target resource to recycle
@@ -123,8 +76,23 @@ const (
 	GarbageCollectStrategyOnAppUpdate GarbageCollectStrategy = "onAppUpdate"
 )

+// GarbageCollectPropagation the deletion propagation setting similar to metav1.DeletionPropagation
+type GarbageCollectPropagation string
+
+const (
+	// GarbageCollectPropagationOrphan orphan child resources while deleting target resources
+	GarbageCollectPropagationOrphan = "orphan"
+	// GarbageCollectPropagationCascading delete child resources in background while deleting target resources
+	GarbageCollectPropagationCascading = "cascading"
+)
+
+// Type the type name of the policy
+func (in *GarbageCollectPolicySpec) Type() string {
+	return GarbageCollectPolicyType
+}
+
 // FindStrategy find gc strategy for target resource
-func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
+func (in *GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructured) *GarbageCollectStrategy {
 	for _, rule := range in.Rules {
 		if rule.Selector.Match(manifest) {
 			return &rule.Strategy
@@ -132,3 +100,18 @@ func (in GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstructu
 	}
 	return nil
 }
+
+// FindDeleteOption find delete option for target resource
+func (in *GarbageCollectPolicySpec) FindDeleteOption(manifest *unstructured.Unstructured) (bool, []client.DeleteOption) {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) && rule.Propagation != nil {
+			switch *rule.Propagation {
+			case GarbageCollectPropagationOrphan:
+				return true, []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationOrphan)}
+			case GarbageCollectPropagationCascading:
+				return false, []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationBackground)}
+			}
+		}
+	}
+	return false, nil
+}
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types_test.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types_test.go
--- a/apis/core.oam.dev/v1alpha1/policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/policy_types.go
@@ -16,8 +16,6 @@ limitations under the License.

 package v1alpha1

-import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-
 const (
 	// TopologyPolicyType refers to the type of topology policy
 	TopologyPolicyType = "topology"
@@ -25,8 +23,6 @@ const (
 	OverridePolicyType = "override"
 	// DebugPolicyType refers to the type of debug policy
 	DebugPolicyType = "debug"
-	// SharedResourcePolicyType refers to the type of shared resource policy
-	SharedResourcePolicyType = "shared-resource"
 	// ReplicationPolicyType refers to the type of replication policy
 	ReplicationPolicyType = "replication"
 )
@@ -64,26 +60,6 @@ type OverridePolicySpec struct {
 	Selector   []string            `json:"selector,omitempty"`
 }

-// SharedResourcePolicySpec defines the spec of shared-resource policy
-type SharedResourcePolicySpec struct {
-	Rules []SharedResourcePolicyRule `json:"rules"`
-}
-
-// SharedResourcePolicyRule defines the rule for sharing resources
-type SharedResourcePolicyRule struct {
-	Selector ResourcePolicyRuleSelector `json:"selector"`
-}
-
-// FindStrategy return if the target resource should be shared
-func (in SharedResourcePolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
-	for _, rule := range in.Rules {
-		if rule.Selector.Match(manifest) {
-			return true
-		}
-	}
-	return false
-}
-
 // ReplicationPolicySpec defines the spec of replication policy
 // Override policy should be used together with replication policy to select the deployment target components
 type ReplicationPolicySpec struct {
--- a/apis/core.oam.dev/v1alpha1/readonly_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/readonly_policy_types.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// ReadOnlyPolicyType refers to the type of read-only policy
+	ReadOnlyPolicyType = "read-only"
+)
+
+// ReadOnlyPolicySpec defines the spec of read-only policy
+type ReadOnlyPolicySpec struct {
+	Rules []ReadOnlyPolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *ReadOnlyPolicySpec) Type() string {
+	return ReadOnlyPolicyType
+}
+
+// ReadOnlyPolicyRule defines the rule for read-only resources
+type ReadOnlyPolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource is read-only
+func (in *ReadOnlyPolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}
--- a/apis/core.oam.dev/v1alpha1/register.go
+++ b/apis/core.oam.dev/v1alpha1/register.go
@@ -18,9 +18,10 @@ package v1alpha1

 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8sscheme "k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"

-	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"
+	wfTypesv1alpha1 "github.com/kubevela/pkg/apis/oam/v1alpha1"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )
@@ -56,5 +57,11 @@ var (

 func init() {
 	SchemeBuilder.Register(&Policy{}, &PolicyList{})
-	SchemeBuilder.Register(&workflowv1alpha1.Workflow{}, &workflowv1alpha1.WorkflowList{})
+	SchemeBuilder.Register(&wfTypesv1alpha1.Workflow{}, &wfTypesv1alpha1.WorkflowList{})
+	_ = SchemeBuilder.AddToScheme(k8sscheme.Scheme)
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
 }
--- a/apis/core.oam.dev/v1alpha1/resource_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/resource_policy_types.go
@@ -0,0 +1,78 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/utils/ptr"
+	stringslices "k8s.io/utils/strings/slices"
+
+	"github.com/oam-dev/kubevela/pkg/oam"
+)
+
+// ResourcePolicyRuleSelector select the targets of the rule
+// if multiple conditions are specified, combination logic is AND
+type ResourcePolicyRuleSelector struct {
+	CompNames        []string `json:"componentNames,omitempty"`
+	CompTypes        []string `json:"componentTypes,omitempty"`
+	OAMResourceTypes []string `json:"oamTypes,omitempty"`
+	TraitTypes       []string `json:"traitTypes,omitempty"`
+	ResourceTypes    []string `json:"resourceTypes,omitempty"`
+	ResourceNames    []string `json:"resourceNames,omitempty"`
+}
+
+// Match check if current rule selector match the target resource
+// If at least one condition is matched and no other condition failed (could be empty), return true
+// Otherwise, return false
+func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured) bool {
+	var compName, compType, oamType, traitType, resourceType, resourceName string
+	if labels := manifest.GetLabels(); labels != nil {
+		compName = labels[oam.LabelAppComponent]
+		compType = labels[oam.WorkloadTypeLabel]
+		oamType = labels[oam.LabelOAMResourceType]
+		traitType = labels[oam.TraitTypeLabel]
+	}
+	resourceType = manifest.GetKind()
+	resourceName = manifest.GetName()
+	match := func(src []string, val string) (found *bool) {
+		if len(src) == 0 {
+			return nil
+		}
+		return ptr.To(val != "" && stringslices.Contains(src, val))
+	}
+	conditions := []*bool{
+		match(in.CompNames, compName),
+		match(in.CompTypes, compType),
+		match(in.OAMResourceTypes, oamType),
+		match(in.TraitTypes, traitType),
+		match(in.ResourceTypes, resourceType),
+		match(in.ResourceNames, resourceName),
+	}
+	hasMatched := false
+	for _, cond := range conditions {
+		// if any non-empty condition failed, return false
+		if cond != nil && !*cond {
+			return false
+		}
+		// if condition succeed, record it
+		if cond != nil && *cond {
+			hasMatched = true
+		}
+	}
+	// if at least one condition is met, return true
+	return hasMatched
+}
--- a/apis/core.oam.dev/v1alpha1/resource_update_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/resource_update_policy_types.go
@@ -0,0 +1,70 @@
+/*
+Copyright 2023 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// ResourceUpdatePolicyType refers to the type of resource-update policy
+	ResourceUpdatePolicyType = "resource-update"
+)
+
+// ResourceUpdatePolicySpec defines the spec of resource-update policy
+type ResourceUpdatePolicySpec struct {
+	Rules []ResourceUpdatePolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *ResourceUpdatePolicySpec) Type() string {
+	return ResourceUpdatePolicyType
+}
+
+// ResourceUpdatePolicyRule defines the rule for resource-update resources
+type ResourceUpdatePolicyRule struct {
+	// Selector picks which resources should be affected
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+	// Strategy the strategy for updating resources
+	Strategy ResourceUpdateStrategy `json:"strategy,omitempty"`
+}
+
+// ResourceUpdateStrategy the update strategy for resource
+type ResourceUpdateStrategy struct {
+	// Op the update op for selected resources
+	Op ResourceUpdateOp `json:"op,omitempty"`
+	// RecreateFields the field path which will trigger recreate if changed
+	RecreateFields []string `json:"recreateFields,omitempty"`
+}
+
+// ResourceUpdateOp update op for resource
+type ResourceUpdateOp string
+
+const (
+	// ResourceUpdateStrategyPatch patch the target resource (three-way patch)
+	ResourceUpdateStrategyPatch ResourceUpdateOp = "patch"
+	// ResourceUpdateStrategyReplace update the target resource
+	ResourceUpdateStrategyReplace ResourceUpdateOp = "replace"
+)
+
+// FindStrategy return if the target resource is read-only
+func (in *ResourceUpdatePolicySpec) FindStrategy(manifest *unstructured.Unstructured) *ResourceUpdateStrategy {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return &rule.Strategy
+		}
+	}
+	return nil
+}
--- a/apis/core.oam.dev/v1alpha1/sharedresource_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/sharedresource_policy_types.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// SharedResourcePolicyType refers to the type of shared resource policy
+	SharedResourcePolicyType = "shared-resource"
+)
+
+// SharedResourcePolicySpec defines the spec of shared-resource policy
+type SharedResourcePolicySpec struct {
+	Rules []SharedResourcePolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *SharedResourcePolicySpec) Type() string {
+	return SharedResourcePolicyType
+}
+
+// SharedResourcePolicyRule defines the rule for sharing resources
+type SharedResourcePolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource should be shared
+func (in *SharedResourcePolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}
--- a/apis/core.oam.dev/v1alpha1/sharedresource_policy_types_test.go
+++ b/apis/core.oam.dev/v1alpha1/sharedresource_policy_types_test.go
--- a/apis/core.oam.dev/v1alpha1/takeover_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/takeover_policy_types.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2022 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+const (
+	// TakeOverPolicyType refers to the type of take-over policy
+	TakeOverPolicyType = "take-over"
+)
+
+// TakeOverPolicySpec defines the spec of take-over policy
+type TakeOverPolicySpec struct {
+	Rules []TakeOverPolicyRule `json:"rules"`
+}
+
+// Type the type name of the policy
+func (in *TakeOverPolicySpec) Type() string {
+	return TakeOverPolicyType
+}
+
+// TakeOverPolicyRule defines the rule for taking over resources
+type TakeOverPolicyRule struct {
+	Selector ResourcePolicyRuleSelector `json:"selector"`
+}
+
+// FindStrategy return if the target resource should be taken over
+func (in *TakeOverPolicySpec) FindStrategy(manifest *unstructured.Unstructured) bool {
+	for _, rule := range in.Rules {
+		if rule.Selector.Match(manifest) {
+			return true
+		}
+	}
+	return false
+}
--- a/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
-Copyright 2021 The KubeVela Authors.
+Copyright 2023 The KubeVela Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -314,6 +313,11 @@ func (in *EnvTraitPatch) DeepCopy() *EnvTraitPatch {
 func (in *GarbageCollectPolicyRule) DeepCopyInto(out *GarbageCollectPolicyRule) {
 	*out = *in
 	in.Selector.DeepCopyInto(&out.Selector)
+	if in.Propagation != nil {
+		in, out := &in.Propagation, &out.Propagation
+		*out = new(GarbageCollectPropagation)
+		**out = **in
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GarbageCollectPolicyRule.
@@ -329,6 +333,11 @@ func (in *GarbageCollectPolicyRule) DeepCopy() *GarbageCollectPolicyRule {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GarbageCollectPolicySpec) DeepCopyInto(out *GarbageCollectPolicySpec) {
 	*out = *in
+	if in.ApplicationRevisionLimit != nil {
+		in, out := &in.ApplicationRevisionLimit, &out.ApplicationRevisionLimit
+		*out = new(int)
+		**out = **in
+	}
 	if in.Rules != nil {
 		in, out := &in.Rules, &out.Rules
 		*out = make([]GarbageCollectPolicyRule, len(*in))
@@ -585,6 +594,44 @@ func (in *PolicyList) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReadOnlyPolicyRule) DeepCopyInto(out *ReadOnlyPolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReadOnlyPolicyRule.
+func (in *ReadOnlyPolicyRule) DeepCopy() *ReadOnlyPolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(ReadOnlyPolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReadOnlyPolicySpec) DeepCopyInto(out *ReadOnlyPolicySpec) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]ReadOnlyPolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReadOnlyPolicySpec.
+func (in *ReadOnlyPolicySpec) DeepCopy() *ReadOnlyPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ReadOnlyPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RefObjectsComponentSpec) DeepCopyInto(out *RefObjectsComponentSpec) {
 	*out = *in
@@ -682,6 +729,65 @@ func (in *ResourcePolicyRuleSelector) DeepCopy() *ResourcePolicyRuleSelector {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceUpdatePolicyRule) DeepCopyInto(out *ResourceUpdatePolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+	in.Strategy.DeepCopyInto(&out.Strategy)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceUpdatePolicyRule.
+func (in *ResourceUpdatePolicyRule) DeepCopy() *ResourceUpdatePolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceUpdatePolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceUpdatePolicySpec) DeepCopyInto(out *ResourceUpdatePolicySpec) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]ResourceUpdatePolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceUpdatePolicySpec.
+func (in *ResourceUpdatePolicySpec) DeepCopy() *ResourceUpdatePolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceUpdatePolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceUpdateStrategy) DeepCopyInto(out *ResourceUpdateStrategy) {
+	*out = *in
+	if in.RecreateFields != nil {
+		in, out := &in.RecreateFields, &out.RecreateFields
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceUpdateStrategy.
+func (in *ResourceUpdateStrategy) DeepCopy() *ResourceUpdateStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceUpdateStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SharedResourcePolicyRule) DeepCopyInto(out *SharedResourcePolicyRule) {
 	*out = *in
@@ -720,6 +826,44 @@ func (in *SharedResourcePolicySpec) DeepCopy() *SharedResourcePolicySpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TakeOverPolicyRule) DeepCopyInto(out *TakeOverPolicyRule) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TakeOverPolicyRule.
+func (in *TakeOverPolicyRule) DeepCopy() *TakeOverPolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(TakeOverPolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TakeOverPolicySpec) DeepCopyInto(out *TakeOverPolicySpec) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]TakeOverPolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TakeOverPolicySpec.
+func (in *TakeOverPolicySpec) DeepCopy() *TakeOverPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TakeOverPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopologyPolicySpec) DeepCopyInto(out *TopologyPolicySpec) {
 	*out = *in
--- a/apis/core.oam.dev/v1alpha2/application_types.go
+++ b/apis/core.oam.dev/v1alpha2/application_types.go
@@ -1,123 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-	"github.com/oam-dev/kubevela/apis/standard.oam.dev/v1alpha1"
-)
-
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
-// AppStatus defines the observed state of Application
-type AppStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-	v1alpha1.RolloutStatus `json:",inline"`
-
-	Phase common.ApplicationPhase `json:"status,omitempty"`
-
-	// Components record the related Components created by Application Controller
-	Components []corev1.ObjectReference `json:"components,omitempty"`
-
-	// Services record the status of the application services
-	Services []common.ApplicationComponentStatus `json:"services,omitempty"`
-
-	// ResourceTracker record the status of the ResourceTracker
-	ResourceTracker *corev1.ObjectReference `json:"resourceTracker,omitempty"`
-
-	// LatestRevision of the application configuration it generates
-	// +optional
-	LatestRevision *common.Revision `json:"latestRevision,omitempty"`
-}
-
-// ApplicationTrait defines the trait of application
-type ApplicationTrait struct {
-	Name string `json:"name"`
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Properties *runtime.RawExtension `json:"properties,omitempty"`
-}
-
-// ApplicationComponent describe the component of application
-type ApplicationComponent struct {
-	Name         string `json:"name"`
-	WorkloadType string `json:"type"`
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Settings runtime.RawExtension `json:"settings,omitempty"`
-
-	// Traits define the trait of one component, the type must be array to keep the order.
-	Traits []ApplicationTrait `json:"traits,omitempty"`
-
-	// +kubebuilder:pruning:PreserveUnknownFields
-	// scopes in ApplicationComponent defines the component-level scopes
-	// the format is <scope-type:scope-instance-name> pairs, the key represents type of `ScopeDefinition` while the value represent the name of scope instance.
-	Scopes map[string]string `json:"scopes,omitempty"`
-}
-
-// ApplicationSpec is the spec of Application
-type ApplicationSpec struct {
-	Components []ApplicationComponent `json:"components"`
-
-	// TODO(wonderflow): we should have application level scopes supported here
-
-	// RolloutPlan is the details on how to rollout the resources
-	// The controller simply replace the old resources with the new one if there is no rollout plan involved
-	// +optional
-	RolloutPlan *v1alpha1.RolloutPlan `json:"rolloutPlan,omitempty"`
-}
-
-// Application is the Schema for the applications API
-// +kubebuilder:object:root=true
-// +kubebuilder:resource:categories={oam},shortName={app,velaapp}
-// +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:name="COMPONENT",type=string,JSONPath=`.spec.components[*].name`
-// +kubebuilder:printcolumn:name="TYPE",type=string,JSONPath=`.spec.components[*].type`
-// +kubebuilder:printcolumn:name="PHASE",type=string,JSONPath=`.status.status`
-// +kubebuilder:printcolumn:name="HEALTHY",type=boolean,JSONPath=`.status.services[*].healthy`
-// +kubebuilder:printcolumn:name="STATUS",type=string,JSONPath=`.status.services[*].message`
-// +kubebuilder:printcolumn:name="AGE",type=date,JSONPath=".metadata.creationTimestamp"
-type Application struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ApplicationSpec  `json:"spec,omitempty"`
-	Status common.AppStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ApplicationList contains a list of Application
-type ApplicationList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Application `json:"items"`
-}
-
-// GetComponent get the component from the application based on its workload type
-func (app *Application) GetComponent(workloadType string) *ApplicationComponent {
-	for _, c := range app.Spec.Components {
-		if c.WorkloadType == workloadType {
-			return &c
-		}
-	}
-	return nil
-}
--- a/apis/core.oam.dev/v1alpha2/application_types_test.go
+++ b/apis/core.oam.dev/v1alpha2/application_types_test.go
@@ -1,68 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	"reflect"
-	"testing"
-)
-
-func TestApplicationGetComponent(t *testing.T) {
-	ac1 := ApplicationComponent{
-		Name:         "ac1",
-		WorkloadType: "type1",
-	}
-	ac2 := ApplicationComponent{
-		Name:         "ac2",
-		WorkloadType: "type2",
-	}
-	tests := map[string]struct {
-		app           *Application
-		componentName string
-		want          *ApplicationComponent
-	}{
-		"test get one": {
-			app: &Application{
-				Spec: ApplicationSpec{
-					Components: []ApplicationComponent{
-						ac1, ac2,
-					},
-				},
-			},
-			componentName: ac1.WorkloadType,
-			want:          &ac1,
-		},
-		"test get none": {
-			app: &Application{
-				Spec: ApplicationSpec{
-					Components: []ApplicationComponent{
-						ac2,
-					},
-				},
-			},
-			componentName: ac1.WorkloadType,
-			want:          nil,
-		},
-	}
-	for name, tt := range tests {
-		t.Run(name, func(t *testing.T) {
-			if got := tt.app.GetComponent(tt.componentName); !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("GetComponent() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/apis/core.oam.dev/v1alpha2/applicationrevision_types.go
+++ b/apis/core.oam.dev/v1alpha2/applicationrevision_types.go
@@ -1,73 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-)
-
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
-// ApplicationRevisionSpec is the spec of ApplicationRevision
-type ApplicationRevisionSpec struct {
-	// Application records the snapshot of the created/modified Application
-	Application Application `json:"application"`
-
-	// ComponentDefinitions records the snapshot of the componentDefinitions related with the created/modified Application
-	ComponentDefinitions map[string]ComponentDefinition `json:"componentDefinitions,omitempty"`
-
-	// WorkloadDefinitions records the snapshot of the workloadDefinitions related with the created/modified Application
-	WorkloadDefinitions map[string]WorkloadDefinition `json:"workloadDefinitions,omitempty"`
-
-	// TraitDefinitions records the snapshot of the traitDefinitions related with the created/modified Application
-	TraitDefinitions map[string]TraitDefinition `json:"traitDefinitions,omitempty"`
-
-	// ScopeDefinitions records the snapshot of the scopeDefinitions related with the created/modified Application
-	ScopeDefinitions map[string]ScopeDefinition `json:"scopeDefinitions,omitempty"`
-
-	// Components records the rendered components from Application, it will contains the whole K8s CR of workload in it.
-
-	Components []common.RawComponent `json:"components,omitempty"`
-
-	// ApplicationConfiguration records the rendered applicationConfiguration from Application,
-	// it will contains the whole K8s CR of trait and the reference component in it.
-	// +kubebuilder:validation:EmbeddedResource
-	// +kubebuilder:pruning:PreserveUnknownFields
-	ApplicationConfiguration runtime.RawExtension `json:"applicationConfiguration"`
-}
-
-// ApplicationRevision is the Schema for the ApplicationRevision API
-// +kubebuilder:object:root=true
-// +kubebuilder:resource:categories={oam},shortName=apprev
-// +kubebuilder:printcolumn:name="AGE",type=date,JSONPath=".metadata.creationTimestamp"
-type ApplicationRevision struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec ApplicationRevisionSpec `json:"spec,omitempty"`
-}
-
-// ApplicationRevisionList contains a list of ApplicationRevision
-// +kubebuilder:object:root=true
-type ApplicationRevisionList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ApplicationRevision `json:"items"`
-}
--- a/apis/core.oam.dev/v1alpha2/componentdefinition_types.go
+++ b/apis/core.oam.dev/v1alpha2/componentdefinition_types.go
@@ -1,103 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-)
-
-// ComponentDefinitionSpec defines the desired state of ComponentDefinition
-type ComponentDefinitionSpec struct {
-	// Workload is a workload type descriptor
-	Workload common.WorkloadTypeDescriptor `json:"workload"`
-
-	// ChildResourceKinds are the list of GVK of the child resources this workload generates
-	ChildResourceKinds []common.ChildResourceKind `json:"childResourceKinds,omitempty"`
-
-	// RevisionLabel indicates which label for underlying resources(e.g. pods) of this workload
-	// can be used by trait to create resource selectors(e.g. label selector for pods).
-	// +optional
-	RevisionLabel string `json:"revisionLabel,omitempty"`
-
-	// PodSpecPath indicates where/if this workload has K8s podSpec field
-	// if one workload has podSpec, trait can do lot's of assumption such as port, env, volume fields.
-	// +optional
-	PodSpecPath string `json:"podSpecPath,omitempty"`
-
-	// Status defines the custom health policy and status message for workload
-	// +optional
-	Status *common.Status `json:"status,omitempty"`
-
-	// Schematic defines the data format and template of the encapsulation of the workload
-	// +optional
-	Schematic *common.Schematic `json:"schematic,omitempty"`
-
-	// Extension is used for extension needs by OAM platform builders
-	// +optional
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Extension *runtime.RawExtension `json:"extension,omitempty"`
-}
-
-// ComponentDefinitionStatus is the status of ComponentDefinition
-type ComponentDefinitionStatus struct {
-	// ConditionedStatus reflects the observed status of a resource
-	condition.ConditionedStatus `json:",inline"`
-	// ConfigMapRef refer to a ConfigMap which contains OpenAPI V3 JSON schema of Component parameters.
-	ConfigMapRef string `json:"configMapRef,omitempty"`
-	// LatestRevision of the component definition
-	// +optional
-	LatestRevision *common.Revision `json:"latestRevision,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ComponentDefinition is the Schema for the componentdefinitions API
-// +kubebuilder:resource:scope=Namespaced,categories={oam},shortName=comp
-// +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:name="WORKLOAD-KIND",type=string,JSONPath=".spec.workload.definition.kind"
-// +kubebuilder:printcolumn:name="DESCRIPTION",type=string,JSONPath=".metadata.annotations.definition\\.oam\\.dev/description"
-type ComponentDefinition struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ComponentDefinitionSpec   `json:"spec,omitempty"`
-	Status ComponentDefinitionStatus `json:"status,omitempty"`
-}
-
-// SetConditions set condition for WorkloadDefinition
-func (cd *ComponentDefinition) SetConditions(c ...condition.Condition) {
-	cd.Status.SetConditions(c...)
-}
-
-// GetCondition gets condition from WorkloadDefinition
-func (cd *ComponentDefinition) GetCondition(conditionType condition.ConditionType) condition.Condition {
-	return cd.Status.GetCondition(conditionType)
-}
-
-// +kubebuilder:object:root=true
-
-// ComponentDefinitionList contains a list of ComponentDefinition
-type ComponentDefinitionList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ComponentDefinition `json:"items"`
-}
--- a/apis/core.oam.dev/v1alpha2/conversion.go
+++ b/apis/core.oam.dev/v1alpha2/conversion.go
@@ -1,139 +0,0 @@
-/*
- Copyright 2021 The KubeVela Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	"fmt"
-	"reflect"
-
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/klog/v2"
-	"sigs.k8s.io/controller-runtime/pkg/conversion"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-)
-
-// ApplicationV1alpha2ToV1beta1 will convert v1alpha2 to v1beta1
-func ApplicationV1alpha2ToV1beta1(v1a2 *Application, v1b1 *v1beta1.Application) {
-	// 1) convert metav1.TypeMeta
-	// apiVersion and Kind automatically converted
-
-	// 2) convert metav1.ObjectMeta
-	v1b1.ObjectMeta = *v1a2.ObjectMeta.DeepCopy()
-
-	// 3) convert Spec  ApplicationSpec
-	// 3.1) convert Spec.Components
-	for _, comp := range v1a2.Spec.Components {
-
-		// convert trait, especially for `.name` -> `.type`
-		var traits = make([]common.ApplicationTrait, len(comp.Traits))
-		for j, trait := range comp.Traits {
-			traits[j] = common.ApplicationTrait{
-				Type:       trait.Name,
-				Properties: trait.Properties.DeepCopy(),
-			}
-		}
-
-		// deep copy scopes
-		scopes := make(map[string]string)
-		for k, v := range comp.Scopes {
-			scopes[k] = v
-		}
-		// convert component
-		// `.settings` -> `.properties`
-		v1b1.Spec.Components = append(v1b1.Spec.Components, common.ApplicationComponent{
-			Name:       comp.Name,
-			Type:       comp.WorkloadType,
-			Properties: comp.Settings.DeepCopy(),
-			Traits:     traits,
-			Scopes:     scopes,
-		})
-	}
-
-	// 4) convert Status common.AppStatus
-	v1b1.Status = *v1a2.Status.DeepCopy()
-}
-
-// ConvertTo converts this Application to the Hub version (v1beta1 only for now).
-func (app *Application) ConvertTo(dst conversion.Hub) error {
-	switch convertedApp := dst.(type) {
-	case *v1beta1.Application:
-		klog.Infof("convert *v1alpha2.Application [%s] to *v1beta1.Application", app.Name)
-		ApplicationV1alpha2ToV1beta1(app, convertedApp)
-		return nil
-	default:
-	}
-	return fmt.Errorf("unsupported convertTo object %v", reflect.TypeOf(dst))
-}
-
-// ConvertFrom converts from the Hub version (v1beta1) to this version (v1alpha2).
-func (app *Application) ConvertFrom(src conversion.Hub) error {
-	switch sourceApp := src.(type) {
-	case *v1beta1.Application:
-
-		klog.Infof("convert *v1alpha2.Application from *v1beta1.Application [%s]", sourceApp.Name)
-
-		// 1) convert metav1.TypeMeta
-		// apiVersion and Kind automatically converted
-
-		// 2) convert metav1.ObjectMeta
-		app.ObjectMeta = *sourceApp.ObjectMeta.DeepCopy()
-
-		// 3) convert Spec  ApplicationSpec
-		// 3.1) convert Spec.Components
-		for _, comp := range sourceApp.Spec.Components {
-
-			// convert trait, especially for `.type` -> `.name`
-			var traits = make([]ApplicationTrait, len(comp.Traits))
-			for j, trait := range comp.Traits {
-				traits[j] = ApplicationTrait{
-					Name:       trait.Type,
-					Properties: trait.Properties.DeepCopy(),
-				}
-			}
-
-			// deep copy scopes
-			scopes := make(map[string]string)
-			for k, v := range comp.Scopes {
-				scopes[k] = v
-			}
-			// convert component
-			//  `.properties` -> `.settings`
-
-			var compProperties runtime.RawExtension
-
-			if comp.Properties != nil {
-				compProperties = *comp.Properties.DeepCopy()
-			}
-
-			app.Spec.Components = append(app.Spec.Components, ApplicationComponent{
-				Name:         comp.Name,
-				WorkloadType: comp.Type,
-				Settings:     compProperties,
-				Traits:       traits,
-				Scopes:       scopes,
-			})
-		}
-
-		// 4) convert Status common.AppStatus
-		app.Status = *sourceApp.Status.DeepCopy()
-		return nil
-	default:
-	}
-	return fmt.Errorf("unsupported ConvertFrom object %v", reflect.TypeOf(src))
-}
--- a/apis/core.oam.dev/v1alpha2/conversion_test.go
+++ b/apis/core.oam.dev/v1alpha2/conversion_test.go
@@ -1,117 +0,0 @@
-/*
- Copyright 2021 The KubeVela Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	"fmt"
-	"testing"
-
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
-)
-
-var app = Application{
-	Spec: ApplicationSpec{
-		Components: []ApplicationComponent{{
-			Name:         "test-component",
-			WorkloadType: "worker",
-			Traits:       []ApplicationTrait{},
-			Scopes:       map[string]string{},
-		}},
-	},
-}
-
-type errType struct {
-}
-
-func (*errType) Hub() {}
-
-func (*errType) DeepCopyObject() runtime.Object {
-	return nil
-}
-
-func (*errType) GetObjectKind() schema.ObjectKind {
-	return nil
-}
-
-func TestApplicationV1alpha2ToV1beta1(t *testing.T) {
-	r := require.New(t)
-	expected := &v1beta1.Application{}
-	ApplicationV1alpha2ToV1beta1(&app, expected)
-
-	r.Equal(expected, &v1beta1.Application{
-		Spec: v1beta1.ApplicationSpec{
-			Components: []common.ApplicationComponent{{
-				Name:       "test-component",
-				Type:       "worker",
-				Properties: &runtime.RawExtension{},
-				Traits:     []common.ApplicationTrait{},
-				Scopes:     map[string]string{},
-			}},
-		},
-	})
-}
-
-func TestConvertTo(t *testing.T) {
-	r := require.New(t)
-	expected := &v1beta1.Application{}
-	err := app.ConvertTo(expected)
-	r.NoError(err)
-	r.Equal(expected, &v1beta1.Application{
-		Spec: v1beta1.ApplicationSpec{
-			Components: []common.ApplicationComponent{{
-				Name:       "test-component",
-				Type:       "worker",
-				Properties: &runtime.RawExtension{},
-				Traits:     []common.ApplicationTrait{},
-				Scopes:     map[string]string{},
-			}},
-		},
-	})
-
-	errCase := &errType{}
-	err = app.ConvertTo(errCase)
-	r.Equal(err, fmt.Errorf("unsupported convertTo object *v1alpha2.errType"))
-}
-
-func TestConvertFrom(t *testing.T) {
-	r := require.New(t)
-	to := &Application{}
-	from := &v1beta1.Application{
-		Spec: v1beta1.ApplicationSpec{
-			Components: []common.ApplicationComponent{{
-				Name:       "test-component",
-				Type:       "worker",
-				Properties: &runtime.RawExtension{},
-				Traits:     []common.ApplicationTrait{},
-				Scopes:     map[string]string{},
-			}},
-		},
-	}
-	err := to.ConvertFrom(from)
-	r.NoError(err)
-	r.Equal(to.Spec, app.Spec)
-
-	errCase := &errType{}
-	err = app.ConvertFrom(errCase)
-	r.Equal(err, fmt.Errorf("unsupported ConvertFrom object *v1alpha2.errType"))
-}
--- a/apis/core.oam.dev/v1alpha2/core_scope_types.go
+++ b/apis/core.oam.dev/v1alpha2/core_scope_types.go
@@ -1,146 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
-
-	"github.com/oam-dev/kubevela/pkg/oam"
-)
-
-// HealthStatus represents health status strings.
-type HealthStatus string
-
-const (
-	// StatusHealthy represents healthy status.
-	StatusHealthy HealthStatus = "HEALTHY"
-	// StatusUnhealthy represents unhealthy status.
-	StatusUnhealthy = "UNHEALTHY"
-	// StatusUnknown represents unknown status.
-	StatusUnknown = "UNKNOWN"
-)
-
-var _ oam.Scope = &HealthScope{}
-
-// A HealthScopeSpec defines the desired state of a HealthScope.
-type HealthScopeSpec struct {
-	// ProbeTimeout is the amount of time in seconds to wait when receiving a response before marked failure.
-	ProbeTimeout *int32 `json:"probe-timeout,omitempty"`
-
-	// ProbeInterval is the amount of time in seconds between probing tries.
-	ProbeInterval *int32 `json:"probe-interval,omitempty"`
-
-	// AppRefs records references of applications' components
-	AppRefs []AppReference `json:"appReferences,omitempty"`
-
-	// WorkloadReferences to the workloads that are in this scope.
-	// +deprecated
-	WorkloadReferences []corev1.ObjectReference `json:"workloadRefs"`
-}
-
-// AppReference records references of an application's components
-type AppReference struct {
-	AppName        string          `json:"appName,omitempty"`
-	CompReferences []CompReference `json:"compReferences,omitempty"`
-}
-
-// CompReference records references of a component's resources
-type CompReference struct {
-	CompName string                   `json:"compName,omitempty"`
-	Workload corev1.ObjectReference   `json:"workload,omitempty"`
-	Traits   []corev1.ObjectReference `json:"traits,omitempty"`
-}
-
-// A HealthScopeStatus represents the observed state of a HealthScope.
-type HealthScopeStatus struct {
-	condition.ConditionedStatus `json:",inline"`
-
-	// ScopeHealthCondition represents health condition summary of the scope
-	ScopeHealthCondition ScopeHealthCondition `json:"scopeHealthCondition"`
-
-	// AppHealthConditions represents health condition of applications in the scope
-	AppHealthConditions []*AppHealthCondition `json:"appHealthConditions,omitempty"`
-
-	// WorkloadHealthConditions represents health condition of workloads in the scope
-	// Use AppHealthConditions to provide app level status
-	// +deprecated
-	WorkloadHealthConditions []*WorkloadHealthCondition `json:"healthConditions,omitempty"`
-}
-
-// AppHealthCondition represents health condition of an application
-type AppHealthCondition struct {
-	AppName    string                     `json:"appName"`
-	EnvName    string                     `json:"envName,omitempty"`
-	Components []*WorkloadHealthCondition `json:"components,omitempty"`
-}
-
-// ScopeHealthCondition represents health condition summary of a scope.
-type ScopeHealthCondition struct {
-	HealthStatus       HealthStatus `json:"healthStatus"`
-	Total              int64        `json:"total,omitempty"`
-	HealthyWorkloads   int64        `json:"healthyWorkloads,omitempty"`
-	UnhealthyWorkloads int64        `json:"unhealthyWorkloads,omitempty"`
-	UnknownWorkloads   int64        `json:"unknownWorkloads,omitempty"`
-}
-
-// WorkloadHealthCondition represents informative health condition of a workload.
-type WorkloadHealthCondition struct {
-	// ComponentName represents the component name if target is a workload
-	ComponentName  string                 `json:"componentName,omitempty"`
-	TargetWorkload corev1.ObjectReference `json:"targetWorkload,omitempty"`
-	HealthStatus   HealthStatus           `json:"healthStatus"`
-	Diagnosis      string                 `json:"diagnosis,omitempty"`
-	// WorkloadStatus represents status of workloads whose HealthStatus is UNKNOWN.
-	WorkloadStatus  string                  `json:"workloadStatus,omitempty"`
-	CustomStatusMsg string                  `json:"customStatusMsg,omitempty"`
-	Traits          []*TraitHealthCondition `json:"traits,omitempty"`
-}
-
-// TraitHealthCondition represents informative health condition of a trait.
-type TraitHealthCondition struct {
-	Type            string       `json:"type"`
-	Resource        string       `json:"resource"`
-	HealthStatus    HealthStatus `json:"healthStatus"`
-	Diagnosis       string       `json:"diagnosis,omitempty"`
-	CustomStatusMsg string       `json:"customStatusMsg,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// A HealthScope determines an aggregate health status based of the health of components.
-// +kubebuilder:resource:categories={oam}
-// +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:JSONPath=".status.health",name=HEALTH,type=string
-type HealthScope struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   HealthScopeSpec   `json:"spec,omitempty"`
-	Status HealthScopeStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// HealthScopeList contains a list of HealthScope.
-type HealthScopeList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []HealthScope `json:"items"`
-}
--- a/apis/core.oam.dev/v1alpha2/core_types.go
+++ b/apis/core.oam.dev/v1alpha2/core_types.go
@@ -1,673 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/intstr"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-	"github.com/oam-dev/kubevela/apis/types"
-)
-
-// A WorkloadDefinitionSpec defines the desired state of a WorkloadDefinition.
-type WorkloadDefinitionSpec struct {
-	// Reference to the CustomResourceDefinition that defines this workload kind.
-	Reference common.DefinitionReference `json:"definitionRef"`
-
-	// ChildResourceKinds are the list of GVK of the child resources this workload generates
-	ChildResourceKinds []common.ChildResourceKind `json:"childResourceKinds,omitempty"`
-
-	// RevisionLabel indicates which label for underlying resources(e.g. pods) of this workload
-	// can be used by trait to create resource selectors(e.g. label selector for pods).
-	// +optional
-	RevisionLabel string `json:"revisionLabel,omitempty"`
-
-	// PodSpecPath indicates where/if this workload has K8s podSpec field
-	// if one workload has podSpec, trait can do lot's of assumption such as port, env, volume fields.
-	// +optional
-	PodSpecPath string `json:"podSpecPath,omitempty"`
-
-	// Status defines the custom health policy and status message for workload
-	// +optional
-	Status *common.Status `json:"status,omitempty"`
-
-	// Schematic defines the data format and template of the encapsulation of the workload
-	// +optional
-	Schematic *common.Schematic `json:"schematic,omitempty"`
-
-	// Extension is used for extension needs by OAM platform builders
-	// +optional
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Extension *runtime.RawExtension `json:"extension,omitempty"`
-}
-
-// WorkloadDefinitionStatus is the status of WorkloadDefinition
-type WorkloadDefinitionStatus struct {
-	condition.ConditionedStatus `json:",inline"`
-}
-
-// +kubebuilder:object:root=true
-
-// A WorkloadDefinition registers a kind of Kubernetes custom resource as a
-// valid OAM workload kind by referencing its CustomResourceDefinition. The CRD
-// is used to validate the schema of the workload when it is embedded in an OAM
-// Component.
-// +kubebuilder:resource:scope=Namespaced,categories={oam},shortName=workload
-// +kubebuilder:printcolumn:name="DEFINITION-NAME",type=string,JSONPath=".spec.definitionRef.name"
-type WorkloadDefinition struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   WorkloadDefinitionSpec   `json:"spec,omitempty"`
-	Status WorkloadDefinitionStatus `json:"status,omitempty"`
-}
-
-// SetConditions set condition for WorkloadDefinition
-func (wd *WorkloadDefinition) SetConditions(c ...condition.Condition) {
-	wd.Status.SetConditions(c...)
-}
-
-// GetCondition gets condition from WorkloadDefinition
-func (wd *WorkloadDefinition) GetCondition(conditionType condition.ConditionType) condition.Condition {
-	return wd.Status.GetCondition(conditionType)
-}
-
-// +kubebuilder:object:root=true
-
-// WorkloadDefinitionList contains a list of WorkloadDefinition.
-type WorkloadDefinitionList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []WorkloadDefinition `json:"items"`
-}
-
-// A TraitDefinitionSpec defines the desired state of a TraitDefinition.
-type TraitDefinitionSpec struct {
-	// Reference to the CustomResourceDefinition that defines this trait kind.
-	Reference common.DefinitionReference `json:"definitionRef,omitempty"`
-
-	// Revision indicates whether a trait is aware of component revision
-	// +optional
-	RevisionEnabled bool `json:"revisionEnabled,omitempty"`
-
-	// WorkloadRefPath indicates where/if a trait accepts a workloadRef object
-	// +optional
-	WorkloadRefPath string `json:"workloadRefPath,omitempty"`
-
-	// PodDisruptive specifies whether using the trait will cause the pod to restart or not.
-	// +optional
-	PodDisruptive bool `json:"podDisruptive,omitempty"`
-
-	// AppliesToWorkloads specifies the list of workload kinds this trait
-	// applies to. Workload kinds are specified in kind.group/version format,
-	// e.g. server.core.oam.dev/v1alpha2. Traits that omit this field apply to
-	// all workload kinds.
-	// +optional
-	AppliesToWorkloads []string `json:"appliesToWorkloads,omitempty"`
-
-	// ConflictsWith specifies the list of traits(CRD name, Definition name, CRD group)
-	// which could not apply to the same workloads with this trait.
-	// Traits that omit this field can work with any other traits.
-	// Example rules:
-	// "service" # Trait definition name
-	// "services.k8s.io" # API resource/crd name
-	// "*.networking.k8s.io" # API group
-	// "labelSelector:foo=bar" # label selector
-	// labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse
-	// +optional
-	ConflictsWith []string `json:"conflictsWith,omitempty"`
-
-	// Schematic defines the data format and template of the encapsulation of the trait
-	// +optional
-	Schematic *common.Schematic `json:"schematic,omitempty"`
-
-	// Status defines the custom health policy and status message for trait
-	// +optional
-	Status *common.Status `json:"status,omitempty"`
-
-	// Extension is used for extension needs by OAM platform builders
-	// +optional
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Extension *runtime.RawExtension `json:"extension,omitempty"`
-}
-
-// TraitDefinitionStatus is the status of TraitDefinition
-type TraitDefinitionStatus struct {
-	// ConditionedStatus reflects the observed status of a resource
-	condition.ConditionedStatus `json:",inline"`
-	// ConfigMapRef refer to a ConfigMap which contains OpenAPI V3 JSON schema of Component parameters.
-	ConfigMapRef string `json:"configMapRef,omitempty"`
-	// LatestRevision of the trait definition
-	// +optional
-	LatestRevision *common.Revision `json:"latestRevision,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// A TraitDefinition registers a kind of Kubernetes custom resource as a valid
-// OAM trait kind by referencing its CustomResourceDefinition. The CRD is used
-// to validate the schema of the trait when it is embedded in an OAM
-// ApplicationConfiguration.
-// +kubebuilder:resource:scope=Namespaced,categories={oam},shortName=trait
-// +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:name="APPLIES-TO",type=string,JSONPath=".spec.appliesToWorkloads"
-// +kubebuilder:printcolumn:name="DESCRIPTION",type=string,JSONPath=".metadata.annotations.definition\\.oam\\.dev/description"
-type TraitDefinition struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   TraitDefinitionSpec   `json:"spec,omitempty"`
-	Status TraitDefinitionStatus `json:"status,omitempty"`
-}
-
-// SetConditions set condition for TraitDefinition
-func (td *TraitDefinition) SetConditions(c ...condition.Condition) {
-	td.Status.SetConditions(c...)
-}
-
-// GetCondition gets condition from TraitDefinition
-func (td *TraitDefinition) GetCondition(conditionType condition.ConditionType) condition.Condition {
-	return td.Status.GetCondition(conditionType)
-}
-
-// +kubebuilder:object:root=true
-
-// TraitDefinitionList contains a list of TraitDefinition.
-type TraitDefinitionList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []TraitDefinition `json:"items"`
-}
-
-// A ScopeDefinitionSpec defines the desired state of a ScopeDefinition.
-type ScopeDefinitionSpec struct {
-	// Reference to the CustomResourceDefinition that defines this scope kind.
-	Reference common.DefinitionReference `json:"definitionRef"`
-
-	// WorkloadRefsPath indicates if/where a scope accepts workloadRef objects
-	WorkloadRefsPath string `json:"workloadRefsPath,omitempty"`
-
-	// AllowComponentOverlap specifies whether an OAM component may exist in
-	// multiple instances of this kind of scope.
-	AllowComponentOverlap bool `json:"allowComponentOverlap"`
-
-	// Extension is used for extension needs by OAM platform builders
-	// +optional
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Extension *runtime.RawExtension `json:"extension,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// A ScopeDefinition registers a kind of Kubernetes custom resource as a valid
-// OAM scope kind by referencing its CustomResourceDefinition. The CRD is used
-// to validate the schema of the scope when it is embedded in an OAM
-// ApplicationConfiguration.
-// +kubebuilder:printcolumn:JSONPath=".spec.definitionRef.name",name=DEFINITION-NAME,type=string
-// +kubebuilder:resource:scope=Namespaced,categories={oam},shortName=scope
-type ScopeDefinition struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec ScopeDefinitionSpec `json:"spec,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ScopeDefinitionList contains a list of ScopeDefinition.
-type ScopeDefinitionList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ScopeDefinition `json:"items"`
-}
-
-// A ComponentParameter defines a configurable parameter of a component.
-type ComponentParameter struct {
-	// Name of this parameter. OAM ApplicationConfigurations will specify
-	// parameter values using this name.
-	Name string `json:"name"`
-
-	// FieldPaths specifies an array of fields within this Component's workload
-	// that will be overwritten by the value of this parameter. The type of the
-	// parameter (e.g. int, string) is inferred from the type of these fields;
-	// All fields must be of the same type. Fields are specified as JSON field
-	// paths without a leading dot, for example 'spec.replicas'.
-	FieldPaths []string `json:"fieldPaths"`
-
-	// +kubebuilder:default:=false
-	// Required specifies whether or not a value for this parameter must be
-	// supplied when authoring an ApplicationConfiguration.
-	// +optional
-	Required *bool `json:"required,omitempty"`
-
-	// Description of this parameter.
-	// +optional
-	Description *string `json:"description,omitempty"`
-}
-
-// A ComponentSpec defines the desired state of a Component.
-type ComponentSpec struct {
-	// A Workload that will be created for each ApplicationConfiguration that
-	// includes this Component. Workload is an instance of a workloadDefinition.
-	// We either use the GVK info or a special "type" field in the workload to associate
-	// the content of the workload with its workloadDefinition
-	// +kubebuilder:validation:EmbeddedResource
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Workload runtime.RawExtension `json:"workload"`
-
-	// HelmRelease records a Helm release used by a Helm module workload.
-	// +optional
-	Helm *common.Helm `json:"helm,omitempty"`
-
-	// Parameters exposed by this component. ApplicationConfigurations that
-	// reference this component may specify values for these parameters, which
-	// will in turn be injected into the embedded workload.
-	// +optional
-	Parameters []ComponentParameter `json:"parameters,omitempty"`
-}
-
-// A ComponentStatus represents the observed state of a Component.
-type ComponentStatus struct {
-	// The generation observed by the component controller.
-	// +optional
-	ObservedGeneration int64 `json:"observedGeneration"`
-
-	condition.ConditionedStatus `json:",inline"`
-
-	// LatestRevision of component
-	// +optional
-	LatestRevision *common.Revision `json:"latestRevision,omitempty"`
-
-	// One Component should only be used by one AppConfig
-}
-
-// +kubebuilder:object:root=true
-
-// A Component describes how an OAM workload kind may be instantiated.
-// +kubebuilder:resource:categories={oam}
-// +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:JSONPath=".spec.workload.kind",name=WORKLOAD-KIND,type=string
-// +kubebuilder:printcolumn:name="age",type="date",JSONPath=".metadata.creationTimestamp"
-type Component struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ComponentSpec   `json:"spec,omitempty"`
-	Status ComponentStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ComponentList contains a list of Component.
-type ComponentList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Component `json:"items"`
-}
-
-// A ComponentParameterValue specifies a value for a named parameter. The
-// associated component must publish a parameter with this name.
-type ComponentParameterValue struct {
-	// Name of the component parameter to set.
-	Name string `json:"name"`
-
-	// Value to set.
-	Value intstr.IntOrString `json:"value"`
-}
-
-// A ComponentTrait specifies a trait that should be applied to a component.
-type ComponentTrait struct {
-	// A Trait that will be created for the component
-	// +kubebuilder:validation:EmbeddedResource
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Trait runtime.RawExtension `json:"trait"`
-
-	// DataOutputs specify the data output sources from this trait.
-	// +optional
-	DataOutputs []DataOutput `json:"dataOutputs,omitempty"`
-
-	// DataInputs specify the data input sinks into this trait.
-	// +optional
-	DataInputs []DataInput `json:"dataInputs,omitempty"`
-}
-
-// A ComponentScope specifies a scope in which a component should exist.
-type ComponentScope struct {
-	// A ScopeReference must refer to an OAM scope resource.
-	ScopeReference corev1.ObjectReference `json:"scopeRef"`
-}
-
-// An ApplicationConfigurationComponent specifies a component of an
-// ApplicationConfiguration. Each component is used to instantiate a workload.
-type ApplicationConfigurationComponent struct {
-	// ComponentName specifies a component whose latest revision will be bind
-	// with ApplicationConfiguration. When the spec of the referenced component
-	// changes, ApplicationConfiguration will automatically migrate all trait
-	// affect from the prior revision to the new one. This is mutually exclusive
-	// with RevisionName.
-	// +optional
-	ComponentName string `json:"componentName,omitempty"`
-
-	// RevisionName of a specific component revision to which to bind
-	// ApplicationConfiguration. This is mutually exclusive with componentName.
-	// +optional
-	RevisionName string `json:"revisionName,omitempty"`
-
-	// DataOutputs specify the data output sources from this component.
-	DataOutputs []DataOutput `json:"dataOutputs,omitempty"`
-
-	// DataInputs specify the data input sinks into this component.
-	DataInputs []DataInput `json:"dataInputs,omitempty"`
-
-	// ParameterValues specify values for the the specified component's
-	// parameters. Any parameter required by the component must be specified.
-	// +optional
-	ParameterValues []ComponentParameterValue `json:"parameterValues,omitempty"`
-
-	// Traits of the specified component.
-	// +optional
-	Traits []ComponentTrait `json:"traits,omitempty"`
-
-	// Scopes in which the specified component should exist.
-	// +optional
-	Scopes []ComponentScope `json:"scopes,omitempty"`
-}
-
-// An ApplicationConfigurationSpec defines the desired state of a
-// ApplicationConfiguration.
-type ApplicationConfigurationSpec struct {
-	// Components of which this ApplicationConfiguration consists. Each
-	// component will be used to instantiate a workload.
-	Components []ApplicationConfigurationComponent `json:"components"`
-}
-
-// A TraitStatus represents the state of a trait.
-type TraitStatus string
-
-// A WorkloadTrait represents a trait associated with a workload and its status
-type WorkloadTrait struct {
-	// Status is a place holder for a customized controller to fill
-	// if it needs a single place to summarize the status of the trait
-	Status TraitStatus `json:"status,omitempty"`
-
-	// Reference to a trait created by an ApplicationConfiguration.
-	Reference corev1.ObjectReference `json:"traitRef"`
-
-	// Message will allow controller to leave some additional information for this trait
-	Message string `json:"message,omitempty"`
-
-	// AppliedGeneration indicates the generation observed by the appConfig controller.
-	// The same field is also recorded in the annotations of traits.
-	// A trait is possible to be deleted from cluster after created.
-	// This field is useful to track the observed generation of traits after they are
-	// deleted.
-	AppliedGeneration int64 `json:"appliedGeneration,omitempty"`
-
-	// DependencyUnsatisfied notify does the trait has dependency unsatisfied
-	DependencyUnsatisfied bool `json:"dependencyUnsatisfied,omitempty"`
-}
-
-// A ScopeStatus represents the state of a scope.
-type ScopeStatus string
-
-// A WorkloadScope represents a scope associated with a workload and its status
-type WorkloadScope struct {
-	// Status is a place holder for a customized controller to fill
-	// if it needs a single place to summarize the status of the scope
-	Status ScopeStatus `json:"status,omitempty"`
-
-	// Reference to a scope created by an ApplicationConfiguration.
-	Reference corev1.ObjectReference `json:"scopeRef"`
-}
-
-// A WorkloadStatus represents the status of a workload.
-type WorkloadStatus struct {
-	// Status is a place holder for a customized controller to fill
-	// if it needs a single place to summarize the entire status of the workload
-	Status string `json:"status,omitempty"`
-
-	// ComponentName that produced this workload.
-	ComponentName string `json:"componentName,omitempty"`
-
-	// ComponentRevisionName of current component
-	ComponentRevisionName string `json:"componentRevisionName,omitempty"`
-
-	// DependencyUnsatisfied notify does the workload has dependency unsatisfied
-	DependencyUnsatisfied bool `json:"dependencyUnsatisfied,omitempty"`
-
-	// AppliedComponentRevision indicates the applied component revision name of this workload
-	AppliedComponentRevision string `json:"appliedComponentRevision,omitempty"`
-
-	// Reference to a workload created by an ApplicationConfiguration.
-	Reference corev1.ObjectReference `json:"workloadRef,omitempty"`
-
-	// Traits associated with this workload.
-	Traits []WorkloadTrait `json:"traits,omitempty"`
-
-	// Scopes associated with this workload.
-	Scopes []WorkloadScope `json:"scopes,omitempty"`
-}
-
-// HistoryWorkload contain the old component revision that are still running
-type HistoryWorkload struct {
-	// Revision of this workload
-	Revision string `json:"revision,omitempty"`
-
-	// Reference to running workload.
-	Reference corev1.ObjectReference `json:"workloadRef,omitempty"`
-}
-
-// A ApplicationStatus represents the state of the entire application.
-type ApplicationStatus string
-
-// An ApplicationConfigurationStatus represents the observed state of a
-// ApplicationConfiguration.
-type ApplicationConfigurationStatus struct {
-	condition.ConditionedStatus `json:",inline"`
-
-	// Status is a place holder for a customized controller to fill
-	// if it needs a single place to summarize the status of the entire application
-	Status ApplicationStatus `json:"status,omitempty"`
-
-	Dependency DependencyStatus `json:"dependency,omitempty"`
-
-	// RollingStatus indicates what phase are we in the rollout phase
-	RollingStatus types.RollingStatus `json:"rollingStatus,omitempty"`
-
-	// Workloads created by this ApplicationConfiguration.
-	Workloads []WorkloadStatus `json:"workloads,omitempty"`
-
-	// The generation observed by the appConfig controller.
-	// +optional
-	ObservedGeneration int64 `json:"observedGeneration"`
-
-	// HistoryWorkloads will record history but still working revision workloads.
-	HistoryWorkloads []HistoryWorkload `json:"historyWorkloads,omitempty"`
-}
-
-// DependencyStatus represents the observed state of the dependency of
-// an ApplicationConfiguration.
-type DependencyStatus struct {
-	Unsatisfied []UnstaifiedDependency `json:"unsatisfied,omitempty"`
-}
-
-// UnstaifiedDependency describes unsatisfied dependency flow between
-// one pair of objects.
-type UnstaifiedDependency struct {
-	Reason string               `json:"reason"`
-	From   DependencyFromObject `json:"from"`
-	To     DependencyToObject   `json:"to"`
-}
-
-// DependencyFromObject represents the object that dependency data comes from.
-type DependencyFromObject struct {
-	corev1.ObjectReference `json:",inline"`
-	FieldPath              string `json:"fieldPath,omitempty"`
-}
-
-// DependencyToObject represents the object that dependency data goes to.
-type DependencyToObject struct {
-	corev1.ObjectReference `json:",inline"`
-	FieldPaths             []string `json:"fieldPaths,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// An ApplicationConfiguration represents an OAM application.
-// +kubebuilder:resource:shortName=appconfig,categories={oam}
-// +kubebuilder:subresource:status
-type ApplicationConfiguration struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ApplicationConfigurationSpec   `json:"spec,omitempty"`
-	Status ApplicationConfigurationStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ApplicationConfigurationList contains a list of ApplicationConfiguration.
-type ApplicationConfigurationList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ApplicationConfiguration `json:"items"`
-}
-
-// DataOutput specifies a data output source from an object.
-type DataOutput struct {
-	// Name is the unique name of a DataOutput in an ApplicationConfiguration.
-	Name string `json:"name,omitempty"`
-
-	// FieldPath refers to the value of an object's field.
-	FieldPath string `json:"fieldPath,omitempty"`
-
-	// Conditions specify the conditions that should be satisfied before emitting a data output.
-	// Different conditions are AND-ed together.
-	// If no conditions is specified, it is by default to check output value not empty.
-	// +optional
-	Conditions []ConditionRequirement `json:"conditions,omitempty"`
-	// OutputStore specifies the object used to store intermediate data generated by Operations
-	OutputStore StoreReference `json:"outputStore,omitempty"`
-}
-
-// StoreReference specifies the referenced object in DataOutput or DataInput
-type StoreReference struct {
-	corev1.ObjectReference `json:",inline"`
-	// Operations specify the data processing operations
-	Operations []DataOperation `json:"operations,omitempty"`
-}
-
-// DataOperation defines the specific operation for data
-type DataOperation struct {
-	// Type specifies the type of DataOperation
-	Type string `json:"type"`
-	// Operator specifies the operation under this DataOperation type
-	Operator DataOperator `json:"op"`
-	// ToFieldPath refers to the value of an object's field
-	ToFieldPath string `json:"toFieldPath"`
-	// ToDataPath refers to the value of an object's specfied by ToDataPath. For example the ToDataPath "redis" specifies "redis info" in '{"redis":"redis info"}'
-	ToDataPath string `json:"toDataPath,omitempty"`
-	// +optional
-	// Value specifies an expected value
-	// This is mutually exclusive with ValueFrom
-	Value string `json:"value,omitempty"`
-	// +optional
-	// ValueFrom specifies expected value from object such as workload and trait
-	// This is mutually exclusive with Value
-	ValueFrom  ValueFrom              `json:"valueFrom,omitempty"`
-	Conditions []ConditionRequirement `json:"conditions,omitempty"`
-}
-
-// DataOperator defines the type of Operator in DataOperation
-type DataOperator string
-
-const (
-	// AddOperator specifies the add operation for data passing
-	AddOperator DataOperator = "add"
-	// DeleteOperator specifies the delete operation for data passing
-	DeleteOperator DataOperator = "delete"
-	// ReplaceOperator specifies the replace operation for data passing
-	ReplaceOperator DataOperator = "replace"
-)
-
-// DataInput specifies a data input sink to an object.
-// If input is array, it will be appended to the target field paths.
-type DataInput struct {
-	// ValueFrom specifies the value source.
-	ValueFrom DataInputValueFrom `json:"valueFrom,omitempty"`
-
-	// ToFieldPaths specifies the field paths of an object to fill passed value.
-	ToFieldPaths []string `json:"toFieldPaths,omitempty"`
-
-	// StrategyMergeKeys specifies the merge key if the toFieldPaths target is an array.
-	// The StrategyMergeKeys is optional, by default, if the toFieldPaths target is an array, we will append.
-	// If StrategyMergeKeys specified, we will check the key in the target array.
-	// If any key exist, do update; if no key exist, append.
-	StrategyMergeKeys []string `json:"strategyMergeKeys,omitempty"`
-
-	// When the Conditions is satified, ToFieldPaths will be filled with passed value
-	Conditions []ConditionRequirement `json:"conditions,omitempty"`
-
-	// InputStore specifies the object used to read intermediate data genereted by DataOutput
-	InputStore StoreReference `json:"inputStore,omitempty"`
-}
-
-// DataInputValueFrom specifies the value source for a data input.
-type DataInputValueFrom struct {
-	// DataOutputName matches a name of a DataOutput in the same AppConfig.
-	DataOutputName string `json:"dataOutputName"`
-}
-
-// ConditionRequirement specifies the requirement to match a value.
-type ConditionRequirement struct {
-	Operator ConditionOperator `json:"op"`
-
-	// +optional
-	// Value specifies an expected value
-	// This is mutually exclusive with ValueFrom
-	Value string `json:"value,omitempty"`
-	// +optional
-	// ValueFrom specifies expected value from AppConfig
-	// This is mutually exclusive with Value
-	ValueFrom ValueFrom `json:"valueFrom,omitempty"`
-
-	// +optional
-	// FieldPath specifies got value from workload/trait object
-	FieldPath string `json:"fieldPath,omitempty"`
-}
-
-// ValueFrom gets value from AppConfig object by specifying a path
-type ValueFrom struct {
-	FieldPath string `json:"fieldPath"`
-}
-
-// ConditionOperator specifies the operator to match a value.
-type ConditionOperator string
-
-const (
-	// ConditionEqual indicates equal to given value
-	ConditionEqual ConditionOperator = "eq"
-	// ConditionNotEqual indicates not equal to given value
-	ConditionNotEqual ConditionOperator = "notEq"
-	// ConditionNotEmpty indicates given value not empty
-	ConditionNotEmpty ConditionOperator = "notEmpty"
-)
--- a/apis/core.oam.dev/v1alpha2/core_workload_types.go
+++ b/apis/core.oam.dev/v1alpha2/core_workload_types.go
@@ -1,355 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package v1alpha2
-
-package v1alpha2
-
-import (
-	"k8s.io/apimachinery/pkg/api/resource"
-	"k8s.io/apimachinery/pkg/util/intstr"
-)
-
-// An OperatingSystem required by a containerised workload.
-type OperatingSystem string
-
-// Supported operating system types.
-const (
-	OperatingSystemLinux   OperatingSystem = "linux"
-	OperatingSystemWindows OperatingSystem = "windows"
-)
-
-// A CPUArchitecture required by a containerised workload.
-type CPUArchitecture string
-
-// Supported architectures
-const (
-	CPUArchitectureI386  CPUArchitecture = "i386"
-	CPUArchitectureAMD64 CPUArchitecture = "amd64"
-	CPUArchitectureARM   CPUArchitecture = "arm"
-	CPUArchitectureARM64 CPUArchitecture = "arm64"
-)
-
-// A SecretKeySelector is a reference to a secret key in an arbitrary namespace.
-type SecretKeySelector struct {
-	// The name of the secret.
-	Name string `json:"name"`
-
-	// The key to select.
-	Key string `json:"key"`
-}
-
-// TODO(negz): The OAM spec calls for float64 quantities in some cases, but this
-// is incompatible with controller-gen and Kubernetes API conventions. We should
-// reassess whether resource.Quantity is appropriate after resolving
-// https://github.com/oam-dev/spec/issues/313
-
-// CPUResources required by a container.
-type CPUResources struct {
-	// Required CPU count. 1.0 represents one CPU core.
-	Required resource.Quantity `json:"required"`
-}
-
-// MemoryResources required by a container.
-type MemoryResources struct {
-	// Required memory.
-	Required resource.Quantity `json:"required"`
-}
-
-// GPUResources required by a container.
-type GPUResources struct {
-	// Required GPU count.
-	Required resource.Quantity `json:"required"`
-}
-
-// DiskResource required by a container.
-type DiskResource struct {
-	// Required disk space.
-	Required resource.Quantity `json:"required"`
-
-	// Ephemeral specifies whether an external disk needs to be mounted.
-	// +optional
-	Ephemeral *bool `json:"ephemeral,omitempty"`
-}
-
-// A VolumeAccessMode determines how a volume may be accessed.
-type VolumeAccessMode string
-
-// Volume access modes.
-const (
-	VolumeAccessModeRO VolumeAccessMode = "RO"
-	VolumeAccessModeRW VolumeAccessMode = "RW"
-)
-
-// A VolumeSharingPolicy determines how a volume may be shared.
-type VolumeSharingPolicy string
-
-// Volume sharing policies.
-const (
-	VolumeSharingPolicyExclusive VolumeSharingPolicy = "Exclusive"
-	VolumeSharingPolicyShared    VolumeSharingPolicy = "Shared"
-)
-
-// VolumeResource required by a container.
-type VolumeResource struct {
-	// Name of this volume. Must be unique within its container.
-	Name string `json:"name"`
-
-	// MountPath at which this volume will be mounted within its container.
-	MountPath string `json:"mountPath"`
-
-	// TODO(negz): Use +kubebuilder:default marker to default AccessMode to RW
-	// and SharingPolicy to Exclusive once we're generating v1 CRDs.
-
-	// AccessMode of this volume; RO (read only) or RW (read and write).
-	// +optional
-	// +kubebuilder:validation:Enum=RO;RW
-	AccessMode *VolumeAccessMode `json:"accessMode,omitempty"`
-
-	// SharingPolicy of this volume; Exclusive or Shared.
-	// +optional
-	// +kubebuilder:validation:Enum=Exclusive;Shared
-	SharingPolicy *VolumeSharingPolicy `json:"sharingPolicy,omitempty"`
-
-	// Disk requirements of this volume.
-	// +optional
-	Disk *DiskResource `json:"disk,omitempty"`
-}
-
-// ExtendedResource required by a container.
-type ExtendedResource struct {
-	// Name of the external resource. Resource names are specified in
-	// kind.group/version format, e.g. motionsensor.ext.example.com/v1.
-	Name string `json:"name"`
-
-	// Required extended resource(s), e.g. 8 or "very-cool-widget"
-	Required intstr.IntOrString `json:"required"`
-}
-
-// ContainerResources specifies a container's required compute resources.
-type ContainerResources struct {
-	// CPU required by this container.
-	CPU CPUResources `json:"cpu"`
-
-	// Memory required by this container.
-	Memory MemoryResources `json:"memory"`
-
-	// GPU required by this container.
-	// +optional
-	GPU *GPUResources `json:"gpu,omitempty"`
-
-	// Volumes required by this container.
-	// +optional
-	Volumes []VolumeResource `json:"volumes,omitempty"`
-
-	// Extended resources required by this container.
-	// +optional
-	Extended []ExtendedResource `json:"extended,omitempty"`
-}
-
-// A ContainerEnvVar specifies an environment variable that should be set within
-// a container.
-type ContainerEnvVar struct {
-	// Name of the environment variable. Must be composed of valid Unicode
-	// letter and number characters, as well as _ and -.
-	// +kubebuilder:validation:Pattern=^[-_a-zA-Z0-9]+$
-	Name string `json:"name"`
-
-	// Value of the environment variable.
-	// +optional
-	Value *string `json:"value,omitempty"`
-
-	// FromSecret is a secret key reference which can be used to assign a value
-	// to the environment variable.
-	// +optional
-	FromSecret *SecretKeySelector `json:"fromSecret,omitempty"`
-}
-
-// A ContainerConfigFile specifies a configuration file that should be written
-// within a container.
-type ContainerConfigFile struct {
-	// Path within the container at which the configuration file should be
-	// written.
-	Path string `json:"path"`
-
-	// Value that should be written to the configuration file.
-	// +optional
-	Value *string `json:"value,omitempty"`
-
-	// FromSecret is a secret key reference which can be used to assign a value
-	// to be written to the configuration file at the given path in the
-	// container.
-	// +optional
-	FromSecret *SecretKeySelector `json:"fromSecret,omitempty"`
-}
-
-// A TransportProtocol represents a transport layer protocol.
-type TransportProtocol string
-
-// Transport protocols.
-const (
-	TransportProtocolTCP TransportProtocol = "TCP"
-	TransportProtocolUDP TransportProtocol = "UDP"
-)
-
-// A ContainerPort specifies a port that is exposed by a container.
-type ContainerPort struct {
-	// Name of this port. Must be unique within its container. Must be lowercase
-	// alphabetical characters.
-	// +kubebuilder:validation:Pattern=^[a-z]+$
-	Name string `json:"name"`
-
-	// Port number. Must be unique within its container.
-	Port int32 `json:"containerPort"`
-
-	// TODO(negz): Use +kubebuilder:default marker to default Protocol to TCP
-	// once we're generating v1 CRDs.
-
-	// Protocol used by the server listening on this port.
-	// +kubebuilder:validation:Enum=TCP;UDP
-	// +optional
-	Protocol *TransportProtocol `json:"protocol,omitempty"`
-}
-
-// An ExecProbe probes a container's health by executing a command.
-type ExecProbe struct {
-	// Command to be run by this probe.
-	Command []string `json:"command"`
-}
-
-// A HTTPHeader to be passed when probing a container.
-type HTTPHeader struct {
-	// Name of this HTTP header. Must be unique per probe.
-	Name string `json:"name"`
-
-	// Value of this HTTP header.
-	Value string `json:"value"`
-}
-
-// A HTTPGetProbe probes a container's health by sending an HTTP GET request.
-type HTTPGetProbe struct {
-	// Path to probe, e.g. '/healthz'.
-	Path string `json:"path"`
-
-	// Port to probe.
-	Port int32 `json:"port"`
-
-	// HTTPHeaders to send with the GET request.
-	// +optional
-	HTTPHeaders []HTTPHeader `json:"httpHeaders,omitempty"`
-}
-
-// A TCPSocketProbe probes a container's health by connecting to a TCP socket.
-type TCPSocketProbe struct {
-	// Port this probe should connect to.
-	Port int32 `json:"port"`
-}
-
-// A ContainerHealthProbe specifies how to probe the health of a container.
-// Exactly one of Exec, HTTPGet, or TCPSocket must be specified.
-type ContainerHealthProbe struct {
-	// Exec probes a container's health by executing a command.
-	// +optional
-	Exec *ExecProbe `json:"exec,omitempty"`
-
-	// HTTPGet probes a container's health by sending an HTTP GET request.
-	// +optional
-	HTTPGet *HTTPGetProbe `json:"httpGet,omitempty"`
-
-	// TCPSocketProbe probes a container's health by connecting to a TCP socket.
-	// +optional
-	TCPSocket *TCPSocketProbe `json:"tcpSocket,omitempty"`
-
-	// InitialDelaySeconds after a container starts before the first probe.
-	// +optional
-	InitialDelaySeconds *int32 `json:"initialDelaySeconds,omitempty"`
-
-	// TODO(negz): Use +kubebuilder:default marker to default PeriodSeconds,
-	// TimeoutSeconds, SuccessThreshold, and FailureThreshold to 10, 1, 1, and 3
-	// respectively once we're generating v1 CRDs.
-
-	// PeriodSeconds between probes.
-	// +optional
-	PeriodSeconds *int32 `json:"periodSeconds,omitempty"`
-
-	// TimeoutSeconds after which the probe times out.
-	// +optional
-	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
-
-	// SuccessThreshold specifies how many consecutive probes must success in
-	// order for the container to be considered healthy.
-	// +optional
-	SuccessThreshold *int32 `json:"successThreshold,omitempty"`
-
-	// FailureThreshold specifies how many consecutive probes must fail in order
-	// for the container to be considered healthy.
-	// +optional
-	FailureThreshold *int32 `json:"failureThreshold,omitempty"`
-}
-
-// A Container represents an Open Containers Initiative (OCI) container.
-type Container struct {
-	// Name of this container. Must be unique within its workload.
-	Name string `json:"name"`
-
-	// Image this container should run. Must be a path-like or URI-like
-	// representation of an OCI image. May be prefixed with a registry address
-	// and should be suffixed with a tag.
-	Image string `json:"image"`
-
-	// Resources required by this container
-	// +optional
-	Resources *ContainerResources `json:"resources,omitempty"`
-
-	// Command to be run by this container.
-	// +optional
-	Command []string `json:"command,omitempty"`
-
-	// Arguments to be passed to the command run by this container.
-	// +optional
-	Arguments []string `json:"args,omitempty"`
-
-	// Environment variables that should be set within this container.
-	// +optional
-	Environment []ContainerEnvVar `json:"env,omitempty"`
-
-	// ConfigFiles that should be written within this container.
-	// +optional
-	ConfigFiles []ContainerConfigFile `json:"config,omitempty"`
-
-	// Ports exposed by this container.
-	// +optional
-	Ports []ContainerPort `json:"ports,omitempty"`
-
-	// A LivenessProbe assesses whether this container is alive. Containers that
-	// fail liveness probes will be restarted.
-	// +optional
-	LivenessProbe *ContainerHealthProbe `json:"livenessProbe,omitempty"`
-
-	// A ReadinessProbe assesses whether this container is ready to serve
-	// requests. Containers that fail readiness probes will be withdrawn from
-	// service.
-	// +optional
-	ReadinessProbe *ContainerHealthProbe `json:"readinessProbe,omitempty"`
-
-	// TODO(negz): Ideally the key within this secret would be configurable, but
-	// the current OAM spec allows only a secret name.
-
-	// ImagePullSecret specifies the name of a Secret from which the
-	// credentials required to pull this container's image can be loaded.
-	// +optional
-	ImagePullSecret *string `json:"imagePullSecret,omitempty"`
-}
--- a/apis/core.oam.dev/v1alpha2/doc.go
+++ b/apis/core.oam.dev/v1alpha2/doc.go
@@ -1,22 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package v1alpha2 contains resources relating to the Open Application Model.
-// See https://github.com/oam-dev/spec for more details.
-// +kubebuilder:object:generate=true
-// +groupName=core.oam.dev
-// +versionName=v1alpha2
-package v1alpha2
--- a/apis/core.oam.dev/v1alpha2/methods.go
+++ b/apis/core.oam.dev/v1alpha2/methods.go
@@ -1,65 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// This code is manually implemented, but should be generated in the future.
-
-package v1alpha2
-
-import (
-	corev1 "k8s.io/api/core/v1"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
-)
-
-// GetCondition of this ApplicationConfiguration.
-func (ac *ApplicationConfiguration) GetCondition(ct condition.ConditionType) condition.Condition {
-	return ac.Status.GetCondition(ct)
-}
-
-// SetConditions of this ApplicationConfiguration.
-func (ac *ApplicationConfiguration) SetConditions(c ...condition.Condition) {
-	ac.Status.SetConditions(c...)
-}
-
-// GetCondition of this Component.
-func (cm *Component) GetCondition(ct condition.ConditionType) condition.Condition {
-	return cm.Status.GetCondition(ct)
-}
-
-// SetConditions of this Component.
-func (cm *Component) SetConditions(c ...condition.Condition) {
-	cm.Status.SetConditions(c...)
-}
-
-// GetCondition of this HealthScope.
-func (hs *HealthScope) GetCondition(ct condition.ConditionType) condition.Condition {
-	return hs.Status.GetCondition(ct)
-}
-
-// SetConditions of this HealthScope.
-func (hs *HealthScope) SetConditions(c ...condition.Condition) {
-	hs.Status.SetConditions(c...)
-}
-
-// GetWorkloadReferences to get all workload references for scope.
-func (hs *HealthScope) GetWorkloadReferences() []corev1.ObjectReference {
-	return hs.Spec.WorkloadReferences
-}
-
-// AddWorkloadReference to add a workload reference to this scope.
-func (hs *HealthScope) AddWorkloadReference(r corev1.ObjectReference) {
-	hs.Spec.WorkloadReferences = append(hs.Spec.WorkloadReferences, r)
-}
--- a/apis/core.oam.dev/v1alpha2/register.go
+++ b/apis/core.oam.dev/v1alpha2/register.go
@@ -1,124 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
-	"reflect"
-
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"sigs.k8s.io/controller-runtime/pkg/scheme"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-)
-
-// Package type metadata.
-const (
-	Group   = common.Group
-	Version = "v1alpha2"
-)
-
-var (
-	// SchemeGroupVersion is group version used to register these objects
-	SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
-
-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
-	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
-)
-
-// ComponentDefinition type metadata.
-var (
-	ComponentDefinitionKind             = reflect.TypeOf(ComponentDefinition{}).Name()
-	ComponentDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: ComponentDefinitionKind}.String()
-	ComponentDefinitionKindAPIVersion   = ComponentDefinitionKind + "." + SchemeGroupVersion.String()
-	ComponentDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(ComponentDefinitionKind)
-)
-
-// WorkloadDefinition type metadata.
-var (
-	WorkloadDefinitionKind             = reflect.TypeOf(WorkloadDefinition{}).Name()
-	WorkloadDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: WorkloadDefinitionKind}.String()
-	WorkloadDefinitionKindAPIVersion   = WorkloadDefinitionKind + "." + SchemeGroupVersion.String()
-	WorkloadDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(WorkloadDefinitionKind)
-)
-
-// TraitDefinition type metadata.
-var (
-	TraitDefinitionKind             = reflect.TypeOf(TraitDefinition{}).Name()
-	TraitDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: TraitDefinitionKind}.String()
-	TraitDefinitionKindAPIVersion   = TraitDefinitionKind + "." + SchemeGroupVersion.String()
-	TraitDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(TraitDefinitionKind)
-)
-
-// ScopeDefinition type metadata.
-var (
-	ScopeDefinitionKind             = reflect.TypeOf(ScopeDefinition{}).Name()
-	ScopeDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: ScopeDefinitionKind}.String()
-	ScopeDefinitionKindAPIVersion   = ScopeDefinitionKind + "." + SchemeGroupVersion.String()
-	ScopeDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(ScopeDefinitionKind)
-)
-
-// Component type metadata.
-var (
-	ComponentKind             = reflect.TypeOf(Component{}).Name()
-	ComponentGroupKind        = schema.GroupKind{Group: Group, Kind: ComponentKind}.String()
-	ComponentKindAPIVersion   = ComponentKind + "." + SchemeGroupVersion.String()
-	ComponentGroupVersionKind = SchemeGroupVersion.WithKind(ComponentKind)
-)
-
-// ApplicationConfiguration type metadata.
-var (
-	ApplicationConfigurationKind             = reflect.TypeOf(ApplicationConfiguration{}).Name()
-	ApplicationConfigurationGroupKind        = schema.GroupKind{Group: Group, Kind: ApplicationConfigurationKind}.String()
-	ApplicationConfigurationKindAPIVersion   = ApplicationConfigurationKind + "." + SchemeGroupVersion.String()
-	ApplicationConfigurationGroupVersionKind = SchemeGroupVersion.WithKind(ApplicationConfigurationKind)
-)
-
-// HealthScope type metadata.
-var (
-	HealthScopeKind             = reflect.TypeOf(HealthScope{}).Name()
-	HealthScopeGroupKind        = schema.GroupKind{Group: Group, Kind: HealthScopeKind}.String()
-	HealthScopeKindAPIVersion   = HealthScopeKind + "." + SchemeGroupVersion.String()
-	HealthScopeGroupVersionKind = SchemeGroupVersion.WithKind(HealthScopeKind)
-)
-
-// Application type metadata.
-var (
-	ApplicationKind            = reflect.TypeOf(Application{}).Name()
-	ApplicationGroupKind       = schema.GroupKind{Group: Group, Kind: ApplicationKind}.String()
-	ApplicationKindAPIVersion  = ApplicationKind + "." + SchemeGroupVersion.String()
-	ApplicationKindVersionKind = SchemeGroupVersion.WithKind(ApplicationKind)
-)
-
-// ApplicationRevision type metadata
-var (
-	ApplicationRevisionKind             = reflect.TypeOf(ApplicationRevision{}).Name()
-	ApplicationRevisionGroupKind        = schema.GroupKind{Group: Group, Kind: ApplicationRevisionKind}.String()
-	ApplicationRevisionKindAPIVersion   = ApplicationRevisionKind + "." + SchemeGroupVersion.String()
-	ApplicationRevisionGroupVersionKind = SchemeGroupVersion.WithKind(ApplicationRevisionKind)
-)
-
-func init() {
-	SchemeBuilder.Register(&ComponentDefinition{}, &ComponentDefinitionList{})
-	SchemeBuilder.Register(&WorkloadDefinition{}, &WorkloadDefinitionList{})
-	SchemeBuilder.Register(&TraitDefinition{}, &TraitDefinitionList{})
-	SchemeBuilder.Register(&ScopeDefinition{}, &ScopeDefinitionList{})
-	SchemeBuilder.Register(&Component{}, &ComponentList{})
-	SchemeBuilder.Register(&ApplicationConfiguration{}, &ApplicationConfigurationList{})
-	SchemeBuilder.Register(&HealthScope{}, &HealthScopeList{})
-	SchemeBuilder.Register(&Application{}, &ApplicationList{})
-	SchemeBuilder.Register(&ApplicationRevision{}, &ApplicationRevisionList{})
-}
--- a/apis/core.oam.dev/v1alpha2/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1alpha2/zz_generated.deepcopy.go
--- a/apis/core.oam.dev/v1beta1/application_types.go
+++ b/apis/core.oam.dev/v1beta1/application_types.go
@@ -23,29 +23,18 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"

-	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"
+	wfTypesv1alpha1 "github.com/kubevela/pkg/apis/oam/v1alpha1"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
 )

-const (
-	// TypeHealthy application are believed to be determined as healthy by a health scope.
-	TypeHealthy condition.ConditionType = "Healthy"
-)
-
-// Reasons an application is or is not healthy
-const (
-	ReasonHealthy        condition.ConditionReason = "AllComponentsHealthy"
-	ReasonUnhealthy      condition.ConditionReason = "UnhealthyOrUnknownComponents"
-	ReasonHealthCheckErr condition.ConditionReason = "HealthCheckeError"
-)
-
 // AppPolicy defines a global policy for all components in the app.
 type AppPolicy struct {
 	// Name is the unique name of the policy.
-	Name string `json:"name"`
-
+	// +optional
+	Name string `json:"name,omitempty"`
+	// Type is the type of the policy
 	Type string `json:"type"`
 	// +kubebuilder:pruning:PreserveUnknownFields
 	Properties *runtime.RawExtension `json:"properties,omitempty"`
@@ -53,9 +42,9 @@ type AppPolicy struct {

 // Workflow defines workflow steps and other attributes
 type Workflow struct {
-	Ref   string                                `json:"ref,omitempty"`
-	Mode  *workflowv1alpha1.WorkflowExecuteMode `json:"mode,omitempty"`
-	Steps []workflowv1alpha1.WorkflowStep       `json:"steps,omitempty"`
+	Ref   string                               `json:"ref,omitempty"`
+	Mode  *wfTypesv1alpha1.WorkflowExecuteMode `json:"mode,omitempty"`
+	Steps []wfTypesv1alpha1.WorkflowStep       `json:"steps,omitempty"`
 }

 // ApplicationSpec is the spec of Application
@@ -73,8 +62,6 @@ type ApplicationSpec struct {
 	// - will have a context in annotation.
 	// - should mark "finish" phase in status.conditions.
 	Workflow *Workflow `json:"workflow,omitempty"`
-
-	// TODO(wonderflow): we should have application level scopes supported here
 }

 // +kubebuilder:object:root=true
--- a/apis/core.oam.dev/v1beta1/applicationrevision_types.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types.go
@@ -17,9 +17,11 @@
 package v1beta1

 import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"encoding/json"

-	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"
+	wfTypesv1alpha1 "github.com/kubevela/pkg/apis/oam/v1alpha1"
+	"github.com/kubevela/pkg/util/compression"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/v1alpha1"
@@ -29,47 +31,106 @@ import (

 // ApplicationRevisionSpec is the spec of ApplicationRevision
 type ApplicationRevisionSpec struct {
+	// ApplicationRevisionCompressibleFields represents all the fields that can be compressed.
+	ApplicationRevisionCompressibleFields `json:",inline"`
+
+	// Compression represents the compressed components in apprev in base64 (if compression is enabled).
+	Compression ApplicationRevisionCompression `json:"compression,omitempty"`
+}
+
+// ApplicationRevisionCompressibleFields represents all the fields that can be compressed.
+// So we can better organize them and compress only the compressible fields.
+type ApplicationRevisionCompressibleFields struct {
 	// Application records the snapshot of the created/modified Application
 	Application Application `json:"application"`

 	// ComponentDefinitions records the snapshot of the componentDefinitions related with the created/modified Application
-	ComponentDefinitions map[string]ComponentDefinition `json:"componentDefinitions,omitempty"`
+	ComponentDefinitions map[string]*ComponentDefinition `json:"componentDefinitions,omitempty"`

 	// WorkloadDefinitions records the snapshot of the workloadDefinitions related with the created/modified Application
 	WorkloadDefinitions map[string]WorkloadDefinition `json:"workloadDefinitions,omitempty"`

 	// TraitDefinitions records the snapshot of the traitDefinitions related with the created/modified Application
-	TraitDefinitions map[string]TraitDefinition `json:"traitDefinitions,omitempty"`
-
-	// ScopeDefinitions records the snapshot of the scopeDefinitions related with the created/modified Application
-	ScopeDefinitions map[string]ScopeDefinition `json:"scopeDefinitions,omitempty"`
+	TraitDefinitions map[string]*TraitDefinition `json:"traitDefinitions,omitempty"`

 	// PolicyDefinitions records the snapshot of the PolicyDefinitions related with the created/modified Application
 	PolicyDefinitions map[string]PolicyDefinition `json:"policyDefinitions,omitempty"`

 	// WorkflowStepDefinitions records the snapshot of the WorkflowStepDefinitions related with the created/modified Application
-	WorkflowStepDefinitions map[string]WorkflowStepDefinition `json:"workflowStepDefinitions,omitempty"`
-
-	// ScopeGVK records the apiVersion to GVK mapping
-	ScopeGVK map[string]metav1.GroupVersionKind `json:"scopeGVK,omitempty"`
+	WorkflowStepDefinitions map[string]*WorkflowStepDefinition `json:"workflowStepDefinitions,omitempty"`

 	// Policies records the external policies
 	Policies map[string]v1alpha1.Policy `json:"policies,omitempty"`

 	// Workflow records the external workflow
-	Workflow *workflowv1alpha1.Workflow `json:"workflow,omitempty"`
+	Workflow *wfTypesv1alpha1.Workflow `json:"workflow,omitempty"`

 	// ReferredObjects records the referred objects used in the ref-object typed components
 	// +kubebuilder:pruning:PreserveUnknownFields
 	ReferredObjects []common.ReferredObject `json:"referredObjects,omitempty"`
 }

+// ApplicationRevisionCompression represents the compressed components in apprev in base64.
+type ApplicationRevisionCompression struct {
+	compression.CompressedText `json:",inline"`
+}
+
+// MarshalJSON serves the same purpose as the one in ResourceTrackerSpec.
+func (apprev *ApplicationRevisionSpec) MarshalJSON() ([]byte, error) {
+	type Alias ApplicationRevisionSpec
+	tmp := &struct {
+		*Alias
+	}{}
+
+	if apprev.Compression.Type == compression.Uncompressed {
+		tmp.Alias = (*Alias)(apprev)
+	} else {
+		cpy := apprev.DeepCopy()
+		err := cpy.Compression.EncodeFrom(cpy.ApplicationRevisionCompressibleFields)
+		cpy.ApplicationRevisionCompressibleFields = ApplicationRevisionCompressibleFields{
+			// Application needs to have components.
+			Application: Application{Spec: ApplicationSpec{Components: []common.ApplicationComponent{}}},
+		}
+		if err != nil {
+			return nil, err
+		}
+		tmp.Alias = (*Alias)(cpy)
+	}
+
+	return json.Marshal(tmp.Alias)
+}
+
+// UnmarshalJSON serves the same purpose as the one in ResourceTrackerSpec.
+func (apprev *ApplicationRevisionSpec) UnmarshalJSON(data []byte) error {
+	type Alias ApplicationRevisionSpec
+	tmp := &struct {
+		*Alias
+	}{}
+
+	if err := json.Unmarshal(data, tmp); err != nil {
+		return err
+	}
+
+	if tmp.Compression.Type != compression.Uncompressed {
+		err := tmp.Compression.DecodeTo(&tmp.ApplicationRevisionCompressibleFields)
+		if err != nil {
+			return err
+		}
+		tmp.Compression.Clean()
+	}
+
+	(*ApplicationRevisionSpec)(tmp.Alias).DeepCopyInto(apprev)
+	return nil
+}
+
 // ApplicationRevisionStatus is the status of ApplicationRevision
 type ApplicationRevisionStatus struct {
 	// Succeeded records if the workflow finished running with success
 	Succeeded bool `json:"succeeded"`
 	// Workflow the running status of the workflow
 	Workflow *common.WorkflowStatus `json:"workflow,omitempty"`
+	// Record the context values to the revision.
+	WorkflowContext map[string]string `json:"workflowContext,omitempty"`
 }

 // +kubebuilder:object:root=true
--- a/apis/core.oam.dev/v1beta1/applicationrevision_types_test.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types_test.go
@@ -0,0 +1,84 @@
+/*
+Copyright 2021 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"github.com/kubevela/pkg/util/compression"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
+)
+
+func TestApplicationRevisionCompression(t *testing.T) {
+	// Fill data
+	spec := &ApplicationRevisionSpec{}
+	spec.Application = Application{Spec: ApplicationSpec{Components: []common.ApplicationComponent{{Name: "test-name"}}}}
+	spec.ComponentDefinitions = make(map[string]*ComponentDefinition)
+	spec.ComponentDefinitions["def"] = &ComponentDefinition{Spec: ComponentDefinitionSpec{PodSpecPath: "path"}}
+	spec.WorkloadDefinitions = make(map[string]WorkloadDefinition)
+	spec.WorkloadDefinitions["def"] = WorkloadDefinition{Spec: WorkloadDefinitionSpec{Reference: common.DefinitionReference{Name: "testdef"}}}
+	spec.TraitDefinitions = make(map[string]*TraitDefinition)
+	spec.TraitDefinitions["def"] = &TraitDefinition{Spec: TraitDefinitionSpec{ControlPlaneOnly: true}}
+	spec.PolicyDefinitions = make(map[string]PolicyDefinition)
+	spec.PolicyDefinitions["def"] = PolicyDefinition{Spec: PolicyDefinitionSpec{ManageHealthCheck: true}}
+	spec.WorkflowStepDefinitions = make(map[string]*WorkflowStepDefinition)
+	spec.WorkflowStepDefinitions["def"] = &WorkflowStepDefinition{Spec: WorkflowStepDefinitionSpec{Reference: common.DefinitionReference{Name: "testname"}}}
+	spec.ReferredObjects = []common.ReferredObject{{RawExtension: runtime.RawExtension{Raw: []byte("123")}}}
+
+	testAppRev := &ApplicationRevision{Spec: *spec}
+
+	marshalAndUnmarshal := func(in *ApplicationRevision) (*ApplicationRevision, int) {
+		out := &ApplicationRevision{}
+		b, err := json.Marshal(in)
+		assert.NoError(t, err)
+		if in.Spec.Compression.Type != compression.Uncompressed {
+			assert.Contains(t, string(b), fmt.Sprintf("\"type\":\"%s\",\"data\":\"", in.Spec.Compression.Type))
+		}
+		err = json.Unmarshal(b, out)
+		assert.NoError(t, err)
+		assert.Equal(t, out.Spec.Compression.Type, in.Spec.Compression.Type)
+		assert.Equal(t, out.Spec.Compression.Data, "")
+		return out, len(b)
+	}
+
+	// uncompressed
+	testAppRev.Spec.Compression.SetType(compression.Uncompressed)
+	uncomp, uncompsize := marshalAndUnmarshal(testAppRev)
+
+	// zstd compressed
+	testAppRev.Spec.Compression.SetType(compression.Zstd)
+	zstdcomp, zstdsize := marshalAndUnmarshal(testAppRev)
+	// We will compare content later. Clear compression methods since it will interfere
+	// comparison and is verified earlier.
+	zstdcomp.Spec.Compression.SetType(compression.Uncompressed)
+
+	// gzip compressed
+	testAppRev.Spec.Compression.SetType(compression.Gzip)
+	gzipcomp, gzipsize := marshalAndUnmarshal(testAppRev)
+	gzipcomp.Spec.Compression.SetType(compression.Uncompressed)
+
+	assert.Equal(t, uncomp, zstdcomp)
+	assert.Equal(t, zstdcomp, gzipcomp)
+
+	assert.Less(t, zstdsize, uncompsize)
+	assert.Less(t, gzipsize, uncompsize)
+}
--- a/apis/core.oam.dev/v1beta1/componentdefinition_types.go
+++ b/apis/core.oam.dev/v1beta1/componentdefinition_types.go
@@ -27,6 +27,9 @@ import (

 // ComponentDefinitionSpec defines the desired state of ComponentDefinition
 type ComponentDefinitionSpec struct {
+	// +optional
+	Version string `json:"version,omitempty"`
+
 	// Workload is a workload type descriptor
 	Workload common.WorkloadTypeDescriptor `json:"workload"`

--- a/apis/core.oam.dev/v1beta1/core_types.go
+++ b/apis/core.oam.dev/v1beta1/core_types.go
@@ -164,6 +164,9 @@ type TraitDefinitionSpec struct {
 	// pre-process and post-process respectively.
 	// +optional
 	Stage StageType `json:"stage,omitempty"`
+
+	// +optional
+	Version string `json:"version,omitempty"`
 }

 // StageType describes how the manifests should be dispatched.
@@ -232,49 +235,3 @@ type TraitDefinitionList struct {
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []TraitDefinition `json:"items"`
 }
-
-// A ScopeDefinitionSpec defines the desired state of a ScopeDefinition.
-type ScopeDefinitionSpec struct {
-	// Reference to the CustomResourceDefinition that defines this scope kind.
-	Reference common.DefinitionReference `json:"definitionRef"`
-
-	// WorkloadRefsPath indicates if/where a scope accepts workloadRef objects
-	WorkloadRefsPath string `json:"workloadRefsPath,omitempty"`
-
-	// AllowComponentOverlap specifies whether an OAM component may exist in
-	// multiple instances of this kind of scope.
-	AllowComponentOverlap bool `json:"allowComponentOverlap"`
-
-	// Extension is used for extension needs by OAM platform builders
-	// +optional
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Extension *runtime.RawExtension `json:"extension,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// A ScopeDefinition registers a kind of Kubernetes custom resource as a valid
-// OAM scope kind by referencing its CustomResourceDefinition. The CRD is used
-// to validate the schema of the scope when it is embedded in an OAM
-// ApplicationConfiguration.
-// +kubebuilder:printcolumn:JSONPath=".spec.definitionRef.name",name=DEFINITION-NAME,type=string
-// +kubebuilder:resource:scope=Namespaced,categories={oam},shortName=scope
-// +kubebuilder:storageversion
-// +genclient
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type ScopeDefinition struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec ScopeDefinitionSpec `json:"spec,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// ScopeDefinitionList contains a list of ScopeDefinition.
-type ScopeDefinitionList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ScopeDefinition `json:"items"`
-}
--- a/apis/core.oam.dev/v1beta1/policy_definition.go
+++ b/apis/core.oam.dev/v1beta1/policy_definition.go
@@ -37,6 +37,9 @@ type PolicyDefinitionSpec struct {
 	// ManageHealthCheck means the policy will handle health checking and skip application controller
 	// built-in health checking.
 	ManageHealthCheck bool `json:"manageHealthCheck,omitempty"`
+
+	//+optional
+	Version string `json:"version,omitempty"`
 }

 // PolicyDefinitionStatus is the status of PolicyDefinition
--- a/apis/core.oam.dev/v1beta1/register.go
+++ b/apis/core.oam.dev/v1beta1/register.go
@@ -20,6 +20,7 @@ import (
 	"reflect"

 	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8sscheme "k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/scheme"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
@@ -48,6 +49,7 @@ var (
 	ComponentDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: ComponentDefinitionKind}.String()
 	ComponentDefinitionKindAPIVersion   = ComponentDefinitionKind + "." + SchemeGroupVersion.String()
 	ComponentDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(ComponentDefinitionKind)
+	ComponentDefinitionGVR              = SchemeGroupVersion.WithResource("componentdefinitions")
 )

 // WorkloadDefinition type metadata.
@@ -64,6 +66,7 @@ var (
 	TraitDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: TraitDefinitionKind}.String()
 	TraitDefinitionKindAPIVersion   = TraitDefinitionKind + "." + SchemeGroupVersion.String()
 	TraitDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(TraitDefinitionKind)
+	TraitDefinitionGVR              = SchemeGroupVersion.WithResource("traitdefinitions")
 )

 // PolicyDefinition type metadata.
@@ -72,6 +75,7 @@ var (
 	PolicyDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: PolicyDefinitionKind}.String()
 	PolicyDefinitionKindAPIVersion   = PolicyDefinitionKind + "." + SchemeGroupVersion.String()
 	PolicyDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(PolicyDefinitionKind)
+	PolicyDefinitionGVR              = SchemeGroupVersion.WithResource("policydefinitions")
 )

 // WorkflowStepDefinition type metadata.
@@ -80,6 +84,7 @@ var (
 	WorkflowStepDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: WorkflowStepDefinitionKind}.String()
 	WorkflowStepDefinitionKindAPIVersion   = WorkflowStepDefinitionKind + "." + SchemeGroupVersion.String()
 	WorkflowStepDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(WorkflowStepDefinitionKind)
+	WorkflowStepDefinitionGVR              = SchemeGroupVersion.WithResource("workflowstepdefinitions")
 )

 // DefinitionRevision type metadata.
@@ -106,14 +111,6 @@ var (
 	ApplicationRevisionGroupVersionKind = SchemeGroupVersion.WithKind(ApplicationRevisionKind)
 )

-// ScopeDefinition type metadata.
-var (
-	ScopeDefinitionKind             = reflect.TypeOf(ScopeDefinition{}).Name()
-	ScopeDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: ScopeDefinitionKind}.String()
-	ScopeDefinitionKindAPIVersion   = ScopeDefinitionKind + "." + SchemeGroupVersion.String()
-	ScopeDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(ScopeDefinitionKind)
-)
-
 // ResourceTracker type metadata.
 var (
 	ResourceTrackerKind            = reflect.TypeOf(ResourceTracker{}).Name()
@@ -122,6 +119,20 @@ var (
 	ResourceTrackerKindVersionKind = SchemeGroupVersion.WithKind(ResourceTrackerKind)
 )

+// DefinitionTypeInfo contains the mapping information for a definition type
+type DefinitionTypeInfo struct {
+	GVR  schema.GroupVersionResource
+	Kind string
+}
+
+// DefinitionTypeMap maps definition types to their corresponding GVR and Kind
+var DefinitionTypeMap = map[reflect.Type]DefinitionTypeInfo{
+	reflect.TypeOf(ComponentDefinition{}):    {GVR: ComponentDefinitionGVR, Kind: ComponentDefinitionKind},
+	reflect.TypeOf(TraitDefinition{}):        {GVR: TraitDefinitionGVR, Kind: TraitDefinitionKind},
+	reflect.TypeOf(PolicyDefinition{}):       {GVR: PolicyDefinitionGVR, Kind: PolicyDefinitionKind},
+	reflect.TypeOf(WorkflowStepDefinition{}): {GVR: WorkflowStepDefinitionGVR, Kind: WorkflowStepDefinitionKind},
+}
+
 func init() {
 	SchemeBuilder.Register(&ComponentDefinition{}, &ComponentDefinitionList{})
 	SchemeBuilder.Register(&WorkloadDefinition{}, &WorkloadDefinitionList{})
@@ -129,10 +140,10 @@ func init() {
 	SchemeBuilder.Register(&PolicyDefinition{}, &PolicyDefinitionList{})
 	SchemeBuilder.Register(&WorkflowStepDefinition{}, &WorkflowStepDefinitionList{})
 	SchemeBuilder.Register(&DefinitionRevision{}, &DefinitionRevisionList{})
-	SchemeBuilder.Register(&ScopeDefinition{}, &ScopeDefinitionList{})
 	SchemeBuilder.Register(&Application{}, &ApplicationList{})
 	SchemeBuilder.Register(&ApplicationRevision{}, &ApplicationRevisionList{})
 	SchemeBuilder.Register(&ResourceTracker{}, &ResourceTrackerList{})
+	_ = SchemeBuilder.AddToScheme(k8sscheme.Scheme)
 }

 // Resource takes an unqualified resource and returns a Group qualified GroupResource
--- a/apis/core.oam.dev/v1beta1/register_test.go
+++ b/apis/core.oam.dev/v1beta1/register_test.go
@@ -0,0 +1,117 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func TestDefinitionTypeMap(t *testing.T) {
+	tests := []struct {
+		name         string
+		defType      reflect.Type
+		expectedGVR  schema.GroupVersionResource
+		expectedKind string
+	}{
+		{
+			name:         "ComponentDefinition",
+			defType:      reflect.TypeOf(ComponentDefinition{}),
+			expectedGVR:  ComponentDefinitionGVR,
+			expectedKind: ComponentDefinitionKind,
+		},
+		{
+			name:         "TraitDefinition",
+			defType:      reflect.TypeOf(TraitDefinition{}),
+			expectedGVR:  TraitDefinitionGVR,
+			expectedKind: TraitDefinitionKind,
+		},
+		{
+			name:         "PolicyDefinition",
+			defType:      reflect.TypeOf(PolicyDefinition{}),
+			expectedGVR:  PolicyDefinitionGVR,
+			expectedKind: PolicyDefinitionKind,
+		},
+		{
+			name:         "WorkflowStepDefinition",
+			defType:      reflect.TypeOf(WorkflowStepDefinition{}),
+			expectedGVR:  WorkflowStepDefinitionGVR,
+			expectedKind: WorkflowStepDefinitionKind,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			info, ok := DefinitionTypeMap[tt.defType]
+			assert.Truef(t, ok, "Type %v should exist in DefinitionTypeMap", tt.defType)
+			assert.Equal(t, tt.expectedGVR, info.GVR)
+			assert.Equal(t, tt.expectedKind, info.Kind)
+
+			// Verify GVR follows Kubernetes conventions
+			assert.Equal(t, Group, info.GVR.Group)
+			assert.Equal(t, Version, info.GVR.Version)
+			// Resource should be lowercase plural of Kind
+			assert.Equal(t, strings.ToLower(info.Kind)+"s", info.GVR.Resource)
+		})
+	}
+}
+
+func TestDefinitionTypeMapCompleteness(t *testing.T) {
+	// Ensure all expected definition types are in the map
+	expectedTypes := []reflect.Type{
+		reflect.TypeOf(ComponentDefinition{}),
+		reflect.TypeOf(TraitDefinition{}),
+		reflect.TypeOf(PolicyDefinition{}),
+		reflect.TypeOf(WorkflowStepDefinition{}),
+	}
+
+	assert.Equal(t, len(expectedTypes), len(DefinitionTypeMap), "DefinitionTypeMap should contain exactly %d entries", len(expectedTypes))
+
+	for _, expectedType := range expectedTypes {
+		_, ok := DefinitionTypeMap[expectedType]
+		assert.Truef(t, ok, "DefinitionTypeMap should contain %v", expectedType)
+	}
+}
+
+func TestDefinitionKindValues(t *testing.T) {
+	// Verify that the Kind values match the actual type names
+	tests := []struct {
+		defType      interface{}
+		expectedKind string
+	}{
+		{ComponentDefinition{}, "ComponentDefinition"},
+		{TraitDefinition{}, "TraitDefinition"},
+		{PolicyDefinition{}, "PolicyDefinition"},
+		{WorkflowStepDefinition{}, "WorkflowStepDefinition"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.expectedKind, func(t *testing.T) {
+			actualKind := reflect.TypeOf(tt.defType).Name()
+			assert.Equal(t, tt.expectedKind, actualKind)
+
+			// Also verify it matches what's in the map
+			info, ok := DefinitionTypeMap[reflect.TypeOf(tt.defType)]
+			assert.True(t, ok)
+			assert.Equal(t, tt.expectedKind, info.Kind)
+		})
+	}
+}
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types.go
@@ -29,11 +29,11 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"

+	"github.com/kubevela/pkg/util/compression"
+
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-	"github.com/oam-dev/kubevela/apis/interfaces"
 	velatypes "github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/oam"
-	"github.com/oam-dev/kubevela/pkg/utils/compression"
 	velaerr "github.com/oam-dev/kubevela/pkg/utils/errors"
 )

@@ -52,8 +52,7 @@ type ResourceTracker struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

-	Spec   ResourceTrackerSpec   `json:"spec,omitempty"`
-	Status ResourceTrackerStatus `json:"status,omitempty"`
+	Spec ResourceTrackerSpec `json:"spec,omitempty"`
 }

 // ResourceTrackerType defines the type of resourceTracker
@@ -76,10 +75,9 @@ type ResourceTrackerSpec struct {
 	Compression           ResourceTrackerCompression `json:"compression,omitempty"`
 }

-// ResourceTrackerCompression the compression for ResourceTracker ManagedResources
+// ResourceTrackerCompression represents the compressed components in ResourceTracker.
 type ResourceTrackerCompression struct {
-	Type compression.Type `json:"type,omitempty"`
-	Data string           `json:"data,omitempty"`
+	compression.CompressedText `json:",inline"`
 }

 // MarshalJSON will encode ResourceTrackerSpec according to the compression type. If type specified,
@@ -88,30 +86,19 @@ type ResourceTrackerCompression struct {
 func (in *ResourceTrackerSpec) MarshalJSON() ([]byte, error) {
 	type Alias ResourceTrackerSpec
 	tmp := &struct{ *Alias }{}
-	switch in.Compression.Type {
-	case compression.Uncompressed:
+
+	if in.Compression.Type == compression.Uncompressed {
 		tmp.Alias = (*Alias)(in)
-	case compression.Gzip:
+	} else {
 		cpy := in.DeepCopy()
-		data, err := compression.GzipObjectToString(in.ManagedResources)
+		cpy.ManagedResources = nil
+		err := cpy.Compression.EncodeFrom(in.ManagedResources)
 		if err != nil {
 			return nil, err
 		}
-		cpy.ManagedResources = nil
-		cpy.Compression.Data = data
 		tmp.Alias = (*Alias)(cpy)
-	case compression.Zstd:
-		cpy := in.DeepCopy()
-		data, err := compression.ZstdObjectToString(in.ManagedResources)
-		if err != nil {
-			return nil, err
-		}
-		cpy.ManagedResources = nil
-		cpy.Compression.Data = data
-		tmp.Alias = (*Alias)(cpy)
-	default:
-		return nil, compression.NewUnsupportedCompressionTypeError(string(in.Compression.Type))
 	}
+
 	return json.Marshal(tmp.Alias)
 }

@@ -124,24 +111,16 @@ func (in *ResourceTrackerSpec) UnmarshalJSON(src []byte) error {
 	if err := json.Unmarshal(src, tmp); err != nil {
 		return err
 	}
-	switch tmp.Compression.Type {
-	case compression.Uncompressed:
-		break
-	case compression.Gzip:
+
+	if tmp.Compression.Type != compression.Uncompressed {
 		tmp.ManagedResources = []ManagedResource{}
-		if err := compression.GunzipStringToObject(tmp.Compression.Data, &tmp.ManagedResources); err != nil {
+		err := tmp.Compression.DecodeTo(&tmp.ManagedResources)
+		if err != nil {
 			return err
 		}
-		tmp.Compression.Data = ""
-	case compression.Zstd:
-		tmp.ManagedResources = []ManagedResource{}
-		if err := compression.UnZstdStringToObject(tmp.Compression.Data, &tmp.ManagedResources); err != nil {
-			return err
-		}
-		tmp.Compression.Data = ""
-	default:
-		return compression.NewUnsupportedCompressionTypeError(string(in.Compression.Type))
+		tmp.Compression.Clean()
 	}
+
 	(*ResourceTrackerSpec)(tmp.Alias).DeepCopyInto(in)
 	return nil
 }
@@ -159,7 +138,7 @@ type ManagedResource struct {
 }

 // Equal check if two managed resource equals
-func (in ManagedResource) Equal(r ManagedResource) bool {
+func (in *ManagedResource) Equal(r ManagedResource) bool {
 	if !in.ClusterObjectReference.Equal(r.ClusterObjectReference) {
 		return false
 	}
@@ -170,7 +149,7 @@ func (in ManagedResource) Equal(r ManagedResource) bool {
 }

 // DisplayName readable name for locating resource
-func (in ManagedResource) DisplayName() string {
+func (in *ManagedResource) DisplayName() string {
 	s := in.Kind + " " + in.Name
 	if in.Namespace != "" || in.Cluster != "" {
 		s += " ("
@@ -189,12 +168,12 @@ func (in ManagedResource) DisplayName() string {
 }

 // NamespacedName namespacedName
-func (in ManagedResource) NamespacedName() types.NamespacedName {
+func (in *ManagedResource) NamespacedName() types.NamespacedName {
 	return types.NamespacedName{Namespace: in.Namespace, Name: in.Name}
 }

 // ResourceKey computes the key for managed resource, resources with the same key points to the same resource
-func (in ManagedResource) ResourceKey() string {
+func (in *ManagedResource) ResourceKey() string {
 	group := in.GroupVersionKind().Group
 	kind := in.GroupVersionKind().Kind
 	cluster := in.Cluster
@@ -205,12 +184,12 @@ func (in ManagedResource) ResourceKey() string {
 }

 // ComponentKey computes the key for the component which managed resource belongs to
-func (in ManagedResource) ComponentKey() string {
-	return strings.Join([]string{in.Env, in.Component}, "/")
+func (in *ManagedResource) ComponentKey() string {
+	return strings.Join([]string{in.Cluster, in.Component}, "/")
 }

 // UnmarshalTo unmarshal ManagedResource into target object
-func (in ManagedResource) UnmarshalTo(obj interface{}) error {
+func (in *ManagedResource) UnmarshalTo(obj interface{}) error {
 	if in.Data == nil || in.Data.Raw == nil {
 		return velaerr.ManagedResourceHasNoDataError{}
 	}
@@ -218,7 +197,7 @@ func (in ManagedResource) UnmarshalTo(obj interface{}) error {
 }

 // ToUnstructured converts managed resource into unstructured
-func (in ManagedResource) ToUnstructured() *unstructured.Unstructured {
+func (in *ManagedResource) ToUnstructured() *unstructured.Unstructured {
 	obj := &unstructured.Unstructured{}
 	obj.SetGroupVersionKind(in.GroupVersionKind())
 	obj.SetName(in.Name)
@@ -230,7 +209,7 @@ func (in ManagedResource) ToUnstructured() *unstructured.Unstructured {
 }

 // ToUnstructuredWithData converts managed resource into unstructured and unmarshal data
-func (in ManagedResource) ToUnstructuredWithData() (*unstructured.Unstructured, error) {
+func (in *ManagedResource) ToUnstructuredWithData() (*unstructured.Unstructured, error) {
 	obj := in.ToUnstructured()
 	if err := in.UnmarshalTo(obj); err != nil {
 		if errors.Is(err, velaerr.ManagedResourceHasNoDataError{}) {
@@ -240,13 +219,6 @@ func (in ManagedResource) ToUnstructuredWithData() (*unstructured.Unstructured,
 	return obj, nil
 }

-// ResourceTrackerStatus define the status of resourceTracker
-// For backward-compatibility
-type ResourceTrackerStatus struct {
-	// Deprecated
-	TrackedResources []common.ClusterObjectReference `json:"trackedResources,omitempty"`
-}
-
 // +kubebuilder:object:root=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

@@ -344,29 +316,3 @@ func (in *ResourceTracker) DeleteManagedResource(rsc client.Object, remove bool)
 	}
 	return true
 }
-
-// addClusterObjectReference
-// Deprecated
-func (in *ResourceTracker) addClusterObjectReference(ref common.ClusterObjectReference) bool {
-	for _, _rsc := range in.Status.TrackedResources {
-		if _rsc.Equal(ref) {
-			return true
-		}
-	}
-	in.Status.TrackedResources = append(in.Status.TrackedResources, ref)
-	return false
-}
-
-// AddTrackedResource add new object reference into tracked resources, return if already exists
-// Deprecated
-func (in *ResourceTracker) AddTrackedResource(rsc interfaces.TrackableResource) bool {
-	return in.addClusterObjectReference(common.ClusterObjectReference{
-		ObjectReference: corev1.ObjectReference{
-			APIVersion: rsc.GetAPIVersion(),
-			Kind:       rsc.GetKind(),
-			Name:       rsc.GetName(),
-			Namespace:  rsc.GetNamespace(),
-			UID:        rsc.GetUID(),
-		},
-	})
-}
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
@@ -19,22 +19,22 @@ package v1beta1
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"
 	"testing"
 	"time"

+	"github.com/kubevela/pkg/util/compression"
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/pkg/oam"
-	"github.com/oam-dev/kubevela/pkg/utils/compression"
 	"github.com/oam-dev/kubevela/pkg/utils/errors"
 )

@@ -124,17 +124,16 @@ func TestManagedResourceKeys(t *testing.T) {
 			},
 		},
 		OAMObjectReference: common.OAMObjectReference{
-			Env:       "env",
 			Component: "component",
 			Trait:     "trait",
 		},
 	}
 	r.Equal("namespace/name", input.NamespacedName().String())
 	r.Equal("apps/Deployment/cluster/namespace/name", input.ResourceKey())
-	r.Equal("env/component", input.ComponentKey())
+	r.Equal("cluster/component", input.ComponentKey())
 	r.Equal("Deployment name (Cluster: cluster, Namespace: namespace)", input.DisplayName())
 	var deploy1, deploy2 appsv1.Deployment
-	deploy1.Spec.Replicas = pointer.Int32(5)
+	deploy1.Spec.Replicas = ptr.To(int32(5))
 	bs, err := json.Marshal(deploy1)
 	r.NoError(err)
 	r.ErrorIs(input.UnmarshalTo(&deploy2), errors.ManagedResourceHasNoDataError{})
@@ -169,7 +168,7 @@ func TestResourceTracker_ManagedResource(t *testing.T) {
 	pod3 := corev1.Pod{ObjectMeta: metav1.ObjectMeta{Name: "pod3"}}
 	input.AddManagedResource(&pod3, false, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
-	deploy1.Spec.Replicas = pointer.Int32(5)
+	deploy1.Spec.Replicas = ptr.To(int32(5))
 	input.AddManagedResource(&deploy1, false, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
 	input.DeleteManagedResource(&cm2, false)
@@ -200,19 +199,14 @@ func TestResourceTrackerCompression(t *testing.T) {
 		"../../../charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml",
 		"../../../charts/vela-core/crds/core.oam.dev_applications.yaml",
 		"../../../charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml",
-		"../../../charts/vela-core/crds/core.oam.dev_healthscopes.yaml",
 		"../../../charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml",
 		"../../../charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml",
-		"../../../charts/vela-core/crds/core.oam.dev_workloaddefinitions.yaml",
-		"../../../charts/vela-core/crds/standard.oam.dev_rollouts.yaml",
-		"../../../charts/vela-core/templates/addon/fluxcd.yaml",
 		"../../../charts/vela-core/templates/kubevela-controller.yaml",
 		"../../../charts/vela-core/README.md",
-		"../../../pkg/velaql/providers/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
-		"../../../legacy/charts/vela-core-legacy/crds/standard.oam.dev_podspecworkloads.yaml",
+		"../../../pkg/workflow/providers/legacy/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
 	}
 	for _, p := range paths {
-		b, err := ioutil.ReadFile(p)
+		b, err := os.ReadFile(p)
 		r.NoError(err)
 		data = append(data, string(b))
 	}
--- a/apis/core.oam.dev/v1beta1/workflow_step_definition.go
+++ b/apis/core.oam.dev/v1beta1/workflow_step_definition.go
@@ -33,6 +33,9 @@ type WorkflowStepDefinitionSpec struct {
 	// Only CUE schematic is supported for now.
 	// +optional
 	Schematic *common.Schematic `json:"schematic,omitempty"`
+
+	// +optional
+	Version string `json:"version,omitempty"`
 }

 // WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
--- a/Show More
+++ b/Show More