Fix: Enhance shared resource handling to avoid last-applied-configuration pollution (#6998 ) (#7001 )

(cherry picked from commit 552764d48f) Signed-off-by: Brian Kane <briankane1@gmail.com> Co-authored-by: Ayush Kumar <65535504+roguepikachu@users.noreply.github.com>
Fix: Fix issue with imports/packages in status validations (#6963 ) (#6971 )
2026-03-02 09:40:51 +00:00 · 2025-11-26 08:06:58 -08:00 · 2025-11-06 18:56:43 -08:00 · 2025-11-06 06:31:05 -08:00 · 2025-09-30 19:41:27 -07:00 · 2025-09-30 18:24:08 -07:00
821 changed files with 65242 additions and 40576 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,39 +1,35 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file

-*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq
-design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong
+*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq @anoop2811
+design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong @anoop2811

 # Owner of Core Controllers
-pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq
+pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq @anoop2811

 # Owner of Standard Controllers
-pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive
+pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive @anoop2811 @FogDong

 # Owner of CUE
-pkg/cue                            @leejanee @FogDong @Somefive
-pkg/stdlib                         @leejanee @FogDong @Somefive
+pkg/cue                            @leejanee @FogDong @Somefive @anoop2811
+pkg/stdlib                         @leejanee @FogDong @Somefive @anoop2811

 # Owner of Workflow
-pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq
-
-# Owner of rollout
-pkg/controller/common/rollout/     @wangyikewxgm @wonderflow
-runtime/rollout                    @wangyikewxgm @wonderflow
+pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq @anoop2811

 # Owner of vela templates
-vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq
+vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq @anoop2811

 # Owner of vela CLI
-references/cli/                     @Somefive @zzxwill @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq
+references/cli/                     @Somefive @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq @anoop2811 @FogDong

 # Owner of vela addon framework
-pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129
+pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129 @anoop2811 @FogDong

 # Owner of resource keeper and tracker
-pkg/resourcekeeper                 @Somefive @FogDong @chivalryq
-pkg/resourcetracker                @Somefive @FogDong @chivalryq
+pkg/resourcekeeper                 @Somefive @FogDong @chivalryq @anoop2811
+pkg/resourcetracker                @Somefive @FogDong @chivalryq @anoop2811

-.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
-makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
-go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
+.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811
+makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811
+go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811

--- a/.github/actions/deploy-current-branch/README.md
+++ b/.github/actions/deploy-current-branch/README.md
@@ -0,0 +1,35 @@
+# Deploy Current Branch Action
+
+This GitHub composite action builds a Docker image from the current branch commit and deploys it to a KubeVela cluster for development testing.
+
+## What it does
+
+- Generates a unique image tag from the latest commit hash
+- Builds and loads the Docker image into a KinD cluster
+- Applies KubeVela CRDs for upgrade safety
+- Upgrades the KubeVela Helm release to use the local development image
+- Verifies deployment status and the running image version
+
+## Usage
+
+```yaml
+- name: Deploy Current Branch
+  uses: ./path/to/this/action
+```
+
+## Requirements
+
+- Docker, Helm, kubectl, and KinD must be available in your runner environment
+- Kubernetes cluster access
+- `charts/vela-core/crds` directory with CRDs
+- Valid Helm chart at `charts/vela-core`
+
+## Steps performed
+
+1. **Generate commit hash for image tag**
+2. **Build & load Docker image into KinD**
+3. **Pre-apply chart CRDs**
+4. **Upgrade KubeVela using local image**
+5. **Verify deployment and image version**
+
+---
--- a/.github/actions/deploy-current-branch/action.yaml
+++ b/.github/actions/deploy-current-branch/action.yaml
@@ -0,0 +1,89 @@
+name: 'Deploy Current Branch'
+description: 'Builds Docker image from current branch commit and deploys it to KubeVela cluster for development testing'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Git Commit Hash Generation
+    # Generate unique image tag from current branch's latest commit
+    # ========================================================================
+    - name: Get commit hash
+      id: commit_hash
+      shell: bash
+      run: |
+        COMMIT_HASH="git-$(git rev-parse --short HEAD)"
+        echo "Using commit hash: $COMMIT_HASH"
+        echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
+
+    # ========================================================================
+    # Docker Image Build and Cluster Loading
+    # Build development image from current code and load into KinD cluster
+    # ========================================================================
+    - name: Build and load Docker image
+      shell: bash
+      run: |
+        echo "Building development image: vela-core-test:${{ env.COMMIT_HASH }}"
+
+        mkdir -p $HOME/tmp/
+
+        docker build --no-cache \
+          -t vela-core-test:${{ env.COMMIT_HASH }} \
+          -f Dockerfile .
+
+        echo "Loading image into KinD cluster..."
+        TMPDIR=$HOME/tmp/ kind load docker-image vela-core-test:${{ env.COMMIT_HASH }}
+
+    # ========================================================================
+    # Custom Resource Definitions Application
+    # Pre-apply CRDs to ensure upgrade compatibility and prevent conflicts
+    # ========================================================================
+    - name: Pre-apply CRDs from target chart (upgrade-safe)
+      shell: bash
+      run: |
+        CRD_DIR="charts/vela-core/crds"
+
+        echo "Applying CRDs idempotently..."
+        kubectl apply -f "${CRD_DIR}"
+
+    # ========================================================================
+    # KubeVela Helm Chart Upgrade
+    # Upgrade existing installation to use locally built development image
+    # ========================================================================
+    - name: Upgrade KubeVela to development image
+      shell: bash
+      run: |
+        echo "Upgrading KubeVela to development version..."
+        helm upgrade kubevela ./charts/vela-core \
+          --namespace vela-system \
+          --set image.repository=vela-core-test \
+          --set image.tag=${{ env.COMMIT_HASH }} \
+          --set image.pullPolicy=IfNotPresent \
+          --timeout 5m \
+          --wait \
+          --debug
+
+    # ========================================================================
+    # Deployment Status Verification
+    # Verify successful upgrade and confirm correct image deployment
+    # ========================================================================
+    - name: Verify deployment status
+      shell: bash
+      run: |
+        echo "=== DEPLOYMENT VERIFICATION ==="
+        echo "Verifying upgrade to local development image..."
+
+        echo "--- Pod Status ---"
+        kubectl get pods -n vela-system
+
+        echo "--- Deployment Rollout ---"
+        kubectl rollout status deployment/kubevela-vela-core \
+          -n vela-system \
+          --timeout=300s
+
+        echo "--- Deployed Image Version ---"
+        kubectl get deployment kubevela-vela-core \
+          -n vela-system \
+          -o yaml | grep "image:" | head -1
+
+        echo "Deployment verification completed successfully!"
--- a/.github/actions/deploy-latest-release/README.md
+++ b/.github/actions/deploy-latest-release/README.md
@@ -0,0 +1,32 @@
+# Install Latest KubeVela Release Action
+
+This GitHub composite action installs the latest stable KubeVela release from the official Helm repository and verifies its deployment status.
+
+## What it does
+
+- Discovers the latest stable KubeVela release tag from GitHub
+- Adds and updates the official KubeVela Helm chart repository
+- Installs KubeVela into the `vela-system` namespace (using Helm)
+- Verifies pod status and deployment rollout for successful installation
+
+## Usage
+
+```yaml
+- name: Install Latest KubeVela Release
+  uses: ./path/to/this/action
+```
+
+## Requirements
+
+- Helm, kubectl, jq, and curl must be available in your runner environment
+- Kubernetes cluster access
+
+## Steps performed
+
+1. **Release Tag Discovery:** Fetches latest stable tag (without `v` prefix)
+2. **Helm Repo Setup:** Adds/updates KubeVela Helm chart repo
+3. **Install KubeVela:** Installs latest release in the `vela-system` namespace
+4. **Status Verification:** Checks pod status and rollout for readiness
+
+---
+
--- a/.github/actions/deploy-latest-release/action.yaml
+++ b/.github/actions/deploy-latest-release/action.yaml
@@ -0,0 +1,68 @@
+name: 'Install Latest KubeVela Release'
+description: 'Installs the latest stable KubeVela release from official Helm repository with status verification'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Latest Release Tag Discovery
+    # Fetch current stable release version from GitHub API
+    # ========================================================================
+    - name: Get latest KubeVela release tag (no v prefix)
+      id: get_latest_tag
+      shell: bash
+      run: |
+        TAG=$(curl -s https://api.github.com/repos/kubevela/kubevela/releases/latest | \
+              jq -r ".tag_name" | \
+              awk '{sub(/^v/, ""); print}')
+        echo "LATEST_TAG=$TAG" >> $GITHUB_ENV
+        echo "Discovered latest release: $TAG"
+
+    # ========================================================================
+    # Helm Repository Configuration
+    # Add and update official KubeVela chart repository
+    # ========================================================================
+    - name: Add KubeVela Helm repo
+      shell: bash
+      run: |
+        echo "Adding KubeVela Helm repository..."
+        helm repo add kubevela https://kubevela.github.io/charts
+        helm repo update
+        echo "Helm repository configuration completed"
+
+    # ========================================================================
+    # KubeVela Stable Release Installation
+    # Deploy latest stable version to vela-system namespace
+    # ========================================================================
+    - name: Install KubeVela ${{ env.LATEST_TAG }}
+      shell: bash
+      run: |
+        echo "Installing KubeVela version: ${{ env.LATEST_TAG }}"
+        helm install \
+          --create-namespace \
+          -n vela-system \
+          kubevela kubevela/vela-core \
+          --version ${{ env.LATEST_TAG }} \
+          --timeout 10m \
+          --wait
+        echo "KubeVela installation completed"
+
+    # ========================================================================
+    # Installation Status Verification
+    # Verify successful deployment and readiness of KubeVela components
+    # ========================================================================
+    - name: Post-install status
+      shell: bash
+      run: |
+        echo "=== INSTALLATION VERIFICATION ==="
+        echo "Verifying KubeVela deployment status..."
+
+        echo "--- Pod Status ---"
+        kubectl get pods -n vela-system
+
+        echo "--- Deployment Rollout ---"
+        kubectl rollout status deployment/kubevela-vela-core \
+          -n vela-system \
+          --timeout=300s
+
+        echo "KubeVela installation verification completed successfully!"
--- a/.github/actions/e2e-test/README.md
+++ b/.github/actions/e2e-test/README.md
@@ -0,0 +1,51 @@
+# Kubevela K8s Upgrade E2E Test Action
+
+A comprehensive GitHub composite action for running KubeVela Kubernetes upgrade end-to-end (E2E) tests with complete environment setup, multiple test suites, and failure diagnostics.
+
+
+> **Note**: This action requires the `GO_VERSION` environment variable to be set in your workflow.
+
+## Quick Start
+
+### Basic Usage
+
+```yaml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  e2e-tests:
+    runs-on: ubuntu-latest
+    env:
+      GO_VERSION: '1.23.8'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Run KubeVela E2E Tests
+        uses: ./.github/actions/upgrade-e2e-test
+```
+
+## Test Flow Diagram
+
+```
+┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
+│ Environment     │    │ E2E Environment  │    │ Test Execution  │
+│ Setup           │───▶│ Preparation      │───▶│ (3 Suites)      │
+│                 │    │                  │    │                 │
+│ • Install tools │    │ • Cleanup        │    │ • API tests     │
+│ • Setup Go      │    │ • Core setup     │    │ • Addon tests   │
+│ • Dependencies  │    │ • Helm tests     │    │ • General tests │
+│ • Build project │    │                  │    │                 │
+└─────────────────┘    └──────────────────┘    └─────────────────┘
+                                                        │
+                                                        ▼
+                                                ┌─────────────────┐
+                                                │ Diagnostics     │
+                                                │ (On Failure)    │
+                                                │                 │
+                                                │ • Cluster logs  │
+                                                │ • System events │
+                                                │ • Test artifacts│
+                                                └─────────────────┘
+```
--- a/.github/actions/e2e-test/action.yaml
+++ b/.github/actions/e2e-test/action.yaml
@@ -0,0 +1,96 @@
+name: 'Kubevela K8s Upgrade e2e Test'
+description: 'Runs Kubevela K8s upgrade e2e tests, uploads coverage, and collects diagnostics on failure.'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+
+    - name: Build project
+      shell: bash
+      run: make
+
+    # ========================================================================
+    # E2E Test Environment Preparation
+    # ========================================================================
+    - name: Prepare e2e environment
+      shell: bash
+      run: |
+        echo "Preparing e2e test environment..."
+        make e2e-cleanup
+        make e2e-setup-core
+
+        echo "Running Helm tests..."
+        helm test -n vela-system kubevela --timeout 5m
+
+    # ========================================================================
+    # E2E Test Execution
+    # ========================================================================
+    - name: Run API e2e tests
+      shell: bash
+      run: |
+        echo "Running API e2e tests..."
+        make e2e-api-test
+
+    - name: Run addon e2e tests
+      shell: bash
+      run: |
+        echo "Running addon e2e tests..."
+        make e2e-addon-test
+
+    - name: Run general e2e tests
+      shell: bash
+      run: |
+        echo "Running general e2e tests..."
+        make e2e-test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: ./coverage.txt
+        flags: core-unittests
+        name: codecov-umbrella
+        fail_ci_if_error: false
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
+
+        echo "--- Helm Release Status ---"
+        helm list -A || true
+        helm status kubevela -n vela-system || true
+
+        echo "--- Test Artifacts ---"
+        find . -name "*.log" -type f -exec echo "=== {} ===" \; -exec cat {} \; || true
--- a/.github/actions/env-setup/README.md
+++ b/.github/actions/env-setup/README.md
@@ -0,0 +1,67 @@
+# Kubevela Test Environment Setup Action
+
+A GitHub Actions composite action that sets up a complete testing environment for Kubevela projects with Go, Kubernetes tools, and the Ginkgo testing framework.
+
+## Features
+
+- 🛠️ **System Dependencies**: Installs essential build tools (make, gcc, jq, curl, etc.)
+- ☸️ **Kubernetes Tools**: Sets up kubectl and Helm for cluster operations
+- 🐹 **Go Environment**: Configurable Go version with module caching
+- 📦 **Dependency Management**: Downloads and verifies Go module dependencies
+- 🧪 **Testing Framework**: Installs Ginkgo v2 for BDD-style testing
+
+## Usage
+
+```yaml
+- name: Setup Kubevela Test Environment
+  uses: ./path/to/this/action
+  with:
+    go-version: '1.23.8'      # Optional: Go version (default: 1.23.8)
+```
+
+### Example Workflow
+
+```yaml
+name: Kubevela Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Setup Test Environment
+        uses: ./path/to/this/action
+        with:
+          go-version: '1.21'
+          
+      - name: Run Tests
+        run: |
+          ginkgo -r ./tests/e2e/
+```
+
+## Inputs
+
+| Input | Description | Required | Default | Usage |
+|-------|-------------|----------|---------|-------|
+| `go-version` | Go version to install and use | No | `1.23.8` | Specify Go version for your project |
+
+## What This Action Installs
+
+### System Tools
+- **make**: Build automation tool
+- **gcc**: GNU Compiler Collection
+- **jq**: JSON processor for shell scripts
+- **ca-certificates**: SSL/TLS certificates
+- **curl**: HTTP client for downloads
+- **gnupg**: GNU Privacy Guard for security
+
+### Kubernetes Ecosystem
+- **kubectl**: Kubernetes command-line tool (latest stable)
+- **helm**: Kubernetes package manager (latest stable)
+
+### Go Development
+- **Go Runtime**: Specified version with module caching enabled
+- **Go Modules**: Downloaded and verified dependencies
+- **Ginkgo v2.14.0**: BDD testing framework for Go
--- a/.github/actions/env-setup/action.yaml
+++ b/.github/actions/env-setup/action.yaml
@@ -0,0 +1,72 @@
+name: 'Kubevela Test Environment Setup'
+description: 'Sets up complete testing environment for Kubevela with Go, Kubernetes tools, and Ginkgo framework for E2E testing.'
+
+inputs:
+  go-version:
+    description: 'Go version to use for testing'
+    required: false
+    default: '1.23.8'
+
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        # Update package manager and install essential tools
+        sudo apt-get update
+        sudo apt-get install -y \
+          make \
+          gcc \
+          jq \
+          ca-certificates \
+          curl \
+          gnupg
+
+    - name: Install kubectl and helm
+      shell: bash
+      run: |
+        # Detect architecture
+        ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+        
+        # Install kubectl
+        echo "Installing kubectl for architecture: $ARCH"
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl"
+        chmod +x kubectl
+        sudo mv kubectl /usr/local/bin/
+        
+        # Install helm using the official script (more reliable)
+        echo "Installing Helm using official script..."
+        curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+        chmod 700 get_helm.sh
+        ./get_helm.sh
+        rm get_helm.sh
+        
+        # Verify installations
+        echo "Verifying installations..."
+        kubectl version --client
+        helm version
+    
+
+    - name: Setup Go environment
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+      with:
+        go-version: ${{ inputs.go-version }}
+        cache: true
+
+    - name: Download Go dependencies
+      shell: bash
+      run: |
+        # Download and cache Go module dependencies
+        go mod download
+        go mod verify
+
+    - name: Install Ginkgo testing framework
+      shell: bash
+      run: |
+        echo "Installing Ginkgo testing framework..."
+        go install github.com/onsi/ginkgo/v2/ginkgo@v2.14.0
--- a/.github/actions/multicluster-test/README.md
+++ b/.github/actions/multicluster-test/README.md
@@ -0,0 +1,35 @@
+# Kubevela K8s Upgrade Multicluster E2E Test Action
+
+A comprehensive GitHub Actions composite action for running Kubevela Kubernetes upgrade multicluster end-to-end tests with automated coverage reporting and failure diagnostics.
+
+## Usage
+
+
+```yaml
+name: Kubevela Multicluster E2E Tests
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  multicluster-e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Multicluster E2E Tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: 'true'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+```
+
+## Inputs
+
+| Input | Description | Required | Default | Type |
+|-------|-------------|----------|---------|------|
+| `codecov-token` | Codecov token for uploading coverage reports | No | `''` | string |
+| `codecov-enable` | Enable codecov coverage upload | No | `'false'` | string |
--- a/.github/actions/multicluster-test/action.yaml
+++ b/.github/actions/multicluster-test/action.yaml
@@ -0,0 +1,76 @@
+name: 'Kubevela K8s Upgrade Multicluster E2E Test'
+description: 'Runs Kubevela Kubernetes upgrade multicluster end-to-end tests, uploads coverage, and collects diagnostics on failure.'
+author: 'viskumar_gwre'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+
+    # ========================================================================
+    # E2E Test Execution
+    # ========================================================================
+    - name: Prepare e2e test environment
+      shell: bash
+      run: |
+        # Build CLI tools and prepare test environment
+        echo "Building KubeVela CLI..."
+        make vela-cli
+
+        echo "Cleaning up previous test artifacts..."
+        make e2e-cleanup
+
+        echo "Setting up core authentication for e2e tests..."
+        make e2e-setup-core-auth
+
+    - name: Execute multicluster upgrade e2e tests
+      shell: bash
+      run: |
+        # Add built CLI to PATH and run multicluster tests
+        export PATH=$(pwd)/bin:$PATH
+
+        echo "Running e2e multicluster upgrade tests..."
+        make e2e-multicluster-test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
+        flags: e2e-multicluster-test
+        name: codecov-umbrella
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
--- a/.github/actions/setup-kind-cluster/README.md
+++ b/.github/actions/setup-kind-cluster/README.md
@@ -0,0 +1,78 @@
+# Setup Kind Cluster Action
+
+A GitHub Action that sets up a Kubernetes testing environment using Kind (Kubernetes in Docker) for E2E testing.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `k8s-version` | Kubernetes version for the kind cluster | No | `v1.31.9` |
+
+## Quick Start
+
+```yaml
+name: E2E Tests
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      
+      - name: Setup Kind Cluster
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: 'v1.31.9'
+      
+      - name: Run tests
+        run: |
+          kubectl cluster-info
+          make test-e2e
+```
+
+## What it does
+
+1. **Installs Kind CLI** - Downloads Kind v0.29.0 using Go
+2. **Cleans up** - Removes any existing Kind clusters
+3. **Creates cluster** - Spins up Kubernetes v1.31.9 cluster
+4. **Sets up environment** - Configures KUBECONFIG for kubectl access
+5. **Loads images** - Builds and loads Docker images using `make image-load`
+
+## File Structure
+
+Save as `.github/actions/setup-kind-cluster/action.yaml`:
+
+```yaml
+name: 'SetUp kind cluster'
+description: 'Sets up complete testing environment for Kubevela with Go, Kubernetes tools, and Ginkgo framework for E2E testing.'
+
+inputs:
+  k8s-version:
+    description: 'Kubernetes version for the kind cluster'
+    required: false
+    default: 'v1.31.9'
+
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Kind cluster Setup
+    # ========================================================================
+    - name: Setup KinD
+      run: |
+        go install sigs.k8s.io/kind@v0.29.0
+        kind delete cluster || true
+        kind create cluster --image=kindest/node:${{ inputs.k8s-version }}
+      shell: bash
+
+    - name: Load image
+      run: |
+        mkdir -p $HOME/tmp/
+        TMPDIR=$HOME/tmp/ make image-load
+      shell: bash
+```
--- a/.github/actions/setup-kind-cluster/action.yaml
+++ b/.github/actions/setup-kind-cluster/action.yaml
@@ -0,0 +1,36 @@
+name: 'SetUp kind cluster'
+description: 'Sets up a KinD (Kubernetes in Docker) cluster with configurable Kubernetes version and optional cluster naming for testing and development workflows.'
+inputs:
+  k8s-version:
+    description: 'Kubernetes version for the kind cluster'
+    required: false
+    default: 'v1.31.9'
+  name:
+    description: 'Name of the kind cluster'
+    required: false
+runs:
+  using: 'composite'
+  steps:
+    # ========================================================================
+    # Kind cluster Setup
+    # ========================================================================
+    - name: Setup KinD
+      run: |
+        go install sigs.k8s.io/kind@v0.29.0
+        if [ -n "${{ inputs.name }}" ]; then
+          kind delete cluster --name="${{ inputs.name }}" || true
+          kind create cluster --name="${{ inputs.name }}" --image=kindest/node:${{ inputs.k8s-version }}
+          kind export kubeconfig --internal --name="${{ inputs.name }}" --kubeconfig /tmp/${{ inputs.name }}.kubeconfig
+        else
+          kind delete cluster || true
+          kind create cluster --image=kindest/node:${{ inputs.k8s-version }}
+        fi
+      shell: bash
+
+    - name: Load image
+      run: |
+        if [ -z "${{ inputs.name }}" ]; then
+          mkdir -p $HOME/tmp/
+          TMPDIR=$HOME/tmp/ make image-load
+        fi
+      shell: bash
--- a/.github/actions/unit-test/README.md
+++ b/.github/actions/unit-test/README.md
@@ -0,0 +1,34 @@
+# Kubevela K8s Upgrade Unit Test Action
+
+A comprehensive GitHub composite action for running KubeVela Kubernetes upgrade unit tests with coverage reporting and failure diagnostics.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `codecov-token` | Codecov token for uploading coverage reports | ❌ | `''` |
+| `codecov-enable` | Enable Codecov coverage upload (`'true'` or `'false'`) | ❌ | `'false'` |
+| `go-version` | Go version to use for testing | ❌ | `'1.23.8'` |
+
+## Quick Start
+
+### Basic Usage
+
+```yaml
+name: Unit Tests with Coverage
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Run KubeVela Unit Tests
+        uses: viskumar_gwre/kubevela-k8s-upgrade-unit-test-action@v1
+        with:
+          codecov-enable: 'true'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          go-version: '1.23.8'
+```
--- a/.github/actions/unit-test/action.yaml
+++ b/.github/actions/unit-test/action.yaml
@@ -0,0 +1,67 @@
+name: 'Kubevela K8s Upgrade Unit Test'
+description: 'Runs Kubevela K8s upgrade unit tests, uploads coverage, and collects diagnostics on failure.'
+
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage reports'
+    required: false
+    default: ''
+  codecov-enable:
+    description: 'Enable codecov coverage upload'
+    required: false
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # ========================================================================
+    # Environment Setup
+    # ========================================================================
+    - name: Configure environment setup
+      uses: ./.github/actions/env-setup
+
+    # ========================================================================
+    # Unit Test Execution
+    # ========================================================================
+    - name: Run unit tests
+      shell: bash
+      run: |
+        echo "Running unit tests..."
+        make test
+
+    - name: Upload coverage report
+      if: ${{ inputs.codecov-enable == 'true' }}
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
+      with:
+        token: ${{ inputs.codecov-token }}
+        files: ./coverage.txt
+        flags: core-unittests
+        name: codecov-umbrella
+        fail_ci_if_error: false
+
+    # ========================================================================
+    # Failure Diagnostics
+    # ========================================================================
+    - name: Collect failure diagnostics
+      if: failure()
+      shell: bash
+      run: |
+        echo "=== FAILURE DIAGNOSTICS ==="
+        echo "Collecting diagnostic information for debugging..."
+
+        echo "--- Go Environment ---"
+        go version || true
+        go env || true
+
+        echo "--- Cluster Status ---"
+        kubectl get nodes -o wide || true
+        kubectl get pods -A || true
+
+        echo "--- KubeVela System Logs ---"
+        kubectl logs -n vela-system -l app.kubernetes.io/name=vela-core --tail=100 || true
+
+        echo "--- Recent Events ---"
+        kubectl get events -A --sort-by='.lastTimestamp' --field-selector type!=Normal || true
+
+        echo "--- Test Artifacts ---"
+        find . -name "*.log" -o -name "*test*.xml" -o -name "coverage.*" | head -20 || true
--- a/.github/workflows/back-port.yml
+++ b/.github/workflows/back-port.yml
@@ -17,12 +17,12 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0

      - name: Open Backport PR
-        uses: zeebe-io/backport-action@a759fd2d7d3314c9bb57d97a0350a12e878d3c7a
+        uses: zeebe-io/backport-action@0193454f0c5947491d348f33a275c119f30eb736
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -17,7 +17,7 @@ jobs:
      HELM_CHART_NAME: vela-core
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Get git revision
        id: vars
        shell: bash
@@ -28,7 +28,7 @@ jobs:
        with:
          version: v3.4.0
      - name: Setup node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: '14'
      - name: Generate helm doc
@@ -47,7 +47,7 @@ jobs:
          chart_smever=${chart_version#"v"}
          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml

-      - uses: jnwng/github-app-installation-token-action@v2
+      - uses: jnwng/github-app-installation-token-action@c54add4c02866dc41e106745ac6dcf5cdd6339e5 # v2
        id: get_app_token
        with:
          appId: 340472
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,15 +23,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
-        uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/autobuild@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -15,7 +15,7 @@ jobs:
  check:
    runs-on: ubuntu-22.04
    steps:
-      - uses: thehanimo/pr-title-checker@v1.3.7
+      - uses: thehanimo/pr-title-checker@5652588c80c479af803eabfbdb5a3895a77c1388 # v1.4.1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          pass_on_octokit_error: true
--- a/.github/workflows/core-api-test.yml
+++ b/.github/workflows/core-api-test.yml
@@ -16,16 +16,16 @@ jobs:
  core-api-test:
    runs-on: ubuntu-22.04
    steps:
-      - name: Set up Go 1.19
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+      - name: Set up Go 1.23.8
+        uses: actions/setup-go@v5
        env:
-          GO_VERSION: '1.19'
+          GO_VERSION: '1.23.8'
        with:
          go-version: ${{ env.GO_VERSION }}
        id: go

      - name: Check out code into the Go module directory
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Get the version
        id: get_version
--- a/.github/workflows/definition-lint.yml
+++ b/.github/workflows/definition-lint.yml
@@ -16,26 +16,26 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:
  definition-doc:
    runs-on: ubuntu-22.04
    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

-      - uses: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind create cluster
+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: linter

      - name: Definition Doc generate check
        run: |
--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -18,7 +18,7 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:

@@ -31,7 +31,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -39,75 +39,45 @@ jobs:
        continue-on-error: true

  e2e-multi-cluster-tests:
-    runs-on: self-hosted
+    runs-on: ubuntu-22.04
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ["v1.26"]
+        k8s-version: ["v1.31.9"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

-      - name: Install tools
-        run: |
-          sudo apt-get update
-          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
-          sudo snap install kubectl --classic
-          sudo snap install helm --classic
-
-      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+      - name: Setup worker cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
        with:
-          go-version: ${{ env.GO_VERSION }}
+          name: worker
+          k8s-version: ${{ matrix.k8s-version }}

-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-
-      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind delete cluster --name worker || true
-          kind create cluster --name worker --image=kindest/node:v1.26.4
-          kind export kubeconfig --internal --name worker --kubeconfig /tmp/worker.kubeconfig
-          kind delete cluster || true
-          kind create cluster --image=kindest/node:v1.26.4
-
-      - name: Load image
-        run: |
-          mkdir -p $HOME/tmp/ 
-          TMPDIR=$HOME/tmp/ make image-load
-
-      - name: Cleanup for e2e tests
-        run: |
-          make vela-cli
-          make e2e-cleanup
-          make e2e-setup-core-auth
-
-      - name: Run e2e multicluster tests
-        run: |
-          export PATH=$(pwd)/bin:$PATH
-          make e2e-multicluster-test
-
-      - name: Stop kubevela, get profile
-        run: |
-          make end-e2e-core-shards
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
+      - name: Setup master cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out,/tmp/e2e_multicluster_test.out
-          flags: e2e-multicluster-test
-          name: codecov-umbrella
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Run upgrade multicluster tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}

      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
+        run: |
+          if [ -f /tmp/e2e-profile.out ]; then
+            rm /tmp/e2e-profile.out
+            echo "E2E profile cleaned"
+          else
+            echo "E2E profile not found, skipping cleanup"
+          fi

      - name: Cleanup image
        if: ${{ always() }}
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -18,7 +18,7 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:

@@ -31,7 +31,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -39,83 +39,40 @@ jobs:
        continue-on-error: true

  e2e-tests:
-    runs-on: self-hosted
+    runs-on: ubuntu-22.04
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ["v1.26"]
+        k8s-version: ["v1.31"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
-
-      - name: Install tools
-        run: |
-          sudo apt-get update
-          sudo apt-get install make gcc jq ca-certificates curl gnupg -y
-          sudo snap install kubectl --classic
-          sudo snap install helm --classic
-
-      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind delete cluster || true
-          kind create cluster
+        uses: ./.github/actions/setup-kind-cluster

-      - name: Get Ginkgo
-        run: |
-          go install github.com/onsi/ginkgo/v2/ginkgo
-          go get github.com/onsi/gomega/...
-
-      - name: Load image
-        run: |
-          mkdir -p $HOME/tmp/
-          TMPDIR=$HOME/tmp/ make image-load
-
-      - name: Run Make
-        run: make
-
-      - name: Prepare for e2e tests
-        run: |
-          make e2e-cleanup
-          make e2e-setup-core
-          helm test -n vela-system kubevela --timeout 5m
-
-      - name: Run api e2e tests
-        run: make e2e-api-test
-
-      - name: Run addons e2e tests
-        run: make e2e-addon-test
-
-      - name: Run e2e tests
-        run: make e2e-test
-
-      - name: Stop kubevela, get profile
-        run: make end-e2e
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
+      # ========================================================================
+      # E2E Test Execution
+      # ========================================================================
+      - name: Run upgrade e2e tests
+        uses: ./.github/actions/e2e-test
        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: /tmp/e2e-profile.out
-          flags: e2etests
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}

      - name: Clean e2e profile
-        run: rm /tmp/e2e-profile.out
+        run: |
+          if [ -f /tmp/e2e-profile.out ]; then
+            rm /tmp/e2e-profile.out
+            echo "E2E profile cleaned"
+          else
+            echo "E2E profile not found, skipping cleanup"
+          fi

      - name: Cleanup image
        if: ${{ always() }}
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -11,16 +11,15 @@ on:
      - master
      - release-*

-permissions:  # added using https://github.com/step-security/secure-workflows
+permissions: # added using https://github.com/step-security/secure-workflows
  contents: read

 env:
  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
+  GO_VERSION: "1.23.8"
+  GOLANGCI_VERSION: "v1.60.1"

 jobs:
-
  detect-noop:
    runs-on: ubuntu-22.04
    outputs:
@@ -30,7 +29,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -44,12 +43,12 @@ jobs:

    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

@@ -64,17 +63,17 @@ jobs:
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests

    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

@@ -83,7 +82,7 @@ jobs:
      # version, but we prefer this action because it leaves 'annotations' (i.e.
      # it comments on PRs to point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0
+        uses: golangci/golangci-lint-action@v6
        with:
          version: ${{ env.GOLANGCI_VERSION }}

@@ -94,32 +93,20 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

-      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+        
      - name: Setup node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
-          node-version: '14'
+          node-version: "14"

-      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
-        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind delete cluster --name kind || true
-          kind create cluster --name kind --image=kindest/node:v1.26.4 --kubeconfig ~/.kube/config
+      - name: Setup kinD
+        uses: ./.github/actions/setup-kind-cluster

      - name: Run cross-build
        run: make cross-build
@@ -128,7 +115,7 @@ jobs:
        run: |
          export PATH=$(pwd)/bin/:$PATH
          make check-diff
-              
+
      - name: Cleanup binary
        run: make build-cleanup

@@ -139,17 +126,17 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -170,15 +157,15 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
      - name: Build Test for vela core
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          context: .
          file: Dockerfile
@@ -190,15 +177,15 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
-      - name: Build Test for CLI
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+      - name: Build Test for CLI 
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          context: .
-          file: Dockerfile.cli
+          file: Dockerfile.cli
--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@@ -1,4 +1,4 @@
-name: Run commands for issues and pull requetss
+name: Run commands for issues and pull requests
 on:
  issues:
    types: [labeled, opened]
@@ -7,29 +7,33 @@ on:

 permissions:
  contents: read
+  issues: write

 jobs:
  bot:
    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+      issues: write
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
          ref: v0.4.2
      - name: Setup Node.js
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
-          node-version: '14'
-          cache: 'npm'
+          node-version: "14"
+          cache: "npm"
          cache-dependency-path: ./actions/package-lock.json
      - name: Install Dependencies
        run: npm ci --production --prefix ./actions
      - name: Run Commands
        uses: ./actions/commands
        with:
-          token: ${{secrets.VELA_BOT_TOKEN}}
+          token: ${{ secrets.GH_KUBEVELA_COMMAND_WORKFLOW }}
          configPath: issue-commands

  backport:
@@ -44,14 +48,14 @@ jobs:
        id: command
        uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88
        with:
-          repo-token: ${{ secrets.VELA_BOT_TOKEN }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
          command: backport
          reaction: "true"
          reaction-type: "eyes"
          allow-edits: "false"
          permission-level: read
      - name: Handle Command
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          VERSION: ${{ steps.command.outputs.command-arguments }}
        with:
@@ -72,11 +76,11 @@ jobs:
            })
            console.log("Added '" + label + "' label.")
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
      - name: Open Backport PR
-        uses: zeebe-io/backport-action@a759fd2d7d3314c9bb57d97a0350a12e878d3c7a
+        uses: zeebe-io/backport-action@0193454f0c5947491d348f33a275c119f30eb736
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
@@ -86,12 +90,11 @@ jobs:
    if: github.event.issue.pull_request && contains(github.event.comment.body, '/retest')
    permissions:
      actions: write
-      contents: write
      pull-requests: write
      issues: write
    steps:
      - name: Retest the current pull request
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          PULL_REQUEST_ID: ${{ github.event.issue.number }}
          COMMENT_ID: ${{ github.event.comment.id }}
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -9,7 +9,6 @@ on:
    branches:
      - master
      - release-*
-      -
 permissions:
  contents: read

@@ -18,9 +17,9 @@ jobs:
    runs-on: ubuntu-22.04
    name: Check for unapproved licenses
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
        with:
          ruby-version: 2.6
      - name: Install dependencies
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -1,27 +1,45 @@
 name: Registry
+
 on:
  push:
    branches:
      - master
    tags:
-      - "v*"
+      - 'v*'
  workflow_dispatch: {}

-env:
-  ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }}
-  ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
-
 permissions:
  contents: read

 jobs:
-  publish-core-images:
+  publish-vela-images:
+    name: Build and Push Vela Images
    permissions:
      packages: write
+      id-token: write
+      attestations: write
+      contents: write
    runs-on: ubuntu-22.04
+    outputs:
+      vela_core_image: ${{ steps.meta-vela-core.outputs.image }}
+      vela_core_digest: ${{ steps.meta-vela-core.outputs.digest }}
+      vela_core_dockerhub_image: ${{ steps.meta-vela-core.outputs.dockerhub_image }}
+      vela_cli_image: ${{ steps.meta-vela-cli.outputs.image }}
+      vela_cli_digest: ${{ steps.meta-vela-cli.outputs.digest }}
+      vela_cli_dockerhub_image: ${{ steps.meta-vela-cli.outputs.dockerhub_image }}
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
-      - name: Get the version
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
+
+      - name: Install Crane
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.1
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # main
+        with:
+          cosign-release: 'v2.5.0'
+
+      - name: Get the image version
        id: get_version
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
@@ -29,34 +47,41 @@ jobs:
            VERSION=latest
          fi
          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+
      - name: Get git revision
        id: vars
        shell: bash
        run: |
          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-      - name: Login ghcr.io
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+
+      - name: Login to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login docker.io
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
-        name: Build & Pushing vela-core for Dockerhub, GHCR
+      - name: Build & Push Vela Core for Dockerhub, GHCR
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile
-          labels: |-
+          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
@@ -65,16 +90,55 @@ jobs:
            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
            VERSION=${{ steps.get_version.outputs.VERSION }}
            GOPROXY=https://proxy.golang.org
-          tags: |-
+          tags: |
            docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
-        name: Build & Pushing CLI for Dockerhub, GHCR
+      - name: Get Vela Core Image Digest
+        id: meta-vela-core
+        run: |
+          GHCR_IMAGE=ghcr.io/${{ github.repository_owner }}/oamdev/vela-core
+          DOCKER_IMAGE=docker.io/oamdev/vela-core
+          TAG=${{ steps.get_version.outputs.VERSION }}
+
+          DIGEST=$(crane digest $GHCR_IMAGE:$TAG)
+
+          echo "image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
+          echo "dockerhub_image=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM for Vela Core Image
+        id: generate_vela_core_sbom
+        uses: anchore/sbom-action@v0.17.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          format: spdx-json
+          artifact-name: sbom-vela-core.spdx.json
+          output-file: ${{ github.workspace }}/sbom-vela-core.spdx.json
+
+      - name: Sign Vela Core Image and Attest SBOM
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
+        run: |
+          echo "signing vela core images..."
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+          cosign sign --yes docker.io/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+          echo "attesting SBOM against the vela core image..."
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-core.spdx.json --type spdx \
+          ghcr.io/${{ github.repository_owner }}/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-core.spdx.json --type spdx \
+          docker.io/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+      - name: Build & Push Vela CLI for Dockerhub, GHCR
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile.cli
-          labels: |-
+          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
@@ -83,6 +147,100 @@ jobs:
            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
            VERSION=${{ steps.get_version.outputs.VERSION }}
            GOPROXY=https://proxy.golang.org
-          tags: |-
+          tags: |
            docker.io/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+
+      - name: Get Vela CLI Image Digest
+        id: meta-vela-cli
+        run: |
+          GHCR_IMAGE=ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli
+          DOCKER_IMAGE=docker.io/oamdev/vela-cli
+          TAG=${{ steps.get_version.outputs.VERSION }}
+
+          DIGEST=$(crane digest $GHCR_IMAGE:$TAG)
+
+          echo "image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
+          echo "dockerhub_image=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM for Vela CLI Image
+        id: generate_sbom
+        uses: anchore/sbom-action@v0.17.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          format: spdx-json
+          artifact-name: sbom-vela-cli.spdx.json
+          output-file: ${{ github.workspace }}/sbom-vela-cli.spdx.json
+
+      - name: Sign Vela CLI Image and Attest SBOM
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
+        run: |
+          echo "signing vela CLI images..."
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+          cosign sign --yes docker.io/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}      
+
+          echo "attesting SBOM against the vela cli image..."
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-cli.spdx.json --type spdx \
+          ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-cli.spdx.json --type spdx \
+          docker.io/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+
+      - name: Publish SBOMs as release artifacts
+        uses: anchore/sbom-action/publish-sbom@v0.17.0
+
+  provenance-ghcr:
+    name: Generate and Push Provenance to GCHR
+    needs: publish-vela-images
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      matrix:
+        include:
+          - name: 'Vela Core Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_core_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_core_digest }}
+          - name: 'Vela CLI Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_cli_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_cli_digest }}
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 # has to be sem var
+    with:
+      image: ${{ matrix.image }}
+      digest: ${{ matrix.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  provenance-dockerhub:
+    name: Generate and Push Provenance to DockerHub
+    needs: publish-vela-images
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      matrix:
+        include:
+          - name: 'Vela Core Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_core_dockerhub_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_core_digest }}
+          - name: 'Vela CLI Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_cli_dockerhub_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_cli_digest }}
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ matrix.image }}
+      digest: ${{ matrix.digest }}
+    secrets:
+      registry-username: ${{ secrets.DOCKER_USERNAME }}
+      registry-password: ${{ secrets.DOCKER_PASSWORD }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,13 +4,15 @@ on:
  push:
    tags:
      - "v*"
-  workflow_dispatch: { }
+  workflow_dispatch: {}

 permissions:
  contents: read

 jobs:
-  build:
+  goreleaser:
+    name: goreleaser
+    runs-on: ubuntu-22.04
    permissions:
      contents: write
      actions: read
@@ -20,27 +22,83 @@ jobs:
      pull-requests: read
      repository-projects: read
      statuses: read
-    runs-on: ubuntu-22.04
-    name: goreleaser
+      id-token: write
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
+      - name: Check disk (before)
+        run: |
+          df -h
+          sudo du -sh /usr/local/lib/android /usr/share/dotnet /opt/ghc || true
+
+      - name: Free Disk Space (Ubuntu)
+        uses: insightsengineering/disk-space-reclaimer@v1
+        with:
+          # this might remove tools that are actually needed,
+          # if set to "true" but frees about 6 GB
+          tools-cache: false
+          # all of these default to true, but feel free to set to
+          # "false" if necessary for your workflow
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          swap-storage: true
+          docker-images: true
+
+      # Extra prune in case your job builds/pulls images
+      - name: Deep Docker prune
+        run: |
+          docker system prune -af || true
+          docker builder prune -af || true
+
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
-      - run: git fetch --force --tags
+
+      - name: Get Git tags
+        run: git fetch --force --tags
+
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
-          go-version: 1.19
+          go-version: 1.23.8
          cache: true
-      - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: "v2.5.0"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          distribution: goreleaser
          version: 1.14.1
          args: release --rm-dist --timeout 60m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate hashes
+        id: hash
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          set -euo pipefail
+          HASHES=$(find dist -type f -exec sha256sum {} \; | base64 -w0)
+          echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"
+
+      - name: Check disk (after)
+        run: df -h
+
  upload-plugin-homebrew:
+    name: upload-sha256sums
+    needs: goreleaser
+    runs-on: ubuntu-22.04
+    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
    permissions:
      contents: write
      actions: read
@@ -50,13 +108,9 @@ jobs:
      pull-requests: read
      repository-projects: read
      statuses: read
-    needs: build
-    runs-on: ubuntu-22.04
-    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
-    name: upload-sha256sums
    steps:
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Update kubectl plugin version in krew-index
        uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
      - name: Update Homebrew formula
@@ -67,3 +121,16 @@ jobs:
          tag: ${{ github.ref }}
          revision: ${{ github.sha }}
          force: false
+
+  provenance-vela-bins:
+    name: generate provenance for binaries
+    needs: [goreleaser]
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # has to be sem var
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -23,12 +23,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # tag=v2.1.3
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # tag=v2.4.1
        with:
          results_file: results.sarif
          results_format: sarif
@@ -47,7 +47,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@134dcf33c0b9454c4b17a936843d7e21dccdc335 # v4.3.6
        with:
          name: SARIF file
          path: results.sarif
@@ -55,6 +55,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
        with:
          sarif_file: results.sarif
--- a/.github/workflows/sdk-test.yml
+++ b/.github/workflows/sdk-test.yml
@@ -16,28 +16,26 @@ on:
 permissions:
  contents: read

-env:
-  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
-
 jobs:
  sdk-tests:
    runs-on: ubuntu-22.04
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

-      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
+      - name: Setup Env
+        uses: ./.github/actions/env-setup

      - name: Install Go tools
        run: |
          make goimports
          make golangci

+      - name: Setup KinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: sdk-test
+
      - name: Build CLI
        run: make vela-cli

--- a/.github/workflows/sync-api.yml
+++ b/.github/workflows/sync-api.yml
@@ -10,20 +10,15 @@ on:
 permissions:
  contents: read

-env:
-  GO_VERSION: '1.19'
-
 jobs:
  sync-core-api:
    runs-on: ubuntu-22.04
    steps:
-      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Check out code into the Go module directory
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup

      - name: Get the version
        id: get_version
--- a/.github/workflows/sync-sdk.yaml
+++ b/.github/workflows/sync-sdk.yaml
@@ -14,28 +14,16 @@ on:
 permissions:
  contents: read

-env:
-  GO_VERSION: '1.19'
-
 jobs:
  sync_sdk:
    runs-on: ubuntu-22.04
    steps:
-      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

-      - name: Get the version
-        id: get_version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
-
-      - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
+      - name: Env setup
+        uses: ./.github/actions/env-setup

      - name: Install Go tools
        run: |
@@ -44,6 +32,10 @@ jobs:
      - name: Build CLI
        run: make vela-cli

+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF}" >> $GITHUB_OUTPUT
+
      - name: Sync SDK to kubevela/kubevela-go-sdk
        run: bash ./hack/sdk/sync.sh
        env:
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -13,21 +13,21 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Build Vela Core image from Dockerfile
        run: |
          docker build --build-arg GOPROXY=https://proxy.golang.org -t docker.io/oamdev/vela-core:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner for vela core
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
        with:
          image-ref: 'docker.io/oamdev/vela-core:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -5,7 +5,7 @@ on:
    branches:
      - master
      - release-*
-  workflow_dispatch: { }
+  workflow_dispatch: {}
  pull_request:
    branches:
      - master
@@ -14,22 +14,17 @@ on:
 permissions:
  contents: read

-env:
-  # Common versions
-  GO_VERSION: '1.19'
-
 jobs:
-
  detect-noop:
    permissions:
-      actions: write  # for fkirc/skip-duplicate-actions to skip or stop workflow runs
+      actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
    runs-on: ubuntu-22.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -42,48 +37,19 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'

    steps:
-      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Check out code into the Go module directory
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          submodules: true

-      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Setup KinD with Kubernetes
+        uses: ./.github/actions/setup-kind-cluster
+
+      - name: Run unit tests
+        uses: ./.github/actions/unit-test
        with:
-          path: .work/pkg
-          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-pkg-
-
-      - name: Install ginkgo
-        run: |
-          sudo sed -i 's/azure\.//' /etc/apt/sources.list
-          sudo apt-get update
-          sudo apt-get install -y golang-ginkgo-dev
-
-      - name: Setup KinD
-        run: |
-          go install sigs.k8s.io/kind@v0.19.0
-          kind create cluster
-
-      - name: install Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@ed0e300b13152c2c2bfb104475665c7bf609332f
-        with:
-          version: 3.9.1
-          kubebuilderOnly: false
-          kubernetesVersion: v1.26.2
-
-      - name: Run Make test
-        run: make test
-
-      - name: Upload coverage report
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.txt
-          flags: core-unittests
-          name: codecov-umbrella
+          codecov-enable: true
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/upgrade-e2e-multicluster-test.yml
+++ b/.github/workflows/upgrade-e2e-multicluster-test.yml
@@ -0,0 +1,98 @@
+# =============================================================================
+# E2E Upgrade Multicluster Test Workflow
+# =============================================================================
+# This workflow performs end-to-end testing for KubeVela multicluster upgrades.
+# It tests the upgrade path from the latest released version to the current
+# development branch across multiple Kubernetes versions.
+#
+# Test Flow:
+# 1. Install latest KubeVela release
+# 2. Build and upgrade to current development version
+# 3. Run multicluster e2e tests to verify functionality
+# =============================================================================
+
+name: E2E Upgrade Multicluster Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Global Environment Variables
+# =============================================================================
+env:
+  GO_VERSION: '1.23.8'  # Go version for building and testing
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-multicluster-tests:
+    name: Upgrade Multicluster Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 60  # Prevent hanging jobs
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Environment Setup
+      # ========================================================================
+
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+
+      - name: Setup worker cluster kinD
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          name: worker
+
+      - name: Setup KinD master clusters for multicluster testing
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      - name: Run upgarde multicluster tests
+        uses: ./.github/actions/multicluster-test
+        with:
+          codecov-enable: false
+          codecov-token: ''
--- a/.github/workflows/upgrade-e2e-test.yml
+++ b/.github/workflows/upgrade-e2e-test.yml
@@ -0,0 +1,102 @@
+# =============================================================================
+# Upgrade E2E Test Workflow
+# =============================================================================
+# This workflow performs comprehensive end-to-end testing for KubeVela upgrades.
+# It validates the upgrade path from the latest stable release to the current
+# development version by running multiple test suites including API, addon,
+# and general e2e tests.
+#
+# Test Flow:
+# 1. Install latest KubeVela release
+# 2. Build and upgrade to current development version
+# 3. Run comprehensive e2e test suites (API, addon, general)
+# 4. Validate upgrade functionality and compatibility
+# =============================================================================
+
+name: Upgrade E2E Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Environment Variables
+# =============================================================================
+env:
+  GO_VERSION: '1.23.8'
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-tests:
+    name: Upgrade E2E Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 90  # Extended timeout for comprehensive e2e testing
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Repository Setup
+      # ========================================================================
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+      - name: Setup KinD with Kubernetes ${{ matrix.k8s-version }}
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Build vela CLI
+        run: make vela-cli
+
+      - name: Build kubectl-vela plugin
+        run: make kubectl-vela
+
+      - name: Install kustomize
+        run: make kustomize
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      # ========================================================================
+      # E2E Test Execution
+      # ========================================================================
+      - name: Run upgrade e2e tests
+        uses: ./.github/actions/e2e-test
--- a/.github/workflows/upgrade-unit-test.yml
+++ b/.github/workflows/upgrade-unit-test.yml
@@ -0,0 +1,83 @@
+# =============================================================================
+# Upgrade Unit Test Workflow
+# =============================================================================
+# This workflow performs unit testing for KubeVela upgrades by:
+# 1. Installing the latest stable KubeVela release
+# 2. Building and upgrading to the current development version
+# 3. Running unit tests to validate the upgrade functionality
+# =============================================================================
+
+name: Upgrade Unit Test
+
+# =============================================================================
+# Trigger Configuration
+# =============================================================================
+on:
+  # Trigger on pull requests targeting main and release branches
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+  # Allow manual workflow execution
+  workflow_dispatch: {}
+
+# =============================================================================
+# Security Configuration
+# =============================================================================
+permissions:
+  contents: read  # Read-only access to repository contents
+
+# =============================================================================
+# Job Definitions
+# =============================================================================
+jobs:
+  upgrade-tests:
+    name: Upgrade Unit Tests
+    runs-on: ubuntu-22.04
+    if: startsWith(github.head_ref, 'chore/upgrade-k8s-')
+    timeout-minutes: 45  # Prevent hanging jobs
+
+    # ==========================================================================
+    # Matrix Strategy - Test against multiple Kubernetes versions
+    # ==========================================================================
+    strategy:
+      fail-fast: false  # Continue testing other versions if one fails
+      matrix:
+        k8s-version: ['v1.31.9']
+
+    # ==========================================================================
+    # Concurrency Control - Prevent overlapping runs
+    # ==========================================================================
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
+      cancel-in-progress: true
+
+    steps:
+      # ========================================================================
+      # Environment Setup
+      # ========================================================================
+
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      # ========================================================================
+      # Kubernetes Cluster Setup
+      # ========================================================================
+
+      - name: Setup KinD with Kubernetes ${{ matrix.k8s-version }}
+        uses: ./.github/actions/setup-kind-cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+
+      - name: Deploy latest release
+        uses: ./.github/actions/deploy-latest-release
+
+      - name: Upgrade from current branch
+        uses: ./.github/actions/deploy-current-branch
+
+      - name: Run unit tests
+        uses: ./.github/actions/unit-test
+        with:
+          codecov-enable: false
+          codecov-token: ''
--- a/.github/workflows/webhook-upgrade-validation.yml
+++ b/.github/workflows/webhook-upgrade-validation.yml
@@ -0,0 +1,165 @@
+name: Webhook Upgrade Validation
+
+on:
+  push:
+    branches:
+      - master
+      - release-*
+    tags:
+      - v*
+  workflow_dispatch: {}
+  pull_request:
+    branches:
+      - master
+      - release-*
+
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.23.8'
+
+jobs:
+  webhook-upgrade-check:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - name: Setup Env
+        uses: ./.github/actions/env-setup
+
+      - name: Setup KinD
+        run: |
+          go install sigs.k8s.io/kind@v0.29.0
+          kind delete cluster || true
+          kind create cluster --image=kindest/node:v1.31.9
+
+      - name: Install KubeVela CLI
+        run: curl -fsSL https://kubevela.io/script/install.sh | bash
+
+      - name: Install KubeVela baseline
+        run: |
+          vela install --set featureGates.enableCueValidation=true
+          kubectl wait --namespace vela-system --for=condition=Available deployment/kubevela-vela-core --timeout=300s
+
+      - name: Prepare failing chart changes
+        run: |
+          cat <<'CHART' > charts/vela-core/templates/defwithtemplate/resource.yaml
+          # Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+          # Definition source cue file: vela-templates/definitions/internal/resource.cue
+          apiVersion: core.oam.dev/v1beta1
+          kind: TraitDefinition
+          metadata:
+            annotations:
+              definition.oam.dev/description: Add resource requests and limits on K8s pod for your workload which follows the pod spec in path 'spec.template.'
+            name: resource
+            namespace: {{ include "systemDefinitionNamespace" . }}
+          spec:
+            appliesToWorkloads:
+              - deployments.apps
+              - statefulsets.apps
+              - daemonsets.apps
+              - jobs.batch
+              - cronjobs.batch
+            podDisruptive: true
+            schematic:
+              cue:
+                template: |2
+                  let resourceContent = {
+                    resources: {
+                      if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
+                        // +patchStrategy=retainKeys
+                        requests: {
+                          cpu:    parameter.cpu
+                          memory: parameter.memory
+                        }
+                        // +patchStrategy=retainKeys
+                        limits: {
+                          cpu:    parameter.cpu
+                          memory: parameter.memory
+                        }
+                      }
+                      if parameter.requests != _|_ {
+                        // +patchStrategy=retainKeys
+                        requests: {
+                          cpu:    parameter.requests.cpu
+                          memory: parameter.requests.memory
+                        }
+                      }
+                      if parameter.limits != _|_ {
+                        // +patchStrategy=retainKeys
+                        limits: {
+                          cpu:    parameter.limits.cpu
+                          memory: parameter.limits.memory
+                        }
+                      }
+                    }
+                  }
+                  if context.output.spec != _|_ if context.output.spec.template != _|_ {
+                    patch: spec: template: spec: {
+                      // +patchKey=name
+                      containers: [resourceContent]
+                    }
+                  }
+                  if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+                    patch: spec: jobTemplate: spec: template: spec: {
+                      // +patchKey=name
+                      containers: [resourceContent]
+                    }
+                  }
+                  parameter: {
+                    // +usage=Specify the amount of cpu for requests and limits
+                    cpu?: *1 | number | string
+                    // +usage=Specify the amount of memory for requests and limits
+                    memory?: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    // +usage=Specify the resources in requests
+                    requests?: {
+                      // +usage=Specify the amount of cpu for requests
+                      cpu: *1 | number | string
+                      // +usage=Specify the amount of memory for requests
+                      memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    }
+                    // +usage=Specify the resources in limits
+                    limits?: {
+                      // +usage=Specify the amount of cpu for limits
+                      cpu: *1 | number | string
+                      // +usage=Specify the amount of memory for limits
+                      memory: *"2048Mi" | =~"^([1-9][0-9]{0,63})(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)$"
+                    }
+                  }
+
+      - name: Load image
+        run: |
+          mkdir -p $HOME/tmp/
+          TMPDIR=$HOME/tmp/ make image-load
+
+      - name: Run Helm upgrade (expected to fail)
+        run: |
+          set +e
+          helm upgrade \
+            --set image.repository=vela-core-test \
+            --set image.tag=$(git rev-parse --short HEAD) \
+            --set featureGates.enableCueValidation=true \
+            --wait kubevela ./charts/vela-core --debug -n vela-system
+          status=$?
+          echo "Helm upgrade exit code: ${status}"
+          if [ $status -eq 0 ]; then
+            echo "Expected helm upgrade to fail" >&2
+            exit 1
+          fi
+          echo "Helm upgrade failed as expected"
+
+      - name: Dump webhook configurations
+        if: ${{ always() }}
+        run: |
+          kubectl get mutatingwebhookconfiguration kubevela-vela-core-admission -o yaml
+          kubectl get validatingwebhookconfiguration kubevela-vela-core-admission -o yaml
+
+      - name: Verify webhook validation remains active
+        run: ginkgo -v --focus-file requiredparam_validation_test.go ./test/e2e-test
+
+      - name: Cleanup kind cluster
+        if: ${{ always() }}
+        run: kind delete cluster --name kind
--- a/.gitignore
+++ b/.gitignore
@@ -35,12 +35,21 @@ vendor/
 .vscode
 .history

+# Debug binaries generated by VS Code/Delve
+__debug_bin*
+*/__debug_bin*
+
+# Webhook certificates generated at runtime
+k8s-webhook-server/
+options.go.bak 
+
 pkg/test/vela
 config/crd/bases
 _tmp/

 references/cmd/cli/fake/source.go
 references/cmd/cli/fake/chart_source.go
+references/vela-sdk-gen/*
 charts/vela-core/crds/_.yaml
 .test_vela
 tmp/
@@ -50,8 +59,6 @@ tmp/
 # check docs
 git-page/

-# e2e rollout runtime image build
-runtime/rollout/e2e/tmp
 vela.json

 dist/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,18 +1,6 @@
 run:
  timeout: 10m

-  skip-files:
-    - "zz_generated\\..+\\.go$"
-    - ".*_test.go$"
-
-  skip-dirs:
-    - "hack"
-    - "e2e"
-
-output:
-  # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
-  format: colored-line-number
-
 linters-settings:
  errcheck:
    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
@@ -23,24 +11,12 @@ linters-settings:
    # default is false: such cases aren't reported by default.
    check-blank: false

-    # [deprecated] comma-separated list of pairs of the form pkg:regex
-    # the regex is used to ignore names within pkg. (default "fmt:.*").
-    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
-    ignore: fmt:.*,io/ioutil:^Read.*
-
  exhaustive:
    # indicates that switch statements are to be considered exhaustive if a
    # 'default' case is present, even if all enum members aren't listed in the
    # switch
    default-signifies-exhaustive: true

-  govet:
-    # report about shadowed variables
-    check-shadowing: false
-
-  revive:
-    # minimal confidence for issues, default is 0.8
-    min-confidence: 0.8

  gofmt:
    # simplify code: gofmt with `-s` option, true by default
@@ -55,9 +31,6 @@ linters-settings:
    # minimal code complexity to report, 30 by default (but we recommend 10-20)
    min-complexity: 30

-  maligned:
-    # print struct with more effective memory layout or not, false by default
-    suggest-new: true

  dupl:
    # tokens count to trigger issue, 150 by default
@@ -73,13 +46,6 @@ linters-settings:
    # tab width in spaces. Default to 1.
    tab-width: 1

-  unused:
-    # treat code as a program (not a library) and report unused exported identifiers; default is false.
-    # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
-    # if it's called for subdir of a project it can't find funcs usages. All text editor integrations
-    # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
-
  unparam:
    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
@@ -107,9 +73,13 @@ linters-settings:
    # Allow only slices initialized with a length of zero. Default is false.
    always: false

+  revive:
+    rules:
+      - name: unused-parameter
+        disabled: true
+
 linters:
  enable:
-    - megacheck
    - govet
    - gocyclo
    - gocritic
@@ -121,11 +91,10 @@ linters:
    - misspell
    - nakedret
    - exportloopref
+    - unused
+    - gosimple
+    - staticcheck
  disable:
-    - deadcode
-    - scopelint
-    - structcheck
-    - varcheck
    - rowserrcheck
    - sqlclosecheck
    - errchkjson
@@ -137,8 +106,28 @@ linters:


 issues:
+
+  exclude-files:
+    - "zz_generated\\..+\\.go$"
+    - ".*_test.go$"
+
+  exclude-dirs:
+    - "hack"
+    - "e2e"
+
  # Excluding configuration per-path and per-linter
  exclude-rules:
+    - path: .*\.go
+      linters:
+        - errcheck
+      text: "fmt\\."
+
+    # Ignore unchecked errors from io/ioutil functions starting with Read
+    - path: .*\.go
+      linters:
+        - errcheck
+      text: "io/ioutil.*Read"
+      
    # Exclude some linters from running on tests files.
    - path: _test(ing)?\.go
      linters:
@@ -155,6 +144,13 @@ issues:
      linters:
        - gocritic

+    # Gosmopolitan complains of internationalization issues on the file that actually defines
+    # the translation.
+    - path: i18n\.go
+      text: "Han"
+      linters:
+        - gosmopolitan
+
    # These are performance optimisations rather than style issues per se.
    # They warn when function arguments or range values copy a lot of memory
    # rather than using a pointer.
@@ -220,7 +216,7 @@ issues:
  new: false

  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
-  max-per-linter: 0
+  max-issues-per-linter: 0

  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0
+  max-same-issues: 0
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -31,6 +31,28 @@ builds:
    ldflags:
      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}

+sboms:
+  - id: kubevela-binaries-sboms
+    artifacts: binary
+    documents:
+      - "${artifact}-{{ .Version }}-{{ .Os }}-{{ .Arch }}.spdx.sbom.json"
+
+signs:
+  - id: kubevela-cosign-keyless
+    artifacts: checksum # sign the checksum file over individual artifacts
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args:
+      - "sign-blob"
+      - "--yes"
+      - "--output-signature"
+      - "${artifact}-keyless.sig"
+      - "--output-certificate"
+      - "${artifact}-keyless.pem"
+      - "${artifact}"
+    output: true
+
 archives:
  - format: tar.gz
    id: vela-cli-tgz
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,3 +1,3 @@
 # CONTRIBUTING Guide

-Please refer to https://kubevela.io/docs/contributor/overview for details.
+Please refer to https://kubevela.io/docs/contributor/overview for details.
--- a/6
+++ b/6
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -9,7 +9,7 @@ COPY go.sum go.sum

 # It's a proxy for CN developer, please unblock it if you have network issue
 ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
+ENV GOPROXY=${GOPROXY:-https://proxy.golang.org}

 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
@@ -34,7 +34,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-FROM ${BASE_IMAGE:-alpine@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501}
+FROM ${BASE_IMAGE:-alpine:3.18}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@@ -1,8 +1,8 @@
 ARG BASE_IMAGE
 # Build the cli binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder
 ARG GOPROXY
-ENV GOPROXY=${GOPROXY:-https://goproxy.cn}
+ENV GOPROXY=${GOPROXY:-https://proxy.golang.org}
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
--- a/Dockerfile.e2e
+++ b/Dockerfile.e2e
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
--- a/30
+++ b/30
@@ -12,7 +12,7 @@ all: build
 # Targets

 ## test: Run tests
-test: unit-test-core test-cli-gen
+test: envtest unit-test-core test-cli-gen
 	@$(OK) unit-tests pass

 ## test-cli-gen: Run the unit tests for cli gen
@@ -22,8 +22,8 @@ test-cli-gen:

 ## unit-test-core: Run the unit tests for core
 unit-test-core:
-	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
-	go test $(shell go list ./references/... | grep -v apiserver)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test $(shell go list ./references/... | grep -v apiserver)

 ## build: Build vela cli binary
 build: vela-cli kubectl-vela
@@ -41,9 +41,8 @@ fmt: goimports installcue
 	$(CUE) fmt ./vela-templates/definitions/internal/*
 	$(CUE) fmt ./vela-templates/definitions/deprecated/*
 	$(CUE) fmt ./vela-templates/definitions/registry/*
-	$(CUE) fmt ./pkg/stdlib/pkgs/*
-	$(CUE) fmt ./pkg/stdlib/op.cue
-	$(CUE) fmt ./pkg/workflow/tasks/template/static/*
+	$(CUE) fmt ./pkg/workflow/template/static/*
+	$(CUE) fmt ./pkg/workflow/providers/...

 ## sdk_fmt: Run go fmt against code
 sdk_fmt:
@@ -62,7 +61,7 @@ staticcheck: staticchecktool
 ## lint: Run the golangci-lint
 lint: golangci
 	@$(INFO) lint
-	@$(GOLANGCILINT) run --skip-dirs 'scaffold'
+	@GOLANGCILINT=$(GOLANGCILINT) ./hack/utils/golangci-lint-wrapper.sh

 ## reviewable: Run the reviewable
 reviewable: manifests fmt vet lint staticcheck helm-doc-gen sdk_fmt
@@ -88,10 +87,6 @@ ifneq ($(shell docker images -q $(VELA_CORE_TEST_IMAGE)),)
 	docker rmi -f $(VELA_CORE_TEST_IMAGE)
 endif

-ifneq ($(shell docker images -q $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE)),)
-	docker rmi -f $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE)
-endif
-
 endif

 ## image-load: load docker image to the kind cluster
@@ -99,14 +94,6 @@ image-load:
 	docker build -t $(VELA_CORE_TEST_IMAGE) -f Dockerfile.e2e .
 	kind load docker-image $(VELA_CORE_TEST_IMAGE) || { echo >&2 "kind not installed or error loading image: $(VELA_CORE_TEST_IMAGE)"; exit 1; }

-## image-load-runtime-cluster: Load the run-time cluster image
-image-load-runtime-cluster:
-	/bin/sh hack/e2e/build_runtime_rollout.sh
-	docker build -t $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE) -f runtime/rollout/e2e/Dockerfile.e2e runtime/rollout/e2e/
-	rm -rf runtime/rollout/e2e/tmp
-	kind load docker-image $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE)  || { echo >&2 "kind not installed or error loading image: $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE)"; exit 1; }
-	kind load docker-image $(VELA_RUNTIME_ROLLOUT_TEST_IMAGE) --name=$(RUNTIME_CLUSTER_NAME) || echo "no worker cluster"
-
 ## core-test: Run tests
 core-test:
 	go test ./pkg/... -coverprofile cover.out
@@ -115,16 +102,11 @@ core-test:
 manager:
 	$(GOBUILD_ENV) go build -o bin/manager -a -ldflags $(LDFLAGS) ./cmd/core/main.go

-## vela-runtime-rollout-manager: Build vela runtime rollout manager binary
-vela-runtime-rollout-manager:
-	$(GOBUILD_ENV) go build -o ./runtime/rollout/bin/manager -a -ldflags $(LDFLAGS) ./runtime/rollout/cmd/main.go
-
 ## manifests: Generate manifests e.g. CRD, RBAC etc.
 manifests: installcue kustomize
 	go generate $(foreach t,pkg apis,./$(t)/...)
 	# TODO(yangsoon): kustomize will merge all CRD into a whole file, it may not work if we want patch more than one CRD in this way
 	$(KUSTOMIZE) build config/crd -o config/crd/base/core.oam.dev_applications.yaml
-	./hack/crd/cleanup.sh
 	go run ./hack/crd/dispatch/dispatch.go config/crd/base charts/vela-core/crds
 	rm -f config/crd/base/*
 	./vela-templates/gen_definitions.sh
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubevela)](https://artifacthub.io/packages/search?repo=kubevela)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4602/badge)](https://bestpractices.coreinfrastructure.org/projects/4602)
 ![E2E status](https://github.com/kubevela/kubevela/workflows/E2E%20Test/badge.svg)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela/badge)](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubevela/kubevela/badge)](https://scorecard.dev/viewer/?uri=github.com/kubevela/kubevela)
 [![](https://img.shields.io/badge/KubeVela-Check%20Your%20Contribution-orange)](https://opensource.alibaba.com/contribution_leaderboard/details?projectValue=kubevela)

 ## Introduction
@@ -38,7 +38,7 @@ No ad-hoc scripts, no dirty glue code, just deploy. The deployment workflow in K
 #### **Built-in observability, multi-tenancy and security support**

 Choose from the wide range of LDAP integrations we provided out-of-box, enjoy enhanced [multi-tenancy and multi-cluster authorization and authentication](https://kubevela.net/docs/platform-engineers/auth/advance),
-pick and apply fine-grained RBAC modules and customize them per your own supply chain requirements.
+pick and apply fine-grained RBAC modules and customize them as per your own supply chain requirements.
 All delivery process has fully [automated observability dashboards](https://kubevela.net/docs/platform-engineers/operations/observability).

 #### **Multi-cloud/hybrid-environments app delivery as first-class citizen**
@@ -59,6 +59,14 @@ and share the large growing community [addons](https://kubevela.net/docs/referen
 * [Installation](https://kubevela.io/docs/install)
 * [Deploy Your Application](https://kubevela.io/docs/quick-start)

+### Get Your Own Demo with Alibaba Cloud
+
+- install KubeVela on a Serverless K8S cluster in 3 minutes, try:
+
+  <a href="https://acs.console.aliyun.com/quick-deploy?repo=kubevela/kubevela&branch=master" target="_blank">
+    <img src="https://img.alicdn.com/imgextra/i1/O1CN01aiPSuA1Wiz7wkgF5u_!!6000000002823-55-tps-399-70.svg" width="200" alt="Deploy on Alibaba Cloud">
+  </a>
+
 ## Documentation

 Full documentation is available on the [KubeVela website](https://kubevela.io/).
@@ -107,4 +115,4 @@ Security is a first priority thing for us at KubeVela. If you come across a rela

 ## Code of Conduct

-KubeVela adopts [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+KubeVela adopts [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
--- a/apis/core.oam.dev/common/types.go
+++ b/apis/core.oam.dev/common/types.go
@@ -29,20 +29,9 @@ import (
 	workflowv1alpha1 "github.com/kubevela/workflow/api/v1alpha1"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
-	"github.com/oam-dev/kubevela/apis/standard.oam.dev/v1alpha1"
 	"github.com/oam-dev/kubevela/pkg/oam"
 )

-// Kube defines the encapsulation in raw Kubernetes resource format
-type Kube struct {
-	// Template defines the raw Kubernetes resource
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Template runtime.RawExtension `json:"template"`
-
-	// Parameters defines configurable parameters
-	Parameters []KubeParameter `json:"parameters,omitempty"`
-}
-
 // ParameterValueType refers to a data type of parameter
 type ParameterValueType string

@@ -53,31 +42,6 @@ const (
 	BooleanType ParameterValueType = "boolean"
 )

-// A KubeParameter defines a configurable parameter of a component.
-type KubeParameter struct {
-	// Name of this parameter
-	Name string `json:"name"`
-
-	// +kubebuilder:validation:Enum:=string;number;boolean
-	// ValueType indicates the type of the parameter value, and
-	// only supports basic data types: string, number, boolean.
-	ValueType ParameterValueType `json:"type"`
-
-	// FieldPaths specifies an array of fields within this workload that will be
-	// overwritten by the value of this parameter. 	All fields must be of the
-	// same type. Fields are specified as JSON field paths without a leading
-	// dot, for example 'spec.replicas'.
-	FieldPaths []string `json:"fieldPaths"`
-
-	// +kubebuilder:default:=false
-	// Required specifies whether or not a value for this parameter must be
-	// supplied when authoring an Application.
-	Required *bool `json:"required,omitempty"`
-
-	// Description of this parameter.
-	Description *string `json:"description,omitempty"`
-}
-
 // CUE defines the encapsulation in CUE format
 type CUE struct {
 	// Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
@@ -88,26 +52,11 @@ type CUE struct {
 // Schematic defines the encapsulation of this capability(workload/trait/scope),
 // the encapsulation can be defined in different ways, e.g. CUE/HCL(terraform)/KUBE(K8s Object)/HELM, etc...
 type Schematic struct {
-	KUBE *Kube `json:"kube,omitempty"`
-
 	CUE *CUE `json:"cue,omitempty"`

-	HELM *Helm `json:"helm,omitempty"`
-
 	Terraform *Terraform `json:"terraform,omitempty"`
 }

-// A Helm represents resources used by a Helm module
-type Helm struct {
-	// Release records a Helm release used by a Helm module workload.
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Release runtime.RawExtension `json:"release"`
-
-	// HelmRelease records a Helm repository used by a Helm module workload.
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Repository runtime.RawExtension `json:"repository"`
-}
-
 // Terraform is the struct to describe cloud resources managed by Hashicorp Terraform
 type Terraform struct {
 	// Configuration is Terraform Configuration
@@ -186,6 +135,9 @@ type Status struct {
 	// HealthPolicy defines the health check policy for the abstraction
 	// +optional
 	HealthPolicy string `json:"healthPolicy,omitempty"`
+	// Details stores a string representation of a CUE status map to be evaluated at runtime for display
+	// +optional
+	Details string `json:"details,omitempty"`
 }

 // ApplicationPhase is a label for the condition of an application at the current time
@@ -214,26 +166,6 @@ const (
 	ApplicationDeleting ApplicationPhase = "deleting"
 )

-// WorkflowState is a string that mark the workflow state
-type WorkflowState string
-
-const (
-	// WorkflowStateInitializing means the workflow is in initial state
-	WorkflowStateInitializing WorkflowState = "Initializing"
-	// WorkflowStateTerminated means workflow is terminated manually, and it won't be started unless the spec changed.
-	WorkflowStateTerminated WorkflowState = "Terminated"
-	// WorkflowStateSuspended means workflow is suspended manually, and it can be resumed.
-	WorkflowStateSuspended WorkflowState = "Suspended"
-	// WorkflowStateSucceeded means workflow is running successfully, all steps finished.
-	WorkflowStateSucceeded WorkflowState = "Succeeded"
-	// WorkflowStateFinished means workflow is end.
-	WorkflowStateFinished WorkflowState = "Finished"
-	// WorkflowStateExecuting means workflow is still running or waiting some steps.
-	WorkflowStateExecuting WorkflowState = "Executing"
-	// WorkflowStateSkipping means it will skip this reconcile and let next reconcile to handle it.
-	WorkflowStateSkipping WorkflowState = "Skipping"
-)
-
 // ApplicationComponentStatus record the health status of App component
 type ApplicationComponentStatus struct {
 	Name      string `json:"name"`
@@ -243,6 +175,7 @@ type ApplicationComponentStatus struct {
 	// WorkloadDefinition is the definition of a WorkloadDefinition, such as deployments/apps.v1
 	WorkloadDefinition WorkloadGVK              `json:"workloadDefinition,omitempty"`
 	Healthy            bool                     `json:"healthy"`
+	Details            map[string]string        `json:"details,omitempty"`
 	Message            string                   `json:"message,omitempty"`
 	Traits             []ApplicationTraitStatus `json:"traits,omitempty"`
 	Scopes             []corev1.ObjectReference `json:"scopes,omitempty"`
@@ -256,9 +189,10 @@ func (in ApplicationComponentStatus) Equal(r ApplicationComponentStatus) bool {

 // ApplicationTraitStatus records the trait health status
 type ApplicationTraitStatus struct {
-	Type    string `json:"type"`
-	Healthy bool   `json:"healthy"`
-	Message string `json:"message,omitempty"`
+	Type    string            `json:"type"`
+	Healthy bool              `json:"healthy"`
+	Details map[string]string `json:"details,omitempty"`
+	Message string            `json:"message,omitempty"`
 }

 // Revision has name and revision number
@@ -270,13 +204,6 @@ type Revision struct {
 	RevisionHash string `json:"revisionHash,omitempty"`
 }

-// RawComponent record raw component
-type RawComponent struct {
-	// +kubebuilder:validation:EmbeddedResource
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Raw runtime.RawExtension `json:"raw"`
-}
-
 // AppStatus defines the observed state of Application
 type AppStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
@@ -358,19 +285,6 @@ const (
 	WorkflowStepType DefinitionType = "WorkflowStep"
 )

-// AppRolloutStatus defines the observed state of AppRollout
-type AppRolloutStatus struct {
-	v1alpha1.RolloutStatus `json:",inline"`
-
-	// LastUpgradedTargetAppRevision contains the name of the app that we upgraded to
-	// We will restart the rollout if this is not the same as the spec
-	LastUpgradedTargetAppRevision string `json:"lastTargetAppRevision"`
-
-	// LastSourceAppRevision contains the name of the app that we need to upgrade from.
-	// We will restart the rollout if this is not the same as the spec
-	LastSourceAppRevision string `json:"LastSourceAppRevision,omitempty"`
-}
-
 // ApplicationTrait defines the trait of application
 type ApplicationTrait struct {
 	Type string `json:"type"`
@@ -414,41 +328,22 @@ type ClusterSelector struct {
 	Labels map[string]string `json:"labels,omitempty"`
 }

-// Distribution defines the replica distribution of an AppRevision to a cluster.
-type Distribution struct {
-	// Replicas is the replica number.
-	Replicas int `json:"replicas,omitempty"`
-}
-
-// ClusterPlacement defines the cluster placement rules for an app revision.
-type ClusterPlacement struct {
-	// ClusterSelector selects the cluster to  deploy apps to.
-	// If not specified, it indicates the host cluster per se.
-	ClusterSelector *ClusterSelector `json:"clusterSelector,omitempty"`
-
-	// Distribution defines the replica distribution of an AppRevision to a cluster.
-	Distribution Distribution `json:"distribution,omitempty"`
-}
-
 const (
 	// PolicyResourceCreator create the policy resource.
 	PolicyResourceCreator string = "policy"
 	// WorkflowResourceCreator create the resource in workflow.
 	WorkflowResourceCreator string = "workflow"
-	// DebugResourceCreator create the debug resource.
-	DebugResourceCreator string = "debug"
 )

 // OAMObjectReference defines the object reference for an oam resource
 type OAMObjectReference struct {
 	Component string `json:"component,omitempty"`
 	Trait     string `json:"trait,omitempty"`
-	Env       string `json:"env,omitempty"`
 }

 // Equal check if two references are equal
 func (in OAMObjectReference) Equal(r OAMObjectReference) bool {
-	return in.Component == r.Component && in.Trait == r.Trait && in.Env == r.Env
+	return in.Component == r.Component && in.Trait == r.Trait
 }

 // AddLabelsToObject add labels to object if properties are not empty
@@ -463,9 +358,6 @@ func (in OAMObjectReference) AddLabelsToObject(obj client.Object) {
 	if in.Trait != "" {
 		labels[oam.TraitTypeLabel] = in.Trait
 	}
-	if in.Env != "" {
-		labels[oam.LabelAppEnv] = in.Env
-	}
 	obj.SetLabels(labels)
 }

@@ -475,7 +367,6 @@ func NewOAMObjectReferenceFromObject(obj client.Object) OAMObjectReference {
 		return OAMObjectReference{
 			Component: labels[oam.LabelAppComponent],
 			Trait:     labels[oam.TraitTypeLabel],
-			Env:       labels[oam.LabelAppEnv],
 		}
 	}
 	return OAMObjectReference{}
@@ -533,8 +424,6 @@ const (
 	RenderCondition
 	// WorkflowCondition indicates whether workflow processing is successful.
 	WorkflowCondition
-	// RolloutCondition indicates whether rollout processing is successful.
-	RolloutCondition
 	// ReadyCondition indicates whether whole application processing is successful.
 	ReadyCondition
 )
@@ -545,7 +434,6 @@ var conditions = map[ApplicationConditionType]string{
 	PolicyCondition:   "Policy",
 	RenderCondition:   "Render",
 	WorkflowCondition: "Workflow",
-	RolloutCondition:  "Rollout",
 	ReadyCondition:    "Ready",
 }

--- a/apis/core.oam.dev/common/types_test.go
+++ b/apis/core.oam.dev/common/types_test.go
@@ -29,13 +29,12 @@ func TestOAMObjectReference(t *testing.T) {
 	o1 := OAMObjectReference{
 		Component: "component",
 		Trait:     "trait",
-		Env:       "env",
 	}
 	obj := &unstructured.Unstructured{}
 	o2 := NewOAMObjectReferenceFromObject(obj)
 	r.False(o2.Equal(o1))
 	o1.AddLabelsToObject(obj)
-	r.Equal(3, len(obj.GetLabels()))
+	r.Equal(2, len(obj.GetLabels()))
 	o3 := NewOAMObjectReferenceFromObject(obj)
 	r.True(o1.Equal(o3))
 	o3.Component = "comp"
--- a/apis/core.oam.dev/common/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/common/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
@@ -28,22 +27,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AppRolloutStatus) DeepCopyInto(out *AppRolloutStatus) {
-	*out = *in
-	in.RolloutStatus.DeepCopyInto(&out.RolloutStatus)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppRolloutStatus.
-func (in *AppRolloutStatus) DeepCopy() *AppRolloutStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(AppRolloutStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AppStatus) DeepCopyInto(out *AppStatus) {
 	*out = *in
@@ -147,10 +130,19 @@ func (in *ApplicationComponent) DeepCopy() *ApplicationComponent {
 func (in *ApplicationComponentStatus) DeepCopyInto(out *ApplicationComponentStatus) {
 	*out = *in
 	out.WorkloadDefinition = in.WorkloadDefinition
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	if in.Traits != nil {
 		in, out := &in.Traits, &out.Traits
 		*out = make([]ApplicationTraitStatus, len(*in))
-		copy(*out, *in)
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	if in.Scopes != nil {
 		in, out := &in.Scopes, &out.Scopes
@@ -192,6 +184,13 @@ func (in *ApplicationTrait) DeepCopy() *ApplicationTrait {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationTraitStatus) DeepCopyInto(out *ApplicationTraitStatus) {
 	*out = *in
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationTraitStatus.
@@ -257,27 +256,6 @@ func (in *ClusterObjectReference) DeepCopy() *ClusterObjectReference {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterPlacement) DeepCopyInto(out *ClusterPlacement) {
-	*out = *in
-	if in.ClusterSelector != nil {
-		in, out := &in.ClusterSelector, &out.ClusterSelector
-		*out = new(ClusterSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	out.Distribution = in.Distribution
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPlacement.
-func (in *ClusterPlacement) DeepCopy() *ClusterPlacement {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterPlacement)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterSelector) DeepCopyInto(out *ClusterSelector) {
 	*out = *in
@@ -315,91 +293,6 @@ func (in *DefinitionReference) DeepCopy() *DefinitionReference {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Distribution) DeepCopyInto(out *Distribution) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Distribution.
-func (in *Distribution) DeepCopy() *Distribution {
-	if in == nil {
-		return nil
-	}
-	out := new(Distribution)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Helm) DeepCopyInto(out *Helm) {
-	*out = *in
-	in.Release.DeepCopyInto(&out.Release)
-	in.Repository.DeepCopyInto(&out.Repository)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Helm.
-func (in *Helm) DeepCopy() *Helm {
-	if in == nil {
-		return nil
-	}
-	out := new(Helm)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Kube) DeepCopyInto(out *Kube) {
-	*out = *in
-	in.Template.DeepCopyInto(&out.Template)
-	if in.Parameters != nil {
-		in, out := &in.Parameters, &out.Parameters
-		*out = make([]KubeParameter, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Kube.
-func (in *Kube) DeepCopy() *Kube {
-	if in == nil {
-		return nil
-	}
-	out := new(Kube)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubeParameter) DeepCopyInto(out *KubeParameter) {
-	*out = *in
-	if in.FieldPaths != nil {
-		in, out := &in.FieldPaths, &out.FieldPaths
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.Required != nil {
-		in, out := &in.Required, &out.Required
-		*out = new(bool)
-		**out = **in
-	}
-	if in.Description != nil {
-		in, out := &in.Description, &out.Description
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeParameter.
-func (in *KubeParameter) DeepCopy() *KubeParameter {
-	if in == nil {
-		return nil
-	}
-	out := new(KubeParameter)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OAMObjectReference) DeepCopyInto(out *OAMObjectReference) {
 	*out = *in
@@ -435,22 +328,6 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RawComponent) DeepCopyInto(out *RawComponent) {
-	*out = *in
-	in.Raw.DeepCopyInto(&out.Raw)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RawComponent.
-func (in *RawComponent) DeepCopy() *RawComponent {
-	if in == nil {
-		return nil
-	}
-	out := new(RawComponent)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RawExtensionPointer) DeepCopyInto(out *RawExtensionPointer) {
 	*out = *in
@@ -527,21 +404,11 @@ func (in *Revision) DeepCopy() *Revision {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Schematic) DeepCopyInto(out *Schematic) {
 	*out = *in
-	if in.KUBE != nil {
-		in, out := &in.KUBE, &out.KUBE
-		*out = new(Kube)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.CUE != nil {
 		in, out := &in.CUE, &out.CUE
 		*out = new(CUE)
 		**out = **in
 	}
-	if in.HELM != nil {
-		in, out := &in.HELM, &out.HELM
-		*out = new(Helm)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.Terraform != nil {
 		in, out := &in.Terraform, &out.Terraform
 		*out = new(Terraform)
--- a/apis/core.oam.dev/condition/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/condition/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
@@ -102,16 +102,16 @@ func (in *GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstruct
 }

 // FindDeleteOption find delete option for target resource
-func (in *GarbageCollectPolicySpec) FindDeleteOption(manifest *unstructured.Unstructured) []client.DeleteOption {
+func (in *GarbageCollectPolicySpec) FindDeleteOption(manifest *unstructured.Unstructured) (bool, []client.DeleteOption) {
 	for _, rule := range in.Rules {
 		if rule.Selector.Match(manifest) && rule.Propagation != nil {
 			switch *rule.Propagation {
 			case GarbageCollectPropagationOrphan:
-				return []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationOrphan)}
+				return true, []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationOrphan)}
 			case GarbageCollectPropagationCascading:
-				return []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationBackground)}
+				return false, []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationBackground)}
 			}
 		}
 	}
-	return nil
+	return false, nil
 }
--- a/apis/core.oam.dev/v1alpha1/register.go
+++ b/apis/core.oam.dev/v1alpha1/register.go
@@ -60,3 +60,8 @@ func init() {
 	SchemeBuilder.Register(&workflowv1alpha1.Workflow{}, &workflowv1alpha1.WorkflowList{})
 	_ = SchemeBuilder.AddToScheme(k8sscheme.Scheme)
 }
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
--- a/apis/core.oam.dev/v1alpha1/resource_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/resource_policy_types.go
@@ -18,7 +18,7 @@ package v1alpha1

 import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	stringslices "k8s.io/utils/strings/slices"

 	"github.com/oam-dev/kubevela/pkg/oam"
@@ -52,7 +52,7 @@ func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured)
 		if len(src) == 0 {
 			return nil
 		}
-		return pointer.Bool(val != "" && stringslices.Contains(src, val))
+		return ptr.To(val != "" && stringslices.Contains(src, val))
 	}
 	conditions := []*bool{
 		match(in.CompNames, compName),
--- a/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
--- a/apis/core.oam.dev/v1beta1/application_types.go
+++ b/apis/core.oam.dev/v1beta1/application_types.go
@@ -29,18 +29,6 @@ import (
 	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
 )

-const (
-	// TypeHealthy application are believed to be determined as healthy by a health scope.
-	TypeHealthy condition.ConditionType = "Healthy"
-)
-
-// Reasons an application is or is not healthy
-const (
-	ReasonHealthy        condition.ConditionReason = "AllComponentsHealthy"
-	ReasonUnhealthy      condition.ConditionReason = "UnhealthyOrUnknownComponents"
-	ReasonHealthCheckErr condition.ConditionReason = "HealthCheckeError"
-)
-
 // AppPolicy defines a global policy for all components in the app.
 type AppPolicy struct {
 	// Name is the unique name of the policy.
@@ -74,8 +62,6 @@ type ApplicationSpec struct {
 	// - will have a context in annotation.
 	// - should mark "finish" phase in status.conditions.
 	Workflow *Workflow `json:"workflow,omitempty"`
-
-	// TODO(wonderflow): we should have application level scopes supported here
 }

 // +kubebuilder:object:root=true
--- a/apis/core.oam.dev/v1beta1/applicationrevision_types.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types.go
@@ -53,18 +53,12 @@ type ApplicationRevisionCompressibleFields struct {
 	// TraitDefinitions records the snapshot of the traitDefinitions related with the created/modified Application
 	TraitDefinitions map[string]*TraitDefinition `json:"traitDefinitions,omitempty"`

-	// ScopeDefinitions records the snapshot of the scopeDefinitions related with the created/modified Application
-	ScopeDefinitions map[string]ScopeDefinition `json:"scopeDefinitions,omitempty"`
-
 	// PolicyDefinitions records the snapshot of the PolicyDefinitions related with the created/modified Application
 	PolicyDefinitions map[string]PolicyDefinition `json:"policyDefinitions,omitempty"`

 	// WorkflowStepDefinitions records the snapshot of the WorkflowStepDefinitions related with the created/modified Application
 	WorkflowStepDefinitions map[string]*WorkflowStepDefinition `json:"workflowStepDefinitions,omitempty"`

-	// ScopeGVK records the apiVersion to GVK mapping
-	ScopeGVK map[string]metav1.GroupVersionKind `json:"scopeGVK,omitempty"`
-
 	// Policies records the external policies
 	Policies map[string]v1alpha1.Policy `json:"policies,omitempty"`

--- a/apis/core.oam.dev/v1beta1/applicationrevision_types_test.go
+++ b/apis/core.oam.dev/v1beta1/applicationrevision_types_test.go
@@ -38,8 +38,6 @@ func TestApplicationRevisionCompression(t *testing.T) {
 	spec.WorkloadDefinitions["def"] = WorkloadDefinition{Spec: WorkloadDefinitionSpec{Reference: common.DefinitionReference{Name: "testdef"}}}
 	spec.TraitDefinitions = make(map[string]*TraitDefinition)
 	spec.TraitDefinitions["def"] = &TraitDefinition{Spec: TraitDefinitionSpec{ControlPlaneOnly: true}}
-	spec.ScopeDefinitions = make(map[string]ScopeDefinition)
-	spec.ScopeDefinitions["def"] = ScopeDefinition{Spec: ScopeDefinitionSpec{AllowComponentOverlap: true}}
 	spec.PolicyDefinitions = make(map[string]PolicyDefinition)
 	spec.PolicyDefinitions["def"] = PolicyDefinition{Spec: PolicyDefinitionSpec{ManageHealthCheck: true}}
 	spec.WorkflowStepDefinitions = make(map[string]*WorkflowStepDefinition)
--- a/apis/core.oam.dev/v1beta1/componentdefinition_types.go
+++ b/apis/core.oam.dev/v1beta1/componentdefinition_types.go
@@ -27,6 +27,9 @@ import (

 // ComponentDefinitionSpec defines the desired state of ComponentDefinition
 type ComponentDefinitionSpec struct {
+	// +optional
+	Version string `json:"version,omitempty"`
+
 	// Workload is a workload type descriptor
 	Workload common.WorkloadTypeDescriptor `json:"workload"`

--- a/apis/core.oam.dev/v1beta1/core_types.go
+++ b/apis/core.oam.dev/v1beta1/core_types.go
@@ -164,6 +164,9 @@ type TraitDefinitionSpec struct {
 	// pre-process and post-process respectively.
 	// +optional
 	Stage StageType `json:"stage,omitempty"`
+
+	// +optional
+	Version string `json:"version,omitempty"`
 }

 // StageType describes how the manifests should be dispatched.
@@ -232,49 +235,3 @@ type TraitDefinitionList struct {
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []TraitDefinition `json:"items"`
 }
-
-// A ScopeDefinitionSpec defines the desired state of a ScopeDefinition.
-type ScopeDefinitionSpec struct {
-	// Reference to the CustomResourceDefinition that defines this scope kind.
-	Reference common.DefinitionReference `json:"definitionRef"`
-
-	// WorkloadRefsPath indicates if/where a scope accepts workloadRef objects
-	WorkloadRefsPath string `json:"workloadRefsPath,omitempty"`
-
-	// AllowComponentOverlap specifies whether an OAM component may exist in
-	// multiple instances of this kind of scope.
-	AllowComponentOverlap bool `json:"allowComponentOverlap"`
-
-	// Extension is used for extension needs by OAM platform builders
-	// +optional
-	// +kubebuilder:pruning:PreserveUnknownFields
-	Extension *runtime.RawExtension `json:"extension,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// A ScopeDefinition registers a kind of Kubernetes custom resource as a valid
-// OAM scope kind by referencing its CustomResourceDefinition. The CRD is used
-// to validate the schema of the scope when it is embedded in an OAM
-// ApplicationConfiguration.
-// +kubebuilder:printcolumn:JSONPath=".spec.definitionRef.name",name=DEFINITION-NAME,type=string
-// +kubebuilder:resource:scope=Namespaced,categories={oam},shortName=scope
-// +kubebuilder:storageversion
-// +genclient
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-type ScopeDefinition struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec ScopeDefinitionSpec `json:"spec,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// ScopeDefinitionList contains a list of ScopeDefinition.
-type ScopeDefinitionList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ScopeDefinition `json:"items"`
-}
--- a/apis/core.oam.dev/v1beta1/policy_definition.go
+++ b/apis/core.oam.dev/v1beta1/policy_definition.go
@@ -37,6 +37,9 @@ type PolicyDefinitionSpec struct {
 	// ManageHealthCheck means the policy will handle health checking and skip application controller
 	// built-in health checking.
 	ManageHealthCheck bool `json:"manageHealthCheck,omitempty"`
+
+	//+optional
+	Version string `json:"version,omitempty"`
 }

 // PolicyDefinitionStatus is the status of PolicyDefinition
--- a/apis/core.oam.dev/v1beta1/register.go
+++ b/apis/core.oam.dev/v1beta1/register.go
@@ -49,6 +49,7 @@ var (
 	ComponentDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: ComponentDefinitionKind}.String()
 	ComponentDefinitionKindAPIVersion   = ComponentDefinitionKind + "." + SchemeGroupVersion.String()
 	ComponentDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(ComponentDefinitionKind)
+	ComponentDefinitionGVR              = SchemeGroupVersion.WithResource("componentdefinitions")
 )

 // WorkloadDefinition type metadata.
@@ -65,6 +66,7 @@ var (
 	TraitDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: TraitDefinitionKind}.String()
 	TraitDefinitionKindAPIVersion   = TraitDefinitionKind + "." + SchemeGroupVersion.String()
 	TraitDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(TraitDefinitionKind)
+	TraitDefinitionGVR              = SchemeGroupVersion.WithResource("traitdefinitions")
 )

 // PolicyDefinition type metadata.
@@ -73,6 +75,7 @@ var (
 	PolicyDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: PolicyDefinitionKind}.String()
 	PolicyDefinitionKindAPIVersion   = PolicyDefinitionKind + "." + SchemeGroupVersion.String()
 	PolicyDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(PolicyDefinitionKind)
+	PolicyDefinitionGVR              = SchemeGroupVersion.WithResource("policydefinitions")
 )

 // WorkflowStepDefinition type metadata.
@@ -81,6 +84,7 @@ var (
 	WorkflowStepDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: WorkflowStepDefinitionKind}.String()
 	WorkflowStepDefinitionKindAPIVersion   = WorkflowStepDefinitionKind + "." + SchemeGroupVersion.String()
 	WorkflowStepDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(WorkflowStepDefinitionKind)
+	WorkflowStepDefinitionGVR              = SchemeGroupVersion.WithResource("workflowstepdefinitions")
 )

 // DefinitionRevision type metadata.
@@ -107,14 +111,6 @@ var (
 	ApplicationRevisionGroupVersionKind = SchemeGroupVersion.WithKind(ApplicationRevisionKind)
 )

-// ScopeDefinition type metadata.
-var (
-	ScopeDefinitionKind             = reflect.TypeOf(ScopeDefinition{}).Name()
-	ScopeDefinitionGroupKind        = schema.GroupKind{Group: Group, Kind: ScopeDefinitionKind}.String()
-	ScopeDefinitionKindAPIVersion   = ScopeDefinitionKind + "." + SchemeGroupVersion.String()
-	ScopeDefinitionGroupVersionKind = SchemeGroupVersion.WithKind(ScopeDefinitionKind)
-)
-
 // ResourceTracker type metadata.
 var (
 	ResourceTrackerKind            = reflect.TypeOf(ResourceTracker{}).Name()
@@ -123,6 +119,20 @@ var (
 	ResourceTrackerKindVersionKind = SchemeGroupVersion.WithKind(ResourceTrackerKind)
 )

+// DefinitionTypeInfo contains the mapping information for a definition type
+type DefinitionTypeInfo struct {
+	GVR  schema.GroupVersionResource
+	Kind string
+}
+
+// DefinitionTypeMap maps definition types to their corresponding GVR and Kind
+var DefinitionTypeMap = map[reflect.Type]DefinitionTypeInfo{
+	reflect.TypeOf(ComponentDefinition{}):    {GVR: ComponentDefinitionGVR, Kind: ComponentDefinitionKind},
+	reflect.TypeOf(TraitDefinition{}):        {GVR: TraitDefinitionGVR, Kind: TraitDefinitionKind},
+	reflect.TypeOf(PolicyDefinition{}):       {GVR: PolicyDefinitionGVR, Kind: PolicyDefinitionKind},
+	reflect.TypeOf(WorkflowStepDefinition{}): {GVR: WorkflowStepDefinitionGVR, Kind: WorkflowStepDefinitionKind},
+}
+
 func init() {
 	SchemeBuilder.Register(&ComponentDefinition{}, &ComponentDefinitionList{})
 	SchemeBuilder.Register(&WorkloadDefinition{}, &WorkloadDefinitionList{})
@@ -130,7 +140,6 @@ func init() {
 	SchemeBuilder.Register(&PolicyDefinition{}, &PolicyDefinitionList{})
 	SchemeBuilder.Register(&WorkflowStepDefinition{}, &WorkflowStepDefinitionList{})
 	SchemeBuilder.Register(&DefinitionRevision{}, &DefinitionRevisionList{})
-	SchemeBuilder.Register(&ScopeDefinition{}, &ScopeDefinitionList{})
 	SchemeBuilder.Register(&Application{}, &ApplicationList{})
 	SchemeBuilder.Register(&ApplicationRevision{}, &ApplicationRevisionList{})
 	SchemeBuilder.Register(&ResourceTracker{}, &ResourceTrackerList{})
--- a/apis/core.oam.dev/v1beta1/register_test.go
+++ b/apis/core.oam.dev/v1beta1/register_test.go
@@ -0,0 +1,117 @@
+/*
+Copyright 2025 The KubeVela Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func TestDefinitionTypeMap(t *testing.T) {
+	tests := []struct {
+		name         string
+		defType      reflect.Type
+		expectedGVR  schema.GroupVersionResource
+		expectedKind string
+	}{
+		{
+			name:         "ComponentDefinition",
+			defType:      reflect.TypeOf(ComponentDefinition{}),
+			expectedGVR:  ComponentDefinitionGVR,
+			expectedKind: ComponentDefinitionKind,
+		},
+		{
+			name:         "TraitDefinition",
+			defType:      reflect.TypeOf(TraitDefinition{}),
+			expectedGVR:  TraitDefinitionGVR,
+			expectedKind: TraitDefinitionKind,
+		},
+		{
+			name:         "PolicyDefinition",
+			defType:      reflect.TypeOf(PolicyDefinition{}),
+			expectedGVR:  PolicyDefinitionGVR,
+			expectedKind: PolicyDefinitionKind,
+		},
+		{
+			name:         "WorkflowStepDefinition",
+			defType:      reflect.TypeOf(WorkflowStepDefinition{}),
+			expectedGVR:  WorkflowStepDefinitionGVR,
+			expectedKind: WorkflowStepDefinitionKind,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			info, ok := DefinitionTypeMap[tt.defType]
+			assert.Truef(t, ok, "Type %v should exist in DefinitionTypeMap", tt.defType)
+			assert.Equal(t, tt.expectedGVR, info.GVR)
+			assert.Equal(t, tt.expectedKind, info.Kind)
+
+			// Verify GVR follows Kubernetes conventions
+			assert.Equal(t, Group, info.GVR.Group)
+			assert.Equal(t, Version, info.GVR.Version)
+			// Resource should be lowercase plural of Kind
+			assert.Equal(t, strings.ToLower(info.Kind)+"s", info.GVR.Resource)
+		})
+	}
+}
+
+func TestDefinitionTypeMapCompleteness(t *testing.T) {
+	// Ensure all expected definition types are in the map
+	expectedTypes := []reflect.Type{
+		reflect.TypeOf(ComponentDefinition{}),
+		reflect.TypeOf(TraitDefinition{}),
+		reflect.TypeOf(PolicyDefinition{}),
+		reflect.TypeOf(WorkflowStepDefinition{}),
+	}
+
+	assert.Equal(t, len(expectedTypes), len(DefinitionTypeMap), "DefinitionTypeMap should contain exactly %d entries", len(expectedTypes))
+
+	for _, expectedType := range expectedTypes {
+		_, ok := DefinitionTypeMap[expectedType]
+		assert.Truef(t, ok, "DefinitionTypeMap should contain %v", expectedType)
+	}
+}
+
+func TestDefinitionKindValues(t *testing.T) {
+	// Verify that the Kind values match the actual type names
+	tests := []struct {
+		defType      interface{}
+		expectedKind string
+	}{
+		{ComponentDefinition{}, "ComponentDefinition"},
+		{TraitDefinition{}, "TraitDefinition"},
+		{PolicyDefinition{}, "PolicyDefinition"},
+		{WorkflowStepDefinition{}, "WorkflowStepDefinition"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.expectedKind, func(t *testing.T) {
+			actualKind := reflect.TypeOf(tt.defType).Name()
+			assert.Equal(t, tt.expectedKind, actualKind)
+
+			// Also verify it matches what's in the map
+			info, ok := DefinitionTypeMap[reflect.TypeOf(tt.defType)]
+			assert.True(t, ok)
+			assert.Equal(t, tt.expectedKind, info.Kind)
+		})
+	}
+}
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types.go
@@ -32,7 +32,6 @@ import (
 	"github.com/kubevela/pkg/util/compression"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
-	"github.com/oam-dev/kubevela/apis/interfaces"
 	velatypes "github.com/oam-dev/kubevela/apis/types"
 	"github.com/oam-dev/kubevela/pkg/oam"
 	velaerr "github.com/oam-dev/kubevela/pkg/utils/errors"
@@ -53,8 +52,7 @@ type ResourceTracker struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

-	Spec   ResourceTrackerSpec   `json:"spec,omitempty"`
-	Status ResourceTrackerStatus `json:"status,omitempty"`
+	Spec ResourceTrackerSpec `json:"spec,omitempty"`
 }

 // ResourceTrackerType defines the type of resourceTracker
@@ -140,7 +138,7 @@ type ManagedResource struct {
 }

 // Equal check if two managed resource equals
-func (in ManagedResource) Equal(r ManagedResource) bool {
+func (in *ManagedResource) Equal(r ManagedResource) bool {
 	if !in.ClusterObjectReference.Equal(r.ClusterObjectReference) {
 		return false
 	}
@@ -151,7 +149,7 @@ func (in ManagedResource) Equal(r ManagedResource) bool {
 }

 // DisplayName readable name for locating resource
-func (in ManagedResource) DisplayName() string {
+func (in *ManagedResource) DisplayName() string {
 	s := in.Kind + " " + in.Name
 	if in.Namespace != "" || in.Cluster != "" {
 		s += " ("
@@ -170,12 +168,12 @@ func (in ManagedResource) DisplayName() string {
 }

 // NamespacedName namespacedName
-func (in ManagedResource) NamespacedName() types.NamespacedName {
+func (in *ManagedResource) NamespacedName() types.NamespacedName {
 	return types.NamespacedName{Namespace: in.Namespace, Name: in.Name}
 }

 // ResourceKey computes the key for managed resource, resources with the same key points to the same resource
-func (in ManagedResource) ResourceKey() string {
+func (in *ManagedResource) ResourceKey() string {
 	group := in.GroupVersionKind().Group
 	kind := in.GroupVersionKind().Kind
 	cluster := in.Cluster
@@ -186,12 +184,12 @@ func (in ManagedResource) ResourceKey() string {
 }

 // ComponentKey computes the key for the component which managed resource belongs to
-func (in ManagedResource) ComponentKey() string {
-	return strings.Join([]string{in.Env, in.Component}, "/")
+func (in *ManagedResource) ComponentKey() string {
+	return strings.Join([]string{in.Cluster, in.Component}, "/")
 }

 // UnmarshalTo unmarshal ManagedResource into target object
-func (in ManagedResource) UnmarshalTo(obj interface{}) error {
+func (in *ManagedResource) UnmarshalTo(obj interface{}) error {
 	if in.Data == nil || in.Data.Raw == nil {
 		return velaerr.ManagedResourceHasNoDataError{}
 	}
@@ -199,7 +197,7 @@ func (in ManagedResource) UnmarshalTo(obj interface{}) error {
 }

 // ToUnstructured converts managed resource into unstructured
-func (in ManagedResource) ToUnstructured() *unstructured.Unstructured {
+func (in *ManagedResource) ToUnstructured() *unstructured.Unstructured {
 	obj := &unstructured.Unstructured{}
 	obj.SetGroupVersionKind(in.GroupVersionKind())
 	obj.SetName(in.Name)
@@ -211,7 +209,7 @@ func (in ManagedResource) ToUnstructured() *unstructured.Unstructured {
 }

 // ToUnstructuredWithData converts managed resource into unstructured and unmarshal data
-func (in ManagedResource) ToUnstructuredWithData() (*unstructured.Unstructured, error) {
+func (in *ManagedResource) ToUnstructuredWithData() (*unstructured.Unstructured, error) {
 	obj := in.ToUnstructured()
 	if err := in.UnmarshalTo(obj); err != nil {
 		if errors.Is(err, velaerr.ManagedResourceHasNoDataError{}) {
@@ -221,13 +219,6 @@ func (in ManagedResource) ToUnstructuredWithData() (*unstructured.Unstructured,
 	return obj, nil
 }

-// ResourceTrackerStatus define the status of resourceTracker
-// For backward-compatibility
-type ResourceTrackerStatus struct {
-	// Deprecated
-	TrackedResources []common.ClusterObjectReference `json:"trackedResources,omitempty"`
-}
-
 // +kubebuilder:object:root=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

@@ -325,29 +316,3 @@ func (in *ResourceTracker) DeleteManagedResource(rsc client.Object, remove bool)
 	}
 	return true
 }
-
-// addClusterObjectReference
-// Deprecated
-func (in *ResourceTracker) addClusterObjectReference(ref common.ClusterObjectReference) bool {
-	for _, _rsc := range in.Status.TrackedResources {
-		if _rsc.Equal(ref) {
-			return true
-		}
-	}
-	in.Status.TrackedResources = append(in.Status.TrackedResources, ref)
-	return false
-}
-
-// AddTrackedResource add new object reference into tracked resources, return if already exists
-// Deprecated
-func (in *ResourceTracker) AddTrackedResource(rsc interfaces.TrackableResource) bool {
-	return in.addClusterObjectReference(common.ClusterObjectReference{
-		ObjectReference: corev1.ObjectReference{
-			APIVersion: rsc.GetAPIVersion(),
-			Kind:       rsc.GetKind(),
-			Name:       rsc.GetName(),
-			Namespace:  rsc.GetNamespace(),
-			UID:        rsc.GetUID(),
-		},
-	})
-}
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
@@ -31,7 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/pkg/oam"
@@ -124,17 +124,16 @@ func TestManagedResourceKeys(t *testing.T) {
 			},
 		},
 		OAMObjectReference: common.OAMObjectReference{
-			Env:       "env",
 			Component: "component",
 			Trait:     "trait",
 		},
 	}
 	r.Equal("namespace/name", input.NamespacedName().String())
 	r.Equal("apps/Deployment/cluster/namespace/name", input.ResourceKey())
-	r.Equal("env/component", input.ComponentKey())
+	r.Equal("cluster/component", input.ComponentKey())
 	r.Equal("Deployment name (Cluster: cluster, Namespace: namespace)", input.DisplayName())
 	var deploy1, deploy2 appsv1.Deployment
-	deploy1.Spec.Replicas = pointer.Int32(5)
+	deploy1.Spec.Replicas = ptr.To(int32(5))
 	bs, err := json.Marshal(deploy1)
 	r.NoError(err)
 	r.ErrorIs(input.UnmarshalTo(&deploy2), errors.ManagedResourceHasNoDataError{})
@@ -169,7 +168,7 @@ func TestResourceTracker_ManagedResource(t *testing.T) {
 	pod3 := corev1.Pod{ObjectMeta: metav1.ObjectMeta{Name: "pod3"}}
 	input.AddManagedResource(&pod3, false, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
-	deploy1.Spec.Replicas = pointer.Int32(5)
+	deploy1.Spec.Replicas = ptr.To(int32(5))
 	input.AddManagedResource(&deploy1, false, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
 	input.DeleteManagedResource(&cm2, false)
@@ -204,7 +203,7 @@ func TestResourceTrackerCompression(t *testing.T) {
 		"../../../charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml",
 		"../../../charts/vela-core/templates/kubevela-controller.yaml",
 		"../../../charts/vela-core/README.md",
-		"../../../pkg/velaql/providers/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
+		"../../../pkg/workflow/providers/legacy/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
 	}
 	for _, p := range paths {
 		b, err := os.ReadFile(p)
--- a/apis/core.oam.dev/v1beta1/workflow_step_definition.go
+++ b/apis/core.oam.dev/v1beta1/workflow_step_definition.go
@@ -33,6 +33,9 @@ type WorkflowStepDefinitionSpec struct {
 	// Only CUE schematic is supported for now.
 	// +optional
 	Schematic *common.Schematic `json:"schematic,omitempty"`
+
+	// +optional
+	Version string `json:"version,omitempty"`
 }

 // WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
--- a/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
@@ -23,7 +22,6 @@ package v1beta1

 import (
 	"github.com/kubevela/workflow/api/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
@@ -148,7 +146,8 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(ComponentDefinition)
 				(*in).DeepCopyInto(*out)
 			}
@@ -170,20 +169,14 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(TraitDefinition)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
-	if in.ScopeDefinitions != nil {
-		in, out := &in.ScopeDefinitions, &out.ScopeDefinitions
-		*out = make(map[string]ScopeDefinition, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
 	if in.PolicyDefinitions != nil {
 		in, out := &in.PolicyDefinitions, &out.PolicyDefinitions
 		*out = make(map[string]PolicyDefinition, len(*in))
@@ -199,20 +192,14 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(WorkflowStepDefinition)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
-	if in.ScopeGVK != nil {
-		in, out := &in.ScopeGVK, &out.ScopeGVK
-		*out = make(map[string]v1.GroupVersionKind, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
 	if in.Policies != nil {
 		in, out := &in.Policies, &out.Policies
 		*out = make(map[string]core_oam_devv1alpha1.Policy, len(*in))
@@ -565,6 +552,22 @@ func (in *DefinitionRevisionSpec) DeepCopy() *DefinitionRevisionSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DefinitionTypeInfo) DeepCopyInto(out *DefinitionTypeInfo) {
+	*out = *in
+	out.GVR = in.GVR
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefinitionTypeInfo.
+func (in *DefinitionTypeInfo) DeepCopy() *DefinitionTypeInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(DefinitionTypeInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ManagedResource) DeepCopyInto(out *ManagedResource) {
 	*out = *in
@@ -694,7 +697,6 @@ func (in *ResourceTracker) DeepCopyInto(out *ResourceTracker) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceTracker.
@@ -786,105 +788,6 @@ func (in *ResourceTrackerSpec) DeepCopy() *ResourceTrackerSpec {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ResourceTrackerStatus) DeepCopyInto(out *ResourceTrackerStatus) {
-	*out = *in
-	if in.TrackedResources != nil {
-		in, out := &in.TrackedResources, &out.TrackedResources
-		*out = make([]common.ClusterObjectReference, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceTrackerStatus.
-func (in *ResourceTrackerStatus) DeepCopy() *ResourceTrackerStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(ResourceTrackerStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ScopeDefinition) DeepCopyInto(out *ScopeDefinition) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopeDefinition.
-func (in *ScopeDefinition) DeepCopy() *ScopeDefinition {
-	if in == nil {
-		return nil
-	}
-	out := new(ScopeDefinition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ScopeDefinition) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ScopeDefinitionList) DeepCopyInto(out *ScopeDefinitionList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]ScopeDefinition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopeDefinitionList.
-func (in *ScopeDefinitionList) DeepCopy() *ScopeDefinitionList {
-	if in == nil {
-		return nil
-	}
-	out := new(ScopeDefinitionList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ScopeDefinitionList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ScopeDefinitionSpec) DeepCopyInto(out *ScopeDefinitionSpec) {
-	*out = *in
-	out.Reference = in.Reference
-	if in.Extension != nil {
-		in, out := &in.Extension, &out.Extension
-		*out = new(runtime.RawExtension)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopeDefinitionSpec.
-func (in *ScopeDefinitionSpec) DeepCopy() *ScopeDefinitionSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(ScopeDefinitionSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TraitDefinition) DeepCopyInto(out *TraitDefinition) {
 	*out = *in
--- a/apis/interfaces/resourcetracker.go
+++ b/apis/interfaces/resourcetracker.go
@@ -1,35 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package interfaces
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-)
-
-// ObjectOwner is the interface for get and set ownerReference
-type ObjectOwner interface {
-	GetOwnerReferences() []metav1.OwnerReference
-	SetOwnerReferences([]metav1.OwnerReference)
-}
-
-// TrackableResource is the interface for resources to be tracked by resourcetracker
-type TrackableResource interface {
-	client.Object
-	metav1.Type
-	ObjectOwner
-}
--- a/apis/standard.oam.dev/v1alpha1/groupversion_info.go
+++ b/apis/standard.oam.dev/v1alpha1/groupversion_info.go
@@ -1,43 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package v1alpha1 contains API Schema definitions for the standard v1alpha1 API group
-// +kubebuilder:object:generate=true
-// +groupName=standard.oam.dev
-package v1alpha1
-
-import (
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"sigs.k8s.io/controller-runtime/pkg/scheme"
-)
-
-const (
-	// GroupName of the CRDs
-	GroupName = "standard.oam.dev"
-	// Version of the group of CRDs
-	Version = "v1alpha1"
-)
-
-var (
-	// SchemeGroupVersion is group version used to register these objects
-	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: Version}
-
-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
-	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
-
-	// AddToScheme adds the types in this group-version to the given scheme.
-	AddToScheme = SchemeBuilder.AddToScheme
-)
--- a/apis/standard.oam.dev/v1alpha1/register.go
+++ b/apis/standard.oam.dev/v1alpha1/register.go
@@ -1,35 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"reflect"
-
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-// Rollout type metadata
-var (
-	RolloutKind            = reflect.TypeOf(Rollout{}).Name()
-	RolloutGroupKind       = schema.GroupKind{Group: GroupName, Kind: RolloutKind}.String()
-	RolloutKindAPIVersion  = RolloutKind + "." + SchemeGroupVersion.String()
-	RolloutKindVersionKind = SchemeGroupVersion.WithKind(RolloutKind)
-)
-
-func init() {
-	SchemeBuilder.Register(&Rollout{}, &RolloutList{})
-}
--- a/apis/standard.oam.dev/v1alpha1/rollout_plan_types.go
+++ b/apis/standard.oam.dev/v1alpha1/rollout_plan_types.go
@@ -1,285 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/util/intstr"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
-)
-
-// RolloutStrategyType defines strategies for pods rollout
-type RolloutStrategyType string
-
-const (
-	// IncreaseFirstRolloutStrategyType indicates that we increase the target resources first
-	IncreaseFirstRolloutStrategyType RolloutStrategyType = "IncreaseFirst"
-
-	// DecreaseFirstRolloutStrategyType indicates that we decrease the source resources first
-	DecreaseFirstRolloutStrategyType RolloutStrategyType = "DecreaseFirst"
-)
-
-// HookType can be pre, post or during rollout
-type HookType string
-
-const (
-	// InitializeRolloutHook execute webhook during the rollout initializing phase
-	InitializeRolloutHook HookType = "initialize-rollout"
-	// PreBatchRolloutHook execute webhook before each batch rollout
-	PreBatchRolloutHook HookType = "pre-batch-rollout"
-	// PostBatchRolloutHook execute webhook after each batch rollout
-	PostBatchRolloutHook HookType = "post-batch-rollout"
-	// FinalizeRolloutHook execute the webhook during the rollout finalizing phase
-	FinalizeRolloutHook HookType = "finalize-rollout"
-)
-
-// RollingState is the overall rollout state
-type RollingState string
-
-const (
-	// LocatingTargetAppState indicates that the rollout is in the stage of locating target app
-	// we use this state to make sure we special handle the target app successfully only once
-	LocatingTargetAppState RollingState = "locatingTargetApp"
-	// VerifyingSpecState indicates that the rollout is in the stage of verifying the rollout settings
-	// and the controller can locate both the target and the source
-	VerifyingSpecState RollingState = "verifyingSpec"
-	// InitializingState indicates that the rollout is initializing all the new resources
-	InitializingState RollingState = "initializing"
-	// RollingInBatchesState indicates that the rollout starts rolling
-	RollingInBatchesState RollingState = "rollingInBatches"
-	// FinalisingState indicates that the rollout is finalizing, possibly clean up the old resources, adjust traffic
-	FinalisingState RollingState = "finalising"
-	// RolloutFailingState indicates that the rollout is failing
-	// one needs to finalize it before mark it as failed by cleaning up the old resources, adjust traffic
-	RolloutFailingState RollingState = "rolloutFailing"
-	// RolloutSucceedState indicates that rollout successfully completed to match the desired target state
-	RolloutSucceedState RollingState = "rolloutSucceed"
-	// RolloutAbandoningState indicates that the rollout is being abandoned
-	// we need to finalize it by cleaning up the old resources, adjust traffic and return control back to its owner
-	RolloutAbandoningState RollingState = "rolloutAbandoning"
-	// RolloutDeletingState indicates that the rollout is being deleted
-	// we need to finalize it by cleaning up the old resources, adjust traffic and return control back to its owner
-	RolloutDeletingState RollingState = "RolloutDeletingState"
-	// RolloutFailedState indicates that rollout is failed, the target replica is not reached
-	// we can not move forward anymore, we will let the client to decide when or whether to revert.
-	RolloutFailedState RollingState = "rolloutFailed"
-)
-
-// BatchRollingState is the sub state when the rollout is on the fly
-type BatchRollingState string
-
-const (
-	// BatchInitializingState still rolling the batch, the batch rolling is not completed yet
-	BatchInitializingState BatchRollingState = "batchInitializing"
-	// BatchInRollingState still rolling the batch, the batch rolling is not completed yet
-	BatchInRollingState BatchRollingState = "batchInRolling"
-	// BatchVerifyingState verifying if the application is ready to roll.
-	BatchVerifyingState BatchRollingState = "batchVerifying"
-	// BatchRolloutFailedState indicates that the batch didn't get the manual or automatic approval
-	BatchRolloutFailedState BatchRollingState = "batchVerifyFailed"
-	// BatchFinalizingState indicates that all the pods in the are available, we can move on to the next batch
-	BatchFinalizingState BatchRollingState = "batchFinalizing"
-	// BatchReadyState indicates that all the pods in the are upgraded and its state is ready
-	BatchReadyState BatchRollingState = "batchReady"
-)
-
-// RolloutPlan fines the details of the rollout plan
-type RolloutPlan struct {
-
-	// RolloutStrategy defines strategies for the rollout plan
-	// The default is IncreaseFirstRolloutStrategyType
-	// +optional
-	RolloutStrategy RolloutStrategyType `json:"rolloutStrategy,omitempty"`
-
-	// The size of the target resource. The default is the same
-	// as the size of the source resource.
-	// +optional
-	TargetSize *int32 `json:"targetSize,omitempty"`
-
-	// The number of batches, default = 1
-	// +optional
-	NumBatches *int32 `json:"numBatches,omitempty"`
-
-	// The exact distribution among batches.
-	// its size has to be exactly the same as the NumBatches (if set)
-	// The total number cannot exceed the targetSize or the size of the source resource
-	// We will IGNORE the last batch's replica field if it's a percentage since round errors can lead to inaccurate sum
-	// We highly recommend to leave the last batch's replica field empty
-	// +optional
-	RolloutBatches []RolloutBatch `json:"rolloutBatches,omitempty"`
-
-	// All pods in the batches up to the batchPartition (included) will have
-	// the target resource specification while the rest still have the source resource
-	// This is designed for the operators to manually rollout
-	// Default is the the number of batches which will rollout all the batches
-	// +optional
-	BatchPartition *int32 `json:"batchPartition,omitempty"`
-
-	// Paused the rollout, default is false
-	// +optional
-	Paused bool `json:"paused,omitempty"`
-
-	// RolloutWebhooks provide a way for the rollout to interact with an external process
-	// +optional
-	RolloutWebhooks []RolloutWebhook `json:"rolloutWebhooks,omitempty"`
-
-	// CanaryMetric provides a way for the rollout process to automatically check certain metrics
-	// before complete the process
-	// +optional
-	CanaryMetric []CanaryMetric `json:"canaryMetric,omitempty"`
-}
-
-// RolloutBatch is used to describe how the each batch rollout should be
-type RolloutBatch struct {
-	// Replicas is the number of pods to upgrade in this batch
-	// it can be an absolute number (ex: 5) or a percentage of total pods
-	// we will ignore the percentage of the last batch to just fill the gap
-	// +optional
-	// it is mutually exclusive with the PodList field
-	Replicas intstr.IntOrString `json:"replicas,omitempty"`
-
-	// The list of Pods to get upgraded
-	// +optional
-	// it is mutually exclusive with the Replicas field
-	PodList []string `json:"podList,omitempty"`
-
-	// MaxUnavailable is the max allowed number of pods that is unavailable
-	// during the upgrade. We will mark the batch as ready as long as there are less
-	// or equal number of pods unavailable than this number.
-	// default = 0
-	// +optional
-	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-
-	// The wait time, in seconds, between instances upgrades, default = 0
-	// +optional
-	InstanceInterval *int32 `json:"instanceInterval,omitempty"`
-
-	// RolloutWebhooks provides a way for the batch rollout to interact with an external process
-	// +optional
-	BatchRolloutWebhooks []RolloutWebhook `json:"batchRolloutWebhooks,omitempty"`
-
-	// CanaryMetric provides a way for the batch rollout process to automatically check certain metrics
-	// before moving to the next batch
-	// +optional
-	CanaryMetric []CanaryMetric `json:"canaryMetric,omitempty"`
-}
-
-// RolloutWebhook holds the reference to external checks used for canary analysis
-type RolloutWebhook struct {
-	// Type of this webhook
-	Type HookType `json:"type"`
-
-	// Name of this webhook
-	Name string `json:"name"`
-
-	// URL address of this webhook
-	URL string `json:"url"`
-
-	// Method the HTTP call method, default is POST
-	Method string `json:"method,omitempty"`
-
-	// ExpectedStatus contains all the expected http status code that we will accept as success
-	ExpectedStatus []int `json:"expectedStatus,omitempty"`
-
-	// Metadata (key-value pairs) for this webhook
-	// +optional
-	Metadata *map[string]string `json:"metadata,omitempty"`
-}
-
-// RolloutWebhookPayload holds the info and metadata sent to webhooks
-type RolloutWebhookPayload struct {
-	// Name of the upgrading resource
-	Name string `json:"name"`
-
-	// Namespace of the upgrading resource
-	Namespace string `json:"namespace"`
-
-	// Phase of the rollout
-	Phase string `json:"phase"`
-
-	// Metadata (key-value pairs) are the extra data send to this webhook
-	Metadata map[string]string `json:"metadata,omitempty"`
-}
-
-// CanaryMetric holds the reference to metrics used for canary analysis
-type CanaryMetric struct {
-	// Name of the metric
-	Name string `json:"name"`
-
-	// Interval represents the windows size
-	Interval string `json:"interval,omitempty"`
-
-	// Range value accepted for this metric
-	// +optional
-	MetricsRange *MetricsExpectedRange `json:"metricsRange,omitempty"`
-
-	// TemplateRef references a metric template object
-	// +optional
-	TemplateRef *corev1.ObjectReference `json:"templateRef,omitempty"`
-}
-
-// MetricsExpectedRange defines the range used for metrics validation
-type MetricsExpectedRange struct {
-	// Minimum value
-	// +optional
-	Min *intstr.IntOrString `json:"min,omitempty"`
-
-	// Maximum value
-	// +optional
-	Max *intstr.IntOrString `json:"max,omitempty"`
-}
-
-// RolloutStatus defines the observed state of a rollout plan
-type RolloutStatus struct {
-	// Conditions represents the latest available observations of a CloneSet's current state.
-	condition.ConditionedStatus `json:",inline"`
-
-	// RolloutTargetSize is the size of the target resources. This is determined once the initial spec verification
-	// and does not change until the rollout is restarted
-	RolloutOriginalSize int32 `json:"rolloutOriginalSize,omitempty"`
-
-	// RolloutTargetSize is the size of the target resources. This is determined once the initial spec verification
-	// and does not change until the rollout is restarted
-	RolloutTargetSize int32 `json:"rolloutTargetSize,omitempty"`
-
-	// NewPodTemplateIdentifier is a string that uniquely represent the new pod template
-	// each workload type could use different ways to identify that so we cannot compare between resources
-	NewPodTemplateIdentifier string `json:"targetGeneration,omitempty"`
-
-	// lastAppliedPodTemplateIdentifier is a string that uniquely represent the last pod template
-	// each workload type could use different ways to identify that so we cannot compare between resources
-	// We update this field only after a successful rollout
-	LastAppliedPodTemplateIdentifier string `json:"lastAppliedPodTemplateIdentifier,omitempty"`
-
-	// RollingState is the Rollout State
-	RollingState RollingState `json:"rollingState"`
-
-	// BatchRollingState only meaningful when the Status is rolling
-	// +optional
-	BatchRollingState BatchRollingState `json:"batchRollingState"`
-
-	// The current batch the rollout is working on/blocked
-	// it starts from 0
-	CurrentBatch int32 `json:"currentBatch"`
-
-	// UpgradedReplicas is the number of Pods upgraded by the rollout controller
-	UpgradedReplicas int32 `json:"upgradedReplicas"`
-
-	// UpgradedReadyReplicas is the number of Pods upgraded by the rollout controller that have a Ready Condition.
-	UpgradedReadyReplicas int32 `json:"upgradedReadyReplicas"`
-}
--- a/apis/standard.oam.dev/v1alpha1/rollout_state.go
+++ b/apis/standard.oam.dev/v1alpha1/rollout_state.go
@@ -1,430 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/condition"
-
-	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/klog/v2"
-)
-
-// RolloutEvent is used to describe the events during rollout
-type RolloutEvent string
-
-const (
-	// RollingFailedEvent indicates that we encountered an unexpected error during upgrading and can't be retried
-	RollingFailedEvent RolloutEvent = "RollingFailedEvent"
-
-	// RollingRetriableFailureEvent indicates that we encountered an unexpected but retriable error
-	RollingRetriableFailureEvent RolloutEvent = "RollingRetriableFailureEvent"
-
-	// AppLocatedEvent indicates that apps are located successfully
-	AppLocatedEvent RolloutEvent = "AppLocatedEvent"
-
-	// RollingModifiedEvent indicates that the rolling target or source has changed
-	RollingModifiedEvent RolloutEvent = "RollingModifiedEvent"
-
-	// RollingDeletedEvent indicates that the rolling is being deleted
-	RollingDeletedEvent RolloutEvent = "RollingDeletedEvent"
-
-	// RollingSpecVerifiedEvent indicates that we have successfully verified that the rollout spec
-	RollingSpecVerifiedEvent RolloutEvent = "RollingSpecVerifiedEvent"
-
-	// RollingInitializedEvent indicates that we have finished initializing all the workload resources
-	RollingInitializedEvent RolloutEvent = "RollingInitializedEvent"
-
-	// AllBatchFinishedEvent indicates that all batches are upgraded
-	AllBatchFinishedEvent RolloutEvent = "AllBatchFinishedEvent"
-
-	// RollingFinalizedEvent indicates that we have finalized the rollout which includes but not
-	// limited to the resource garbage collection
-	RollingFinalizedEvent RolloutEvent = "AllBatchFinishedEvent"
-
-	// InitializedOneBatchEvent indicates that we have successfully rolled out one batch
-	InitializedOneBatchEvent RolloutEvent = "InitializedOneBatchEvent"
-
-	// FinishedOneBatchEvent indicates that we have successfully rolled out one batch
-	FinishedOneBatchEvent RolloutEvent = "FinishedOneBatchEvent"
-
-	// RolloutOneBatchEvent indicates that we have rollout one batch
-	RolloutOneBatchEvent RolloutEvent = "RolloutOneBatchEvent"
-
-	// OneBatchAvailableEvent indicates that the batch resource is considered available
-	// this events comes after we have examine the pod readiness check and traffic shifting if needed
-	OneBatchAvailableEvent RolloutEvent = "OneBatchAvailable"
-
-	// BatchRolloutApprovedEvent indicates that we got the approval manually
-	BatchRolloutApprovedEvent RolloutEvent = "BatchRolloutApprovedEvent"
-
-	// BatchRolloutFailedEvent indicates that we are waiting for the approval of the
-	BatchRolloutFailedEvent RolloutEvent = "BatchRolloutFailedEvent"
-)
-
-// These are valid conditions of the rollout.
-const (
-	// RolloutSpecVerifying indicates that the rollout just started with verification
-	RolloutSpecVerifying condition.ConditionType = "RolloutSpecVerifying"
-	// RolloutInitializing means we start to initialize the cluster
-	RolloutInitializing condition.ConditionType = "RolloutInitializing"
-	// RolloutInProgress means we are upgrading resources.
-	RolloutInProgress condition.ConditionType = "RolloutInProgress"
-	// RolloutFinalizing means the rollout is finalizing
-	RolloutFinalizing condition.ConditionType = "RolloutFinalizing"
-	// RolloutFailing means the rollout is failing
-	RolloutFailing condition.ConditionType = "RolloutFailing"
-	// RolloutAbandoning means that the rollout is being abandoned.
-	RolloutAbandoning condition.ConditionType = "RolloutAbandoning"
-	// RolloutDeleting means that the rollout is being deleted.
-	RolloutDeleting condition.ConditionType = "RolloutDeleting"
-	// RolloutFailed means that the rollout failed.
-	RolloutFailed condition.ConditionType = "RolloutFailed"
-	// RolloutSucceed means that the rollout is done.
-	RolloutSucceed condition.ConditionType = "RolloutSucceed"
-	// BatchInitializing
-	BatchInitializing condition.ConditionType = "BatchInitializing"
-	// BatchPaused
-	BatchPaused condition.ConditionType = "BatchPaused"
-	// BatchVerifying
-	BatchVerifying condition.ConditionType = "BatchVerifying"
-	// BatchRolloutFailed
-	BatchRolloutFailed condition.ConditionType = "BatchRolloutFailed"
-	// BatchFinalizing
-	BatchFinalizing condition.ConditionType = "BatchFinalizing"
-	// BatchReady
-	BatchReady condition.ConditionType = "BatchReady"
-)
-
-// NewPositiveCondition creates a positive condition type
-func NewPositiveCondition(condType condition.ConditionType) condition.Condition {
-	return condition.Condition{
-		Type:               condType,
-		Status:             v1.ConditionTrue,
-		LastTransitionTime: metav1.NewTime(time.Now()),
-	}
-}
-
-// NewNegativeCondition creates a false condition type
-func NewNegativeCondition(condType condition.ConditionType, message string) condition.Condition {
-	return condition.Condition{
-		Type:               condType,
-		Status:             v1.ConditionFalse,
-		LastTransitionTime: metav1.NewTime(time.Now()),
-		Message:            message,
-	}
-}
-
-const invalidRollingStateTransition = "the rollout state transition from `%s` state  with `%s` is invalid"
-
-const invalidBatchRollingStateTransition = "the batch rolling state transition from `%s` state  with `%s` is invalid"
-
-func (r *RolloutStatus) getRolloutConditionType() condition.ConditionType {
-	// figure out which condition type should we put in the condition depends on its state
-	switch r.RollingState {
-	case VerifyingSpecState:
-		return RolloutSpecVerifying
-
-	case InitializingState:
-		return RolloutInitializing
-
-	case RollingInBatchesState:
-		switch r.BatchRollingState {
-		case BatchInitializingState:
-			return BatchInitializing
-
-		case BatchVerifyingState:
-			return BatchVerifying
-
-		case BatchFinalizingState:
-			return BatchFinalizing
-
-		case BatchRolloutFailedState:
-			return BatchRolloutFailed
-
-		case BatchReadyState:
-			return BatchReady
-
-		default:
-			return RolloutInProgress
-		}
-
-	case FinalisingState:
-		return RolloutFinalizing
-
-	case RolloutFailingState:
-		return RolloutFailing
-
-	case RolloutAbandoningState:
-		return RolloutAbandoning
-
-	case RolloutDeletingState:
-		return RolloutDeleting
-
-	case RolloutSucceedState:
-		return RolloutSucceed
-
-	default:
-		return RolloutFailed
-	}
-}
-
-// RolloutRetry is a special state transition since we need an error message
-func (r *RolloutStatus) RolloutRetry(reason string) {
-	// we can still retry, no change on the state
-	r.SetConditions(NewNegativeCondition(r.getRolloutConditionType(), reason))
-}
-
-// RolloutFailed is a special state transition since we need an error message
-func (r *RolloutStatus) RolloutFailed(reason string) {
-	// set the condition first which depends on the state
-	r.SetConditions(NewNegativeCondition(r.getRolloutConditionType(), reason))
-	r.RollingState = RolloutFailedState
-}
-
-// RolloutFailing is a special state transition that always moves the rollout state to the failing state
-func (r *RolloutStatus) RolloutFailing(reason string) {
-	// set the condition first which depends on the state
-	r.SetConditions(NewNegativeCondition(r.getRolloutConditionType(), reason))
-	r.RollingState = RolloutFailingState
-	r.BatchRollingState = BatchInitializingState
-}
-
-// ResetStatus resets the status of the rollout to start from beginning
-func (r *RolloutStatus) ResetStatus() {
-	r.NewPodTemplateIdentifier = ""
-	r.RolloutTargetSize = -1
-	r.LastAppliedPodTemplateIdentifier = ""
-	r.RollingState = LocatingTargetAppState
-	r.BatchRollingState = BatchInitializingState
-	r.CurrentBatch = 0
-	r.UpgradedReplicas = 0
-	r.UpgradedReadyReplicas = 0
-}
-
-// SetRolloutCondition sets the supplied condition, replacing any existing condition
-// of the same type unless they are identical.
-func (r *RolloutStatus) SetRolloutCondition(new condition.Condition) {
-	exists := false
-	for i, existing := range r.Conditions {
-		if existing.Type != new.Type {
-			continue
-		}
-		// we want to update the condition when the LTT changes
-		if existing.Type == new.Type &&
-			existing.Status == new.Status &&
-			existing.Reason == new.Reason &&
-			existing.Message == new.Message &&
-			existing.LastTransitionTime == new.LastTransitionTime {
-			exists = true
-			continue
-		}
-
-		r.Conditions[i] = new
-		exists = true
-	}
-	if !exists {
-		r.Conditions = append(r.Conditions, new)
-	}
-}
-
-// we can't panic since it will crash the other controllers
-func (r *RolloutStatus) illegalStateTransition(err error) {
-	r.RolloutFailed(err.Error())
-}
-
-// StateTransition is the center place to do rollout state transition
-// it returns an error if the transition is invalid
-// it changes the coming rollout state if it's valid
-func (r *RolloutStatus) StateTransition(event RolloutEvent) {
-	rollingState := r.RollingState
-	batchRollingState := r.BatchRollingState
-	defer func() {
-		klog.InfoS("try to execute a rollout state transition",
-			"pre rolling state", rollingState,
-			"pre batch rolling state", batchRollingState,
-			"post rolling state", r.RollingState,
-			"post batch rolling state", r.BatchRollingState)
-	}()
-
-	// we have special transition for these types of event since they require additional info
-	if event == RollingFailedEvent || event == RollingRetriableFailureEvent {
-		r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-		return
-	}
-	// special handle modified event here
-	if event == RollingModifiedEvent {
-		if r.RollingState == RolloutDeletingState {
-			r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-			return
-		}
-		if r.RollingState == RolloutFailedState || r.RollingState == RolloutSucceedState {
-			r.ResetStatus()
-		} else {
-			r.SetRolloutCondition(NewNegativeCondition(r.getRolloutConditionType(), "Rollout Spec is modified"))
-			r.RollingState = RolloutAbandoningState
-			r.BatchRollingState = BatchInitializingState
-		}
-		return
-	}
-
-	// special handle deleted event here, it can happen at many states
-	if event == RollingDeletedEvent {
-		if r.RollingState == RolloutFailedState || r.RollingState == RolloutSucceedState {
-			r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-			return
-		}
-		r.SetRolloutCondition(NewNegativeCondition(r.getRolloutConditionType(), "Rollout is being deleted"))
-		r.RollingState = RolloutDeletingState
-		r.BatchRollingState = BatchInitializingState
-		return
-	}
-
-	// special handle appLocatedEvent event here, it only applies to one state but it's legal to happen at other states
-	if event == AppLocatedEvent {
-		if r.RollingState == LocatingTargetAppState {
-			r.RollingState = VerifyingSpecState
-		}
-		return
-	}
-
-	switch rollingState {
-	case VerifyingSpecState:
-		if event == RollingSpecVerifiedEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.RollingState = InitializingState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-
-	case InitializingState:
-		if event == RollingInitializedEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.RollingState = RollingInBatchesState
-			r.BatchRollingState = BatchInitializingState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-
-	case RollingInBatchesState:
-		r.batchStateTransition(event)
-		return
-
-	case RolloutAbandoningState:
-		if event == RollingFinalizedEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.ResetStatus()
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-
-	case RolloutDeletingState:
-		if event == RollingFinalizedEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.RollingState = RolloutFailedState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-
-	case FinalisingState:
-		if event == RollingFinalizedEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.RollingState = RolloutSucceedState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-
-	case RolloutFailingState:
-		if event == RollingFinalizedEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.RollingState = RolloutFailedState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-
-	case RolloutSucceedState, RolloutFailedState:
-		r.illegalStateTransition(fmt.Errorf(invalidRollingStateTransition, rollingState, event))
-
-	default:
-		r.illegalStateTransition(fmt.Errorf("invalid rolling state %s before transition", rollingState))
-	}
-}
-
-// batchStateTransition handles the state transition when the rollout is in action
-func (r *RolloutStatus) batchStateTransition(event RolloutEvent) {
-	batchRollingState := r.BatchRollingState
-	if event == BatchRolloutFailedEvent {
-		r.BatchRollingState = BatchRolloutFailedState
-		r.RollingState = RolloutFailedState
-		r.SetConditions(NewNegativeCondition(r.getRolloutConditionType(), "failed"))
-		return
-	}
-	switch batchRollingState {
-	case BatchInitializingState:
-		if event == InitializedOneBatchEvent {
-			r.BatchRollingState = BatchInRollingState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidBatchRollingStateTransition, batchRollingState, event))
-
-	case BatchInRollingState:
-		if event == RolloutOneBatchEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.BatchRollingState = BatchVerifyingState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidBatchRollingStateTransition, batchRollingState, event))
-
-	case BatchVerifyingState:
-		if event == OneBatchAvailableEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.BatchRollingState = BatchFinalizingState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidBatchRollingStateTransition, batchRollingState, event))
-
-	case BatchFinalizingState:
-		if event == FinishedOneBatchEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.BatchRollingState = BatchReadyState
-			return
-		}
-		if event == AllBatchFinishedEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			// transition out of the batch loop
-			r.BatchRollingState = BatchReadyState
-			r.RollingState = FinalisingState
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidBatchRollingStateTransition, batchRollingState, event))
-
-	case BatchReadyState:
-		if event == BatchRolloutApprovedEvent {
-			r.SetRolloutCondition(NewPositiveCondition(r.getRolloutConditionType()))
-			r.BatchRollingState = BatchInitializingState
-			r.CurrentBatch++
-			return
-		}
-		r.illegalStateTransition(fmt.Errorf(invalidBatchRollingStateTransition, batchRollingState, event))
-
-	default:
-		r.illegalStateTransition(fmt.Errorf("invalid batch rolling state %s", batchRollingState))
-	}
-}
--- a/apis/standard.oam.dev/v1alpha1/rollout_type.go
+++ b/apis/standard.oam.dev/v1alpha1/rollout_type.go
@@ -1,77 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// Rollout is the Schema for the Rollout API
-// +kubebuilder:object:root=true
-// +kubebuilder:resource:categories={oam},shortName=rollout
-// +kubebuilder:subresource:status
-// +kubebuilder:storageversion
-// +kubebuilder:printcolumn:name="TARGET",type=string,JSONPath=`.status.rolloutTargetSize`
-// +kubebuilder:printcolumn:name="UPGRADED",type=string,JSONPath=`.status.upgradedReplicas`
-// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.upgradedReadyReplicas`
-// +kubebuilder:printcolumn:name="BATCH-STATE",type=string,JSONPath=`.status.batchRollingState`
-// +kubebuilder:printcolumn:name="ROLLING-STATE",type=string,JSONPath=`.status.rollingState`
-// +kubebuilder:printcolumn:name="AGE",type=date,JSONPath=".metadata.creationTimestamp"
-type Rollout struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   RolloutSpec       `json:"spec,omitempty"`
-	Status CompRolloutStatus `json:"status,omitempty"`
-}
-
-// RolloutSpec defines how to describe an update between different compRevision
-type RolloutSpec struct {
-	// TargetRevisionName contains the name of the componentRevisionName that we need to upgrade to.
-	TargetRevisionName string `json:"targetRevisionName"`
-
-	// SourceRevisionName contains the name of the componentRevisionName  that we need to upgrade from.
-	// it can be empty only when it's the first time to deploy the application
-	SourceRevisionName string `json:"sourceRevisionName,omitempty"`
-
-	// ComponentName specify the component name
-	ComponentName string `json:"componentName"`
-
-	// RolloutPlan is the details on how to rollout the resources
-	RolloutPlan RolloutPlan `json:"rolloutPlan"`
-}
-
-// CompRolloutStatus defines the observed state of rollout
-type CompRolloutStatus struct {
-	RolloutStatus `json:",inline"`
-
-	// LastUpgradedTargetRevision contains the name of the componentRevisionName that we upgraded to
-	// We will restart the rollout if this is not the same as the spec
-	LastUpgradedTargetRevision string `json:"lastTargetRevision"`
-
-	// LastSourceRevision contains the name of the componentRevisionName that we need to upgrade from.
-	// We will restart the rollout if this is not the same as the spec
-	LastSourceRevision string `json:"LastSourceRevision,omitempty"`
-}
-
-// RolloutList contains a list of Rollout
-// +kubebuilder:object:root=true
-type RolloutList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Rollout `json:"items"`
-}
--- a/apis/standard.oam.dev/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/standard.oam.dev/v1alpha1/zz_generated.deepcopy.go
@@ -1,334 +0,0 @@
-//go:build !ignore_autogenerated
-// +build !ignore_autogenerated
-
-/*
-Copyright 2023 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by controller-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	v1 "k8s.io/api/core/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/util/intstr"
-)
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CanaryMetric) DeepCopyInto(out *CanaryMetric) {
-	*out = *in
-	if in.MetricsRange != nil {
-		in, out := &in.MetricsRange, &out.MetricsRange
-		*out = new(MetricsExpectedRange)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.TemplateRef != nil {
-		in, out := &in.TemplateRef, &out.TemplateRef
-		*out = new(v1.ObjectReference)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CanaryMetric.
-func (in *CanaryMetric) DeepCopy() *CanaryMetric {
-	if in == nil {
-		return nil
-	}
-	out := new(CanaryMetric)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CompRolloutStatus) DeepCopyInto(out *CompRolloutStatus) {
-	*out = *in
-	in.RolloutStatus.DeepCopyInto(&out.RolloutStatus)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompRolloutStatus.
-func (in *CompRolloutStatus) DeepCopy() *CompRolloutStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(CompRolloutStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MetricsExpectedRange) DeepCopyInto(out *MetricsExpectedRange) {
-	*out = *in
-	if in.Min != nil {
-		in, out := &in.Min, &out.Min
-		*out = new(intstr.IntOrString)
-		**out = **in
-	}
-	if in.Max != nil {
-		in, out := &in.Max, &out.Max
-		*out = new(intstr.IntOrString)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricsExpectedRange.
-func (in *MetricsExpectedRange) DeepCopy() *MetricsExpectedRange {
-	if in == nil {
-		return nil
-	}
-	out := new(MetricsExpectedRange)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Rollout) DeepCopyInto(out *Rollout) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rollout.
-func (in *Rollout) DeepCopy() *Rollout {
-	if in == nil {
-		return nil
-	}
-	out := new(Rollout)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *Rollout) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RolloutBatch) DeepCopyInto(out *RolloutBatch) {
-	*out = *in
-	out.Replicas = in.Replicas
-	if in.PodList != nil {
-		in, out := &in.PodList, &out.PodList
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.MaxUnavailable != nil {
-		in, out := &in.MaxUnavailable, &out.MaxUnavailable
-		*out = new(intstr.IntOrString)
-		**out = **in
-	}
-	if in.InstanceInterval != nil {
-		in, out := &in.InstanceInterval, &out.InstanceInterval
-		*out = new(int32)
-		**out = **in
-	}
-	if in.BatchRolloutWebhooks != nil {
-		in, out := &in.BatchRolloutWebhooks, &out.BatchRolloutWebhooks
-		*out = make([]RolloutWebhook, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.CanaryMetric != nil {
-		in, out := &in.CanaryMetric, &out.CanaryMetric
-		*out = make([]CanaryMetric, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutBatch.
-func (in *RolloutBatch) DeepCopy() *RolloutBatch {
-	if in == nil {
-		return nil
-	}
-	out := new(RolloutBatch)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RolloutList) DeepCopyInto(out *RolloutList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]Rollout, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutList.
-func (in *RolloutList) DeepCopy() *RolloutList {
-	if in == nil {
-		return nil
-	}
-	out := new(RolloutList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *RolloutList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RolloutPlan) DeepCopyInto(out *RolloutPlan) {
-	*out = *in
-	if in.TargetSize != nil {
-		in, out := &in.TargetSize, &out.TargetSize
-		*out = new(int32)
-		**out = **in
-	}
-	if in.NumBatches != nil {
-		in, out := &in.NumBatches, &out.NumBatches
-		*out = new(int32)
-		**out = **in
-	}
-	if in.RolloutBatches != nil {
-		in, out := &in.RolloutBatches, &out.RolloutBatches
-		*out = make([]RolloutBatch, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.BatchPartition != nil {
-		in, out := &in.BatchPartition, &out.BatchPartition
-		*out = new(int32)
-		**out = **in
-	}
-	if in.RolloutWebhooks != nil {
-		in, out := &in.RolloutWebhooks, &out.RolloutWebhooks
-		*out = make([]RolloutWebhook, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.CanaryMetric != nil {
-		in, out := &in.CanaryMetric, &out.CanaryMetric
-		*out = make([]CanaryMetric, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutPlan.
-func (in *RolloutPlan) DeepCopy() *RolloutPlan {
-	if in == nil {
-		return nil
-	}
-	out := new(RolloutPlan)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RolloutSpec) DeepCopyInto(out *RolloutSpec) {
-	*out = *in
-	in.RolloutPlan.DeepCopyInto(&out.RolloutPlan)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutSpec.
-func (in *RolloutSpec) DeepCopy() *RolloutSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(RolloutSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RolloutStatus) DeepCopyInto(out *RolloutStatus) {
-	*out = *in
-	in.ConditionedStatus.DeepCopyInto(&out.ConditionedStatus)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutStatus.
-func (in *RolloutStatus) DeepCopy() *RolloutStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(RolloutStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RolloutWebhook) DeepCopyInto(out *RolloutWebhook) {
-	*out = *in
-	if in.ExpectedStatus != nil {
-		in, out := &in.ExpectedStatus, &out.ExpectedStatus
-		*out = make([]int, len(*in))
-		copy(*out, *in)
-	}
-	if in.Metadata != nil {
-		in, out := &in.Metadata, &out.Metadata
-		*out = new(map[string]string)
-		if **in != nil {
-			in, out := *in, *out
-			*out = make(map[string]string, len(*in))
-			for key, val := range *in {
-				(*out)[key] = val
-			}
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutWebhook.
-func (in *RolloutWebhook) DeepCopy() *RolloutWebhook {
-	if in == nil {
-		return nil
-	}
-	out := new(RolloutWebhook)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RolloutWebhookPayload) DeepCopyInto(out *RolloutWebhookPayload) {
-	*out = *in
-	if in.Metadata != nil {
-		in, out := &in.Metadata, &out.Metadata
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutWebhookPayload.
-func (in *RolloutWebhookPayload) DeepCopy() *RolloutWebhookPayload {
-	if in == nil {
-		return nil
-	}
-	out := new(RolloutWebhookPayload)
-	in.DeepCopyInto(out)
-	return out
-}
--- a/apis/types/capability.go
+++ b/apis/types/capability.go
@@ -17,13 +17,7 @@ limitations under the License.
 package types

 import (
-	"encoding/json"
-
 	"cuelang.org/go/cue"
-	"github.com/spf13/pflag"
-	"k8s.io/apimachinery/pkg/runtime"
-
-	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 )

 // Source record the source of Capability
@@ -38,22 +32,6 @@ type CRDInfo struct {
 	Kind       string `json:"kind"`
 }

-// Chart defines all necessary information to install a whole chart
-type Chart struct {
-	Repo      string                 `json:"repo"`
-	URL       string                 `json:"url"`
-	Name      string                 `json:"name"`
-	Namespace string                 `json:"namespace,omitempty"`
-	Version   string                 `json:"version"`
-	Values    map[string]interface{} `json:"values"`
-}
-
-// Installation defines the installation method for this Capability, currently only helm is supported
-type Installation struct {
-	Helm Chart `json:"helm"`
-	// TODO(wonderflow) add raw yaml file support for install capability
-}
-
 // CapType defines the type of capability
 type CapType string

@@ -64,8 +42,6 @@ const (
 	TypeWorkload CapType = "workload"
 	// TypeTrait represents OAM Trait
 	TypeTrait CapType = "trait"
-	// TypeScope represent OAM Scope
-	TypeScope CapType = "scope"
 	// TypeWorkflowStep represent OAM Workflow
 	TypeWorkflowStep CapType = "workflowstep"
 	// TypePolicy represent OAM Policy
@@ -91,10 +67,6 @@ type CapabilityCategory string
 const (
 	TerraformCategory CapabilityCategory = "terraform"

-	HelmCategory CapabilityCategory = "helm"
-
-	KubeCategory CapabilityCategory = "kube"
-
 	CUECategory CapabilityCategory = "cue"
 )

@@ -111,49 +83,6 @@ type Parameter struct {
 	JSONType string      `json:"jsonType,omitempty"`
 }

-// SetFlagBy set cli flag from Parameter
-func SetFlagBy(flags *pflag.FlagSet, v Parameter) {
-	name := v.Name
-	if v.Alias != "" {
-		name = v.Alias
-	}
-	// nolint:exhaustive
-	switch v.Type {
-	case cue.IntKind:
-		var vv int64
-		switch val := v.Default.(type) {
-		case int64:
-			vv = val
-		case json.Number:
-			vv, _ = val.Int64()
-		case int:
-			vv = int64(val)
-		case float64:
-			vv = int64(val)
-		}
-		flags.Int64P(name, v.Short, vv, v.Usage)
-	case cue.StringKind:
-		flags.StringP(name, v.Short, v.Default.(string), v.Usage)
-	case cue.BoolKind:
-		flags.BoolP(name, v.Short, v.Default.(bool), v.Usage)
-	case cue.NumberKind, cue.FloatKind:
-		var vv float64
-		switch val := v.Default.(type) {
-		case int64:
-			vv = float64(val)
-		case json.Number:
-			vv, _ = val.Float64()
-		case int:
-			vv = float64(val)
-		case float64:
-			vv = val
-		}
-		flags.Float64P(name, v.Short, vv, v.Usage)
-	default:
-		// other types not supported yet
-	}
-}
-
 // Capability defines the content of a capability
 type Capability struct {
 	Name           string             `json:"name"`
@@ -162,7 +91,6 @@ type Capability struct {
 	CueTemplateURI string             `json:"templateURI,omitempty"`
 	Parameters     []Parameter        `json:"parameters,omitempty"`
 	CrdName        string             `json:"crdName,omitempty"`
-	Center         string             `json:"center,omitempty"`
 	Status         string             `json:"status,omitempty"`
 	Description    string             `json:"description,omitempty"`
 	Example        string             `json:"example,omitempty"`
@@ -176,15 +104,10 @@ type Capability struct {
 	Namespace string `json:"namespace,omitempty"`

 	// Plugin Source
-	Source  *Source  `json:"source,omitempty"`
-	CrdInfo *CRDInfo `json:"crdInfo,omitempty"`
+	Source *Source `json:"source,omitempty"`

 	// Terraform
 	TerraformConfiguration string `json:"terraformConfiguration,omitempty"`
 	ConfigurationType      string `json:"configurationType,omitempty"`
 	Path                   string `json:"path,omitempty"`
-
-	// KubeTemplate
-	KubeTemplate  runtime.RawExtension   `json:"kubetemplate,omitempty"`
-	KubeParameter []common.KubeParameter `json:"kubeparameter,omitempty"`
 }
--- a/apis/types/componentmanifest.go
+++ b/apis/types/componentmanifest.go
@@ -17,25 +17,17 @@ limitations under the License.
 package types

 import (
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

 // ComponentManifest contains resources rendered from an application component.
 type ComponentManifest struct {
-	Name             string
-	Namespace        string
-	RevisionName     string
-	RevisionHash     string
-	ExternalRevision string
-	// StandardWorkload contains K8s resource generated from "output" block of ComponentDefinition
-	StandardWorkload *unstructured.Unstructured
-	// Traits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
-	Traits []*unstructured.Unstructured
-	Scopes []*corev1.ObjectReference
-
-	// PackagedWorkloadResources contain all the workload related resources. It could be a Helm
-	// Release, Git Repo or anything that can package and run a workload.
-	PackagedWorkloadResources []*unstructured.Unstructured
-	PackagedTraitResources    map[string][]*unstructured.Unstructured
+	Name         string
+	Namespace    string
+	RevisionName string
+	RevisionHash string
+	// ComponentOutput contains K8s resource generated from "output" block of ComponentDefinition
+	ComponentOutput *unstructured.Unstructured
+	// ComponentOutputsAndTraits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
+	ComponentOutputsAndTraits []*unstructured.Unstructured
 }
--- a/apis/types/event.go
+++ b/apis/types/event.go
@@ -23,19 +23,14 @@ const (
 	ReasonPolicyGenerated = "PolicyGenerated"
 	ReasonRevisoned       = "Revisioned"
 	ReasonApplied         = "Applied"
-	ReasonHealthCheck     = "HealthChecked"
 	ReasonDeployed        = "Deployed"
-	ReasonRollout         = "Rollout"

-	ReasonFailedParse       = "FailedParse"
-	ReasonFailedRender      = "FailedRender"
-	ReasonFailedRevision    = "FailedRevision"
-	ReasonFailedWorkflow    = "FailedWorkflow"
-	ReasonFailedApply       = "FailedApply"
-	ReasonFailedHealthCheck = "FailedHealthCheck"
-	ReasonFailedStateKeep   = "FailedStateKeep"
-	ReasonFailedGC          = "FailedGC"
-	ReasonFailedRollout     = "FailedRollout"
+	ReasonFailedParse     = "FailedParse"
+	ReasonFailedRevision  = "FailedRevision"
+	ReasonFailedWorkflow  = "FailedWorkflow"
+	ReasonFailedApply     = "FailedApply"
+	ReasonFailedStateKeep = "FailedStateKeep"
+	ReasonFailedGC        = "FailedGC"
 )

 // event message for Application
@@ -44,16 +39,6 @@ const (
 	MessageRendered         = "Rendered successfully"
 	MessagePolicyGenerated  = "Policy generated successfully"
 	MessageRevisioned       = "Revisioned successfully"
-	MessageApplied          = "Applied successfully"
 	MessageWorkflowFinished = "Workflow finished"
-	MessageHealthCheck      = "Health checked healthy"
 	MessageDeployed         = "Deployed successfully"
-	MessageRollout          = "Rollout successfully"
-
-	MessageFailedParse       = "fail to parse application, err: %v"
-	MessageFailedRender      = "fail to render application, err: %v"
-	MessageFailedRevision    = "fail to handle application revision, err: %v"
-	MessageFailedApply       = "fail to apply component, err: %v"
-	MessageFailedHealthCheck = "fail to health check, err: %v"
-	MessageFailedGC          = "fail to garbage collection, err: %v"
 )
--- a/apis/types/rolling.go
+++ b/apis/types/rolling.go
@@ -1,31 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package types
-
-// RollingStatus represents the rollout phases
-type RollingStatus string
-
-const (
-	// RollingTemplating means that the AC is rolling and need template
-	RollingTemplating RollingStatus = "RollingTemplating"
-	// RollingTemplated means that the AC is rolling and it already templated
-	RollingTemplated RollingStatus = "RollingTemplated"
-	// RollingCompleted means that the AC is the new active revision of the application
-	RollingCompleted RollingStatus = "RollingCompleted"
-	// InactiveAfterRollingCompleted means that the AC is the inactive revision after the rolling is finished
-	InactiveAfterRollingCompleted RollingStatus = "InactiveAfterRollingCompleted"
-)
--- a/apis/types/types.go
+++ b/apis/types/types.go
@@ -64,8 +64,6 @@ const (
 	LabelDefinitionDeprecated = "custom.definition.oam.dev/deprecated"
 	// LabelDefinitionHidden is the label which describe whether the capability is hidden by UI
 	LabelDefinitionHidden = "custom.definition.oam.dev/ui-hidden"
-	// LabelDefinitionScope is the label which describe whether the capability's scope
-	LabelDefinitionScope = "custom.definition.oam.dev/scope"
 	// LabelNodeRoleGateway gateway role of node
 	LabelNodeRoleGateway = "node-role.kubernetes.io/gateway"
 	// LabelNodeRoleWorker worker role of node
@@ -157,8 +155,6 @@ const LabelArg = "label"

 // DefaultFilterAnnots are annotations that won't pass to workload or trait
 var DefaultFilterAnnots = []string{
-	oam.AnnotationAppRollout,
-	oam.AnnotationRollingComponent,
 	oam.AnnotationInplaceUpgrade,
 	oam.AnnotationFilterLabelKeys,
 	oam.AnnotationFilterAnnotationKeys,
--- a/apis/types/workflow.go
+++ b/apis/types/workflow.go
@@ -1,29 +0,0 @@
-/*
-Copyright 2021 The KubeVela Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package types
-
-import (
-	corev1 "k8s.io/api/core/v1"
-)
-
-// WorkflowContext is the workflow context to pass into workflow objects.
-type WorkflowContext struct {
-	AppName           string                      `json:"appName,omitempty"`
-	AppRevision       string                      `json:"appRevision,omitempty"`
-	WorkflowIndex     int                         `json:"workflowIndex"`
-	ResourceConfigMap corev1.LocalObjectReference `json:"resourceConfigMap,omitempty"`
-}
--- a/charts/vela-core/README.md
+++ b/charts/vela-core/README.md
@@ -25,7 +25,7 @@ multi-cloud environments. At the mean time, it is highly extensible and programm
 ## TL;DR

 ```bash
-helm repo add kubevela https://charts.kubevela.net/core
+helm repo add kubevela https://kubevela.github.io/charts
 helm repo update
 helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wait
 ```
@@ -38,25 +38,24 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai

 ### KubeVela core parameters

-| Name                          | Description                                                                                   | Value  |
-| ----------------------------- | --------------------------------------------------------------------------------------------- | ------ |
-| `systemDefinitionNamespace`   | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil`  |
-| `applicationRevisionLimit`    | Application revision limit                                                                    | `2`    |
-| `definitionRevisionLimit`     | Definition revision limit                                                                     | `2`    |
-| `concurrentReconciles`        | concurrentReconciles is the concurrent reconcile number of the controller                     | `4`    |
-| `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`   |
-| `OAMSpecVer`                  | OAMSpecVer is the oam spec version controller want to setup                                   | `v0.3` |
-| `disableCaps`                 | Disable capability                                                                            | `all`  |
-| `dependCheckWait`             | dependCheckWait is the time to wait for ApplicationConfiguration's dependent-resource ready   | `30s`  |
+| Name                          | Description                                                                                   | Value |
+| ----------------------------- | --------------------------------------------------------------------------------------------- | ----- |
+| `systemDefinitionNamespace`   | System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`. | `nil` |
+| `applicationRevisionLimit`    | Application revision limit                                                                    | `2`   |
+| `definitionRevisionLimit`     | Definition revision limit                                                                     | `2`   |
+| `concurrentReconciles`        | concurrentReconciles is the concurrent reconcile number of the controller                     | `4`   |
+| `controllerArgs.reSyncPeriod` | The period for resync the applications                                                        | `5m`  |

 ### KubeVela workflow parameters

-| Name                                   | Description                                            | Value   |
-| -------------------------------------- | ------------------------------------------------------ | ------- |
-| `workflow.enableSuspendOnFailure`      | Enable suspend on workflow failure                     | `false` |
-| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`    |
-| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
-| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |
+| Name                                                    | Description                                             | Value   |
+| ------------------------------------------------------- | ------------------------------------------------------- | ------- |
+| `workflow.enableSuspendOnFailure`                       | Enable suspend on workflow failure                      | `false` |
+| `workflow.enableExternalPackageForDefaultCompiler`      | Enable external package for default cuex compiler       | `true`  |
+| `workflow.enableExternalPackageWatchForDefaultCompiler` | Enable external package watch for default cuex compiler | `false` |
+| `workflow.backoff.maxTime.waitState`                    | The max backoff time of workflow in a wait condition    | `60`    |
+| `workflow.backoff.maxTime.failedState`                  | The max backoff time of workflow in a failed condition  | `300`   |
+| `workflow.step.errorRetryTimes`                         | The max retry times of a failed workflow step           | `10`    |

 ### KubeVela controller parameters

@@ -86,7 +85,6 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `optimize.enableInMemoryWorkflowContext`                     | Optimize workflow by use in-memory context.                                                                                                                                                                                      | `false` |
 | `optimize.disableResourceApplyDoubleCheck`                   | Optimize workflow by ignoring resource double check after apply.                                                                                                                                                                 | `false` |
 | `optimize.enableResourceTrackerDeleteOnlyTrigger`            | Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.                                                                                                                                              | `true`  |
-| `featureGates.enableLegacyComponentRevision`                 | if disabled, only component with rollout trait will create component revisions                                                                                                                                                   | `false` |
 | `featureGates.gzipResourceTracker`                           | compress ResourceTracker using gzip (good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers.                                                                                      | `false` |
 | `featureGates.zstdResourceTracker`                           | compress ResourceTracker using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers. Note that zstd will be prioritized if you enable other compression options. | `true`  |
 | `featureGates.applyOnce`                                     | if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker                                                                                            | `false` |
@@ -100,26 +98,31 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `featureGates.informerCacheFilterUnnecessaryFields`          | filter unnecessary fields for informer cache                                                                                                                                                                                     | `true`  |
 | `featureGates.sharedDefinitionStorageForApplicationRevision` | use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields                                                                                    | `true`  |
 | `featureGates.disableWorkflowContextConfigMapCache`          | disable the workflow context's configmap informer cache                                                                                                                                                                          | `true`  |
+| `featureGates.enableCueValidation`                           | enable the strict cue validation for cue required parameter fields                                                                                                                                                               | `false` |
+| `featureGates.enableApplicationStatusMetrics`                | enable application status metrics and structured logging                                                                                                                                                                         | `false` |
+| `featureGates.validateResourcesExist`                        | enable webhook validation to check if resource types referenced in definition templates exist in the cluster                                                                                                                     | `false` |

 ### MultiCluster parameters

-| Name                                                        | Description                                                                                 | Value                            |
-| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
-| `multicluster.enabled`                                      | Whether to enable multi-cluster                                                             | `true`                           |
-| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect                                             | `false`                          |
-| `multicluster.clusterGateway.direct`                        | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true`                           |
-| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                                                                | `1`                              |
-| `multicluster.clusterGateway.port`                          | ClusterGateway port                                                                         | `9443`                           |
-| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                                                             | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                                                                    | `v1.9.0-alpha.2`                 |
-| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                                                            | `IfNotPresent`                   |
-| `multicluster.clusterGateway.resources.requests.cpu`        | ClusterGateway cpu request                                                                  | `50m`                            |
-| `multicluster.clusterGateway.resources.requests.memory`     | ClusterGateway memory request                                                               | `20Mi`                           |
-| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                                                                    | `500m`                           |
-| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                                                                 | `200Mi`                          |
-| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                                                                | `true`                           |
-| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                                                                | `/etc/k8s-cluster-gateway-certs` |
-| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                                                              | `false`                          |
+| Name                                                          | Description                                                                                 | Value                            |
+| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
+| `multicluster.enabled`                                        | Whether to enable multi-cluster                                                             | `true`                           |
+| `multicluster.metrics.enabled`                                | Whether to enable multi-cluster metrics collect                                             | `false`                          |
+| `multicluster.clusterGateway.direct`                          | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true`                           |
+| `multicluster.clusterGateway.replicaCount`                    | ClusterGateway replica count                                                                | `1`                              |
+| `multicluster.clusterGateway.port`                            | ClusterGateway port                                                                         | `9443`                           |
+| `multicluster.clusterGateway.image.repository`                | ClusterGateway image repository                                                             | `oamdev/cluster-gateway`         |
+| `multicluster.clusterGateway.image.tag`                       | ClusterGateway image tag                                                                    | `v1.9.0-alpha.2`                 |
+| `multicluster.clusterGateway.image.pullPolicy`                | ClusterGateway image pull policy                                                            | `IfNotPresent`                   |
+| `multicluster.clusterGateway.resources.requests.cpu`          | ClusterGateway cpu request                                                                  | `50m`                            |
+| `multicluster.clusterGateway.resources.requests.memory`       | ClusterGateway memory request                                                               | `20Mi`                           |
+| `multicluster.clusterGateway.resources.limits.cpu`            | ClusterGateway cpu limit                                                                    | `500m`                           |
+| `multicluster.clusterGateway.resources.limits.memory`         | ClusterGateway memory limit                                                                 | `200Mi`                          |
+| `multicluster.clusterGateway.secureTLS.enabled`               | Whether to enable secure TLS                                                                | `true`                           |
+| `multicluster.clusterGateway.secureTLS.certPath`              | Path to the certificate file                                                                | `/etc/k8s-cluster-gateway-certs` |
+| `multicluster.clusterGateway.secureTLS.certManager.enabled`   | Whether to enable cert-manager                                                              | `false`                          |
+| `multicluster.clusterGateway.serviceMonitor.enabled`          | Whether to enable service monitor                                                           | `false`                          |
+| `multicluster.clusterGateway.serviceMonitor.additionalLabels` | Additional labels for service monitor                                                       | `{}`                             |

 ### Test parameters

@@ -132,29 +135,34 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai

 ### Common parameters

-| Name                          | Description                                                                                                                                                        | Value                |
-| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
-| `imagePullSecrets`            | Image pull secrets                                                                                                                                                 | `[]`                 |
-| `nameOverride`                | Override name                                                                                                                                                      | `""`                 |
-| `fullnameOverride`            | Fullname override                                                                                                                                                  | `""`                 |
-| `serviceAccount.create`       | Specifies whether a service account should be created                                                                                                              | `true`               |
-| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                                                          | `{}`                 |
-| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                             | `nil`                |
-| `nodeSelector`                | Node selector                                                                                                                                                      | `{}`                 |
-| `tolerations`                 | Tolerations                                                                                                                                                        | `[]`                 |
-| `affinity`                    | Affinity                                                                                                                                                           | `{}`                 |
-| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
-| `logDebug`                    | Enable debug logs for development purpose                                                                                                                          | `false`              |
-| `logFilePath`                 | If non-empty, write log files in this path                                                                                                                         | `""`                 |
-| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
-| `kubeClient.qps`              | The qps for reconcile clients                                                                                                                                      | `400`                |
-| `kubeClient.burst`            | The burst for reconcile clients                                                                                                                                    | `600`                |
-| `authentication.enabled`      | Enable authentication for application                                                                                                                              | `false`              |
-| `authentication.withUser`     | Application authentication will impersonate as the request User                                                                                                    | `true`               |
-| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                                                         | `kubevela:vela-core` |
-| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                                                          | `kubevela:*`         |
-| `sharding.enabled`            | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false`              |
-| `sharding.schedulableShards`  | The shards available for scheduling. If empty, dynamic discovery will be used.                                                                                     | `""`                 |
+| Name                                           | Description                                                                                                                                                        | Value                |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `imagePullSecrets`                             | Image pull secrets                                                                                                                                                 | `[]`                 |
+| `nameOverride`                                 | Override name                                                                                                                                                      | `""`                 |
+| `fullnameOverride`                             | Fullname override                                                                                                                                                  | `""`                 |
+| `serviceAccount.create`                        | Specifies whether a service account should be created                                                                                                              | `true`               |
+| `serviceAccount.annotations`                   | Annotations to add to the service account                                                                                                                          | `{}`                 |
+| `serviceAccount.name`                          | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                             | `nil`                |
+| `nodeSelector`                                 | Node selector                                                                                                                                                      | `{}`                 |
+| `tolerations`                                  | Tolerations                                                                                                                                                        | `[]`                 |
+| `affinity`                                     | Affinity                                                                                                                                                           | `{}`                 |
+| `rbac.create`                                  | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
+| `logDebug`                                     | Enable debug logs for development purpose                                                                                                                          | `false`              |
+| `devLogs`                                      | Enable formatted logging support for development purpose                                                                                                           | `false`              |
+| `logFilePath`                                  | If non-empty, write log files in this path                                                                                                                         | `""`                 |
+| `logFileMaxSize`                               | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
+| `kubeClient.qps`                               | The qps for reconcile clients                                                                                                                                      | `400`                |
+| `kubeClient.burst`                             | The burst for reconcile clients                                                                                                                                    | `600`                |
+| `authentication.enabled`                       | Enable authentication framework for applications                                                                                                                   | `false`              |
+| `authentication.withUser`                      | Application authentication will impersonate as the request User (must be true for security)                                                                        | `true`               |
+| `authentication.defaultUser`                   | Application authentication will impersonate as the User if no user provided or withUser is false                                                                   | `kubevela:vela-core` |
+| `authentication.groupPattern`                  | Application authentication will impersonate as the request Group that matches the pattern                                                                          | `kubevela:*`         |
+| `authorization.definitionValidationEnabled`    | Enable definition permission validation for RBAC checks on definitions                                                                                             | `false`              |
+| `sharding.enabled`                             | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false`              |
+| `sharding.schedulableShards`                   | The shards available for scheduling. If empty, dynamic discovery will be used.                                                                                     | `""`                 |
+| `core.metrics.enabled`                         | Enable metrics for vela-core                                                                                                                                       | `false`              |
+| `core.metrics.serviceMonitor.enabled`          | Enable service monitor for metrics                                                                                                                                 | `false`              |
+| `core.metrics.serviceMonitor.additionalLabels` | Additional labels for service monitor                                                                                                                              | `{}`                 |


 ## Uninstallation
@@ -190,6 +198,21 @@ if [ $fluxcd ]; then
 fi
 ```

+Make sure all existing KubeVela resources deleted before uninstallation:
+```shell
+kubectl delete applicationrevisions.core.oam.dev --all
+kubectl delete applications.core.oam.dev --all
+kubectl delete componentdefinitions.core.oam.dev --all
+kubectl delete definitionrevisions.core.oam.dev --all
+kubectl delete policies.core.oam.dev --all
+kubectl delete policydefinitions.core.oam.dev --all
+kubectl delete resourcetrackers.core.oam.dev --all
+kubectl delete traitdefinitions.core.oam.dev --all
+kubectl delete workflows.core.oam.dev --all
+kubectl delete workflowstepdefinitions.core.oam.dev --all
+kubectl delete workloaddefinitions.core.oam.dev --all
+```
+
 To uninstall the KubeVela helm release:

 ```shell
--- a/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
--- a/charts/vela-core/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applications.yaml
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  annotations:
    cert-manager.io/inject-ca-from: vela-system/kubevela-vela-core-root-cert
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: applications.core.oam.dev
 spec:
  group: core.oam.dev
@@ -44,14 +44,19 @@ spec:
        description: Application is the Schema for the applications API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -104,10 +109,9 @@ spec:
                    scopes:
                      additionalProperties:
                        type: string
-                      description: scopes in ApplicationComponent defines the component-level
-                        scopes the format is <scope-type:scope-instance-name> pairs,
-                        the key represents type of `ScopeDefinition` while the value
-                        represent the name of scope instance.
+                      description: |-
+                        scopes in ApplicationComponent defines the component-level scopes
+                        the format is <scope-type:scope-instance-name> pairs, the key represents type of `ScopeDefinition` while the value represent the name of scope instance.
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    traits:
@@ -133,10 +137,10 @@ spec:
                  type: object
                type: array
              policies:
-                description: Policies defines the global policies for all components
-                  in the app, e.g. security, metrics, gitops, multi-cluster placement
-                  rules, etc. Policies are applied after components are rendered and
-                  before workflow steps are executed.
+                description: |-
+                  Policies defines the global policies for all components in the app, e.g. security, metrics, gitops,
+                  multi-cluster placement rules, etc.
+                  Policies are applied after components are rendered and before workflow steps are executed.
                items:
                  description: AppPolicy defines a global policy for all components
                    in the app.
@@ -155,11 +159,12 @@ spec:
                  type: object
                type: array
              workflow:
-                description: 'Workflow defines how to customize the control logic.
-                  If workflow is specified, Vela won''t apply any resource, but provide
-                  rendered output in AppRevision. Workflow steps are executed in array
-                  order, and each step: - will have a context in annotation. - should
-                  mark "finish" phase in status.conditions.'
+                description: |-
+                  Workflow defines how to customize the control logic.
+                  If workflow is specified, Vela won't apply any resource, but provide rendered output in AppRevision.
+                  Workflow steps are executed in array order, and each step:
+                  - will have a context in annotation.
+                  - should mark "finish" phase in status.conditions.
                properties:
                  mode:
                    description: WorkflowExecuteMode defines the mode of workflow
@@ -332,33 +337,39 @@ spec:
                    creator:
                      type: string
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
@@ -367,63 +378,46 @@ spec:
                description: Components record the related Components created by Application
                  Controller
                items:
-                  description: "ObjectReference contains enough information to let
-                    you inspect or modify the referred object. --- New uses of this
-                    type are discouraged because of difficulty describing its usage
-                    when embedded in APIs. 1. Ignored fields.  It includes many fields
-                    which are not generally honored.  For instance, ResourceVersion
-                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
-                    usage help.  It is impossible to add specific help for individual
-                    usage.  In most embedded usages, there are particular restrictions
-                    like, \"must refer only to types A and B\" or \"UID not honored\"
-                    or \"name must be restricted\". Those cannot be well described
-                    when embedded. 3. Inconsistent validation.  Because the usages
-                    are different, the validation rules are different by usage, which
-                    makes it hard for users to predict what will happen. 4. The fields
-                    are both imprecise and overly precise.  Kind is not a precise
-                    mapping to a URL. This can produce ambiguity during interpretation
-                    and require a REST mapping.  In most cases, the dependency is
-                    on the group,resource tuple and the version of the actual struct
-                    is irrelevant. 5. We cannot easily change it.  Because this type
-                    is embedded in many locations, updates to this type will affect
-                    numerous schemas.  Don't make new APIs embed an underspecified
-                    API type they do not control. \n Instead of using this type, create
-                    a locally provided and used type that is well-focused on your
-                    reference. For example, ServiceReferences for admission registration:
-                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                    ."
+                  description: ObjectReference contains enough information to let
+                    you inspect or modify the referred object.
                  properties:
                    apiVersion:
                      description: API version of the referent.
                      type: string
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
@@ -434,13 +428,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -451,8 +447,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
@@ -482,10 +479,13 @@ spec:
                format: int64
                type: integer
              policy:
-                description: PolicyStatus records the status of policy Deprecated
-                  This field is only used by EnvBinding Policy which is deprecated.
+                description: |-
+                  PolicyStatus records the status of policy
+                  Deprecated This field is only used by EnvBinding Policy which is deprecated.
                items:
-                  description: PolicyStatus records the status of policy Deprecated
+                  description: |-
+                    PolicyStatus records the status of policy
+                    Deprecated
                  properties:
                    name:
                      type: string
@@ -507,6 +507,10 @@ spec:
                  properties:
                    cluster:
                      type: string
+                    details:
+                      additionalProperties:
+                        type: string
+                      type: object
                    env:
                      type: string
                    healthy:
@@ -519,66 +523,46 @@ spec:
                      type: string
                    scopes:
                      items:
-                        description: "ObjectReference contains enough information
-                          to let you inspect or modify the referred object. --- New
-                          uses of this type are discouraged because of difficulty
-                          describing its usage when embedded in APIs. 1. Ignored fields.
-                          \ It includes many fields which are not generally honored.
-                          \ For instance, ResourceVersion and FieldPath are both very
-                          rarely valid in actual usage. 2. Invalid usage help.  It
-                          is impossible to add specific help for individual usage.
-                          \ In most embedded usages, there are particular restrictions
-                          like, \"must refer only to types A and B\" or \"UID not
-                          honored\" or \"name must be restricted\". Those cannot be
-                          well described when embedded. 3. Inconsistent validation.
-                          \ Because the usages are different, the validation rules
-                          are different by usage, which makes it hard for users to
-                          predict what will happen. 4. The fields are both imprecise
-                          and overly precise.  Kind is not a precise mapping to a
-                          URL. This can produce ambiguity during interpretation and
-                          require a REST mapping.  In most cases, the dependency is
-                          on the group,resource tuple and the version of the actual
-                          struct is irrelevant. 5. We cannot easily change it.  Because
-                          this type is embedded in many locations, updates to this
-                          type will affect numerous schemas.  Don't make new APIs
-                          embed an underspecified API type they do not control. \n
-                          Instead of using this type, create a locally provided and
-                          used type that is well-focused on your reference. For example,
-                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                          ."
+                        description: ObjectReference contains enough information to
+                          let you inspect or modify the referred object.
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
-                            description: 'If referring to a piece of an object instead
-                              of an entire object, this string should contain a valid
-                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
-                              For example, if the object reference is to a container
-                              within a pod, this would take on a value like: "spec.containers{name}"
-                              (where "name" refers to the name of the container that
-                              triggered the event) or if no container name is specified
-                              "spec.containers[2]" (container with index 2 in this
-                              pod). This syntax is chosen only to have some well-defined
-                              way of referencing a part of an object. TODO: this design
-                              is not final and this field is subject to change in
-                              the future.'
+                            description: |-
+                              If referring to a piece of an object instead of an entire object, this string
+                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container within a pod, this would take on a value like:
+                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                              the event) or if no container name is specified "spec.containers[2]" (container with
+                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                              referencing a part of an object.
                            type: string
                          kind:
-                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
-                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
-                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
-                            description: 'Specific resourceVersion to which this reference
-                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            description: |-
+                              Specific resourceVersion to which this reference is made, if any.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
-                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            description: |-
+                              UID of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
@@ -588,6 +572,10 @@ spec:
                        description: ApplicationTraitStatus records the trait health
                          status
                        properties:
+                          details:
+                            additionalProperties:
+                              type: string
+                            type: object
                          healthy:
                            type: boolean
                          message:
@@ -626,63 +614,46 @@ spec:
                  appRevision:
                    type: string
                  contextBackend:
-                    description: "ObjectReference contains enough information to let
-                      you inspect or modify the referred object. --- New uses of this
-                      type are discouraged because of difficulty describing its usage
-                      when embedded in APIs. 1. Ignored fields.  It includes many
-                      fields which are not generally honored.  For instance, ResourceVersion
-                      and FieldPath are both very rarely valid in actual usage. 2.
-                      Invalid usage help.  It is impossible to add specific help for
-                      individual usage.  In most embedded usages, there are particular
-                      restrictions like, \"must refer only to types A and B\" or \"UID
-                      not honored\" or \"name must be restricted\". Those cannot be
-                      well described when embedded. 3. Inconsistent validation.  Because
-                      the usages are different, the validation rules are different
-                      by usage, which makes it hard for users to predict what will
-                      happen. 4. The fields are both imprecise and overly precise.
-                      \ Kind is not a precise mapping to a URL. This can produce ambiguity
-                      during interpretation and require a REST mapping.  In most cases,
-                      the dependency is on the group,resource tuple and the version
-                      of the actual struct is irrelevant. 5. We cannot easily change
-                      it.  Because this type is embedded in many locations, updates
-                      to this type will affect numerous schemas.  Don't make new APIs
-                      embed an underspecified API type they do not control. \n Instead
-                      of using this type, create a locally provided and used type
-                      that is well-focused on your reference. For example, ServiceReferences
-                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                      ."
+                    description: ObjectReference contains enough information to let
+                      you inspect or modify the referred object.
                    properties:
                      apiVersion:
                        description: API version of the referent.
                        type: string
                      fieldPath:
-                        description: 'If referring to a piece of an object instead
-                          of an entire object, this string should contain a valid
-                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
-                          For example, if the object reference is to a container within
-                          a pod, this would take on a value like: "spec.containers{name}"
-                          (where "name" refers to the name of the container that triggered
-                          the event) or if no container name is specified "spec.containers[2]"
-                          (container with index 2 in this pod). This syntax is chosen
-                          only to have some well-defined way of referencing a part
-                          of an object. TODO: this design is not final and this field
-                          is subject to change in the future.'
+                        description: |-
+                          If referring to a piece of an object instead of an entire object, this string
+                          should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within a pod, this would take on a value like:
+                          "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]" (container with
+                          index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                          referencing a part of an object.
                        type: string
                      kind:
-                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        description: |-
+                          Kind of the referent.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                        type: string
                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        type: string
                      namespace:
-                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        description: |-
+                          Namespace of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                        type: string
                      resourceVersion:
-                        description: 'Specific resourceVersion to which this reference
-                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        description: |-
+                          Specific resourceVersion to which this reference is made, if any.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                        type: string
                      uid:
-                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        description: |-
+                          UID of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
--- a/charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: componentdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -32,14 +32,19 @@ spec:
          API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -76,14 +81,14 @@ spec:
                type: object
                x-kubernetes-preserve-unknown-fields: true
              podSpecPath:
-                description: PodSpecPath indicates where/if this workload has K8s
-                  podSpec field if one workload has podSpec, trait can do lot's of
-                  assumption such as port, env, volume fields.
+                description: |-
+                  PodSpecPath indicates where/if this workload has K8s podSpec field
+                  if one workload has podSpec, trait can do lot's of assumption such as port, env, volume fields.
                type: string
              revisionLabel:
-                description: RevisionLabel indicates which label for underlying resources(e.g.
-                  pods) of this workload can be used by trait to create resource selectors(e.g.
-                  label selector for pods).
+                description: |-
+                  RevisionLabel indicates which label for underlying resources(e.g. pods) of this workload
+                  can be used by trait to create resource selectors(e.g. label selector for pods).
                type: string
              schematic:
                description: Schematic defines the data format and template of the
@@ -93,84 +98,13 @@ spec:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
                    type: object
-                  helm:
-                    description: A Helm represents resources used by a Helm module
-                    properties:
-                      release:
-                        description: Release records a Helm release used by a Helm
-                          module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                      repository:
-                        description: HelmRelease records a Helm repository used by
-                          a Helm module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - release
-                    - repository
-                    type: object
-                  kube:
-                    description: Kube defines the encapsulation in raw Kubernetes
-                      resource format
-                    properties:
-                      parameters:
-                        description: Parameters defines configurable parameters
-                        items:
-                          description: A KubeParameter defines a configurable parameter
-                            of a component.
-                          properties:
-                            description:
-                              description: Description of this parameter.
-                              type: string
-                            fieldPaths:
-                              description: "FieldPaths specifies an array of fields
-                                within this workload that will be overwritten by the
-                                value of this parameter. \tAll fields must be of the
-                                same type. Fields are specified as JSON field paths
-                                without a leading dot, for example 'spec.replicas'."
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: Name of this parameter
-                              type: string
-                            required:
-                              default: false
-                              description: Required specifies whether or not a value
-                                for this parameter must be supplied when authoring
-                                an Application.
-                              type: boolean
-                            type:
-                              description: 'ValueType indicates the type of the parameter
-                                value, and only supports basic data types: string,
-                                number, boolean.'
-                              enum:
-                              - string
-                              - number
-                              - boolean
-                              type: string
-                          required:
-                          - fieldPaths
-                          - name
-                          - type
-                          type: object
-                        type: array
-                      template:
-                        description: Template defines the raw Kubernetes resource
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - template
-                    type: object
                  terraform:
                    description: Terraform is the struct to describe cloud resources
                      managed by Hashicorp Terraform
@@ -229,11 +163,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@@ -256,11 +190,17 @@ spec:
                    description: CustomStatus defines the custom status message that
                      could display to user
                    type: string
+                  details:
+                    description: Details stores a string representation of a CUE status
+                      map to be evaluated at runtime for display
+                    type: string
                  healthPolicy:
                    description: HealthPolicy defines the health check policy for
                      the abstraction
                    type: string
                type: object
+              version:
+                type: string
              workload:
                description: Workload is a workload type descriptor
                properties:
@@ -292,13 +232,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -309,8 +251,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: definitionrevisions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -34,14 +34,19 @@ spec:
        description: DefinitionRevision is the Schema for the DefinitionRevision API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -53,16 +58,19 @@ spec:
                  ComponentDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@@ -117,14 +125,14 @@ spec:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
                      podSpecPath:
-                        description: PodSpecPath indicates where/if this workload
-                          has K8s podSpec field if one workload has podSpec, trait
-                          can do lot's of assumption such as port, env, volume fields.
+                        description: |-
+                          PodSpecPath indicates where/if this workload has K8s podSpec field
+                          if one workload has podSpec, trait can do lot's of assumption such as port, env, volume fields.
                        type: string
                      revisionLabel:
-                        description: RevisionLabel indicates which label for underlying
-                          resources(e.g. pods) of this workload can be used by trait
-                          to create resource selectors(e.g. label selector for pods).
+                        description: |-
+                          RevisionLabel indicates which label for underlying resources(e.g. pods) of this workload
+                          can be used by trait to create resource selectors(e.g. label selector for pods).
                        type: string
                      schematic:
                        description: Schematic defines the data format and template
@@ -134,86 +142,13 @@ spec:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
                            type: object
-                          helm:
-                            description: A Helm represents resources used by a Helm
-                              module
-                            properties:
-                              release:
-                                description: Release records a Helm release used by
-                                  a Helm module workload.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                              repository:
-                                description: HelmRelease records a Helm repository
-                                  used by a Helm module workload.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                            required:
-                            - release
-                            - repository
-                            type: object
-                          kube:
-                            description: Kube defines the encapsulation in raw Kubernetes
-                              resource format
-                            properties:
-                              parameters:
-                                description: Parameters defines configurable parameters
-                                items:
-                                  description: A KubeParameter defines a configurable
-                                    parameter of a component.
-                                  properties:
-                                    description:
-                                      description: Description of this parameter.
-                                      type: string
-                                    fieldPaths:
-                                      description: "FieldPaths specifies an array
-                                        of fields within this workload that will be
-                                        overwritten by the value of this parameter.
-                                        \tAll fields must be of the same type. Fields
-                                        are specified as JSON field paths without
-                                        a leading dot, for example 'spec.replicas'."
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: Name of this parameter
-                                      type: string
-                                    required:
-                                      default: false
-                                      description: Required specifies whether or not
-                                        a value for this parameter must be supplied
-                                        when authoring an Application.
-                                      type: boolean
-                                    type:
-                                      description: 'ValueType indicates the type of
-                                        the parameter value, and only supports basic
-                                        data types: string, number, boolean.'
-                                      enum:
-                                      - string
-                                      - number
-                                      - boolean
-                                      type: string
-                                  required:
-                                  - fieldPaths
-                                  - name
-                                  - type
-                                  type: object
-                                type: array
-                              template:
-                                description: Template defines the raw Kubernetes resource
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                            required:
-                            - template
-                            type: object
                          terraform:
                            description: Terraform is the struct to describe cloud
                              resources managed by Hashicorp Terraform
@@ -274,12 +209,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@@ -302,11 +236,17 @@ spec:
                            description: CustomStatus defines the custom status message
                              that could display to user
                            type: string
+                          details:
+                            description: Details stores a string representation of
+                              a CUE status map to be evaluated at runtime for display
+                            type: string
                          healthPolicy:
                            description: HealthPolicy defines the health check policy
                              for the abstraction
                            type: string
                        type: object
+                      version:
+                        type: string
                      workload:
                        description: Workload is a workload type descriptor
                        properties:
@@ -338,14 +278,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@@ -356,9 +297,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@@ -402,16 +343,19 @@ spec:
                  PolicyDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@@ -444,107 +388,34 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
                        type: object
                      manageHealthCheck:
-                        description: ManageHealthCheck means the policy will handle
-                          health checking and skip application controller built-in
-                          health checking.
+                        description: |-
+                          ManageHealthCheck means the policy will handle health checking and skip application controller
+                          built-in health checking.
                        type: boolean
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the policy definition. Only CUE
-                          schematic is supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the policy definition.
+                          Only CUE schematic is supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
                            type: object
-                          helm:
-                            description: A Helm represents resources used by a Helm
-                              module
-                            properties:
-                              release:
-                                description: Release records a Helm release used by
-                                  a Helm module workload.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                              repository:
-                                description: HelmRelease records a Helm repository
-                                  used by a Helm module workload.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                            required:
-                            - release
-                            - repository
-                            type: object
-                          kube:
-                            description: Kube defines the encapsulation in raw Kubernetes
-                              resource format
-                            properties:
-                              parameters:
-                                description: Parameters defines configurable parameters
-                                items:
-                                  description: A KubeParameter defines a configurable
-                                    parameter of a component.
-                                  properties:
-                                    description:
-                                      description: Description of this parameter.
-                                      type: string
-                                    fieldPaths:
-                                      description: "FieldPaths specifies an array
-                                        of fields within this workload that will be
-                                        overwritten by the value of this parameter.
-                                        \tAll fields must be of the same type. Fields
-                                        are specified as JSON field paths without
-                                        a leading dot, for example 'spec.replicas'."
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: Name of this parameter
-                                      type: string
-                                    required:
-                                      default: false
-                                      description: Required specifies whether or not
-                                        a value for this parameter must be supplied
-                                        when authoring an Application.
-                                      type: boolean
-                                    type:
-                                      description: 'ValueType indicates the type of
-                                        the parameter value, and only supports basic
-                                        data types: string, number, boolean.'
-                                      enum:
-                                      - string
-                                      - number
-                                      - boolean
-                                      type: string
-                                  required:
-                                  - fieldPaths
-                                  - name
-                                  - type
-                                  type: object
-                                type: array
-                              template:
-                                description: Template defines the raw Kubernetes resource
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                            required:
-                            - template
-                            type: object
                          terraform:
                            description: Terraform is the struct to describe cloud
                              resources managed by Hashicorp Terraform
@@ -605,12 +476,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@@ -625,6 +495,8 @@ spec:
                            - configuration
                            type: object
                        type: object
+                      version:
+                        type: string
                    type: object
                  status:
                    description: PolicyDefinitionStatus is the status of PolicyDefinition
@@ -635,14 +507,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@@ -653,9 +526,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@@ -699,16 +572,19 @@ spec:
                  TraitDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@@ -734,21 +610,25 @@ spec:
                      a TraitDefinition.
                    properties:
                      appliesToWorkloads:
-                        description: AppliesToWorkloads specifies the list of workload
-                          kinds this trait applies to. Workload kinds are specified
-                          in resource.group/version format, e.g. server.core.oam.dev/v1alpha2.
-                          Traits that omit this field apply to all workload kinds.
+                        description: |-
+                          AppliesToWorkloads specifies the list of workload kinds this trait
+                          applies to. Workload kinds are specified in resource.group/version format,
+                          e.g. server.core.oam.dev/v1alpha2. Traits that omit this field apply to
+                          all workload kinds.
                        items:
                          type: string
                        type: array
                      conflictsWith:
-                        description: 'ConflictsWith specifies the list of traits(CRD
-                          name, Definition name, CRD group) which could not apply
-                          to the same workloads with this trait. Traits that omit
-                          this field can work with any other traits. Example rules:
-                          "service" # Trait definition name "services.k8s.io" # API
-                          resource/crd name "*.networking.k8s.io" # API group "labelSelector:foo=bar"
-                          # label selector labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse'
+                        description: |-
+                          ConflictsWith specifies the list of traits(CRD name, Definition name, CRD group)
+                          which could not apply to the same workloads with this trait.
+                          Traits that omit this field can work with any other traits.
+                          Example rules:
+                          "service" # Trait definition name
+                          "services.k8s.io" # API resource/crd name
+                          "*.networking.k8s.io" # API group
+                          "labelSelector:foo=bar" # label selector
+                          labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse
                        items:
                          type: string
                        type: array
@@ -764,9 +644,9 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
@@ -789,94 +669,21 @@ spec:
                          component revision
                        type: boolean
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the trait. Only CUE and Kube schematic
-                          are supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the trait.
+                          Only CUE and Kube schematic are supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
                            type: object
-                          helm:
-                            description: A Helm represents resources used by a Helm
-                              module
-                            properties:
-                              release:
-                                description: Release records a Helm release used by
-                                  a Helm module workload.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                              repository:
-                                description: HelmRelease records a Helm repository
-                                  used by a Helm module workload.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                            required:
-                            - release
-                            - repository
-                            type: object
-                          kube:
-                            description: Kube defines the encapsulation in raw Kubernetes
-                              resource format
-                            properties:
-                              parameters:
-                                description: Parameters defines configurable parameters
-                                items:
-                                  description: A KubeParameter defines a configurable
-                                    parameter of a component.
-                                  properties:
-                                    description:
-                                      description: Description of this parameter.
-                                      type: string
-                                    fieldPaths:
-                                      description: "FieldPaths specifies an array
-                                        of fields within this workload that will be
-                                        overwritten by the value of this parameter.
-                                        \tAll fields must be of the same type. Fields
-                                        are specified as JSON field paths without
-                                        a leading dot, for example 'spec.replicas'."
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: Name of this parameter
-                                      type: string
-                                    required:
-                                      default: false
-                                      description: Required specifies whether or not
-                                        a value for this parameter must be supplied
-                                        when authoring an Application.
-                                      type: boolean
-                                    type:
-                                      description: 'ValueType indicates the type of
-                                        the parameter value, and only supports basic
-                                        data types: string, number, boolean.'
-                                      enum:
-                                      - string
-                                      - number
-                                      - boolean
-                                      type: string
-                                  required:
-                                  - fieldPaths
-                                  - name
-                                  - type
-                                  type: object
-                                type: array
-                              template:
-                                description: Template defines the raw Kubernetes resource
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                            required:
-                            - template
-                            type: object
                          terraform:
                            description: Terraform is the struct to describe cloud
                              resources managed by Hashicorp Terraform
@@ -937,12 +744,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@@ -958,10 +764,10 @@ spec:
                            type: object
                        type: object
                      stage:
-                        description: Stage defines the stage information to which
-                          this trait resource processing belongs. Currently, PreDispatch
-                          and PostDispatch are provided, which are used to control
-                          resource pre-process and post-process respectively.
+                        description: |-
+                          Stage defines the stage information to which this trait resource processing belongs.
+                          Currently, PreDispatch and PostDispatch are provided, which are used to control resource
+                          pre-process and post-process respectively.
                        type: string
                      status:
                        description: Status defines the custom health policy and status
@@ -971,11 +777,17 @@ spec:
                            description: CustomStatus defines the custom status message
                              that could display to user
                            type: string
+                          details:
+                            description: Details stores a string representation of
+                              a CUE status map to be evaluated at runtime for display
+                            type: string
                          healthPolicy:
                            description: HealthPolicy defines the health check policy
                              for the abstraction
                            type: string
                        type: object
+                      version:
+                        type: string
                      workloadRefPath:
                        description: WorkloadRefPath indicates where/if a trait accepts
                          a workloadRef object
@@ -990,14 +802,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@@ -1008,9 +821,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@@ -1046,16 +859,19 @@ spec:
                  WorkflowStepDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@@ -1088,102 +904,29 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
                        type: object
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the workflow step definition. Only
-                          CUE schematic is supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the workflow step definition.
+                          Only CUE schematic is supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
                            type: object
-                          helm:
-                            description: A Helm represents resources used by a Helm
-                              module
-                            properties:
-                              release:
-                                description: Release records a Helm release used by
-                                  a Helm module workload.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                              repository:
-                                description: HelmRelease records a Helm repository
-                                  used by a Helm module workload.
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                            required:
-                            - release
-                            - repository
-                            type: object
-                          kube:
-                            description: Kube defines the encapsulation in raw Kubernetes
-                              resource format
-                            properties:
-                              parameters:
-                                description: Parameters defines configurable parameters
-                                items:
-                                  description: A KubeParameter defines a configurable
-                                    parameter of a component.
-                                  properties:
-                                    description:
-                                      description: Description of this parameter.
-                                      type: string
-                                    fieldPaths:
-                                      description: "FieldPaths specifies an array
-                                        of fields within this workload that will be
-                                        overwritten by the value of this parameter.
-                                        \tAll fields must be of the same type. Fields
-                                        are specified as JSON field paths without
-                                        a leading dot, for example 'spec.replicas'."
-                                      items:
-                                        type: string
-                                      type: array
-                                    name:
-                                      description: Name of this parameter
-                                      type: string
-                                    required:
-                                      default: false
-                                      description: Required specifies whether or not
-                                        a value for this parameter must be supplied
-                                        when authoring an Application.
-                                      type: boolean
-                                    type:
-                                      description: 'ValueType indicates the type of
-                                        the parameter value, and only supports basic
-                                        data types: string, number, boolean.'
-                                      enum:
-                                      - string
-                                      - number
-                                      - boolean
-                                      type: string
-                                  required:
-                                  - fieldPaths
-                                  - name
-                                  - type
-                                  type: object
-                                type: array
-                              template:
-                                description: Template defines the raw Kubernetes resource
-                                type: object
-                                x-kubernetes-preserve-unknown-fields: true
-                            required:
-                            - template
-                            type: object
                          terraform:
                            description: Terraform is the struct to describe cloud
                              resources managed by Hashicorp Terraform
@@ -1244,12 +987,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@@ -1264,6 +1006,8 @@ spec:
                            - configuration
                            type: object
                        type: object
+                      version:
+                        type: string
                    type: object
                  status:
                    description: WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
@@ -1274,14 +1018,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@@ -1292,9 +1037,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_policies.yaml
+++ b/charts/vela-core/crds/core.oam.dev_policies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: policies.core.oam.dev
 spec:
  group: core.oam.dev
@@ -26,14 +26,19 @@ spec:
        description: Policy is the Schema for the policy API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
--- a/charts/vela-core/crds/core.oam.dev_policydefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_policydefinitions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: policydefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -24,14 +24,19 @@ spec:
        description: PolicyDefinition is the Schema for the policydefinitions API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -46,104 +51,34 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
                type: object
              manageHealthCheck:
-                description: ManageHealthCheck means the policy will handle health
-                  checking and skip application controller built-in health checking.
+                description: |-
+                  ManageHealthCheck means the policy will handle health checking and skip application controller
+                  built-in health checking.
                type: boolean
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the policy definition. Only CUE schematic is supported
-                  for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the policy definition.
+                  Only CUE schematic is supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
                    type: object
-                  helm:
-                    description: A Helm represents resources used by a Helm module
-                    properties:
-                      release:
-                        description: Release records a Helm release used by a Helm
-                          module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                      repository:
-                        description: HelmRelease records a Helm repository used by
-                          a Helm module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - release
-                    - repository
-                    type: object
-                  kube:
-                    description: Kube defines the encapsulation in raw Kubernetes
-                      resource format
-                    properties:
-                      parameters:
-                        description: Parameters defines configurable parameters
-                        items:
-                          description: A KubeParameter defines a configurable parameter
-                            of a component.
-                          properties:
-                            description:
-                              description: Description of this parameter.
-                              type: string
-                            fieldPaths:
-                              description: "FieldPaths specifies an array of fields
-                                within this workload that will be overwritten by the
-                                value of this parameter. \tAll fields must be of the
-                                same type. Fields are specified as JSON field paths
-                                without a leading dot, for example 'spec.replicas'."
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: Name of this parameter
-                              type: string
-                            required:
-                              default: false
-                              description: Required specifies whether or not a value
-                                for this parameter must be supplied when authoring
-                                an Application.
-                              type: boolean
-                            type:
-                              description: 'ValueType indicates the type of the parameter
-                                value, and only supports basic data types: string,
-                                number, boolean.'
-                              enum:
-                              - string
-                              - number
-                              - boolean
-                              type: string
-                          required:
-                          - fieldPaths
-                          - name
-                          - type
-                          type: object
-                        type: array
-                      template:
-                        description: Template defines the raw Kubernetes resource
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - template
-                    type: object
                  terraform:
                    description: Terraform is the struct to describe cloud resources
                      managed by Hashicorp Terraform
@@ -202,11 +137,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@@ -221,6 +156,8 @@ spec:
                    - configuration
                    type: object
                type: object
+              version:
+                type: string
            type: object
          status:
            description: PolicyDefinitionStatus is the status of PolicyDefinition
@@ -231,13 +168,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -248,8 +187,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml
+++ b/charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: resourcetrackers.core.oam.dev
 spec:
  group: core.oam.dev
@@ -38,14 +38,19 @@ spec:
          resources
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -82,36 +87,38 @@ spec:
                    deleted:
                      description: Deleted marks the resource to be deleted
                      type: boolean
-                    env:
-                      type: string
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    raw:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    skipGC:
                      description: SkipGC marks the resource to skip gc
@@ -119,7 +126,9 @@ spec:
                    trait:
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
@@ -130,56 +139,6 @@ spec:
            required:
            - applicationGeneration
            type: object
-          status:
-            description: ResourceTrackerStatus define the status of resourceTracker
-              For backward-compatibility
-            properties:
-              trackedResources:
-                description: Deprecated
-                items:
-                  description: ClusterObjectReference defines the object reference
-                    with cluster.
-                  properties:
-                    apiVersion:
-                      description: API version of the referent.
-                      type: string
-                    cluster:
-                      type: string
-                    creator:
-                      type: string
-                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
-                      type: string
-                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                      type: string
-                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                      type: string
-                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                      type: string
-                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                      type: string
-                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                      type: string
-                  type: object
-                  x-kubernetes-map-type: atomic
-                type: array
-            type: object
        type: object
    served: true
    storage: true
--- a/charts/vela-core/crds/core.oam.dev_scopedefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_scopedefinitions.yaml
@@ -1,83 +0,0 @@
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
-  name: scopedefinitions.core.oam.dev
-spec:
-  group: core.oam.dev
-  names:
-    categories:
-    - oam
-    kind: ScopeDefinition
-    listKind: ScopeDefinitionList
-    plural: scopedefinitions
-    shortNames:
-    - scope
-    singular: scopedefinition
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.definitionRef.name
-      name: DEFINITION-NAME
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: A ScopeDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM scope kind by referencing its CustomResourceDefinition. The
-          CRD is used to validate the schema of the scope when it is embedded in an
-          OAM ApplicationConfiguration.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: A ScopeDefinitionSpec defines the desired state of a ScopeDefinition.
-            properties:
-              allowComponentOverlap:
-                description: AllowComponentOverlap specifies whether an OAM component
-                  may exist in multiple instances of this kind of scope.
-                type: boolean
-              definitionRef:
-                description: Reference to the CustomResourceDefinition that defines
-                  this scope kind.
-                properties:
-                  name:
-                    description: Name of the referenced CustomResourceDefinition.
-                    type: string
-                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
-                    type: string
-                required:
-                - name
-                type: object
-              extension:
-                description: Extension is used for extension needs by OAM platform
-                  builders
-                type: object
-                x-kubernetes-preserve-unknown-fields: true
-              workloadRefsPath:
-                description: WorkloadRefsPath indicates if/where a scope accepts workloadRef
-                  objects
-                type: string
-            required:
-            - allowComponentOverlap
-            - definitionRef
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources: {}
--- a/charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: traitdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -28,20 +28,26 @@ spec:
    name: v1beta1
    schema:
      openAPIV3Schema:
-        description: A TraitDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM trait kind by referencing its CustomResourceDefinition. The
-          CRD is used to validate the schema of the trait when it is embedded in an
-          OAM ApplicationConfiguration.
+        description: |-
+          A TraitDefinition registers a kind of Kubernetes custom resource as a valid
+          OAM trait kind by referencing its CustomResourceDefinition. The CRD is used
+          to validate the schema of the trait when it is embedded in an OAM
+          ApplicationConfiguration.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -49,20 +55,25 @@ spec:
            description: A TraitDefinitionSpec defines the desired state of a TraitDefinition.
            properties:
              appliesToWorkloads:
-                description: AppliesToWorkloads specifies the list of workload kinds
-                  this trait applies to. Workload kinds are specified in resource.group/version
-                  format, e.g. server.core.oam.dev/v1alpha2. Traits that omit this
-                  field apply to all workload kinds.
+                description: |-
+                  AppliesToWorkloads specifies the list of workload kinds this trait
+                  applies to. Workload kinds are specified in resource.group/version format,
+                  e.g. server.core.oam.dev/v1alpha2. Traits that omit this field apply to
+                  all workload kinds.
                items:
                  type: string
                type: array
              conflictsWith:
-                description: 'ConflictsWith specifies the list of traits(CRD name,
-                  Definition name, CRD group) which could not apply to the same workloads
-                  with this trait. Traits that omit this field can work with any other
-                  traits. Example rules: "service" # Trait definition name "services.k8s.io"
-                  # API resource/crd name "*.networking.k8s.io" # API group "labelSelector:foo=bar"
-                  # label selector labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse'
+                description: |-
+                  ConflictsWith specifies the list of traits(CRD name, Definition name, CRD group)
+                  which could not apply to the same workloads with this trait.
+                  Traits that omit this field can work with any other traits.
+                  Example rules:
+                  "service" # Trait definition name
+                  "services.k8s.io" # API resource/crd name
+                  "*.networking.k8s.io" # API group
+                  "labelSelector:foo=bar" # label selector
+                  labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse
                items:
                  type: string
                type: array
@@ -78,9 +89,9 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
@@ -103,92 +114,21 @@ spec:
                  revision
                type: boolean
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the trait. Only CUE and Kube schematic are supported
-                  for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the trait.
+                  Only CUE and Kube schematic are supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
                    type: object
-                  helm:
-                    description: A Helm represents resources used by a Helm module
-                    properties:
-                      release:
-                        description: Release records a Helm release used by a Helm
-                          module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                      repository:
-                        description: HelmRelease records a Helm repository used by
-                          a Helm module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - release
-                    - repository
-                    type: object
-                  kube:
-                    description: Kube defines the encapsulation in raw Kubernetes
-                      resource format
-                    properties:
-                      parameters:
-                        description: Parameters defines configurable parameters
-                        items:
-                          description: A KubeParameter defines a configurable parameter
-                            of a component.
-                          properties:
-                            description:
-                              description: Description of this parameter.
-                              type: string
-                            fieldPaths:
-                              description: "FieldPaths specifies an array of fields
-                                within this workload that will be overwritten by the
-                                value of this parameter. \tAll fields must be of the
-                                same type. Fields are specified as JSON field paths
-                                without a leading dot, for example 'spec.replicas'."
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: Name of this parameter
-                              type: string
-                            required:
-                              default: false
-                              description: Required specifies whether or not a value
-                                for this parameter must be supplied when authoring
-                                an Application.
-                              type: boolean
-                            type:
-                              description: 'ValueType indicates the type of the parameter
-                                value, and only supports basic data types: string,
-                                number, boolean.'
-                              enum:
-                              - string
-                              - number
-                              - boolean
-                              type: string
-                          required:
-                          - fieldPaths
-                          - name
-                          - type
-                          type: object
-                        type: array
-                      template:
-                        description: Template defines the raw Kubernetes resource
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - template
-                    type: object
                  terraform:
                    description: Terraform is the struct to describe cloud resources
                      managed by Hashicorp Terraform
@@ -247,11 +187,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@@ -267,10 +207,10 @@ spec:
                    type: object
                type: object
              stage:
-                description: Stage defines the stage information to which this trait
-                  resource processing belongs. Currently, PreDispatch and PostDispatch
-                  are provided, which are used to control resource pre-process and
-                  post-process respectively.
+                description: |-
+                  Stage defines the stage information to which this trait resource processing belongs.
+                  Currently, PreDispatch and PostDispatch are provided, which are used to control resource
+                  pre-process and post-process respectively.
                type: string
              status:
                description: Status defines the custom health policy and status message
@@ -280,11 +220,17 @@ spec:
                    description: CustomStatus defines the custom status message that
                      could display to user
                    type: string
+                  details:
+                    description: Details stores a string representation of a CUE status
+                      map to be evaluated at runtime for display
+                    type: string
                  healthPolicy:
                    description: HealthPolicy defines the health check policy for
                      the abstraction
                    type: string
                type: object
+              version:
+                type: string
              workloadRefPath:
                description: WorkloadRefPath indicates where/if a trait accepts a
                  workloadRef object
@@ -299,13 +245,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -316,8 +264,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_workflowstepdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_workflowstepdefinitions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.16.5
  name: workflowstepdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -25,14 +25,19 @@ spec:
          API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -47,100 +52,29 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
                type: object
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the workflow step definition. Only CUE schematic
-                  is supported for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the workflow step definition.
+                  Only CUE schematic is supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
                    type: object
-                  helm:
-                    description: A Helm represents resources used by a Helm module
-                    properties:
-                      release:
-                        description: Release records a Helm release used by a Helm
-                          module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                      repository:
-                        description: HelmRelease records a Helm repository used by
-                          a Helm module workload.
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - release
-                    - repository
-                    type: object
-                  kube:
-                    description: Kube defines the encapsulation in raw Kubernetes
-                      resource format
-                    properties:
-                      parameters:
-                        description: Parameters defines configurable parameters
-                        items:
-                          description: A KubeParameter defines a configurable parameter
-                            of a component.
-                          properties:
-                            description:
-                              description: Description of this parameter.
-                              type: string
-                            fieldPaths:
-                              description: "FieldPaths specifies an array of fields
-                                within this workload that will be overwritten by the
-                                value of this parameter. \tAll fields must be of the
-                                same type. Fields are specified as JSON field paths
-                                without a leading dot, for example 'spec.replicas'."
-                              items:
-                                type: string
-                              type: array
-                            name:
-                              description: Name of this parameter
-                              type: string
-                            required:
-                              default: false
-                              description: Required specifies whether or not a value
-                                for this parameter must be supplied when authoring
-                                an Application.
-                              type: boolean
-                            type:
-                              description: 'ValueType indicates the type of the parameter
-                                value, and only supports basic data types: string,
-                                number, boolean.'
-                              enum:
-                              - string
-                              - number
-                              - boolean
-                              type: string
-                          required:
-                          - fieldPaths
-                          - name
-                          - type
-                          type: object
-                        type: array
-                      template:
-                        description: Template defines the raw Kubernetes resource
-                        type: object
-                        x-kubernetes-preserve-unknown-fields: true
-                    required:
-                    - template
-                    type: object
                  terraform:
                    description: Terraform is the struct to describe cloud resources
                      managed by Hashicorp Terraform
@@ -199,11 +133,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@@ -218,6 +152,8 @@ spec:
                    - configuration
                    type: object
                type: object
+              version:
+                type: string
            type: object
          status:
            description: WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
@@ -228,13 +164,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -245,8 +183,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/cue.oam.dev_packages.yaml
+++ b/charts/vela-core/crds/cue.oam.dev_packages.yaml
@@ -0,0 +1,81 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  name: packages.cue.oam.dev
+spec:
+  group: cue.oam.dev
+  names:
+    kind: Package
+    listKind: PackageList
+    plural: packages
+    shortNames:
+    - pkg
+    - cpkg
+    - cuepkg
+    - cuepackage
+    singular: package
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.path
+      name: PATH
+      type: string
+    - jsonPath: .spec.provider.protocol
+      name: PROTO
+      type: string
+    - jsonPath: .spec.provider.endpoint
+      name: ENDPOINT
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Package is an extension for cuex engine
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PackageSpec the spec for Package
+            properties:
+              path:
+                type: string
+              provider:
+                description: Provider the external Provider in Package for cuex to
+                  run functions
+                properties:
+                  endpoint:
+                    type: string
+                  protocol:
+                    description: ProviderProtocol the protocol type for external Provider
+                    type: string
+                required:
+                - endpoint
+                - protocol
+                type: object
+              templates:
+                additionalProperties:
+                  type: string
+                type: object
+            required:
+            - path
+            - templates
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
--- a/charts/vela-core/crds/standard.oam.dev_rollouts.yaml
+++ b/charts/vela-core/crds/standard.oam.dev_rollouts.yaml
@@ -1,477 +0,0 @@
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
-  name: rollouts.standard.oam.dev
-spec:
-  group: standard.oam.dev
-  names:
-    categories:
-    - oam
-    kind: Rollout
-    listKind: RolloutList
-    plural: rollouts
-    shortNames:
-    - rollout
-    singular: rollout
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.rolloutTargetSize
-      name: TARGET
-      type: string
-    - jsonPath: .status.upgradedReplicas
-      name: UPGRADED
-      type: string
-    - jsonPath: .status.upgradedReadyReplicas
-      name: READY
-      type: string
-    - jsonPath: .status.batchRollingState
-      name: BATCH-STATE
-      type: string
-    - jsonPath: .status.rollingState
-      name: ROLLING-STATE
-      type: string
-    - jsonPath: .metadata.creationTimestamp
-      name: AGE
-      type: date
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: Rollout is the Schema for the Rollout API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: RolloutSpec defines how to describe an update between different
-              compRevision
-            properties:
-              componentName:
-                description: ComponentName specify the component name
-                type: string
-              rolloutPlan:
-                description: RolloutPlan is the details on how to rollout the resources
-                properties:
-                  batchPartition:
-                    description: All pods in the batches up to the batchPartition
-                      (included) will have the target resource specification while
-                      the rest still have the source resource This is designed for
-                      the operators to manually rollout Default is the the number
-                      of batches which will rollout all the batches
-                    format: int32
-                    type: integer
-                  canaryMetric:
-                    description: CanaryMetric provides a way for the rollout process
-                      to automatically check certain metrics before complete the process
-                    items:
-                      description: CanaryMetric holds the reference to metrics used
-                        for canary analysis
-                      properties:
-                        interval:
-                          description: Interval represents the windows size
-                          type: string
-                        metricsRange:
-                          description: Range value accepted for this metric
-                          properties:
-                            max:
-                              anyOf:
-                              - type: integer
-                              - type: string
-                              description: Maximum value
-                              x-kubernetes-int-or-string: true
-                            min:
-                              anyOf:
-                              - type: integer
-                              - type: string
-                              description: Minimum value
-                              x-kubernetes-int-or-string: true
-                          type: object
-                        name:
-                          description: Name of the metric
-                          type: string
-                        templateRef:
-                          description: TemplateRef references a metric template object
-                          properties:
-                            apiVersion:
-                              description: API version of the referent.
-                              type: string
-                            fieldPath:
-                              description: 'If referring to a piece of an object instead
-                                of an entire object, this string should contain a
-                                valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
-                                For example, if the object reference is to a container
-                                within a pod, this would take on a value like: "spec.containers{name}"
-                                (where "name" refers to the name of the container
-                                that triggered the event) or if no container name
-                                is specified "spec.containers[2]" (container with
-                                index 2 in this pod). This syntax is chosen only to
-                                have some well-defined way of referencing a part of
-                                an object. TODO: this design is not final and this
-                                field is subject to change in the future.'
-                              type: string
-                            kind:
-                              description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                              type: string
-                            namespace:
-                              description: 'Namespace of the referent. More info:
-                                https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                              type: string
-                            resourceVersion:
-                              description: 'Specific resourceVersion to which this
-                                reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                              type: string
-                            uid:
-                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                              type: string
-                          type: object
-                          x-kubernetes-map-type: atomic
-                      required:
-                      - name
-                      type: object
-                    type: array
-                  numBatches:
-                    description: The number of batches, default = 1
-                    format: int32
-                    type: integer
-                  paused:
-                    description: Paused the rollout, default is false
-                    type: boolean
-                  rolloutBatches:
-                    description: The exact distribution among batches. its size has
-                      to be exactly the same as the NumBatches (if set) The total
-                      number cannot exceed the targetSize or the size of the source
-                      resource We will IGNORE the last batch's replica field if it's
-                      a percentage since round errors can lead to inaccurate sum We
-                      highly recommend to leave the last batch's replica field empty
-                    items:
-                      description: RolloutBatch is used to describe how the each batch
-                        rollout should be
-                      properties:
-                        batchRolloutWebhooks:
-                          description: RolloutWebhooks provides a way for the batch
-                            rollout to interact with an external process
-                          items:
-                            description: RolloutWebhook holds the reference to external
-                              checks used for canary analysis
-                            properties:
-                              expectedStatus:
-                                description: ExpectedStatus contains all the expected
-                                  http status code that we will accept as success
-                                items:
-                                  type: integer
-                                type: array
-                              metadata:
-                                additionalProperties:
-                                  type: string
-                                description: Metadata (key-value pairs) for this webhook
-                                type: object
-                              method:
-                                description: Method the HTTP call method, default
-                                  is POST
-                                type: string
-                              name:
-                                description: Name of this webhook
-                                type: string
-                              type:
-                                description: Type of this webhook
-                                type: string
-                              url:
-                                description: URL address of this webhook
-                                type: string
-                            required:
-                            - name
-                            - type
-                            - url
-                            type: object
-                          type: array
-                        canaryMetric:
-                          description: CanaryMetric provides a way for the batch rollout
-                            process to automatically check certain metrics before
-                            moving to the next batch
-                          items:
-                            description: CanaryMetric holds the reference to metrics
-                              used for canary analysis
-                            properties:
-                              interval:
-                                description: Interval represents the windows size
-                                type: string
-                              metricsRange:
-                                description: Range value accepted for this metric
-                                properties:
-                                  max:
-                                    anyOf:
-                                    - type: integer
-                                    - type: string
-                                    description: Maximum value
-                                    x-kubernetes-int-or-string: true
-                                  min:
-                                    anyOf:
-                                    - type: integer
-                                    - type: string
-                                    description: Minimum value
-                                    x-kubernetes-int-or-string: true
-                                type: object
-                              name:
-                                description: Name of the metric
-                                type: string
-                              templateRef:
-                                description: TemplateRef references a metric template
-                                  object
-                                properties:
-                                  apiVersion:
-                                    description: API version of the referent.
-                                    type: string
-                                  fieldPath:
-                                    description: 'If referring to a piece of an object
-                                      instead of an entire object, this string should
-                                      contain a valid JSON/Go field access statement,
-                                      such as desiredState.manifest.containers[2].
-                                      For example, if the object reference is to a
-                                      container within a pod, this would take on a
-                                      value like: "spec.containers{name}" (where "name"
-                                      refers to the name of the container that triggered
-                                      the event) or if no container name is specified
-                                      "spec.containers[2]" (container with index 2
-                                      in this pod). This syntax is chosen only to
-                                      have some well-defined way of referencing a
-                                      part of an object. TODO: this design is not
-                                      final and this field is subject to change in
-                                      the future.'
-                                    type: string
-                                  kind:
-                                    description: 'Kind of the referent. More info:
-                                      https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                                    type: string
-                                  name:
-                                    description: 'Name of the referent. More info:
-                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
-                                    type: string
-                                  namespace:
-                                    description: 'Namespace of the referent. More
-                                      info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
-                                    type: string
-                                  resourceVersion:
-                                    description: 'Specific resourceVersion to which
-                                      this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
-                                    type: string
-                                  uid:
-                                    description: 'UID of the referent. More info:
-                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
-                                    type: string
-                                type: object
-                                x-kubernetes-map-type: atomic
-                            required:
-                            - name
-                            type: object
-                          type: array
-                        instanceInterval:
-                          description: The wait time, in seconds, between instances
-                            upgrades, default = 0
-                          format: int32
-                          type: integer
-                        maxUnavailable:
-                          anyOf:
-                          - type: integer
-                          - type: string
-                          description: MaxUnavailable is the max allowed number of
-                            pods that is unavailable during the upgrade. We will mark
-                            the batch as ready as long as there are less or equal
-                            number of pods unavailable than this number. default =
-                            0
-                          x-kubernetes-int-or-string: true
-                        podList:
-                          description: The list of Pods to get upgraded it is mutually
-                            exclusive with the Replicas field
-                          items:
-                            type: string
-                          type: array
-                        replicas:
-                          anyOf:
-                          - type: integer
-                          - type: string
-                          description: 'Replicas is the number of pods to upgrade
-                            in this batch it can be an absolute number (ex: 5) or
-                            a percentage of total pods we will ignore the percentage
-                            of the last batch to just fill the gap it is mutually
-                            exclusive with the PodList field'
-                          x-kubernetes-int-or-string: true
-                      type: object
-                    type: array
-                  rolloutStrategy:
-                    description: RolloutStrategy defines strategies for the rollout
-                      plan The default is IncreaseFirstRolloutStrategyType
-                    type: string
-                  rolloutWebhooks:
-                    description: RolloutWebhooks provide a way for the rollout to
-                      interact with an external process
-                    items:
-                      description: RolloutWebhook holds the reference to external
-                        checks used for canary analysis
-                      properties:
-                        expectedStatus:
-                          description: ExpectedStatus contains all the expected http
-                            status code that we will accept as success
-                          items:
-                            type: integer
-                          type: array
-                        metadata:
-                          additionalProperties:
-                            type: string
-                          description: Metadata (key-value pairs) for this webhook
-                          type: object
-                        method:
-                          description: Method the HTTP call method, default is POST
-                          type: string
-                        name:
-                          description: Name of this webhook
-                          type: string
-                        type:
-                          description: Type of this webhook
-                          type: string
-                        url:
-                          description: URL address of this webhook
-                          type: string
-                      required:
-                      - name
-                      - type
-                      - url
-                      type: object
-                    type: array
-                  targetSize:
-                    description: The size of the target resource. The default is the
-                      same as the size of the source resource.
-                    format: int32
-                    type: integer
-                type: object
-              sourceRevisionName:
-                description: SourceRevisionName contains the name of the componentRevisionName  that
-                  we need to upgrade from. it can be empty only when it's the first
-                  time to deploy the application
-                type: string
-              targetRevisionName:
-                description: TargetRevisionName contains the name of the componentRevisionName
-                  that we need to upgrade to.
-                type: string
-            required:
-            - componentName
-            - rolloutPlan
-            - targetRevisionName
-            type: object
-          status:
-            description: CompRolloutStatus defines the observed state of rollout
-            properties:
-              LastSourceRevision:
-                description: LastSourceRevision contains the name of the componentRevisionName
-                  that we need to upgrade from. We will restart the rollout if this
-                  is not the same as the spec
-                type: string
-              batchRollingState:
-                description: BatchRollingState only meaningful when the Status is
-                  rolling
-                type: string
-              conditions:
-                description: Conditions of the resource.
-                items:
-                  description: A Condition that may apply to a resource.
-                  properties:
-                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
-                      format: date-time
-                      type: string
-                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
-                      type: string
-                    reason:
-                      description: A Reason for this condition's last transition from
-                        one status to another.
-                      type: string
-                    status:
-                      description: Status of this condition; is it currently True,
-                        False, or Unknown?
-                      type: string
-                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              currentBatch:
-                description: The current batch the rollout is working on/blocked it
-                  starts from 0
-                format: int32
-                type: integer
-              lastAppliedPodTemplateIdentifier:
-                description: lastAppliedPodTemplateIdentifier is a string that uniquely
-                  represent the last pod template each workload type could use different
-                  ways to identify that so we cannot compare between resources We
-                  update this field only after a successful rollout
-                type: string
-              lastTargetRevision:
-                description: LastUpgradedTargetRevision contains the name of the componentRevisionName
-                  that we upgraded to We will restart the rollout if this is not the
-                  same as the spec
-                type: string
-              rollingState:
-                description: RollingState is the Rollout State
-                type: string
-              rolloutOriginalSize:
-                description: RolloutTargetSize is the size of the target resources.
-                  This is determined once the initial spec verification and does not
-                  change until the rollout is restarted
-                format: int32
-                type: integer
-              rolloutTargetSize:
-                description: RolloutTargetSize is the size of the target resources.
-                  This is determined once the initial spec verification and does not
-                  change until the rollout is restarted
-                format: int32
-                type: integer
-              targetGeneration:
-                description: NewPodTemplateIdentifier is a string that uniquely represent
-                  the new pod template each workload type could use different ways
-                  to identify that so we cannot compare between resources
-                type: string
-              upgradedReadyReplicas:
-                description: UpgradedReadyReplicas is the number of Pods upgraded
-                  by the rollout controller that have a Ready Condition.
-                format: int32
-                type: integer
-              upgradedReplicas:
-                description: UpgradedReplicas is the number of Pods upgraded by the
-                  rollout controller
-                format: int32
-                type: integer
-            required:
-            - currentBatch
-            - lastTargetRevision
-            - rollingState
-            - upgradedReadyReplicas
-            - upgradedReplicas
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
--- a/charts/vela-core/templates/NOTES.txt
+++ b/charts/vela-core/templates/NOTES.txt
@@ -29,3 +29,36 @@ Welcome to use the KubeVela! Enjoy your shipping application journey!


 You can refer to https://kubevela.io for more details.
+
+{{- if and .Values.authentication.enabled (not .Values.authentication.withUser) }}
+
+WARNING: Authentication is enabled but withUser is disabled.
+   This configuration provides NO security benefit:
+   - All applications will run as '{{ .Values.authentication.defaultUser }}' regardless of who creates them
+   - User groups matching '{{ .Values.authentication.groupPattern }}' are still collected but not used effectively
+   - Service account annotations are blocked
+   
+   To enable true user impersonation for security:
+     --set authentication.withUser=true
+{{- end }}
+
+{{- if and (not .Values.authorization.definitionValidationEnabled) (not .Values.authentication.enabled) }}
+
+SECURITY RECOMMENDATION: Both authentication and definition validation are disabled.
+   If KubeVela is running with cluster-admin or other high-level permissions,
+   consider enabling one or both security features:
+
+   1. Authentication with impersonation (recommended for multi-tenant environments):
+      --set authentication.enabled=true 
+      --set authentication.withUser=true
+      This makes KubeVela impersonate the requesting user, applying their RBAC permissions.
+      Note: Both flags must be enabled for user impersonation to work.
+
+   2. Definition permission validation (lightweight RBAC for definitions):
+      --set authorization.definitionValidationEnabled=true
+      This ensures users can only reference definitions they have access to.
+
+   Using both features together provides defense in depth.
+   Without these protections, users can leverage KubeVela's permissions to deploy
+   resources beyond their intended access level.
+{{- end }}
--- a/charts/vela-core/templates/addon_registry.yaml
+++ b/charts/vela-core/templates/addon_registry.yaml
@@ -8,7 +8,7 @@ data:
  "KubeVela":{
    "name": "KubeVela",
    "helm": {
-      "url": "https://addons.kubevela.net"
+      "url": "https://kubevela.github.io/catalog/official"
    }
  }
 }'
--- a/charts/vela-core/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -4,7 +4,7 @@ kind: ClusterRole
 metadata:
  name:  {{ template "kubevela.fullname" . }}-admission
  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission
--- a/charts/vela-core/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@@ -4,7 +4,7 @@ kind: ClusterRoleBinding
 metadata:
  name:  {{ template "kubevela.fullname" . }}-admission
  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission
--- a/charts/vela-core/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name:  {{ template "kubevela.fullname" . }}-admission-create
+  name: {{ template "kubevela.fullname" . }}-admission-create
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
@@ -17,7 +17,7 @@ spec:
  {{- end }}
  template:
    metadata:
-      name:  {{ template "kubevela.fullname" . }}-admission-create
+      name: {{ template "kubevela.fullname" . }}-admission-create
      labels:
        app: {{ template "kubevela.name" . }}-admission-create
        {{- include "kubevela.labels" . | nindent 8 }}
@@ -39,17 +39,26 @@ spec:
            - --cert-name=tls.crt
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
-      {{- with .Values.admissionWebhooks.patch.nodeSelector }}
+      {{- if .Values.admissionWebhooks.patch.nodeSelector }}
      nodeSelector:
-      {{- toYaml . | nindent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+      {{- else if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.affinity }}
+      {{- if .Values.admissionWebhooks.patch.affinity }}
      affinity:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.affinity | nindent 8 }}
+      {{- else if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.tolerations }}
+      {{- if .Values.admissionWebhooks.patch.tolerations }}
      tolerations:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.tolerations | nindent 8 }}
+      {{- else if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
      {{- end }}
      securityContext:
        runAsGroup: 2000
--- a/charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -2,10 +2,10 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name:  {{ template "kubevela.fullname" . }}-admission-patch
+  name: {{ template "kubevela.fullname" . }}-admission-patch
  namespace: {{ .Release.Namespace }}
  annotations:
-    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook": post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission-patch
@@ -17,7 +17,7 @@ spec:
  {{- end }}
  template:
    metadata:
-      name:  {{ template "kubevela.fullname" . }}-admission-patch
+      name: {{ template "kubevela.fullname" . }}-admission-patch
      labels:
        app: {{ template "kubevela.name" . }}-admission-patch
        {{- include "kubevela.labels" . | nindent 8 }}
@@ -41,13 +41,26 @@ spec:
            {{- end }}
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
-      {{- with .Values.admissionWebhooks.patch.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
+      {{- if .Values.admissionWebhooks.patch.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+      {{- else if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.tolerations }}
+      {{- if .Values.admissionWebhooks.patch.affinity }}
+      affinity:
+      {{- toYaml .Values.admissionWebhooks.patch.affinity | nindent 8 }}
+      {{- else if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.admissionWebhooks.patch.tolerations }}
      tolerations:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.tolerations | nindent 8 }}
+      {{- else if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
      {{- end }}
      securityContext:
        runAsGroup: 2000
--- a/charts/vela-core/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/role.yaml
@@ -5,7 +5,7 @@ metadata:
  name:  {{ template "kubevela.fullname" . }}-admission
  namespace: {{ .Release.Namespace }}
  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-rollback
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kubevela.name" . }}-admission
--- a/Show More
+++ b/Show More