Chore: (deps): Bump goreleaser/goreleaser-action from 5.0.0 to 6.3.0 (#6775 )

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 5.0.0 to 6.3.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](7ec5c2b0c6...9c156ee8a1) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Chore: (deps): Bump github.com/go-git/go-git/v5 from 5.13.1 to 5.16.0 (#6764 )
2026-02-27 08:14:21 +00:00 · 2025-05-06 10:24:31 +05:30 · 2025-05-03 12:55:40 +05:30 · 2025-05-03 12:55:00 +05:30 · 2025-05-03 12:54:05 +05:30 · 2025-05-01 14:31:11 +05:30
549 changed files with 41793 additions and 9364 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,35 +1,35 @@
 # This file is a github code protect rule follow the codeowners https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-code-owners#example-of-a-codeowners-file

-*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq
-design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong
+*                                  @barnettZQG @wonderflow @leejanee @Somefive @jefree-cat @FogDong @wangyikewxgm @chivalryq @anoop2811
+design/                            @barnettZQG @leejanee @wonderflow @Somefive @jefree-cat @FogDong @anoop2811

 # Owner of Core Controllers
-pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq
+pkg/controller/core.oam.dev       @Somefive @FogDong @barnettZQG @wonderflow @wangyikewxgm @chivalryq @anoop2811

 # Owner of Standard Controllers
-pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive
+pkg/controller/standard.oam.dev   @wangyikewxgm @barnettZQG @wonderflow @Somefive @anoop2811 @FogDong

 # Owner of CUE
-pkg/cue                            @leejanee @FogDong @Somefive
-pkg/stdlib                         @leejanee @FogDong @Somefive
+pkg/cue                            @leejanee @FogDong @Somefive @anoop2811
+pkg/stdlib                         @leejanee @FogDong @Somefive @anoop2811

 # Owner of Workflow
-pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq
+pkg/workflow                       @leejanee @FogDong @Somefive @wangyikewxgm @chivalryq @anoop2811

 # Owner of vela templates
-vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq
+vela-templates/                     @Somefive @barnettZQG @wonderflow @FogDong @wangyikewxgm @chivalryq @anoop2811

 # Owner of vela CLI
-references/cli/                     @Somefive @zzxwill @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq
+references/cli/                     @Somefive @StevenLeiZhang @charlie0129 @wangyikewxgm @chivalryq @anoop2811 @FogDong

 # Owner of vela addon framework
-pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129
+pkg/addon/                         @wangyikewxgm @wonderflow @charlie0129 @anoop2811 @FogDong

 # Owner of resource keeper and tracker
-pkg/resourcekeeper                 @Somefive @FogDong @chivalryq
-pkg/resourcetracker                @Somefive @FogDong @chivalryq
+pkg/resourcekeeper                 @Somefive @FogDong @chivalryq @anoop2811
+pkg/resourcetracker                @Somefive @FogDong @chivalryq @anoop2811

-.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
-makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
-go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm
+.github/                           @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811
+makefiles                          @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811
+go.*                               @chivalryq @wonderflow @Somefive @FogDong @wangyikewxgm @anoop2811

--- a/.github/workflows/back-port.yml
+++ b/.github/workflows/back-port.yml
@@ -17,12 +17,12 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0

      - name: Open Backport PR
-        uses: zeebe-io/backport-action@bf5fdd624b35f95d5b85991a728bd5744e8c6cf2
+        uses: zeebe-io/backport-action@08bafb375e6e9a9a2b53a744b987e5d81a133191
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -17,7 +17,7 @@ jobs:
      HELM_CHART_NAME: vela-core
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Get git revision
        id: vars
        shell: bash
@@ -28,7 +28,7 @@ jobs:
        with:
          version: v3.4.0
      - name: Setup node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
          node-version: '14'
      - name: Generate helm doc
@@ -47,7 +47,7 @@ jobs:
          chart_smever=${chart_version#"v"}
          sed -i "s/0.1.0/$chart_smever/g" $HELM_CHART/Chart.yaml

-      - uses: jnwng/github-app-installation-token-action@v2
+      - uses: jnwng/github-app-installation-token-action@c54add4c02866dc41e106745ac6dcf5cdd6339e5 # v2
        id: get_app_token
        with:
          appId: 340472
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,15 +23,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
-        uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/autobuild@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -15,7 +15,7 @@ jobs:
  check:
    runs-on: ubuntu-22.04
    steps:
-      - uses: thehanimo/pr-title-checker@v1.4.0
+      - uses: thehanimo/pr-title-checker@5652588c80c479af803eabfbdb5a3895a77c1388 # v1.4.1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          pass_on_octokit_error: true
--- a/.github/workflows/core-api-test.yml
+++ b/.github/workflows/core-api-test.yml
@@ -16,16 +16,16 @@ jobs:
  core-api-test:
    runs-on: ubuntu-22.04
    steps:
-      - name: Set up Go 1.19
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+      - name: Set up Go 1.23.8
+        uses: actions/setup-go@v5
        env:
-          GO_VERSION: '1.19'
+          GO_VERSION: '1.23.8'
        with:
          go-version: ${{ env.GO_VERSION }}
        id: go

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Get the version
        id: get_version
--- a/.github/workflows/definition-lint.yml
+++ b/.github/workflows/definition-lint.yml
@@ -16,19 +16,19 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:
  definition-doc:
    runs-on: ubuntu-22.04
    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

--- a/.github/workflows/e2e-multicluster-test.yml
+++ b/.github/workflows/e2e-multicluster-test.yml
@@ -18,7 +18,7 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:

@@ -31,7 +31,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -39,19 +39,19 @@ jobs:
        continue-on-error: true

  e2e-multi-cluster-tests:
-    runs-on: self-hosted
+    runs-on: ubuntu-22.04
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ["v1.26"]
+        k8s-version: ["v1.29"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Install tools
        run: |
@@ -61,7 +61,7 @@ jobs:
          sudo snap install helm --classic

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

@@ -71,12 +71,12 @@ jobs:

      - name: Setup KinD
        run: |
-          go install sigs.k8s.io/kind@v0.19.0
+          go install sigs.k8s.io/kind@v0.24.0
          kind delete cluster --name worker || true
-          kind create cluster --name worker --image=kindest/node:v1.26.4
+          kind create cluster --name worker --image=kindest/node:v1.29.8
          kind export kubeconfig --internal --name worker --kubeconfig /tmp/worker.kubeconfig
          kind delete cluster || true
-          kind create cluster --image=kindest/node:v1.26.4
+          kind create cluster --image=kindest/node:v1.29.8

      - name: Load image
        run: |
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@@ -18,7 +18,7 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:

@@ -31,7 +31,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -39,19 +39,19 @@ jobs:
        continue-on-error: true

  e2e-tests:
-    runs-on: self-hosted
+    runs-on: ubuntu-22.04
    needs: [ detect-noop ]
    if: needs.detect-noop.outputs.noop != 'true'
    strategy:
      matrix:
-        k8s-version: ["v1.26"]
+        k8s-version: ["v1.29"]
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.k8s-version }}
      cancel-in-progress: true

    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Install tools
        run: |
@@ -61,7 +61,7 @@ jobs:
          sudo snap install helm --classic

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

@@ -71,14 +71,13 @@ jobs:

      - name: Setup KinD
        run: |
-          go install sigs.k8s.io/kind@v0.19.0
+          go install sigs.k8s.io/kind@v0.24.0
          kind delete cluster || true
-          kind create cluster
+          kind create cluster --image=kindest/node:v1.29.8

      - name: Get Ginkgo
        run: |
-          go install github.com/onsi/ginkgo/v2/ginkgo@v2.10.0
-          go get github.com/onsi/gomega/...
+          go install github.com/onsi/ginkgo/v2/ginkgo@v2.14.0

      - name: Load image
        run: |
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -11,16 +11,15 @@ on:
      - master
      - release-*

-permissions:  # added using https://github.com/step-security/secure-workflows
+permissions: # added using https://github.com/step-security/secure-workflows
  contents: read

 env:
  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
+  GO_VERSION: "1.23.8"
+  GOLANGCI_VERSION: "v1.60.1"

 jobs:
-
  detect-noop:
    runs-on: ubuntu-22.04
    outputs:
@@ -30,7 +29,7 @@ jobs:
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -44,12 +43,12 @@ jobs:

    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

@@ -64,17 +63,17 @@ jobs:
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests

    steps:
      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

@@ -83,7 +82,7 @@ jobs:
      # version, but we prefer this action because it leaves 'annotations' (i.e.
      # it comments on PRs to point out linter violations).
      - name: Lint
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
+        uses: golangci/golangci-lint-action@v6
        with:
          version: ${{ env.GOLANGCI_VERSION }}

@@ -94,22 +93,22 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Setup node
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
-          node-version: '14'
+          node-version: "14"

      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -128,7 +127,7 @@ jobs:
        run: |
          export PATH=$(pwd)/bin/:$PATH
          make check-diff
-              
+
      - name: Cleanup binary
        run: make build-cleanup

@@ -139,17 +138,17 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -170,15 +169,15 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - name: Build Test for vela core
-        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile
@@ -190,15 +189,15 @@ jobs:
    if: needs.detect-noop.outputs.noop != 'true'
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - name: Build Test for CLI
-        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
-          file: Dockerfile.cli
+          file: Dockerfile.cli
--- a/.github/workflows/issue-commands.yml
+++ b/.github/workflows/issue-commands.yml
@@ -7,6 +7,7 @@ on:

 permissions:
  contents: read
+  issues: write

 jobs:
  bot:
@@ -16,23 +17,23 @@ jobs:
      issues: write
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          repository: "oam-dev/kubevela-github-actions"
          path: ./actions
          ref: v0.4.2
      - name: Setup Node.js
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
-          node-version: '14'
-          cache: 'npm'
+          node-version: "14"
+          cache: "npm"
          cache-dependency-path: ./actions/package-lock.json
      - name: Install Dependencies
        run: npm ci --production --prefix ./actions
      - name: Run Commands
        uses: ./actions/commands
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GH_KUBEVELA_COMMAND_WORKFLOW }}
          configPath: issue-commands

  backport:
@@ -47,14 +48,14 @@ jobs:
        id: command
        uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88
        with:
-          repo-token: ${{ secrets.VELA_BOT_TOKEN }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
          command: backport
          reaction: "true"
          reaction-type: "eyes"
          allow-edits: "false"
          permission-level: read
      - name: Handle Command
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          VERSION: ${{ steps.command.outputs.command-arguments }}
        with:
@@ -75,11 +76,11 @@ jobs:
            })
            console.log("Added '" + label + "' label.")
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
      - name: Open Backport PR
-        uses: zeebe-io/backport-action@bf5fdd624b35f95d5b85991a728bd5744e8c6cf2
+        uses: zeebe-io/backport-action@08bafb375e6e9a9a2b53a744b987e5d81a133191
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          github_workspace: ${{ github.workspace }}
@@ -93,7 +94,7 @@ jobs:
      issues: write
    steps:
      - name: Retest the current pull request
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          PULL_REQUEST_ID: ${{ github.event.issue.number }}
          COMMENT_ID: ${{ github.event.comment.id }}
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -9,7 +9,6 @@ on:
    branches:
      - master
      - release-*
-      -
 permissions:
  contents: read

@@ -18,9 +17,9 @@ jobs:
    runs-on: ubuntu-22.04
    name: Check for unapproved licenses
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
        with:
          ruby-version: 2.6
      - name: Install dependencies
--- a/.github/workflows/registry.yml
+++ b/.github/workflows/registry.yml
@@ -1,23 +1,45 @@
 name: Registry
+
 on:
  push:
    branches:
      - master
    tags:
-      - "v*"
+      - 'v*'
  workflow_dispatch: {}

 permissions:
  contents: read

 jobs:
-  publish-core-images:
+  publish-vela-images:
+    name: Build and Push Vela Images
    permissions:
      packages: write
+      id-token: write
+      attestations: write
+      contents: write
    runs-on: ubuntu-22.04
+    outputs:
+      vela_core_image: ${{ steps.meta-vela-core.outputs.image }}
+      vela_core_digest: ${{ steps.meta-vela-core.outputs.digest }}
+      vela_core_dockerhub_image: ${{ steps.meta-vela-core.outputs.dockerhub_image }}
+      vela_cli_image: ${{ steps.meta-vela-cli.outputs.image }}
+      vela_cli_digest: ${{ steps.meta-vela-cli.outputs.digest }}
+      vela_cli_dockerhub_image: ${{ steps.meta-vela-cli.outputs.dockerhub_image }}
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-      - name: Get the version
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.1
+
+      - name: Install Crane
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.1
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # main
+        with:
+          cosign-release: 'v2.5.0'
+
+      - name: Get the image version
        id: get_version
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
@@ -25,34 +47,41 @@ jobs:
            VERSION=latest
          fi
          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+
      - name: Get git revision
        id: vars
        shell: bash
        run: |
          echo "git_revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-      - name: Login ghcr.io
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+
+      - name: Login to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login docker.io
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
-      - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        with:
          driver-opts: image=moby/buildkit:master

-      - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
-        name: Build & Pushing vela-core for Dockerhub, GHCR
+      - name: Build & Push Vela Core for Dockerhub, GHCR
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile
-          labels: |-
+          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
@@ -61,16 +90,55 @@ jobs:
            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
            VERSION=${{ steps.get_version.outputs.VERSION }}
            GOPROXY=https://proxy.golang.org
-          tags: |-
+          tags: |
            docker.io/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}

-      - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
-        name: Build & Pushing CLI for Dockerhub, GHCR
+      - name: Get Vela Core Image Digest
+        id: meta-vela-core
+        run: |
+          GHCR_IMAGE=ghcr.io/${{ github.repository_owner }}/oamdev/vela-core
+          DOCKER_IMAGE=docker.io/oamdev/vela-core
+          TAG=${{ steps.get_version.outputs.VERSION }}
+
+          DIGEST=$(crane digest $GHCR_IMAGE:$TAG)
+
+          echo "image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
+          echo "dockerhub_image=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM for Vela Core Image
+        id: generate_vela_core_sbom
+        uses: anchore/sbom-action@v0.17.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/oamdev/vela-core:${{ steps.get_version.outputs.VERSION }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          format: spdx-json
+          artifact-name: sbom-vela-core.spdx.json
+          output-file: ${{ github.workspace }}/sbom-vela-core.spdx.json
+
+      - name: Sign Vela Core Image and Attest SBOM
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
+        run: |
+          echo "signing vela core images..."
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+          cosign sign --yes docker.io/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+          echo "attesting SBOM against the vela core image..."
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-core.spdx.json --type spdx \
+          ghcr.io/${{ github.repository_owner }}/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-core.spdx.json --type spdx \
+          docker.io/oamdev/vela-core@${{ steps.meta-vela-core.outputs.digest }}
+
+      - name: Build & Push Vela CLI for Dockerhub, GHCR
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: .
          file: Dockerfile.cli
-          labels: |-
+          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
@@ -79,6 +147,100 @@ jobs:
            GITVERSION=git-${{ steps.vars.outputs.git_revision }}
            VERSION=${{ steps.get_version.outputs.VERSION }}
            GOPROXY=https://proxy.golang.org
-          tags: |-
+          tags: |
            docker.io/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
            ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+
+      - name: Get Vela CLI Image Digest
+        id: meta-vela-cli
+        run: |
+          GHCR_IMAGE=ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli
+          DOCKER_IMAGE=docker.io/oamdev/vela-cli
+          TAG=${{ steps.get_version.outputs.VERSION }}
+
+          DIGEST=$(crane digest $GHCR_IMAGE:$TAG)
+
+          echo "image=$GHCR_IMAGE" >> $GITHUB_OUTPUT
+          echo "dockerhub_image=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM for Vela CLI Image
+        id: generate_sbom
+        uses: anchore/sbom-action@v0.17.0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli:${{ steps.get_version.outputs.VERSION }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          format: spdx-json
+          artifact-name: sbom-vela-cli.spdx.json
+          output-file: ${{ github.workspace }}/sbom-vela-cli.spdx.json
+
+      - name: Sign Vela CLI Image and Attest SBOM
+        env:
+          COSIGN_EXPERIMENTAL: 'true'
+        run: |
+          echo "signing vela CLI images..."
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+          cosign sign --yes docker.io/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}      
+
+          echo "attesting SBOM against the vela cli image..."
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-cli.spdx.json --type spdx \
+          ghcr.io/${{ github.repository_owner }}/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+
+          cosign attest --yes --predicate ${{ github.workspace }}/sbom-vela-cli.spdx.json --type spdx \
+          docker.io/oamdev/vela-cli@${{ steps.meta-vela-cli.outputs.digest }}
+
+      - name: Publish SBOMs as release artifacts
+        uses: anchore/sbom-action/publish-sbom@v0.17.0
+
+  provenance-ghcr:
+    name: Generate and Push Provenance to GCHR
+    needs: publish-vela-images
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      matrix:
+        include:
+          - name: 'Vela Core Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_core_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_core_digest }}
+          - name: 'Vela CLI Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_cli_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_cli_digest }}
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 # has to be sem var
+    with:
+      image: ${{ matrix.image }}
+      digest: ${{ matrix.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  provenance-dockerhub:
+    name: Generate and Push Provenance to DockerHub
+    needs: publish-vela-images
+    if: startsWith(github.ref, 'refs/tags/')
+    strategy:
+      matrix:
+        include:
+          - name: 'Vela Core Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_core_dockerhub_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_core_digest }}
+          - name: 'Vela CLI Image'
+            image: ${{ needs.publish-vela-images.outputs.vela_cli_dockerhub_image }}
+            digest: ${{ needs.publish-vela-images.outputs.vela_cli_digest }}
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ matrix.image }}
+      digest: ${{ matrix.digest }}
+      registry-username: oamdev
+    secrets:
+      registry-password: ${{ secrets.DOCKER_PASSWORD }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,14 +3,16 @@ name: Release
 on:
  push:
    tags:
-      - "v*"
-  workflow_dispatch: { }
+      - 'v*'
+  workflow_dispatch: {}

 permissions:
  contents: read

 jobs:
-  build:
+  goreleaser:
+    name: goreleaser
+    runs-on: ubuntu-22.04
    permissions:
      contents: write
      actions: read
@@ -20,27 +22,54 @@ jobs:
      pull-requests: read
      repository-projects: read
      statuses: read
-    runs-on: ubuntu-22.04
-    name: goreleaser
+      id-token: write
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          fetch-depth: 0
-      - run: git fetch --force --tags
+
+      - name: Get Git tags
+        run: git fetch --force --tags
+
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
-          go-version: 1.19
+          go-version: 1.23.8
          cache: true
-      - uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v2.5.0'
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          distribution: goreleaser
          version: 1.14.1
          args: release --rm-dist --timeout 60m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate hashes
+        id: hash
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          set -euo pipefail
+          HASHES=$(find dist -type f -exec sha256sum {} \; | base64 -w0)
+          echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"
+
  upload-plugin-homebrew:
+    name: upload-sha256sums
+    needs: goreleaser
+    runs-on: ubuntu-22.04
+    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
    permissions:
      contents: write
      actions: read
@@ -50,13 +79,9 @@ jobs:
      pull-requests: read
      repository-projects: read
      statuses: read
-    needs: build
-    runs-on: ubuntu-22.04
-    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
-    name: upload-sha256sums
    steps:
      - name: Checkout
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Update kubectl plugin version in krew-index
        uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
      - name: Update Homebrew formula
@@ -67,3 +92,16 @@ jobs:
          tag: ${{ github.ref }}
          revision: ${{ github.sha }}
          force: false
+
+  provenance-vela-bins:
+    name: generate provenance for binaries
+    needs: [goreleaser]
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # has to be sem var
+    with:
+      base64-subjects: '${{ needs.goreleaser.outputs.hashes }}'
+      upload-assets: true
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -23,12 +23,12 @@ jobs:

    steps:
      - name: "Checkout code"
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          persist-credentials: false

      - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # tag=v2.2.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # tag=v2.4.1
        with:
          results_file: results.sarif
          results_format: sarif
@@ -47,7 +47,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@134dcf33c0b9454c4b17a936843d7e21dccdc335 # v4.3.6
        with:
          name: SARIF file
          path: results.sarif
@@ -55,6 +55,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
        with:
          sarif_file: results.sarif
--- a/.github/workflows/sdk-test.yml
+++ b/.github/workflows/sdk-test.yml
@@ -18,18 +18,18 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
-  GOLANGCI_VERSION: 'v1.49'
+  GO_VERSION: '1.23.8'
+  GOLANGCI_VERSION: 'v1.60.1'

 jobs:
  sdk-tests:
    runs-on: ubuntu-22.04
    steps:
      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Setup Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

@@ -38,6 +38,11 @@ jobs:
          make goimports
          make golangci

+      - name: Setup KinD
+        run: |
+          go install sigs.k8s.io/kind@v0.19.0
+          kind create cluster
+
      - name: Build CLI
        run: make vela-cli

--- a/.github/workflows/sync-api.yml
+++ b/.github/workflows/sync-api.yml
@@ -11,19 +11,19 @@ permissions:
  contents: read

 env:
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:
  sync-core-api:
    runs-on: ubuntu-22.04
    steps:
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Get the version
        id: get_version
--- a/.github/workflows/sync-sdk.yaml
+++ b/.github/workflows/sync-sdk.yaml
@@ -15,19 +15,19 @@ permissions:
  contents: read

 env:
-  GO_VERSION: '1.19'
+  GO_VERSION: '1.23.8'

 jobs:
  sync_sdk:
    runs-on: ubuntu-22.04
    steps:
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Get the version
        id: get_version
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -13,21 +13,21 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

      - name: Build Vela Core image from Dockerfile
        run: |
          docker build --build-arg GOPROXY=https://proxy.golang.org -t docker.io/oamdev/vela-core:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner for vela core
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
        with:
          image-ref: 'docker.io/oamdev/vela-core:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -5,7 +5,7 @@ on:
    branches:
      - master
      - release-*
-  workflow_dispatch: { }
+  workflow_dispatch: {}
  pull_request:
    branches:
      - master
@@ -16,20 +16,19 @@ permissions:

 env:
  # Common versions
-  GO_VERSION: '1.19'
+  GO_VERSION: "1.23.8"

 jobs:
-
  detect-noop:
    permissions:
-      actions: write  # for fkirc/skip-duplicate-actions to skip or stop workflow runs
+      actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
    runs-on: ubuntu-22.04
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - name: Detect No-op Changes
        id: noop
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.mdx", "**.png", "**.jpg"]'
@@ -43,17 +42,17 @@ jobs:

    steps:
      - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Check out code into the Go module directory
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
        with:
          submodules: true

      - name: Cache Go Dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        uses: actions/cache@v4
        with:
          path: .work/pkg
          key: ${{ runner.os }}-pkg-${{ hashFiles('**/go.sum') }}
@@ -70,13 +69,6 @@ jobs:
          go install sigs.k8s.io/kind@v0.19.0
          kind create cluster

-      - name: install Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@ed0e300b13152c2c2bfb104475665c7bf609332f
-        with:
-          version: 3.9.1
-          kubebuilderOnly: false
-          kubernetesVersion: v1.26.2
-
      - name: Run Make test
        run: make test

--- a/.gitignore
+++ b/.gitignore
@@ -41,6 +41,7 @@ _tmp/

 references/cmd/cli/fake/source.go
 references/cmd/cli/fake/chart_source.go
+references/vela-sdk-gen/*
 charts/vela-core/crds/_.yaml
 .test_vela
 tmp/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,18 +1,6 @@
 run:
  timeout: 10m

-  skip-files:
-    - "zz_generated\\..+\\.go$"
-    - ".*_test.go$"
-
-  skip-dirs:
-    - "hack"
-    - "e2e"
-
-output:
-  # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
-  format: colored-line-number
-
 linters-settings:
  errcheck:
    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
@@ -23,24 +11,12 @@ linters-settings:
    # default is false: such cases aren't reported by default.
    check-blank: false

-    # [deprecated] comma-separated list of pairs of the form pkg:regex
-    # the regex is used to ignore names within pkg. (default "fmt:.*").
-    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
-    ignore: fmt:.*,io/ioutil:^Read.*
-
  exhaustive:
    # indicates that switch statements are to be considered exhaustive if a
    # 'default' case is present, even if all enum members aren't listed in the
    # switch
    default-signifies-exhaustive: true

-  govet:
-    # report about shadowed variables
-    check-shadowing: false
-
-  revive:
-    # minimal confidence for issues, default is 0.8
-    min-confidence: 0.8

  gofmt:
    # simplify code: gofmt with `-s` option, true by default
@@ -55,9 +31,6 @@ linters-settings:
    # minimal code complexity to report, 30 by default (but we recommend 10-20)
    min-complexity: 30

-  maligned:
-    # print struct with more effective memory layout or not, false by default
-    suggest-new: true

  dupl:
    # tokens count to trigger issue, 150 by default
@@ -73,13 +46,6 @@ linters-settings:
    # tab width in spaces. Default to 1.
    tab-width: 1

-  unused:
-    # treat code as a program (not a library) and report unused exported identifiers; default is false.
-    # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
-    # if it's called for subdir of a project it can't find funcs usages. All text editor integrations
-    # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
-
  unparam:
    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
@@ -107,9 +73,13 @@ linters-settings:
    # Allow only slices initialized with a length of zero. Default is false.
    always: false

+  revive:
+    rules:
+      - name: unused-parameter
+        disabled: true
+
 linters:
  enable:
-    - megacheck
    - govet
    - gocyclo
    - gocritic
@@ -121,11 +91,10 @@ linters:
    - misspell
    - nakedret
    - exportloopref
+    - unused
+    - gosimple
+    - staticcheck
  disable:
-    - deadcode
-    - scopelint
-    - structcheck
-    - varcheck
    - rowserrcheck
    - sqlclosecheck
    - errchkjson
@@ -137,8 +106,28 @@ linters:


 issues:
+
+  exclude-files:
+    - "zz_generated\\..+\\.go$"
+    - ".*_test.go$"
+
+  exclude-dirs:
+    - "hack"
+    - "e2e"
+
  # Excluding configuration per-path and per-linter
  exclude-rules:
+    - path: .*\.go
+      linters:
+        - errcheck
+      text: "fmt\\."
+
+    # Ignore unchecked errors from io/ioutil functions starting with Read
+    - path: .*\.go
+      linters:
+        - errcheck
+      text: "io/ioutil.*Read"
+      
    # Exclude some linters from running on tests files.
    - path: _test(ing)?\.go
      linters:
@@ -155,6 +144,13 @@ issues:
      linters:
        - gocritic

+    # Gosmopolitan complains of internationalization issues on the file that actually defines
+    # the translation.
+    - path: i18n\.go
+      text: "Han"
+      linters:
+        - gosmopolitan
+
    # These are performance optimisations rather than style issues per se.
    # They warn when function arguments or range values copy a lot of memory
    # rather than using a pointer.
@@ -220,7 +216,7 @@ issues:
  new: false

  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
-  max-per-linter: 0
+  max-issues-per-linter: 0

  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0
+  max-same-issues: 0
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -31,6 +31,28 @@ builds:
    ldflags:
      - -s -w -X github.com/oam-dev/kubevela/version.VelaVersion={{ .Version }} -X github.com/oam-dev/kubevela/version.GitRevision=git-{{.ShortCommit}}

+sboms:
+  - id: kubevela-binaries-sboms
+    artifacts: binary
+    documents:
+      - "${artifact}-{{ .Version }}-{{ .Os }}-{{ .Arch }}.spdx.sbom.json"
+
+signs:
+  - id: kubevela-cosign-keyless
+    artifacts: checksum # sign the checksum file over individual artifacts
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args:
+      - "sign-blob"
+      - "--yes"
+      - "--output-signature"
+      - "${artifact}-keyless.sig"
+      - "--output-certificate"
+      - "${artifact}-keyless.pem"
+      - "${artifact}"
+    output: true
+
 archives:
  - format: tar.gz
    id: vela-cli-tgz
--- a/4
+++ b/4
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -34,7 +34,7 @@ RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 # You can replace distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 # Overwrite `BASE_IMAGE` by passing `--build-arg=BASE_IMAGE=gcr.io/distroless/static:nonroot`
-FROM ${BASE_IMAGE:-alpine@sha256:e2e16842c9b54d985bf1ef9242a313f36b856181f188de21313820e177002501}
+FROM ${BASE_IMAGE:-alpine:3.18}
 # This is required by daemon connecting with cri
 RUN apk add --no-cache ca-certificates bash expat

--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the cli binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-https://proxy.golang.org}
 WORKDIR /workspace
--- a/Dockerfile.e2e
+++ b/Dockerfile.e2e
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.19-alpine@sha256:2381c1e5f8350a901597d633b2e517775eeac7a6682be39225a93b22cfd0f8bb as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.8-alpine@sha256:b7486658b87d34ecf95125e5b97e8dfe86c21f712aa36fc0c702e5dc41dc63e1 AS builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
--- a/14
+++ b/14
@@ -12,7 +12,7 @@ all: build
 # Targets

 ## test: Run tests
-test: unit-test-core test-cli-gen
+test: envtest unit-test-core test-cli-gen
 	@$(OK) unit-tests pass

 ## test-cli-gen: Run the unit tests for cli gen
@@ -22,8 +22,8 @@ test-cli-gen:

 ## unit-test-core: Run the unit tests for core
 unit-test-core:
-	go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
-	go test $(shell go list ./references/... | grep -v apiserver)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -coverprofile=coverage.txt $(shell go list ./pkg/... ./cmd/... ./apis/... | grep -v apiserver | grep -v applicationconfiguration)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test $(shell go list ./references/... | grep -v apiserver)

 ## build: Build vela cli binary
 build: vela-cli kubectl-vela
@@ -41,9 +41,8 @@ fmt: goimports installcue
 	$(CUE) fmt ./vela-templates/definitions/internal/*
 	$(CUE) fmt ./vela-templates/definitions/deprecated/*
 	$(CUE) fmt ./vela-templates/definitions/registry/*
-	$(CUE) fmt ./pkg/stdlib/pkgs/*
-	$(CUE) fmt ./pkg/stdlib/op.cue
-	$(CUE) fmt ./pkg/workflow/tasks/template/static/*
+	$(CUE) fmt ./pkg/workflow/template/static/*
+	$(CUE) fmt ./pkg/workflow/providers/...

 ## sdk_fmt: Run go fmt against code
 sdk_fmt:
@@ -62,7 +61,7 @@ staticcheck: staticchecktool
 ## lint: Run the golangci-lint
 lint: golangci
 	@$(INFO) lint
-	@$(GOLANGCILINT) run --skip-dirs 'scaffold'
+	@$(GOLANGCILINT) run --fix --verbose --exclude-dirs 'scaffold'

 ## reviewable: Run the reviewable
 reviewable: manifests fmt vet lint staticcheck helm-doc-gen sdk_fmt
@@ -108,7 +107,6 @@ manifests: installcue kustomize
 	go generate $(foreach t,pkg apis,./$(t)/...)
 	# TODO(yangsoon): kustomize will merge all CRD into a whole file, it may not work if we want patch more than one CRD in this way
 	$(KUSTOMIZE) build config/crd -o config/crd/base/core.oam.dev_applications.yaml
-	./hack/crd/cleanup.sh
 	go run ./hack/crd/dispatch/dispatch.go config/crd/base charts/vela-core/crds
 	rm -f config/crd/base/*
 	./vela-templates/gen_definitions.sh
--- a/README.md
+++ b/README.md
@@ -59,6 +59,14 @@ and share the large growing community [addons](https://kubevela.net/docs/referen
 * [Installation](https://kubevela.io/docs/install)
 * [Deploy Your Application](https://kubevela.io/docs/quick-start)

+### Get Your Own Demo with Alibaba Cloud
+
+- install KubeVela on a Serverless K8S cluster in 3 minutes, try:
+
+  <a href="https://acs.console.aliyun.com/quick-deploy?repo=kubevela/kubevela&branch=master" target="_blank">
+    <img src="https://img.alicdn.com/imgextra/i1/O1CN01aiPSuA1Wiz7wkgF5u_!!6000000002823-55-tps-399-70.svg" width="200" alt="Deploy on Alibaba Cloud">
+  </a>
+
 ## Documentation

 Full documentation is available on the [KubeVela website](https://kubevela.io/).
--- a/apis/core.oam.dev/common/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/common/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
--- a/apis/core.oam.dev/condition/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/condition/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
--- a/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/garbagecollect_policy_types.go
@@ -102,16 +102,16 @@ func (in *GarbageCollectPolicySpec) FindStrategy(manifest *unstructured.Unstruct
 }

 // FindDeleteOption find delete option for target resource
-func (in *GarbageCollectPolicySpec) FindDeleteOption(manifest *unstructured.Unstructured) []client.DeleteOption {
+func (in *GarbageCollectPolicySpec) FindDeleteOption(manifest *unstructured.Unstructured) (bool, []client.DeleteOption) {
 	for _, rule := range in.Rules {
 		if rule.Selector.Match(manifest) && rule.Propagation != nil {
 			switch *rule.Propagation {
 			case GarbageCollectPropagationOrphan:
-				return []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationOrphan)}
+				return true, []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationOrphan)}
 			case GarbageCollectPropagationCascading:
-				return []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationBackground)}
+				return false, []client.DeleteOption{client.PropagationPolicy(metav1.DeletePropagationBackground)}
 			}
 		}
 	}
-	return nil
+	return false, nil
 }
--- a/apis/core.oam.dev/v1alpha1/resource_policy_types.go
+++ b/apis/core.oam.dev/v1alpha1/resource_policy_types.go
@@ -18,7 +18,7 @@ package v1alpha1

 import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	stringslices "k8s.io/utils/strings/slices"

 	"github.com/oam-dev/kubevela/pkg/oam"
@@ -52,7 +52,7 @@ func (in *ResourcePolicyRuleSelector) Match(manifest *unstructured.Unstructured)
 		if len(src) == 0 {
 			return nil
 		}
-		return pointer.Bool(val != "" && stringslices.Contains(src, val))
+		return ptr.To(val != "" && stringslices.Contains(src, val))
 	}
 	conditions := []*bool{
 		match(in.CompNames, compName),
--- a/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1alpha1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
--- a/apis/core.oam.dev/v1beta1/componentdefinition_types.go
+++ b/apis/core.oam.dev/v1beta1/componentdefinition_types.go
@@ -27,6 +27,9 @@ import (

 // ComponentDefinitionSpec defines the desired state of ComponentDefinition
 type ComponentDefinitionSpec struct {
+	// +optional
+	Version string `json:"version,omitempty"`
+
 	// Workload is a workload type descriptor
 	Workload common.WorkloadTypeDescriptor `json:"workload"`

--- a/apis/core.oam.dev/v1beta1/core_types.go
+++ b/apis/core.oam.dev/v1beta1/core_types.go
@@ -164,6 +164,9 @@ type TraitDefinitionSpec struct {
 	// pre-process and post-process respectively.
 	// +optional
 	Stage StageType `json:"stage,omitempty"`
+
+	// +optional
+	Version string `json:"version,omitempty"`
 }

 // StageType describes how the manifests should be dispatched.
--- a/apis/core.oam.dev/v1beta1/policy_definition.go
+++ b/apis/core.oam.dev/v1beta1/policy_definition.go
@@ -37,6 +37,9 @@ type PolicyDefinitionSpec struct {
 	// ManageHealthCheck means the policy will handle health checking and skip application controller
 	// built-in health checking.
 	ManageHealthCheck bool `json:"manageHealthCheck,omitempty"`
+
+	//+optional
+	Version string `json:"version,omitempty"`
 }

 // PolicyDefinitionStatus is the status of PolicyDefinition
--- a/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
+++ b/apis/core.oam.dev/v1beta1/resourcetracker_types_test.go
@@ -31,7 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"

 	"github.com/oam-dev/kubevela/apis/core.oam.dev/common"
 	"github.com/oam-dev/kubevela/pkg/oam"
@@ -133,7 +133,7 @@ func TestManagedResourceKeys(t *testing.T) {
 	r.Equal("cluster/component", input.ComponentKey())
 	r.Equal("Deployment name (Cluster: cluster, Namespace: namespace)", input.DisplayName())
 	var deploy1, deploy2 appsv1.Deployment
-	deploy1.Spec.Replicas = pointer.Int32(5)
+	deploy1.Spec.Replicas = ptr.To(int32(5))
 	bs, err := json.Marshal(deploy1)
 	r.NoError(err)
 	r.ErrorIs(input.UnmarshalTo(&deploy2), errors.ManagedResourceHasNoDataError{})
@@ -168,7 +168,7 @@ func TestResourceTracker_ManagedResource(t *testing.T) {
 	pod3 := corev1.Pod{ObjectMeta: metav1.ObjectMeta{Name: "pod3"}}
 	input.AddManagedResource(&pod3, false, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
-	deploy1.Spec.Replicas = pointer.Int32(5)
+	deploy1.Spec.Replicas = ptr.To(int32(5))
 	input.AddManagedResource(&deploy1, false, false, "")
 	r.Equal(3, len(input.Spec.ManagedResources))
 	input.DeleteManagedResource(&cm2, false)
@@ -203,7 +203,7 @@ func TestResourceTrackerCompression(t *testing.T) {
 		"../../../charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml",
 		"../../../charts/vela-core/templates/kubevela-controller.yaml",
 		"../../../charts/vela-core/README.md",
-		"../../../pkg/velaql/providers/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
+		"../../../pkg/workflow/providers/legacy/query/testdata/machinelearning.seldon.io_seldondeployments.yaml",
 	}
 	for _, p := range paths {
 		b, err := os.ReadFile(p)
--- a/apis/core.oam.dev/v1beta1/workflow_step_definition.go
+++ b/apis/core.oam.dev/v1beta1/workflow_step_definition.go
@@ -33,6 +33,9 @@ type WorkflowStepDefinitionSpec struct {
 	// Only CUE schematic is supported for now.
 	// +optional
 	Schematic *common.Schematic `json:"schematic,omitempty"`
+
+	// +optional
+	Version string `json:"version,omitempty"`
 }

 // WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
--- a/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
+++ b/apis/core.oam.dev/v1beta1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 /*
 Copyright 2023 The KubeVela Authors.
@@ -147,7 +146,8 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(ComponentDefinition)
 				(*in).DeepCopyInto(*out)
 			}
@@ -169,7 +169,8 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(TraitDefinition)
 				(*in).DeepCopyInto(*out)
 			}
@@ -191,7 +192,8 @@ func (in *ApplicationRevisionCompressibleFields) DeepCopyInto(out *ApplicationRe
 			if val == nil {
 				(*out)[key] = nil
 			} else {
-				in, out := &val, &outVal
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
 				*out = new(WorkflowStepDefinition)
 				(*in).DeepCopyInto(*out)
 			}
--- a/apis/types/capability.go
+++ b/apis/types/capability.go
@@ -32,22 +32,6 @@ type CRDInfo struct {
 	Kind       string `json:"kind"`
 }

-// Chart defines all necessary information to install a whole chart
-type Chart struct {
-	Repo      string                 `json:"repo"`
-	URL       string                 `json:"url"`
-	Name      string                 `json:"name"`
-	Namespace string                 `json:"namespace,omitempty"`
-	Version   string                 `json:"version"`
-	Values    map[string]interface{} `json:"values"`
-}
-
-// Installation defines the installation method for this Capability, currently only helm is supported
-type Installation struct {
-	Helm Chart `json:"helm"`
-	// TODO(wonderflow) add raw yaml file support for install capability
-}
-
 // CapType defines the type of capability
 type CapType string

@@ -107,7 +91,6 @@ type Capability struct {
 	CueTemplateURI string             `json:"templateURI,omitempty"`
 	Parameters     []Parameter        `json:"parameters,omitempty"`
 	CrdName        string             `json:"crdName,omitempty"`
-	Center         string             `json:"center,omitempty"`
 	Status         string             `json:"status,omitempty"`
 	Description    string             `json:"description,omitempty"`
 	Example        string             `json:"example,omitempty"`
@@ -121,8 +104,7 @@ type Capability struct {
 	Namespace string `json:"namespace,omitempty"`

 	// Plugin Source
-	Source  *Source  `json:"source,omitempty"`
-	CrdInfo *CRDInfo `json:"crdInfo,omitempty"`
+	Source *Source `json:"source,omitempty"`

 	// Terraform
 	TerraformConfiguration string `json:"terraformConfiguration,omitempty"`
--- a/apis/types/componentmanifest.go
+++ b/apis/types/componentmanifest.go
@@ -26,13 +26,8 @@ type ComponentManifest struct {
 	Namespace    string
 	RevisionName string
 	RevisionHash string
-	// StandardWorkload contains K8s resource generated from "output" block of ComponentDefinition
-	StandardWorkload *unstructured.Unstructured
-	// Traits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
-	Traits []*unstructured.Unstructured
-
-	// PackagedWorkloadResources contain all the workload related resources. It could be a Helm
-	// Release, Git Repo or anything that can package and run a workload.
-	PackagedWorkloadResources []*unstructured.Unstructured
-	PackagedTraitResources    map[string][]*unstructured.Unstructured
+	// ComponentOutput contains K8s resource generated from "output" block of ComponentDefinition
+	ComponentOutput *unstructured.Unstructured
+	// ComponentOutputsAndTraits contains both resources generated from "outputs" block of ComponentDefinition and resources generated from TraitDefinition
+	ComponentOutputsAndTraits []*unstructured.Unstructured
 }
--- a/charts/vela-core/README.md
+++ b/charts/vela-core/README.md
@@ -48,12 +48,14 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai

 ### KubeVela workflow parameters

-| Name                                   | Description                                            | Value   |
-| -------------------------------------- | ------------------------------------------------------ | ------- |
-| `workflow.enableSuspendOnFailure`      | Enable suspend on workflow failure                     | `false` |
-| `workflow.backoff.maxTime.waitState`   | The max backoff time of workflow in a wait condition   | `60`    |
-| `workflow.backoff.maxTime.failedState` | The max backoff time of workflow in a failed condition | `300`   |
-| `workflow.step.errorRetryTimes`        | The max retry times of a failed workflow step          | `10`    |
+| Name                                                    | Description                                             | Value   |
+| ------------------------------------------------------- | ------------------------------------------------------- | ------- |
+| `workflow.enableSuspendOnFailure`                       | Enable suspend on workflow failure                      | `false` |
+| `workflow.enableExternalPackageForDefaultCompiler`      | Enable external package for default cuex compiler       | `true`  |
+| `workflow.enableExternalPackageWatchForDefaultCompiler` | Enable external package watch for default cuex compiler | `false` |
+| `workflow.backoff.maxTime.waitState`                    | The max backoff time of workflow in a wait condition    | `60`    |
+| `workflow.backoff.maxTime.failedState`                  | The max backoff time of workflow in a failed condition  | `300`   |
+| `workflow.step.errorRetryTimes`                         | The max retry times of a failed workflow step           | `10`    |

 ### KubeVela controller parameters

@@ -96,26 +98,29 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai
 | `featureGates.informerCacheFilterUnnecessaryFields`          | filter unnecessary fields for informer cache                                                                                                                                                                                     | `true`  |
 | `featureGates.sharedDefinitionStorageForApplicationRevision` | use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields                                                                                    | `true`  |
 | `featureGates.disableWorkflowContextConfigMapCache`          | disable the workflow context's configmap informer cache                                                                                                                                                                          | `true`  |
+| `featureGates.enableCueValidation`                           | enable the strict cue validation for cue required parameter fields                                                                                                                                                               | `false` |

 ### MultiCluster parameters

-| Name                                                        | Description                                                                                 | Value                            |
-| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
-| `multicluster.enabled`                                      | Whether to enable multi-cluster                                                             | `true`                           |
-| `multicluster.metrics.enabled`                              | Whether to enable multi-cluster metrics collect                                             | `false`                          |
-| `multicluster.clusterGateway.direct`                        | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true`                           |
-| `multicluster.clusterGateway.replicaCount`                  | ClusterGateway replica count                                                                | `1`                              |
-| `multicluster.clusterGateway.port`                          | ClusterGateway port                                                                         | `9443`                           |
-| `multicluster.clusterGateway.image.repository`              | ClusterGateway image repository                                                             | `oamdev/cluster-gateway`         |
-| `multicluster.clusterGateway.image.tag`                     | ClusterGateway image tag                                                                    | `v1.9.0-alpha.2`                 |
-| `multicluster.clusterGateway.image.pullPolicy`              | ClusterGateway image pull policy                                                            | `IfNotPresent`                   |
-| `multicluster.clusterGateway.resources.requests.cpu`        | ClusterGateway cpu request                                                                  | `50m`                            |
-| `multicluster.clusterGateway.resources.requests.memory`     | ClusterGateway memory request                                                               | `20Mi`                           |
-| `multicluster.clusterGateway.resources.limits.cpu`          | ClusterGateway cpu limit                                                                    | `500m`                           |
-| `multicluster.clusterGateway.resources.limits.memory`       | ClusterGateway memory limit                                                                 | `200Mi`                          |
-| `multicluster.clusterGateway.secureTLS.enabled`             | Whether to enable secure TLS                                                                | `true`                           |
-| `multicluster.clusterGateway.secureTLS.certPath`            | Path to the certificate file                                                                | `/etc/k8s-cluster-gateway-certs` |
-| `multicluster.clusterGateway.secureTLS.certManager.enabled` | Whether to enable cert-manager                                                              | `false`                          |
+| Name                                                          | Description                                                                                 | Value                            |
+| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | -------------------------------- |
+| `multicluster.enabled`                                        | Whether to enable multi-cluster                                                             | `true`                           |
+| `multicluster.metrics.enabled`                                | Whether to enable multi-cluster metrics collect                                             | `false`                          |
+| `multicluster.clusterGateway.direct`                          | controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer | `true`                           |
+| `multicluster.clusterGateway.replicaCount`                    | ClusterGateway replica count                                                                | `1`                              |
+| `multicluster.clusterGateway.port`                            | ClusterGateway port                                                                         | `9443`                           |
+| `multicluster.clusterGateway.image.repository`                | ClusterGateway image repository                                                             | `oamdev/cluster-gateway`         |
+| `multicluster.clusterGateway.image.tag`                       | ClusterGateway image tag                                                                    | `v1.9.0-alpha.2`                 |
+| `multicluster.clusterGateway.image.pullPolicy`                | ClusterGateway image pull policy                                                            | `IfNotPresent`                   |
+| `multicluster.clusterGateway.resources.requests.cpu`          | ClusterGateway cpu request                                                                  | `50m`                            |
+| `multicluster.clusterGateway.resources.requests.memory`       | ClusterGateway memory request                                                               | `20Mi`                           |
+| `multicluster.clusterGateway.resources.limits.cpu`            | ClusterGateway cpu limit                                                                    | `500m`                           |
+| `multicluster.clusterGateway.resources.limits.memory`         | ClusterGateway memory limit                                                                 | `200Mi`                          |
+| `multicluster.clusterGateway.secureTLS.enabled`               | Whether to enable secure TLS                                                                | `true`                           |
+| `multicluster.clusterGateway.secureTLS.certPath`              | Path to the certificate file                                                                | `/etc/k8s-cluster-gateway-certs` |
+| `multicluster.clusterGateway.secureTLS.certManager.enabled`   | Whether to enable cert-manager                                                              | `false`                          |
+| `multicluster.clusterGateway.serviceMonitor.enabled`          | Whether to enable service monitor                                                           | `false`                          |
+| `multicluster.clusterGateway.serviceMonitor.additionalLabels` | Additional labels for service monitor                                                       | `{}`                             |

 ### Test parameters

@@ -128,29 +133,32 @@ helm install --create-namespace -n vela-system kubevela kubevela/vela-core --wai

 ### Common parameters

-| Name                          | Description                                                                                                                                                        | Value                |
-| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
-| `imagePullSecrets`            | Image pull secrets                                                                                                                                                 | `[]`                 |
-| `nameOverride`                | Override name                                                                                                                                                      | `""`                 |
-| `fullnameOverride`            | Fullname override                                                                                                                                                  | `""`                 |
-| `serviceAccount.create`       | Specifies whether a service account should be created                                                                                                              | `true`               |
-| `serviceAccount.annotations`  | Annotations to add to the service account                                                                                                                          | `{}`                 |
-| `serviceAccount.name`         | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                             | `nil`                |
-| `nodeSelector`                | Node selector                                                                                                                                                      | `{}`                 |
-| `tolerations`                 | Tolerations                                                                                                                                                        | `[]`                 |
-| `affinity`                    | Affinity                                                                                                                                                           | `{}`                 |
-| `rbac.create`                 | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
-| `logDebug`                    | Enable debug logs for development purpose                                                                                                                          | `false`              |
-| `logFilePath`                 | If non-empty, write log files in this path                                                                                                                         | `""`                 |
-| `logFileMaxSize`              | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
-| `kubeClient.qps`              | The qps for reconcile clients                                                                                                                                      | `400`                |
-| `kubeClient.burst`            | The burst for reconcile clients                                                                                                                                    | `600`                |
-| `authentication.enabled`      | Enable authentication for application                                                                                                                              | `false`              |
-| `authentication.withUser`     | Application authentication will impersonate as the request User                                                                                                    | `true`               |
-| `authentication.defaultUser`  | Application authentication will impersonate as the User if no user provided in Application                                                                         | `kubevela:vela-core` |
-| `authentication.groupPattern` | Application authentication will impersonate as the request Group that matches the pattern                                                                          | `kubevela:*`         |
-| `sharding.enabled`            | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false`              |
-| `sharding.schedulableShards`  | The shards available for scheduling. If empty, dynamic discovery will be used.                                                                                     | `""`                 |
+| Name                                           | Description                                                                                                                                                        | Value                |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `imagePullSecrets`                             | Image pull secrets                                                                                                                                                 | `[]`                 |
+| `nameOverride`                                 | Override name                                                                                                                                                      | `""`                 |
+| `fullnameOverride`                             | Fullname override                                                                                                                                                  | `""`                 |
+| `serviceAccount.create`                        | Specifies whether a service account should be created                                                                                                              | `true`               |
+| `serviceAccount.annotations`                   | Annotations to add to the service account                                                                                                                          | `{}`                 |
+| `serviceAccount.name`                          | The name of the service account to use. If not set and create is true, a name is generated using the fullname template                                             | `nil`                |
+| `nodeSelector`                                 | Node selector                                                                                                                                                      | `{}`                 |
+| `tolerations`                                  | Tolerations                                                                                                                                                        | `[]`                 |
+| `affinity`                                     | Affinity                                                                                                                                                           | `{}`                 |
+| `rbac.create`                                  | Specifies whether a RBAC role should be created                                                                                                                    | `true`               |
+| `logDebug`                                     | Enable debug logs for development purpose                                                                                                                          | `false`              |
+| `logFilePath`                                  | If non-empty, write log files in this path                                                                                                                         | `""`                 |
+| `logFileMaxSize`                               | Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.                                         | `1024`               |
+| `kubeClient.qps`                               | The qps for reconcile clients                                                                                                                                      | `400`                |
+| `kubeClient.burst`                             | The burst for reconcile clients                                                                                                                                    | `600`                |
+| `authentication.enabled`                       | Enable authentication for application                                                                                                                              | `false`              |
+| `authentication.withUser`                      | Application authentication will impersonate as the request User                                                                                                    | `true`               |
+| `authentication.defaultUser`                   | Application authentication will impersonate as the User if no user provided in Application                                                                         | `kubevela:vela-core` |
+| `authentication.groupPattern`                  | Application authentication will impersonate as the request Group that matches the pattern                                                                          | `kubevela:*`         |
+| `sharding.enabled`                             | When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details. | `false`              |
+| `sharding.schedulableShards`                   | The shards available for scheduling. If empty, dynamic discovery will be used.                                                                                     | `""`                 |
+| `core.metrics.enabled`                         | Enable metrics for vela-core                                                                                                                                       | `false`              |
+| `core.metrics.serviceMonitor.enabled`          | Enable service monitor for metrics                                                                                                                                 | `false`              |
+| `core.metrics.serviceMonitor.additionalLabels` | Additional labels for service monitor                                                                                                                              | `{}`                 |


 ## Uninstallation
@@ -186,6 +194,21 @@ if [ $fluxcd ]; then
 fi
 ```

+Make sure all existing KubeVela resources deleted before uninstallation:
+```shell
+kubectl delete applicationrevisions.core.oam.dev --all
+kubectl delete applications.core.oam.dev --all
+kubectl delete componentdefinitions.core.oam.dev --all
+kubectl delete definitionrevisions.core.oam.dev --all
+kubectl delete policies.core.oam.dev --all
+kubectl delete policydefinitions.core.oam.dev --all
+kubectl delete resourcetrackers.core.oam.dev --all
+kubectl delete traitdefinitions.core.oam.dev --all
+kubectl delete workflows.core.oam.dev --all
+kubectl delete workflowstepdefinitions.core.oam.dev --all
+kubectl delete workloaddefinitions.core.oam.dev --all
+```
+
 To uninstall the KubeVela helm release:

 ```shell
--- a/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applicationrevisions.yaml
--- a/charts/vela-core/crds/core.oam.dev_applications.yaml
+++ b/charts/vela-core/crds/core.oam.dev_applications.yaml
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  annotations:
    cert-manager.io/inject-ca-from: vela-system/kubevela-vela-core-root-cert
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: applications.core.oam.dev
 spec:
  group: core.oam.dev
@@ -44,14 +44,19 @@ spec:
        description: Application is the Schema for the applications API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -104,10 +109,9 @@ spec:
                    scopes:
                      additionalProperties:
                        type: string
-                      description: scopes in ApplicationComponent defines the component-level
-                        scopes the format is <scope-type:scope-instance-name> pairs,
-                        the key represents type of `ScopeDefinition` while the value
-                        represent the name of scope instance.
+                      description: |-
+                        scopes in ApplicationComponent defines the component-level scopes
+                        the format is <scope-type:scope-instance-name> pairs, the key represents type of `ScopeDefinition` while the value represent the name of scope instance.
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    traits:
@@ -133,10 +137,10 @@ spec:
                  type: object
                type: array
              policies:
-                description: Policies defines the global policies for all components
-                  in the app, e.g. security, metrics, gitops, multi-cluster placement
-                  rules, etc. Policies are applied after components are rendered and
-                  before workflow steps are executed.
+                description: |-
+                  Policies defines the global policies for all components in the app, e.g. security, metrics, gitops,
+                  multi-cluster placement rules, etc.
+                  Policies are applied after components are rendered and before workflow steps are executed.
                items:
                  description: AppPolicy defines a global policy for all components
                    in the app.
@@ -155,11 +159,12 @@ spec:
                  type: object
                type: array
              workflow:
-                description: 'Workflow defines how to customize the control logic.
-                  If workflow is specified, Vela won''t apply any resource, but provide
-                  rendered output in AppRevision. Workflow steps are executed in array
-                  order, and each step: - will have a context in annotation. - should
-                  mark "finish" phase in status.conditions.'
+                description: |-
+                  Workflow defines how to customize the control logic.
+                  If workflow is specified, Vela won't apply any resource, but provide rendered output in AppRevision.
+                  Workflow steps are executed in array order, and each step:
+                  - will have a context in annotation.
+                  - should mark "finish" phase in status.conditions.
                properties:
                  mode:
                    description: WorkflowExecuteMode defines the mode of workflow
@@ -332,33 +337,40 @@ spec:
                    creator:
                      type: string
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
+                        TODO: this design is not final and this field is subject to change in the future.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
@@ -367,63 +379,63 @@ spec:
                description: Components record the related Components created by Application
                  Controller
                items:
-                  description: "ObjectReference contains enough information to let
-                    you inspect or modify the referred object. --- New uses of this
-                    type are discouraged because of difficulty describing its usage
-                    when embedded in APIs. 1. Ignored fields.  It includes many fields
-                    which are not generally honored.  For instance, ResourceVersion
-                    and FieldPath are both very rarely valid in actual usage. 2. Invalid
-                    usage help.  It is impossible to add specific help for individual
-                    usage.  In most embedded usages, there are particular restrictions
-                    like, \"must refer only to types A and B\" or \"UID not honored\"
-                    or \"name must be restricted\". Those cannot be well described
-                    when embedded. 3. Inconsistent validation.  Because the usages
-                    are different, the validation rules are different by usage, which
-                    makes it hard for users to predict what will happen. 4. The fields
-                    are both imprecise and overly precise.  Kind is not a precise
-                    mapping to a URL. This can produce ambiguity during interpretation
-                    and require a REST mapping.  In most cases, the dependency is
-                    on the group,resource tuple and the version of the actual struct
-                    is irrelevant. 5. We cannot easily change it.  Because this type
-                    is embedded in many locations, updates to this type will affect
-                    numerous schemas.  Don't make new APIs embed an underspecified
-                    API type they do not control. \n Instead of using this type, create
-                    a locally provided and used type that is well-focused on your
-                    reference. For example, ServiceReferences for admission registration:
-                    https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                    ."
+                  description: |-
+                    ObjectReference contains enough information to let you inspect or modify the referred object.
+                    ---
+                    New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+                     1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+                     2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
+                        restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+                        Those cannot be well described when embedded.
+                     3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+                     4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
+                        during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
+                        and the version of the actual struct is irrelevant.
+                     5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
+                        will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
+
+
+                    Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+                    For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
                  properties:
                    apiVersion:
                      description: API version of the referent.
                      type: string
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
+                        TODO: this design is not final and this field is subject to change in the future.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
@@ -434,13 +446,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -451,8 +465,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
@@ -482,10 +497,13 @@ spec:
                format: int64
                type: integer
              policy:
-                description: PolicyStatus records the status of policy Deprecated
-                  This field is only used by EnvBinding Policy which is deprecated.
+                description: |-
+                  PolicyStatus records the status of policy
+                  Deprecated This field is only used by EnvBinding Policy which is deprecated.
                items:
-                  description: PolicyStatus records the status of policy Deprecated
+                  description: |-
+                    PolicyStatus records the status of policy
+                    Deprecated
                  properties:
                    name:
                      type: string
@@ -519,66 +537,63 @@ spec:
                      type: string
                    scopes:
                      items:
-                        description: "ObjectReference contains enough information
-                          to let you inspect or modify the referred object. --- New
-                          uses of this type are discouraged because of difficulty
-                          describing its usage when embedded in APIs. 1. Ignored fields.
-                          \ It includes many fields which are not generally honored.
-                          \ For instance, ResourceVersion and FieldPath are both very
-                          rarely valid in actual usage. 2. Invalid usage help.  It
-                          is impossible to add specific help for individual usage.
-                          \ In most embedded usages, there are particular restrictions
-                          like, \"must refer only to types A and B\" or \"UID not
-                          honored\" or \"name must be restricted\". Those cannot be
-                          well described when embedded. 3. Inconsistent validation.
-                          \ Because the usages are different, the validation rules
-                          are different by usage, which makes it hard for users to
-                          predict what will happen. 4. The fields are both imprecise
-                          and overly precise.  Kind is not a precise mapping to a
-                          URL. This can produce ambiguity during interpretation and
-                          require a REST mapping.  In most cases, the dependency is
-                          on the group,resource tuple and the version of the actual
-                          struct is irrelevant. 5. We cannot easily change it.  Because
-                          this type is embedded in many locations, updates to this
-                          type will affect numerous schemas.  Don't make new APIs
-                          embed an underspecified API type they do not control. \n
-                          Instead of using this type, create a locally provided and
-                          used type that is well-focused on your reference. For example,
-                          ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                          ."
+                        description: |-
+                          ObjectReference contains enough information to let you inspect or modify the referred object.
+                          ---
+                          New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+                           1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+                           2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
+                              restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+                              Those cannot be well described when embedded.
+                           3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+                           4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
+                              during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
+                              and the version of the actual struct is irrelevant.
+                           5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
+                              will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
+
+
+                          Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+                          For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
-                            description: 'If referring to a piece of an object instead
-                              of an entire object, this string should contain a valid
-                              JSON/Go field access statement, such as desiredState.manifest.containers[2].
-                              For example, if the object reference is to a container
-                              within a pod, this would take on a value like: "spec.containers{name}"
-                              (where "name" refers to the name of the container that
-                              triggered the event) or if no container name is specified
-                              "spec.containers[2]" (container with index 2 in this
-                              pod). This syntax is chosen only to have some well-defined
-                              way of referencing a part of an object. TODO: this design
-                              is not final and this field is subject to change in
-                              the future.'
+                            description: |-
+                              If referring to a piece of an object instead of an entire object, this string
+                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container within a pod, this would take on a value like:
+                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                              the event) or if no container name is specified "spec.containers[2]" (container with
+                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                              referencing a part of an object.
+                              TODO: this design is not final and this field is subject to change in the future.
                            type: string
                          kind:
-                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
-                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
-                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
-                            description: 'Specific resourceVersion to which this reference
-                              is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                            description: |-
+                              Specific resourceVersion to which this reference is made, if any.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
-                            description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                            description: |-
+                              UID of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        type: object
                        x-kubernetes-map-type: atomic
@@ -626,63 +641,63 @@ spec:
                  appRevision:
                    type: string
                  contextBackend:
-                    description: "ObjectReference contains enough information to let
-                      you inspect or modify the referred object. --- New uses of this
-                      type are discouraged because of difficulty describing its usage
-                      when embedded in APIs. 1. Ignored fields.  It includes many
-                      fields which are not generally honored.  For instance, ResourceVersion
-                      and FieldPath are both very rarely valid in actual usage. 2.
-                      Invalid usage help.  It is impossible to add specific help for
-                      individual usage.  In most embedded usages, there are particular
-                      restrictions like, \"must refer only to types A and B\" or \"UID
-                      not honored\" or \"name must be restricted\". Those cannot be
-                      well described when embedded. 3. Inconsistent validation.  Because
-                      the usages are different, the validation rules are different
-                      by usage, which makes it hard for users to predict what will
-                      happen. 4. The fields are both imprecise and overly precise.
-                      \ Kind is not a precise mapping to a URL. This can produce ambiguity
-                      during interpretation and require a REST mapping.  In most cases,
-                      the dependency is on the group,resource tuple and the version
-                      of the actual struct is irrelevant. 5. We cannot easily change
-                      it.  Because this type is embedded in many locations, updates
-                      to this type will affect numerous schemas.  Don't make new APIs
-                      embed an underspecified API type they do not control. \n Instead
-                      of using this type, create a locally provided and used type
-                      that is well-focused on your reference. For example, ServiceReferences
-                      for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
-                      ."
+                    description: |-
+                      ObjectReference contains enough information to let you inspect or modify the referred object.
+                      ---
+                      New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+                       1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+                       2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
+                          restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+                          Those cannot be well described when embedded.
+                       3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+                       4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
+                          during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
+                          and the version of the actual struct is irrelevant.
+                       5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
+                          will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
+
+
+                      Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+                      For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
                    properties:
                      apiVersion:
                        description: API version of the referent.
                        type: string
                      fieldPath:
-                        description: 'If referring to a piece of an object instead
-                          of an entire object, this string should contain a valid
-                          JSON/Go field access statement, such as desiredState.manifest.containers[2].
-                          For example, if the object reference is to a container within
-                          a pod, this would take on a value like: "spec.containers{name}"
-                          (where "name" refers to the name of the container that triggered
-                          the event) or if no container name is specified "spec.containers[2]"
-                          (container with index 2 in this pod). This syntax is chosen
-                          only to have some well-defined way of referencing a part
-                          of an object. TODO: this design is not final and this field
-                          is subject to change in the future.'
+                        description: |-
+                          If referring to a piece of an object instead of an entire object, this string
+                          should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                          For example, if the object reference is to a container within a pod, this would take on a value like:
+                          "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                          the event) or if no container name is specified "spec.containers[2]" (container with
+                          index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                          referencing a part of an object.
+                          TODO: this design is not final and this field is subject to change in the future.
                        type: string
                      kind:
-                        description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        description: |-
+                          Kind of the referent.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                        type: string
                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        type: string
                      namespace:
-                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                        description: |-
+                          Namespace of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                        type: string
                      resourceVersion:
-                        description: 'Specific resourceVersion to which this reference
-                          is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                        description: |-
+                          Specific resourceVersion to which this reference is made, if any.
+                          More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                        type: string
                      uid:
-                        description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                        description: |-
+                          UID of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
--- a/charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_componentdefinitions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: componentdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -32,14 +32,19 @@ spec:
          API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -76,14 +81,14 @@ spec:
                type: object
                x-kubernetes-preserve-unknown-fields: true
              podSpecPath:
-                description: PodSpecPath indicates where/if this workload has K8s
-                  podSpec field if one workload has podSpec, trait can do lot's of
-                  assumption such as port, env, volume fields.
+                description: |-
+                  PodSpecPath indicates where/if this workload has K8s podSpec field
+                  if one workload has podSpec, trait can do lot's of assumption such as port, env, volume fields.
                type: string
              revisionLabel:
-                description: RevisionLabel indicates which label for underlying resources(e.g.
-                  pods) of this workload can be used by trait to create resource selectors(e.g.
-                  label selector for pods).
+                description: |-
+                  RevisionLabel indicates which label for underlying resources(e.g. pods) of this workload
+                  can be used by trait to create resource selectors(e.g. label selector for pods).
                type: string
              schematic:
                description: Schematic defines the data format and template of the
@@ -93,10 +98,9 @@ spec:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
@@ -159,11 +163,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@@ -191,6 +195,8 @@ spec:
                      the abstraction
                    type: string
                type: object
+              version:
+                type: string
              workload:
                description: Workload is a workload type descriptor
                properties:
@@ -222,13 +228,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -239,8 +247,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_definitionrevisions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: definitionrevisions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -34,14 +34,19 @@ spec:
        description: DefinitionRevision is the Schema for the DefinitionRevision API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -53,16 +58,19 @@ spec:
                  ComponentDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@@ -117,14 +125,14 @@ spec:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
                      podSpecPath:
-                        description: PodSpecPath indicates where/if this workload
-                          has K8s podSpec field if one workload has podSpec, trait
-                          can do lot's of assumption such as port, env, volume fields.
+                        description: |-
+                          PodSpecPath indicates where/if this workload has K8s podSpec field
+                          if one workload has podSpec, trait can do lot's of assumption such as port, env, volume fields.
                        type: string
                      revisionLabel:
-                        description: RevisionLabel indicates which label for underlying
-                          resources(e.g. pods) of this workload can be used by trait
-                          to create resource selectors(e.g. label selector for pods).
+                        description: |-
+                          RevisionLabel indicates which label for underlying resources(e.g. pods) of this workload
+                          can be used by trait to create resource selectors(e.g. label selector for pods).
                        type: string
                      schematic:
                        description: Schematic defines the data format and template
@@ -134,10 +142,9 @@ spec:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
@@ -202,12 +209,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@@ -235,6 +241,8 @@ spec:
                              for the abstraction
                            type: string
                        type: object
+                      version:
+                        type: string
                      workload:
                        description: Workload is a workload type descriptor
                        properties:
@@ -266,14 +274,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@@ -284,9 +293,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@@ -330,16 +339,19 @@ spec:
                  PolicyDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@@ -372,31 +384,30 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
                        type: object
                      manageHealthCheck:
-                        description: ManageHealthCheck means the policy will handle
-                          health checking and skip application controller built-in
-                          health checking.
+                        description: |-
+                          ManageHealthCheck means the policy will handle health checking and skip application controller
+                          built-in health checking.
                        type: boolean
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the policy definition. Only CUE
-                          schematic is supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the policy definition.
+                          Only CUE schematic is supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
@@ -461,12 +472,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@@ -481,6 +491,8 @@ spec:
                            - configuration
                            type: object
                        type: object
+                      version:
+                        type: string
                    type: object
                  status:
                    description: PolicyDefinitionStatus is the status of PolicyDefinition
@@ -491,14 +503,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@@ -509,9 +522,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@@ -555,16 +568,19 @@ spec:
                  TraitDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@@ -590,21 +606,25 @@ spec:
                      a TraitDefinition.
                    properties:
                      appliesToWorkloads:
-                        description: AppliesToWorkloads specifies the list of workload
-                          kinds this trait applies to. Workload kinds are specified
-                          in resource.group/version format, e.g. server.core.oam.dev/v1alpha2.
-                          Traits that omit this field apply to all workload kinds.
+                        description: |-
+                          AppliesToWorkloads specifies the list of workload kinds this trait
+                          applies to. Workload kinds are specified in resource.group/version format,
+                          e.g. server.core.oam.dev/v1alpha2. Traits that omit this field apply to
+                          all workload kinds.
                        items:
                          type: string
                        type: array
                      conflictsWith:
-                        description: 'ConflictsWith specifies the list of traits(CRD
-                          name, Definition name, CRD group) which could not apply
-                          to the same workloads with this trait. Traits that omit
-                          this field can work with any other traits. Example rules:
-                          "service" # Trait definition name "services.k8s.io" # API
-                          resource/crd name "*.networking.k8s.io" # API group "labelSelector:foo=bar"
-                          # label selector labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse'
+                        description: |-
+                          ConflictsWith specifies the list of traits(CRD name, Definition name, CRD group)
+                          which could not apply to the same workloads with this trait.
+                          Traits that omit this field can work with any other traits.
+                          Example rules:
+                          "service" # Trait definition name
+                          "services.k8s.io" # API resource/crd name
+                          "*.networking.k8s.io" # API group
+                          "labelSelector:foo=bar" # label selector
+                          labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse
                        items:
                          type: string
                        type: array
@@ -620,9 +640,9 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
@@ -645,18 +665,17 @@ spec:
                          component revision
                        type: boolean
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the trait. Only CUE and Kube schematic
-                          are supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the trait.
+                          Only CUE and Kube schematic are supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
@@ -721,12 +740,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@@ -742,10 +760,10 @@ spec:
                            type: object
                        type: object
                      stage:
-                        description: Stage defines the stage information to which
-                          this trait resource processing belongs. Currently, PreDispatch
-                          and PostDispatch are provided, which are used to control
-                          resource pre-process and post-process respectively.
+                        description: |-
+                          Stage defines the stage information to which this trait resource processing belongs.
+                          Currently, PreDispatch and PostDispatch are provided, which are used to control resource
+                          pre-process and post-process respectively.
                        type: string
                      status:
                        description: Status defines the custom health policy and status
@@ -760,6 +778,8 @@ spec:
                              for the abstraction
                            type: string
                        type: object
+                      version:
+                        type: string
                      workloadRefPath:
                        description: WorkloadRefPath indicates where/if a trait accepts
                          a workloadRef object
@@ -774,14 +794,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@@ -792,9 +813,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
@@ -830,16 +851,19 @@ spec:
                  WorkflowStepDefinition
                properties:
                  apiVersion:
-                    description: 'APIVersion defines the versioned schema of this
-                      representation of an object. Servers should convert recognized
-                      schemas to the latest internal value, and may reject unrecognized
-                      values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                    description: |-
+                      APIVersion defines the versioned schema of this representation of an object.
+                      Servers should convert recognized schemas to the latest internal value, and
+                      may reject unrecognized values.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
                    type: string
                  kind:
-                    description: 'Kind is a string value representing the REST resource
-                      this object represents. Servers may infer this from the endpoint
-                      the client submits requests to. Cannot be updated. In CamelCase.
-                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    description: |-
+                      Kind is a string value representing the REST resource this object represents.
+                      Servers may infer this from the endpoint the client submits requests to.
+                      Cannot be updated.
+                      In CamelCase.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  metadata:
                    properties:
@@ -872,26 +896,25 @@ spec:
                            description: Name of the referenced CustomResourceDefinition.
                            type: string
                          version:
-                            description: Version indicate which version should be
-                              used if CRD has multiple versions by default it will
-                              use the first one if not specified
+                            description: |-
+                              Version indicate which version should be used if CRD has multiple versions
+                              by default it will use the first one if not specified
                            type: string
                        required:
                        - name
                        type: object
                      schematic:
-                        description: Schematic defines the data format and template
-                          of the encapsulation of the workflow step definition. Only
-                          CUE schematic is supported for now.
+                        description: |-
+                          Schematic defines the data format and template of the encapsulation of the workflow step definition.
+                          Only CUE schematic is supported for now.
                        properties:
                          cue:
                            description: CUE defines the encapsulation in CUE format
                            properties:
                              template:
-                                description: Template defines the abstraction template
-                                  data of the capability, it will replace the old
-                                  CUE template in extension field. Template is a required
-                                  field if CUE is defined in Capability Definition.
+                                description: |-
+                                  Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                                  Template is a required field if CUE is defined in Capability Definition.
                                type: string
                            required:
                            - template
@@ -956,12 +979,11 @@ spec:
                                - remote
                                type: string
                              writeConnectionSecretToRef:
-                                description: WriteConnectionSecretToReference specifies
-                                  the namespace and name of a Secret to which any
-                                  connection details for this managed resource should
-                                  be written. Connection details frequently include
-                                  the endpoint, username, and password required to
-                                  connect to the managed resource.
+                                description: |-
+                                  WriteConnectionSecretToReference specifies the namespace and name of a
+                                  Secret to which any connection details for this managed resource should
+                                  be written. Connection details frequently include the endpoint, username,
+                                  and password required to connect to the managed resource.
                                properties:
                                  name:
                                    description: Name of the secret.
@@ -976,6 +998,8 @@ spec:
                            - configuration
                            type: object
                        type: object
+                      version:
+                        type: string
                    type: object
                  status:
                    description: WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
@@ -986,14 +1010,15 @@ spec:
                          description: A Condition that may apply to a resource.
                          properties:
                            lastTransitionTime:
-                              description: LastTransitionTime is the last time this
-                                condition transitioned from one status to another.
+                              description: |-
+                                LastTransitionTime is the last time this condition transitioned from one
+                                status to another.
                              format: date-time
                              type: string
                            message:
-                              description: A Message containing details about this
-                                condition's last transition from one status to another,
-                                if any.
+                              description: |-
+                                A Message containing details about this condition's last transition from
+                                one status to another, if any.
                              type: string
                            reason:
                              description: A Reason for this condition's last transition
@@ -1004,9 +1029,9 @@ spec:
                                True, False, or Unknown?
                              type: string
                            type:
-                              description: Type of this condition. At most one of
-                                each condition type may apply to a resource at any
-                                point in time.
+                              description: |-
+                                Type of this condition. At most one of each condition type may apply to
+                                a resource at any point in time.
                              type: string
                          required:
                          - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_policies.yaml
+++ b/charts/vela-core/crds/core.oam.dev_policies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: policies.core.oam.dev
 spec:
  group: core.oam.dev
@@ -26,14 +26,19 @@ spec:
        description: Policy is the Schema for the policy API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
--- a/charts/vela-core/crds/core.oam.dev_policydefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_policydefinitions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: policydefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -24,14 +24,19 @@ spec:
        description: PolicyDefinition is the Schema for the policydefinitions API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -46,30 +51,30 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
                type: object
              manageHealthCheck:
-                description: ManageHealthCheck means the policy will handle health
-                  checking and skip application controller built-in health checking.
+                description: |-
+                  ManageHealthCheck means the policy will handle health checking and skip application controller
+                  built-in health checking.
                type: boolean
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the policy definition. Only CUE schematic is supported
-                  for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the policy definition.
+                  Only CUE schematic is supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
@@ -132,11 +137,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@@ -151,6 +156,8 @@ spec:
                    - configuration
                    type: object
                type: object
+              version:
+                type: string
            type: object
          status:
            description: PolicyDefinitionStatus is the status of PolicyDefinition
@@ -161,13 +168,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -178,8 +187,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml
+++ b/charts/vela-core/crds/core.oam.dev_resourcetrackers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: resourcetrackers.core.oam.dev
 spec:
  group: core.oam.dev
@@ -38,14 +38,19 @@ spec:
          resources
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -83,33 +88,38 @@ spec:
                      description: Deleted marks the resource to be deleted
                      type: boolean
                    fieldPath:
-                      description: 'If referring to a piece of an object instead of
-                        an entire object, this string should contain a valid JSON/Go
-                        field access statement, such as desiredState.manifest.containers[2].
-                        For example, if the object reference is to a container within
-                        a pod, this would take on a value like: "spec.containers{name}"
-                        (where "name" refers to the name of the container that triggered
-                        the event) or if no container name is specified "spec.containers[2]"
-                        (container with index 2 in this pod). This syntax is chosen
-                        only to have some well-defined way of referencing a part of
-                        an object. TODO: this design is not final and this field is
-                        subject to change in the future.'
+                      description: |-
+                        If referring to a piece of an object instead of an entire object, this string
+                        should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                        For example, if the object reference is to a container within a pod, this would take on a value like:
+                        "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                        the event) or if no container name is specified "spec.containers[2]" (container with
+                        index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                        referencing a part of an object.
+                        TODO: this design is not final and this field is subject to change in the future.
                      type: string
                    kind:
-                      description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      description: |-
+                        Kind of the referent.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                      type: string
                    name:
-                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                      description: |-
+                        Name of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                    namespace:
-                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                      description: |-
+                        Namespace of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                      type: string
                    raw:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    resourceVersion:
-                      description: 'Specific resourceVersion to which this reference
-                        is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                      description: |-
+                        Specific resourceVersion to which this reference is made, if any.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                      type: string
                    skipGC:
                      description: SkipGC marks the resource to skip gc
@@ -117,7 +127,9 @@ spec:
                    trait:
                      type: string
                    uid:
-                      description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                      description: |-
+                        UID of the referent.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
--- a/charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_traitdefinitions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: traitdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -28,20 +28,26 @@ spec:
    name: v1beta1
    schema:
      openAPIV3Schema:
-        description: A TraitDefinition registers a kind of Kubernetes custom resource
-          as a valid OAM trait kind by referencing its CustomResourceDefinition. The
-          CRD is used to validate the schema of the trait when it is embedded in an
-          OAM ApplicationConfiguration.
+        description: |-
+          A TraitDefinition registers a kind of Kubernetes custom resource as a valid
+          OAM trait kind by referencing its CustomResourceDefinition. The CRD is used
+          to validate the schema of the trait when it is embedded in an OAM
+          ApplicationConfiguration.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -49,20 +55,25 @@ spec:
            description: A TraitDefinitionSpec defines the desired state of a TraitDefinition.
            properties:
              appliesToWorkloads:
-                description: AppliesToWorkloads specifies the list of workload kinds
-                  this trait applies to. Workload kinds are specified in resource.group/version
-                  format, e.g. server.core.oam.dev/v1alpha2. Traits that omit this
-                  field apply to all workload kinds.
+                description: |-
+                  AppliesToWorkloads specifies the list of workload kinds this trait
+                  applies to. Workload kinds are specified in resource.group/version format,
+                  e.g. server.core.oam.dev/v1alpha2. Traits that omit this field apply to
+                  all workload kinds.
                items:
                  type: string
                type: array
              conflictsWith:
-                description: 'ConflictsWith specifies the list of traits(CRD name,
-                  Definition name, CRD group) which could not apply to the same workloads
-                  with this trait. Traits that omit this field can work with any other
-                  traits. Example rules: "service" # Trait definition name "services.k8s.io"
-                  # API resource/crd name "*.networking.k8s.io" # API group "labelSelector:foo=bar"
-                  # label selector labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse'
+                description: |-
+                  ConflictsWith specifies the list of traits(CRD name, Definition name, CRD group)
+                  which could not apply to the same workloads with this trait.
+                  Traits that omit this field can work with any other traits.
+                  Example rules:
+                  "service" # Trait definition name
+                  "services.k8s.io" # API resource/crd name
+                  "*.networking.k8s.io" # API group
+                  "labelSelector:foo=bar" # label selector
+                  labelSelector format: https://pkg.go.dev/k8s.io/apimachinery/pkg/labels#Parse
                items:
                  type: string
                type: array
@@ -78,9 +89,9 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
@@ -103,18 +114,17 @@ spec:
                  revision
                type: boolean
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the trait. Only CUE and Kube schematic are supported
-                  for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the trait.
+                  Only CUE and Kube schematic are supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
@@ -177,11 +187,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@@ -197,10 +207,10 @@ spec:
                    type: object
                type: object
              stage:
-                description: Stage defines the stage information to which this trait
-                  resource processing belongs. Currently, PreDispatch and PostDispatch
-                  are provided, which are used to control resource pre-process and
-                  post-process respectively.
+                description: |-
+                  Stage defines the stage information to which this trait resource processing belongs.
+                  Currently, PreDispatch and PostDispatch are provided, which are used to control resource
+                  pre-process and post-process respectively.
                type: string
              status:
                description: Status defines the custom health policy and status message
@@ -215,6 +225,8 @@ spec:
                      the abstraction
                    type: string
                type: object
+              version:
+                type: string
              workloadRefPath:
                description: WorkloadRefPath indicates where/if a trait accepts a
                  workloadRef object
@@ -229,13 +241,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -246,8 +260,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/core.oam.dev_workflowstepdefinitions.yaml
+++ b/charts/vela-core/crds/core.oam.dev_workflowstepdefinitions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: workflowstepdefinitions.core.oam.dev
 spec:
  group: core.oam.dev
@@ -25,14 +25,19 @@ spec:
          API
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -47,26 +52,25 @@ spec:
                    description: Name of the referenced CustomResourceDefinition.
                    type: string
                  version:
-                    description: Version indicate which version should be used if
-                      CRD has multiple versions by default it will use the first one
-                      if not specified
+                    description: |-
+                      Version indicate which version should be used if CRD has multiple versions
+                      by default it will use the first one if not specified
                    type: string
                required:
                - name
                type: object
              schematic:
-                description: Schematic defines the data format and template of the
-                  encapsulation of the workflow step definition. Only CUE schematic
-                  is supported for now.
+                description: |-
+                  Schematic defines the data format and template of the encapsulation of the workflow step definition.
+                  Only CUE schematic is supported for now.
                properties:
                  cue:
                    description: CUE defines the encapsulation in CUE format
                    properties:
                      template:
-                        description: Template defines the abstraction template data
-                          of the capability, it will replace the old CUE template
-                          in extension field. Template is a required field if CUE
-                          is defined in Capability Definition.
+                        description: |-
+                          Template defines the abstraction template data of the capability, it will replace the old CUE template in extension field.
+                          Template is a required field if CUE is defined in Capability Definition.
                        type: string
                    required:
                    - template
@@ -129,11 +133,11 @@ spec:
                        - remote
                        type: string
                      writeConnectionSecretToRef:
-                        description: WriteConnectionSecretToReference specifies the
-                          namespace and name of a Secret to which any connection details
-                          for this managed resource should be written. Connection
-                          details frequently include the endpoint, username, and password
-                          required to connect to the managed resource.
+                        description: |-
+                          WriteConnectionSecretToReference specifies the namespace and name of a
+                          Secret to which any connection details for this managed resource should
+                          be written. Connection details frequently include the endpoint, username,
+                          and password required to connect to the managed resource.
                        properties:
                          name:
                            description: Name of the secret.
@@ -148,6 +152,8 @@ spec:
                    - configuration
                    type: object
                type: object
+              version:
+                type: string
            type: object
          status:
            description: WorkflowStepDefinitionStatus is the status of WorkflowStepDefinition
@@ -158,13 +164,15 @@ spec:
                  description: A Condition that may apply to a resource.
                  properties:
                    lastTransitionTime:
-                      description: LastTransitionTime is the last time this condition
-                        transitioned from one status to another.
+                      description: |-
+                        LastTransitionTime is the last time this condition transitioned from one
+                        status to another.
                      format: date-time
                      type: string
                    message:
-                      description: A Message containing details about this condition's
-                        last transition from one status to another, if any.
+                      description: |-
+                        A Message containing details about this condition's last transition from
+                        one status to another, if any.
                      type: string
                    reason:
                      description: A Reason for this condition's last transition from
@@ -175,8 +183,9 @@ spec:
                        False, or Unknown?
                      type: string
                    type:
-                      description: Type of this condition. At most one of each condition
-                        type may apply to a resource at any point in time.
+                      description: |-
+                        Type of this condition. At most one of each condition type may apply to
+                        a resource at any point in time.
                      type: string
                  required:
                  - lastTransitionTime
--- a/charts/vela-core/crds/cue.oam.dev_packages.yaml
+++ b/charts/vela-core/crds/cue.oam.dev_packages.yaml
@@ -0,0 +1,81 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  name: packages.cue.oam.dev
+spec:
+  group: cue.oam.dev
+  names:
+    kind: Package
+    listKind: PackageList
+    plural: packages
+    shortNames:
+    - pkg
+    - cpkg
+    - cuepkg
+    - cuepackage
+    singular: package
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.path
+      name: PATH
+      type: string
+    - jsonPath: .spec.provider.protocol
+      name: PROTO
+      type: string
+    - jsonPath: .spec.provider.endpoint
+      name: ENDPOINT
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Package is an extension for cuex engine
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PackageSpec the spec for Package
+            properties:
+              path:
+                type: string
+              provider:
+                description: Provider the external Provider in Package for cuex to
+                  run functions
+                properties:
+                  endpoint:
+                    type: string
+                  protocol:
+                    description: ProviderProtocol the protocol type for external Provider
+                    type: string
+                required:
+                - endpoint
+                - protocol
+                type: object
+              templates:
+                additionalProperties:
+                  type: string
+                type: object
+            required:
+            - path
+            - templates
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
--- a/charts/vela-core/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name:  {{ template "kubevela.fullname" . }}-admission-create
+  name: {{ template "kubevela.fullname" . }}-admission-create
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
@@ -17,7 +17,7 @@ spec:
  {{- end }}
  template:
    metadata:
-      name:  {{ template "kubevela.fullname" . }}-admission-create
+      name: {{ template "kubevela.fullname" . }}-admission-create
      labels:
        app: {{ template "kubevela.name" . }}-admission-create
        {{- include "kubevela.labels" . | nindent 8 }}
@@ -39,17 +39,26 @@ spec:
            - --cert-name=tls.crt
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
-      {{- with .Values.admissionWebhooks.patch.nodeSelector }}
+      {{- if .Values.admissionWebhooks.patch.nodeSelector }}
      nodeSelector:
-      {{- toYaml . | nindent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+      {{- else if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.affinity }}
+      {{- if .Values.admissionWebhooks.patch.affinity }}
      affinity:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.affinity | nindent 8 }}
+      {{- else if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.tolerations }}
+      {{- if .Values.admissionWebhooks.patch.tolerations }}
      tolerations:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.tolerations | nindent 8 }}
+      {{- else if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
      {{- end }}
      securityContext:
        runAsGroup: 2000
--- a/charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/vela-core/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name:  {{ template "kubevela.fullname" . }}-admission-patch
+  name: {{ template "kubevela.fullname" . }}-admission-patch
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
@@ -17,7 +17,7 @@ spec:
  {{- end }}
  template:
    metadata:
-      name:  {{ template "kubevela.fullname" . }}-admission-patch
+      name: {{ template "kubevela.fullname" . }}-admission-patch
      labels:
        app: {{ template "kubevela.name" . }}-admission-patch
        {{- include "kubevela.labels" . | nindent 8 }}
@@ -41,13 +41,26 @@ spec:
            {{- end }}
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
-      {{- with .Values.admissionWebhooks.patch.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
+      {{- if .Values.admissionWebhooks.patch.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+      {{- else if .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.nodeSelector | nindent 8 }}
      {{- end }}
-      {{- with .Values.admissionWebhooks.patch.tolerations }}
+      {{- if .Values.admissionWebhooks.patch.affinity }}
+      affinity:
+      {{- toYaml .Values.admissionWebhooks.patch.affinity | nindent 8 }}
+      {{- else if .Values.affinity }}
+      affinity:
+      {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.admissionWebhooks.patch.tolerations }}
      tolerations:
-{{ toYaml . | indent 8 }}
+      {{- toYaml .Values.admissionWebhooks.patch.tolerations | nindent 8 }}
+      {{- else if .Values.tolerations }}
+      tolerations:
+      {{- toYaml .Values.tolerations | nindent 8 }}
      {{- end }}
      securityContext:
        runAsGroup: 2000
--- a/charts/vela-core/templates/admission-webhooks/validatingWebhookConfiguration.yaml
+++ b/charts/vela-core/templates/admission-webhooks/validatingWebhookConfiguration.yaml
@@ -14,13 +14,13 @@ webhooks:
      service:
        name: {{ template "kubevela.name" . }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validating-core-oam-dev-v1alpha2-traitdefinitions
+        path: /validating-core-oam-dev-v1beta1-traitdefinitions
    {{- if .Values.admissionWebhooks.patch.enabled  }}
    failurePolicy: Ignore
    {{- else }}
    failurePolicy: {{ .Values.admissionWebhooks.failurePolicy }}
    {{- end }}
-    name: validating.core.oam.dev.v1alpha2.traitdefinitions
+    name: validating.core.oam.dev.v1beta1.traitdefinitions
    sideEffects: None
    admissionReviewVersions:
      - v1beta1
@@ -29,13 +29,12 @@ webhooks:
      - apiGroups:
          - core.oam.dev
        apiVersions:
-          - v1alpha2
+          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - traitdefinitions
-        scope: Cluster
    timeoutSeconds: 5
  - clientConfig:
      caBundle: Cg==
@@ -89,4 +88,30 @@ webhooks:
          - UPDATE
        resources:
          - componentdefinitions
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: {{ template "kubevela.name" . }}-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validating-core-oam-dev-v1beta1-policydefinitions
+    {{- if .Values.admissionWebhooks.patch.enabled  }}
+    failurePolicy: Ignore
+    {{- else }}
+    failurePolicy: Fail
+    {{- end }}
+    name: validating.core.oam-dev.v1beta1.policydefinitions
+    sideEffects: None
+    admissionReviewVersions:
+      - v1beta1
+      - v1
+    rules:
+      - apiGroups:
+          - core.oam.dev
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - policydefinitions
 {{- end -}}
--- a/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
+++ b/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
@@ -124,6 +124,7 @@ spec:
    - protocol: TCP
      port: {{ .Values.multicluster.clusterGateway.port }}
      targetPort: {{ .Values.multicluster.clusterGateway.port }}
+      name: default
 ---
 # 1.  Check whether APIService ""v1alpha1.cluster.core.oam.dev" is already present in the cluster
 # 2.a If the APIService doesn't exist, create it.
@@ -189,4 +190,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
-{{ end }}
+{{ end }}
--- a/charts/vela-core/templates/cluster-gateway/job-patch.yaml
+++ b/charts/vela-core/templates/cluster-gateway/job-patch.yaml
@@ -95,6 +95,18 @@ spec:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -138,4 +150,16 @@ spec:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
-{{ end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{ end }}
--- a/charts/vela-core/templates/defwithtemplate/affinity.yaml
+++ b/charts/vela-core/templates/defwithtemplate/affinity.yaml
@@ -31,6 +31,9 @@ spec:
        						if k.namespace != _|_ {
        							namespace: k.namespace
        						}
+        						if k.namespaces != _|_ {
+        							namespaces: k.namespaces
+        						}
        						topologyKey: k.topologyKey
        						if k.namespaceSelector != _|_ {
        							namespaceSelector: k.namespaceSelector
@@ -57,6 +60,9 @@ spec:
        						if k.namespace != _|_ {
        							namespace: k.namespace
        						}
+        						if k.namespaces != _|_ {
+        							namespaces: k.namespaces
+        						}
        						topologyKey: k.topologyKey
        						if k.namespaceSelector != _|_ {
        							namespaceSelector: k.namespaceSelector
--- a/charts/vela-core/templates/defwithtemplate/annotations.yaml
+++ b/charts/vela-core/templates/defwithtemplate/annotations.yaml
@@ -4,7 +4,7 @@ apiVersion: core.oam.dev/v1beta1
 kind: TraitDefinition
 metadata:
  annotations:
-    definition.oam.dev/description: Add annotations on your workload. if it generates pod, add same annotations for generated pods.
+    definition.oam.dev/description: Add annotations on your workload. If it generates pod or job, add same annotations for generated pods.
  name: annotations
  namespace: {{ include "systemDefinitionNamespace" . }}
 spec:
@@ -16,17 +16,21 @@ spec:
      template: |
        // +patchStrategy=jsonMergePatch
        patch: {
-        	metadata: annotations: {
+        	let annotationsContent = {
        		for k, v in parameter {
        			(k): v
        		}
        	}
-        	if context.output.spec != _|_ && context.output.spec.template != _|_ {
-        		spec: template: metadata: annotations: {
-        			for k, v in parameter {
-        				(k): v
-        			}
-        		}
+
+        	metadata: annotations: annotationsContent
+        	if context.output.spec != _|_ if context.output.spec.template != _|_ {
+        		spec: template: metadata: annotations: annotationsContent
+        	}
+        	if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+        		spec: jobTemplate: metadata: annotations: annotationsContent
+        	}
+        	if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ if context.output.spec.jobTemplate.spec != _|_ if context.output.spec.jobTemplate.spec.template != _|_ {
+        		spec: jobTemplate: spec: template: metadata: annotations: annotationsContent
        	}
        }
        parameter: [string]: string | null
--- a/charts/vela-core/templates/defwithtemplate/apply-component.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-component.yaml
@@ -19,5 +19,7 @@ spec:
        	component: string
        	// +usage=Specify the cluster
        	cluster: *"" | string
+        	// +usage=Specify the namespace
+        	namespace: *"" | string
        }

--- a/charts/vela-core/templates/defwithtemplate/apply-deployment.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-deployment.yaml
@@ -16,36 +16,39 @@ spec:
        import (
        	"strconv"
        	"strings"
-        	"vela/op"
+        	"vela/kube"
+        	"vela/builtin"
        )

-        output: op.#Apply & {
-        	cluster: parameter.cluster
-        	value: {
-        		apiVersion: "apps/v1"
-        		kind:       "Deployment"
-        		metadata: {
-        			name:      context.stepName
-        			namespace: context.namespace
-        		}
-        		spec: {
-        			selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
-        			replicas: parameter.replicas
-        			template: {
-        				metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
-        				spec: containers: [{
-        					name:  context.stepName
-        					image: parameter.image
-        					if parameter["cmd"] != _|_ {
-        						command: parameter.cmd
-        					}
-        				}]
+        output: kube.#Apply & {
+        	$params: {
+        		cluster: parameter.cluster
+        		value: {
+        			apiVersion: "apps/v1"
+        			kind:       "Deployment"
+        			metadata: {
+        				name:      context.stepName
+        				namespace: context.namespace
+        			}
+        			spec: {
+        				selector: matchLabels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        				replicas: parameter.replicas
+        				template: {
+        					metadata: labels: "workflow.oam.dev/step-name": "\(context.name)-\(context.stepName)"
+        					spec: containers: [{
+        						name:  context.stepName
+        						image: parameter.image
+        						if parameter["cmd"] != _|_ {
+        							command: parameter.cmd
+        						}
+        					}]
+        				}
        			}
        		}
        	}
        }
-        wait: op.#ConditionalWait & {
-        	continue: output.value.status.readyReplicas == parameter.replicas
+        wait: builtin.#ConditionalWait & {
+        	$params: continue: output.$returns.value.status.readyReplicas == parameter.replicas
        }
        parameter: {
        	image:    string
--- a/charts/vela-core/templates/defwithtemplate/apply-object.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-object.yaml
@@ -13,13 +13,13 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/kube"
        )

-        apply: op.#Apply & {
-        	value:   parameter.value
-        	cluster: parameter.cluster
+        apply: kube.#Apply & {
+        	$params: parameter
        }
+
        parameter: {
        	// +usage=Specify Kubernetes native resource object to be applied
        	value: {...}
--- a/charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-terraform-config.yaml
@@ -14,11 +14,12 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/kube"
+        	"vela/builtin"
        )

-        apply: op.#Apply & {
-        	value: {
+        apply: kube.#Apply & {
+        	$params: value: {
        		apiVersion: "terraform.core.oam.dev/v1beta2"
        		kind:       "Configuration"
        		metadata: {
@@ -53,8 +54,10 @@ spec:
        		}
        	}
        }
-        check: op.#ConditionalWait & {
-        	continue: apply.value.status != _|_ && apply.value.status.apply != _|_ && apply.value.status.apply.state == "Available"
+        check: builtin.#ConditionalWait & {
+        	if apply.$returns.value.status != _|_ if apply.$returns.value.status.apply != _|_ {
+        		$params: continue: apply.$returns.value.status.apply.state == "Available"
+        	}
        }
        parameter: {
        	// +usage=specify the source of the terraform configuration
--- a/charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml
+++ b/charts/vela-core/templates/defwithtemplate/apply-terraform-provider.yaml
@@ -14,61 +14,65 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/config"
+        	"vela/kube"
+        	"vela/builtin"
        	"strings"
        )

-        config: op.#CreateConfig & {
-        	name:      "\(context.name)-\(context.stepName)"
-        	namespace: context.namespace
-        	template:  "terraform-\(parameter.type)"
-        	config: {
-        		name: parameter.name
-        		if parameter.type == "alibaba" {
-        			ALICLOUD_ACCESS_KEY: parameter.accessKey
-        			ALICLOUD_SECRET_KEY: parameter.secretKey
-        			ALICLOUD_REGION:     parameter.region
-        		}
-        		if parameter.type == "aws" {
-        			AWS_ACCESS_KEY_ID:     parameter.accessKey
-        			AWS_SECRET_ACCESS_KEY: parameter.secretKey
-        			AWS_DEFAULT_REGION:    parameter.region
-        			AWS_SESSION_TOKEN:     parameter.token
-        		}
-        		if parameter.type == "azure" {
-        			ARM_CLIENT_ID:       parameter.clientID
-        			ARM_CLIENT_SECRET:   parameter.clientSecret
-        			ARM_SUBSCRIPTION_ID: parameter.subscriptionID
-        			ARM_TENANT_ID:       parameter.tenantID
-        		}
-        		if parameter.type == "baidu" {
-        			BAIDUCLOUD_ACCESS_KEY: parameter.accessKey
-        			BAIDUCLOUD_SECRET_KEY: parameter.secretKey
-        			BAIDUCLOUD_REGION:     parameter.region
-        		}
-        		if parameter.type == "ec" {
-        			EC_API_KEY: parameter.apiKey
-        		}
-        		if parameter.type == "gcp" {
-        			GOOGLE_CREDENTIALS: parameter.credentials
-        			GOOGLE_REGION:      parameter.region
-        			GOOGLE_PROJECT:     parameter.project
-        		}
-        		if parameter.type == "tencent" {
-        			TENCENTCLOUD_SECRET_ID:  parameter.secretID
-        			TENCENTCLOUD_SECRET_KEY: parameter.secretKey
-        			TENCENTCLOUD_REGION:     parameter.region
-        		}
-        		if parameter.type == "ucloud" {
-        			UCLOUD_PRIVATE_KEY: parameter.privateKey
-        			UCLOUD_PUBLIC_KEY:  parameter.publicKey
-        			UCLOUD_PROJECT_ID:  parameter.projectID
-        			UCLOUD_REGION:      parameter.region
+        cfg: config.#CreateConfig & {
+        	$params: {
+        		name:      "\(context.name)-\(context.stepName)"
+        		namespace: context.namespace
+        		template:  "terraform-\(parameter.type)"
+        		config: {
+        			name: parameter.name
+        			if parameter.type == "alibaba" {
+        				ALICLOUD_ACCESS_KEY: parameter.accessKey
+        				ALICLOUD_SECRET_KEY: parameter.secretKey
+        				ALICLOUD_REGION:     parameter.region
+        			}
+        			if parameter.type == "aws" {
+        				AWS_ACCESS_KEY_ID:     parameter.accessKey
+        				AWS_SECRET_ACCESS_KEY: parameter.secretKey
+        				AWS_DEFAULT_REGION:    parameter.region
+        				AWS_SESSION_TOKEN:     parameter.token
+        			}
+        			if parameter.type == "azure" {
+        				ARM_CLIENT_ID:       parameter.clientID
+        				ARM_CLIENT_SECRET:   parameter.clientSecret
+        				ARM_SUBSCRIPTION_ID: parameter.subscriptionID
+        				ARM_TENANT_ID:       parameter.tenantID
+        			}
+        			if parameter.type == "baidu" {
+        				BAIDUCLOUD_ACCESS_KEY: parameter.accessKey
+        				BAIDUCLOUD_SECRET_KEY: parameter.secretKey
+        				BAIDUCLOUD_REGION:     parameter.region
+        			}
+        			if parameter.type == "ec" {
+        				EC_API_KEY: parameter.apiKey
+        			}
+        			if parameter.type == "gcp" {
+        				GOOGLE_CREDENTIALS: parameter.credentials
+        				GOOGLE_REGION:      parameter.region
+        				GOOGLE_PROJECT:     parameter.project
+        			}
+        			if parameter.type == "tencent" {
+        				TENCENTCLOUD_SECRET_ID:  parameter.secretID
+        				TENCENTCLOUD_SECRET_KEY: parameter.secretKey
+        				TENCENTCLOUD_REGION:     parameter.region
+        			}
+        			if parameter.type == "ucloud" {
+        				UCLOUD_PRIVATE_KEY: parameter.privateKey
+        				UCLOUD_PUBLIC_KEY:  parameter.publicKey
+        				UCLOUD_PROJECT_ID:  parameter.projectID
+        				UCLOUD_REGION:      parameter.region
+        			}
        		}
        	}
        }
-        read: op.#Read & {
-        	value: {
+        read: kube.#Read & {
+        	$params: value: {
        		apiVersion: "terraform.core.oam.dev/v1beta1"
        		kind:       "Provider"
        		metadata: {
@@ -77,12 +81,9 @@ spec:
        		}
        	}
        }
-        check: op.#ConditionalWait & {
-        	if read.value.status != _|_ {
-        		continue: read.value.status.state == "ready"
-        	}
-        	if read.value.status == _|_ {
-        		continue: false
+        check: builtin.#ConditionalWait & {
+        	if read.$returns.value.status != _|_ {
+        		$params: continue: read.$returns.value.status.state == "ready"
        	}
        }
        providerBasic: {
--- a/charts/vela-core/templates/defwithtemplate/build-push-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/build-push-image.yaml
@@ -14,7 +14,9 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/builtin"
+        	"vela/kube"
+        	"vela/util"
        	"encoding/json"
        	"strings"
        )
@@ -28,8 +30,8 @@ spec:
        		value: parameter.context
        	}
        }
-        kaniko: op.#Apply & {
-        	value: {
+        kaniko: kube.#Apply & {
+        	$params: value: {
        		apiVersion: "v1"
        		kind:       "Pod"
        		metadata: {
@@ -95,14 +97,14 @@ spec:
        		}
        	}
        }
-        log: op.#Log & {
-        	source: resources: [{
+        log: util.#Log & {
+        	$params: source: resources: [{
        		name:      "\(context.name)-\(context.stepSessionID)-kaniko"
        		namespace: context.namespace
        	}]
        }
-        read: op.#Read & {
-        	value: {
+        read: kube.#Read & {
+        	$params: value: {
        		apiVersion: "v1"
        		kind:       "Pod"
        		metadata: {
@@ -111,8 +113,10 @@ spec:
        		}
        	}
        }
-        wait: op.#ConditionalWait & {
-        	continue: read.value.status != _|_ && read.value.status.phase == "Succeeded"
+        wait: builtin.#ConditionalWait & {
+        	if read.$returns.value.status != _|_ {
+        		$params: continue: read.$returns.value.status.phase == "Succeeded"
+        	}
        }
        #secret: {
        	name: string
--- a/charts/vela-core/templates/defwithtemplate/check-metrics.yaml
+++ b/charts/vela-core/templates/defwithtemplate/check-metrics.yaml
@@ -15,32 +15,35 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/metrics"
+        	"vela/builtin"
        )

-        check: op.#PromCheck & {
-        	query:          parameter.query
-        	metricEndpoint: parameter.metricEndpoint
-        	condition:      parameter.condition
-        	stepID:         context.stepSessionID
-        	duration:       parameter.duration
-        	failDuration:   parameter.failDuration
+        check: metrics.#PromCheck & {
+        	$params: {
+        		query:          parameter.query
+        		metricEndpoint: parameter.metricEndpoint
+        		condition:      parameter.condition
+        		stepID:         context.stepSessionID
+        		duration:       parameter.duration
+        		failDuration:   parameter.failDuration
+        	}
        }

-        fail: op.#Steps & {
-        	if check.failed != _|_ {
-        		if check.failed == true {
-        			breakWorkflow: op.#Fail & {
-        				message: check.message
+        fail: {
+        	if check.$returns.failed != _|_ {
+        		if check.$returns.failed == true {
+        			breakWorkflow: builtin.#Fail & {
+        				$params: message: check.$returns.message
        			}
        		}
        	}
        }

-        wait: op.#ConditionalWait & {
-        	continue: check.result
-        	if check.message != _|_ {
-        		message: check.message
+        wait: builtin.#ConditionalWait & {
+        	$params: continue: check.$returns.result
+        	if check.$returns.message != _|_ {
+        		$params: message: check.$returns.message
        	}
        }

--- a/charts/vela-core/templates/defwithtemplate/clean-jobs.yaml
+++ b/charts/vela-core/templates/defwithtemplate/clean-jobs.yaml
@@ -13,7 +13,7 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/kube"
        )

        parameter: {
@@ -21,42 +21,46 @@ spec:
        	namespace: *context.namespace | string
        }

-        cleanJobs: op.#Delete & {
-        	value: {
-        		apiVersion: "batch/v1"
-        		kind:       "Job"
-        		metadata: {
-        			name:      context.name
+        cleanJobs: kube.#Delete & {
+        	$params: {
+        		value: {
+        			apiVersion: "batch/v1"
+        			kind:       "Job"
+        			metadata: {
+        				name:      context.name
+        				namespace: parameter.namespace
+        			}
+        		}
+        		filter: {
        			namespace: parameter.namespace
-        		}
-        	}
-        	filter: {
-        		namespace: parameter.namespace
-        		if parameter.labelselector != _|_ {
-        			matchingLabels: parameter.labelselector
-        		}
-        		if parameter.labelselector == _|_ {
-        			matchingLabels: "workflow.oam.dev/name": context.name
+        			if parameter.labelselector != _|_ {
+        				matchingLabels: parameter.labelselector
+        			}
+        			if parameter.labelselector == _|_ {
+        				matchingLabels: "workflow.oam.dev/name": context.name
+        			}
        		}
        	}
        }

-        cleanPods: op.#Delete & {
-        	value: {
-        		apiVersion: "v1"
-        		kind:       "pod"
-        		metadata: {
-        			name:      context.name
+        cleanPods: kube.#Delete & {
+        	$params: {
+        		value: {
+        			apiVersion: "v1"
+        			kind:       "pod"
+        			metadata: {
+        				name:      context.name
+        				namespace: parameter.namespace
+        			}
+        		}
+        		filter: {
        			namespace: parameter.namespace
-        		}
-        	}
-        	filter: {
-        		namespace: parameter.namespace
-        		if parameter.labelselector != _|_ {
-        			matchingLabels: parameter.labelselector
-        		}
-        		if parameter.labelselector == _|_ {
-        			matchingLabels: "workflow.oam.dev/name": context.name
+        			if parameter.labelselector != _|_ {
+        				matchingLabels: parameter.labelselector
+        			}
+        			if parameter.labelselector == _|_ {
+        				matchingLabels: "workflow.oam.dev/name": context.name
+        			}
        		}
        	}
        }
--- a/charts/vela-core/templates/defwithtemplate/collect-service-endpoints.yaml
+++ b/charts/vela-core/templates/defwithtemplate/collect-service-endpoints.yaml
@@ -13,36 +13,30 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
-        	"vela/ql"
+        	"vela/builtin"
+        	"vela/query"
        	"strconv"
        )

-        collect: ql.#CollectServiceEndpoints & {
-        	app: {
-        		name:      *context.name | string
-        		namespace: *context.namespace | string
-        		if parameter.name != _|_ {
-        			name: parameter.name
-        		}
-        		if parameter.namespace != _|_ {
-        			namespace: parameter.namespace
-        		}
+        collect: query.#CollectServiceEndpoints & {
+        	$params: app: {
+        		name:      parameter.name
+        		namespace: parameter.namespace
        		filter: {
        			if parameter.components != _|_ {
        				components: parameter.components
        			}
        		}
        	}
-        } @step(1)
+        }

        outputs: {
        	eps_port_name_filtered: *[] | [...]
        	if parameter.portName == _|_ {
-        		eps_port_name_filtered: collect.list
+        		eps_port_name_filtered: collect.$returns.list
        	}
        	if parameter.portName != _|_ {
-        		eps_port_name_filtered: [ for ep in collect.list if parameter.portName == ep.endpoint.portName {ep}]
+        		eps_port_name_filtered: [for ep in collect.$returns.list if parameter.portName == ep.endpoint.portName {ep}]
        	}

        	eps_port_filtered: *[] | [...]
@@ -50,12 +44,12 @@ spec:
        		eps_port_filtered: eps_port_name_filtered
        	}
        	if parameter.port != _|_ {
-        		eps_port_filtered: [ for ep in eps_port_name_filtered if parameter.port == ep.endpoint.port {ep}]
+        		eps_port_filtered: [for ep in eps_port_name_filtered if parameter.port == ep.endpoint.port {ep}]
        	}
-        	eps:       eps_port_filtered
+        	eps: eps_port_filtered
        	endpoints: *[] | [...]
        	if parameter.outer != _|_ {
-        		tmps: [ for ep in eps {
+        		tmps: [for ep in eps {
        			ep
        			if ep.endpoint.inner == _|_ {
        				outer: true
@@ -64,16 +58,16 @@ spec:
        				outer: !ep.endpoint.inner
        			}
        		}]
-        		endpoints: [ for ep in tmps if (!parameter.outer || ep.outer) {ep}]
+        		endpoints: [for ep in tmps if (!parameter.outer || ep.outer) {ep}]
        	}
        	if parameter.outer == _|_ {
        		endpoints: eps_port_filtered
        	}
        }

-        wait: op.#ConditionalWait & {
-        	continue: len(outputs.endpoints) > 0
-        } @step(2)
+        wait: builtin.#ConditionalWait & {
+        	$params: continue: len(outputs.endpoints) > 0
+        }

        value: {
        	if len(outputs.endpoints) > 0 {
@@ -85,9 +79,9 @@ spec:

        parameter: {
        	// +usage=Specify the name of the application
-        	name?: string
+        	name: *context.name | string
        	// +usage=Specify the namespace of the application
-        	namespace?: string
+        	namespace: *context.namespace | string
        	// +usage=Filter the component of the endpoints
        	components?: [...string]
        	// +usage=Filter the port of the endpoints
--- a/charts/vela-core/templates/defwithtemplate/command.yaml
+++ b/charts/vela-core/templates/defwithtemplate/command.yaml
@@ -32,7 +32,7 @@ spec:
        	_params:         #PatchParams
        	name:            _params.containerName
        	_baseContainers: context.output.spec.template.spec.containers
-        	_matchContainers_: [ for _container_ in _baseContainers if _container_.name == name {_container_}]
+        	_matchContainers_: [for _container_ in _baseContainers if _container_.name == name {_container_}]
        	_baseContainer: *_|_ | {...}
        	if len(_matchContainers_) == 0 {
        		err: "container \(name) not found"
@@ -73,7 +73,7 @@ spec:
        		}

        		// +patchStrategy=replace
-        		args: [ for a in _args if _delArgs[a] == _|_ {a}] + [ for a in _addArgs if _delArgs[a] == _|_ && _argsMap[a] == _|_ {a}]
+        		args: [for a in _args if _delArgs[a] == _|_ {a}] + [for a in _addArgs if _delArgs[a] == _|_ && _argsMap[a] == _|_ {a}]
        	}
        }
        // +patchStrategy=open
@@ -97,7 +97,7 @@ spec:
        	}
        	if parameter.containers != _|_ {
        		// +patchKey=name
-        		containers: [ for c in parameter.containers {
+        		containers: [for c in parameter.containers {
        			if c.containerName == "" {
        				err: "container name must be set for containers"
        			}
@@ -113,5 +113,5 @@ spec:
        	containers: [...#PatchParams]
        })

-        errs: [ for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]
+        errs: [for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]

--- a/charts/vela-core/templates/defwithtemplate/container-image.yaml
+++ b/charts/vela-core/templates/defwithtemplate/container-image.yaml
@@ -29,7 +29,7 @@ spec:
        	_params:         #PatchParams
        	name:            _params.containerName
        	_baseContainers: context.output.spec.template.spec.containers
-        	_matchContainers_: [ for _container_ in _baseContainers if _container_.name == name {_container_}]
+        	_matchContainers_: [for _container_ in _baseContainers if _container_.name == name {_container_}]
        	_baseContainer: *_|_ | {...}
        	if len(_matchContainers_) == 0 {
        		err: "container \(name) not found"
@@ -62,7 +62,7 @@ spec:
        	}
        	if parameter.containers != _|_ {
        		// +patchKey=name
-        		containers: [ for c in parameter.containers {
+        		containers: [for c in parameter.containers {
        			if c.containerName == "" {
        				err: "containerName must be set for containers"
        			}
@@ -78,5 +78,5 @@ spec:
        	containers: [...#PatchParams]
        })

-        errs: [ for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]
+        errs: [for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]

--- a/charts/vela-core/templates/defwithtemplate/container-ports.yaml
+++ b/charts/vela-core/templates/defwithtemplate/container-ports.yaml
@@ -0,0 +1,135 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/container-ports.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Expose on the host and bind the external port to host to enable web traffic for your component.
+  name: container-ports
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - deployments.apps
+    - statefulsets.apps
+    - daemonsets.apps
+    - jobs.batch
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        import (
+        	"strconv"
+        	"strings"
+        )
+
+        #PatchParams: {
+        	// +usage=Specify the name of the target container, if not set, use the component name
+        	containerName: *"" | string
+        	// +usage=Specify ports you want customer traffic sent to
+        	ports: *[] | [...{
+        		// +usage=Number of port to expose on the pod's IP address
+        		containerPort: int
+        		// +usage=Protocol for port. Must be UDP, TCP, or SCTP
+        		protocol: *"TCP" | "UDP" | "SCTP"
+        		// +usage=Number of port to expose on the host
+        		hostPort?: int
+        		// +usage=What host IP to bind the external port to.
+        		hostIP?: string
+        	}]
+        }
+
+        PatchContainer: {
+        	_params:         #PatchParams
+        	name:            _params.containerName
+        	_baseContainers: context.output.spec.template.spec.containers
+        	_matchContainers_: [for _container_ in _baseContainers if _container_.name == name {_container_}]
+        	_baseContainer: *_|_ | {...}
+        	if len(_matchContainers_) == 0 {
+        		err: "container \(name) not found"
+        	}
+        	if len(_matchContainers_) > 0 {
+        		_baseContainer: _matchContainers_[0]
+        		_basePorts:     _baseContainer.ports
+        		if _basePorts == _|_ {
+        			// +patchStrategy=replace
+        			ports: [for port in _params.ports {
+        				containerPort: port.containerPort
+        				protocol:      port.protocol
+        				if port.hostPort != _|_ {
+        					hostPort: port.hostPort
+        				}
+        				if port.hostIP != _|_ {
+        					hostIP: port.hostIP
+        				}
+        			}]
+        		}
+        		if _basePorts != _|_ {
+        			_basePortsMap: {for _basePort in _basePorts {(strings.ToLower(_basePort.protocol) + strconv.FormatInt(_basePort.containerPort, 10)): _basePort}}
+        			_portsMap: {for port in _params.ports {(strings.ToLower(port.protocol) + strconv.FormatInt(port.containerPort, 10)): port}}
+        			// +patchStrategy=replace
+        			ports: [for portVar in _basePorts {
+        				containerPort: portVar.containerPort
+        				protocol:      portVar.protocol
+        				name:          portVar.name
+        				_uniqueKey:    strings.ToLower(portVar.protocol) + strconv.FormatInt(portVar.containerPort, 10)
+        				if _portsMap[_uniqueKey] != _|_ {
+        					if _portsMap[_uniqueKey].hostPort != _|_ {
+        						hostPort: _portsMap[_uniqueKey].hostPort
+        					}
+        					if _portsMap[_uniqueKey].hostIP != _|_ {
+        						hostIP: _portsMap[_uniqueKey].hostIP
+        					}
+        				}
+        			}] + [for port in _params.ports if _basePortsMap[strings.ToLower(port.protocol)+strconv.FormatInt(port.containerPort, 10)] == _|_ {
+        				if port.containerPort != _|_ {
+        					containerPort: port.containerPort
+        				}
+        				if port.protocol != _|_ {
+        					protocol: port.protocol
+        				}
+        				if port.hostPort != _|_ {
+        					hostPort: port.hostPort
+        				}
+        				if port.hostIP != _|_ {
+        					hostIP: port.hostIP
+        				}
+        			}]
+        		}
+        	}
+        }
+
+        patch: spec: template: spec: {
+        	if parameter.containers == _|_ {
+        		// +patchKey=name
+        		containers: [{
+        			PatchContainer & {_params: {
+        				if parameter.containerName == "" {
+        					containerName: context.name
+        				}
+        				if parameter.containerName != "" {
+        					containerName: parameter.containerName
+        				}
+        				ports: parameter.ports
+        			}}
+        		}]
+        	}
+        	if parameter.containers != _|_ {
+        		// +patchKey=name
+        		containers: [for c in parameter.containers {
+        			if c.containerName == "" {
+        				err: "container name must be set for containers"
+        			}
+        			if c.containerName != "" {
+        				PatchContainer & {_params: c}
+        			}
+        		}]
+        	}
+        }
+
+        parameter: *#PatchParams | close({
+        	// +usage=Specify the container ports for multiple containers
+        	containers: [...#PatchParams]
+        })
+
+        errs: [for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]
+
--- a/charts/vela-core/templates/defwithtemplate/create-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/create-config.yaml
@@ -13,28 +13,18 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/config"
        )

-        deploy: op.#CreateConfig & {
-        	name: parameter.name
-        	if parameter.namespace != _|_ {
-        		namespace: parameter.namespace
-        	}
-        	if parameter.namespace == _|_ {
-        		namespace: context.namespace
-        	}
-        	if parameter.template != _|_ {
-        		template: parameter.template
-        	}
-        	config: parameter.config
+        deploy: config.#CreateConfig & {
+        	$params: parameter
        }
        parameter: {
        	//+usage=Specify the name of the config.
        	name: string

        	//+usage=Specify the namespace of the config.
-        	namespace?: string
+        	namespace: *context.namespace | string

        	//+usage=Specify the template of the config.
        	template?: string
--- a/charts/vela-core/templates/defwithtemplate/cron-task.yaml
+++ b/charts/vela-core/templates/defwithtemplate/cron-task.yaml
@@ -11,6 +11,138 @@ spec:
  schematic:
    cue:
      template: |
+        mountsArray: {
+        	pvc: *[
+        		for v in parameter.volumeMounts.pvc {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+
+        	configMap: *[
+        		for v in parameter.volumeMounts.configMap {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+
+        	secret: *[
+        		for v in parameter.volumeMounts.secret {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+
+        	emptyDir: *[
+        		for v in parameter.volumeMounts.emptyDir {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+
+        	hostPath: *[
+        		for v in parameter.volumeMounts.hostPath {
+        			{
+        				mountPath: v.mountPath
+        				if v.subPath != _|_ {
+        					subPath: v.subPath
+        				}
+        				name: v.name
+        			}
+        		},
+        	] | []
+        }
+        volumesArray: {
+        	pvc: *[
+        		for v in parameter.volumeMounts.pvc {
+        			{
+        				name: v.name
+        				persistentVolumeClaim: claimName: v.claimName
+        			}
+        		},
+        	] | []
+
+        	configMap: *[
+        		for v in parameter.volumeMounts.configMap {
+        			{
+        				name: v.name
+        				configMap: {
+        					defaultMode: v.defaultMode
+        					name:        v.cmName
+        					if v.items != _|_ {
+        						items: v.items
+        					}
+        				}
+        			}
+        		},
+        	] | []
+
+        	secret: *[
+        		for v in parameter.volumeMounts.secret {
+        			{
+        				name: v.name
+        				secret: {
+        					defaultMode: v.defaultMode
+        					secretName:  v.secretName
+        					if v.items != _|_ {
+        						items: v.items
+        					}
+        				}
+        			}
+        		},
+        	] | []
+
+        	emptyDir: *[
+        		for v in parameter.volumeMounts.emptyDir {
+        			{
+        				name: v.name
+        				emptyDir: medium: v.medium
+        			}
+        		},
+        	] | []
+
+        	hostPath: *[
+        		for v in parameter.volumeMounts.hostPath {
+        			{
+        				name: v.name
+        				hostPath: path: v.path
+        			}
+        		},
+        	] | []
+        }
+        volumesList: volumesArray.pvc + volumesArray.configMap + volumesArray.secret + volumesArray.emptyDir + volumesArray.hostPath
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
        output: {
        	if context.clusterVersion.minor < 25 {
        		apiVersion: "batch/v1beta1"
@@ -90,16 +222,19 @@ spec:
        									requests: memory: parameter.memory
        								}
        							}
-        							if parameter["volumes"] != _|_ {
-        								volumeMounts: [ for v in parameter.volumes {
+        							if parameter["volumes"] != _|_ if parameter["volumeMounts"] == _|_ {
+        								volumeMounts: [for v in parameter.volumes {
        									{
        										mountPath: v.mountPath
        										name:      v.name
        									}}]
        							}
+        							if parameter["volumeMounts"] != _|_ {
+        								volumeMounts: mountsArray.pvc + mountsArray.configMap + mountsArray.secret + mountsArray.emptyDir + mountsArray.hostPath
+        							}
        						}]
-        						if parameter["volumes"] != _|_ {
-        							volumes: [ for v in parameter.volumes {
+        						if parameter["volumes"] != _|_ if parameter["volumeMounts"] == _|_ {
+        							volumes: [for v in parameter.volumes {
        								{
        									name: v.name
        									if v.type == "pvc" {
@@ -128,14 +263,17 @@ spec:
        									}
        								}}]
        						}
+        						if parameter["volumeMounts"] != _|_ {
+        							volumes: deDupVolumesArray
+        						}
        						if parameter["imagePullSecrets"] != _|_ {
-        							imagePullSecrets: [ for v in parameter.imagePullSecrets {
+        							imagePullSecrets: [for v in parameter.imagePullSecrets {
        								name: v
        							},
        							]
        						}
        						if parameter.hostAliases != _|_ {
-        							hostAliases: [ for v in parameter.hostAliases {
+        							hostAliases: [for v in parameter.hostAliases {
        								ip:        v.ip
        								hostnames: v.hostnames
        							},
@@ -224,7 +362,58 @@ spec:
        	// +usage=Specifies the attributes of the memory resource required for the container.
        	memory?: string

-        	// +usage=Declare volumes and volumeMounts
+        	volumeMounts?: {
+        		// +usage=Mount PVC type volume
+        		pvc?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			// +usage=The name of the PVC
+        			claimName: string
+        		}]
+        		// +usage=Mount ConfigMap type volume
+        		configMap?: [...{
+        			name:        string
+        			mountPath:   string
+        			subPath?:    string
+        			defaultMode: *420 | int
+        			cmName:      string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}]
+        		// +usage=Mount Secret type volume
+        		secret?: [...{
+        			name:        string
+        			mountPath:   string
+        			subPath?:    string
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}]
+        		// +usage=Mount EmptyDir type volume
+        		emptyDir?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			medium:    *"" | "Memory"
+        		}]
+        		// +usage=Mount HostPath type volume
+        		hostPath?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			path:      string
+        		}]
+        	}
+
+        	// +usage=Deprecated field, use volumeMounts instead.
        	volumes?: [...{
        		name:      string
        		mountPath: string
--- a/charts/vela-core/templates/defwithtemplate/daemon.yaml
+++ b/charts/vela-core/templates/defwithtemplate/daemon.yaml
@@ -162,7 +162,7 @@ spec:
        						}]
        					}
        					if parameter["ports"] != _|_ {
-        						ports: [ for v in parameter.ports {
+        						ports: [for v in parameter.ports {
        							{
        								containerPort: v.port
        								protocol:      v.protocol
@@ -206,7 +206,7 @@ spec:
        					}

        					if parameter["volumes"] != _|_ && parameter["volumeMounts"] == _|_ {
-        						volumeMounts: [ for v in parameter.volumes {
+        						volumeMounts: [for v in parameter.volumes {
        							{
        								mountPath: v.mountPath
        								name:      v.name
@@ -233,14 +233,14 @@ spec:
        				}

        				if parameter["imagePullSecrets"] != _|_ {
-        					imagePullSecrets: [ for v in parameter.imagePullSecrets {
+        					imagePullSecrets: [for v in parameter.imagePullSecrets {
        						name: v
        					},
        					]
        				}

        				if parameter["volumes"] != _|_ && parameter["volumeMounts"] == _|_ {
-        					volumes: [ for v in parameter.volumes {
+        					volumes: [for v in parameter.volumes {
        						{
        							name: v.name
        							if v.type == "pvc" {
--- a/charts/vela-core/templates/defwithtemplate/delete-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/delete-config.yaml
@@ -13,23 +13,17 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/config"
        )

-        deploy: op.#DeleteConfig & {
-        	name: parameter.name
-        	if parameter.namespace != _|_ {
-        		namespace: parameter.namespace
-        	}
-        	if parameter.namespace == _|_ {
-        		namespace: context.namespace
-        	}
+        deploy: config.#DeleteConfig & {
+        	$params: parameter
        }
        parameter: {
        	//+usage=Specify the name of the config.
        	name: string

        	//+usage=Specify the namespace of the config.
-        	namespace?: string
+        	namespace: *context.namespace | string
        }

--- a/charts/vela-core/templates/defwithtemplate/depends-on-app.yaml
+++ b/charts/vela-core/templates/defwithtemplate/depends-on-app.yaml
@@ -13,12 +13,13 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/kube"
+        	"vela/builtin"
        	"encoding/yaml"
        )

-        dependsOn: op.#Read & {
-        	value: {
+        dependsOn: kube.#Read & {
+        	$params: value: {
        		apiVersion: "core.oam.dev/v1beta1"
        		kind:       "Application"
        		metadata: {
@@ -27,10 +28,10 @@ spec:
        		}
        	}
        }
-        load: op.#Steps & {
-        	if dependsOn.err != _|_ {
-        		configMap: op.#Read & {
-        			value: {
+        load: {
+        	if dependsOn.$returns.err != _|_ {
+        		configMap: kube.#Read & {
+        			$params: value: {
        				apiVersion: "v1"
        				kind:       "ConfigMap"
        				metadata: {
@@ -38,19 +39,19 @@ spec:
        					namespace: parameter.namespace
        				}
        			}
-        		}         @step(1)
-        		template: configMap.value.data["application"]
-        		apply:    op.#Apply & {
-        			value: yaml.Unmarshal(template)
-        		}     @step(2)
-        		wait: op.#ConditionalWait & {
-        			continue: apply.value.status.status == "running"
-        		} @step(3)
+        		}
+        		template: configMap.$returns.value.data["application"]
+        		apply: kube.#Apply & {
+        			$params: value: yaml.Unmarshal(template)
+        		}
+        		wait: builtin.#ConditionalWait & {
+        			$params: continue: apply.$returns.value.status.status == "running"
+        		}
        	}

-        	if dependsOn.err == _|_ {
-        		wait: op.#ConditionalWait & {
-        			continue: dependsOn.value.status.status == "running"
+        	if dependsOn.$returns.err == _|_ {
+        		wait: builtin.#ConditionalWait & {
+        			$params: continue: dependsOn.$returns.value.status.status == "running"
        		}
        	}
        }
--- a/charts/vela-core/templates/defwithtemplate/deploy.yaml
+++ b/charts/vela-core/templates/defwithtemplate/deploy.yaml
@@ -15,16 +15,19 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/multicluster"
+        	"vela/builtin"
        )

        if parameter.auto == false {
-        	suspend: op.#Suspend & {message: "Waiting approval to the deploy step \"\(context.stepName)\""}
+        	suspend: builtin.#Suspend & {$params: message: "Waiting approval to the deploy step \"\(context.stepName)\""}
        }
-        deploy: op.#Deploy & {
-        	policies:                 parameter.policies
-        	parallelism:              parameter.parallelism
-        	ignoreTerraformComponent: parameter.ignoreTerraformComponent
+        deploy: multicluster.#Deploy & {
+        	$params: {
+        		policies:                 parameter.policies
+        		parallelism:              parameter.parallelism
+        		ignoreTerraformComponent: parameter.ignoreTerraformComponent
+        	}
        }
        parameter: {
        	//+usage=If set to false, the workflow will suspend automatically before this step, default to be true.
--- a/charts/vela-core/templates/defwithtemplate/env.yaml
+++ b/charts/vela-core/templates/defwithtemplate/env.yaml
@@ -31,7 +31,7 @@ spec:
        	name:    _params.containerName
        	_delKeys: {for k in _params.unset {(k): ""}}
        	_baseContainers: context.output.spec.template.spec.containers
-        	_matchContainers_: [ for _container_ in _baseContainers if _container_.name == name {_container_}]
+        	_matchContainers_: [for _container_ in _baseContainers if _container_.name == name {_container_}]
        	_baseContainer: *_|_ | {...}
        	if len(_matchContainers_) == 0 {
        		err: "container \(name) not found"
@@ -41,7 +41,7 @@ spec:
        		_baseEnv:       _baseContainer.env
        		if _baseEnv == _|_ {
        			// +patchStrategy=replace
-        			env: [ for k, v in _params.env if _delKeys[k] == _|_ {
+        			env: [for k, v in _params.env if _delKeys[k] == _|_ {
        				name:  k
        				value: v
        			}]
@@ -49,7 +49,7 @@ spec:
        		if _baseEnv != _|_ {
        			_baseEnvMap: {for envVar in _baseEnv {(envVar.name): envVar}}
        			// +patchStrategy=replace
-        			env: [ for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
+        			env: [for envVar in _baseEnv if _delKeys[envVar.name] == _|_ && !_params.replace {
        				name: envVar.name
        				if _params.env[envVar.name] != _|_ {
        					value: _params.env[envVar.name]
@@ -62,7 +62,7 @@ spec:
        						valueFrom: envVar.valueFrom
        					}
        				}
-        			}] + [ for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
+        			}] + [for k, v in _params.env if _delKeys[k] == _|_ && (_params.replace || _baseEnvMap[k] == _|_) {
        				name:  k
        				value: v
        			}]
@@ -88,7 +88,7 @@ spec:
        	}
        	if parameter.containers != _|_ {
        		// +patchKey=name
-        		containers: [ for c in parameter.containers {
+        		containers: [for c in parameter.containers {
        			if c.containerName == "" {
        				err: "containerName must be set for containers"
        			}
@@ -104,5 +104,5 @@ spec:
        	containers: [...#PatchParams]
        })

-        errs: [ for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]
+        errs: [for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]

--- a/charts/vela-core/templates/defwithtemplate/export-data.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export-data.yaml
@@ -16,6 +16,7 @@ spec:
      template: |
        import (
        	"vela/op"
+        	"vela/kube"
        )

        object: {
@@ -37,23 +38,25 @@ spec:
        	if parameter.kind == "Secret" {
        		stringData: parameter.data
        	}
-        } @step(1)
+        }

        getPlacements: op.#GetPlacementsFromTopologyPolicies & {
        	policies: *[] | [...string]
        	if parameter.topology != _|_ {
        		policies: [parameter.topology]
        	}
-        } @step(2)
+        }

-        apply: op.#Steps & {
+        apply: {
        	for p in getPlacements.placements {
-        		(p.cluster): op.#Apply & {
-        			value:   object
-        			cluster: p.cluster
+        		(p.cluster): kube.#Apply & {
+        			$params: {
+        				value:   object
+        				cluster: p.cluster
+        			}
        		}
        	}
-        } @step(3)
+        }

        parameter: {
        	// +usage=Specify the name of the export destination
--- a/charts/vela-core/templates/defwithtemplate/export-service.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export-service.yaml
@@ -16,6 +16,7 @@ spec:
      template: |
        import (
        	"vela/op"
+        	"vela/kube"
        )

        meta: {
@@ -48,25 +49,27 @@ spec:
        		addresses: [{ip: parameter.ip}]
        		ports: [{port: parameter.targetPort}]
        	}]
-        }] @step(1)
+        }]

        getPlacements: op.#GetPlacementsFromTopologyPolicies & {
        	policies: *[] | [...string]
        	if parameter.topology != _|_ {
        		policies: [parameter.topology]
        	}
-        } @step(2)
+        }

-        apply: op.#Steps & {
+        apply: {
        	for p in getPlacements.placements {
        		for o in objects {
-        			"\(p.cluster)-\(o.kind)": op.#Apply & {
-        				value:   o
-        				cluster: p.cluster
+        			"\(p.cluster)-\(o.kind)": kube.#Apply & {
+        				$params: {
+        					value:   o
+        					cluster: p.cluster
+        				}
        			}
        		}
        	}
-        } @step(3)
+        }

        parameter: {
        	// +usage=Specify the name of the export destination
--- a/charts/vela-core/templates/defwithtemplate/export2config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export2config.yaml
@@ -13,25 +13,27 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/kube"
        )

-        apply: op.#Apply & {
-        	value: {
-        		apiVersion: "v1"
-        		kind:       "ConfigMap"
-        		metadata: {
-        			name: parameter.configName
-        			if parameter.namespace != _|_ {
-        				namespace: parameter.namespace
-        			}
-        			if parameter.namespace == _|_ {
-        				namespace: context.namespace
+        apply: kube.#Apply & {
+        	$params: {
+        		value: {
+        			apiVersion: "v1"
+        			kind:       "ConfigMap"
+        			metadata: {
+        				name: parameter.configName
+        				if parameter.namespace != _|_ {
+        					namespace: parameter.namespace
+        				}
+        				if parameter.namespace == _|_ {
+        					namespace: context.namespace
+        				}
        			}
+        			data: parameter.data
        		}
-        		data: parameter.data
+        		cluster: parameter.cluster
        	}
-        	cluster: parameter.cluster
        }
        parameter: {
        	// +usage=Specify the name of the config map
--- a/charts/vela-core/templates/defwithtemplate/export2secret.yaml
+++ b/charts/vela-core/templates/defwithtemplate/export2secret.yaml
@@ -13,12 +13,12 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/kube"
        	"encoding/base64"
        	"encoding/json"
        )

-        secret: op.#Steps & {
+        secret: {
        	data: *parameter.data | {}
        	if parameter.kind == "docker-registry" && parameter.dockerRegistry != _|_ {
        		registryData: auths: "\(parameter.dockerRegistry.server)": {
@@ -28,28 +28,30 @@ spec:
        		}
        		data: ".dockerconfigjson": json.Marshal(registryData)
        	}
-        	apply: op.#Apply & {
-        		value: {
-        			apiVersion: "v1"
-        			kind:       "Secret"
-        			if parameter.type == _|_ && parameter.kind == "docker-registry" {
-        				type: "kubernetes.io/dockerconfigjson"
-        			}
-        			if parameter.type != _|_ {
-        				type: parameter.type
-        			}
-        			metadata: {
-        				name: parameter.secretName
-        				if parameter.namespace != _|_ {
-        					namespace: parameter.namespace
+        	apply: kube.#Apply & {
+        		$params: {
+        			value: {
+        				apiVersion: "v1"
+        				kind:       "Secret"
+        				if parameter.type == _|_ && parameter.kind == "docker-registry" {
+        					type: "kubernetes.io/dockerconfigjson"
        				}
-        				if parameter.namespace == _|_ {
-        					namespace: context.namespace
+        				if parameter.type != _|_ {
+        					type: parameter.type
        				}
+        				metadata: {
+        					name: parameter.secretName
+        					if parameter.namespace != _|_ {
+        						namespace: parameter.namespace
+        					}
+        					if parameter.namespace == _|_ {
+        						namespace: context.namespace
+        					}
+        				}
+        				stringData: data
        			}
-        			stringData: data
+        			cluster: parameter.cluster
        		}
-        		cluster: parameter.cluster
        	}
        }
        parameter: {
--- a/charts/vela-core/templates/defwithtemplate/expose.yaml
+++ b/charts/vela-core/templates/defwithtemplate/expose.yaml
@@ -44,7 +44,7 @@ spec:
        			]
        		}
        		if parameter["ports"] != _|_ {
-        			ports: [ for v in parameter.ports {
+        			ports: [for v in parameter.ports {
        				port:       v.port
        				targetPort: v.port
        				if v.name != _|_ {
--- a/charts/vela-core/templates/defwithtemplate/gateway.yaml
+++ b/charts/vela-core/templates/defwithtemplate/gateway.yaml
@@ -14,26 +14,35 @@ spec:
  podDisruptive: false
  schematic:
    cue:
-      template: |2
+      template: |
+        import "strconv"
+
        let nameSuffix = {
        	if parameter.name != _|_ {"-" + parameter.name}
        	if parameter.name == _|_ {""}
        }
-        let serviceOutputName = "service" + nameSuffix
-        let serviceMetaName = context.name + nameSuffix

-        outputs: (serviceOutputName): {
-        	apiVersion: "v1"
-        	kind:       "Service"
-        	metadata: name: "\(serviceMetaName)"
-        	spec: {
-        		selector: "app.oam.dev/component": context.name
-        		ports: [
-        			for k, v in parameter.http {
-        				port:       v
-        				targetPort: v
-        			},
-        		]
+        let serviceMetaName = {
+        	if (parameter.existingServiceName != _|_) {parameter.existingServiceName}
+        	if (parameter.existingServiceName == _|_) {context.name + nameSuffix}
+        }
+
+        if (parameter.existingServiceName == _|_) {
+        	let serviceOutputName = "service" + nameSuffix
+        	outputs: (serviceOutputName): {
+        		apiVersion: "v1"
+        		kind:       "Service"
+        		metadata: name: "\(serviceMetaName)"
+        		spec: {
+        			selector: "app.oam.dev/component": context.name
+        			ports: [
+        				for k, v in parameter.http {
+        					name:       "port-" + strconv.FormatInt(v, 10)
+        					port:       v
+        					targetPort: v
+        				},
+        			]
+        		}
        	}
        }

@@ -58,6 +67,18 @@ spec:
        			if parameter.gatewayHost != _|_ {
        				"ingress.controller/host": parameter.gatewayHost
        			}
+        			if parameter.annotations != _|_ {
+        				for key, value in parameter.annotations {
+        					"\(key)": "\(value)"
+        				}
+        			}
+        		}
+        		labels: {
+        			if parameter.labels != _|_ {
+        				for key, value in parameter.labels {
+        					"\(key)": "\(value)"
+        				}
+        			}
        		}
        	}
        	spec: {
@@ -122,6 +143,15 @@ spec:

        	// +usage=Specify a pathType for the ingress rules, defaults to "ImplementationSpecific"
        	pathType: *"ImplementationSpecific" | "Prefix" | "Exact"
+
+        	// +usage=Specify the annotations to be added to the ingress
+        	annotations?: [string]: string
+
+        	// +usage=Specify the labels to be added to the ingress
+        	labels?: [string]: string
+
+        	// +usage=If specified, use an existing Service rather than creating one
+        	existingServiceName?: string
        }
  status:
    customStatus: |-
@@ -131,11 +161,11 @@ spec:
      }
      let ingressMetaName = context.name + nameSuffix
      let ig  = [for i in context.outputs if (i.kind == "Ingress") && (i.metadata.name == ingressMetaName) {i}][0]
-      igs: *null | string
+      igs: *{} | {}
      if ig != _|_ if ig.status != _|_ if ig.status.loadbalancer != _|_ {
        igs: ig.status.loadbalancer.ingress[0]
      }
-      igr: *null | string
+      igr: *{} | {}
      if ig != _|_ if ig.spec != _|_  {
        igr: ig.spec.rules[0]
      }
@@ -155,7 +185,7 @@ spec:
          if igr.host != _|_ {
            message: "Visiting URL: " + igr.host + "\n"
          }
-          if igs.host == _|_ {
+          if igr.host == _|_ {
            message: "Host not specified, visit the cluster or load balancer in front of the cluster\n"
          }
        }
--- a/charts/vela-core/templates/defwithtemplate/generate-jdbc-connection.yaml
+++ b/charts/vela-core/templates/defwithtemplate/generate-jdbc-connection.yaml
@@ -13,12 +13,13 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/kube"
+        	"vela/util"
        	"encoding/base64"
        )

-        output: op.#Read & {
-        	value: {
+        output: kube.#Read & {
+        	$params: value: {
        		apiVersion: "v1"
        		kind:       "Secret"
        		metadata: {
@@ -29,16 +30,16 @@ spec:
        		}
        	}
        }
-        dbHost:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_HOST"])}
-        dbPort:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PORT"])}
-        dbName:   op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_NAME"])}
-        username: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_USER"])}
-        password: op.#ConvertString & {bt: base64.Decode(null, output.value.data["DB_PASSWORD"])}
+        dbHost: util.#ConvertString & {$params: bt: base64.Decode(null, output.$returns.value.data["DB_HOST"])}
+        dbPort: util.#ConvertString & {$params: bt: base64.Decode(null, output.$returns.value.data["DB_PORT"])}
+        dbName: util.#ConvertString & {$params: bt: base64.Decode(null, output.$returns.value.data["DB_NAME"])}
+        username: util.#ConvertString & {$params: bt: base64.Decode(null, output.$returns.value.data["DB_USER"])}
+        password: util.#ConvertString & {$params: bt: base64.Decode(null, output.$returns.value.data["DB_PASSWORD"])}

        env: [
-        	{name: "url", value:      "jdbc://" + dbHost.str + ":" + dbPort.str + "/" + dbName.str + "?characterEncoding=utf8&useSSL=false"},
-        	{name: "username", value: username.str},
-        	{name: "password", value: password.str},
+        	{name: "url", value: "jdbc://" + dbHost.$returns.str + ":" + dbPort.$returns.str + "/" + dbName.$returns.str + "?characterEncoding=utf8&useSSL=false"},
+        	{name: "username", value: username.$returns.str},
+        	{name: "password", value: password.$returns.str},
        ]

        parameter: {
--- a/charts/vela-core/templates/defwithtemplate/hpa.yaml
+++ b/charts/vela-core/templates/defwithtemplate/hpa.yaml
@@ -55,11 +55,11 @@ spec:
        						name: "memory"
        						target: {
        							type: parameter.mem.type
-        							if parameter.cpu.type == "Utilization" {
-        								averageUtilization: parameter.cpu.value
+        							if parameter.mem.type == "Utilization" {
+        								averageUtilization: parameter.mem.value
        							}
-        							if parameter.cpu.type == "AverageValue" {
-        								averageValue: parameter.cpu.value
+        							if parameter.mem.type == "AverageValue" {
+        								averageValue: parameter.mem.value
        							}
        						}
        					}
--- a/charts/vela-core/templates/defwithtemplate/list-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/list-config.yaml
@@ -13,22 +13,16 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/config"
        )

-        output: op.#ListConfig & {
-        	if parameter.namespace != _|_ {
-        		namespace: parameter.namespace
-        	}
-        	if parameter.namespace == _|_ {
-        		namespace: context.namespace
-        	}
-        	template: parameter.template
+        output: config.#ListConfig & {
+        	$params: parameter
        }
        parameter: {
        	//+usage=Specify the template of the config.
        	template: string
        	//+usage=Specify the namespace of the config.
-        	namespace?: string
+        	namespace: *context.namespace | string
        }

--- a/charts/vela-core/templates/defwithtemplate/nocalhost.yaml
+++ b/charts/vela-core/templates/defwithtemplate/nocalhost.yaml
@@ -42,7 +42,7 @@ spec:
        patch: metadata: annotations: {
        	"dev.nocalhost/application-name":      context.appName
        	"dev.nocalhost/application-namespace": context.namespace
-        	"dev.nocalhost":                       json.Marshal({
+        	"dev.nocalhost": json.Marshal({
        		name:        context.name
        		serviceType: parameter.serviceType
        		containers: [
@@ -126,14 +126,14 @@ spec:
        	workDir:       *"/home/nocalhost-dev" | string
        	storageClass?: string
        	command: {
-        		run:   *["sh", "run.sh"] | [...string]
+        		run: *["sh", "run.sh"] | [...string]
        		debug: *["sh", "debug.sh"] | [...string]
        	}
        	debug?: remoteDebugPort?: int
        	hotReload: *true | bool
        	sync: {
-        		type:              *"send" | string
-        		filePattern:       *["./"] | [...string]
+        		type: *"send" | string
+        		filePattern: *["./"] | [...string]
        		ignoreFilePattern: *[".git", ".vscode", ".idea", ".gradle", "build"] | [...string]
        	}
        	env?: [...{
--- a/charts/vela-core/templates/defwithtemplate/notification.yaml
+++ b/charts/vela-core/templates/defwithtemplate/notification.yaml
@@ -13,8 +13,12 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/http"
+        	"vela/email"
+        	"vela/kube"
+        	"vela/util"
        	"encoding/base64"
+        	"encoding/json"
        )

        parameter: {
@@ -69,7 +73,7 @@ spec:
        				picUrl?:     string
        			}

-        			link?:     #link
+        			link?: #link
        			markdown?: close({
        				text:  string
        				title: string
@@ -209,17 +213,23 @@ spec:
        }

        // send webhook notification
-        ding: op.#Steps & {
+        ding: {
        	if parameter.dingding != _|_ {
        		if parameter.dingding.url.value != _|_ {
-        			ding1: op.#DingTalk & {
-        				message: parameter.dingding.message
-        				dingUrl: parameter.dingding.url.value
+        			ding1: http.#Do & {
+        				$params: {
+        					method: "POST"
+        					url:    parameter.dingding.url.value
+        					request: {
+        						body: json.Marshal(parameter.dingding.message)
+        						header: "Content-Type": "application/json"
+        					}
+        				}
        			}
        		}
        		if parameter.dingding.url.secretRef != _|_ && parameter.dingding.url.value == _|_ {
-        			read: op.#Read & {
-        				value: {
+        			read: kube.#Read & {
+        				$params: value: {
        					apiVersion: "v1"
        					kind:       "Secret"
        					metadata: {
@@ -229,26 +239,38 @@ spec:
        				}
        			}

-        			stringValue: op.#ConvertString & {bt: base64.Decode(null, read.value.data[parameter.dingding.url.secretRef.key])}
-        			ding2:       op.#DingTalk & {
-        				message: parameter.dingding.message
-        				dingUrl: stringValue.str
+        			stringValue: util.#ConvertString & {$params: bt: base64.Decode(null, read.$returns.value.data[parameter.dingding.url.secretRef.key])}
+        			ding2: http.#Do & {
+        				$params: {
+        					method: "POST"
+        					url:    stringValue.$returns.str
+        					request: {
+        						body: json.Marshal(parameter.dingding.message)
+        						header: "Content-Type": "application/json"
+        					}
+        				}
        			}
        		}
        	}
        }

-        lark: op.#Steps & {
+        lark: {
        	if parameter.lark != _|_ {
        		if parameter.lark.url.value != _|_ {
-        			lark1: op.#Lark & {
-        				message: parameter.lark.message
-        				larkUrl: parameter.lark.url.value
+        			lark1: http.#Do & {
+        				$params: {
+        					method: "POST"
+        					url:    parameter.lark.message
+        					request: {
+        						body: json.Marshal(parameter.lark.message)
+        						header: "Content-Type": "application/json"
+        					}
+        				}
        			}
        		}
        		if parameter.lark.url.secretRef != _|_ && parameter.lark.url.value == _|_ {
-        			read: op.#Read & {
-        				value: {
+        			read: kube.#Read & {
+        				$params: value: {
        					apiVersion: "v1"
        					kind:       "Secret"
        					metadata: {
@@ -258,26 +280,39 @@ spec:
        				}
        			}

-        			stringValue: op.#ConvertString & {bt: base64.Decode(null, read.value.data[parameter.lark.url.secretRef.key])}
-        			lark2:       op.#Lark & {
-        				message: parameter.lark.message
-        				larkUrl: stringValue.str
+        			stringValue: util.#ConvertString & {$params: bt: base64.Decode(null, read.$returns.value.data[parameter.lark.url.secretRef.key])}
+        			lark2: http.#Do & {
+        				$params: {
+        					method: "POST"
+        					url:    stringValue.$returns.str
+        					request: {
+        						body: json.Marshal(parameter.lark.message)
+        						header: "Content-Type": "application/json"
+        					}
+        				}
        			}
+
        		}
        	}
        }

-        slack: op.#Steps & {
+        slack: {
        	if parameter.slack != _|_ {
        		if parameter.slack.url.value != _|_ {
-        			slack1: op.#Slack & {
-        				message:  parameter.slack.message
-        				slackUrl: parameter.slack.url.value
+        			slack1: http.#Do & {
+        				$params: {
+        					method: "POST"
+        					url:    parameter.slack.url.value
+        					request: {
+        						body: json.Marshal(parameter.slack.message)
+        						header: "Content-Type": "application/json"
+        					}
+        				}
        			}
        		}
        		if parameter.slack.url.secretRef != _|_ && parameter.slack.url.value == _|_ {
-        			read: op.#Read & {
-        				value: {
+        			read: kube.#Read & {
+        				$params: value: {
        					kind:       "Secret"
        					apiVersion: "v1"
        					metadata: {
@@ -287,36 +322,44 @@ spec:
        				}
        			}

-        			stringValue: op.#ConvertString & {bt: base64.Decode(null, read.value.data[parameter.slack.url.secretRef.key])}
-        			slack2:      op.#Slack & {
-        				message:  parameter.slack.message
-        				slackUrl: stringValue.str
+        			stringValue: util.#ConvertString & {$params: bt: base64.Decode(null, read.$returns.value.data[parameter.slack.url.secretRef.key])}
+        			slack2: http.#Do & {
+        				$params: {
+        					method: "POST"
+        					url:    stringValue.$returns.str
+        					request: {
+        						body: json.Marshal(parameter.slack.message)
+        						header: "Content-Type": "application/json"
+        					}
+        				}
        			}
        		}
        	}
        }

-        email: op.#Steps & {
+        email0: {
        	if parameter.email != _|_ {
        		if parameter.email.from.password.value != _|_ {
-        			email1: op.#SendEmail & {
-        				from: {
-        					address: parameter.email.from.address
-        					if parameter.email.from.alias != _|_ {
-        						alias: parameter.email.from.alias
+        			email1: email.#SendEmail & {
+        				$params: {
+        					from: {
+        						address: parameter.email.from.address
+        						if parameter.email.from.alias != _|_ {
+        							alias: parameter.email.from.alias
+        						}
+        						password: parameter.email.from.password.value
+        						host:     parameter.email.from.host
+        						port:     parameter.email.from.port
        					}
-        					password: parameter.email.from.password.value
-        					host:     parameter.email.from.host
-        					port:     parameter.email.from.port
+        					to:      parameter.email.to
+        					content: parameter.email.content
        				}
-        				to:      parameter.email.to
-        				content: parameter.email.content
        			}
        		}

        		if parameter.email.from.password.secretRef != _|_ && parameter.email.from.password.value == _|_ {
-        			read: op.#Read & {
-        				value: {
+        			read: kube.#Read & {
+        				$params: value: {
        					kind:       "Secret"
        					apiVersion: "v1"
        					metadata: {
@@ -326,19 +369,21 @@ spec:
        				}
        			}

-        			stringValue: op.#ConvertString & {bt: base64.Decode(null, read.value.data[parameter.email.from.password.secretRef.key])}
-        			email2:      op.#SendEmail & {
-        				from: {
-        					address: parameter.email.from.address
-        					if parameter.email.from.alias != _|_ {
-        						alias: parameter.email.from.alias
+        			stringValue: util.#ConvertString & {$params: bt: base64.Decode(null, read.$returns.value.data[parameter.email.from.password.secretRef.key])}
+        			email2: email.#SendEmail & {
+        				$params: {
+        					from: {
+        						address: parameter.email.from.address
+        						if parameter.email.from.alias != _|_ {
+        							alias: parameter.email.from.alias
+        						}
+        						password: stringValue.str
+        						host:     parameter.email.from.host
+        						port:     parameter.email.from.port
        					}
-        					password: stringValue.str
-        					host:     parameter.email.from.host
-        					port:     parameter.email.from.port
+        					to:      parameter.email.to
+        					content: parameter.email.content
        				}
-        				to:      parameter.email.to
-        				content: parameter.email.content
        			}
        		}
        	}
--- a/charts/vela-core/templates/defwithtemplate/podsecuritycontext.yaml
+++ b/charts/vela-core/templates/defwithtemplate/podsecuritycontext.yaml
@@ -0,0 +1,59 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/podsecuritycontext.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Adds security context to the pod spec in path 'spec.template.spec.securityContext'.
+  name: podsecuritycontext
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - deployments.apps
+    - statefulsets.apps
+    - daemonsets.apps
+    - jobs.batch
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        patch: spec: template: spec: securityContext: {
+        	if parameter.appArmorProfile != _|_ {
+        		appArmorProfile: parameter.appArmorProfile
+        	}
+        	if parameter.fsGroup != _|_ {
+        		fsGroup: parameter.fsGroup
+        	}
+        	if parameter.runAsGroup != _|_ {
+        		runAsGroup: parameter.runAsGroup
+        	}
+        	if parameter.runAsUser != _|_ {
+        		runAsUser: parameter.runAsUser
+        	}
+        	if parameter.seccompProfile != _|_ {
+        		seccompProfile: parameter.seccompProfile
+        	}
+        	runAsNonRoot: parameter.runAsNonRoot
+        }
+
+        parameter: {
+        	// +usage=Specify the AppArmor profile for the pod
+        	appArmorProfile?: {
+        		type: "RuntimeDefault" | "Unconfined" | "Localhost"
+        		// +usage:  localhostProfile is required when type is 'Localhost'
+        		localhostProfile?: string
+        	}
+        	fsGroup?:    int
+        	runAsGroup?: int
+        	// +usage=Specify the UID to run the entrypoint of the container process
+        	runAsUser?: int
+        	// +usage=Specify if the container runs as a non-root user
+        	runAsNonRoot: *true | bool
+        	// +usage=Specify the seccomp profile for the pod
+        	seccompProfile?: {
+        		type: "RuntimeDefault" | "Unconfined" | "Localhost"
+        		// +usage:  localhostProfile is required when type is 'Localhost'
+        		localhostProfile?: string
+        	}
+        }
+
--- a/charts/vela-core/templates/defwithtemplate/print-message-in-status.yaml
+++ b/charts/vela-core/templates/defwithtemplate/print-message-in-status.yaml
@@ -13,12 +13,12 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/builtin"
        )

        parameter: message: string

-        msg: op.#Message & {
-        	message: parameter.message
+        msg: builtin.#Message & {
+        	$params: parameter
        }

--- a/charts/vela-core/templates/defwithtemplate/read-config.yaml
+++ b/charts/vela-core/templates/defwithtemplate/read-config.yaml
@@ -13,23 +13,17 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/config"
        )

-        output: op.#ReadConfig & {
-        	name: parameter.name
-        	if parameter.namespace != _|_ {
-        		namespace: parameter.namespace
-        	}
-        	if parameter.namespace == _|_ {
-        		namespace: context.namespace
-        	}
+        output: config.#ReadConfig & {
+        	$params: parameter
        }
        parameter: {
        	//+usage=Specify the name of the config.
        	name: string

        	//+usage=Specify the namespace of the config.
-        	namespace?: string
+        	namespace: *context.namespace | string
        }

--- a/charts/vela-core/templates/defwithtemplate/read-object.yaml
+++ b/charts/vela-core/templates/defwithtemplate/read-object.yaml
@@ -13,50 +13,31 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/kube"
        )

-        output: {
-        	if parameter.apiVersion == _|_ && parameter.kind == _|_ {
-        		op.#Read & {
-        			value: {
-        				apiVersion: "core.oam.dev/v1beta1"
-        				kind:       "Application"
-        				metadata: {
-        					name: parameter.name
-        					if parameter.namespace != _|_ {
-        						namespace: parameter.namespace
-        					}
-        				}
+        output: kube.#Read & {
+        	$params: {
+        		cluster: parameter.cluster
+        		value: {
+        			apiVersion: parameter.apiVersion
+        			kind:       parameter.kind
+        			metadata: {
+        				name:      parameter.name
+        				namespace: parameter.namespace
        			}
-        			cluster: parameter.cluster
-        		}
-        	}
-        	if parameter.apiVersion != _|_ || parameter.kind != _|_ {
-        		op.#Read & {
-        			value: {
-        				apiVersion: parameter.apiVersion
-        				kind:       parameter.kind
-        				metadata: {
-        					name: parameter.name
-        					if parameter.namespace != _|_ {
-        						namespace: parameter.namespace
-        					}
-        				}
-        			}
-        			cluster: parameter.cluster
        		}
        	}
        }
        parameter: {
        	// +usage=Specify the apiVersion of the object, defaults to 'core.oam.dev/v1beta1'
-        	apiVersion?: string
+        	apiVersion: *"core.oam.dev/v1beta1" | string
        	// +usage=Specify the kind of the object, defaults to Application
-        	kind?: string
+        	kind: *"Application" | string
        	// +usage=Specify the name of the object
        	name: string
        	// +usage=The namespace of the resource you want to read
-        	namespace?: *"default" | string
+        	namespace: *"default" | string
        	// +usage=The cluster you want to apply the resource to, default is the current control plane cluster
        	cluster: *"" | string
        }
--- a/charts/vela-core/templates/defwithtemplate/request.yaml
+++ b/charts/vela-core/templates/defwithtemplate/request.yaml
@@ -14,30 +14,33 @@ spec:
    cue:
      template: |
        import (
-        	"vela/op"
+        	"vela/http"
+        	"vela/builtin"
        	"encoding/json"
        )

-        http: op.#HTTPDo & {
-        	method: parameter.method
-        	url:    parameter.url
-        	request: {
-        		if parameter.body != _|_ {
-        			body: json.Marshal(parameter.body)
-        		}
-        		if parameter.header != _|_ {
-        			header: parameter.header
+        req: http.#HTTPDo & {
+        	$params: {
+        		method: parameter.method
+        		url:    parameter.url
+        		request: {
+        			if parameter.body != _|_ {
+        				body: json.Marshal(parameter.body)
+        			}
+        			if parameter.header != _|_ {
+        				header: parameter.header
+        			}
        		}
        	}
        }
-        fail: op.#Steps & {
-        	if http.response.statusCode > 400 {
-        		requestFail: op.#Fail & {
-        			message: "request of \(parameter.url) is fail: \(http.response.statusCode)"
+        fail: {
+        	if http.$returns.response.statusCode > 400 {
+        		requestFail: builtin.#Fail & {
+        			$params: message: "request of \(parameter.url) is fail: \(http.response.statusCode)"
        		}
        	}
        }
-        response: json.Unmarshal(http.response.body)
+        response: json.Unmarshal(http.$returns.response.body)
        parameter: {
        	url:    string
        	method: *"GET" | "POST" | "PUT" | "DELETE"
--- a/charts/vela-core/templates/defwithtemplate/resource.yaml
+++ b/charts/vela-core/templates/defwithtemplate/resource.yaml
@@ -13,43 +13,54 @@ spec:
    - statefulsets.apps
    - daemonsets.apps
    - jobs.batch
+    - cronjobs.batch
  podDisruptive: true
  schematic:
    cue:
-      template: |
-        patch: spec: template: spec: {
-        	// +patchKey=name
-        	containers: [{
-        		resources: {
-        			if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
-        				// +patchStrategy=retainKeys
-        				requests: {
-        					cpu:    parameter.cpu
-        					memory: parameter.memory
-        				}
-        				// +patchStrategy=retainKeys
-        				limits: {
-        					cpu:    parameter.cpu
-        					memory: parameter.memory
-        				}
+      template: |2
+        let resourceContent = {
+        	resources: {
+        		if parameter.cpu != _|_ if parameter.memory != _|_ if parameter.requests == _|_ if parameter.limits == _|_ {
+        			// +patchStrategy=retainKeys
+        			requests: {
+        				cpu:    parameter.cpu
+        				memory: parameter.memory
        			}
-
-        			if parameter.requests != _|_ {
-        				// +patchStrategy=retainKeys
-        				requests: {
-        					cpu:    parameter.requests.cpu
-        					memory: parameter.requests.memory
-        				}
-        			}
-        			if parameter.limits != _|_ {
-        				// +patchStrategy=retainKeys
-        				limits: {
-        					cpu:    parameter.limits.cpu
-        					memory: parameter.limits.memory
-        				}
+        			// +patchStrategy=retainKeys
+        			limits: {
+        				cpu:    parameter.cpu
+        				memory: parameter.memory
        			}
        		}
-        	}]
+
+        		if parameter.requests != _|_ {
+        			// +patchStrategy=retainKeys
+        			requests: {
+        				cpu:    parameter.requests.cpu
+        				memory: parameter.requests.memory
+        			}
+        		}
+        		if parameter.limits != _|_ {
+        			// +patchStrategy=retainKeys
+        			limits: {
+        				cpu:    parameter.limits.cpu
+        				memory: parameter.limits.memory
+        			}
+        		}
+        	}
+        }
+
+        if context.output.spec != _|_ if context.output.spec.template != _|_ {
+        	patch: spec: template: spec: {
+        		// +patchKey=name
+        		containers: [resourceContent]
+        	}
+        }
+        if context.output.spec != _|_ if context.output.spec.jobTemplate != _|_ {
+        	patch: spec: jobTemplate: spec: template: spec: {
+        		// +patchKey=name
+        		containers: [resourceContent]
+        	}
        }

        parameter: {
--- a/charts/vela-core/templates/defwithtemplate/securitycontext.yaml
+++ b/charts/vela-core/templates/defwithtemplate/securitycontext.yaml
@@ -0,0 +1,107 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/securitycontext.cue
+apiVersion: core.oam.dev/v1beta1
+kind: TraitDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Adds security context to the container spec in path 'spec.template.spec.containers.[].securityContext'.
+  name: securitycontext
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  appliesToWorkloads:
+    - deployments.apps
+    - statefulsets.apps
+    - daemonsets.apps
+    - jobs.batch
+  podDisruptive: true
+  schematic:
+    cue:
+      template: |
+        #PatchParams: {
+        	// +usage=Specify the name of the target container, if not set, use the component name
+        	containerName: *"" | string
+        	addCapabilities?: [...string]
+        	allowPrivilegeEscalation: *false | bool
+        	dropCapabilities?: [...string]
+        	privileged:             *false | bool
+        	readOnlyRootFilesystem: *false | bool
+        	runAsNonRoot:           *true | bool
+        	runAsUser?:             int
+        	runAsGroup?:            int
+        }
+
+        PatchContainer: {
+        	_params:         #PatchParams
+        	name:            _params.containerName
+        	_baseContainers: context.output.spec.template.spec.containers
+        	_matchContainers_: [for _container_ in _baseContainers if _container_.name == name {_container_}]
+        	_baseContainer: *_|_ | {...}
+        	if len(_matchContainers_) == 0 {
+        		err: "container \(name) not found"
+        	}
+        	if len(_matchContainers_) > 0 {
+        		securityContext: {
+        			capabilities: {
+        				if _params.addCapabilities != _|_ {
+        					add: _params.addCapabilities
+        				}
+        				if _params.dropCapabilities != _|_ {
+        					drop: _params.dropCapabilities
+        				}
+        			}
+        			if _params.runAsUser != _|_ {
+        				runAsUser: _params.runAsUser
+        			}
+        			if _params.runAsGroup != _|_ {
+        				runAsGroup: _params.runAsGroup
+        			}
+        			allowPrivilegeEscalation: _params.allowPrivilegeEscalation
+        			readOnlyRootFilesystem:   _params.readOnlyRootFilesystem
+        			privileged:               _params.privileged
+        			runAsNonRoot:             _params.runAsNonRoot
+        		}
+        	}
+        }
+        patch: spec: template: spec: {
+        	if parameter.containers == _|_ {
+        		// +patchKey=name
+        		containers: [{
+        			PatchContainer & {_params: {
+        				if parameter.containerName == "" {
+        					containerName: context.name
+        				}
+        				if parameter.containerName != "" {
+        					containerName: parameter.containerName
+        				}
+        				allowPrivilegeEscalation: parameter.allowPrivilegeEscalation
+        				readOnlyRootFilesystem:   parameter.readOnlyRootFilesystem
+        				privileged:               parameter.privileged
+        				runAsNonRoot:             parameter.runAsNonRoot
+        				runAsUser:                parameter.runAsUser
+        				runAsGroup:               parameter.runAsGroup
+        				addCapabilities:          parameter.addCapabilities
+        				dropCapabilities:         parameter.dropCapabilities
+        			}}
+        		}]
+        	}
+
+        	if parameter.containers != _|_ {
+        		// +patchKey=name
+        		containers: [for c in parameter.containers {
+        			if c.containerName == "" {
+        				err: "containerName must be set for containers"
+        			}
+        			if c.containerName != "" {
+        				PatchContainer & {_params: c}
+        			}
+        		}]
+        	}
+        }
+
+        parameter: #PatchParams | close({
+        	// +usage=Specify the container image for multiple containers
+        	containers: [...#PatchParams]
+        })
+
+        errs: [for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]
+
--- a/charts/vela-core/templates/defwithtemplate/service-account.yaml
+++ b/charts/vela-core/templates/defwithtemplate/service-account.yaml
@@ -42,8 +42,8 @@ spec:
        // +patchStrategy=retainKeys
        patch: spec: template: spec: serviceAccountName: parameter.name

-        _clusterPrivileges: [ if parameter.privileges != _|_ for p in parameter.privileges if p.scope == "cluster" {p}]
-        _namespacePrivileges: [ if parameter.privileges != _|_ for p in parameter.privileges if p.scope == "namespace" {p}]
+        _clusterPrivileges: [if parameter.privileges != _|_ for p in parameter.privileges if p.scope == "cluster" {p}]
+        _namespacePrivileges: [if parameter.privileges != _|_ for p in parameter.privileges if p.scope == "namespace" {p}]
        outputs: {
        	if parameter.create {
        		"service-account": {
@@ -58,7 +58,7 @@ spec:
        				apiVersion: "rbac.authorization.k8s.io/v1"
        				kind:       "ClusterRole"
        				metadata: name: "\(context.namespace):\(parameter.name)"
-        				rules: [ for p in _clusterPrivileges {
+        				rules: [for p in _clusterPrivileges {
        					verbs: p.verbs
        					if p.apiGroups != _|_ {
        						apiGroups: p.apiGroups
@@ -95,7 +95,7 @@ spec:
        				apiVersion: "rbac.authorization.k8s.io/v1"
        				kind:       "Role"
        				metadata: name: parameter.name
-        				rules: [ for p in _namespacePrivileges {
+        				rules: [for p in _namespacePrivileges {
        					verbs: p.verbs
        					if p.apiGroups != _|_ {
        						apiGroups: p.apiGroups
--- a/charts/vela-core/templates/defwithtemplate/sidecar.yaml
+++ b/charts/vela-core/templates/defwithtemplate/sidecar.yaml
@@ -32,7 +32,7 @@ spec:
        			env: parameter.env
        		}
        		if parameter["volumes"] != _|_ {
-        			volumeMounts: [ for v in parameter.volumes {
+        			volumeMounts: [for v in parameter.volumes {
        				{
        					mountPath: v.path
        					name:      v.name
--- a/charts/vela-core/templates/defwithtemplate/startup-probe.yaml
+++ b/charts/vela-core/templates/defwithtemplate/startup-probe.yaml
@@ -65,7 +65,7 @@ spec:
        	// +usage=Instructions for assessing container startup status by probing a TCP socket. Either this attribute or the exec attribute or the tcpSocket attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with the exec attribute and the httpGet attribute and the gRPC attribute.
        	tcpSocket?: {
        		// +usage=Number or name of the port to access on the container.
-        		port: string
+        		port: int
        		// +usage=Host name to connect to, defaults to the pod IP.
        		host?: string
        	}
@@ -74,7 +74,7 @@ spec:
        	_params:         #StartupProbeParams
        	name:            _params.containerName
        	_baseContainers: context.output.spec.template.spec.containers
-        	_matchContainers_: [ for _container_ in _baseContainers if _container_.name == name {_container_}]
+        	_matchContainers_: [for _container_ in _baseContainers if _container_.name == name {_container_}]
        	if len(_matchContainers_) == 0 {
        		err: "container \(name) not found"
        	}
@@ -98,9 +98,6 @@ spec:
        			if _params.periodSeconds != _|_ {
        				periodSeconds: _params.periodSeconds
        			}
-        			if _params.tcpSocket != _|_ {
-        				tcpSocket: _params.tcpSocket
-        			}
        			if _params.timeoutSeconds != _|_ {
        				timeoutSeconds: _params.timeoutSeconds
        			}
@@ -144,14 +141,14 @@ spec:
        					grpc: parameter.grpc
        				}
        				if parameter.tcpSocket != _|_ {
-        					tcpSocket: parameter.grtcpSocketpc
+        					tcpSocket: parameter.tcpSocket
        				}
        			}}
        		}]
        	}
        	if parameter.probes != _|_ {
        		// +patchKey=name
-        		containers: [ for c in parameter.probes {
+        		containers: [for c in parameter.probes {
        			if c.name == "" {
        				err: "containerName must be set when specifying startup probe for multiple containers"
        			}
@@ -167,5 +164,5 @@ spec:
        	probes: [...#StartupProbeParams]
        })

-        errs: [ for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]
+        errs: [for c in patch.spec.template.spec.containers if c.err != _|_ {c.err}]

--- a/charts/vela-core/templates/defwithtemplate/statefulset.yaml
+++ b/charts/vela-core/templates/defwithtemplate/statefulset.yaml
@@ -0,0 +1,605 @@
+# Code generated by KubeVela templates. DO NOT EDIT. Please edit the original cue file.
+# Definition source cue file: vela-templates/definitions/internal/statefulset.cue
+apiVersion: core.oam.dev/v1beta1
+kind: ComponentDefinition
+metadata:
+  annotations:
+    definition.oam.dev/description: Describes long-running, scalable, containerized services used to manage stateful application, like database.
+  name: statefulset
+  namespace: {{ include "systemDefinitionNamespace" . }}
+spec:
+  schematic:
+    cue:
+      template: |
+        import (
+        	"strconv"
+        	"strings"
+        )
+
+        mountsArray: [
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.pvc != _|_ for v in parameter.volumeMounts.pvc {
+        		{
+        			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
+        			name: v.name
+        		}
+        	},
+
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.configMap != _|_ for v in parameter.volumeMounts.configMap {
+        		{
+        			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
+        			name: v.name
+        		}
+        	},
+
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.secret != _|_ for v in parameter.volumeMounts.secret {
+        		{
+        			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
+        			name: v.name
+        		}
+        	},
+
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.emptyDir != _|_ for v in parameter.volumeMounts.emptyDir {
+        		{
+        			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
+        			name: v.name
+        		}
+        	},
+
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.hostPath != _|_ for v in parameter.volumeMounts.hostPath {
+        		{
+        			mountPath: v.mountPath
+        			if v.subPath != _|_ {
+        				subPath: v.subPath
+        			}
+        			name: v.name
+        		}
+        	},
+        ]
+
+        volumesList: [
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.pvc != _|_ for v in parameter.volumeMounts.pvc {
+        		{
+        			name: v.name
+        			persistentVolumeClaim: claimName: v.claimName
+        		}
+        	},
+
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.configMap != _|_ for v in parameter.volumeMounts.configMap {
+        		{
+        			name: v.name
+        			configMap: {
+        				defaultMode: v.defaultMode
+        				name:        v.cmName
+        				if v.items != _|_ {
+        					items: v.items
+        				}
+        			}
+        		}
+        	},
+
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.secret != _|_ for v in parameter.volumeMounts.secret {
+        		{
+        			name: v.name
+        			secret: {
+        				defaultMode: v.defaultMode
+        				secretName:  v.secretName
+        				if v.items != _|_ {
+        					items: v.items
+        				}
+        			}
+        		}
+        	},
+
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.emptyDir != _|_ for v in parameter.volumeMounts.emptyDir {
+        		{
+        			name: v.name
+        			emptyDir: medium: v.medium
+        		}
+        	},
+
+        	if parameter.volumeMounts != _|_ if parameter.volumeMounts.hostPath != _|_ for v in parameter.volumeMounts.hostPath {
+        		{
+        			name: v.name
+        			hostPath: path: v.path
+        		}
+        	},
+        ]
+
+        deDupVolumesArray: [
+        	for val in [
+        		for i, vi in volumesList {
+        			for j, vj in volumesList if j < i && vi.name == vj.name {
+        				_ignore: true
+        			}
+        			vi
+        		},
+        	] if val._ignore == _|_ {
+        		val
+        	},
+        ]
+
+        output: {
+        	apiVersion: "apps/v1"
+        	kind:       "StatefulSet"
+        	spec: {
+        		selector: matchLabels: "app.oam.dev/component": context.name
+
+        		template: {
+        			metadata: {
+        				labels: {
+        					if parameter.labels != _|_ {
+        						parameter.labels
+        					}
+        					if parameter.addRevisionLabel {
+        						"app.oam.dev/revision": context.revision
+        					}
+        					"app.oam.dev/name":      context.appName
+        					"app.oam.dev/component": context.name
+        				}
+        				if parameter.annotations != _|_ {
+        					annotations: parameter.annotations
+        				}
+        			}
+
+        			spec: {
+        				containers: [{
+        					name:  context.name
+        					image: parameter.image
+        					if parameter["port"] != _|_ if parameter["ports"] == _|_ {
+        						ports: [{
+        							containerPort: parameter.port
+        						}]
+        					}
+        					if parameter["ports"] != _|_ {
+        						ports: [for v in parameter.ports {
+        							{
+        								containerPort: {
+        									if v.containerPort != _|_ {v.containerPort}
+        									if v.containerPort == _|_ {v.port}
+        								}
+        								protocol: v.protocol
+        								if v.name != _|_ {
+        									name: v.name
+        								}
+        								if v.name == _|_ {
+        									_name: {
+        										if v.containerPort != _|_ {"port-" + strconv.FormatInt(v.containerPort, 10)}
+        										if v.containerPort == _|_ {"port-" + strconv.FormatInt(v.port, 10)}
+        									}
+        									name: *_name | string
+        									if v.protocol != "TCP" {
+        										name: _name + "-" + strings.ToLower(v.protocol)
+        									}
+        								}
+        							}}]
+        					}
+
+        					if parameter["imagePullPolicy"] != _|_ {
+        						imagePullPolicy: parameter.imagePullPolicy
+        					}
+
+        					if parameter["cmd"] != _|_ {
+        						command: parameter.cmd
+        					}
+
+        					if parameter["args"] != _|_ {
+        						args: parameter.args
+        					}
+
+        					if parameter["env"] != _|_ {
+        						env: parameter.env
+        					}
+
+        					if context["config"] != _|_ {
+        						env: context.config
+        					}
+
+        					if parameter["cpu"] != _|_ {
+        						resources: {
+        							limits: cpu:   parameter.cpu
+        							requests: cpu: parameter.cpu
+        						}
+        					}
+
+        					if parameter["memory"] != _|_ {
+        						resources: {
+        							limits: memory:   parameter.memory
+        							requests: memory: parameter.memory
+        						}
+        					}
+
+        					if parameter["volumes"] != _|_ if parameter["volumeMounts"] == _|_ {
+        						volumeMounts: [for v in parameter.volumes {
+        							{
+        								mountPath: v.mountPath
+        								name:      v.name
+        							}}]
+        					}
+
+        					if parameter["volumeMounts"] != _|_ {
+        						volumeMounts: mountsArray
+        					}
+
+        					if parameter["livenessProbe"] != _|_ {
+        						livenessProbe: parameter.livenessProbe
+        					}
+
+        					if parameter["readinessProbe"] != _|_ {
+        						readinessProbe: parameter.readinessProbe
+        					}
+
+        				}]
+
+        				if parameter["hostAliases"] != _|_ {
+        					// +patchKey=ip
+        					hostAliases: parameter.hostAliases
+        				}
+
+        				if parameter["imagePullSecrets"] != _|_ {
+        					imagePullSecrets: [for v in parameter.imagePullSecrets {
+        						name: v
+        					},
+        					]
+        				}
+
+        				if parameter["volumes"] != _|_ if parameter["volumeMounts"] == _|_ {
+        					volumes: [for v in parameter.volumes {
+        						{
+        							name: v.name
+        							if v.type == "pvc" {
+        								persistentVolumeClaim: claimName: v.claimName
+        							}
+        							if v.type == "configMap" {
+        								configMap: {
+        									defaultMode: v.defaultMode
+        									name:        v.cmName
+        									if v.items != _|_ {
+        										items: v.items
+        									}
+        								}
+        							}
+        							if v.type == "secret" {
+        								secret: {
+        									defaultMode: v.defaultMode
+        									secretName:  v.secretName
+        									if v.items != _|_ {
+        										items: v.items
+        									}
+        								}
+        							}
+        							if v.type == "emptyDir" {
+        								emptyDir: medium: v.medium
+        							}
+        						}
+        					}]
+        				}
+
+        				if parameter["volumeMounts"] != _|_ {
+        					volumes: deDupVolumesArray
+        				}
+        			}
+        		}
+        	}
+        }
+
+        exposePorts: [
+        	if parameter.ports != _|_ for v in parameter.ports if v.expose == true {
+        		port: v.port
+        		if v.containerPort != _|_ {targetPort: v.containerPort}
+        		if v.containerPort == _|_ {targetPort: v.port}
+        		if v.name != _|_ {name: v.name}
+        		if v.name == _|_ {
+        			_name: {
+        				if v.containerPort != _|_ {
+        					"port-" + strconv.FormatInt(v.containerPort, 10)
+        				}
+        				if v.containerPort == _|_ {
+        					"port-" + strconv.FormatInt(v.port, 10)
+        				}
+        			}
+        			name: *_name | string
+        			if v.protocol != "TCP" {
+        				name: _name + "-" + strings.ToLower(v.protocol)
+        			}
+        		}
+        		if v.nodePort != _|_ if parameter.exposeType == "NodePort" {
+        			nodePort: v.nodePort
+        		}
+        		if v.protocol != _|_ {
+        			protocol: v.protocol
+        		}
+        	},
+        ]
+
+        outputs: {
+        	if len(exposePorts) != 0 {
+        		statefulsetsExpose: {
+        			apiVersion: "v1"
+        			kind:       "Service"
+        			metadata: name: context.name
+        			spec: {
+        				selector: "app.oam.dev/component": context.name
+        				ports: exposePorts
+        				type:  parameter.exposeType
+        			}
+        		}
+        	}
+        }
+
+        parameter: {
+        	// +usage=Specify the labels in the workload
+        	labels?: [string]: string
+
+        	// +usage=Specify the annotations in the workload
+        	annotations?: [string]: string
+
+        	// +usage=Which image would you like to use for your service
+        	// +short=i
+        	image: string
+
+        	// +usage=Specify image pull policy for your service
+        	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+        	// +usage=Specify image pull secrets for your service
+        	imagePullSecrets?: [...string]
+
+        	// +ignore
+        	// +usage=Deprecated field, please use ports instead
+        	// +short=p
+        	port?: int
+
+        	// +usage=Which ports do you want customer traffic sent to, defaults to 80
+        	ports?: [...{
+        		// +usage=Number of port to expose on the pod's IP address
+        		port: int
+        		// +usage=Number of container port to connect to, defaults to port
+        		containerPort?: int
+        		// +usage=Name of the port
+        		name?: string
+        		// +usage=Protocol for port. Must be UDP, TCP, or SCTP
+        		protocol: *"TCP" | "UDP" | "SCTP"
+        		// +usage=Specify if the port should be exposed
+        		expose: *false | bool
+        		// +usage=exposed node port. Only Valid when exposeType is NodePort
+        		nodePort?: int
+        	}]
+
+        	// +ignore
+        	// +usage=Specify what kind of Service you want. options: "ClusterIP", "NodePort", "LoadBalancer"
+        	exposeType: *"ClusterIP" | "NodePort" | "LoadBalancer"
+
+        	// +ignore
+        	// +usage=If addRevisionLabel is true, the revision label will be added to the underlying pods
+        	addRevisionLabel: *false | bool
+
+        	// +usage=Commands to run in the container
+        	cmd?: [...string]
+
+        	// +usage=Arguments to the entrypoint
+        	args?: [...string]
+
+        	// +usage=Define arguments by using environment variables
+        	env?: [...{
+        		// +usage=Environment variable name
+        		name: string
+        		// +usage=The value of the environment variable
+        		value?: string
+        		// +usage=Specifies a source the value of this var should come from
+        		valueFrom?: {
+        			// +usage=Selects a key of a secret in the pod's namespace
+        			secretKeyRef?: {
+        				// +usage=The name of the secret in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the secret to select from. Must be a valid secret key
+        				key: string
+        			}
+        			// +usage=Selects a key of a config map in the pod's namespace
+        			configMapKeyRef?: {
+        				// +usage=The name of the config map in the pod's namespace to select from
+        				name: string
+        				// +usage=The key of the config map to select from. Must be a valid secret key
+        				key: string
+        			}
+        		}
+        	}]
+
+        	// +usage=Number of CPU units for the service, like `0.5` (0.5 CPU core), `1` (1 CPU core)
+        	cpu?: string
+
+        	// +usage=Specifies the attributes of the memory resource required for the container.
+        	memory?: string
+
+        	volumeMounts?: {
+        		// +usage=Mount PVC type volume
+        		pvc?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			// +usage=The name of the PVC
+        			claimName: string
+        		}]
+        		// +usage=Mount ConfigMap type volume
+        		configMap?: [...{
+        			name:        string
+        			mountPath:   string
+        			subPath?:    string
+        			defaultMode: *420 | int
+        			cmName:      string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}]
+        		// +usage=Mount Secret type volume
+        		secret?: [...{
+        			name:        string
+        			mountPath:   string
+        			subPath?:    string
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}]
+        		// +usage=Mount EmptyDir type volume
+        		emptyDir?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			medium:    *"" | "Memory"
+        		}]
+        		// +usage=Mount HostPath type volume
+        		hostPath?: [...{
+        			name:      string
+        			mountPath: string
+        			subPath?:  string
+        			path:      string
+        		}]
+        	}
+
+        	// +usage=Deprecated field, use volumeMounts instead.
+        	volumes?: [...{
+        		name:      string
+        		mountPath: string
+        		// +usage=Specify volume type, options: "pvc","configMap","secret","emptyDir", default to emptyDir
+        		type: *"emptyDir" | "pvc" | "configMap" | "secret"
+        		if type == "pvc" {
+        			claimName: string
+        		}
+        		if type == "configMap" {
+        			defaultMode: *420 | int
+        			cmName:      string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "secret" {
+        			defaultMode: *420 | int
+        			secretName:  string
+        			items?: [...{
+        				key:  string
+        				path: string
+        				mode: *511 | int
+        			}]
+        		}
+        		if type == "emptyDir" {
+        			medium: *"" | "Memory"
+        		}
+        	}]
+
+        	// +usage=Instructions for assessing whether the container is alive.
+        	livenessProbe?: #HealthProbe
+
+        	// +usage=Instructions for assessing whether the container is in a suitable state to serve traffic.
+        	readinessProbe?: #HealthProbe
+
+        	// +usage=Specify the hostAliases to add
+        	hostAliases?: [...{
+        		ip: string
+        		hostnames: [...string]
+        	}]
+        }
+
+        #HealthProbe: {
+
+        	// +usage=Instructions for assessing container health by executing a command. Either this attribute or the httpGet attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the httpGet attribute and the tcpSocket attribute.
+        	exec?: {
+        		// +usage=A command to be executed inside the container to assess its health. Each space delimited token of the command is a separate array element. Commands exiting 0 are considered to be successful probes, whilst all other exit codes are considered failures.
+        		command: [...string]
+        	}
+
+        	// +usage=Instructions for assessing container health by executing an HTTP GET request. Either this attribute or the exec attribute or the tcpSocket attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the tcpSocket attribute.
+        	httpGet?: {
+        		// +usage=The endpoint, relative to the port, to which the HTTP GET request should be directed.
+        		path: string
+        		// +usage=The TCP socket within the container to which the HTTP GET request should be directed.
+        		port:    int
+        		host?:   string
+        		scheme?: *"HTTP" | string
+        		httpHeaders?: [...{
+        			name:  string
+        			value: string
+        		}]
+        	}
+
+        	// +usage=Instructions for assessing container health by probing a TCP socket. Either this attribute or the exec attribute or the httpGet attribute MUST be specified. This attribute is mutually exclusive with both the exec attribute and the httpGet attribute.
+        	tcpSocket?: {
+        		// +usage=The TCP socket within the container that should be probed to assess container health.
+        		port: int
+        	}
+
+        	// +usage=Number of seconds after the container is started before the first probe is initiated.
+        	initialDelaySeconds: *0 | int
+
+        	// +usage=How often, in seconds, to execute the probe.
+        	periodSeconds: *10 | int
+
+        	// +usage=Number of seconds after which the probe times out.
+        	timeoutSeconds: *1 | int
+
+        	// +usage=Minimum consecutive successes for the probe to be considered successful after having failed.
+        	successThreshold: *1 | int
+
+        	// +usage=Number of consecutive failures required to determine the container is not alive (liveness probe) or not ready (readiness probe).
+        	failureThreshold: *3 | int
+        }
+  status:
+    customStatus: |-
+      ready: {
+      	readyReplicas: *0 | int
+      } & {
+      	if context.output.status.readyReplicas != _|_ {
+      		readyReplicas: context.output.status.readyReplicas
+      	}
+      }
+      message: "Ready:\(ready.readyReplicas)/\(context.output.spec.replicas)"
+    healthPolicy: |-
+      ready: {
+      	updatedReplicas:    *0 | int
+      	readyReplicas:      *0 | int
+      	replicas:           *0 | int
+      	observedGeneration: *0 | int
+      } & {
+      	if context.output.status.updatedReplicas != _|_ {
+      		updatedReplicas: context.output.status.updatedReplicas
+      	}
+      	if context.output.status.readyReplicas != _|_ {
+      		readyReplicas: context.output.status.readyReplicas
+      	}
+      	if context.output.status.replicas != _|_ {
+      		replicas: context.output.status.replicas
+      	}
+      	if context.output.status.observedGeneration != _|_ {
+      		observedGeneration: context.output.status.observedGeneration
+      	}
+      }
+      _isHealth: (context.output.spec.replicas == ready.readyReplicas) && (context.output.spec.replicas == ready.updatedReplicas) && (context.output.spec.replicas == ready.replicas) && (ready.observedGeneration == context.output.metadata.generation || ready.observedGeneration > context.output.metadata.generation)
+      isHealth: *_isHealth | bool
+      if context.output.metadata.annotations != _|_ {
+      	if context.output.metadata.annotations["app.oam.dev/disable-health-check"] != _|_ {
+      		isHealth: true
+      	}
+      }
+  workload:
+    definition:
+      apiVersion: apps/v1
+      kind: StatefulSet
+    type: statefulsets.apps
+
--- a/Show More
+++ b/Show More